Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

21 May 2006 | 7,761 views

What Next? The Poker Rootkit of Course!

Check For Vulnerabilities with Acunetix

Ok so the list gets even BIGGER, after the WoW Trojan, Trojan for World Cup Fans, Ransomeware and the buy a spyware kit story

Now we proudly present, the Poker Rootkit!

For online poker players, this was always going to be a losing hand.

A Trojan with malicious rootkit features hidden in a legitimate software package distributed by online gaming tools vendor Check Raised has the ability to hijack log-in information for multiple online poker Web sites, according to a warning from Finnish security vendor F-Secure.

The spying Trojan, identified as Backdoor.Win32.Small.la, was built into a Rakeback calculator application (RBCalc.exe) distributed by Check Raised to help online poker players keep track of scaled commission fees taken by the Web site operator.

Pretty clever stuff.

When the spying component is initialized, it starts a keystroke logger and connects to a remote server that is programmed to send instructions to the infected machines. The instructions range from the downloading of executable files, the uploading of stolen information, the shutdown of the Trojan and the ability to send application screenshots.

The backdoor also sends out sensitive information to remote servers, including keylogger database, computer name, and the username and password of several online poker programs.

What I thought was really clever was the way in which the application took money from users, it’s not direct, it’s very smart in fact!

An anti-virus company says the rootkit is particularly malicious because the hacker could take a victim’s money without making it look stolen — by using the passwords to log on to a poker site, then playing very badly against players controlled by the hacker. The victims are then left with little recourse, since it looks like they just lost their money during normal play.

Smart stuff.

Source: eWeek


20 May 2006 | 14,923 views

The Biggest Web Defacement Ever

A Turkish hacker using the handle iSKORPiTX was able to breach the security of a group of web servers, containing more than 38.500 web sites in less than a day!

Iskorpitx is believed to be 45 years old, sometimes being helped for minor defacement activities by another Turkish “senior cracker” (42) going by the handle of Metlak .

Apparently he doesn’t like a couple of countries:




iscorpitx, marque du monde, presente ses salutations tout le monde. “

Defacement mirror – example

I gotta say:

Script kiddie hack or not, a defacement will always be a ‘cool’ hack to do.

Zone-H is keeping everyone posted of his actions and has compiled a full list of the 21.549 sites he was able to deface.

You can also keep updated with iSKORPiTX latest actions here.

Of all the sites iSKORPiTX was able to hack, 95% of them were using Windows (big part of those same sites, Windows 2003) and running IIS 6. New exploit?

No doubt, the biggest hack ever.

Source: Zone-H

19 May 2006 | 10,516 views

Paros Proxy 3.2.12 Released – MITM HTTP and HTTPS Proxy

Paros 3.2.12 is released. This version is a maintenance release which fix a potental 100% cpu consumption issue. All users are recommended to upgrade to this version.

The changes are:

– Use newest external library for HTTP handling.

– Enable/disable spider to POST forms in options panel to avoid generating unwanted traffic (default to enable). This is requested by many users.

– Decrease the number of possible combinations crawled by spider on forms with multiple SELECT/OPTIONS. This make crawling less resource consuming and lower chance to affect application being scanned.

– Minor UI changes.

Paros labels itself as MITM Proxy + Spider + Scanner plus anything else you want it to be, it is a pretty neat piece of software.

It’s particularly useful for testing web applications and things such as insecure sessions.

Paros is free of charge and completely written in Java. Through Paros’s proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified.

These proxies have a different purpose than those personal type proxies like Proxomitron which are intended to protect you, clean adverts, block spyware and so on. Proxies like Paros and Burp are meant for examining the security of applications and web application auditing.

You do need Java Run Time Enviroment (JRE) 1.4 (or above) to install Paros.

You can download the latest version of Paros Here.

19 May 2006 | 13,581 views

The RFID Hackers Revealed – Real RFID Hacking

This a very interesting read, the tale of an RFID hacker.

I was always sceptical about RFID I have to say, when everything is tagged, criminals can just drive by your house and scan everything, see what TV you have, which DVD player, how many high value electrical goods, and choose which houses they want to burgle.

The governments can install RFID readers in lamposts everywhere to track your movements from the RFID tags in the underpants you just bought..

Am I being paranoid?

James Van Bokkelen is about to be robbed. A wealthy software entrepreneur, Van Bokkelen will be the latest victim of some punk with a laptop. But this won’t be an email scam or bank account hack. A skinny 23-year-old named Jonathan Westhues plans to use a cheap, homemade USB device to swipe the office key out of Van Bokkelen’s back pocket.

“I just need to bump into James and get my hand within a few inches of him,” Westhues says. We’re shivering in the early spring air outside the offices of Sandstorm, the Internet security company Van Bokkelen runs north of Boston. As Van Bokkelen approaches from the parking lot, Westhues brushes past him. A coil of copper wire flashes briefly in Westhues’ palm, then disappears.

The guy can clone the signal, then reverse it and play it back to the card reader in your office, bingo, he just broke in without raising any alarms.

Van Bokkelen enters the building, and Westhues returns to me. “Let’s see if I’ve got his keys,” he says, meaning the signal from Van Bokkelen’s smartcard badge. The card contains an RFID sensor chip, which emits a short burst of radio waves when activated by the reader next to Sandstorm’s door. If the signal translates into an authorized ID number, the door unlocks.

The coil in Westhues’ hand is the antenna for the wallet-sized device he calls a cloner, which is currently shoved up his sleeve. The cloner can elicit, record, and mimic signals from smartcard RFID chips. Westhues takes out the device and, using a USB cable, connects it to his laptop and downloads the data from Van Bokkelen’s card for processing. Then, satisfied that he has retrieved the code, Westhues switches the cloner from Record mode to Emit. We head to the locked door.

Source: Wired

18 May 2006 | 11,292 views

Sprajax – An Open Source AJAX Security Scanner

Denim Group Ltd. announced today the public release of Sprajax, an open source web application security scanner developed to assess the security of AJAX-enabled web applications.

Sprajax is the first web security scanner developed specifically to scan AJAX web applications for security vulnerabilities. Denim Group, an IT consultancy specializing in web application security, recognized that there were no tools available on the market able to scan AJAX. AJAX allows web-based applications a higher degree of user-interactivity, a feature with growing popularity among developers.

You can download Sprajax here.

As AJAX becomes more popular with developers, the security of AJAX-enabled web applications will be a growing concern,” says Dan Cornell, Principal at Denim Group.”Sprajax is a great tool for application security maintenance, and its availability as an open source application places it within reach for organizations of all sizes.”

While expert security scans are more thorough and usually recommended, internal developers and security auditors can use this software to produce an initial vulnerability assessment. This can be invaluable, especially in the wake of government regulations regarding web application security. Organizations must take steps to protect sensitive data in public facing applications, and an assessment using a tool like Sprajax could be the first step

Sprajax homepage.

We have written about the danger of AJAX security her.

Digg This Article

18 May 2006 | 12,375 views

Caller ID Spoofing is Still Easy- FCC Investigates

The FCC wants to clamp down on Caller ID spoofing it seems.

If you’ve ever used one of the half-dozen websites that allow you to control the phone number that appears on someone’s Caller ID display when you phone them, the U.S. government would like to know who you are.

Last week the FCC opened an investigation into the caller-ID spoofing sites — services that began popping up late 2004, and have since become a useful tool for private investigators, pranksters and more than a few fraud artists.

One of the example services that received the 7 page FCC report is called Telespoof.

On their website it says..

Telespoof.com offers the first domestic and international Caller ID spoofing service, allowing business professionals to remain anonymous when calling from anywhere in the world, to anywhere in the world. We like to think of it as “mobile invisibility”, the highest quality Caller spoofing service available anywhere in the world.

Another example is Spoofcard.com that sells a virtual ‘calling card’ for $10 that provides 60 minutes of talk time. The user dials a toll-free number, then keys in the destination number and the Caller ID number to display. The service also provides optional voice scrambling, to make the caller sound like someone of the opposite sex.

USA Today also reported on how Caller ID spoofing has become easier, saying..

Tim Murphy’s office started getting phone calls from constituents who complained about receiving recorded phone messages that bad-mouthed Murphy. The constituents were especially upset that the messages appeared to come from the congressman’s own office. At least, that’s what Caller ID said.

So if you have used one of these services for whatever reason, the federal government is interested in YOU..

The FCC is demanding business records from both companies, as well as the name of every customer that has used TeleSpoof, the date they used it and the number of phone calls they made.

Dated February 24th, the FCC letter gives TeleSpoof 20 calendar days to respond.

Source: Wired

17 May 2006 | 5,431 views

No Your Car CANNOT get a Bluetooth Virus

It’s gone round and round and round, now cars have Bluetooth, that they can get viruses like Cabir, I’m sorry but if an Anti-virus company like F-Secure can’t infect a car with a virus, I don’t have much hope for the others. The rumours came from a Lexus story in SCMagazine (The story is no longer there, and I don’t have a mirror sadly).

So we got a Toyota Prius to test out the myth. Credit has to be given to Toyota for trusting their systems enough to actually lend the car for us for such testing. According to Toyota, this Prius model had identical in-car Bluetooth systems with the Lexus models, so it was suitable for our tests. This Bluetooth functionality is intended to, for example, transfer the phone book from the car owners mobile phone to the built-in phone of the car.

Source: F-Secure

And to be honest, those that benefit from this viral FUD is the anti-virus companies right? So when an anti-virus company comes out and says that it’s not possible, you know it’s not even a vague threat, as if it was, they would come out with some new super car anti-virus protection version 2006.

After fixing the battery problem, we continued tests and Toyota Prius performed admirably. We managed to find one minor issue with the system (a corrupted phone name would freeze the on-board display), but otherwise the Prius Bluetooth system was far more stable than our test phones and PCs. We had to reboot our test systems several times as their Bluetooth systems died on us, while Toyota Prius just kept going.

Seems pretty solid right?

Reuters decided to reinstate the FUD for some reason, pay-off from an AV firm maybe?

Here’s a new excuse for not getting to work on time on a Monday morning: My car caught a virus.

Car industry officials and analysts say hackers’ growing interest in writing viruses for wireless devices puts auto computer systems at risk of infection.

Source: MSN

Not that an anti-virus firm would have anything to gain from spreading such rumours right?

As carmakers turn to computer security, a lucrative market could open for antivirus firms, which have been touting cell phone security for years without notable success. “People will not use the protection before there are several big epidemics. After that they will understand that it is dangerous to use phones to get online, that you need to be protected,” Kaspersky said.

Next up, Kaspersky Car Edition?

17 May 2006 | 5,316 views

Source Code & Software Security Analysis with BogoSec

Bogosec is essentially a tool for finding security vulnerabilities in source code.

BogoSec aims to increase awareness regarding code security vulnerabilities, while encouraging developers to produce more secure code over time. By simplifying the code scanning process, BogoSec achieves a goal of allowing developers to scan their code regularly and more effectively.

BogoSec is a source code metric tool that wraps multiple source code scanners, invokes them on its target code, and produces a final score that approximates the security quality of the code. This article discusses the BogoSec methodology and implementation, and illustrates the output of BogoSec when run on a number of test cases, including Apache Web server, OpenSSH, Sendmail, Perl, and others.

Bogosec seems to use:

  • Flawfinder
  • ITS4
  • RATS

The CERT Coordination Center (CERT/CC) reported 5,990 vulnerabilities in 2005 compared with 171 in 1995. Many software security vulnerabilities occur because of poor programming practices. Some vulnerabilities are algorithmically detectable by static source code scanners designed for identifying potential security issues. As the number and severity of potential security holes per line of code increase, it is reasonable to believe that the overall quality of the source code in terms of security decreases. BogoSec metrics are computed values that attempt to reflect relative ratings of source code security quality for comparative purposes.

The motivation behind BogoSec is to influence developers to produce more secure source code over time. Various scanners exist that point developers to potentially insecure sections of code, but developers are often reluctant to use such scanners because of a seemingly high degree of false positive output as well as the difficulties associated with use. BogoSec attempts to reduce the penalty of false positives while broadening the scope of the source scan by using multiple independent scanners. This produces high-level metrics that allow developers and users alike to comparatively judge the quality of the source code in terms of security.

You can download the full 23 page article here (PDF Warning).

You can find the BogoSec project here.

16 May 2006 | 39,113 views

Anonymity – Hiding Your Identity in 2006


Anonymity is derived from the greek word ἀνωνυμία (anonymia), meaning without a name or name-less. In colloquial use, the term typically refers to a person, and often means that the Ppersonal identity, or personally identifiable information of that person is not known.

The main question is of course, what are you trying to hide? Closely following that is how important is it?

The precautions you take have to weigh up to the value of the data you are trying to protect, in this case, you are trying to protect your anonymity.

In the recent years privacy and anonymity have become big issues with CCTV cameras everywhere, and projects like Echelon reading all your e-mails and reporting back to the Orwellian ‘Big Brother’.

So just for normal surfing, or if you are planning on hacking a foreign governments personnel database (not that we recommend that of course), you need to protect yourself in different ways.

Remember Anonymity is not an absolute, there are varying degrees.

The Myths

Using a proxy I found on the web in my browser is enough.

People have been using proxies for years, normally open proxies found from scanning large IP ranges on the internet, what you have to think though, is this proxy open for a purpose? Is this purpose to listen to what you are doing? To collect your passwords?

Also it’s not infallible, remember the traffic has to go from your computer to the proxy, and come back in, those records can be corelated in your country alone and need to external aid.

Plus the proxy may keep records of who access what and when, it make be a honeypot and keep full packet logs of all completed TCP/IP sessions.

The problem is you just don’t know.

If I chain proxies no one can find me.

Also not true, it doesn’t matter if you cross through Taiwan, Korea, Russia and Iraq, your ISP just needs to see the packets going out and coming in at the right times to your machine from the last proxy hop in your chain.

The Reality

It can be said, pretty much whole heartedly, there is no such thing as real anonymity online, if you do something bad enough, the people in power can find you.

IP Spoofing is misunderstood in 9/10 cases and is no protection against anything (I’ll write an article about this later).

And web proxies, as above, offer little or no protection. They are good enough if you just want to stop your school/parents/office from tracking your surfing habits, but they won’t protect you from doing time if you commit a federal crime.

There are a whole bunch of proxies to surf at school or work in this post.

The next best thing from this is Onion Routing, the common peer to peer implementation known as Tor.

Onion Routing prevents the transport medium from knowing who is communicating with whom — the network knows only that communication is taking place. In addition, the content of the communication is hidden from eavesdroppers up to the point where the traffic leaves the OR network.

Source: Onion Router

Tor is a toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features.

You can read more at the Tor site.

Getting Tored Up

For most people Tor is enough, I recommend getting the Tor Bundle, which includes Tor, TorCP and Privoxy.

All you need to do is set your applications to use a proxy, host is localhost and port is 8118.

Instructions with screenshots are here.

Then you’re done, it works for most applications.

Just remember though it’s encrypted from your machine to the end point, not from the end point to wherever it’s going, so that Tor node can see whatever traffic you are sending through Tor..

So make sure you encrypt (POPS, SMTP with TLS etc).

An example is here.

We at the h07 unix research team recognized that people paranoid enough to use tor are still dumb enough to use plaintext-authentication protocols like pop3 and telnet.

They might think it’s “secure because tor encrypts it”. This isn’t the case.

it’s encrypted, but …… communication from client to entry node and exit node to server will still remain as is. POP3, telnet and others will still be plain-text and thus subject to sniffing.

So please, always be REALLY careful :)

True Anonymity?

Still the best way is switching your MAC address and jacking an open Wireless Network, which ethics experts say is ok.

It may not be totally legal, but it’s pretty much bulletproof (Unless of course you get caught in a car parking jacking off to porn downloaded from an open Wireless Access Point).

When you do this, you should make sure you are using an anonymous operating system, so what better than a bootable distro especially for this purpose, called Anonym-OS

You can check it out here.

kaos.theory’s Anonym.OS LiveCD is a bootable live cd based on OpenBSD that provides a hardened operating environment whereby all ingress traffic is denied and all egress traffic is automatically and transparently encrypted and/or anonymized.

Simple Checks

The easiest thing you can do to test your anonymity is to go to WhatismyIP.com and see if the IP showing up is yours or not.

After that you can check out services like:

AuditmyPC Privacy & Spyware Check


And then there are various proxy tests:

Proxy Test and Proxy Checker.

Here you can see if your setup is leaking any info.

Good luck, and stay secure :)

Digg This Article

16 May 2006 | 7,530 views

Browser Security Test – Check Your Browser NOW!

I know this is old, but a lot of people still don’t know about it.

It can test for up to date Mozilla, Opera and Internet Explorer flaws, exploits and vulnerabilities.

Browser vulnerabilities are a serious issue now.

You can see which vulnerabilities they test for here and the statistics of the tests results here.

Total tests finished: 739828
Tests that found high risk vulnerabilities: 219614
Tests that found only medium or low risk vulnerabilities: 82803
Tests that found only low risk vulnerabilities: 9493
Tests that found no vulnerabilities: 427918

The FAQ is here.

Check Your Browser Security Now