Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

05 May 2015 | 3,755 views

The Dude – Automatic Network Discovery & Layout Tool

Check Your Web Security with Acunetix

The Dude network monitor is a (not so) new application by MikroTik which can dramatically improve the way you manage your network environment. It will automatically scan all devices within specified subnets, draw and layout a map of your networks, monitor services of your devices and alert you in case some service has problems.

The Dude - Automatic Network Discovery & Layout Tool

A great tool for automatic network discovery and mapping.

The Dude demo system: Our RouterOS demo routers are viewable from within the Dude, install The Dude and connect to our Demo dude system with the Dude Secure connection to 159.148.147.209.

Features

  • The Dude is free of charge!
  • Auto network discovery and layout
  • Discovers any type or brand of device
  • Device, Link monitoring, and notifications
  • Includes SVG icons for devices, and supports custom icons and backgrounds
  • Easy installation and usage
  • Allows you to draw your own maps and add custom devices
  • Supports SNMP, ICMP, DNS and TCP monitoring for devices that support it
  • Individual Link usage monitoring and graphs
  • Direct access to remote control tools for device management
  • Supports remote Dude server and local client
  • Runs in Linux Wine environment, MacOS Darwine, and Windows
  • Best price/value ratio compared to other products (free of charge)

You can download The Dude here:

dude-install-3.6.exe

Or read more here.

Advertisements



02 May 2015 | 1,822 views

Graudit v1.9 Download – Grep Source Code Auditing Tool

Graudit is a simple script and signature sets that allows you to find potential security flaws in source code using the GNU utility grep. It’s comparable to other static analysis applications and source code auditing tool sets like RATS, SWAAT and flaw-finder while keeping the technical requirements to a minimum and being very flexible.

Graudit v1.9 Download - Grep Source Coding Auditing Tool

You can find a full selection of code auditing tools here.

Usage

Graudit supports several options and tries to follow good shell practices. For a list of the options you can run graudit -h or see below. The simplest way to use graudit is;

The following options are available:

Databases

Graudit uses extended regular expressions (POSIX) as it’s signatures and comes with several databases ready for use. You can extend the existing databases or make your own if you require additional signatures.

  • All is a combined database of all the databases listed below
  • ASP offers basic auditing support for the Active Server Pages languages
  • C offers support for the C programming language
  • Default is aimed at finding low hanging fruit. It contains generic rules that should match common vulnerabilites in several languages. However, in order to find additional vulnerabilities for a specific language you should use the language specific databases.
  • Dotnet offers basic dot net support
  • JSP basic JSP support.
  • Other looks for source comments that could indicate problems
  • Perl basic support for perl
  • PHP tracks user input and function calls
  • Python basic python support

You can download Graudit v1.9 here:

graudit-1.9.tar.gz

Or read more here.


30 April 2015 | 1,170 views

WordPress Critical Zero-Day Vulnerability Fixed In A Hurry

So this is an interesting announcement due to the discussion points it brings up about responsible disclosure, it seems like in this case a researcher published his findings about a WordPress critical zero-day vulnerability without informing WordPress before hand.

WordPress Critical Zero-Day Vulnerability Fixed In A Hurry

And they got it fixed REAL quickly, where as in a previous (pretty similar) case – they took 14 months to fix it, leaving their users at risk for that period.

WordPress 4.2.1 was released on Monday to address a critical zero-day vulnerability disclosed on Sunday by Finnish researcher Jouko Pynnönen of Klikki Oy. The expert published the details of the security bug without notifying WordPress because he was displeased with the way developers handled his recent vulnerability reports.

The stored cross-site scripting (XSS) vulnerability disclosed by Pynnonen is similar to a flaw discovered by Belgian researcher Cedric Van Bockhaven, which WordPress fixed last week with the release of version 4.1.2, more than a year after it was reported. The bug, which affects WordPress 4.2 and earlier, can be exploited by an unauthenticated attacker to execute arbitrary code via very long comments that get truncated when they’re saved into the database.

“The attacker is sending fragments of HTML code to the server that contains JavaScript in it. WordPress tries to verify the content, but misses the embedded script. This specific exploit is because the attacker sends very long content – over 64Kb, which is truncated in the database,” Jeff Williams, CTO of Contrast Security, explained via email. “[When] WordPress sends that data back to the browser as part of a webpage, the script executes.”

“That would be enough for an interesting attack, but this particular exploit goes further. When the attack is executed on an administrator, it uses the administrative privilege to install plugins and execute content directly on the server. Most XSS problems are not exploitable in a way that allows a complete remote host takeover,” Williams added.

This is a pretty clever bug, and pretty dangerous too as when a comment is viewed by someone logged in as admin – the site can basically be hijacked totally.

For an XSS attack – this is pretty serious.

The comment truncation flaw reported by Van Bockhaven was addressed by WordPress only after 14 months. However, Pynnonen’s approach forced the WordPress team to release a patch within hours.

Before the fix was released, website owners running a self-hosted version of WordPress were advised to install the Askimet anti-spam plugin in order to protect themselves against potential attacks.

Pynnonen said he decided not to notify WordPress before making the vulnerability public because a different stored XSS flaw that he reported in November is still unpatched. His attempts to obtain information from WordPress on the status of a patch were unsuccessful, even after he tried contacting developers via HackerOne and CERT Finland (CERT-FI).

Furthermore, WordPress last year promised the researcher a minimum bounty of $2,000 for responsibly disclosing a critical bug affecting WordPress versions prior to 4.0, but they only awarded him $100.

“I don’t think it’s my job to spend months begging for the security team to communicate with me about security vulnerabilities. It’s their job and responsibility to communicate with researchers who try to help them and their customers. And if they ‘pro-actively’ and spontaneously offer me a bug bounty, I think it would be appropriate for them to keep their word,” Pynnonen told SecurityWeek. “I’m sure many people think the disclosure was irresponsible. But instead of months or years, the fix was produced in a few hours. During this time users were aware of the threat and could take precautions.”

Williams believes WordPress is to blame for incidents like this one.

Their Bug Bounty payouts seem pretty lame too, which doesn’t really encourage researchers and vulnerability developers to follow the path of responsible disclosure.

Compound that with their tardy reaction to serious bugs, and you get frustrated bug-hunters – like Jouko Pynnönen in this case.

Source: SecurityWeek


28 April 2015 | 2,767 views

CeWL v5.1 – Password Cracking Custom Word List Generator

CeWL is a Custom Word List generator which spiders a given site to create a word list of all words it finds on that site. It can also grab email addresses and usernames found in the HTML and in some document types including Office and PDF.

Useful for targeted penetration testing which involves brute force password cracking.

We first wrote about CeWL way back in 2009 not long after it first came out – it’s been updated plenty since then and is now at version 5.1.

CeWL v5.1 - Password Cracking Custom Word List Generator

There are also a bunch of other similar tools out there (some older some newer):

Crunch – Password Cracking Wordlist Generator
The Associative Word List Generator (AWLG) – Create Related Wordlists
Wyd – Automated Password Profiling Tool
CUPP – Common User Passwords Profiler – Automated Password Profiling Tool
RSMangler – Keyword Based Wordlist Generator For Bruteforcing

If you combine the wordlists from the above tools with the commonly found standard password cracking wordlists, you should have a pretty comprehensive, targeted set of lists for bruteforcing with something like John the Ripper, thc-hydra or hashcat.

Usage

You can download CeWL v5.1 here:

cewl_5.1.tar.bz2

Or read more here.


25 April 2015 | 672 views

OAT – Microsoft OCS Assessment Tool (Office Communication Server)

OAT is an Open Source Microsoft OCS Assessment Tool designed to check the password strength of Lync and Microsoft Office Communication Server users. After a password is compromised, OAT demonstrates potential UC attacks that can be performed by legitimate users if proper security controls are not in place.

OAT - Microsoft OCS Assessment Tool (Office Communication Server)

We first wrote about OAT when it was v1.0 and just came out in 2009.

OAT has a user friendly tabbed interface that begins with a password strength test feature. Once the OAT user has successfully elicited the password, attack modules from subsequent tabs can be used for launching UC attacks against valid, registered Lync and OCS users.

New in OAT v3.0

  • Lync Support
  • Improved speed of the online dictionary attack
  • Fixed issues with play spam audio for call walking
  • Minor graphical enhancements
  • New Active Directory Options

Features

  • Online Dictionary Attack
  • Presence Stealing
  • Contact List Stealing
  • Targeted IM Flood
  • Targeted Call Walk
  • Communicator DoS
  • Audio Call Spam
  • Report Generation
  • OCS 2007 & OCS 2007 R2

You can download OAT v3.0 here:

OAT-inst-3.05.zip

Or read more here.


21 April 2015 | 2,103 views

sptoolkit Rebirth – Simple Phishing Toolkit

The sptoolkit (rebirth) or Simple Phishing Toolkit project is an open source phishing education toolkit that aims to help in securing the mind as opposed to securing computers. Organizations spend billions of dollars annually in an effort to safeguard information systems, but spend little to nothing on the under trained and susceptible minds that operate these systems, thus rendering most technical protections instantly ineffective. A simple, targeted link is all it takes to bypass the most advanced security protections. The link is clicked, the deed is done.

sptoolkit Rebirth - Simple Phishing Toolkit

spt was developed from the ground up to provide a simple and easy to use framework to identify your weakest links so that you can patch the human vulnerability.

sptoolkit hasn’t been actively developed for two years. As it stands, it’s a brilliant peice of software, and the original developers are pretty damn awesome for creating it. But a new team would like to go further, and bring sptoolkit up to date – they’ve started active development again on Github just last month.

Requirements

  • Apache
  • PHP
  • MySQL

Features

  • Templates & Visual editor
  • Education completion tracking
  • Support for URL shorterners
  • Support for sending SMTP via SSL
  • Forms display inline errors for correction
  • Accurate e-mail tracking times
  • Browser Detection

You can download the new sptoolkit 0.80.1 here:

v0.80.1.zip

Or read more here.


18 April 2015 | 1,963 views

EvilAP Defender – Detect Evil Twin Attacks

EvilAP_Defender is an application that helps wireless network administrators to discover and prevent Evil Access Points (AP) from attacking wireless users. The application can be run in regular intervals to protect your wireless network and detect Evil Twin attacks.

EvilAP Defender - Detect Evil Twin Attacks

By configuring the tool you can get notifications sent to your email whenever an evil access point is discovered. Additionally you can configure the tool to perform DoS on discovered evil AP in order to give the administrator more time to react. However, notice that the DoS will only be performed for evil APs which have the same SSID but different BSSID (AP’s MAC address) or running on a different channel. This to avoid DoS your legitimate network.

The tool is able to discover evil APs using one of the following characteristics:

  • Evil AP with a different BSSID address
  • Evil AP with the same BSSID as the legitimate AP but a different attribute (including: channel, cipher, privacy protocol, and authentication)
  • Evil AP with the same BSSID and attributes as the legitimate AP but different tagged parameter – mainly different OUI (tagged parameters are additional values sent along with the beacon frame.

Currently no software based AP gives the ability to change these values. Generally software based APs are so poor in this area).

Whenever an Evil AP is discovered the tool will alert the admin through email (SMS will be supported soon). Additionally the tool will enter into preventive mode in which the tool will DoS the discovered Evil AP. The tool can be configured easily by starting in what we call “Learning Mode”. In this mode you can whitelist your legitimate network. This can be done by following the wizards during the Learning Mode. You can also configure the preventive mode and admin notification from there as well.

Finally, you need to change into Normal Mode or re-run the tool in this mode in order to start discovering Evil APs.

Requirements

Learning Mode:

This Mode can be invoked with the “-L” switch. When running the tool in this mode the tool will start by scanning for the available wireless networks. Then it lists all the found wireless networks with whitelisted APs colored with green. It also lists the whitelist APs and OUIs (tagged parameters).

The tool also provides several options which allow you to add/remove SSIDs into/from whitelist. You need to whitelist your SSID first before running the tool in the Normal Mode. Moreover, you can configure Preventive Mode from “Update options -> Configure Preventive Mode”. First you need to set the Deauthentication time (in seconds) into a number bigger than 0 (setting the value to 0 will disable this mode). Then you need to set the number of time to repeat the attack. This is so important for attacking more than Evil AP because the tool cannot attack all of them in the same time (how can you attack several APs on different channels? Later on we will improve the tool and allow it to attack (in the same time) several APs in the same channel).

The tool will attack the first Evil AP for specified deauthentication time then it will stop and attack the second one and so on. Be careful from increasing the Deatuth time so much because this may attack only one AP and leaving the others running. My recommendation is to set the Deauth time to something suitable such as 10 seconds and increasing the repeat time. Finally, you can configure admin notification by setting admin email, SMPT server address, SMTP username (complete email address) for authentication purpose, and SMTP password. You can use any account on Gmail or your internal SMTP server account.

Normal Mode:

This is the mode in which the tool starts to discover Evil APs and notify the administrator whenever one is discovered. This mode can be invoked by “-N” switch.

You can download EvilAP Defender here:

master.zip

Or read more here.


16 April 2015 | 1,310 views

Google Chrome 42 Stomps A LOT Of Bugs & Disables Java By Default

Ah finally, the end of NPAPI is coming – a relic from the Netscape era the Netscape Plugin API causes a lot of instability in Chrome and security issues. It means Java is now disabled by default along with other NPAPI based plugins in Google Chrome 42.

Chrome will be removing support for NPAPI totally in Chrome 45.

Google Chrome 42 Stomps A LOT Of Bugs & Disables Java By Default

Other than that, they have also squashed 45 security issues and vulnerabilities, including some quite serious ones. And many, a product of their Bug Bounty program.

Google announced on Tuesday the availability of Chrome 42 for Windows, Mac and Linux. The latest release addresses a total of 45 security issues and removes NPAPI support.

Judging by the bug bounties paid out by Google, the most serious vulnerability fixed in Chrome 42 is a cross-origin bypass flaw in the HTML parser (CVE-2015-1235). The discovery of this high severity bug earned an anonymous researcher $7,500.

The list of high severity vulnerabilities also includes a type confusion in V8 (CVE-2015-1242) reported by Cole Forrester of Onshape, a use-after-free in IPC (CVE-2015-1237) reported by Khalil Zhani, and an out-of-bounds write bug in the Skia graphics engine (CVE-2015-1238) identified by cloudfuzzer.

The medium severity security issues reported by external researchers are a cross-origin-bypass in the Blink web browser engine, an out-of-bounds read in WebGL, a use-after-free in PDFium, a tap-jacking flaw, an HSTS bypass in WebSockets, an out-of-bounds read in Blink, scheme issues in OpenSearch, and a SafeBrowsing bypass.

The researchers who contributed to making Chrome more secure have been awarded a total of $21,500, according to a blog post published by Google. However, the total amount could be higher since there are some vulnerability reports that haven’t gone through the search giant’s reward panel.

The actual details of the bugs are not public right now, as the policy for Google is keep access to the details restricted until the majority of users are patched. It will be further restricted if the bug is in a third party library that other projects depend on and haven’t yet fixed.

Feature wise, they’ve also launched their implementation of the Push API for notifications.

“We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel,” wrote Alex Mineer of the Google Chrome team.

In September 2013, Google announced plans to phase out support for the Netscape Plugin API (NPAPI). The company noted at the time that the API’s 90s-era architecture was causing crashes, security issues and other problems.

In January 2014, Google blocked web page-instantiated NPAPI plugins by default, but whitelisted some of the most popular applications, such as Silverlight, Unity, Google Earth, Google Talk, and Facebook Video. Java was also on the list of most popular plugins using NPAPI, but it had been disabled earlier for security reasons.

Now, NPAPI support has been disabled by default in Chrome and extensions requiring NPAPI plugins will be removed from the Chrome Web Store. Advanced users and enterprises can temporarily re-enable NPAPI until the plugins they use transition to alternative technologies.

There’s more details from Google here: Stable Channel Update

I wish Firefox would keep up..

Source: Security Week


14 April 2015 | 1,548 views

SamuraiWTF 3.x And Onwards – Web Testing Framework Linux LiveCD

The Samurai Web Testing Framework (AKA SamuraiWTF) is a live linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, the authors have based the tool selection on the tools they use in our security practice.

SamuraiWTF 3.x And Onwards - Web Testing Framework Linux LiveCD

SamuraiWTF includes the tools to carry out all four steps of a web pen-test.

Starting with reconnaissance, we have included tools such as the Fierce domain scanner and Maltego. For mapping, we have included tools such WebScarab and ratproxy. We then chose tools for discovery. These would include w3af and Burp Suite. For exploitation, the final stage, we included BeEF, AJAXShell and much more.

This CD also includes a pre-configured wiki, set up to be the central information store during your pen-test.

We’ve reported on Samurai Web Testing Framework since way back in 2006 when it first hit the scene with 0.3.

There’s been a lot of changes with the recent 3.x public release, a lot of clean-up work has been done and the underlying OS has finally been updated to Ubuntu 14.04 LTS (yay).

The major version number will be tied to the Ubuntu LTS release cycle (every 2 years with support for 5 years), so SamuraiWTF 4.0 will be on Ubuntu 16.04 LTS. Then there will be quarterly dot releases, so we should be hitting 3.2 soon (end of this month according to the schedule) but here’s 3.1 for now.

You can download SamuraiWTF 3.1 here:

SamuraiWTF3.1.vmwarevm.zip

Or read more here.


09 April 2015 | 899 views

Security Vendor Trustwave Bought By Singtel For $810M

The big news today is an acquisition, “Trustwave bought by Singtel” is rocking all the headlines. The fairly well known security vendor Trustwave has been bought for a rather large amount (almost $1 Billion – but not quite).

We have mentioned Trustwave before, and not in a good light – they were sued as the security vendor for the Target hacks.

Security Vendor Trustwave Bought By Singtel For $810M

It seems not to have hurt them as the case was dropped a few days after being filed, and they weren’t listed so their value isn’t public knowledge (until now at least) – they are valued at $850 million.

Singapore Telecommunications Ltd. (Singtel) is acquiring privately held security vendor Trustwave in a deal valued at $810 million.

Under the agreement, Singtel will acquire a 98 percent share of Trustwave, which has an enterprise value of $850 million. Trustwave Chairman, President and CEO Robert J. McCullen will retain the remaining 2 percent share.

Singtel expects the transaction to close in the next three to six months pending regulatory approvals. After the deal closes, Trustwave will operate as a stand-alone business unit of Singtel. The current Trustwave management team is expected to stay in place, and Trustwave’s headquarters will remain in Chicago.

Singtel is a leading communications group that provides multiple services, including both fixed and wireless voice and data. The group extends into 25 countries across Asia, Australia, Africa, Europe and the United States. According to Singtel, it has more than 500 million mobile customers globally today.

“Singtel is the perfect partner for us as we continue to help businesses fight cyber-crime, protect data and reduce security risk, and the Trustwave team is thrilled to become a part of such a prestigious and innovative organization,” McCullen said in a statement.

Trustwave is a large company in the security space with more than 2.7 million business customers globally across 96 countries. Definitely one of the leaders in the managed security services market.

This will take Singtel (who already has a strong hold on the services market) to a whole new level in the infosec space.

The deal will help Singtel establishing itself as a global security player.

“Our extensive customer reach and strong suite of ICT [information and communication technology] services, together with Trustwave’s deep cyber-security capabilities, will create a powerful combination and allow Singtel to capture global opportunities in the cyber-security space,” Chua Sock Koong, Singtel Group CEO, said in a statement.

Trustwave is active in multiple areas of cyber-security and has more than 1,200 employees based in 26 countries and currently operates global security operations centers (SOCs) in Chicago, Denver, Minneapolis, Manila and Warsaw.

Trustwave has managed security offerings as well as stand-alone products. In 2010, Trustwave acquired Breach Security, the primary commercial sponsor behind the widely deployed mod_security Web application firewall (WAF).

Also part of Trustwave is the SpiderLabs ethical hacking and threat research team, which has helped discover a number of important security threats in recent years. In August 2014, the U.S. Secret Service credited Trustwave with helping discover the backoff point-of-sale (POS) malware. Initially, the U.S Secret Service warned that 600 U.S. retailers had been impacted by backoff and later upped that number to more than 1,000 retailers.

Trustwave has also acquired a whole slew of smaller companies which took them to the size they are and also contributed greatly to their software service offerings such as Finjan and MailMarshal which were bought by the acquisition of M86.

It’s good to see the little rock down South of Malaysia making such a bold move.

Source: eWeek