Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

28 May 2014 | 1,717 views

Pirated ‘Watch Dogs’ Game Made A Bitcoin Mining Botnet

Check For Vulnerabilities with Acunetix

Pretty smart idea this one, we wrote about Yahoo! spreading Bitcoin mining malware back in January, but we haven’t really seen any of that type of activity since then.

Watch Dogs Bitcoin Mining Botnet

But this, this is a much better target audience – gamers with high powered GPUs! Especially as this is one of most hyped ‘next-gen’ games for 2014 (yes I’ve been eagerly awaiting it for my PS4). But pirating Watch Dogs via a torrent from popular warez group SkidRow could make you part of a Bitcoin mining botnet!

Tens of thousands of pirate gamers have been enslaved in a Bitcoin botnet after downloading a cracked copy of popular game Watch Dogs.

A torrent of the infected title, which supposedly has had its copy-protection removed, had almost 40,000 active users (seeders and leachers) and was downloaded a further 18,440 times on 23 May on one site alone.

Pirates reported on internet forums that the torrent package masquerading under the popular torrent brand SkidRow had quietly installed a Bitcoin miner along with a working copy of the game.

The Windows miner ran via two executables installed in the folder AppData\Roaming\OaPja and would noticeably slow down lower performance machines sucking up to a quarter of CPU power.

Most sources have removed the offending torrent. Analysis has yet to be done to determine the location or identities of actors behind the attack.

It seems like it was a massively popular torrent, so the infection could easily reach tens of thousands of pirate gamers, which would then turn into a Bitcoin mining botnet with tens of thousands of users (A fairly profitable proposition, even with the current Bitcoin mining difficulty).

It’s also slightly ironic that the tagline for the game is “Everything is connected” as if you pirate it, everyone is connected..to the botnet. And of course the fact it’s a game about ‘hacking’ – although I haven’t played it yet and the reports of the hacking part aren’t great.

Gamers were choice targets for Bitcoin mining malefactors because they often ran high-end graphical processing units (GPUs) and shunned resource-draining anti-virus platforms.

“If you happen to download cracked games via Torrent or other P2P sharing services, chances are that you may become a victim of [a] lucrative trojan bundled with a genuine GPU miner,” BitDefender chief strategist Catalin Cosoi said of an early Bitcoin miner that targeted gamers.

“We advise you to start checking your system for signs of infection, especially if you are constantly losing frames-per-second.”

Using stolen dispersed compute resources was one of the few ways punters could make decent cash by crunching the increasingly difficult mathematical algorithms required to earn Bitcoins.

Crims have in recent years foisted the compute-intensive Bitcoin miners in a host of attacks targeting valuable high-end GPUs right down to ludicrously slow digital video recorders.

They might have been better off mining something else though (Scrypt based coins like Litecoin or perhaps even X11 mining), if they did X11 mining the users probably wouldn’t even notice any framedrops or their GPU fans spinning at full speed.

I’m honestly surprised we don’t see more botnets based around cryptocurrency mining, I guess it’s just not that mainstream yet. And you need a good bait to get so many people to install malware these days (and get past their anti-virus software).

Which is another reason gamers make a good target as they often don’t even use AV software or disable it for maximum performance.

Source: The Register



26 May 2014 | 2,863 views

Moscrack – Cluster Cracking Tool For WPA Keys

Moscrack is a PERL application designed to facilitate cracking WPA keys in parallel on a group of computers. This is accomplished by use of either Mosix clustering software, SSH or RSH access to a number of nodes. With Moscrack’s new plugin framework, hash cracking has become possible. SHA256/512, DES, MD5 and *Blowfish Unix password hashes can all be processed with the Dehasher Moscrack plugin.

Moscrack

Features

  • Basic API allows remote monitoring
  • Automatic and dynamic configuration of nodes
  • Live CD/USB enables boot and forget dynamic node configuration
  • Uses aircrack-ng (including 1.2 Beta) by default
  • CUDA/OpenCL support via Pyrit plugin
  • CUDA support via aircrack-ng-cuda (untested)
  • Does not require an agent/daemon on nodes
  • Can crack/compare SHA256/512, DES, MD5 and blowfish hashes via Dehasher plugin
  • Supports mixed OS/protocol configurations
  • Supports SSH, RSH, Mosix for node connectivity
  • Effectively handles mixed fast and slow nodes or links
  • Supports Mosix clustering software
  • Nodes can be added/removed/modified while Moscrack is running
  • Failed/bad node throttling
  • Hung node detection
  • Reprocessing of data on error

You can download Moscrack here:

moscrack-2.08b.tar.gz

Or read more here.


22 May 2014 | 1,127 views

eBay Hacked – 128 Million Users To Reset Passwords

The big news this week is that the massive online auction site eBay has been hacked, the compromise appears to have taken place a few months around February/March but has only come to light recently when employee login credentials were used.

eBay Hacked

This is 3 times bigger than the massive 42 Million passwords leaked by Cupid Media last November. But as least they are hashed this time, in the case of Cupid Media – the passwords were in plain text.

eBay‬ has told people to change their passwords for the online tat bazaar after its customer database was compromised.

Names, dates of birth, phone numbers, physical addresses, email addresses, and “encrypted” passwords, were copied from servers by attackers, we’re told. Credit card numbers and other financial records were not touched, and are stored separately, eBay claims. The website has hundreds of millions of user accounts.

Hackers accessed the database between late February and early March after obtaining a few employees’ login credentials, and then infiltrated the corporate network.

The digital break-in of staff accounts was detected about two weeks ago, and sparked a computer-forensics probe that is still ongoing. The website’s investigators today revealed a database containing customer information was accessed by the hackers.

eBay reckons everyone should change their passwords as a precaution – but it hasn’t uncovered any evidence of fraud linked to the breach, it claims. One assumes eBay’s techies have closed the hole the attackers exploited to infiltrate its systems, and has cleared its systems of the miscreants.

The passwords should be reasonably secure as they are hashed and apparently salted too, but the encryption algorithm used is currently unknown. If the passwords do go public, perhaps we can use something like HashTag to identify the hash type and see how secure it is.

And the salting, whilst it doesn’t make a single password much more secure, it does make cracking sets of passwords with Rainbow Tables much harder.

eBay’s handling of the breach notification has already created a fair bit of confusion: eBay-owned PayPal published then deleted an alert instructing users to change up their passwords this morning.

The brief item on PayPal’s site, which included the line “place holder text”, was pulled before the security breach was confirmed soon after in a press release. The warning was eventually restored, although PayPal is not affected by the eBay hack.

The exposure of encrypted passwords is bad news because it’s now easy to create convincing phishing emails urging people to change their eBay passwords – although said scam emails will instead take victims to a site masquerading as eBay.com to swipe their details.

Weak passwords could also be easily cracked if the website’s hashing algorithm isn’t up to scratch, and woe betide anyone using the same crap password across multiple sites with the same email address. The habit of many users of using the same password on multiple sites makes this type of attack all too possible.

You can read the official release on the corporate site here:

eBay Inc. To Ask eBay Users To Change Passwords

I hope more technical details are released as everything seems a bit wishy-washy right now, like how exactly did they get compromised? The biggest danger right now is probably Phishing, someone could capitilize on the list of confirmed eBay users and e-mail them all to reset their passwords on a bogus site.

It’s early days though, I’m sure more info will be released as time goes by (or not, as corporates to tend to like to keep a lid on such incidents).

Source: The Register


20 May 2014 | 2,772 views

Hook Analyser 3.1 – Malware Analysis Tool

Hook Analyser is a freeware application which allows an investigator/analyst to perform “static & run-time / dynamic” analysis of suspicious applications, also gather (analyse & co-related) threat intelligence related information (or data) from various open sources on the Internet.

Essentially it’s a malware analysis tool that has evolved to add some cyber threat intelligence features & mapping.

Hook Analyser 3.1 - Malware Analysis Tool

Hook Analyser is perhaps the only “free” software in the market which combines analysis of malware analysis and cyber threat intelligence capabilities. The software has been used by major Fortune 500 organisations.

Features/Functionality

  • Spawn and Hook to Application – Enables you to spawn an application, and hook into it
  • Hook to a specific running process – Allows you to hook to a running (active) process
  • Static Malware Analysis – Scans PE/Windows executables to identify potential malware traces
  • Application crash analysis – Allows you to analyse memory content when an application crashes
  • Exe extractor – This module essentially extracts executables from running process/s

The only similar tool I recall is – Malware Analyser v3.0 – A Static & Dynamic Malware Analysis Tool – which is by the same author and I assume is the precursor the more advanced Hook Analyser.

You can download Hook Analyser v3.1 here:

[ Required to fill out a form ]

Or read more here.


14 May 2014 | 1,559 views

Navy Sys Admin Hacks Into Databases From Aircraft Carrier

So this story caught my eye and I found it pretty interesting as it reads like something out of a Tom Clancy novel crossed with a bunch of script kiddies, a Navy Sys Admin has been charged with conspiracy to hack – the interesting part was that he hacked the Navy (whilst working there..) and also did it from a Nuclear aircraft carrier!

Seems like a pretty interesting scenario, I’m more interested in the technical details but all that’s mentioned is a case of SQL Injection – which isn’t exactly high-tech top tier hacking.

Navy Hacker

It also seems like the hacks took place a fair time ago back in 2012, but the court case and its details are only surfacing now.

A former systems administrator on a Navy nuclear aircraft carrier has been charged with conspiring to hack into government systems during a digital joy ride that spanned several months in 2012.

Nicholas Paul Knight, 27, who referred to himself as a “nuclear black hat,” was discharged from the Navy after he allegedly attempted to hack into a Naval database while at sea serving as a systems administrator in the nuclear reactor department aboard the U.S.S. Harry S. Truman.

On Monday, he and Daniel Trenton Krueger, a community college student in Illinois, were charged with one count each of conspiracy to hack in the U.S. District Court for the Northern District of Oklahoma.

They were allegedly part of a hacker gang that went by the names Team Digi7al and Team Hav0k. According to court documents, the gang also included at least three minors who have not been identified or charged in the case. Authorities say they were motivated by a combination of anti-government sentiment, boredom, and thrill-seeking.

The gang is accused of using SQL-injection hacks and other methods to gain access to various systems including ones belonging to the U.S. National Geospatial Intelligence Agency, which provides maps and other intelligence to the military, and a system belonging to the Department of Homeland Security’s Transportation Worker Identification system. The latter contains biometric and other sensitive data on workers who are issued special credentials to access secure areas of maritime facilities and vessels.

The group also allegedly hacked or attempted to hack into systems belonging to Los Alamos National Lab, a number of universities and police departments, as well as the personal web site of Rashod Holmes, a musician who sold merchandise from his site.

There’s also a lot of discussion about background checks, with two sides of the camp as usual – how is someone who has a criminal history hired to work for the Navy as a sys admin? And the other side is that maybe his mad l33t hacking skills could be why he got the job in the first place.

Ethically it’s always an interesting debate, should you hire an ‘ex’ hacker – or is a hacker always a hacker? Can people change/reform/become morally sound? Or does having a bit of the dark-side in you make you better at your job? If you haven’t done any malicious activities – can you really understand the mindset of a malicious hacker?

But despite more than two dozens hacks, the group had sporadic success. During an attempted breach of a Los Alamos Lab computer in April 2012, a systems administrator detected the hack and halted it before they could steal much data, according to a court document (.pdf).

The hack of a computer at the National Geospatial Intelligence Agency got them the schematics for more than ten databases, but they failed to download the sensitive agency data they sought from the computer, authorities say.

A May 2012 breach of an AT&T Uverse computer, however, got them mobile phone numbers of about 7,500 customers, as well as some email addresses of customers, physical addresses and cleartext passwords, the government says.

Three months later, according to authorities, they hacked into the website of Rashod Holmes and stole data on 1,000 customers, including the private bank account information of about 70 customers. They also breached the email account of the Ambassador of Peru in Bolivia and made off with the entire email contents of his account.

The group boasted about their exploits through a Twitter account — @TeamDigi7al — and even published the personal information they stole to storage sites where others could access the data, authorities say.

Knight, known online as “Inertia” and “Logic,” began hacking at age 16, according to the government, and was allegedly the self-professed leader of the gang who handled much of the publicity. Krueger, who was studying to be a network administrator and was known online as “Thor” and “Gambit,” allegedly performed most of the technical hacking.

The investigation, conducted by the Naval Criminal Investigative Service, began in June 2012, when a breach of the Navy’s Smart Web Move website and database occurred. The system, also known as Navy-SWM, is used by the Navy to manage the transfer and relocation of personnel and their family members in all branches of the military — Navy, Army, Air Force, Marines and Coast Guard. The database contained more than a decade’s worth of stored sensitive personal data on about 220,000 service members and their families, including Social Security numbers and birth dates. It also stored the answers to security questions that members used to reset their passwords for the system — such as their mother’s maiden name or the names of their children.

We’ll have to see what kind of charges get put up for this, I’m guessing there’s not going to be any ridiculous claims of terrorism in this case? As it’s quite clearly hacking without much of a point other than ‘because we can’.

You’d think someone working for the Navy would be smart enough to not hack the Navy AND get caught, but hey – who are we to judge.

Source: Wired


13 May 2014 | 1,647 views

Acunetix Vulnerability Scanner 9.5 Released

Acunetix Web Vulnerability Scanner (WVS) is an automated web application security testing tool that audits your web applications by checking for exploitable hacking vulnerabilities. Automated scans may be supplemented and cross-checked with the variety of manual tools to allow for comprehensive web site and web application penetration testing.

This week the latest version was released, Acunetix Vulnerability Scanner 9.5.

Acunetix Vulnerability Scanner

Features

  • AcuSensor Technology
  • Industry’s most advanced and in-depth SQL injection and Cross site scripting testing
  • Advanced penetration testing tools, such as the HTTP Editor and the HTTP Fuzzer
  • Visual macro recorder makes testing web forms and password protected areas easy
  • Support for pages with CAPTCHA, single sign-on and Two Factor authentication mechanisms
  • Extensive reporting facilities including PCI compliance reports
  • Multi-threaded and lightning fast scanner – processes thousands of pages with ease
  • Intelligent crawler detects web server type, application language and smartphone-optimized sites.
  • Acunetix crawls and analyzes different types of websites including HTML5, SOAP and AJAX
  • Port scans a web server and runs security checks against network services running on the server

This new release adds the ability to run security scans on applications built with Google Web Toolkit (GWT). It can also automatically test JSON and XML data objects for vulnerabilities. In addition, vulnerabilities are now also classified using CVE, CWE and CVSS, and AcuSensor has been updated for .NET 4.5 web applications.

There are more technical details regarding scanning a GWT based app here:

Scan Google Web Toolkit Applications with Acunetix Web Vulnerability Scanner

A free 14-day trial is available for anyone who wants to test the latest capabilities of Acunetix Vulnerability Scanner.


07 May 2014 | 2,067 views

MagicTree v1.3 Available For Download – Pentesting Productivity

Have you ever spent ages trying to find the results of a particular portscan you were sure you did? Or grepping through a bunch of files looking for data for a particular host or service? Or copy-pasting bits of output from a bunch of typescripts into a report? We certainly did, and that’s why we wrote MagicTree – so that it does such mind-numbing stuff for us, while we spend our time hacking.

MagicTree is a pentesting productivity tool. It is designed to allow easy and straightforward data consolidation, querying, external command execution and (yeah!) report generation. In case you wonder, “Tree” is because all the data is stored in a tree structure, and “Magic” is because it is designed to magically do the most cumbersome and boring part of penetration testing – data management and reporting.

MagicTree v1.3 - Pentesting Productivity

Changelog for v1.3

  • Fix for #307 “Cannot create a working report template in LibreOffice 3.5.4.2″.
  • Better parsing of Imperva Scuba XML
  • Fixed NullPointerException in FileFilter
  • Added debugging to idTracker and sanity checking to TreeController to catch the integrity bug
  • Fix for NullPointerException when handling MtSimpleObjects with no text
  • Fixes for data integrity bugs causing duplicated ids and broken xrefs
  • Added support for AppScan XML – contributed by VienHa Tran

Installation

No installation is required for MagicTree. The application is distrubuted as a single JAR file which has to be executed with JRE. Just save the file on your desktop. Double-click on it to execute it or, for less user-friendly OSes, issue “java -jar MagicTree.jar’ command.

Can’t get much better than that really, penetration testing report generation! Who wants to do that manually. IF you combined this with using something like Kvasir the Penetration Testing Data Management Tool, you’d be onto a pretty good process I reckon.

You can download MagicTree here:

MagicTree-build1814.jar

Or read more here.


06 May 2014 | 2,922 views

Teen Accused Of Hacking School To Change Grades

So an interested piece of news I spotted today is about Jose Bautista, an 18 year old from Miami-Data, USA who was arrested and charged with hacking school to change grades.

It seems he’s being dealt with fairly harshly, which is a trend with ‘hacking’ related crimes nowadays.

Jose Bautista - School Hacker

We did have a story similar to this way back in 2007 – Class President Hacks School Grades, he was also 18 and charged/arrested for what he did.

A South Florida teen was taken into custody after, authorities said, he illegally accessed the Miami-Dade Public Schools database and changed four students’ grades.

Eighteen-year-old Jose Bautista, a senior at Dr. Michael M. Krop Senior High School in Northeast Miami-Dade, faced Miami-Dade Circuit Judge Thomas J. Rebull, Friday. “You’ve been arrested on four counts of offenses against intellectual property, public records exemption and four counts of offenses against computer users,” Rebull told Bautista at the bond hearing.

Miami-Dade Schools Police arrested Bautista on Thursday. They said the teen took money, hacked into the school’s computer system and changed students’ grades. Police said each of the counts Bautista is charged with represents one of the students for whom he altered grades.

“It’s not fair to the people that really try,” said Mayan Dehry, a student at Bautista’s school. “Like, I know a lot of kids are in AP classes, and they try really hard to get the grades that they get. I don’t know, if you’re just going to be lazy and then change your grades, that’s not what learning is about.”

We ALWAYS get e-mails about this kind of stuff, there’s one here – Retarded E-mails – Brute Force, Change School Grades, Hack US Military & MORE.

So we know there’s a LOT of kids out there who want to do this kind of stuff, some to actually change their grades (but that’s unlikely, if they can hack the system they are probably smart enough to get high grades without much effort), some to prove a point to the school (Antiestablishmentarianism) and some for peer recognition (yo I hacked school I’m cool dawg).

Fellow student Brett Curtis said Bautista’s actions are not representative of the majority of his peers. “We have almost 3,000 kids here who come to school every single day, who work hard for every single grade that they earn,” he said.

News of Bautista’s arrest spread through the school Friday, even reaching the ears of faculty members. “I’m not surprised. The way that kids today are able to [use computers],” said teacher George Lesperance. “All I can say is, I’d have to get more information.”

Curtis said he is certain school officials will make sure the students involved will be brought to justice. “If it is true, it’s definitely not fair to the rest of the students,” he said. “It certainly makes me angry. Like I said, I can’t guarantee or tell you if it happened or not, but we have an amazing administration that will get to the bottom of it.”

When Bautista was booked into jail, his eyes were red and watery in his mug shot. In bond court Friday, a public defender spoke on the teen’s behalf. “There’s no legal basis for four counts of either of the charges,” said the attorney, “since there’s nothing specifically alleged as to the number of times this was allegedly done.”

Bautista’s bond has been set at $5,000.

The teen remained behind bars on Friday. Once released, he will be on house arrest and will be required to wear a GPS monitor.

I honestly don’t think he’s much of a flight risk, and his bail is fairly low – so it’s not too bad. At least they aren’t trying to pin some kind of bullshit terrorism charge on him like poor old Gary McKinnon.

It shows though school systems are pretty secure as we get to see this kind of news pretty rarely, and we know there are people trying to change their grades every day. Either that, or there are a lot of smart kids out there changing their grades without getting caught!

Source: WSVN.com


02 May 2014 | 1,324 views

Host-Extract – Enumerate All IP/Host Patterns In A Web Page

host-extract is a little ruby script that tries to extract all IP/Host patterns in page response of a given URL and JavaScript/CSS files of that URL.

With it, you can quickly identify internal IPs/Hostnames, development IPs/ports, cdn, load balancers, additional attack entries related to your target that are revealed in inline js, css, html comment areas and js/css files.

This is unlike a web crawler which looks for new links only in HTML anchor tags or the like. Using that method you might miss many additional targets if you ever use such web crawler or other GUI-based tools that shows you your main target and its relationship with its linked sub/off-site domains.

Host Extract

In some cases, host-extract may give you false positives when there are some words like – main-site_ver_10.2.1.3.swf. With the -v option, you can ask the tool to output html view-source snippets for each IP/Domain extracted. This will shorten your manual analysis time.

Usage

There are other tools that do similar things, some overlap, but nothing exactly like this. host-extract would be well combined with the following:

- wsScanner – Web Services Footprinting, Discovery, Enumeration, Scanning and Fuzzing tool
- theHarvester – Gather E-mail Accounts, Subdomains, Hosts, Employee Names – Information Gathering Tool
- Web-Sorrow v1.48 – Version Detection, CMS Identification, Enumeration & Server Scanning Tool

You can grab host-extract via SVN here:

Or read more here.


01 May 2014 | 745 views

Microsoft Confirms Internet Explorer 0-Day

So during the past weekend, Microsoft confirmed an Internet Explorer 0-day that is actually being used in targeted online attacks.

Vulnerability in Internet Explorer Could Allow Remote Code Execution

It will be interesting to see if they push an out of band patch for this one or just wait for the next Patch Tuesday.

Internet Explorer 0-Day

It’s pretty serious as it effects the whole family including Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.

On Saturday, late in the evening, Microsoft issued a public advisory confirming the existence of a new vulnerability in Internet Explorer that’s being used in targeted attacks online.

The vulnerability was disclosed by researchers at FireEye, who observed attacks against Internet Explorer versions 9 though 11. While criminals seem to be focused on the later releases, all versions of Internet Explorer are affected.

Exploits leveraging the use-after-free vulnerability will bypass protections in ASLR and DEP and gain code execution privileges.

In a blog post, FireEye explains:

“Threat actors are actively using this exploit in an ongoing campaign which we have named Operation Clandestine Fox. However, for many reasons, we will not provide campaign details. But we believe this is a significant zero day as the vulnerable versions represent about a quarter of the total browser market. We recommend applying a patch once available.”

The focus does seem to be on IE9 and 11 (which would be the most commonly used versions on newer operating systems (Windows 7 & 8).

EMET will help Microsoft says..

I would expect them to be pushing out a patch for this ASAP as it’s a pretty serious flaw.

In addition, FireEye researchers stated the group responsible for this exploit has had access to “a select number of browser-based 0-day exploits in the past.”

Moreover, the group is proficient at lateral movement, and have been difficult to track as they rarely reuse command and control infrastructure.

Until a patch is released, Microsoft has said that EMET will help mitigate attacks against this flaw.

Further, versions of Internet Explorer running with the default Enhanced Security Configuration are not at risk, provided that the malicious website used to target the vulnerability isn’t listed in the Trusted sites zone.

This is typically the case for Internet Explorer on Windows Server 2003, Windows Server 2008 (and 2008 R2), and Windows Server 2012 (and 2012 R2).

Microsoft hasn’t said if they will release an out-of-cycle patch for this flaw, only that they’ll take the “appropriate action” once the investigation is completed.

The next Patch Tuesday is due almost two weeks from now on Tuesday 13th May 2014, so that’s a fair bit of exposure if this exploit goes public.

We shall have to wait and see what happens, knowing Microsoft – not a lot.

Source: Network World