Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

18 June 2015 | 4,819 views

Apple’s Password Storing Keychain Cracked on iOS & OS X

Cybertroopers storming your ship?

And another password shocker, a few days after ‘cloud’ password service LastPass was pretty seriously hacked (yah if you’re using it, change your master password) critical 0-day flaws in Apple’s password storing keychain have been exposed.

Apple's Password Storing Keychain Cracked on iOS & OS X

Which is kinda funny, as after the LastPass hack I saw some people espousing the usage of Apple’s keychain as much more secure. And now, Apple’s keychain cracked – and in a really serious way.

Six university researchers have revealed deadly zero-day flaws in Apple’s iOS and OS X, claiming it is possible to crack Apple’s password-storing keychain, break app sandboxes, and bypass its App Store security checks.

Attackers can steal passwords from installed apps, including the native email client, without being detected, by exploiting these bugs.

The team was able to upload malware to the Apple app store, passing the vetting process without triggering alerts. That malware, when installed on a victim’s device, raided the keychain to steal passwords for services including iCloud and the Mail app, and all those stored within Google Chrome.

Lead researcher Luyi Xing told El Reg he and his team complied with Apple’s request to withhold publication of the research for six months, but had not heard back as of the time of writing.

They say the holes are still present in Apple’s software, meaning their work will likely be consumed by attackers looking to weaponize the work.

Apple was not available for immediate comment.

It’s pretty serious as they managed to bypass the app store vetting and can grab access tokens and data from other apps on the device including high profile apps like Facebook, Evernote and iCloud itself even while sandboxed.

The sad part is, Apple was notified about this 6 months ago and still haven’t fixed it – the only fast moving response came from Google’s Chromium security team who removed keychain integration for Chrome, noting that it could likely not be solved at the application level.

“Recently we discovered a set of surprising security vulnerabilities in Apple’s Mac OS and iOS that allows a malicious app to gain unauthorised access to other apps’ sensitive data such as passwords and tokens for iCloud, Mail app and all web passwords stored by Google Chrome,” Xing told The Register’s security desk.

“Our malicious apps successfully went through Apple’s vetting process and was published on Apple’s Mac app store and iOS app store.

“We completely cracked the keychain service – used to store passwords and other credentials for different Apple apps – and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps.”

The team was able to raid banking credentials from Google Chrome on the latest OS X 10.10.3, using a sandboxed app to steal the system’s keychain data and secret iCloud tokens, and passwords from password vaults.

If any malicious teams are out there using this, it could be really bad – and well if they aren’t already using it my bet is they will be by tomorrow.

I guess it’ll probably be blocked from the app store by then though, now it’s getting widespread media coverage.

You can read the full report, including in-depth technical details here – Unauthorized Cross-App Resource Access on MAC OS X and iOS

Source: The Register

Advertisements



14 June 2015 | 3,039 views

Just-Metadata – Gathers & Analyse IP Address Metadata

Just-Metadata is a tool that can be used to gather IP address metadata passively about a large number of IP addresses, and attempt to extrapolate relationships that might not otherwise be seen. Just-Metadata has “gather” modules which are used to gather metadata about IPs loaded into the framework across multiple resources on the internet. Just-Metadata also has “analysis” modules. These are used to analyze the data loaded Just-Metadata and perform various operations that can identify potential relationships between the loaded systems.

Just-Metadata - Gathers & Analyse IP Address Metadata

Just-Metadata will allow you to quickly find the Top “X” number of states, cities, timezones, etc. that the loaded IP addresses are located in. It will allow you to search for IP addresses by country. You can search all IPs to find which ones are used in callbacks as identified by VirusTotal. Want to see if any IPs loaded have been documented as taking part of attacks via the Animus Project, Just-Metadata can do it.

Additionally, it is easy to create new analysis modules to let people find other relationships between IPs loaded based on the available data. New intel gathering modules can be easily added in just as easily.

Features

Just-Metadata gathers various publicly available IP address metadata such as:

  • Geo-location information
    • Country
    • City
    • Timezone
    • GPS Coordinates
  • ISP
  • Is it a known attacker documented by the Animus Project?
  • Do the attacking IP addresses share any common traits
    • SSH Keys
    • HTTPS Certificates
    • Certificate Chains
  • What common ports are open across the attacking IPs?
  • Are any of the IPs known by VirusTotal?
  • Shodan information (Ports, keys, certificates, etc.)

Requirements

Ideally, you should be able to run the setup script, and it will install everything you need.

For the Shodan information gathering module, YOU WILL NEED a Shodan API key. This costs like $9 bucks, come on now, it’s worth it :).

I’ll be looking forwards to future versions with cli based input and output for scripting and chaining this with other tools, with a bit of data crunching and pattern matching/machine learning it could be turned into a fairly intelligent attack pre-warning system.

You can download Just-Metadata v1.0 here:

Just-Metadata-1.0.zip

Or read more here.


11 June 2015 | 1,909 views

Agile Security – How Does It Fit Into A World Of Continuous Delivery

So, Agile Security? How does it fit into the new age of rapid iteration, continuous integration and continuous development? It’s an interesting discussion and personally very on point for me as I operate in an agile organisation and just today took (and passed yay me) my Scrum Master certification.

The traditional silo approach of security is already breaking down as in smaller organisations it was typically part of the ops team, and with the whole DevOps movement, infrastructure as code and CI/CD – that silo is already getting busted up.

Agile Security - How Does It Fit Into A World Of Continuous Delivery

And I have to agree, the next silo to combust will be security – it has to adapt, become more agile and more integrated into the development flow from the beginning.

Continuous delivery of software and applications is one of the most significant advancements that has taken place in the computing industry in the past 25 years. It is catching on so fast that you can now hear the death rattle of the 18-month software delivery cycle. The rise of cloud computing infrastructures — both in corporate data centers and infrastructure-as-as-service providers (IaaS) such as Amazon Web Services (AWS) — is powered by agile software development teams using orchestration tools like Puppet and Chef to decouple application development from the infrastructure, adding speed and agility to the enterprise.

Just as enterprise computing is having its DevOps moment, though, much of the security profession has woken up to the fact they are mired in the traditional infrastructure and silo approach. When everything in computing is dynamic, distributed, heterogeneous, and hybrid (i.e., alive), security that is bonded to static infrastructures like the network — an architecture based on hierarchies and chokepoints — appears out of sync with the new reality. If you are a security professional, continuous delivery and agile development is your future.

Consider the traditional approach to securing applications. Development creates a new app and then passes it over to the infrastructure team, which then onboards it to server, storage, and networking platforms. When that is complete, the security team comes in to protect it so employees, partners, suppliers, and customers can use it securely.

Waterfall is dying off, I mean it’s still ok for simple projects with few changes (low complexity) but for the real world, agile is SO much better at adapting to change and building relevant, high quality software which delivers maximum value to the business.

So security needs to get out of the oldskool models of being an after-thought, or an entire separate “ops” stage like architecture, infrastructure and deployment used to be.

For security to flourish in the age of continuous delivery, it must meet the following requirements:

1. Security policy must be embedded into the application development cycle at inception. This means developers must co-join with infrastructure and security teams to create and instrument policy when they are creating new apps. Just as continuous delivery dissolves the barriers between developers and infrastructure, security will be the next silo to go.

2. Enforcement of security policies must move and adapt with the continuous delivery approach. If new applications are moved between private clouds and IaaS environments, security must move with the applications.

3. Thus, security must be decoupled from infrastructure to support the distributed and fluid nature of continuous, on-demand applications and supporting infrastructures. This provides an added benefit of being able to dynamically add resources on-demand, including security

4. Finally, as Gartner notes, security must offer detective, preventive, responsive, and predictive capabilities that adapt with changes in the threat environment and provide transparency to the various IT constituencies involved.

So what do we do? What’s the way forwards? I’m personally a huge fan of tools like Code Climate which perform static analysis on every commit to your Github repo, it actually uses Brakeman for Ruby security for example and it’s all integrated so it works brilliantly in an agile development flow.

This pushes basic security responsibility to the developers and couples it with code quality, style and test coverage.

There’s much more than this we can do, but it’s a whole new movement I guess – exciting times ahead.

Source: Security Week


09 June 2015 | 3,578 views

Patator – Multi-threaded Service & URL Brute Forcing Tool

Patator is an extremely flexible, module, multi-threaded, multi-purpose service & URL brute forcing tool written in Python that can be used in many ways. Basically the author got tired of using Medusa, Hydra, ncrack, metasploit auxiliary modules, nmap NSE scripts and the like because:

  • They either do not work or are not reliable (got me false negatives several times in the past)
  • They are not flexible enough (how to iterate over all wordlists, fuzz any module parameter)
  • They lack useful features (display progress or pause during execution)

Patator - Multi-threaded Service & URL Brute Forcing Tool

Features

Basically you should give Patator a try once you get disappointed by Medusa, Hydra or other brute-force tools and are about to code your own small script because Patator does the following:

  1. No false negatives, as it is the user that decides what results to ignore based on the status code of the response, the size of the response and/or matching strings/regex
  2. Modular Design (not limited to network modules, e.g. unzip_pass)
  3. Interactive runtime (shows progress, pause/unpause)
  4. Use persistent connections
  5. Multi-threaded
  6. Flexible user input (any module parameter can be fuzzed)
  7. Save every response (along with the request) to separate log files for later review.

Modules

  • ftp_login : Brute-force FTP
  • ssh_login : Brute-force SSH
  • telnet_login : Brute-force Telnet
  • smtp_login : Brute-force SMTP
  • smtp_vrfy : Enumerate valid users using the SMTP VRFY command
  • smtp_rcpt : Enumerate valid users using the SMTP RCPT TO command
  • finger_lookup : Enumerate valid users using Finger
  • http_fuzz : Brute-force HTTP/HTTPS
  • pop_login : Brute-force POP
  • pop_passd : Brute-force poppassd (not POP3)
  • imap_login : Brute-force IMAP
  • ldap_login : Brute-force LDAP
  • smb_login : Brute-force SMB
  • smb_lookupsid : Brute-force SMB SID-lookup
  • rlogin_login : Brute-force rlogin
  • vmauthd_login : Brute-force VMware Authentication Daemon
  • mssql_login : Brute-force MSSQL
  • oracle_login : Brute-force Oracle
  • mysql_login : Brute-force MySQL
  • mysql_query : Brute-force MySQL queries
  • pgsql_login : Brute-force PostgreSQL
  • vnc_login : Brute-force VNC
  • dns_forward : Brute-force DNS
  • dns_reverse : Brute-force DNS (reverse lookup subnets)
  • ike_enum : Enumerate IKE transforms
  • snmp_login : Brute-force SNMPv1/2 and SNMPv3
  • unzip_pass : Brute-force the password of encrypted ZIP files
  • keystore_pass : Brute-force the password of Java keystore files
  • umbraco_crack : Crack Umbraco HMAC-SHA1 password hashes

Patator is NOT script-kiddie friendly, please read the README inside patator.py before reporting/complaining/asking how to use this tool..

You can download Patator v0.6 here:

patator-0.6.zip

Or read more here.


06 June 2015 | 2,676 views

Shadow Daemon – Web Application Firewall

Shadow Daemon is a collection of tools to detect, protocol and prevent attacks on web applications. Technically speaking, Shadow Daemon is a web application firewall that intercepts requests and filters out malicious parameters. It is a modular system that separates web application, analysis and interface to increase security, flexibility and expandability.

Shadow Daemon - Web Application Firewall

Shadow Daemon is easy to install and can be managed with a clear and structured web interface. The interface lets you examine attacks in great detail. If you just want to protect your site, but otherwise do not care about attacks you can forget about the web interface once Shadow Daemon is installed and configured. The interface also comes with shell scripts that can be used to send weekly reports via e-mail, rotate the logs and the like.

Language Connectors

Shadow Daemon strives to be a single solution for all popular web languages. At the moment the following programming languages are supported:

  • PHP
  • Perl
  • Python

Accurate Detection

Shadow Daemon combines white and blacklisting to accurately detect malicious requests. The blacklist makes use of sophisticated regular expressions to search for known attack patterns in the user input. The whitelist on the other hand searches for irregularities in the user input based on strict rules that define how the input should look like. Together they can detect almost any attack on a web application and still have a very low false-positive rate.

Shadow Daemon is able to detect common attacks like:

  • SQL Injections
  • XML Injections
  • Code Injections
  • Command Injections
  • Cross-Site Scripting
  • Local/Remote File Inclusions
  • Backdoor Access

Discreet Protection

Unlike many other web application firewalls Shadow Daemon does not completely block malicious requests. Instead it only filters out the dangerous parts of a request and lets it proceed afterwards. This makes attacks impossible, but does not unnecessary frustrate visitors in the case of false-positives.

Secure Architecture

Shadow Daemon is closer to the application than most other web application firewalls. It receives exactly the same input that the web application receives and thus it is almost impossible to bypass the detection by obfuscating the attack. However, the most complex parts of Shadow Daemon are separated from the web application to guarantee a certain standard of security.

You can get Shadow Daemon here:

Debian/Ubuntu

Download here.

or

Red Hat / CentOS / Fedora

Download here.

Or read more here.


04 June 2015 | 3,101 views

OpenSSH On Windows – It’s Happening!

So it seems like getting rid of Ballmer was the best thing Microsoft has done in years, Satya is definitely pushing them in a much more positive direction with a focus on Azure and open sourcing technology and moves like this OpenSSH on Windows!

A real show of support for open source technology and a commitment to making Windows servers more technologically relevant.

OpenSSH On Windows - It's Happening!

There have long been 3rd integrations with Windows to provide SSH support, but it’s good to finally a see real commitment by Microsoft themselves to do encrypted remote access the right way.

Microsoft has finally decided to add support for SSH to PowerShell, allowing people to log into Windows systems and use software remotely over an encrypted connection.

Users of Linux, the BSDs, and other operating systems, will know all about OpenSSH and its usefulness in connecting machines in a secure way to execute commands and transfer data. And soon Windows PowerShell – the command-line shell and scripting language – can be used over SSH, we’re told.

“The PowerShell team [will] adopt an industry-proven solution while providing tight integration with Windows; a solution that Microsoft will deliver in Windows while working closely with experts across the planet to build it,” wrote Microsoft group software engineering manager Angel Calvo.

“I’m pleased to announce that the PowerShell team will support and contribute to the OpenSSH community.”

PowerShell’s SSH support will allow users to “interoperate between Windows and Linux – both Linux connecting to and managing Windows via SSH and, vice versa, Windows connecting to and managing Linux via SSH.”

This brings in a whole new era of monitoring and automation for Windows DevOps guys, more integration with Linux tools and easier deployment etc as pretty much everything already supports SSH.

In many environments the use of a 3rd party SSH server would be prohibited (against service contracts etc) so the fact it’s going to be ‘officially’ part of Windows going forwards is great.

This isn’t the first time Microsofties have tried to adopt SSH for Windows. Engineers at Redmond giant say they had tried on two separate occasions to allow the secure protocol to be used within Windows, attempts that were struck down by leadership.

Third-party SSH tools have been available on Windows for years, but this announcement is effectively Microsoft’s official endorsement of the open-source technology.

The change in policy has been linked directly to changes at the top of Microsoft – the departure of Steve Ballmer as CEO and the rise of Satya Nadella, a move that MS employees say brought a change in culture and perspective in Redmond.

“Given our changes in leadership and culture, we decided to give it another try and this time, because we are able to show the clear and compelling customer value, the company is very supportive,” Calvo wrote.

“So I want to take a minute and thank all of you in the community who have been clearly and articulately making the case for why and how we should support SSH! Your voices matter and we do listen.”

Well, they listen now that Ballmer is out of the picture.

There’s no time-line for release of this right now, I wonder if it’s something that will come out with Windows 10? Or something they are only just starting to work on now?

Either way it’s definitely a positive move and I hope to see more industry standards infiltrate the Microsoft ecosystem and the era of proprietary technologies for remote control, network stacks and so on die off.

Source: The Register


31 May 2015 | 2,825 views

OWASP Zed Attack Proxy – Integrated Penetration Testing Tool

The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox.

With its automated scanner and powerful REST API, ZAP fits seamlessly into your continuous integration environment, allowing you to automate the finding of common issues while you’re still in development.

OWASP Zed Attack Proxy Version - Integrated Penetration Testing Tool

It’s classified as a flagship project for OWASP meaning it’s mature and has demonstrated strategic value to OWASP and application security as a whole. It’s also fully translated into 25 different languages, which is more than a lot of commercial/enterprise tools.

Alternatives to ZAP would be:

Fiddler – Web Debugging Proxy For HTTP(S)
Burp Suite Free Edition v1.4 – Web Application Security Testing Tool
Charles Web Debugging Proxy – HTTP Monitor & Reverse Proxy

We have written about ZAP before, when it first hit v1.0 back in 2010 and again when they had a major update in 2011.

Features

  • Open source
  • Cross platform
  • Easy to install
  • Completely free
  • Ease of use a priority
  • Comprehensive help pages
  • Fully internationalized
  • Translated into a dozen languages
  • Community based, with involvement actively encouraged
  • Under active development by an international team of volunteers

Functionality

  • Intercepting proxy
  • Traditional and AJAX spiders
  • Active scanner
  • Passive scanner
  • Forced Browsing
  • Fuzzer
  • Dynamic SSL certificates
  • Smart card support
  • Web sockets support
  • Authentication and session support
  • Powerful REST based API
  • Support for a wide range of scripting languages
  • Automatic updating option
  • Integrated and growing marketplace of add-ons

When used as a proxy server it allows the user to manipulate all of the traffic that passes through it, including traffic using https. It can also run in a ‘daemon’ mode which is then controlled via a REST Application programming interface.

This cross-platform tool is written in Java and is available in all of the popular operating systems including Microsoft Windows, Linux and Mac OS X.

You can download ZAP here:

Windows – ZAP_2.4.0_Windows.exe
Linux – ZAP_2.4.0_Linux.tar.gz
Mac OS X – ZAP_2.4.0_Mac_OS_X.dmg

There is also a Docker image available here.

Or read more here.


28 May 2015 | 1,129 views

IRS Was Not Hacked – Taxpayer Data Stolen For 100,000 People

So the IRS was not hacked – as many media outlets are claiming. Was taxpayer data stolen from IRS systems? Yes, did it involve any kind of hack (by any definition) – no.

There was no intrusion, there was some clever phishing, data slurping and brute forcing – of people who already had their data stolen it’s important to note.

IRS Was Not Hacked - Taxpayer Data Stolen For 100,000 People

It seems the biggest leak was of tax returns and the illegal access is to bolster the stolen identities of folks who had already been compromised by some other means.

The US Internal Revenue Service said on Tuesday that info including tax returns and income forms for some 100,000 people were illegally accessed this year.

The US tax agency believes a group collected a trove of information on the victims and then used that data to fill out the authentication forms for the IRS’s online “Get Transcript” feature, which allows taxpayers to access past tax records.

To say that the IRS itself was “hacked” – as some journos squawked today – is more than a stretch. The criminals did not compromise any IRS servers or exploit technical glitches in the Get Transcript feature. Rather, they gathered an obscene amount of personal data from their victims via other means, and then typed that data to the IRS site.

“Third parties succeeded in clearing a multi-step authentication process that required prior personal knowledge about the taxpayer, including Social Security information, date of birth, tax filing status and street address before accessing IRS systems,” the IRS told The Reg in an emailed statement.

“The multi-layer process also requires an additional step, where applicants must correctly answer several personal identity verification questions that typically are only known by the taxpayer.”

According to the IRS, the data theft operation ran from February through mid-May, when the activity was detected. In total, the IRS said 200,000 attempts to access personal information were made from “questionable” email accounts, about half of which resulted in successfully accessing the Get Transcript function.

The one thing that surprises me is that so many bogus requests were not detected earlier, as I’m pretty sure a lot of questions were answered wrongly and retried possibly multiple times.

Perhaps the attackers were very smart though and used different IP addresses, different browser agents, different submission timings etc. And not noticing 200,000 illicit requests from “questionable” e-mail addresses – that seems kinda lackadaisical.

It is not known how the personal information used to fill out the transcript requests was gathered, or from where.

“The matter is under continuing review by the Treasury Inspector General for Tax Administration and IRS offices, including Criminal Investigation,” the IRS said. “The IRS notes this issue does not involve its main computer system that handles tax filing submission; that system remains secure.”

The IRS has shut down the Get Transcript portal until further notice. The tax authority will also provide free credit monitoring services to those who were affected by the illegal access – and given the nature of the data required for access, they’ll need it.

When your Social Security Number, date of birth, marital state, home address, and enough personal background to answer a handful of verification questions has been taken by an identity thief, you probably have other things to worry about than whether they view your 1040EZ.

Again, we would advise those not affected not to panic over any sensationalist “IRS has been hacked!” headlines currently floating around news and social media. This was not a breach of any IRS systems, but rather what appears to be the result of some very extensive phishing/data harvesting from 100,000 unlucky individuals.

So yah to summarise it’s not a hack, but it does expose some weakness in the IRS Get Transcript service and due to that, they’ve disabled it at the moment.

But as the article mentions, if the attackers already had that much information on you (SSN, address, personal information) – them getting access to your historical tax returns is the least of your worries.

Source: The Register


26 May 2015 | 1,557 views

zzuf – Multi-Purpose Application Input Fuzzing Tool

zzuf is a transparent application input fuzzing tool or fuzzer. Its purpose is to find bugs in applications by corrupting their user-contributed data (which more than often comes from untrusted sources on the Internet). It works by intercepting file and network operations and changing random bits in the program’s input.

zzuf’s behaviour is deterministic, making it easier to reproduce bugs.

zzuf - Multi-Purpose Application Input Fuzzing Tool

Its main areas of use are:

  • quality assurance: use zzuf to test existing software, or integrate it into your own software’s testsuite
  • security: very often, segmentation faults or memory corruption issues mean a potential security hole, zzuf helps exposing some of them
  • code coverage analysis: use zzuf to maximise code coverage

zzuf’s primary target is media players, image viewers and web browsers, because the data they process is inherently insecure, but it was also successfully used to find bugs in system utilities such as objdump.

zzuf is not rocket science: the idea of fuzzing input data is barely new, but zzuf’s main purpose is to make things easier and automated.

You can download zzuf here:

Mac OS X universal binary: zzuf-osx-0.13.tar.gz
Latest Source from Github: master.zip

Or read more here.


22 May 2015 | 4,821 views

Web Security Dojo 2.0 – Self-Contained Web Hacking Training

Web Security Dojo is a free open-source self-contained web hacking training environment for Web Application Security penetration testing. Tools + Targets = Dojo

Web Security Dojo 2.0 - Self-Contained Web Hacking Training

What?

Various web application security testing tools and vulnerable web applications were added to a clean install of xubuntu 12.04. Build scripts are available in git at Sourceforge.

Targets include:

Why?

The Web Security Dojo is for learning and practising web app security testing techniques. It is ideal for self-teaching and skill assessment, as well as training classes and conferences since it does not need a network connection since it contains both tools and targets. Also, this removes the possibility of remote attack on the targets, which are insecure by design. The Dojo contains everything needed to get started – tools, targets, and documentation.

Tools included (starred = new this version):

You can download Web Security Dojo v2.0 here:

Web_Security_Dojo-2.0.ova

Or read more here.