Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

27 October 2015 | 27,279 views

Infernal Twin – Automatic Wifi Hacking Tool

Cybertroopers storming your ship?

Infernal Twin is an automatic wifi hacking tool, basically a Python suite created to aid penetration testers during wireless assessments, it automates many of the common attacks – which can get complicated and hard to manage when executed manually.

Infernal Twin - Automatic Wifi Hacking Tool

The author noticed a gap in the market with there being many tools to automate web application testing and network pen-tests, but nothing really aimed at Wifi apart from some commercial tools. So this is an attempt to create a ‘1-click’ style wifi attack tool – something like Metasploit. A framework with a whole bunch of different attack vectors bundled together in one interface.

Features

  • WPA2 hacking
  • WEP Hacking
  • WPA2 Enterprise hacking
  • Wireless Social Engineering
  • SSL Strip
  • Evil Access Point Creation
  • Infernal Wireless
  • Report generation
  • PDF Report
  • HTML Report
  • Note taking function
  • Data is saved into Database
  • Network mapping
  • MiTM
  • Probe Request

The tool leverages the work done on other utilities to avoid reinventing the wheel, popular wifi security tools such as aircrack-ng and SSLStrip.

You can download Infernal Twin here:

infernal-twin-master.zip

Or read more here.

Advertisements



24 October 2015 | 1,015 views

WP Security Audit Log – A Complete Audit Log Plugin For WordPress

WP Security Audit Log is a complete audit log plugin for WordPress, which helps you keep an audit log of everything that is happening on your WordPress and WordPress multisite installation. Ensure user productivity and identify WordPress security issues before they become a security problem. This is claimed to be the most comprehensive user monitoring and audit log plugin for WordPress and is already helping thousands of WordPress administrators, owners and security professionals ensure the security of their websites and blogs.

WP Security Audit Log - A Complete Audit Log Plugin For WordPress

Increase the security of your WordPress install with good security measures, supplement it by installing WP Security Audit Log and using tools like WPScan the WordPress Vulnerability Scanner.

Features

The plugin has a number of features that make WordPress and WordPress multisite monitoring and auditing easier, such as:

  • Realtime Audit Log viewer to watch user activity as it happens without any delays
  • Built-in support for reverse proxies and web application firewalls more information
  • Limit who can view the security alerts by users and roles
  • Limit who can manage the plugin by users and roles
  • Configurable WordPress dashboard widget highlighting the most recent critical activity
  • Configurable WordPress security alerts pruning rules
  • User role is reported in alerts for a complete overview of what is happening
  • User avatar is reported in the alerts for better recognizability
  • Enable or disable any security alerts

It also has a whole bunch of extensions/add-ons which are mostly paid which allow you to do things like store the log in an external database and generate compliance reports.

Logs Generated

The main purpose of using this, is that it keeps a log of everything happening on your WordPress blog or website and WordPress multisite install. This plugin makes it easier to track suspicious user activity before it becomes a problem or a security issue. A security alert is generated by the plugin when:

  • New user is created via registration or by another user
  • User changes the role, password or other profile settings of another user
  • User on a WordPress multisite network is added or removed from a site
  • User uploads or deletes a file, changes a password or email address
  • User installs, activates, deactivates, upgrades or uninstalls a plugin
  • User creates a new post, page, category or a custom post type
  • User modifies an existing post, page, category or a custom post type
  • User creates, modifies or deletes a custom field from a post, page or custom post type
  • User adds, moves, modifies or deletes a widget
  • User installs or activates a new WordPress theme
  • User changes WordPress settings such as permalinks or administrator notification email
  • WordPress is updated / upgraded
  • Failed login attempts

It also helps with troubleshooting and enables you to quickly pin-point what went down before a problem occured. Very helpful if you support a lot of WordPress customer sites.

You can download WP Security Audit Log latest stable version here:

wp-security-audit-log.latest-stable.zip

Or read more here.


22 October 2015 | 2,875 views

Fitbit Vulnerability Means Your Tracker Could Spread Malware

So it seems there is a Fitbit vulnerability involving the BlueTooth implementation that can be used to embed self replicating malware onto the wearable fitness tracker. I actually own a Fitbit, and have had previous models too, so this is quite interesting to me.

Fitbit Vulnerability Means Your Tracker Could Spread Malware

The malware could spread to your PC/Laptop if you’re using the syncing dongle, or to other Fitbit trackers. From what I’ve read of it though, it’s mostly theoretical. It could work under some circumstances, but there’s no real live code out there infecting Fitbit devices and spreading itself.

A vulnerability in FitBit fitness trackers first reported to the vendor in March could still be exploited by the person you sit next to on a park bench while catching your breath.

The athletic-achievement-accumulating wearables are wide open on their Bluetooth ports, according to research by Fortinet. The attack is quick, and can spread to other computers to which an infected FitBit connects.

Attacks over Bluetooth require an attacker hacker to be within meters of a target device. This malware can be delivered 10 seconds after devices connect, making even fleeting proximity a problem. Testing the success of the hack takes about a minute, although it is unnecessary for the compromise.

Fortinet researcher Axelle Apvrille (@cryptax) told Vulture South that full persistence means it does not matter if the FitBit Flex is restarted; any computer that connects with the wearable can be infected with a backdoor, trojan, or whatever the attacker desires.

“An attacker sends an infected packet to a fitness tracker nearby at bluetooth distance then the rest of the attack occurs by itself, without any special need for the attacker being near,” Apvrille says.

“[When] the victim wishes to synchronise his or her fitness data with FitBit servers to update their profile … the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code.

“From there, it can deliver a specific malicious payload on the laptop, that is, start a backdoor, or have the machine crash [and] can propagate the infection to other trackers (Fitbits).”

It is the first time malware has been viably delivered to fitness trackers.

You can see the video of the PoC here – FitBit malware injection by Axelle Apvrille.

It’s an interesting area for sure, wearable security – along with the whole Internet of Things movement, it could be one the next security/privacy frontiers. Imagine in urban, high density areas, there must be literally thousands of these devices within close proximity to each other.

The rate a real worm could spread, would be quite scary.

The attack vectors are still present. Apvrille warned FitBit in March and says the company considers it a bug which will be squashed at some point.

Apvrille, a respected malware researcher, will offer a proof-of-concept demonstration video at the Hack.Lu conference in Luxembourg tomorrow.

“The video demonstrates that the infection persists over multiple messages,” she says. “Even when I fully reset the connection with the tracker, most of the infected bytes persist, so that means we have enough space to convey a short malicious code.”

Apvrille has pulled off other hacks; she is able to manipulate the number of counted steps and logged distance to earn badges that can be traded in for discounts and prizes.

Those badges can be turned into discounts and gifts through third-party companies such as Higi which in April launched an API to help companies receive health data derived from wearables.

Apvrille has reversed 24 messages from the Fitbit tracker and 20 from the USB Bluetooth dongle as part of the largely ground-up reverse engineering work since the devices are closed-source and do not come with documentation on software internals.

She says communication is over XML and Bluetooth Low Energy while encryption and decryption occurs on the wearable device, and not on the dongle which is “outside of the security boundaries”.

The communications data sets are divided into “mega dumps” that include walking steps and user activity information, and “micro dumps” which relate to pairing, server responses, and device identifiers.

The work adds new information on the low-level software internals of Fitbit to an existing repository of work built by fellow researchers.

It’s a bit sad that Fitbit has known about this since March, but the vector isn’t fixed. They do say they will fix it, but there’s no timeline as to when.

I hope the bad guys don’t pick this up and run with it. I’m personally pretty safe, as there’s a very low penetration of wearables where I am, but it could be terrible for the industry as a whole.

Source: The Register


20 October 2015 | 2,117 views

OWASP WebGoat – Deliberately Insecure Web Application

WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. This program is a demonstration of common server-side application flaws. The exercises are intended to be used by people to learn about application security and penetration testing techniques.

In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.

OWASP WebGoat - Deliberately Insecure Web Application

Why the name “WebGoat”? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? Just blame it on the ‘Goat!

We’ve written about various Vulnerable Web Apps before including those such as:

Mutillidae – Vulnerable Web-Application To Learn Web Hacking
OWASP Bricks – Modular Deliberately Vulnerable Web Application
WackoPicko – Vulnerable Website For Learning & Security Tool Evaluation
Jarlsberg – Learn Web Application Exploits and Defenses
Damn Vulnerable Web App – Learn & Practise Web Hacking

WebGoat for J2EE is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard.

Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised.

All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission. The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security.

What can you learn?

  • Cross-site Scripting (XSS)
  • Access Control
  • Thread Safety
  • Hidden Form Field Manipulation
  • Parameter Manipulation
  • Weak Session Cookies
  • Blind SQL Injection
  • Numeric SQL Injection
  • String SQL Injection
  • Web Services
  • Fail Open Authentication
  • Dangers of HTML Comments
  • … and many more!

Getting Started

It’s easy to get started with WebGoat.

The easiest way is to simply download the WebGoat-6.0.1-war.exec.jar binary and run it with:

Then browse to http://localhost:8080/WebGoat to access the app. Detailed instructions here.

You can download WebGoat 6.0.1 here:

WebGoat-6.0.1-war-exec.jar

Or read more here.


17 October 2015 | 3,409 views

windows-privesc-check – Windows Privilege Escalation Scanner

Windows-privesc-check is standalone executable that runs on Windows systems. It tries to find misconfiguration that could allow local unprivileged users to escalate privileges to other users or to access local applications (e.g. databases).

windows-privesc-check - Windows Privilege Escalation Scanner

Essentially it’s a Windows privilege escalation scanner, the Microsoft side of the World counterpart to unix-privesc-check – which we wrote about a while back.

It is written in Python and converted to an executable using PyInstaller so it can be easily uploaded and run (as opposed to unzipping python + other dependencies). It can run either as a normal user or as Administrator (obviously it does a better job when running as Administrator because it can read more files).

Find Privesc Vectors (as Administrator)

When run with admin rights, windows-privesc-check has full read access to all secureable objects.

This allows it to perform audits for escalation vectors such as:

  • Reconfiguring Windows Services
  • Replacing Service executables if they have weak file permissions
  • Replacing poorly protected .exe or .dll files in %ProgramFiles%
  • Tojaning the %PATH%
  • Maliciously modifying the registry (e.g. RunOnce)
  • Modifying programs on FAT file systems
  • Tampering with running processes

A great many of the privielges escalation vectors checked are simply checks for weak security descriptors on Windows securable objects, when complete a report is generated in HTML, TXT and XML format.

Find Privesc Vectors (as a Low-Privileged User)

An important design goal is that windows-privesc-check can perform as many checks as possible (above) without admin rights. This will make the tool useful to pentesters as well as auditors.

Clearly, low-privileged users are unable to see certain parts of the registry and file system. The tool is therefore inherently less able to identify security weaknesses when run as a low-privileged user.

As above, a report is generated in HTML, TXT and XML format.

Provide Information To Help Compromise A Remote System

Given low-privileged credentials (or perhaps using anonymous access), windows-privesc-check should provide basic information which might help the user compromise the remote system. This might include:

  • Details of poorly configure shares
  • A list of admin-equivalent users
  • Information about its domain membership and the trusts configured for that domain

You can download windows-privesc-check here:

windows-privesc-check-master.zip

Or read more here.


15 October 2015 | 1,942 views

More Drama About Hillary Clinton’s E-mail Leak – VNC & RDP Open

So this Hillary Clinton’s e-mail leak case has been a pretty interesting phenomena to observe and has been going on since last month, we didn’t really cover it as well it mostly concerns US politics – not a huge area of interest for most.

But it’s getting more and more interesting, there was a report that 32,000 of Hillary Clinton’s Email for auction to the highest bidder.

More Drama About Hillary Clinton's E-mail Leak - VNC & RDP Open

But it was rather unsubstantiated. Now it’s getting more and more interesting, seeing as though Hillary used a private e-mail server “for convenience” and this server also had VNC and RDP open to the INTERNET. Yah..

It also includes her using the same e-mail, yes a state department server technically, for personal e-mails.

Not only did Democratic Party presidential hopeful Hillary Clinton run her own email server while at the State Department: someone, presumably her friendly local sysadmin, decided it needed remote desktop protocol (RDP) and desktop sharing code virtual network computing (VNC) exposed to the Internet.

The folks at Associated Press were alerted to the situation by a Serbian geek the newswire hasn’t named, but who ran bulk port-scans that happened to include Hillary’s email server.

The scans came from the anonymous researcher who in 2013 published the white-botnet-driven “Internet census”, AP says.

Scans of a server that identified itself as clintonemail.com in August and December 2012 showed open ports for RDP and VNC. In March 2012, Microsoft warned that RDP was likely to be attacked, and in October of the same year Verizon warned that RDP’s default Port 3389 was among the most-scanned on the Internet.

So yah, apart from running her own e-mail server rather than using government resources or using a more secure, managed e-mail solution like Google Apps, whoever set it up also thought having VNC and RDP open to the Internet was a smart idea.

Or well, more likely they didn’t think about it at all. It was just such a hassle to get into wherever the server was stored, they installed remote access software and enabled it over the public IP.

VPN? What?

The researcher told AP the server also presented VNC to the Internet at large.

The State Department at the time required a waiver for any of its own techs to use remote access tools for systems administration, all the way down to unclassified servers, the AP notes.

There’s also a suggestion that a Web server – probably bundled with whichever operating system distribution clintonemail.com ran – was running, although not in use.

The Internet Census port-scan showed two other devices that had open ports, but those aren’t identified by the newswire. Presumably one of them was a broadband modem – still leaving one mystery device to be identified.

Another interesting story to note is that all the e-mails were backed up to the cloud using a service called Datto Inc:

Unbeknownst to Clinton, IT firm had emails stored on cloud; now in FBI’s hands

And I wonder if their waivers were signed? I somehow doubt protocol was followed in this case, as using a state funded e-mail server for personal e-mails is probably very much against due process.

Now this was a while back, the actual occurrence being in 2012 – but I guess it’s rising back up again now with Hillary vying for the presidency.

Source: The Register


13 October 2015 | 2,387 views

Malheur – Automatic Malware Analysis Tool

Malheur is a automatic malware analysis tool for the automatic analysis of malware behaviour (program behaviour recorded from malicious software in a sandbox environment). It has been designed to support the regular analysis of malicious software and the development of detection and defence measures. Malheur allows for identifying novel classes of malware with similar behaviour and assigning unknown malware to discovered classes.

Malheur - Automatic Malware Analysis Tool

How it Works

Malheur builds on the concept of dynamic analysis: Malware binaries are collected in the wild and executed in a sandbox, where their behavior is monitored during run-time. The execution of each malware binary results in a report of recorded behavior. Malheur analyzes these reports for discovery and discrimination of malware classes using machine learning.

Malheur can be applied to recorded behavior of various format, as long as monitored events are separated by delimiter symbols, for example as in reports generated by the popular malware sandboxes CWSandbox, Anubis, Norman Sandbox and Joebox.

Features

It supports four basic actions for analysis which can be applied to reports of recorded behavior:

  • Extraction of prototypes: From a given set of reports, malheur identifies a subset of prototypes representative for the full data set. The prototypes provide a quick overview of recorded behavior and can be used to guide manual inspection.
  • Clustering of behavior: Malheur automatically identifies groups (clusters) of reports containing similar behavior. Clustering allows for discovering novel classes of malware and provides the basis for crafting specific detection and defense mechanisms, such as anti-virus signatures.
  • Classification of behavior: Based on a set of previously clustered reports, malheur is able to assign unknown behavior to known groups of malware. Classification enables identifying novel and unknown variants of malware and can be used to filter program behavior prior to manual inspection.
  • Incremental analysis: Malheur can be applied incrementally for analysis of large data sets. By processing reports in chunks, the run-time as well as memory requirements can be significantly reduced. This renders long-term application of malheur feasible, for example for daily analysis of incoming malware programs.

You can download Malheur 0.5.4 here:

malheur-0.5.4.zip

Or read more here.


09 October 2015 | 3,621 views

Twittor – Backdoor Using Twitter For Command & Control

Twittor is a stealthy Python based backdoor using Twitter (Direct Messages) as a command and control server. This project has been inspired by Gcat which does the same but using a Gmail account.

Twittor - Backdoor Using Twitter For Command & Control

Setup

For this to work you need:

  • A Twitter account (Use a dedicated account! Do not use your personal one!)
  • Register an app on Twitter with Read, write, and direct messages Access levels.

Install the dependencies:

This repo contains two files:

  • twittor.py which is the client
  • implant.py the actual backdoor to deploy

In both files, edit the access token part and add the ones that you previously generated:

You’re probably going to want to compile implant.py into an executable using Pyinstaller. In order to remove the console when compiling with Pyinstaller, the flags --noconsole --onefile will help. Just saying.

Usage

In order to run the client, launch the script.

You’ll then get into an ‘interactive’ shell which offers few commands that are:

Once you’ve deployed the backdoor on a couple of systems, you can check available clients using the list command:

The output is the MAC address which is used to uniquely identifies the system but also gives you OS information the implant is running on. In that case a Linux box.

Let’s issue a command to an implant:

Here we are telling B7:76:1F:0B:50:B7 to execute cat /etc/passwd, the script then outputs the jobid that we can use to retrieve the output of that command.

You can download Twittor here:

Twittor-master.zip

Or read more here.


08 October 2015 | 2,183 views

Amazon AWS Web Application Firewall (WAF ) Launched

So Amazon is stepping up its security game again, this time with an AWS Web Application Firewall or WAF as they are commonly known. Generally a WAF is designed to protect you against common web threats such as XSS (Cross Site Scripting), SQL Injection, and other common patterns (LFI, RFI etc).

Amazon AWS Web Application Firewall (WAF ) Launched

We have written about one such tool before: Shadow Daemon – Web Application Firewall and now modern versions of nginx come with an option to use naxsi out of the box. Plus the most famous one of all of course, ModSecurity.

As with everything AWS related, it seems rather complex to use, and for every rule you want to add, you have to pay more..so of course – it’s costly.

AWS WAF, launched on the first day of Amazon’s AWS re:Invent 2015 conference, is designed to give users control over the type of traffic that is allowed or not allowed to reach their web applications. By defining Access Control Lists (ACLs), rules, and actions, users can block SQL injection, cross-site scripting (XSS) and other common attack patterns. Rules can also be created for each user’s specific application.

The new security product also includes a full-featured API that can be used to automate the creation, deployment and maintenance of rules.

Jeff Barr, chief evangelist for Amazon Web Services, published a blog post detailing the various AWS WAF concepts, including conditions, rules, web ACLs, and actions.

Barr explained that conditions are designed for inspecting incoming requests. They can analyze the incoming IP address and various parameters of the request, such as URI, query string, HTTP header, and HTTP method.

Rules rely on these conditions to block or allow certain types of requests, while actions dictate the action that is taken when a request matches the conditions in a rule. ACLs reference one or more of these rules and the action that is taken for each of them.

It’s certainly a step in the right direction though, and I’m glad to see Amazon making security easier for people. The more Security as a Service offerings cloud providers have available, the more secure the average web app will become.

Well, that is also depending on a big IF, IF people are willing to pay for such services. I’m sure larger companies already have their own rolled solutions in place, but this might be a great fit for medium sized organizations

The Amazon post about it can be found here: New – AWS WAF

Before the rules and filters are deployed, users need to identify the Amazon CloudFront distribution they want to protect with AWS WAF.

Understanding these concepts is important for calculating the costs of running the service. According to Amazon, there are no minimum charges and pricing is calculated based on the number of defined ACLs and the number of rules deployed for them.

The charge for each ACL is $5 per month, and the charge per rule per ACL per month is $1. The volume of web requests handled by AWS WAF is also charged by Amazon, with $0.60 for every million requests. Amazon has pointed out that there are no additional charges for reusing an ACL across multiple CloudFront distributions.

AWS WAF is not the only security product offered by Amazon to AWS customers. At last year’s re:Invent conference, the company launched three new enterprise security and governance solutions for AWS. In June, Amazon released a new open source implementation of the TLS protocol that the company plans on integrating into several AWS services.

It’ll be interesting to see what the adoption of this is like, we’ll have to wait a couple of weeks I guess before people start writing about the on real World usage (difficulties, effectiveness, cost etc).

I know everyone builds everything on Amazon, so it shouldn’t be long. Apart from me, I’m a weirdo..I use Linode and Digital Ocean.

Source: Security Week


06 October 2015 | 2,116 views

LiME – Linux Memory Extractor

LiMe is a Loadable Kernel Module (LKM) Linux memory extractor which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.

LiME - Linux Memory Extractor

Features

  • Full Android memory acquisition
  • Acquisition over network interface
  • Minimal process footprint

Usage

Detailed documentation on LiME’s usage and internals can be found in the “doc” directory of the project. LiME utilizes the insmod command to load the module, passing required arguments for its execution.

Examples

In this example we use adb to load LiME and then start it with acquisition performed over the network:

Now on the host machine, we can establish the connection and acquire memory using netcat

Acquiring to sdcard

You can download LiMe v1.7.2 here:

LiMe-v1.7.2.zip

Or read more here.