Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

04 July 2014 | 3,267 views

ODAT (Oracle Database Attacking Tool) – Test Oracle Database Security

Check Your Web Security with Acunetix

ODAT (Oracle Database Attacking Tool) is an open source penetration testing tool that test Oracle database security remotely.

Usage examples of ODAT:

  • You have an Oracle database listening remotely and want to find valid SIDs and credentials in order to connect to the database
  • You have a valid Oracle account on a database and want to escalate your privileges (ex: SYSDBA)
  • You have a valid Oracle account and want to execute commands on the operating system hosting this DB (ex: reverse shell)

ODAT (Oracle Database Attacking Tool)

Features

  • search valid SID on a remote Oracle Database listener via: a dictionary attack/a brute force attack/ALIAS of the listener
  • search Oracle accounts using: a dictionary attack/each Oracle user like the password
  • execute system commands on the database server using: DBMS_SCHEDULER/JAVA/external tables/oradbg
  • download files stored on the database server using: UTL_FILE/external tables/CTXSYS
  • upload files on the database server using: UTL_FILE/DBMS_XSLPROCESSOR/DBMS_ADVISOR
  • delete files using: UTL_FILE
  • send/reveive HTTP requests from the database server using: UTL_HTTP/HttpUriType
  • scan ports of the local server or a remote server using: UTL_HTTP/HttpUriType/UTL_TCP
  • exploit the CVE-2012-313 (http://cvedetails.com/cve/2012-3137)

Install/Dependencies

ODAT is compatible with Linux only. A standalone version exists in order to don’t have need to install dependencies and slqplus (see the build folder of the git). The ODAT standalone has been generated thanks to pyinstaller.

If you want to have the development version installed on your computer, these following tool and dependencies are needed:

  • Langage: Python 2.7
  • Oracle dependancies: Instant Oracle basic & Instant Oracle sdk
  • Python libraries: cx_Oracle with the following recommended – colorlog/termcolor/argcomplete/pyinstaller

You can download ODAT standalone here:

32-Bit – odat-linux-libc2.19-i686.tar.gz
64-Bit – odat-linux-libc2.19-x86_64.tar.gz

Or read more here.



02 July 2014 | 1,848 views

Microsoft’s Anti-Malware Action Cripples Dynamic DNS Service No-IP

So it looks like Microsoft has been a little heavy handed in this case, the case of dynamic DNS provider No-IP serving up malware. I would imagine most of us have utilised a dynamic DNS service at some point to map a dynamic IP address to a memorable domain.

It seems that malware folks have been using dynamic DNS services to mask their activities, it has been reported before by Cisco and No-IP appears to be one of the worst perpetrators (even though it’s through no real fault of their own).

Dynamic DNS Malware

This time though, Microsoft went straight into the legal system and took control of 23 domains owned by No-IP (Vitalwerks) – this has disrupted the services of approximately 4 million No-IP clients (according to them).

Microsoft has won a court order to gain control of 23 No-IP domains owned by dynamic DNS (DDNS) provider Vitalwerks Internet Solutions. The US software giant claimed the domains were being used by malware developed in the Middle East and Africa.

Vitalwerks operates its No-IP DDNS service from Nevada, and there is no suggestion it is in league with malware operators.

The service works by mapping users’ IP addresses, such as a home router’s public address, to a customized No-IP domain-name like myhouse.ddns.net. This allows you to connect to a system using a memorable sub-domain if you forget your IP address or your ISP changes it.

Microsoft’s security research team claimed it had identified two pieces of Windows malware, Bladabindi and Jenxcus, using No-IP sub-domains to communicate with their creators in 93 per cent of detected infections, and that 245 other pieces of malware also use No-IP.

“Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity,” claimed Richard Boscovich, assistant general counsel of Microsoft Digital Crimes Unit.

The unfortunate part, is that the domains seized are pretty much all of the services popular domains, which I imagine renders the majority of their service down.

There’s an update from their CEO here – A Message From Our CEO – Dan Durrer

And an overwhelming support on Twitter – #FreeNoIP

Court papers filed in Nevada alleged that Bladabindi was written by Naser Al Mutairi, a Kuwaiti national, while Jenxcus is allegedly run by an Algerian man named as Mohamed Benabdellah. Microsoft claimed the two have sold over 500 copies of the malware to crooks, and actively advertise it while using No-IP to help cover their tracks. The software giant said it has detected over seven million infections by the two packages.

The court has now granted a temporary restraining order against No-IP – as Microsoft accused the DNS biz of acting negligently, and claimed some of the sub-domains contained “Microsoft’s protected marks.”

Redmond further alleged that the defendants in its lawsuit – Al Mutairi, Benabdellah, Vitalwerks and 500 John Does – “violated federal and state law by distributing malicious software through more than 18,000 sub-domains belonging to No-IP, causing the unlawful intrusion into, infection of, and further illegal conduct involving, the personal computers of innocent persons, thereby causing harm to those persons, Microsoft, and the public at large.”

It’s not exactly certain what is going to happen in this case, but I’m pretty sure everyone involved is working towards a less harsh solution. The official statement from No-IP can be found here: No-IP’s Formal Statement on Microsoft Takedown

It’s going to seriously disrupt their service though, I can’t imagine how many gaming servers are down right now! They have updated with a list of currently working domains though if you are using the service you can switch your host to:

  • ddns.net
  • webhop.me
  • serveminecraft.net
  • ddnsking.com
  • onthewifi.com

Source: The Register


27 June 2014 | 2,749 views

Dradis v2.9 – Information Sharing For Security Assessments

Dradis is an open source framework to enable effective information sharing, specially during security assessments. It’s a tool specifically to help in the process of penetration testing. Penetration testing is about information:

  1. Information discovery
  2. Exploit useful information
  3. Report the findings

But penetration testing is also about sharing the information you and your teammates gather. Not sharing the information available in an effective way will result in exploitation opportunities lost and the overlapping of efforts.

Dradis v2.9 - Information Sharing For Security Assessments

Dradis is a self-contained web application that provides a centralised repository of information to keep track of what has been done so far, and what is still ahead.

Features

  • Easy report generation.
  • Support for attachments.
  • Integration with existing systems and tools through server plugins.
  • Platform independent.


Traditional pentesting teams face different types of challenges regarding information sharing. Different tools provide output in different formats, different testers capture evidence in different ways, different companies report differently, etc.

If you do not use a tool to share the information, every tester will use their own notes file to keep track of their findings. Each will store this file locally, or on a shared resource, but the information will not arrive immediately to the rest of the team.

If you want to know what are the latest findings of your mate, you will need to look for the notes file. You also can try talking, but talking is not that effective when you need to know a specific cookie value or a sql query for an injection attack.

It seems reasonable that some effort must be put to increase the quality and efficiency of this process.

You can download Dradis Framework v2.9 here:

Windowsdradis-v2.9.0-setup.exe
Othersdradis-v2.9.0.tar.gz

Or read more here.


25 June 2014 | 2,820 views

Hackers Recreate NSA Snooping Kit Using Off-the-shelf Parts

So some curious hardware hackers grabbed the leaked catalogue that detailed the hardware involved in the NSA Snooping Kit, and have recreated some of the ‘high-tech’ top secret tools with off-the-shelf parts and items that can be bought from Kickstarter.

I mean some of it seems pretty simplistic though, a monitor mirror and a hardware keystroke logger? Nothing ground-breaking there.

NSA Snooping

The Catalogue itself can be found here:

NSA ANT Catalog

The project itself is open, so if you’re into hardware hacking you could have a look and perhaps even contribute something.

Last year Edward Snowden leaked the NSA’s Advanced Network Technology catalog, a listing of the hardware and software tools the agency makes available to agents for spying. Now enterprising security experts are using the catalog to build similar tools using available electronics.

The team, led by Michael Ossmann of Great Scott Gadgets, examined the leaked catalog and found that a number of the devices the NSA developed can be very simple to recreate.

Ossmann was able to build a software-defined radio (SDR) system capable of recording and transmitting data from a target PC using a Kickstarter project, and reckons the hardware can be bought to market for $300 or less.

“SDR lets you engineer a radio system of any type you like really quickly so you can research wireless security in any radio format,” he told New Scientist.

It’s not often we get something interesting regarding hardware hacking, the last time something really interesting popped up was the story about the Researchers who Cracked 4096-bit RSA Encryption With a Microphone.

This project is in early days though, so I’m sure we’ll see some more interesting items coming out of it in the coming months.

Ossmann also said he was able to build two devices from the NSA’s catalog using little more than a few transistors and a two-inch length of wire as an antenna. These mimic the NSA products Ragemaster (a plug that sits on the monitor cable of a computer and broadcasts screen images) and the Surlyspawn keystroke logger, but at a fraction of the cost the government gets charged.

In a presentation at the Hack In The Box conference in Amsterdam this May, Ossmann detailed some of his creations and the methods he and his team used to build them using off-the-shelf components. These devices aren’t as small as the NSA’s hardware, but are just as effective, he said.

The team has now set up a website, NSAPlayset.org, detailing the different spying products they have reverse-engineered, and more details will be given out at presentations at the DEFCON hacking conference being hosted in Las Vegas in August.

Ossmann’s goal isn’t to help hackers conduct their own spying operations, nor to make it easier for the government to get low-cost surveillance hardware. While he has developed tools for the federal government, the goal of this project is to help the security industry understand the range of threats it should be protecting against.

It’s also possible they’ve already developed more devices, but are saving them for future stops on the infosec conference circuit. It does mention DEFCON and some more stuff will be released there in August.

I also find the chaps name pretty apt – Ossmann (Open Source Softare Man).

Source: The Register


23 June 2014 | 1,409 views

Codesake::Dawn – Static Code Analysis Security Scanner For Ruby

Codesake::Dawn is a source code scanner designed to review your code for security issues. Basically a static analysis security scanner for ruby written web applications.

Codesake::Dawn is able to scan your ruby standalone programs but its main usage is to deal with web applications. It supports applications written using majors MVC (Model View Controller) frameworks, like Ruby on Rails, Sinatra & Padrino.

When you run Codesake::Dawn on your code it parses your project Gemfile.lock looking for the gems used and it tries to detect the ruby interpreter version you are using or you declared in your ruby version management tool you like most (RVM, rbenv, …).

Static Code Analysis Security Scanner For Ruby

Then the tool tries to detect the MVC framework your web application uses and it applies the security check accordingly. There checks designed to match rails application or checks that are appliable to any ruby code.

Codesake::Dawn can also understand the code in your views and to backtrack sinks to spot cross site scripting and sql injections introduced by the code you actually wrote. In the project roadmap this is the code most of the future development effort will be focused on.

Codesake::Dawn security scan result is a list of vulnerabilities with some mitigation actions you want to follow in order to build a stronger web application.

Options

Installation

codesake-dawn rubygem is cryptographically signed. To be sure the gem you install hasn’t been tampered, you must first add paolo@codesake.com public signing certificate as trusted to your gem specific keyring.

You can install latest Codesake::Dawn version, fetching it from Rubygems by typing:

Or read more here.


20 June 2014 | 2,811 views

Source Code Hosting Service Code Spaces Deleted By Hacker

There’s been a LOT of noise about this incident in the past day or two, the very definition of a cloud nightmare. Git/SVN & Project Management SaaS Code Spaces has been hacked and completely deleted by a hacker.

It started off with a large scale DDoS attack (the likes of which Feedly and Evernote have also seen this month) – and in all cases the malicious parties have been asking for ransom money to stop the attacks.

Code Spaces Deleted By Hacker

This time however, with Code Spaces – somehow the malicious parties got access to their Amazon console..which gave them access to delete everything, including snapshots and backups. This has rendered Code Spaces totally inoperable, and unfortunately it looks like they won’t be able to recover from this.

Source code hosting provider Code Spaces has suffered the ultimate cloud nightmare, having been effectively forced out of business by the actions of an attacker who managed to gain access to its Amazon EC2 control panel.

The devastating incident began on June 17 when Code Spaces – a company that claimed to offer “Rock Solid, Secure and Affordable Svn Hosting, Git Hosting and Project Management” – became the target of a DDoS attack from an unknown party who demanded “a large fee” to make it stop.

This isn’t the first such incident in recent weeks. Evernote and Feedly were each knocked down on June 10, reportedly by criminals trying to extort money. Both managed to restore their services, albeit only after extended outages.

The difference this time is that in addition to having access to a formidable botnet, Code Spaces’ assailant had also gained access to the company’s Amazon EC2 control panel, giving him control over the data it had stored using Amazon’s Elastic Block Store (EBS) and S3 cloud services.

“We finally managed to get our panel access back but not before he had removed all EBS snapshots, S3 buckets, all AMI’s, some EBS instances and several machine instances,” the company wrote in a message posted to its homepage. “In summary, most of our data, backups, machine configurations and offsite backups were either partially or completely deleted.”

The ironic part is they make claims about having bulletproof ‘offsite’ backups, when all they seem to mean is they put some backups in a different Amazon region – not even on a different cloud platform – so anyone having access to their Amazon console..could nuke everything. You can see their claims on Archive.org here.

We have invested a great deal of time and effort in developing a real-time backup solution that allows us to keep off-site, fully functional backups of your data – at high performance. We literally backup everything you do, as soon as you do it.

Also why weren’t they using 2 Factor Authentication for such an important account? I’m really very interested in how the extortion DDoS gang got hold of their Amazon credentials.

The net effect was that, once the smoke cleared, Code Spaces no longer had any service to offer its customers.

“Code Spaces will not be able to operate beyond this point,” the company’s statement reads, “The cost of resolving this issue to date and the expected cost of refunding customers who have been left without the service they paid for will put Code Spaces in an irreversible position both financially and in terms of ongoing credibility.”

The source-sharing site said it is now working to export whatever data remains so that customers can regain access to their files. All Git repositories and some svn repositories are reportedly available for export, although their backups and snapshots have been erased, and some svn repositories have been destroyed altogether. All of Code Spaces’ EBS-hosted database files have also been wiped clean, along with their backups and snapshots.

The company said it is experiencing “massive demand” for support and has asked customers for patience as it struggles to get to everyone.

“On behalf of everyone at Code Spaces, please accept our sincere apologies for the inconvenience this has caused to you, and ask for your understanding during this time!” the statement reads. “We hope that one day we will be able to and reinstate the service and credibility that Code Spaces once had!”

In a way I’m glad this happened though, nothing against Code Spaces (never even heard of the service) – but it’s a lesson to be learnt – Cloud DOES not make you any more secure, in many ways it makes you less secure.

All your eggs in one basket? Then yeah, you are asking to get burnt. Set up pull only backups on an entirely different platform (the desktop in your office is fine, or on Linode/Rackspace/Softlayer etc).

It costs $5 to run up a Digital Ocean VPS and pull backups from your production servers – just do it.

There’s further discussion on Reddit here too – Hacker Puts Code Spaces Out of Business.

Source: The Register


18 June 2014 | 1,654 views

Don’t Get Hacked – Have A Free Acunetix Security Scan

The recent Heartbleed vulnerability has highlighted the urgent need for more network level security scanning. In view of this, Acunetix has announced that it will be offering 10,000 users a Free Acunetix Security Scan with the Acunetix Online Vulnerability Scanner (OVS) in a bid to make it easier for businesses to take control of their network security.

Acunetix Online Vulnerability Scanner is a hosted security scanner that will scan a perimeter server for network level vulnerabilities and provide detailed reports so as to allow the security administrator to fix the vulnerabilities before a hacker finds them.

Acunetix Online Vulnerability Scanner (OVS)

All the Network Scanning capabilities available in Acunetix OVS will be available for free for fourteen days (From today June 18th 2014), allowing users to audit their internet (and hacker) facing servers.

Features

  • Scan your servers for over 35,000 network vulnerabilities
  • Audit your internet facing architecture and identify system and network weaknesses
  • Ensure that servers are not running any illegitimate services, such as a Bitcoin mining botnet
  • Identify any vulnerable versions of applications running on the servers
  • Discover the information that the systems are leaking using various techniques such as OS fingerprinting, port banner grabbing and service probing (like the information SHODAN archives)
  • Ensure that all the organisation’s services, including FTP and mail, do not suffer from Heartbleed
  • Get additional information about other vulnerabilities and network problems detected.

To make use of this offer, you can sign-up at www.acunetix.com/free-network-security-scan/ using a valid company email address. Once your scan target has been verified (it actually belongs to your company), you can then make use of the scanning features mentioned above.


16 June 2014 | 2,133 views

SHODAN – Expose Online Devices (Wind Turbines, Power Plants & More!)

SHODAN is a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters. Some have also described it as a public port scan directory or a search engine of banners.

Web search engines, such as Google and Bing, are great for finding websites. But what if you’re interested in finding computers running a certain piece of software (such as Apache)? Or if you want to know which version of Microsoft IIS is the most popular? Or you want to see how many anonymous FTP servers there are? Maybe a new vulnerability came out and you want to see how many hosts it could infect? Traditional web search engines don’t let you answer those questions.

Shodan - Expose Online Devices

So what does SHODAN index then? Good question. The bulk of the data is taken from ‘banners’, which are meta-data the server sends back to the client. This can be information about the server software, what options the service supports, a welcome message or anything else that the client would like to know before interacting with the server. For example, following is a FTP banner:

This tells us a potential name of the server (kcg.cz), the type of FTP server (Solaris ftpd) and its version (6.00LS). For HTTP a banner looks like:

This can be used to find all sorts of interesting things like Webcams, routers, power plants, iPhones, wind turbines, refrigerators – basically anything connected to the internet that has a banner that identifies what it is.

There is an API service as well if you want to build an app around the data in the Shodan database at https://developer.shodan.io/. The Shodan API is the easiest way to provide users of your tool access to the Shodan data. The API provides access to all of the search features, allowing you to get exactly the information you want. There are libraries for Python, Ruby & NodeJS.

You can get started with Shodan here – http://www.shodanhq.com/


12 June 2014 | 4,324 views

14-Year Olds Hack ATM With Default Password

This is actually a pretty good hack and a good use of the word hacking in the original sense, two curious teenagers managed to access the administrator mode of an ATM in Winnipeg, Canada by using the default password they found in a manual they downloaded online.

Ingenious and pretty forward thinking, I like the fact they were responsible about it too and headed to the branch to let them know there was an issue with the security of their ATM machines.

Hack ATM

I’m not surprised the bank staff were originally skeptical of the teenagers claims as it seems pretty unlikely a couple of 14 year olds could hack your ATM machines..

A Winnipeg BMO branch got an unlikely security tip from two 14-year-olds when the pair managed to get into an ATM’s operating system during their lunch break last Wednesday.

The Grade 9 students, Matthew Hewlett and Caleb Turon, used an ATM operators’ manual they found online to get into the administrator mode of an ATM at a Safeway grocery store. They saw how much money was in the machine, how many transactions there had been and other information usually off-limits for the average bank customer.

“We thought it would be fun to try it, but we were not expecting it to work,” Hewlett told the Winnipeg Sun. “When it did, it asked for a password.”

They managed to crack the password on the first try, a result of BMO’s machine using one of the factory default passwords that had apparently never been changed.

They took this information to a nearby BMO branch, where staff were at first skeptical of what the two high-schoolers were telling them. Hewlett and Turon headed back to the Safeway to get proof, coming back with printouts from the ATM that clearly showed the machine had been compromised.

A slightly more advanced hack I remember writing about a few years back was a group Stealing ATM Pin Numbers Using Thermal Imaging Cameras.

Of course back in 2008 there was the famous ATM hacker ‘Chao’ who gave out a bunch of ATM hacking tips.

ATM Hacks have been around for a long time in various forms (skimming being the most common) – and they will continue to be around.

The teens even changed the machine’s greeting from “Welcome to the BMO ATM” to “Go away. This ATM has been hacked.”

The BMO branch manager called security to follow up on what the teenagers had found, and even wrote them a note to take back to school as explanation for why they were late getting back to class.

According to the Sun, the note started with: “Please excuse Mr. Caleb Turon and Matthew Hewlett for being late during their lunch hour due to assisting BMO with security.

Ralph Marranca, a spokesperson for BMO’s head office, said no customer information was exposed when Turon and Hewlett probed the ATM’s system. He did not immediately respond to questions from Postmedia News about what steps the bank is taking to ensure security at its thousands of ATMs across the country.

I just hope this incident gets enough press that it alerts other banks to audit their ATM Security and ensure they aren’t using the default administrator password.

Of course the Retards category sees a fair number of ATM related requests too.

Source: Edmonton Journal


09 June 2014 | 1,846 views

OWASP Mantra 0.92 – Browser Based Security Framework

OWASP Mantra is a collection of free and open source tools integrated into a web browser, which can become handy for students, penetration testers, web application developers,security professionals etc. It is portable, ready-to-run, compact and follows the true spirit of free and open source software.

Mantra is lite, flexible, portable and user friendly with a nice graphical user interface. You can carry it in memory cards, flash drives, CD/DVDs, etc. It can be run natively on Linux, Windows and Mac platforms. It can also be installed on to your system within minutes. Mantra is absolutely free of cost and takes no time for you to set up.

OWASP Mantra

Mantra is a browser especially designed for web application security testing. By having such a product, more people will come to know the easiness and flexibility of being able to follow basic testing procedures within the browser. Mantra believes that having such a portable, easy to use and yet powerful platform can be helpful for the industry.
Mantra has many built in tools to modify headers, manipulate input strings, replay GET/POST requests, edit cookies, quickly switch between multiple proxies, control forced redirects etc. This makes it a good software for performing basic security checks and sometimes, exploitation. Thus, Mantra can be used to solve basic levels of various web

Mantra Provides

  • A web application security testing framework built on top of a browser.
  • Supports Windows, Linux(both 32 and 64 bit) and Macintosh.
  • Can work with other software like ZAP using built in proxy management function which makes it much more convenient.
  • Available in 9 languages: Arabic, Chinese – Simplified, Chinese – Traditional, English, French, Portuguese, Russian, Spanish and Turkish
  • Comes installed with major security distributions including BackTrack and Matriux

The full list of changes in v0.92 is available here:

OWASP Mantra Security Toolkit 0.92 beta – Janus

You can download OWASP Mantra here:

- Windows: OWASP Mantra Janus.exe
- Linux: OWASP Mantra Janus Linux 32.tar.gz / OWASP Mantra Janus Linux 64.tar.gz

Or read more here.