Darknet – The Darkside

Web-Sorrow is a PERL based tool for misconfiguration, version detection, enumeration, and server information scanning. It’s entirely focused on enumeration and collecting information about a target server. Web-Sorrow is a “safe to run” program, meaning it is not designed to be an exploit or perform any harmful attacks.

There’s a couple of other tools that focus more on the identification part:

- WhatWeb – Next Gen Web Scanner – Identify CMS (Content Management System)
- Wappalyzer – Web Technology Identifier (Identify CMS, JavaScript etc.)

There’s also a pretty cool web app I use often which is – http://builtwith.com/

Features

• Web Services: Identify a CMS and it’s version number, social media widgets and buttons, hosting provider, CMS plugins, and favicon fingerprints
• Authentication areas: logins, admin logins, email webapps
• Bruteforce: Subdomains, files and directories
• Stealth: with -ninja you can gather valuable info on the target with as few as 6 requests, with -shadow you can request pages via google cache instead of from the host
• AND MORE: Sensitive files, default files, source disclosure, directory indexing, banner grabbing

In some ways it overlaps with other tools too like:

- GoLISMERO – Web Application Mapping Tool
- Skipfish 1.94b Released – Active Web Application Security Reconnaissance Tool
- Nikto 2.1.0 Released – Web Server Security Scanning Tool
- Lilith – Web Application Security Audit Tool

But as always, you should try them all and see which ones suits the way you work best.

You can download Web-Sorrow here:

Web-Sorrow_v1.4.8.zip

Or read more here.

It’s been a while, but hey I’m back! So here’s a news story that caught my eye today – it’s been a while since we’ve reported on a Spear Phishing attack, and guess what? Yes, last time it was also perpetrated by Chinese, but it was targeting Google’s Gmail.

Targeted Phishing Attacks Carried Out On Gmail – Likely From China

This time however the target was a little more serious, the US White House military network (WHMO). It’s pretty scary stuff, if a foreign power was able to take over control of the network used to co-ordinate nuclear attacks..

Hackers reportedly attempted a brazen attack on a White House military network in charge of the president’s nuclear football.

US officials familiar with the incident said unidentified hackers launched an attack early last month on the network used by the White House Military Office (WHMO), an military office in charge of sensitive communications, including systems to send and authenticate nuclear strike commands. The office is also responsible for arranging presidential communications and travel. However it seems only less significant systems were targeted by an assault that was, in any case, ultimately unsuccessful.

An unnamed Obama national security official said: “This was a spear phishing attack against an unclassified network.”

“In this instance the attack was identified, the system was isolated, and there is no indication whatsoever that any exfiltration of data took place,” the official said, the Washington Free Beacon (a Conservative blog that broke the story) reports.

It seems like some people in the White House need some education though if these kind of attacks are getting through, even if no data was actually lost – it’s not a good sign. And why are such critical systems even accessible from the Internet?

Even if the attack failed, it shows that something is very wrong with the architecture and network segregation.

Follow-up reports suggest that a dodgy email with a malicious attachment made it past perimeter defences and onto someone’s desktop, where it might have been opened, and a machine infected. But this machine was quickly identified and isolated before any damage was done.

Rob Rachwald, director of security strategy at Imperva, said the attempted attack should nonetheless act as a wake up call.

“Yet again traditional security software has failed to keep the bad guys out. Enterprise needed to assume that they have been compromised which means we need to detect abnormal access to data and Intellectual Property. This is yet another example of why we need to rethink the current security model and implement a new one that puts cameras on sensitive information.”

The attack was launched from Chinese networks, which by itself doesn’t mean much. However some officials seem to reckon the Chinese military cyber warfare specialists, working as part of a unit called the 4th Department of General Staff of the People’s Liberation Army, or 4PLA, are the most likely suspects behind the attack.

Obviously the Cyber Security Czar that was talked about at the start of the Obama administration isn’t doing a very good job.

It just goes to show how hard it is to secure critical data, and still give people reasonable access rights to it. It’s a constant struggle between security and usability, as security levels increase – usability decreases and everything tends to become a pain in the arse.

Either way it gives some good insights into the fact that the White House needs to get their act together.

Source: The Register

Reversing complex software quickly is challenging due to the lack of professional tools that support collaborative analysis. The CrowdRE project aims to fill this gap. Rather than using a live distribution of changes to all clients, which has proven to fail in the past, it leverages from the architecture that is being used with success to organize source code repositories: a system that manages a history of changesets as commit messages.

There’s a great video here, which explains more about CrowdRE and how to get started:

The central component is a cloud based server that keeps track of commits in a database. Each commit covers one or more functions of an analyzed binary and contains information like annotations, comments, prototype, struct and enum definitions and the like. Clients can search the database for commits of functions by constructing a query of the analyzed binary’s hash and the function offset. Different concurring commits for a function are possible; in such cases it is up to the user to decide which commit is better.

This basic concept is sufficient for a collaborative workflow on a per-function basis for a shared binary. One exciting feature is a similarity hashing scheme that considers the basic block boundaries of a function. Each function is mapped on a similarity preserving hash of fixed size. A database query for such a functions similarity hash returns a set of functions sorted by their similarity value, and the analyst can choose amongst them. This is extremely helpful when analyzing variants based on the same code or generations of a malware family, for example.

The CrowdRE client is now freely available as an IDA Pro plugin. CrowdStrike maintains a central cloud for the community to share their commits amongst each other. It is our goal to help building a public database of known, well annotated functions to speed up the analysis of standard components, somewhat similar to what BinCrowd (which is offline nowadays) offered but with support for multiple co-existing commits for the same function. We also supports list-based commit visibility to give users control over who else can see and import their contributions.

You can check out the service here:

https://crowdre.crowdstrike.com/sign-in

Seems like some hactivists have been working hard, 1 million accounsts were leaked over the weekend from some pretty serious sources by the group Team GhostShell – who are affiliated with Anonymous.

It seems like these weren’t particularly complex or technically adept multi-layer attacks, they were carried out via the most common avenue – SQL Injection.

In saying that though, they did yield a massive amount of data with some of the leaked databases providing over 30,000 records.

Hacker collective Team GhostShell leaked a cache of more than one million user account records from 100 websites over the weekend.

The group, which is affiliated with hacktivists Anonymous, claimed they broke into databases maintained by banks, US government agencies and consultancy firms to leak passwords and documents. Some of the pinched data includes credit histories from banks among other files, many of which were lifted from content management systems. Some of the breached databases each contained more than 30,000 records.

An analysis of the hacks by security biz Imperva reveals that most of the breaches were pulled off using SQL injection attacks – simply tricking the servers into handing over a bit more information than they should. “Looking at the data dumps reveals the use of the tool SQLmap, one of two main SQL injection tools typically deployed by hackers,” the company’s researchers explained in a blog post.

It looks like they even used off the shelf software too, if you look at the dumps you can actually see some references to sqlmap – which is a pretty powerful tool.

You can check it out in the analysis by Imperva here:

Analyzing the Team GhostShell Attacks

It seems like all the apps attacked were PHP CMS type web applications, there’s no information if they were all using the same platform though.

Team GhostShell said the online leaks, which are part of its Project Hellfire campaign, were made in protest against banks and in revenge for the rounding up of hacktivists by cops and government agents.

The team said it worked with other hacking crews, MidasBank and OphiusLab, on the attacks – and claims to have accessed a Chinese technology vendor’s mainframe, a US stock exchange and the Department of Homeland Security. It plans to offer access to these compromised systems to hackers who have the chops to handle them.

In a statement, the group threatened to carry out further attacks, leak more sensitive data and generally unleash hell.

“All aboard the Smoke & Flames Train, Last stop, Hell,” Team GhostShell wrote. “Two more projects are still scheduled for this fall and winter. It’s only the beginning.”

Team GhostShell is lead by self-proclaimed black hat hacker DeadMellox.

The leaks are part of the Project Hellfire campaign and the collective claims it will be ongoing and more attacks will follow. You can check out the leader on Twitter here @DeadMellox.

You can see a list of all the leak files here and the manifesto by Team GhostShell – http://pastebin.com/BuabHTvr.

Source: The Register

XMPPloit is a command-line tool to attack XMPP connections, allowing the attacker to place a gateway between the client and the server and perform different attacks on the client stream.

The tool exploit implements vulnerabilities at the client & server side utilizing the XMPP protocol.

The main goal is that all the process is transparently for the user and never replace any certificate (like HTTPS attacks).

Features

• Downgrade the authentication mechanism (can obtain the user credentials)
• Force the client not to use an encrypted communication
• Set filters for traffic manipulation

Filters that have been implemented in this version for Google Talk are:

• Read all the the user’s account mails
• Read and modify all the user’s account contacts (being or not in the roster).

You can download XMPPloit here:

XMPPloit.7z

Or read more here.

Another huge raft of critical fixes has been pushed out by Microsoft across almost their entire range of products, including client and server side software and the Windows OS itself.

It’s been a while since I’ve seen such a huge variety of security issues in one update including 5 critical vulnerabilities.

If you are running a Microsoft oriented organization you better get your update testing rig on-line and get rolling ASAP.

Microsoft has fixed 26 vulnerabilities in its software products, including several considered critical, the company said on Tuesday in its monthly security patch report.

The security holes, described in five critical and four important bulletins, affect multiple products, including Windows, Internet Explorer, Exchange, SQL Server and Office. In the worst-case scenarios, exploits could give attackers control of affected systems.

The first critical bulletin, labeled MS12-060, involves Windows Common Controls vulnerabilities, which affect Office, SQL Server, other server products and developer tools.

There have been “limited, targeted attacks” to try to exploit this security hole, but no public proof-of-concept code has been made available to Microsoft’s knowledge, wrote Microsoft security official Yunsun Wee in a related blog post.

If a user visits a website that contains “specially crafted content” designed to exploit the vulnerability, attackers could execute code remotely on the affected machine. However, users would have to be tricked into visiting such a website. The malicious code can also be sent as an email attachment, but users would need to open the attachment for the attack to work.

Most of them don’t seem to be out in the wild as such, as in they don’t have confirmed publicly available exploits. There have been cases of targeting attacks using these exploits, so they would be very much considered 0-day attacks and are probably being traded or sold in the underground.

The Common Controls exploit would be mitigated against if you had trained your users well on the dangers of opening unknown attachments as it would come in the form of a malicious .rtf file – most likely via e-mail.

Affected products include all supported editions of Office 2003, Office 2007, Office 2010 (except x64-based editions), SQL Server 2000 Analysis Services, SQL Server 2000 (except Itanium-based editions), SQL Server 2005 (except Microsoft SQL Server 2005 Express Edition, but including Microsoft SQL Server 2005 Express Edition with Advanced Services), SQL Server 2008, SQL Server 2008 R2, Commerce Server 2002, Commerce Server 2007, Commerce Server 2009, Commerce Server 2009 R2, Microsoft Host Integration Server 2004 SP 1, Visual FoxPro 8.0, Visual FoxPro 9.0 and Visual Basic 6.0 Runtime.

Microsoft patched a Windows Common Control bug in April that “made everyone sit up and take notice” due to the broad scope of important products it touched, said Andrew Storms, director of security operations at enterprise security vendor nCircle.

“There is some good news this month: that the attack vector associated with the [Windows Common Control] patch is an RTF (rich text format) file, and the victim has to explicitly open the file to allow the exploit. If you can’t get this patch rolled out or mitigation applied quickly, you should remind users about the dangers of opening attachments from unknown persons,” he said via email.

The second critical bulletin, labeled MS12-052, concerns four issues with IE that aren’t known to be under “active attack.” If successfully exploited, a malicious hacker could execute code on the affected machine with the privileges of the current user. As with the previous hole, users would need to visit a malicious Web page to fall victim to the attack. This vulnerability is rated critical for IE 6, IE 7, IE 8 and IE 9 on Windows clients and moderate for those same IE versions on Windows servers.

The more serious vulnerability, which effects Internet Explorer – allow code execution. But from the research done, it seems like these are not being actively attacked.

It’s critical for all versions of IE, including the current version IE9.

Source: Network World

chapcrack is a tool for parsing and decrypting MS-CHAPv2 network handshakes, it was announced recently at Defcon as we read over here – Marlinspike demos MS-CHAPv2 crack.

The process is as follows:

1. Obtain a packet capture with an MS-CHAPv2 network handshake in it (PPTP VPN or WPA2 Enterprise handshake, for instance).
2. Use chapcrack to parse relevant credentials from the handshake (chapcrack parse -i path/to/capture.cap).
3. Submit the CloudCracker token to www.cloudcracker.com
4. Get your results, and decrypt the packet capture (chapcrack decrypt -i path/to/capture.cap -o output.cap -n )

If you are interested in a much more in-depth, technical explanation – you can read more here:

Divide and Conquer: Cracking MS-CHAPv2 with a 100% success rate

Using this attack they have a 100% success rate of cracking DES hashes within 23~ hours.

You can download chapcrack here:

moxie0-chapcrack.zip

Or read more here.

Sophos seems to be a lot more aggressive recently when it comes to the consumer market, they used to be a hardcore enterprise only solution when they first started out. I guess they’ve realized where the money is.

Back in 2010 they one of the first to come out with a free Antivirus solution for Apple (Sophos Launches FREE Anti-Virus Software For Mac), and now they are coming out with a free AV solution for Android devices.

Sophos has crafted a freebie antivirus app dubbed Sophos Mobile Security for Android-powered devices.

The software tries to protect smartphones against malware, warns fandroids of privacy-invading programs and can lock down a gadget if it’s lost or stolen, ideally without taxing either performance or battery life. The software, released on Monday, can be downloaded from Google Play.

Several free-of-charge security scanners already exist for the Android platform, but the performance of some in recent tests has been mediocre. Paid-for products from the likes of Kaspersky and F-Secure tend to perform better. Sophos is positioning its product against the more capable freebie Android scanners from the likes of Lookout and AVG (Droid Security), but with the additional benefit of offering hardware loss and privacy dashboard features more associated with paid-for products.

Sophos Mobile Security is designed to automatically scan apps as users install them, thus blocking undesirable software. The technology also locates lost or stolen Android devices as well as shielding personal information from thieves.

It is something that’s definitely required as there has been an extremely worrying and rather dangerous trend of Android malware emerging lately:

- Android Malware App Covertly Makes Purchases On China Mobile Market
- Android Trojan Targets Japanese Market – Steals Personal Data
- China Facing Problems With Android Handsets & Pre-installed Trojans

They definitely aren’t the first either, back in 2010 Symantec had already expanded their range to cover Android – Symantec Expands Security Products To Cover Android & iOS.

Sophos has entered the mobile security zone a few years late, but rather than corner the freebie Android scanner market, its new software will be used to market a managed Enterprise version, due to be released this year.

The strategy makes sense because it dovetails neatly with the bring-your-own-device craze that’s allowing consumers’ technology choices shape corporate IT, including the mobile security products that are used.

Android malware last year increased 155 percent from 2010, according to Juniper Networks.

“We’re seeing no slowdown in the number of malicious apps, as more smartphone owners use their devices to not only store personal data, but also access social networks and the internet,” said Matthias Pankert, vice president of product management, Sophos. “This usage, coupled with the increase in Bring Your Own Device (BYOD) activity, is making Android devices a compelling target for cybercriminals and malware.”

Sophos released a freebie security scanner for Macs two years ago. The plan in that case was more about improving home punters’ cyber-hygiene than pushing licences, but mobile security is much more integral to the corporate plans of the UK-based security software firm, so Sophos Mobile Security is not a philanthropic gesture

It seems to be more of a marketing play than anything else though, with them introducing this free version to hook people into a commercial enterprise solution later. We’ll start seeing this in employment contracts in the future I guess:

“If you use your own device with the company e-mail/fileshare/wifi etc you need to have the corporate mobile security solution XXX installed”

We will see more people entering this arena too, with Android having a more open ecosystem than iOS – it’s also a lot more open to malware and spurious apps.

Source: The Register

HconSTF is an Open Source Penetration Testing Framework based on different browser technologies, Which helps any security professional to assists in the Penetration testing or vulnerability scanning assessment. It contains webtools which are capable of carrying out XSS attacks, SQL Injection, siXSS, CSRF, Trace XSS, RFI, LFI, etc. It could prove useful to anybody interested in the information security domain – students, security professionals, web developers and so on.

Features

• Categorized and comprehensive toolset
• Contains hundreds of tools and features and script for different tasks like SQLi, XSS, Dorks, OSINT to name a few
• HconSTF webUI with online tools (same as the Aqua base version of HconSTF)
• Each and every option is configured for penetration testing and Vulnerability assessments
• Specially configured and enhanced for gaining easy & solid anonymity
• Works for web app testing assessments specially for OWASP top 10
• Easy to use & collaborative Operating System like interface
• Multi-Language support (feature in heavy development translators needed)

You can download HconSTF 0.4 beta here:

HconSTF_v0.4_Freedom_portable.exe

Or read more here.

Just a few days back we posted about Yahoo! Voices Hacked With SQL Injection – Passwords In Plaintext, and most recently it seems someone has been going after Nvidia pretty hard.

They have already had a few web properties hacked including their forum, the developer zone and their research site. The latest break in the news is a claim that the store has been hacked – they have suspended access whilst they investigate.

Graphics chip manufacturer Nvidia is investigating claims that hackers have compromised its online stores as part of a larger attack that affected several of its websites.

On Friday, a hacker group calling itself Team Apollo claimed that one of Nvidia’s online stores was compromised. As a result, the company suspended access to its Board Store and Gear Store websites.

“Nvidia is investigating whether the store sites were hacked,” Bea Longworth, Nvidia’s senior PR manager for EMEAI (Europe, Middle East, Africa, India), said Monday via email. “We don’t have any evidence that credit card data or customer lists have been put at risk, but we’re investigating.”

The news follows confirmed compromises of some of the company’s other websites last week. “Nvidia Forums, Nvidia Developer Zone and Nvidia Research were compromised in what appears to have been a breach by third parties seeking sensitive information,” Longworth said. On Thursday, Nvidia revealed that hackers had gained access to the Nvidia Forums database and stole usernames, email addresses, hashed passwords and user profile information.

We haven’t really discussed Nvidia much before and I dont recall them being a hacking target previously, we’ve only mentioned them in passing when it comes to tools and methods using graphics card chips for brute forcing like – CUDA-Multiforcer – GPU Powered High Performance Multihash Brute Forcer.

I imagine them having a store and carrying out transactions online puts them in the firing range though, when there’s money or credit card details involved – the bad guys will come.

On the same day, the company also took its Developer Zone and Nvidia Research websites offline over suspicions of compromise. Those suspicions were confirmed on Friday, when a hacker posted hashed passwords for a proportion of DevZone users on a public website.

Nvidia was not the only company forced to deal with data leaks that resulted from hacker attacks during the past week.

On Tuesday, the company operating Formspring, a website where users can post and answer questions, disabled its users’ passwords after 420,000 password hashes were posted on a forum. The company later confirmed that someone broke into one of its development servers and stole user account information from a production database.

On Thursday, a hacker group published a list of 450,000 log-in credentials that it claimed to have stolen from the database of an unnamed Yahoo service. Yahoo later confirmed that the log-in credentials were from its Yahoo! Contributor Network service.

Nvidia has taken the other compromised sites down and confirmed they were hacked, I wonder if the threat against the store is just bravado or someone genuinely has compromised it. There seems to be no proof of that at this point however.

There seems to have a been a real glut of these kind of attacks lately, I wonder if there’s a new vulnerability passing around the underground that no-one knows about in a common web language like PHP or in a common service like Apache or the recent MySQL bug.

I wouldn’t be surprised if a lot of these are due to this: MySQL 1 Liner Hack Gives Root Access Without Password.

Source: Network World