Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on RSS or Twitter for the latest updates.

05 December 2013 | 2,165 views

Sandboxie – Sandbox Your Browser / Software / Programs In Windows

Acunetix Web Application Security

Sandboxie enables you to easily sandbox your browser and other programs, it runs your applications in an isolated abstraction area called a sandbox. Under the supervision of Sandboxie, an application operates normally and at full speed, but can’t effect permanent changes to your computer. Instead, the changes are effected only in the sandbox.

Sandboxie - Sandbox Your Programs

For those too lazy to set up a full on vm image for testing stuff, this is a pretty good alternative.

Benefits of the Isolated Sandbox

  • Secure Web Browsing: Running your Web browser under the protection of Sandboxie means that all malicious software downloaded by the browser is trapped in the sandbox and can be discarded trivially.
  • Enhanced Privacy: Browsing history, cookies, and cached temporary files collected while Web browsing stay in the sandbox and don’t leak into Windows.
  • Secure E-mail: Viruses and other malicious software that might be hiding in your email can’t break out of the sandbox and can’t infect your real system.
  • Windows Stays Lean: Prevent wear-and-tear in Windows by installing software into an isolated sandbox.

Registration is optional but there is a nag screen after 30 days (typical shareware style).

You can download Sandboxie here:

SandboxieInstall.exe

Or read more here.



03 December 2013 | 1,706 views

Stuxnet 2 Under Development By Spy Agencies?

It’s been a fair while since we’ve heard a mention of Stuxnet, so the potential for Stuxnet 2 is quite interesting. Of course at this point, it’s pretty much all just rumours – but still I’d be very surprised if such a thing wasn’t already in the works.

Apparently in this case, it’s the Saudi and Israeli governments working together so develop something more powerful than Stuxnet, for the same end – to disrupt Iran’s nuclear program and facilities.

Hold the front page: Saudi Arabian and Israeli spy agencies are developing a worm more powerful than Stuxnet to sabotage Iran’s nuclear program again, after meeting in Vienna last week.

Sound a little far-fetched? Well, stranger things have happened but this particular yarn comes from Iran’s FARS news agency, thought to have strong ties to the country’s Revolutionary Guard, so a healthy dose of scepticism is probably advised.

Citing “an informed source close to the Saudi secret service”, the agency claims that the November 24 meeting was held to “increase the two sides’ cooperation in intelligence and sabotage operations against Iran’s nuclear program”.

“One of the proposals raised in the meeting was the production of a malware worse than the Stuxnet to spy on and destroy the software structure of Iran’s nuclear program,” the source told FARS, adding that the $1m plan was welcomed by the Saudis.

It’ll be interesting to see in the coming months if anything actually turns up, and well even if it does – will Iran ever let us hear about it? For those not familiar with the original:

Stuxnet is a computer worm discovered in June 2010 that is believed to have been created by United States and Israel agencies to attack Iran’s nuclear facilities. Stuxnet initially spreads via Microsoft Windows, and targets Siemens industrial control systems. While it is not the first time that hackers have targeted industrial systems, it is the first discovered malware that spies on and subverts industrial systems, and the first to include a programmable logic controller (PLC) rootkit. – Wikipedia

The two sides had apparently set off on this hardline course after being frustrated by a warming of relations between the US and Iran and a deal struck between the Islamic Republic and the US, UK, Russia, China, France and Germany.

This November 24 deal, branded a “historic mistake” by Israel, will see Iran agree to halt some of its nuclear activities in return for around £4bn in sanctions relief.

The yarn certainly plays to the paranoia and FUD so often present in coverage of the Middle East, but it’s unlikely that Israel would want to anger its allies in Washington by jeopardising the recent rapprochement with Iran.

Unless, that is, the idea is to have the malware all ready to go in case there’s a sudden breakdown in talks.

A final thought: FARS lifted almost word-for-word an entire Onion story last year claiming most rural US voters would rather hang out with former Iranian president Mahmoud Ahmadinejad than Barack Obama.

The agency’s editorial judgement was called into question again this year after it posted a story claiming an Iranian boffin had invented a time machine.

If it follows a similar infection vector to the original Stuxnet tho, we probably would hear of it due to the massive Windows infections that precede the attacks on the industrial systems.

And well the original ‘source’ of this news is rather suspicious to say the least, with them publishing satire as real news last year.

Source: The Register


28 November 2013 | 1,885 views

ike-scan – Discover & Fingerprint IKE Hosts (IPsec VPN Servers)

ike-scan discovers IKE hosts and can also fingerprint them using the retransmission backoff pattern.

ike-scan can perform the following functions:

  • Discovery Determine which hosts in a given IP range are running IKE. This is done by displaying those hosts which respond to the IKE requests sent by ike-scan.
  • Fingerprinting Determine which IKE implementation the hosts are using, and in some cases determine the version of software that they are running. This is done in two ways: firstly by UDP backoff fingerprinting which involves recording the times of the IKE response packets from the target hosts and comparing the observed retransmission backoff pattern against known patterns; and secondly by Vendor ID fingerprinting which compares Vendor ID payloads from the VPN servers against known vendor id patterns.
  • Transform Enumeration Find which transform attributes are supported by the VPN server for IKE Phase-1 (e.g. encryption algorithm, hash algorithm etc.).
  • User Enumeration For some VPN systems, discover valid VPN usernames.
  • Pre-Shared Key Cracking Perform offline dictionary or brute-force password cracking for IKE Aggressive Mode with Pre-Shared Key authentication. This uses ike-scan to obtain the hash and other parameters, and psk-crack (which is part of the ike-scan package) to perform the cracking.

The retransmission backoff fingerprinting concept is discussed in more detail in the UDP backoff fingerprinting paper which should be included in the ike-scan kit as UDP Backoff Fingerprinting Paper.

The program sends IKE phase-1 (Main Mode or Aggressive Mode) requests to the specified hosts and displays any responses that are received. It handles retry and retransmission with backoff to cope with packet loss. It also limits the amount of bandwidth used by the outbound IKE packets.

IKE is the Internet Key Exchange protocol which is the key exchange and authentication mechanism used by IPsec. Just about all modern VPN systems implement IPsec, and the vast majority of IPsec VPNs use IKE for key exchange. Main Mode is one of the modes defined for phase-1 of the IKE exchange (the other defined mode is aggressive mode). RFC 2409 section 5 specifies that main mode must be implemented, therefore all IKE implementations can be expected to support main mode. Many also support Aggressive Mode.

Building and Installing

  • Run git clone https://github.com/royhills/ike-scan.git to obtain the project source code
  • Run cd ike-scan to enter source directory
  • Run autoreconf --install to generate a viable ./configure file
  • Run ./configure or ./configure --with-openssl to use the OpenSSL libraries
  • Run make to build the project
  • Run make check to verify that everything works as expected
  • Run make install to install (you’ll need root or sudo for this part)

You can download ike-scan here:

master.zip

Or read more here.


25 November 2013 | 1,280 views

vBulletin.com Hacked – Forum User Emails & Encrypted Passwords Leaked

vBulletin.com hacked is the latest news going around, there seems to have been a spate of these lately, with huge numbers of user accounts leaked. Thankfully this time, the passwords are actually hashed, but with what algorithm – we aren’t quite sure. Perhaps someone could figure it out with HashTag.

I do have some vBulletin forums as well, so I got the e-mail below:

“We take your security and privacy very seriously. Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your account.”

Apparently they are using some kind of salted hash, so the password hashes should be fairly robust. But with the speed of hash brute forcing, any weak passwords should be discovered fairly quickly.

Forumware giant vBulletin.com has admitted that it’s been turned over by hackers who made off with customer user IDs and encrypted passwords.

vBulletin said it was resetting account passwords in response the the breach, which it blamed on a series of “sophisticated attacks”:

It’s unclear what form of “password encryption” vBulletin actually used. In particular it’s unknown if the forum followed industry best practice and stored passwords only in a hashed digest format together with a pinch of salt as a defence against rainbow table-style brute-force attempts to decode its (now leaked) user credential database.

In any case, users who inadvisedly choose the same password for vBulletin as elsewhere also need to change their password at the second location – this time to something different from anything they use elsewhere.

Another reminder not to reuse passwords, use weak passwords etc. It comes shortly after some large forums (like MacRumours) were hacked, forums using vBulletin – which leads some to believe there is a pretty nasty 0-day for vBulletin out there.

This has been supported by the fact that such an exploit is for sale on various exploit marketplaces by a group called Inj3ct0r Team. I’ve seen no reports so far though on the validity of the exploit for sale, and could it be what caused these compromises.

The disclosure of a breach at vBulletin comes a week after forum site MacRumors (which runs on vBulletin) was hacked, exposing the credentials of more than 860,000 users. In a statement acknowledging the compromise, MacRumours apologised for the breach and advised commentards to change up their passwords.

The attacks against MacRumors and vBulletin may be linked.

A hacking group called Inj3ct0r Team claimed responsibility for both the MacRumours and vBulletin attacks before offering to sell the vulnerability exploit used – supposedly targeting an unpatched security hole in multiple versions of vBulletin’s server software – for $700 a pop through various exploit marketplaces, The Hacker News reports.

The quality and provenance of the goods on sale remains unclear, but even the possibility that the sale could lead to widespread attacks against online forums has given some site admins the jitters. Hacking conference DEF CON, for one, has suspended its forums as a precaution, pending the availability of a suitable patch; a move it is making out of an abundance of caution and during its quiet season, months before its annual hacker jamboree in Las Vegas.

https://forum.defcon.org/ was also taken down for a while until the whole thing got sorted out. You can find the code for sale on the groups site here for $7000USD:

vBulletin v4.x.x and 5.х.x Shell Upload / Remote Code Execute (0day)

Let’s see who pops next.

Source: The Register


22 November 2013 | 2,476 views

LANs.py ARP Spoofer – Multithreaded Asynchronous Packet Parsing/Injecting

LANs.py is a multithreaded asynchronous packet parsing/injecting ARP spoofer & poisoner.

Individually poisons the ARP tables of the target box, the router and the DNS server if necessary. Does not poison anyone else on the network. Displays all most the interesting bits of their traffic and can inject custom html into pages they visit. Cleans up after itself.

This script uses a python nfqueue-bindings queue wrapped in a Twisted IReadDescriptor to feed packets to callback functions. nfqueue-bindings is used to drop and forward certain packets. Python’s scapy library does the work to parse and inject packets.

Requirements

  • Linux
  • Scapy
  • Python nfqueue-bindings 0.4.3+
  • aircrack-ng
  • Python twisted
  • BeEF (optional)
  • A wireless card capable of promiscuous mode if you choose not to use the -ip option

You can download LANs.py here:

LANs.py

Or read more here.


20 November 2013 | 3,166 views

Cupid Media Hack Exposes 42 Million Passwords In Plain Text

42 Million Passwords – now that’s a big number, and the worst part – they aren’t even hashed. Nope, not at all – not even badly. Apparently the intrusion took place earlier this year, in January 2013 – but there was no public announcement.

The data was found on the same server where the hacked data from some other big heists was stored (Adobe/PR Newswire/NW3C etc). And to make it even worse, at least 10% of the users (which itself is over 4 million) use absolutely terrible passwords – passwords that would have been useless even if they were hashed.

Cupid Media Plain Text Passwords
Image Source: Cupid Media Hack Exposed 42M Passwords

Almost 2 million of the users had the password ‘123456‘ followed by 1.2 million with ‘111111‘ (I’m guessing they had a 6 char minimum password requirement).

A hack on niche online dating service Cupid Media earlier this year has exposed names, e-mail addresses and—most notably—plain-text passwords for 42 million accounts, according to a published report.

The cache of personal information was found on the same servers that housed tens of millions of records stolen in separate hacks on sites including Adobe, PR Newswire, and the National White Collar Crime Center, KrebsonSecurity journalist Brian Krebs reported Tuesday night. An official with Southport, Australia-based Cupid Media told Krebs that user credentials appeared to be connected to “suspicious activity” that was detected in January. Officials believed they had notified all affected users, but they are in the process of double-checking that all affected accounts have had their passwords reset in light of Krebs’s discovery.

The compromise of 42 million passwords makes the episode one of the bigger passcode breaches on record. Adding to the magnitude is the revelation the data was in plaintext, instead of a cryptographically hashed format that requires an investment of time, skill, and computing power to crack.

Standing at 42 million passwords, it is indeed one of the biggest breaches ever – and whoever got hold of this had to put no time, effort or computing power into brute forcing hashes. They just opened the DB dump and had 42 million e-mail addresses and passwords.

With many people re-using their passwords across multiple sites, this is indeed like striking the lottery for hackers.

Back in 2011 when Canadian Dating Site PlentyofFish.com was Hacked, they exposed 30 million user accounts – so they weren’t far behind. Notice any similarities? Yah both dating sites…and both storing passwords in plain text.

Making matters worse, many of the Cupid Media users are precisely the kinds of people who might be receptive to content frequently advertised in spam messages, including male enhancement products, services for singles, and diet pills.

The Cupid Media user records reviewed by Krebs contain the usual assortment of weak passwords. More than 1.9 million accounts were protected by 123456. Another 1.2 million used 111111. Users who used the same e-mail address and password to secure accounts on other sites are vulnerable to hijacking. Word of the Cupid Media compromise follows recent reports of password leaks from a host other sites or companies, including Adobe (150 million reversibly encrypted passwords), MacRumors forums (860,000), and web software developer vBulletin (number not disclosed).

Ars has long advised readers to use a password manager that stores a long, randomly generated password that’s unique for every important site. That way, when breaches hit a particular site, users are left scrambling to change credentials for other accounts that used the same password.

You can read more here too:

- Cupid Media Hack Exposed 42M Passwords
- 42 million passwords exposed following massive dating website hack

Once again, another good reason to use PassPack/LastPass/KeePass etc. It once again reinforces the fact that reusing passwords is a terrible idea, especially when sites like this still exist in 2013 that store your password in plain text.

Source: Ars Technica


19 November 2013 | 4,991 views

HashTag – Password Hash Type Identification (Identify Hashes)

HashTag.py is a Python script written to parse and identify the password hash type used.

HashTag supports the identification of over 250 hash types along with matching them to over 110 hashcat modes (use the command line switch -hc to output the hashcat modes). It is also able to identify a single hash, parse a single file and identify the hashes within it, or traverse a root directory and all subdirectories for potential hash files and identify any hashes found.

One of the biggest aspects of this tool is the identification of password hashes. The main attributes used to distinguish between hash types are character set (hexadecimal, alphanumeric, etc.), hash length, hash format (e.g. 32 character hash followed by a colon and a salt), and any specific substrings (e.g. ‘$1$’). A lot of password hash strings can’t be identified as one specific hash type based on these attributes. For example, MD5 and NTLM hashes are both 32 character hexadecimal strings. In these cases the author made an exhaustive list of possible types and has the tool output reflect that.

HashTag

It has three main arguments:

  • Identifying a single hash type (-sh)
  • Parsing and identifying multiple hashes from a file (-f)
  • Traversing subdirectories to locate files which contain hashes and parse/identify them (-d)

Usage:

You can download HashTag here:

HashTag.py

Or read more here.


16 November 2013 | 3,073 views

Linux Backdoor Fokirtor Injects Traffic Into SSH Protocol

Earlier this week we wrote about an Internet Explorer 0-day which used an in-memory drive by attack, which was pretty smart. Now another new type of malware (a backdoor in this case), this time targeting Linux known as Fokirtor.

There is no real discussion of the exploit used to plant this backdoor (if it was an exploit, there are other channels), but the way it operates is pretty interesting and certainly nothing I’ve seen before.

Security researchers have discovered a Linux backdoor that uses a covert communication protocol to disguise its presence on compromised systems.

The malware ‪was used in an attack on a large (unnamed) hosting provider ‬back in May. It cleverly attempted to avoid setting off any alarm bells by injecting its own communications into legitimate traffic, specifically SSH chatter. SSH is a protocol commonly used to access shell accounts on Unix-like operating systems, a continuous activity for remote administration of websites.

The unknown cybercrooks or cyberspies behind that attack apparently targeted customer record information such as usernames, emails, and passwords using the subtle and stealthy malware, according to an analysis of the backdoor by security researchers at Symantec.

In addition, the malware made use of the Blowfish encryption algorithm to encrypt uploads of stolen data or other communications with a command-and-control network.

It’s a pretty interesting method, assuming most Linux servers do have SSH enabled (which they do tend to) – it enables attackers to communicate covertly without setting off any alarms. The part I find really interesting is that the malware uses a pretty serious encryption algorithm (Blowfish), rather than the average backdoor or trojan which just uses XOR or Base64 encoding.

The conspiracists amongst us will likely find this pointing to governmental involvement in the development of this backdoor.

The attackers understood the target environment was generally well-protected. In particular, the attackers needed a means to avoid suspicious network traffic or installed files, which may have triggered a security review. Demonstrating sophistication, the attackers devised their own stealthy Linux backdoor to camouflage itself within the Secure Shell (SSH) and other server processes.
This backdoor allowed an attacker to perform the usual functionality — such as executing remote commands — however, the backdoor did not open a network socket or attempt to connect to a command-and-control server (C&C). Rather, the backdoor code was injected into the SSH process to monitor network traffic and look for the following sequence of characters: colon, exclamation mark, semi-colon, period (“:!;.”).

After seeing this pattern, the back door would parse the rest of the traffic and then extract commands which had been encrypted with Blowfish and Base64 encoded.

Most sources mark this threat as pretty low, and it hasn’t been seen much – so it may have been a very targeted attack and some speculate it may be something to do with the GCHQ/Belgacom case.

It’ll be interesting to see if Fokirtor is found anywhere else, there is some very basic information about it from Symantec here: Linux.Fokirtor and a little more here Linux Back Door Uses Covert Communication Protocol.

In some ways it reminds me of pork knocking – fwknop – Port Knocking Tool with Single Packet Authorization.

Source: The Register


13 November 2013 | 3,844 views

hashcat – Multi-Threaded Password Hash Cracking Tool

hashcat claims to be the world’s fastest CPU-based password recovery tool, while not as fast as GPU powered hash brute forcing (like CUDA-Multiforcer), it is still pretty fast.

hashcat was written somewhere in the middle of 2009. Yes, there were already close-to-perfect working tools supporting rule-based attacks like “PasswordsPro”, “John The Ripper”. However for some unknown reason, both of them did not support multi-threading. That was the only reason to write hashcat: To make use of the multiple cores of modern CPUs.

Granted, that was not 100% correct. John the Ripper already supported MPI using a patch, but at that time it worked only for Brute-Force attack. There was no solution available to crack plain MD5 which supports MPI using rule-based attacks.

Hashcat, from its first version, v0.01, was called “atomcrack”. This version was very poor, but at least the MD5 kernel was written in assembler utilizing SSE2 instructions and of course it was multi-threaded. It was a simple dictionary cracker, nothing more. But it was fast. Really fast. Some guys from the scene become interested in it and after one week there were around 10 beta testers. Everything worked fine and so requests for more algorithm types, a rule-engine for mutation of dictionaries, a windows version and different attack modes were added. These developments took around half a year, and were completely non-public.

hashcat - multi-thread password cracker

Features

  • Multi-Threaded
  • Multi-Hash (up to 24 million hashes)
  • Multi-OS (Linux, Windows and OSX native binaries)
  • Multi-Algo (MD4, MD5, SHA1, DCC, NTLM, MySQL, …)
  • SSE2, AVX and XOP accelerated
  • All Attack-Modes except Brute-Force and Permutation can be extended by rules
  • Very fast Rule-engine
  • Rules compatible with JTR and PasswordsPro
  • Possible to resume or limit session
  • Automatically recognizes recovered hashes from outfile at startup
  • Can automatically generate random rules
  • Load saltlist from external file and then use them in a Brute-Force Attack variant
  • Able to work in an distributed environment
  • Specify multiple wordlists or multiple directories of wordlists
  • Number of threads can be configured
  • Threads run on lowest priority
  • Supports hex-charset
  • Supports hex-salt
  • 80+ Algorithms implemented with performance in mind

You can download hashcat here:

hashcat-0.46.7z

Detailed documentation and command line switches can be found here – hashcat.

Or read more here.


12 November 2013 | 1,197 views

Another IE 0-Day Hole Found & Used By In-Memory Drive By Attacks

So another IE 0-Day has been uncovered, and is in use in the wild for drive-by attacks on unwitting web users. I have to say, technically speaking, this attack is rather impressive – in terms of the exploit, the delivery method and the way that it runs.

It retrieves the PE headers from a DLL then returns a specific version of the exploit to the DLL file, after that it doesn’t ever write to the disk and only executes in memory directly. This makes it extremely hard for anti-virus scanners to spot it.

The down-side is the attacks lose the persistence aspect, as if the infected user reboots their machine – the malware code is basically gone.

Security researchers have discovered new zero-day vulnerabilities in Internet Explorer that are already being harnessed by hackers to run a new type of drive-by attack.

FireEye, the security firm that discovered the attack method, said that the flaw is present in various versions of Internet Explorer 7, 8, 9 and 10, while running Windows XP or Windows 7.

“The exploit leverages a new information leakage vulnerability and an IE out-of-bounds memory access vulnerability to achieve code execution,” FireEye explains. “It is one vulnerability being exploited in various different ways.”

The IE flaw is unpatched and separate from the TIFF image-handling zero-day vulnerability that surfaced late last month – which is also under active attack.

Malware slung via the latest exploit is designed to load directly into the memory of victimised Windows PC, bypassing the hard drive. The tactic makes it harder for antivirus software or similar security tools to detect and block the attack.

The attackers are probably under the assumption that the same user will probably visit the same site again, and get reinfected – even after a reboot. The exploit also contains a large multi-stage shellcode payload, to avoid downloading further code (and thus writing to the disk).

In terms of forensics, this also makes it extremely hard to identify infected endpoints as the malware running in memory only leaves little to no artifacts.

However, simply rebooting compromised machines would appear to remove them from the botnet, so what this new type of attack gains in stealth, it loses in persistence. FireEye posits that “the use of this non-persistent first stage may suggest that the attackers were confident that their intended targets would simply revisit the compromised website and be[come] re-infected”.

One of the sites spreading the exploit covers national and international security policy, according to FireEye. This, and other instances of the attack method, make it more than likely we are looking at some type of state-backed cyber-espionage campaign, it says.

The infrastructure used in the attack shares similarities with the earlier Operation DeputyDog assaults against targets in Japan and China, claims FireEye. The same hacking crew is suspected of involvement in a high profile hack against whitelisting firm Bit9.

If anything, the latest assaults are even more sophisticated.

More stuff you can read about if you are interested in this topic:

- Return-oriented programming
- APT – Advanced Persistent Threat

You can find the original info and blog post here:

New IE Zero-Day Found in Watering Hole Attack

And a very technical look at the techniques used here:

Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method

Source: The Register