Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

06 August 2014 | 2,616 views

HoneyDrive 3 Released – The Premier Honeypot Bundle Distro

Check For Vulnerabilities with Acunetix

A new version of HoneyDrive, HoneyDrive 3 has been released codenamed Royal Jelly, Honeypots in a box is a great concept if you want to deploy a honeypot quickly without too much hassle.

HoneyDrive 3

HoneyDrive is the premier honeypot Linux distro. It is a virtual appliance (OVA) with Xubuntu Desktop 12.04.4 LTS edition installed. It contains over 10 pre-installed and pre-configured honeypot software packages such as Kippo SSH honeypot, Dionaea and Amun malware honeypots, Honeyd low-interaction honeypot, Glastopf web honeypot and Wordpot, Conpot SCADA/ICS honeypot, Thug and PhoneyC honeyclients and more. Additionally it includes many useful pre-configured scripts and utilities to analyze, visualize and process the data it can capture, such as Kippo-Graph, Honeyd-Viz, DionaeaFR, an ELK stack and much more. Lastly, almost 90 well-known malware analysis, forensics and network monitoring related tools are also present in the distribution.

Features

  • Virtual appliance based on Xubuntu 12.04.4 LTS Desktop.
  • Distributed as a single OVA file, ready to be imported.
  • Full LAMP stack installed (Apache 2, MySQL 5), plus tools such as phpMyAdmin.
  • Kippo SSH honeypot, plus Kippo-Graph, Kippo-Malware, Kippo2MySQL and other helpful scripts.
  • Dionaea malware honeypot, plus DionaeaFR and other helpful scripts.
  • Amun malware honeypot, plus helpful scripts.
  • Glastopf web honeypot, along with Wordpot WordPress honeypot.
  • Conpot SCADA/ICS honeypot.
  • Honeyd low-interaction honeypot, plus Honeyd2MySQL, Honeyd-Viz and other helpful scripts.
  • LaBrea sticky honeypot, Tiny Honeypot, IIS Emulator and INetSim.
  • Thug and PhoneyC honeyclients for client-side attacks analysis, along with Maltrieve malware collector.
  • ELK stack: ElasticSearch, Logstash, Kibana for log analysis and visualization.
  • A full suite of security, forensics and anti-malware tools for network monitoring, malicious shellcode and PDF analysis, such as ntop, p0f, EtherApe, nmap, DFF, Wireshark, Recon-ng, ClamAV, ettercap, MASTIFF, Automater, UPX, pdftk, Flasm, Yara, Viper, pdf-parser, Pyew, Radare2, dex2jar and more.
  • Firefox add-ons pre-installed, plus extra helpful software such as GParted, Terminator, Adminer, VYM, Xpdf and more.

You can download HoneyDrive 3 here:

HoneyDrive_3_Royal_Jelly.ova

Or read more here.



04 August 2014 | 3,463 views

Windows Registry Infecting Malware Has NO Files

This is a pretty interesting use of the Windows Registry and reminds me a little of the transient drive-by malware used last year against Internet Explorer that left no files either – Another IE 0-Day Hole Found & Used By In-Memory Drive By Attacks.

The main difference being, that wasn’t persistent and as it lived in RAM, it wouldn’t survive a reboot. This time, it’s based in the Registry (which technically is stored on the file system) – so it does survive a reboot and is pretty well hidden.

Registry Based Malware

The malware itself is stored in the registry in a non-ASCII key (to hide it from autostart) and an encoded entry that can’t be properly read by Regedit.

Researchers have detailed a rare form of malware that maintains infection on machines and steals data without installing files.

The malware resides in the computer registry only and is therefore not easy to detect.

It code reaches machines through a malicious Microsoft Word document before creating a hidden encoded autostart registry key, malware researcher and black hat exterminator Paul Rascagneres (@r00tbsd) says. It then creates and executes shellcode and a payload Windows binary.

“All activities are stored in the registry. No file is ever created,” Rascagneres said in a post. “So, attackers are able to circumvent classic anti-malware file scan techniques with such an approach and are able to carry out any desired action when they reach the innermost layer of [a machine] even after a system re-boot.

“To prevent attacks like this, anti-virus solutions have to either catch the initial Word document before it is executed (if there is one), preferably before it reached the customer’s email inbox.”

Windows Regedit cannot read or open the non-ASCII key entry. Rascagneres said the feature set was akin to a Matryoshka Doll due to its subsequent and continual ‘stacked’ execution of code.

The researcher doing this work is pretty well known for tearing down blackhat/malware networks, you can follow him (Paul Rascagneres) on Twitter here, and should (he’s interesting): @r00tbsd.

It’ll be interesting to see if any even smarter variations are spawned from this, or if Microsoft does anything to stop it from working (although they rarely do anything related to malware unless it’s using an actual exploited vulnerability).

The non-ASCII trick is a tool Microsoft uses to hide its source code from being copied, but the feature was later cracked.

Security kit can alternatively detect the software exploit, or as a final step monitor the registry for unusual behaviour, he said.

Malware geeks on the KernelMode.info forum last month analysed one sample which exploited the flaws explained in CVE-2012-0158 that affected Microsoft products including Office.

Deviants distributed the malware under the guise of Canada Post and UPS emails purportedly carrying tracking information.

“This trick prevents a lot of tools from processing this malicious entry at all and it could generate a lot of trouble for incident response teams during the analysis. The mechanism can be used to start any program on the infected system and this makes it very powerful,” Rascagneres said.

Rascagneres has made a name ripping malware and bots to uncover and undermine black hat operations. He won last years’ Pwnie Award at Black Hat Las Vegas for tearing through the infrastructure of Chinese hacker group APT1.

The malware is technically pretty smart (And well obfuscated) as it has layers of execution, the initial code executed is JScript code and then it runs a PowerShell script which finally executes shellcode.

You can read the original post here: Poweliks: the persistent malware without a file

The Irony? This encoding technique was originally made by Microsoft themselves..to protect source code from being changed/tampered with.

Source: The Register


30 July 2014 | 3,194 views

XSSYA – Cross Site Scripting (XSS) Scanner Tool

XSSYA is a Cross Site Scripting Scanner & Vulnerability Confirmation Tool, it’s written in Python and works by executing an encoded payload to bypass Web Application Firewalls (WAF) which is the first method request and response. If the website/app responds 200 it attempts to use “Method 2″ which searches for the payload decoded in the web page HTML code if it confirmed get the last step which is to execute document.cookie to get the cookie.

XSSYA - Cross Site Scripting (XSS) Scanner Tool

XSSYA Features

  • Supports HTTPS
  • After Confirmation (execute payload to get cookies)
  • Can be run in Windows & Linux
  • Identifies 3 types of WAF (mod_security, WebKnight & F5 BIG IP)
  • XSSYA Continue Library of Encoded Payloads To Bypass WAF (Web Application Firewall)
  • Support Saving The Web HTML Code Before Executing the Payload Viewing the Web HTML Code into the Screen or Terminal

We have written about a couple of XSS related tools before:

XSS-Proxy – Cross Site Scripting Attack Tool
XSS Shell v0.3.9 – Cross Site Scripting Backdoor Tool

You can download XSSYA here:

xssya.py

Or read more here.


28 July 2014 | 2,264 views

Microsoft China Offices Raided By Government

There has been a lot of back and forth between the US government and China when it comes to cyber-terrorism or cyber-espionage, valuable secrets being sought out by both sides. For political and commercial purposes, and if you’ve watched any movies lately you’ll know the ‘China Hackers’ are almost super human.

Microsoft China

This time the Chinese government has targeted Microsoft China across all 4 regional offices as a part of a currently unnamed, unknown investigation.

A Microsoft spokesperson has confirmed its four offices in China have been raided as part of a surprise investigation by government officials most likely related to US-Chinese cyber tensions.

Both the US and Chinese governments have been engaging in tit-for-tat claims of cyberespionage, particularly when it comes to corporate affairs, and now China is looking to investigate one of the US’s largest tech companies to determine whether it is working with the US government to spy on its citizens and companies.

According to Reuters, the four Chinese offices Microsoft operates are in Beijing, Shanghai, Guangzhou and Chengdu. Tensions appeared to have eased somewhat when Microsoft announced last April it was about to begin selling the Xbox One gaming console in China, the first US gaming console allowed to be sold in the country in more than a decade.

Microsoft is obviously being very PR about the whole thing, and most analysts felt the situation was fairly good since the announcement that that Xbox One will be sold in China.

So really, a console can solve political tension and US-China digital conflict? Why didn’t we know that earlier!

The Microsoft spokesperson admitted the inspection was a surprise and did not go into the specifics of why it had been instigated.

“We aim to build products that deliver the features, security and reliability customers expect and we’re happy to answer the government’s questions.”

Despite its progress with the Xbox One, the Chinese government last May has increased its weariness of the Windows operating system, having requested that all of its central government offices must not use Windows 8 on new computers.

I’m not sure if any more news of this will come out, as this things tend to be fairly rapidly brushed under the carpet. But we shall keep an eye out and see if the Chinese government really have their heart set on disrupting Microsoft China.

Source: Silicon Republic


25 July 2014 | 4,069 views

Gauntlt – Security Testing Framework For Developers & Ops

Gauntlt provides hooks to a variety of security tools and puts them within reach of security, dev and ops teams to collaborate to build rugged software. It is built to facilitate testing and communication between groups and create actionable tests that can be hooked into your deploy and testing processes.

Gauntlt - Security Testing Framework For Developers & Ops

To use gauntlt, you will need one or more attack files. An attack file is a plain text file written with Gherkin syntax and named with the .attack extension. For more info on the Gherkin syntax, have a look at Cucumber. A gauntlt attack file is almost the same as a cucumber feature file. The main difference is that gauntlt aims to provide the user with predefined steps geared towards security and durability testing so that you do not have to write your own step definitions, whereas cucumber is aimed at developers and stakeholders building features from end to end. Gauntlt and cucumber can and do work together harmoniously.

Example attack file:

Features

  • Gauntlt attacks are written in a easy-to-read language
  • Easily hooks into your org’s testing tools and processes
  • Security tool adapters come with gauntlt
  • Uses unix standard error and standard out to pass status

Tools Supported

You will need to install each tool yourself before you can use it with gauntlt. However, if you try to use a tool that is not installed or that gauntlt cannot find, you will get a helpful error message from gauntlt with information on how to install and/or configure the tool for use with gauntlt.

The authors also include a generic attack adapter that allows you to run anything on the command line, parse its output and check its exit status.

You can download Gauntlt here (using the starter kit):

Pre-requisites

  • Virtual Box
  • Vagrant

Or read more here.


23 July 2014 | 3,845 views

Clear Your Cookies? You Can’t Escape Canvas Fingerprinting

So tracking is getting even trickier, it seems canvas fingerprinting would work in any browser that supports HTML5 and is pretty hard to stop as a user, as it’s a basic feature (a website instructing your browser to draw an image using canvas).

And it turns out, every single browser will draw the image slightly differently, so they can track you regardless of your cookie/privacy settings by asking your browser to redraw the image then I assume quickly scanning a database of image checksums for a match.

Canvas Fingerprinting

It wouldn’t exactly tie to your identity (unless you did it on a site that requires/supports login) but it would tie your usage together across sites, especially any sites using AddThis (which I could never stand).

A new, extremely persistent type of online tracking is shadowing visitors to thousands of top websites, from WhiteHouse.gov to YouPorn.com.

The type of tracking, called canvas fingerprinting, works by instructing the visitor’s web browser to draw a hidden image, and was first documented in a upcoming paper by researchers at Princeton University and KU Leuven University in Belgium. Because each computer draws the image slightly differently, the images can be used to assign each user’s device a number that uniquely identifies it.

Like other tracking tools, canvas fingerprints are used to build profiles of users based on the websites they visit — profiles that shape which ads, news articles or other types of content are displayed to them.

But fingerprints are unusually hard to block: They can’t be prevented by using standard web browser privacy settings or using anti-tracking tools

The researchers found canvas fingerprinting computer code, primarily written by a company called AddThis, on 5% of the top 100,000 websites. Most of the code was on websites that use AddThis’ social media sharing tools. Other fingerprinters include the German digital marketer Ligatus and the Canadian dating site Plentyoffish. (A list of all the websites on which researchers found the code is here).

A lot of sites use AddThis, so a lot of users are being tracked, the article/research states 5% of the top 100,000 websites. So at least 5000 high traffic sites are capturing user data in this rather underhanded way.

I can foresee a lot of people removing AddThis from their sites if this news gets any kind of traction.

You can find a list of the sites with the fingerprinting code here – Sites with canvas fingerprinting scripts

Rich Harris, chief executive of AddThis, said that the company began testing canvas fingerprinting earlier this year as a possible way to replace “cookies,” the traditional way that users are tracked, via text files installed on their computers.

“We’re looking for a cookie alternative,” Harris said in an interview.

Harris said the company considered the privacy implications of canvas fingerprinting before launching the test, but decided “this is well within the rules and regulations and laws and policies that we have.”

He added that the company has only used the data collected from canvas fingerprints for internal research and development. The company won’t use the data for ad targeting or personalization if users install the AddThis opt-out cookie on their computers, he said.

Arvind Narayanan, the computer science professor who led the Princeton research team, countered that forcing users to take AddThis at its word about how their data will be used, is “not the best privacy assurance.”

It’s all pretty shady, but honestly we have to assume people are doing this type of stuff because one of those most valuable things you can create from the Internet is user data. Especially usage/consumption patterns, even if it doesn’t tie to specific humans – the data itself is very valuable to people making marketing decisions based on it.

Plus whatever AddThis is doing isn’t regulated in any way, so they can say they are gonna stop/change but just continue on anyway. If you wear a Tinfoil hat, you are probably already using Tor Browser anyway – so good for you.

The full paper is also available here – The Web Never Forgets [PDF]

Source: Mashable


21 July 2014 | 2,076 views

clipcaptcha – CAPTCHA Service Impersonation Tool

clipcaptcha is an extensible and signature based CAPTCHA Provider impersonation tool based off Moxie Marlinspike’s sslstrip codebase, which we mentioned back in 2009 – SSLstrip – HTTPS Stripping Attack Tool.

Depending on its mode of operation it may approve, reject or forward the CAPTCHA verification requests. It maintains an easy to edit XML configuration file that it queries to identify CAPTCHA provider request formats and render corresponding responses.

clipcaptcha - CAPTCHA Service Impersonation Tool

Signature based CAPTCHA provider detection

All CAPTCHA providers are basically HTTP based custom web services. These services accept CAPTCHA validation requests in a particular format and respond with finite set of responses that allow the clients to make Boolean choices to allow or disallow the request. clipcaptcha takes advantage of this finite and predictable request and response data set to implement signature based request detection and response system.

Running clipcaptcha

The four steps to getting this working on Linux are:

1. Enable forwarding mode on your machine

2. Setup iptables to redirect HTTP traffic to clipcaptcha.

3. Run arpspoof to redirect the traffic to your machine.

4. Run clipcaptcha in one of its mode of operation.

Requirements

It requires Python 2.5 or newer, along with the ‘twisted’ python module.

You can download clipcaptcha here:

clipcaptcha-v0.1.zip

Or read more here.


18 July 2014 | 3,311 views

Microsoft Says You SHOULD Re-use Passwords Across Sites

Ok so we constantly tell people not to reuse passwords across sites, because if they are stored in plain text (and leaked) those naughty hackers now have your e-mail address AND your password and can wreak havoc on your life.

Which is pretty much true, but Microsoft disagrees and there is some validity to what they say, if you MUST re-use passwords (which you shouldn’t) – do so only on low risk sites (anything without payment details really).

Re-use Passwords - what madness!

Keep the good passwords for the important sites (like online banking).

As for me, I say use a bloody password manager, generate different passwords for every site and make them all strong! A good online password manager is free, and even though some of them appear to not be totally secure (as we wrote a few days ago) – they are certainly better than not using one.

Microsoft has rammed a research rod into the security spokes of the internet by advocating for password reuse in a paper that thoroughly derails the credentials best practise wagon.

Password reuse has become a pariah in internet security circles in recent years following a barrage of breaches that prompted pleas from hacked businesses and media outlets to stop repeating access codes across web sites.

The recommendations appeared logical; hackers with email addresses and passwords in hand could test those credentials against other websites to gain easy illegal access.

Now Redmond researchers Dinei Florencio and Cormac Herley, together with Paul C. van Oorschot of Carleton University, Canada, have shot holes through the security dogma in a paper Password portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts (PDF).

The trio argue that password reuse on low risk websites is necessary in order for users to be able to remember unique and high entropy codes chosen for important sites.

I’m not sure why we are arguing about this though, I honestly don’t even know any of my passwords any more (or try to remember then) as for one, I have over 100 and I don’t have to. I use a password manager (PassPack in my case).

I only need to remember 1 login/password combo and 1 really strong keyphrase (which even the experts agree, is way better than a contiguous password).

Users should therefore slap the same simple passwords across free websites that don’t hold important information and save the tough and unique ones for banking websites and other repositories of high-value information.

“The rapid decline of [password complexity as recall difficulty] increases suggests that, far from being unallowable, password re-use is a necessary and sensible tool in managing a portfolio,” the trio wrote.

“Re-use appears unavoidable if [complexity] must remain above some minimum and effort below some maximum.”

Password sets should be reused across groups of websites. Those sites holding little personal information could be placed in the users’ ‘go-ahead-and-hack-me’ bucket protected by codes like P@ssword1, while sites where pwnage would trigger fire and brimstone should be protected by complex and unique login credentials.

Hackable groups “should be very exposed” and “should have weak passwords”, the researchers said, because pushing users to light up even a small amount of grey matter “would be wasteful”.

The Redmond research realises the realities of userland security; People are bad at remembering passwords and seemingly worse at caring about the issue of security.

Research published in 2012 found the average Brit glued the same five passwords to their 26 online accounts while one in 25 used the same code for everything.

You can read the full paper here – Password portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts [PDF]

The whole issue is kind of sad if you ask me.

It’ll be interesting to see if any kind of counter-studies are done on this, or anyone comes out with a rebuttal of any sort. It’s a little odd to release a research paper on something that’s basically an opinion though.

Source: The Register


16 July 2014 | 3,938 views

FakeNet – Windows Network Simulation Tool For Malware Analysis

FakeNet is a Windows Network Simulation Tool that aids in the dynamic analysis of malicious software. The tool simulates a network so that malware interacting with a remote host continues to run allowing the analyst to observe the malware’s network activity from within a safe environment.

Windows Network Simulation Tool

The goal of the project is to:

  1. Be easy to install and use; the tool runs on Windows and requires no 3rd party libraries
  2. Support the most common protocols used by malware
  3. Perform all activity on the local machine to avoid the need for a second virtual machine
  4. Provide python extensions for adding new or custom protocols
  5. Keep the malware running so that you can observe as much of its functionality as possible
  6. Have a flexible configuration, but no required configuration

The tool is in its infancy of development. The team started working on the tool in January 2012 and intend to maintain the tool and add new and useful features. If you find a bug or have a cool feature you think would improve the tool please do contact them.

Features

  • Supports DNS, HTTP, and SSL
  • HTTP server always serves a file and tries to serve a meaningful file; if the malware request a .jpg then a properly formatted .jpg is served, etc. The files being served are user configurable.
  • Ability to redirect all traffic to the localhost, including traffic destined for a hard-coded IP address.
  • Python extensions, including a sample extension that implements SMTP and SMTP over SSL.
  • Built in ability to create a capture file (.pcap) for packets on localhost.
  • Dummy listener that will listen for traffic on any port, auto-detect and decrypt SSL traffic and display the content to the console.

Right now the tool only supports WinXP Service Pack 3. The tool runs fine on Windows Vista/7 although certain features will be automatically disabled.

You can download FakeNet here:

Fakenet1.0c.zip

Or read more here.


14 July 2014 | 4,457 views

Password Manager Security – LastPass, RoboForm Etc Are Not That Safe

We’ve talked a lot about using a password manager to secure, generate and manage your passwords – way back since 2008 when we introduced you to the Password Hasher Firefox Extension.

Since then we’ve also mentioned it multiple times in articles where plain text passwords were leaked during hacks, such as the Cupid Media hack which exposed 42 Million plain text passwords.

Password Manager Security

Now some researchers have ganged up and are taking a really close look at some of the popular password management solutions and password manager security. Honestly I haven’t heard of My1Login, PasswordBox or NeedMyPassword and wonder why they are included over more popular choices like PassPack and 1Password.

Researchers have detailed a series of quickly patched vulnerabilities in five popular password managers that could allow attackers to steal user credentials.

“Critical” vulnerabilities were discovered and reported in LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword in work described by the University of California Berkeley researchers as a “wake-up call” for developers of web password vaults.

“Our attacks are severe: in four out of the five password managers we studied, an attacker can learn a user’s credentials for arbitrary websites,” Researchers Zhiwei Li, Warren He, Devdatta Akhawe, and Dawn Song wrote in the paper The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers (PDF).

“We find vulnerabilities in diverse features like one-time passwords, bookmarklets, and shared passwords.

“The root-causes of the vulnerabilities are also diverse: ranging from logic and authorisation mistakes to misunderstandings about the web security model, in addition to the typical vulnerabilities like CSRF (cross site request forgery) and XSS (cross site scripting).”

The LastPass bookmarklet option which permitted ad-hoc integration with Safari on iOS was found vulnerable if users were tricked into running the Java code on an attackers’ site.

I just hope this means that PassPack is so secure they left it out (because that’s the one I use). I also chose PassPack because the choice was really between that or LastPass and LastPass has faced some security issues and does some things in rather pointless ways.

PassPack address the LastPass masked password features for example here: Why Masked Passwords Are a Serious Security Hole

I’m fairly certain though, all current password management solutions have security flaws – I just hope the companies developing them take them seriously (however much of an edge case they are) and address them.

A carder, for example, could set up a fake banking site in an attempt to con the less than one percent of LastPass users running bookmarklets to log in. Doing so could allow attackers to extract passwords from the victim’s LastPass vault.

A second CSRF bug affected LastPass one time passwords. It could allow attackers to see which apps and devices were running LastPass, to steal the entire master password-encrypted vault for later brute-forcing, and to erase any stored website password.

The disclosure prompted LastPass to issue a statement playing down vulnerabilities affecting its Java bookmarklets and one time passwords which if run on a malicious website could compromise user accounts prior to a fix pushed out in September.

“If you are concerned that you’ve used bookmarklets before September 2013 on non-trustworthy sites, you may consider changing your master password and generating new passwords, though we don’t think it is necessary,” chief information officer Joe Siegrist said.

“The OTP attack is a ‘targeted attack’ requiring an attacker to know the user’s username to potentially exploit it, and serve that custom attack [for each] user [which is] activity which we have not seen.

“Even if this was exploited, the attacker would still not have the key to decrypt user data.”

The research did not signal curtains for web password managers, but rather served as a warning to developers and users of inherent security risks.

You can check out the original paper here – The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers [PDF].

My sceptical side however does see this a little like a pre-marketing stunt, where these guys prove everyone else is insecure (or at least find some guys are partially insecure), publish the details then come out with a new super secure alternative..which you have to pay for obviously.

We shall of course have to wait and see if that happens.

Source: The Register