Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on RSS or Twitter for the latest updates.

06 March 2014 | 754 views

Target CIO Beth Jacob Resigns After Huge Breach

Secure Your Website with Acunetix

So the latest news this week is that the Target CIO Beth Jacob has resigned, it seems to be somewhat linked to the massive heist of credit card details from Target that took place in December last year.

To be fair it was a fairly complex, high-level attack and I’m pretty sure most companies would have been infiltrated with a similarly pervasive attack vector.

Beth Jacob - Target CIO

Target CIO Beth Jacob has apparently fallen on her sword in the wake of the massive security breach in mid-December that compromised 40 million debit and credit cards and swept national headlines. Her resignation was rendered this week effective immediately.

“If you look at the history of other large data breaches, turnover at the top of the IT shop is not unusual,” says retail IT consultant Cathy Hotka.

Target CEO Gregg Steinhafel says the retailer is now looking outside the company for a CIO to succeed Jacob and help overhaul its network security, according to the Wall Street Journal.

Ironically, Jacob, who has a sterling reputation among retail CIOs, was thought of as a great hire by Target in 2008, Hotka says.

Target’s security incident — from the sophisticated breach to Steinhafel penning a mea culpa open letter to Target customers to running apologetic ads in the Wall Street Journal and other major publications to Jacob’s resignation — is a watershed moment for retail CIOs. They are now faced with rethinking their data security strategy.

The kind of breach that occurred at Target was highly sophisticated. Hackers slipped their software into Target’s computer systems via credentials stolen from one of Target’s vendors, reported the Wall Street Journal. The software eventually made its way to checkout stations and began amassing credit card data.

Having worked in this industry for many years, it really comes as no surprise how lackadaisical corporate information security can be at times.

And this was a pretty slick multi-level attack coming in at first through a vendor’s access, and eventually landing on the POS terminals – as was the plan from the beginning I would imagine.

“The people who are responsible for these kinds of breaches are well-organized, criminal enterprises,” Hotka says. “If you went to go up to a bunch of retail CIOs and asked them, ‘Could this have happened to you?’ the answer would be, yes.”

CIOs are put in a tough position because they’re not given adequate security funding, Hotka says. She recalls five years ago when the CIO of apparel and home fashions retailer TJX Companies had asked for additional data security resources and didn’t get them. A massive security breach followed, compromising millions of credit card numbers. TJX Companies agreed to pay $40.9 million to resolve potential claims by banks.

Given the growing sophistication of attacks, retail CIOs must now reconsider whether or not managing the risk in-house is wise. As Jacob’s resignation shows, a retail CIO is culpable yet might not have the know-how or resources to protect the company.

So should retail CIOs outsource data security to the experts?

“I think at this stage it’s not unreasonable,” Hotka says.

There’s a LOT of articles going around about this at the moment, many concerning who’s to blame, was it the CIO? who’s fault is it that engineers brought up that they felt there’s a problem? and so on.

Could the CIO have prevented this? Perhaps if she was very technical and on the ground concerning security practice, but honestly there should be a CSO for that and it falls more under the remit of the CTO than the CIO in my eyes.

Source: Network World



04 March 2014 | 2,003 views

EyeWitness – A Rapid Web Application Triage Tool

EyeWitness is a rapid web application triage tool designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.

EyeWitness

The author would love for EyeWitness to identify more default credentials of various web applications. So as you find devices which utilizes default credentials, please e-mail him the source code of the index page and the default credentials so he can add it in to EyeWitness. You can e-mail to EyeWitness [@] christophertruncer [dot] com.

Inspiration came from Tim Tomes’s PeepingTom Script. The author just wanted to change some things, and then it became a thought exercise to write it again himself.

EyeWitness is designed to run on Kali Linux. It will auto detect the file you give it with the -f flag as either being a text file with URLs on each new line, nmap xml output, or nessus xml output. The -t (timeout) flag is completely optional, and lets you provice the max time to wait when trying to render and screenshot a web page. The –open flag, which is optional, will open the URL in a new tab within iceweasel.

Setup

Navigate into the setup directory and run the setup.sh script.

Usage

./EyeWitness.py -f filename -t optionaltimeout --open (Optional)

Examples

./EyeWitness -f urls.txt

./EyeWitness -f urls.xml -t 8 --open

You can download EyeWitness here (Or clone the Github repo):

master.zip

Or read more here.


26 February 2014 | 744 views

Apple Retires Support Leaving 20% Of Macs Vulnerable

There’s been a lot of news and scrambling lately related to the Apple SSL vulnerability, and this week Apple announced it would no longer be supporting OS X 10.6 AKA Snow Leopard.

It looks like Lion and Mountain Lion will be supported for a while, and an upgrade to Mavericks is free, so there’s no real reason not to.

The free upgrade path seems to be working fairly well for them, with 42% of all versions of OS X used in January being attributed to Mavericks.

Apple on Tuesday made it clear that it will no longer patch OS X 10.6, aka Snow Leopard, when it again declined to offer a security update for the four-and-a-half-year-old operating system.

As Apple issued an update for Mavericks, or OS X 10.9, as well as for its two predecessors, Mountain Lion (10.8) and Lion (10.7), Apple had nothing for Snow Leopard or its owners yesterday.

Snow Leopard was also ignored in December, when Apple patched Safari 6 and 7 for newer editions of OS X, but did not update Safari 5.1.10, the most-current Apple browser for the OS.

Apple delivered the final security update for Snow Leopard in September 2013.

Traditionally, Apple has patched only the OS X editions designated as “n” and “n-1″ — where “n” is the newest — and discarded support for “n-2″ either before the launch of “n” or immediately after. Under that plan, Snow Leopard was “n-2″ when Mountain Lion shipped in mid-2012, and by rights should have been retired around then.

But it wasn’t. Instead, Apple continued to ship security updates for Snow Leopard, and with Tuesday’s patches of Mountain Lion and Lion Tuesday, it now seems plain that Apple has shifted to supporting “n-2″ as well as “n” and “n-1.”

(In that scenario, Mavericks is now “n,” Mountain Lion is “n-1″ and Lion is “n-2.”)

The change was probably due to Apple’s accelerated development and release schedule for OS X, which now promises annual upgrades. The shorter span between editions meant that unless Apple extended its support lifecycle, Lion would have fallen off the list about two years after its July 2011 launch.

Apple only used to support the current product and the release before that, but Snow Leopard has been supported far longer than that – which indicates they are now probably supporting the current release and the two before that.

Though they haven’t really released any formal statements about support, end of life procedures or timelines. They do have an accelerated release timeline now so it does make sense for them to support more previous releases.

None of this would be noteworthy if Apple, like Microsoft and a host of other major software vendors, clearly spelled out its support policies. But Apple doesn’t, leaving users to guess about when their operating systems will fall off support.

“Let’s face it, Apple doesn’t go out of their way to ensure users are aware when products are going end of life,” said Andrew Storms, director of DevOps at security company CloudPassage, in a December interview.

To Apple, Snow Leopard increasingly looks like Windows XP does to Microsoft: an operating system that refuses to roll over and die. At the end of January, 19% of all Macs were running Snow Leopard, slightly more, in fact, than ran its successor, Lion, which accounted for 16%, and almost as much as Mountain Lion, whose user share plummeted once Mavericks arrived, according to Web analytics firm Net Applications.

With Snow Leopard’s retirement, 1 in 5 Macs are running an operating system that could be compromised because of unpatched vulnerabilities.

Snow Leopard users have given many reasons for hanging on, including some identical to those expressed by Windows XP customers: The OS still works fine for them; their Macs, while old, show no sign of quitting; and they dislike the path that Apple’s taken with OS X’s user interface (UI).

If Apple really wants more corporate/enterprise support – they really need to come out with some formal policies for support and end of life. Also they could really use some enterprise level tools for delivering patches/OS upgrades.

On top of that we also have a whole lot of people who choose not to upgrade for whatever reason (the same folks still using Windows XP) – who will become vulnerable at some point.

Source: Network World


24 February 2014 | 1,258 views

wig – WebApp Information Gatherer – Identify CMS

wig is a Python tool that identifies a websites CMS by searching for fingerprints of static files and extracting version numbers from known files.

OS identification is done by using the value of the ‘server’ and ‘X-Powered-By’ in the response header. These values are compared to a database of which package versions are include with different operating systems.

The version detection is based on md5 checksums of statics files, regex and string matching. OS detection is based on headers and packages listed in the ‘server’ header. There’s a quite large database of package versions included in common linux distros.

The author uses scripts to automatically update the md5 checksums for new versions of open source CMS the the tool is capable to detecting. This one of the main advantages over BlindElephant and WhatWeb.

There are some other tools similar to this such as:

- Web-Sorrow v1.48 – Version Detection, CMS Identification, Enumeration & Server Scanning Tool
- WhatWeb – Next Gen Web Scanner – Identify CMS (Content Management System)

And web services like http://builtwith.com/

There are currently three profiles for wig:

  1. Only send one request: wig only sends a request for ‘/’. All fingerprints matching this url are tested.
  2. Only send one request per plugin: The url used in most fingerprints is used
  3. All fingerprints: All fingerprints are tested

You can download wig here (or just clone it from the Github repo):

master.zip

Or read more here.


19 February 2014 | 1,182 views

2 Different Hacker Groups Exploit The Same IE 0-Day

It hasn’t been too long since the last serious Internet Explorer 0-day, back in November it was used in drive-by attacks – Another IE 0-Day Hole Found & Used By In-Memory Drive By Attacks.

And earlier last year there was an emergency patch issued – Microsoft Rushes Out ‘Fix It’ For Internet Explorer 0-day Exploit.

This time though it seems two different groups have figured this one out and have developed attack code independently, that ended up pretty similar (which is not surprising considering it’s attacking the same exploit).

Two different hacker groups are exploiting the same still-unpatched vulnerability in Internet Explorer (IE) with almost-identical attack code, a security researcher said Tuesday.

The attacks, the first campaign unearthed last week by FireEye and a second campaign found by Websense, exploit a flaw in IE9 and IE10, two editions of Microsoft’s browser. Attacks have been spotted targeting only IE10, however.

According to FireEye, the attacks it found targeted current and former U.S. military personnel who visited the Veterans of Foreign Wars (VFW) website. Meanwhile, Websense reported that the exploit it discovered had been planted on the website of a French aerospace association, GIFAS (Groupement des Industries Francaises Aeronautiques et Spatiales), whose members include defense and space contractors.

GIFAS is best known to the public as the sponsor of the Paris Air Show, where commercial and military aircraft makers strut their newest fixed-wing planes and helicopters.

Aviv Raff, chief technology officer at security firm Seculert, contended that the attacks uncovered by FireEye and Websense were the work of two gangs.

The attack will work on both IE9 and IE10, but it seems the groups are only targeting IE10 for some reason. Also it seems to be targeting defense/military related targets via related websites. It is possible both groups are using the same attack code though purchased through the black market and customised to their particular purpose.

IF people are already using IE11 though (which is heavily pushed in Windows 7/8 updates) they will be safe against this particular attack.

Raff confirmed that Seculert believed two different groups of cyber criminals were at work, both leveraging the same IE zero-day vulnerability, in an interview conducted via instant message Tuesday.

“We do see similar variations of zero-day exploits, but zero-day [vulnerabilities] that were never publicly disclosed before, that is not that common [for two groups to use simultaneously],” Raff said in that interview.

He speculated that the two hacker gangs probably obtained the attack code from the same third-party by purchasing it on the black market. “The elements of the exploits are almost identical,” Raff added, explaining his reasoning.

Although Microsoft has acknowledged that both 2011′s IE9 and 2012′s IE10 contain the vulnerability, it has yet to issue an official security, the usual first step towards publishing a patch. Nor has the Redmond, Wash. company’s security team named any temporary defensive measures, which are frequently offered in the “Fixit” format.

Instead, Microsoft has encouraged users to upgrade to IE11, which is immune to the attacks. However, Windows Vista owners running IE9 cannot migrate to IE11 as the latter does not support the little-used Vista.

Raff also said Seculert’s research had found that the malware used in the GIFAS campaign had changed the hosts files of the infected machines to redirect any remote access software traffic through the hackers’ servers so that they could steal log-on credentials.

“The domains that were added to the hosts file by the malware provide remote access to the employees, partners, and third-party vendors of a specific multinational aircraft and rocket engine manufacturer,” said Raff on the blog.

This case appears to be quite a focused attack though and the zero day isn’t being used to do drive by malware installation, or to build a botnet. Although now the exploit code is out there, I don’t see that kind of activity being too far behind.

It’ll be interesting to see if Microsoft consider this serious enough to push an out of band patch out before the next patch Tuesday rolls around.

Source: Network World


14 February 2014 | 1,670 views

Azazel – Userland Anti-debugging & Anti-detection Rootkit

Azazel is a userland rootkit written in C based off of the original LD_PRELOAD technique from Jynx rootkit. It is more robust and has additional features, and focuses heavily around anti-debugging and anti-detection. Features include log cleaning, pcap subversion, and more.

Azazel Rootkit

Features

  • Anti-debugging
  • Avoids unhide, lsof, ps, ldd detection
  • Hides files and directories
  • Hides remote connections
  • Hides processes
  • Hides logins
  • PCAP hooks avoid local sniffing
  • Two accept backdoors with full PTY shells.
    • Crypthook encrypted accept() backdoor
    • Plaintext accept() backdoor
  • PAM backdoor for local privesc and remote entry
  • Log cleanup for utmp/wtmp entries based on pty
  • Uses xor to obfuscate static strings

As with anything of this nature, it’s recommended you check the source-code/run it in a safe environment etc. But if I have to emphasise stuff like that, this is probably the wrong site for you.

You can grab Azazel from Github here:

Or read more here.


12 February 2014 | 884 views

The Mask AKA Careto Espionage Malware

So the latest buzz going around is caused by a hacking group that appears to be Spanish and is called The Mask or Careto.

The reason there is a fair amount of buzz is their next level espionage malware that has been targeting government institutions, diplomatic offices and embassies, energy, oil and gas companies, research organizations and activists.

And the crazy part? It’s been in operation over SEVEN YEARS, without detection.

A recently discovered hacking group called “The Mask” has set a new standard for malware used in sophisticated attacks against government agencies, industry and research organizations, experts say.

On Monday, Kaspersky Lab reported discovering the advanced Spanish-speaking group that has been involved in cyberespionage since at least 2007.

The Mask, aka Careto, has targeted government institutions, diplomatic offices and embassies, energy, oil and gas companies, research organizations and activists in 31 countries from the Middle East and Europe to Africa and the Americas.

The hackers’ mission is to steal sensitive data, but the capabilities of their malware go far beyond pilfering documents. It can also take from networks various encryption keys and authentication keys used in machine-to-machine communications.

“Basically, everything secured and confidential easily becomes available and in a plain text,” Dmitry Bestuzhen, head of the research center for Kaspersky Lab in Latin America, said Tuesday.

Versions of the malware were found for Windows, Mac OS X and Linux. Other versions are believed to be capable of infecting Android and iOS mobile devices.

The Mask has built malware that has set a new standard for other hackers to emulate, security experts say.

The implication that’s its likely a Spanish sourced attack is the targets are predominantly Spanish speaking nations and infections in places like Morocco and Gibraltar are on the list.

It’s a fairly cross platform attack as well with Windows, Mac, Linux and even possibly mobile versions for iOS and Android.

The discovery of The Mask, which experts say is likely working for a nation-state, is expected to spark a cyber-arms race, Bestuzhev said.

“They certainly will invest more money in new exploit development, trying to align their cyber-arms to the same level as their potential adversaries,” he said.

To infect systems, the group started with emails designed to get the recipient to click on a link to a malicious website. The site contained a number of exploits that were downloaded based on the configuration of the visitor’s computer.

Following the infection, the visitor was redirected to the benign website referenced in the email, which could be a YouTube movie or news portal.

Because the malware was designed to evade anti-virus software, the best defense would be to catch the malicious app after it is installed.

“This malware highlights how critical it is to audit SSH (machine-to-machine authentication) keys, minimize their number, and regularly change them,” Ylonen said.

Kevin Coleman, strategic management consultant for SilverRhino, which specializes in IT security for U.S. government agencies, favored technology that monitors software behavior in the network and warns of unusual activity.

Organizations should also monitor outbound traffic and make sure it is going to known IP addresses, Coleman said.

It also grabs all kinds of goodies like encryption keys making ‘secure’ communications not so secure any more.

I’ll be interested to see if any more technical details about it come out, or even possibly if the binaries get posted.

Soource: Network World


11 February 2014 | 619 views

Yes – We Now Have A Facebook Page – So Please Like It!

Yes finally, like 6 years later than everyone else we have a Facebook page – it has a huge 3 likes..

I’ll share the posts there (if you don’t use RSS any more since Google Reader closed down – it might be a decent way to keep up) plus some other funny/interesting stuff of relevance I find online.

Right now it has 3 likes, me, a friend and some random who must have discovered it.

So if you use Facebook and want to keep up with us there, do a drop a like on the page.

https://www.facebook.com/darknetorguk


05 February 2014 | 3,298 views

hash-identifier – Identify Types Of Hashes Used To Encrypt Passwords

Somewhat similar to HashTag – Password Hash Type Identification (Identify Hashes) – which we posted about a while back, here we have hash-identifier or Hash ID.

Once again this is a Python script created to identify types of hashes used to encrypt data and especially passwords.

It supports a whole bunch of hashes such as (but not limited to):

  • ADLER-32
  • CRC-32
  • CRC-32B
  • CRC-16
  • CRC-16-CCITT
  • DES(Unix)
  • FCS-16
  • GHash-32-3
  • GHash-32-5
  • GOST R 34.11-94
  • Haval-160
  • Haval-192 110080 ,Haval-224 114080 ,Haval-256
  • Lineage II C4
  • Domain Cached Credentials
  • XOR-32
  • MD5(Half)
  • MD5(Middle)
  • MySQL
  • MD5(phpBB3)
  • MD5(Unix)
  • MD5(WordPress)
  • MD5(APR)
  • Haval-128
  • MD2
  • MD4
  • MD5
  • MD5(HMAC(WordPress))
  • NTLM
  • RAdmin v2.x
  • RipeMD-128
  • SNEFRU-128
  • Tiger-128
  • MySQL5 – SHA-1(SHA-1($pass))
  • MySQL 160bit – SHA-1(SHA-1($pass))
  • RipeMD-160
  • SHA-1
  • SHA-1(MaNGOS)
  • Tiger-160
  • Tiger-192
  • md5($pass.$salt) – Joomla
  • SHA-1(Django)
  • SHA-224
  • RipeMD-256
  • SNEFRU-256
  • md5($pass.$salt) – Joomla
  • SAM – (LM_hash:NT_hash)
  • SHA-256(Django)
  • RipeMD-320
  • SHA-384
  • SHA-256
  • SHA-384(Django)
  • SHA-512
  • Whirlpool

You can download Hash ID v1.1 here:

Hash_ID_v1.1.py

Or read more here.


03 February 2014 | 823 views

A Story Of Social Engineering – How @N Lost His $50,000 Twitter Handle

So last week I read an interesting tale about social engineering on Medium, a story by a chap named Naoki Hiroshima and his Twitter handle, which was @N.

Yes just one letter, a pretty rare and it seems valuable handle as he had offers of up to $50,000 for it. In the end though, someone decided they would just take it. Although there had been many attempts on the account before, this one was successful.

I had a rare Twitter username, @N. Yep, just one letter. I’ve been offered as much as $50,000 for it. People have tried to steal it. Password reset instructions are a regular sight in my email inbox. As of today, I no longer control @N. I was extorted into giving it up.

While eating lunch on January 20, 2014, I received a text message from PayPal for one-time validation code. Somebody was trying to steal my PayPal account. I ignored it and continued eating.

Later in the day, I checked my email which uses my personal domain name (registered with GoDaddy) through Google Apps. I found the last message I had received was from GoDaddy with the subject “Account Settings Change Confirmation.” There was a good reason why that was the last one.

Unsurprisingly, this cautionary tale involves two of the most hated companies online – PayPal and GoDaddy. GoDaddy has accepted partial responsibility though and has agreed that it needs to address and improve the processes that were abused in this case.

GoDaddy accepts partial responsibility in social engineering attack of @N’s customer account

PayPal however has denied giving out any information to the hacker, as would be expected from them:

PayPal denies providing payment information to hacker who hijacked $50,000 Twitter username

I changed my username @N to @N_is_stolen for the first time since I registered it in early 2007. Goodbye to my problematic username, for now.

It’s hard to decide what’s more shocking, the fact that PayPal gave the attacker the last four digits of my credit card number over the phone, or that GoDaddy accepted it as verification.

With my GoDaddy account restored, I was able to regain access to my email as well. I changed the email address I use at several web services to an @gmail.com address. Using my Google Apps email address with a custom domain feels nice but it has a chance of being stolen if the domain server is compromised. If I were using an @gmail.com email address for my Facebook login, the attacker would not have been able to access my Facebook account.

This whole situation just shows why 2 factor authentication is so important and also that you should really use @gmail.com accounts for important stuff rather than vanity domains registered with shady providers like GoDaddy.

Read the full story on Medium to see all the e-mail exchanges and get the full low down on exactly what happened.

Source: Medium.com