Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

12 March 2015 | 2,521 views

Rowhammer – DDR3 Exploit – What You Need To Know

Don't let a Dragon into your website!

So the big news this week was the release of details of a very clever hardware attack posted by Google’s Project Zero security initiative called Rowhammer. The impressive part is this is a hardware/manufacturing bug that has elevated to a software based attack.

Rowhammer - DDR3 Exploit - What You Need To Know

In simple terms Rowhammer is an attack that exploits physical weaknesses in certain types of DDR memory chips (DDR3) to elevate the system rights of untrusted users of Intel-compatible PCs running Linux. It writes and rewrites memory to force capacitor errors in DRAM, which can be exploited to gain control of the system.

This corruption can lead to the wrong instructions being executed, or control structures that govern how memory is assigned to programs being altered – the latter case can be used by a normal program to gain kernel-level privileges (privilege escalation).

You can read the Google post here: Exploiting the DRAM rowhammer bug to gain kernel privileges

“Rowhammer” is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process. When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory.

Definitely one of the more interesting attacks vectors that have popped up in recent history, the last one as interesting/impressive as this was probably the researchers cracking 4096-bit RSA Encryption with a microphone.

The attack is based on work by scientists from 2014 that proved “bit flipping” could take place, you can find the related academic paper here: Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors [PDF]

Memory isolation is a key property of a reliable and secure computing system — an access to one memory address should not have unintended side effects on data stored in other addresses. However, as DRAM process technology scales down to smaller dimensions, it becomes more difficult to prevent DRAM cells from electrically interacting with each other. In this paper, we expose the vulnerability of commodity DRAM chips to disturbance errors. By reading from the same address in DRAM, we show that it is possible to corrupt data in nearby addresses. More specifically, activating the same row in DRAM corrupts data in nearby rows. We demonstrate this phenomenon on Intel and AMD systems using a malicious program that generates many DRAM accesses.

The research unveiled this week shows how the technique can be turned into an actual attack.

If you’re using ECC memory it will protect you to a certain degree (as you should be if you’re running servers), but won’t make you immune as it won’t protect you against multiple bit flips at once, given enough tries a malicious attacker could pull this off.

If you’re using DDR4 however, you should be immune to this.

The problem with this flaw from a security perspective, is we can’t patch it..it’s a hardware issue. And well, as anyone who has worked in datacenters or server grade computing knows – those DIMMs are not going to get replaced any time soon.

You can find the Rowhammer test on Github here: https://github.com/google/rowhammer-test

“Rowhammer” is a problem with recent DRAM modules in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. This repo contains a program for testing for the rowhammer problem which runs as a normal userland process.

Does this affect the average man on the street? No. Do we as security professionally and people who write code have to consider this, yes we do.

It’s quite an academic/theoretical attack – but also yields quite consistent results.

The team tested the exploit on 29 x86 laptops built between 2010 and 2014 and using DDR3 DRAM. In 15 cases the team could successfully subvert the systems in minutes, and found DRAM made by a variety of memory manufacturers is susceptible to the attack.

While this was a high cracking rate, the team reported almost no success on desktop machines. This is possibly because those computers use newer RAM with error-correcting memory (ECC), which makes rowhammer attacks on the kernel much harder to accomplish, or that laptops have denser and lower-power RAM that’s easier to corrupt.

From: Ouch! Google crocks capacitors and deviates DRAM to root Linux

Advertisements



09 March 2015 | 1,400 views

MessenPass – Recover MSN, Yahoo Messenger, ICQ, Trillian Passwords

MessenPass is a password recovery tool that reveals the passwords of the many popular Instant Messaging applications.

MessenPass - Recover MSN, Yahoo Messenger, ICQ, Trillian Passwords

MessenPass can only be used to recover the passwords for the current logged-on user on your local computer, and it only works if you chose the remember your password in one of the above programs. You cannot use this utility for grabbing the passwords of other users.

MessenPass supports password recovery for the following IM apps:

  • MSN Messenger
  • Windows Messenger (In Windows XP)
  • Windows Live Messenger (In Windows XP/Vista/7)
  • Yahoo Messenger (Versions 5.x and 6.x)
  • Google Talk
  • ICQ Lite 4.x/5.x/2003
  • AOL Instant Messenger v4.6 or below, AIM 6.x, and AIM Pro.
  • Trillian
  • Trillian Astra
  • Miranda
  • GAIM/Pidgin
  • MySpace IM
  • PaltalkScene
  • Digsby

Installing MessenPass

MessenPass can be used without any installation process, simply by running the executable file (mspass.exe) from the zip file.
If you want to install MessenPass with automatic creation of program group icons and uninstall support, download and run the self-install executable file.

Using MessenPass

When you run MessenPass, it automatically detects the Instant Messenger applications installed on your computer, decrypts the passwords they store, and displays all user name/password pairs that it found in the main window of MessenPass. If from some reason, MessenPass fails to locate the installed Instant Messenger application, you can try to manually select the right folder of your IM application by using ‘Select Folders’ option (from the File menu).

On the main window of MessenPass, you can select one or more password items, and then copy them to the clipboard in tab-delimited format (you can paste this format into Excel or Open-Office Spreadsheet), or save them into text/html files.

You can download MessenPass here:

mspass.zip

Or read more here.


07 March 2015 | 4,127 views

Santoku Linux – Mobile Forensics, Malware Analysis, and App Security Testing LiveCD

The word santoku loosely translates as ‘three virtues’ or ‘three uses’. Santoku Linux has been crafted with a plethora of open source tools to support you in three endeavours, mobile forensics, malware analysis and security testing. Boot into Santoku and get to work, with the latest security tools and utilities focused on mobile platforms such as Android and iOS.

Santoku - Mobile Forensics, Malware Analysis, and App Security Testing LiveCD

Pre-installed platform SDKs, drivers, and utilities, plus helpful tools for easy deployment and control of mobile apps. Auto Detection and setup of new connected mobile devices. To make future updating of Santoku WAY easier for users, we’re hosting a repository. Set it up just once and get updates with package management instead of downloading a whole new iso.

Mobile Forensics

Tools to acquire and analyze data

  • Firmware flashing tools for multiple manufacturers
  • Imaging tools for NAND, media cards, and RAM
  • Free versions of some commercial forensics tools
  • Useful scripts and utilities specifically designed for mobile forensics

Mobile Malware

Tools for examining mobile malware

  • Mobile device emulators
  • Utilities to simulate network services for dynamic analysis
  • Decompilation and disassembly tools
  • Access to malware databases

Mobile Security

Assessment of mobile apps

  • Decompilation and disassembly tools
  • Scripts to detect common issues in mobile applications
  • Scripts to automate decrypting binaries, deploying apps, enumerating app details, and more

You can download Santoku here:

santoku_0.5.iso (Direct ISO)
santoku_0.5.iso.torrent (Torrent)

Or read more here.


05 March 2015 | 614 views

Acunetix Clamps Down On Costly Website Security With Online Solution

As cyber security continues to hit the headlines, even smaller companies can expect to be subject to scrutiny and therefore securing their website is more important than ever. In response to this, Acunetix are offering the online edition of their vulnerability scanner at a new lower entry price. This new option allows consumers to opt for the ability to scan just one target or website and is a further step in making the top of the range scanner accessible to a wider market.

Acunetix clamps down on costly website security with online solution

A web vulnerability scanner allows the user to identify any weaknesses in their website architecture which might aid a hacker. They are then given the full details of the problem in order to fix it. While the scanner might previously have been a niche product used by penetration testers, security experts and large corporations, in our current cyber security climate, such products need to be made available to a wider market. Acunetix have recognised this which is why both the product and its pricing have become more flexible and tailored to multiple types of user, with a one scan target option now available at 295 Euros. Pricing for other options has also been reduced by around 15% to reflect the current strength of the dollar. Use of the network scanning element of the product is also currently being offered completely free.

Acunetix CEO Nicholas Galea said: “Due to recent attacks such as the Sony hack and the Anthem Inc breach, companies are under increasing pressure to ensure their websites and networks are secure. We’ve been continuously developing our vulnerability scanner for a decade now, it’s a pioneer in the field and continues to be the tool of choice for many security experts. We feel it’s a tool which can benefit a far wider market which is why we developed the more flexible and affordable online version.

About Acunetix Vulnerability Scanner (Online version)

User-friendly and competitively priced, Acunetix Vulnerability Scanner fully interprets and scans websites, including HTML5 and JavaScript and detects a large number of vulnerabilities, including SQL Injection and Cross Site Scripting, eliminating false positives. Acunetix beats competing products in many areas; including speed, the strongest support of modern technologies such as JavaScript, the lowest number of false positives and the ability to access restricted areas with ease. Acunetix also has the most advanced detection of WordPress vulnerabilities and a wide range of reports including HIPAA and PCI compliance.

Users can sign up for a trial of the online version of Acunetix which includes the option to run free network scans.

About Acunetix

Acunetix is the market leader in web application security technology, founded to combat the alarming rise in web attacks. Its products and technologies are the result of a decade of work by a team of highly experienced security developers. Acunetix’ customers include the U.S. Army, KPMG, Adidas and Fujitsu. More information can be found at www.acunetix.com.


03 March 2015 | 2,177 views

Appie – Portable Android Security Testing Suite

Appie is a collection of software packages in a portable Windows format to help with Android security testing, specifically penetration testing Android applications. Appie since its latest release can also help with security assessments, forensics and malware analysis.

It is completely portable and can be carried on USB stick or your smartphone.

Appie – Android Portable Pen-testing Suite

Appie was designed to avoid the use of heavy/large VM machines and the associated images, instead choosing to run the apps on the host machine using a portable console emulator for Windows (cmder).

Various tools are included such as:

You can download Appie here:

Appie2.zip

Or read more here.


01 March 2015 | 2,415 views

CMSmap – Content Management System Security Scanner

CMSmap is a Python open source Content Management System security scanner that automates the process of detecting security flaws of the most popular CMSs. The main purpose of CMSmap is to integrate common vulnerabilities for different types of CMSs in a single tool.

At the moment, CMSs supported by CMSmap are WordPress, Joomla and Drupal. This is as opposed to tools like WPScan or Droopescan which just specialise in the security of a single CMS system.

CMSmap - Content Management System Security Scanner

Please note that this project is an early state. As such, you might find bugs, flaws or mulfunctions. Use it at your own risk!

Usage

You can grab CMSmap by cloning their Github repo:

Or read more here.


26 February 2015 | 845 views

Google Expands Pwnium Year Round With Infinite Bounty

There are various bug bounty programs, with Google being one of the forerunners in the field – Twitter was late to the party just joining in September 2014.

The latest development is that Google is stopping the annual Pwnium hack fest aimed at the Chromium project to stop bug hoarding, which makes Pwnium essentially a never ending hack-fest that anyone can submit to at any time.

Google Expands Pwnium Year Round With Infinite Bounty

Which makes sense for Google really, they get the bugs faster – with the chances that multiple people have spotted the same bugs (including the blackhat market), the sooner they fix stuff the better.

Google is vastly expanding its popular annual Pwnium hack fest, by allowing hackers to vie try for limitless amounts of cash every day of the year. The contest was previously held once a year at the CanSecWest conference in Canada, with millions in cash on offer to hackers who can take the shine off its Chromium project.

The Choc factory now wants hackers to submit their bad bugs and exploit code as soon as it surfaces, rather than hold it off for the one-day event. Chrome security hacker philanthropist Tim Willis says the “never-ending Pwnium” will cut down barriers for entry and incentives for bug hoarding.

“We’ve received some great entries over the years, but it’s time for something bigger,” Willis says. “Starting today, Pwnium will change its scope significantly, from a single-day competition held once a year at a security conference to a year round, worldwide opportunity for security researchers.

It seems like Google is willing to invest quite a lot of money in this, and the security of the browser. Also they’re probably banking on the fact most of the major bugs have already been found and paid out on – so they shouldn’t take too much of a hit.

And they can pay out over the year, rather than all on one day. Hey who am I kidding, they have more money than the GDP of many small countires – this is nothing to them.

“For those who are interested in what this means for the Pwnium rewards pool, we crunched the numbers and the results are in: it now goes all the way up to $∞ million.”

That infinity million was grounded by the top reward for any one bug being US$50,000, the lowest offering US$500. He says hackers with “Pwnium-quality” bug chains would likely hoard the report to claim a cash reward at the risk that code changes may require them to rework their efforts. Hackers too requested that they be able to report whenever they like through the Chrome Vulnerability Reward Program, Willis said.

Willis did not specifically rule out the one day CanSecWest contest although it appeared likely.

The infinite dollars is not for one bug though, it’s a theoretical amount if you discovered infinite different bugs in Chrome, you could get that much (with a cap at $50,000 maximum bounty for each single bug).

With the lowest being $500, that means for a mid-range bug you could be looking at a decent sum of money, worth a crack if it’s up your street skillset wise.

Source: The Register


24 February 2015 | 3,598 views

VScan – Open Source Vulnerability Management System

VScan is an open source Vulnerability Management System designed to make it easier for an organization to track vulnerability resolution and ensure anything found in their infrastructure is fixed.

VScan was created as after a vulnerability assessment it can sometimes be difficult to track the implementation of a security improvement program, so this tool can help you measure your progress and simplify the process of fixing any problems found.

VScan - Open Source Vulnerability Management System

Basically what you want to know is, how many vulnerabilities did we have before? And how many do we have now?

So that’s where VScan comes in, basically it’s a web front end for Nessus (or whatever else you want to plug in on the back end) and gives you scanning capabilities to online commercial scanners like Acunetix Online Vulnerability Scanner, with the ability to omit (false positives) or recheck issues after they’ve been fixed.

You can download VScan here:

VScan-BH_Arsenal.tar.gz

Or read more here.


17 February 2015 | 5,278 views

Windows Credentials Editor (WCE) – List, Add & Change Logon Sessions

Windows Credentials Editor (WCE) is a security tool to list logon sessions and add, change, list and delete associated credentials (ex.: LM/NT hashes, plaintext passwords and Kerberos tickets).

This tool can be used, for example, to perform pass-the-hash on Windows, obtain NT/LM hashes from memory (from interactive logons, services, remote desktop connections, etc.), obtain Kerberos tickets and reuse them in other Windows or Unix systems and dump cleartext passwords entered by users at logon.

Windows Credentials Editor (WCE) - List, Add & Change Logon Sessions

WCE is a security tool widely used by security professionals to assess the security of Windows networks via Penetration Testing. It supports Windows XP, 2003, Vista, 7, 2008 and Windows 8.

Features

  • Perform Pass-the-Hash on Windows
  • ‘Steal’ NTLM credentials from memory (with and without code injection)
  • ‘Steal’ Kerberos Tickets from Windows machines
  • Use the ‘stolen’ kerberos Tickets on other Windows or Unix machines to gain access to systems and services
  • Dump cleartext passwords stored by Windows authentication packages

WCE is aimed at security professionals and penetration testers. It is basically a post-exploitation tool to ‘steal’ and reuse NTLM hashes, Kerberos tickets and plaintext passwords which can then be used to compromise other machines. Under certain circumstances, WCE can allow you to compromise the whole Windows domain after compromising only one server or workstation.

You can download WCE here:

WCE v1.42beta (32-bit)
WCE v1.42beta (64-bit)

Or read more here.


12 February 2015 | 1,523 views

Facebook Launches ThreatExchange – Security Clearinghouse API

So Facebook has launched ThreatExchange, a social network for information security intelligence and cyberthreat sharing, how apt. They have signed up some fairly heavyweight partners from the get go with Bitly, Dropbox, Pinterest, Tumblr, Twitter and Yahoo! being involved initially.

With those kind of names, it’s a sure bet more people will jump on the bandwagon fairly shortly.

Facebook Launches ThreatExchange - Security Clearinghouse API

So yah, it’s gonna be successful – but is it going to be useful? ThreatExchange is an application programming interface that builds on Facebook’s internal threat system called ThreatData – which is basically a social system to share bad URLs and dangerous domains.

Facebook is teaming up with other big names on the interwebs to create a security information sharing portal, dubbed ThreatExchange*, which went live on Wednesday.

ThreatExchange is billed as a platform that enables security professionals to “share threat information more easily, learn from each other’s discoveries, and make their own systems safer”.

Facebook said that it’s built in a set of privacy controls so that “participants can help protect any sensitive data by specifying who can see the threat information they contribute.”

Threats like malware, spam and phishing typically go after multiple targets. Sharing threat intelligence improves collective defence against the bad guys, who are already collaborating, the argument goes.

The US Cyber Intelligence Sharing and Protection Act (CISPA), which allows private companies to share customer information with the NSA and others in the name of cybersecurity, has repeatedly failed to clear legislative hurdles.

Under that latest attempt to revive the proposed law, announced by President Obama last month, corporations and government would be obliged to share information about possible computer security vulnerabilities in order to make everyone more secure. The idea sounds like a winner but the problem is that organisations taking part will also pass on customer information to law enforcement, after taking “reasonable” steps to anonymise it. In return, they get threat intelligence from the Feds about the attack landscape.

Collaboration does work tho and with one of the biggest online entities leading it, the amount of data that this exercise should yield will be fairly impressive. What they’ve build is an API on top of ThreatData basically which allows access to the data in the system, and probably allows you to feed in bad URLs as well.

Business wise, should they giving this data away for free? Why not I say.

Privacy activists are dead against the idea, partly because experience has shown it’s very difficult to anonymise data in practice, as well as because of more general fears that information sharing represents another way for the NSA to hoover up yet more data into its vast data centre.

Groups like the Electronic Frontiers Foundation advocate use of information sharing hubs as an alternative. Facebook’s social network for threat sharing fits into that mould, when viewed from a charitable perspective. On the other hand, Facebook has a long history of shifting its privacy goalposts, at least with information supplied by consumers – and this makes the social network a mite difficult to trust.

Head honcho Mark Zuckerberg famously labelled early Facebookers “dumb fucks” for sharing their personal info on his network – which, let’s not forget, exists to allow its customers (i.e. advertisers) to sling better-targeted adverts at consumers.

Maybe Facebook is coming at ThreatExchange from a different angle. In fairness, other web 2.0 firms have already been convinced to collaborate with Facebook on ThreatExchange.

Early partners for ThreatExchange include Bit.ly, Dropbox, Pinterest, Tumblr, Twitter, and Yahoo. Facebook said that it expect new partners to jump on board as the platform grows. Information sharing has been going on in an ad-hoc basis in certain industries, particularly banking, for many years. Yet sharing e-mail and spreadsheets is too ad-hoc and inconsistent. It’s difficult to verify threats, to standardise formats, and for each company to protect its sensitive data. Commercial options can be expensive and many open standards require additional infrastructure, according to Facebook.

Facebook aims to plug the gap in existing approaches with builds on its internal ThreatData system to create a social platform designed for sharing indicators such as bad URLs and domains. Facebook is at pains to emphasise that it’s really serious about privacy, at least when it comes to the operation of ThreatExchange.

For the majority of netizens, this is good stuff – who doesn’t want to see less spam on Facebook and have malware threats auto-squashed? It’s a pretty healthy move for the Internet in general. I’m just interesting to see if anything else is going to spin off from this.

From the sign-up page, it seems like there’s an option to publish/push your own threat feed into ThreatExchange as well (hence the Exchange name I guess) so it’ll be interesting to see what happens from here on in.

Source: The Register