Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

04 November 2015 | 953 views

TalkTalk Hack – Breach WAS Serious & Disclosed Bank Details

Cyber Raptors Hunting Your Data?

So it turns out the TalkTalk hack is a lot more serious than they initially tried to make it out to be, TalkTalk claimed that it’s core system wasn’t compromised and only the website was breached.

TalkTalk Hack - Breach WAS Serious & Disclosed Bank Details

But now they’ve admitted the hackers got away with bank account numbers, partial credit card numbers and dates of birth.

British telecoms company TalkTalk has published information regarding the details accessed by hackers in the recent data breach, and law enforcement has announced the arrest of a third suspect in the case.

Shortly after launching an investigation into the incident, TalkTalk attempted to downplay the incident saying that the attackers only breached its website and not its core systems, and that the amount of data exposed is significantly smaller than initially believed.

The company has now revealed that the hackers gained access to less than 21,000 bank account numbers and sort codes, less than 28,000 credit and debit cards, and less than 15,000 dates of birth. As it stated earlier in the investigation, the payment card numbers compromised in the breach are incomplete (i.e. six middle digits are blanked out), which means fraudsters cannot use the information directly to steal money from bank accounts.

TalkTalk also reported that the attackers accessed the names, email addresses and phone numbers of less than 1.2 million customers. The data, allegedly obtained by hackers after exploiting a SQL injection vulnerability, has been reportedly sold on cybercrime forums.

All affected individuals will be contacted and informed about the type of information that has been compromised.

The bad guys also got access to limited details from over 1 Million customers, which is a pretty serious leak. There have been some arrests in the UK since the incident, but mostly young teenagers who maybe got hold of the exploit later or took part in the DDoS.

I don’t really see a 16 year old from Norwich being the mastermind of a complex attack like this. Thankfully for TalkTalk the credit card details were stored with the middle 6 digits missing, so they are pretty useless to carders.

“As we have previously confirmed, the credit and debit card details cannot be used for financial transactions. In addition, we have shared the affected bank details with the major UK banks so they can take their usual actions to protect customers’ accounts in the highly unlikely event that a criminal attempts to defraud them,” TalkTalk said on Friday. “We also encourage you to take up the free 12 months of credit monitoring alerts with Noddle, one of the leading credit reference agencies.”

While the compromised data cannot be used directly to steal money from accounts, it can be highly useful for social engineering attacks, and now that TalkTalk told customers to expect to be contacted, such schemes could become even more successful. TalkTalk users have been warned that scammers and cybercriminals might leverage the recent incident to trick them into handing over bank details and passwords (TalkTalk says it will only ask for two digits), and installing malicious software.

The Metropolitan Police announced over the weekend the arrest of a third suspect in this case, a 20-year-old man from Staffordshire. Investigators had previously arrested a 15-year-old boy from Northern Ireland, and a 16-year-old from Feltham.

The teens were arrested on suspicion of committing offences covered by the Computer Misuse Act, and were later released on bail.

It’s certainly an interesting case, and from the way TalkTalk has acted – it could possibly go even deeper than this. With them already proving they are fully capable of covering up what really happened (at least for a limited time period).

I expect much more news to be cropping up over this in the coming months, if you want to see an absolute train wreck, just watch these:

Talk Talk CEO Dido Harding on the cyber attack – Newsnight
TalkTalk boss: I won’t guarantee against future hacks

Source: Security Week


02 November 2015 | 3,191 views

Scumblr by Netflix – Automatically Scan For Leaks

Scumblr is a search automation web application that helps you to automatically scan for leaks by performing periodic searches and storing / taking actions on the identified results. Scumblr uses the Workflowable gem to allow setting up flexible workflows for different types of results.

Scumblr by Netflix - Automatically Scan For Leaks

How do I use Scumblr?

Scumblr is a web application based on Ruby on Rails. In order to get started, you’ll need to setup / deploy a Scumblr environment and configure it to search for things you care about. You’ll optionally want to setup and configure workflows so that you can track the status of identified results through your triage process.

What can Scumblr look for?

Just about anything! Scumblr searches utilize plugins called Search Providers. Each Search Provider knows how to perform a search via a certain site or API (Google, Bing, eBay, Pastebin, Twitter, etc.). Searches can be configured from within Scumblr based on the options available by the Search Provider. What are some things you might want to look for? How about:

  • Compromised credentials
  • Vulnerability / hacking discussion
  • Attack discussion
  • Security relevant social media discussion


Scumblr includes a number of search providers by default. These include:

  • Google
  • YouTube
  • Facebook
  • Apple AppStore
  • Google Play Store
  • eBay
  • Twitter

Scumblr found stuff, now what?

Up to you! You can create simple or complex workflows to be used along with your results. This can be as simple as marking results as “Reviewed” once they’ve been looked at, or much more complex involving multiple steps with automated actions occurring during the process.

You can download Scumblr here:


Or read more here.

30 October 2015 | 1,557 views

DAMM – Differential Analysis of Malware in Memory

Differential Analysis of Malware in Memory (DAMM) is a tool built on top of Volatility Framework. Its main objective is as a test bed for some newer techniques in memory analysis, including performance enhancements via persistent SQLite storage of plugin results (optional); comparing in-memory objects across multiple memory samples, for example processes running in an uninfected samples versus those in an infected sample; data reduction via smart filtering (e.g., on a pid across several plugins); and encoding a set of expert domain knowledge to sniff out indicators of malicious activity, like hidden processes and DLLs, or windows built-in processes running form the wrong directory.

DAMM - Differential Analysis of Malware in Memory

It is meant as a proving ground for interesting new techniques to be made available to the community. These techniques are an attempt to speed up the investigation process through data reduction and codifying some expert knowledge.


  • ~30 Volatility plugins combined into ~20 DAMM plugins (e.g., pslist, psxview and other elements are combined into a ‘processes’ plugin)
  • Can run multiple plugins in one invocation
  • The option to store plugin results in SQLite databases for preservation or for “cached” analysis
  • A filtering/type system that allows easily filtering on attributes like pids to see all information related to some process and exact or partial matching for strings, etc.
  • The ability to show the differences between two databases of results for the same or similar machines and manipulate from the cmdline how the differencing operates
  • The ability to warn on certain types of suspicious behavior
  • Output for terminal, tsv or grepable


Most DAMM output looks better piped through ‘less -S’ (upper ‘S’) as in:


In an attempt to make the triage process even easier, DAMM has an experimental warning system built in to sniff out signs of malicious activity including:

For certain Windows processes:

  • incorrect parent/child relationships
  • hidden processes
  • incorrect binary path
  • incorrect default priority
  • incorrect session

For all processes, and loaded DLLs and modules:

  • loaded/run from temp directory

For DLLs:

  • bogus extensions
  • hidden DLLs

Plus more!

  • PE headers in injections
  • SIDs giving domain access
  • debug privileges …

See the warnings.py file for much more information on what DAMM checks for.


You can download DAMM here:

Or read more here.

29 October 2015 | 1,924 views

FBI Recommends Crypto Ransomware Victims Just Pay

Crypto ransomware is a type of malware that holds you ransom by encrypting your files and has been around for a while, but the FBI recently said at a cyber security summit that they advise companies that fall victim just to pay.

FBI Recommends Crypto Ransomware Victims Just Pay

Such malware tends to use pretty strong encryption algorithms like RSA-2048, which you aren’t going to be able to crack. So yah, pragmatically speaking if you got stung by this type of infection – you don’t really have much choice other than to pay.

The Federal Bureau of Investigation (FBI) advises companies that fall victim to hacks involving Cryptolocker, Cryptowall or other forms of ransomware to pay the ransom, said Joseph Bonavolonta, an assistant special agent with FBI, speaking at the Cyber Security Summit 2015 in Boston

Noting that while the agency has their back, “the ransomware is that good,” the Security Ledger quoted Bonavolonta as saying. “To be honest, we often advise people just to pay the ransom” because efforts by the Bureau to defeat the encryption used have proved futile.

But he added that the success of the ransomware has benefited the victims in a twisted way because having so many people willing to pay has driven the price down since malware authors are less likely to try to charge excessive ransom amounts.

Even with all the power the Bureau has, they can’t crack this kind of stuff. And well even if they could, they aren’t going to fire up their super computer farm again some companies encrypted stash of ransomed Excel documents.

It’s interesting to see them kind of officially say it though, that this ransomware is really well made and you don’t really have much choice.

Stu Sjouwerman, CEO at KnowBe4, told SCMagazine.com that he agrees in part with the Bonavolonta’s advice because if a company stands to lose week’s or month’s worth of work while trying to decrypt its files, paying out $500 or so in ransom can be viewed as the equivalent of what he called a cheap “security audit.”

However, Sjouwerman said that the FBI should focus more on education and prevention rather than just giving in to the bad guys.

“I understand where they are coming from but rewarding the bad guys for bad behavior will only reinforce bad behavior,” Sjouwerman said.

He recommended that companies have backup files that are regularly tested, be religious about application and operating system updates, and ensure employees are trained in cybersecurity best practices.

So yah, if you run an organisation, without backups – you kinda deserve this kinda scam coming in your direction. But just be aware, if you do get an infection it could be costly and a royal pain in the arse.

Source: SC Magazine

27 October 2015 | 22,196 views

Infernal Twin – Automatic Wifi Hacking Tool

Infernal Twin is an automatic wifi hacking tool, basically a Python suite created to aid penetration testers during wireless assessments, it automates many of the common attacks – which can get complicated and hard to manage when executed manually.

Infernal Twin - Automatic Wifi Hacking Tool

The author noticed a gap in the market with there being many tools to automate web application testing and network pen-tests, but nothing really aimed at Wifi apart from some commercial tools. So this is an attempt to create a ‘1-click’ style wifi attack tool – something like Metasploit. A framework with a whole bunch of different attack vectors bundled together in one interface.


  • WPA2 hacking
  • WEP Hacking
  • WPA2 Enterprise hacking
  • Wireless Social Engineering
  • SSL Strip
  • Evil Access Point Creation
  • Infernal Wireless
  • Report generation
  • PDF Report
  • HTML Report
  • Note taking function
  • Data is saved into Database
  • Network mapping
  • MiTM
  • Probe Request

The tool leverages the work done on other utilities to avoid reinventing the wheel, popular wifi security tools such as aircrack-ng and SSLStrip.

You can download Infernal Twin here:


Or read more here.

24 October 2015 | 906 views

WP Security Audit Log – A Complete Audit Log Plugin For WordPress

WP Security Audit Log is a complete audit log plugin for WordPress, which helps you keep an audit log of everything that is happening on your WordPress and WordPress multisite installation. Ensure user productivity and identify WordPress security issues before they become a security problem. This is claimed to be the most comprehensive user monitoring and audit log plugin for WordPress and is already helping thousands of WordPress administrators, owners and security professionals ensure the security of their websites and blogs.

WP Security Audit Log - A Complete Audit Log Plugin For WordPress

Increase the security of your WordPress install with good security measures, supplement it by installing WP Security Audit Log and using tools like WPScan the WordPress Vulnerability Scanner.


The plugin has a number of features that make WordPress and WordPress multisite monitoring and auditing easier, such as:

  • Realtime Audit Log viewer to watch user activity as it happens without any delays
  • Built-in support for reverse proxies and web application firewalls more information
  • Limit who can view the security alerts by users and roles
  • Limit who can manage the plugin by users and roles
  • Configurable WordPress dashboard widget highlighting the most recent critical activity
  • Configurable WordPress security alerts pruning rules
  • User role is reported in alerts for a complete overview of what is happening
  • User avatar is reported in the alerts for better recognizability
  • Enable or disable any security alerts

It also has a whole bunch of extensions/add-ons which are mostly paid which allow you to do things like store the log in an external database and generate compliance reports.

Logs Generated

The main purpose of using this, is that it keeps a log of everything happening on your WordPress blog or website and WordPress multisite install. This plugin makes it easier to track suspicious user activity before it becomes a problem or a security issue. A security alert is generated by the plugin when:

  • New user is created via registration or by another user
  • User changes the role, password or other profile settings of another user
  • User on a WordPress multisite network is added or removed from a site
  • User uploads or deletes a file, changes a password or email address
  • User installs, activates, deactivates, upgrades or uninstalls a plugin
  • User creates a new post, page, category or a custom post type
  • User modifies an existing post, page, category or a custom post type
  • User creates, modifies or deletes a custom field from a post, page or custom post type
  • User adds, moves, modifies or deletes a widget
  • User installs or activates a new WordPress theme
  • User changes WordPress settings such as permalinks or administrator notification email
  • WordPress is updated / upgraded
  • Failed login attempts

It also helps with troubleshooting and enables you to quickly pin-point what went down before a problem occured. Very helpful if you support a lot of WordPress customer sites.

You can download WP Security Audit Log latest stable version here:


Or read more here.

22 October 2015 | 2,727 views

Fitbit Vulnerability Means Your Tracker Could Spread Malware

So it seems there is a Fitbit vulnerability involving the BlueTooth implementation that can be used to embed self replicating malware onto the wearable fitness tracker. I actually own a Fitbit, and have had previous models too, so this is quite interesting to me.

Fitbit Vulnerability Means Your Tracker Could Spread Malware

The malware could spread to your PC/Laptop if you’re using the syncing dongle, or to other Fitbit trackers. From what I’ve read of it though, it’s mostly theoretical. It could work under some circumstances, but there’s no real live code out there infecting Fitbit devices and spreading itself.

A vulnerability in FitBit fitness trackers first reported to the vendor in March could still be exploited by the person you sit next to on a park bench while catching your breath.

The athletic-achievement-accumulating wearables are wide open on their Bluetooth ports, according to research by Fortinet. The attack is quick, and can spread to other computers to which an infected FitBit connects.

Attacks over Bluetooth require an attacker hacker to be within meters of a target device. This malware can be delivered 10 seconds after devices connect, making even fleeting proximity a problem. Testing the success of the hack takes about a minute, although it is unnecessary for the compromise.

Fortinet researcher Axelle Apvrille (@cryptax) told Vulture South that full persistence means it does not matter if the FitBit Flex is restarted; any computer that connects with the wearable can be infected with a backdoor, trojan, or whatever the attacker desires.

“An attacker sends an infected packet to a fitness tracker nearby at bluetooth distance then the rest of the attack occurs by itself, without any special need for the attacker being near,” Apvrille says.

“[When] the victim wishes to synchronise his or her fitness data with FitBit servers to update their profile … the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code.

“From there, it can deliver a specific malicious payload on the laptop, that is, start a backdoor, or have the machine crash [and] can propagate the infection to other trackers (Fitbits).”

It is the first time malware has been viably delivered to fitness trackers.

You can see the video of the PoC here – FitBit malware injection by Axelle Apvrille.

It’s an interesting area for sure, wearable security – along with the whole Internet of Things movement, it could be one the next security/privacy frontiers. Imagine in urban, high density areas, there must be literally thousands of these devices within close proximity to each other.

The rate a real worm could spread, would be quite scary.

The attack vectors are still present. Apvrille warned FitBit in March and says the company considers it a bug which will be squashed at some point.

Apvrille, a respected malware researcher, will offer a proof-of-concept demonstration video at the Hack.Lu conference in Luxembourg tomorrow.

“The video demonstrates that the infection persists over multiple messages,” she says. “Even when I fully reset the connection with the tracker, most of the infected bytes persist, so that means we have enough space to convey a short malicious code.”

Apvrille has pulled off other hacks; she is able to manipulate the number of counted steps and logged distance to earn badges that can be traded in for discounts and prizes.

Those badges can be turned into discounts and gifts through third-party companies such as Higi which in April launched an API to help companies receive health data derived from wearables.

Apvrille has reversed 24 messages from the Fitbit tracker and 20 from the USB Bluetooth dongle as part of the largely ground-up reverse engineering work since the devices are closed-source and do not come with documentation on software internals.

She says communication is over XML and Bluetooth Low Energy while encryption and decryption occurs on the wearable device, and not on the dongle which is “outside of the security boundaries”.

The communications data sets are divided into “mega dumps” that include walking steps and user activity information, and “micro dumps” which relate to pairing, server responses, and device identifiers.

The work adds new information on the low-level software internals of Fitbit to an existing repository of work built by fellow researchers.

It’s a bit sad that Fitbit has known about this since March, but the vector isn’t fixed. They do say they will fix it, but there’s no timeline as to when.

I hope the bad guys don’t pick this up and run with it. I’m personally pretty safe, as there’s a very low penetration of wearables where I am, but it could be terrible for the industry as a whole.

Source: The Register

20 October 2015 | 1,787 views

OWASP WebGoat – Deliberately Insecure Web Application

WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. This program is a demonstration of common server-side application flaws. The exercises are intended to be used by people to learn about application security and penetration testing techniques.

In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.

OWASP WebGoat - Deliberately Insecure Web Application

Why the name “WebGoat”? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? Just blame it on the ‘Goat!

We’ve written about various Vulnerable Web Apps before including those such as:

Mutillidae – Vulnerable Web-Application To Learn Web Hacking
OWASP Bricks – Modular Deliberately Vulnerable Web Application
WackoPicko – Vulnerable Website For Learning & Security Tool Evaluation
Jarlsberg – Learn Web Application Exploits and Defenses
Damn Vulnerable Web App – Learn & Practise Web Hacking

WebGoat for J2EE is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard.

Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised.

All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission. The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security.

What can you learn?

  • Cross-site Scripting (XSS)
  • Access Control
  • Thread Safety
  • Hidden Form Field Manipulation
  • Parameter Manipulation
  • Weak Session Cookies
  • Blind SQL Injection
  • Numeric SQL Injection
  • String SQL Injection
  • Web Services
  • Fail Open Authentication
  • Dangers of HTML Comments
  • … and many more!

Getting Started

It’s easy to get started with WebGoat.

The easiest way is to simply download the WebGoat-6.0.1-war.exec.jar binary and run it with:

Then browse to http://localhost:8080/WebGoat to access the app. Detailed instructions here.

You can download WebGoat 6.0.1 here:


Or read more here.

17 October 2015 | 2,908 views

windows-privesc-check – Windows Privilege Escalation Scanner

Windows-privesc-check is standalone executable that runs on Windows systems. It tries to find misconfiguration that could allow local unprivileged users to escalate privileges to other users or to access local applications (e.g. databases).

windows-privesc-check - Windows Privilege Escalation Scanner

Essentially it’s a Windows privilege escalation scanner, the Microsoft side of the World counterpart to unix-privesc-check – which we wrote about a while back.

It is written in Python and converted to an executable using PyInstaller so it can be easily uploaded and run (as opposed to unzipping python + other dependencies). It can run either as a normal user or as Administrator (obviously it does a better job when running as Administrator because it can read more files).

Find Privesc Vectors (as Administrator)

When run with admin rights, windows-privesc-check has full read access to all secureable objects.

This allows it to perform audits for escalation vectors such as:

  • Reconfiguring Windows Services
  • Replacing Service executables if they have weak file permissions
  • Replacing poorly protected .exe or .dll files in %ProgramFiles%
  • Tojaning the %PATH%
  • Maliciously modifying the registry (e.g. RunOnce)
  • Modifying programs on FAT file systems
  • Tampering with running processes

A great many of the privielges escalation vectors checked are simply checks for weak security descriptors on Windows securable objects, when complete a report is generated in HTML, TXT and XML format.

Find Privesc Vectors (as a Low-Privileged User)

An important design goal is that windows-privesc-check can perform as many checks as possible (above) without admin rights. This will make the tool useful to pentesters as well as auditors.

Clearly, low-privileged users are unable to see certain parts of the registry and file system. The tool is therefore inherently less able to identify security weaknesses when run as a low-privileged user.

As above, a report is generated in HTML, TXT and XML format.

Provide Information To Help Compromise A Remote System

Given low-privileged credentials (or perhaps using anonymous access), windows-privesc-check should provide basic information which might help the user compromise the remote system. This might include:

  • Details of poorly configure shares
  • A list of admin-equivalent users
  • Information about its domain membership and the trusts configured for that domain

You can download windows-privesc-check here:


Or read more here.

15 October 2015 | 1,852 views

More Drama About Hillary Clinton’s E-mail Leak – VNC & RDP Open

So this Hillary Clinton’s e-mail leak case has been a pretty interesting phenomena to observe and has been going on since last month, we didn’t really cover it as well it mostly concerns US politics – not a huge area of interest for most.

But it’s getting more and more interesting, there was a report that 32,000 of Hillary Clinton’s Email for auction to the highest bidder.

More Drama About Hillary Clinton's E-mail Leak - VNC & RDP Open

But it was rather unsubstantiated. Now it’s getting more and more interesting, seeing as though Hillary used a private e-mail server “for convenience” and this server also had VNC and RDP open to the INTERNET. Yah..

It also includes her using the same e-mail, yes a state department server technically, for personal e-mails.

Not only did Democratic Party presidential hopeful Hillary Clinton run her own email server while at the State Department: someone, presumably her friendly local sysadmin, decided it needed remote desktop protocol (RDP) and desktop sharing code virtual network computing (VNC) exposed to the Internet.

The folks at Associated Press were alerted to the situation by a Serbian geek the newswire hasn’t named, but who ran bulk port-scans that happened to include Hillary’s email server.

The scans came from the anonymous researcher who in 2013 published the white-botnet-driven “Internet census”, AP says.

Scans of a server that identified itself as clintonemail.com in August and December 2012 showed open ports for RDP and VNC. In March 2012, Microsoft warned that RDP was likely to be attacked, and in October of the same year Verizon warned that RDP’s default Port 3389 was among the most-scanned on the Internet.

So yah, apart from running her own e-mail server rather than using government resources or using a more secure, managed e-mail solution like Google Apps, whoever set it up also thought having VNC and RDP open to the Internet was a smart idea.

Or well, more likely they didn’t think about it at all. It was just such a hassle to get into wherever the server was stored, they installed remote access software and enabled it over the public IP.

VPN? What?

The researcher told AP the server also presented VNC to the Internet at large.

The State Department at the time required a waiver for any of its own techs to use remote access tools for systems administration, all the way down to unclassified servers, the AP notes.

There’s also a suggestion that a Web server – probably bundled with whichever operating system distribution clintonemail.com ran – was running, although not in use.

The Internet Census port-scan showed two other devices that had open ports, but those aren’t identified by the newswire. Presumably one of them was a broadband modem – still leaving one mystery device to be identified.

Another interesting story to note is that all the e-mails were backed up to the cloud using a service called Datto Inc:

Unbeknownst to Clinton, IT firm had emails stored on cloud; now in FBI’s hands

And I wonder if their waivers were signed? I somehow doubt protocol was followed in this case, as using a state funded e-mail server for personal e-mails is probably very much against due process.

Now this was a while back, the actual occurrence being in 2012 – but I guess it’s rising back up again now with Hillary vying for the presidency.

Source: The Register