Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

04 December 2014 | 4,491 views

Sony Pictures Hacked – Employee Details & Movies Leaked

Cyber Raptors Hunting Your Data?

Sony hasn’t always had the best of times when it comes to being hacked, back in 2011 Sony basically had to rebuild the PlayStation Network (PSN) because of a hack which rendered the service off-line for almost a whole week.

Plus the fact the PSN hack could have leaked up to 10 million user accounts which included credit card details. And again in 2011 they lost 25 Million Customer Account Details Through SOE (Sony Online Entertainment).

Sony Pictures Hacked - Employee Details Leaked

The hack was so bad, it basically shut down Sony Pictures – the above picture is a photo of a desktop in the Sony Pictures office and apparently all computers were showing this. Similar images came from various sources in different offices showing that this is indeed a seriously pervasive attack.

If you downloaded the archive from the URLs in the pictures, it contains text files which are basically HUGE lists of filenames, files that have leaked from Sony servers. And there’s some serious stuff in there including Hollywood stars passport scans, ppk files (SSH private keys), password lists and much much more.

There’s some discussion on the contents and analyse on Reddit here: I used to work for Sony Pictures.

The password lists/SSH keys also led to the compromise of many more related services and accounts (many film related Twitter accounts were hacked).

Sony Pictures is investigating a breach that has seen hackers supposedly steal reams of internal data and splash defacements across staff computers. The company is now in lock-down as it wrestles with the problem.

The beleaguered company, writes Variety, has requested staff disconnect their computers and personal devices from the Sony network and shut down virtual private networks.

Cracking group Guardians of Peace claimed responsibility for a defacement appearing on staff machines that it stole internal corporate data. The group says it will leak more details to the public web depending on what Sony ‘decided’ in what appeared to be a reference to demands quietly sent to the company earlier.

Source: The Register

Sony Pictures e-mail servers were still totally off-line the day after the attack and they made a statement saying it could take between 1-3 weeks to rectify the matter.

It seems like the attackers are really leaking the files they stole too as details of Sony employees were leaked including personal details and salaries.

It’s getting worse for Sony: the latest dump from the raid that’s brought the company to an IT standstill include the personal detas of staff.

Documents leaked through BitTorrent show the names, home addresses, salaries (and bonuses), and social security numbers of thousands of staff, including executives.

Sony Pictures Entertainment could not be reached for comment by the time of writing.

Some 17 executives, from programming to advertising, were listed as having salaries over US$1 million. Severance pays also appeared to be listed.

Source: The Register

It’s 8 days since the attack and Sony Pictures is still struggling to recover, it also seems like some unreleased movies might (including Annie) have been leaked during the compromise.

Sony, the studio behind “The Amazing Spider-Man” films and the “Breaking Bad” television series, restarted many of its computer systems on Monday after a Nov. 24 breach by a group calling itself #GOP, for Guardians of Peace. Executives at the entertainment company said they were also making progress in fighting the apparently related Internet pirating of five complete films, including the unreleased “Annie.”

Source: New York Times

The virus was pretty nasty and wiped all the machines + removed the master boot record rendering most of Sony’s Microsoft based desktops useless. There are some suspicions North Korea could be involved due to the malware used.

Back in August Sony was under attack by a massive DDoS attack aimed at PSN, and then just as they recovered – this.

The latest details to pop-up are that the leaked data dump is being seeded by a bunch of Amazon EC2 servers that host Sony PlayStation websites..which is odd, as the Sony Pictures network and the Sony PlayStation network should be totally separate.

Sony PlayStation website servers were used to distribute a 27.78GB archive potentially containing sensitive data swiped from Sony Pictures computers, it’s claimed.

Until early on Tuesday afternoon, San Francisco time, more than 60 systems seeding the archive on the BitTorrent network appeared to be virtual servers in the Amazon EC2 cloud, according to security researcher Dan Tentler.

A number of those fingered server instances – eg, 54.77.62.39 – are also serving websites for Sony Computer Entertainment. The EC2 instances serving up the data were checked by another researcher, who found some had SSL certificates signed by Sony.

Source: The Register

This is quite possibly the worst hack of a major US company ever perpetrated, especially in terms of business disruption and data loss – the financial implications of this could be HUGE. Especially for their biggest Christmas movie Annie.

I’m sure we’re going to see more data dumps dropping in the next week or so, it’s certainly an interesting case and it’s definitely not over yet.

Advertisements



02 December 2014 | 2,437 views

Gruyere – Learn Web Application Exploits & Defenses

This codelab is built around Gruyere – a small, cheesy web application that allows its users to publish snippets of text and store assorted files. “Unfortunately,” Gruyere has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution. The goal of this codelab is to guide you through discovering some of these bugs and learning ways to fix them both in Gruyere and in general, it’s a great way to learn web application exploits & defenses.

Gruyere - Learn Web Application Exploits & Defenses

The codelab is organized by types of vulnerabilities. In each section, you’ll find a brief description of a vulnerability and a task to find an instance of that vulnerability in Gruyere. Your job is to play the role of a malicious hacker and find and exploit the security bugs. In this codelab, you’ll use both black-box hacking and white-box hacking. In black box hacking, you try to find security bugs by experimenting with the application and manipulating input fields and URL parameters, trying to cause application errors, and looking at the HTTP requests and responses to guess server behavior. You do not have access to the source code, although understanding how to view source and being able to view http headers (as you can in Chrome or LiveHTTPHeaders for Firefox) is valuable.

Using a web proxy like Burp or WebScarab may be helpful in creating or modifying requests. In white-box hacking, you have access to the source code and can use automated or manual analysis to identify bugs. You can treat Gruyere as if it’s open source: you can read through the source code to try to find bugs.

Gruyere is written in Python, so some familiarity with Python can be helpful. However, the security vulnerabilities covered are not Python-specific and you can do most of the lab without even looking at the code. You can run a local instance of Gruyere to assist in your hacking: for example, you can create an administrator account on your local instance to learn how administrative features work and then apply that knowledge to the instance you want to hack. Security researchers use both hacking techniques, often in combination, in real life.

If you want to find more similar apps, you can do so here: Vulnerable Web Applications.

Exploits Available

There is a good variety of stuff to learn in Gruyere including:

  • Cross-Site Scripting (XSS)
  • Client-state Manipulation
  • Cross-Site Request Forgery (XSRF)
  • Cross Site Script Inclusion (XSSI)
  • Path Traversal
  • Denial of Service (DoS)
  • Code Execution
  • Configuration Vulnerabilities
  • AJAX Vulnerabilites

It doesn’t cover SQL Injection as it doesn’t use SQL.

Or you can download Gruyere here:

gruyere-code.zip

Or read more here.

Was previously known as Jarlsberg.


29 November 2014 | 3,939 views

isowall – Completely Isolate A Device From The Local Network

Isowall is a mini-firewall that allows you to completely isolate a device from the local network. This is for allowing infected machines Internet access, but without endangering the local network.

isowall - Completely Isolate A Device From The Local Network

Building

This project depends upon libpcap, and of course a C compiler.

On Debian, the following should work:

This will put the binary isowall in the local isowall/bin directory.

This should also work on Windows, Mac OS X, xBSD, and pretty much any operating system that supports libpcap.

Running

First, setup a machine with three network interfaces.

The first network interface (like eth0) will be configured as normal, with a TCP/IP stack, so that you can SSH to it.

The other two network interfaces should have no TCP/IP stack, no IP address, no anything. This is the most important configuration step, and the most common thing you’ll get wrong. For example, the DHCP software on the box may be configured to automatically send out DHCP requests on these additional interfaces. You have to go fix that so nothing is bound to these interfaces.

To run, simply type:

Configuration

The following shows a typical configuration file

You can download isowall here:

master.zip

Or read more here – the author can be found on Twitter here @erratarob.


27 November 2014 | 3,292 views

Bitcoin Not That Anonymous Afterall

One of the big advantages touted by Bitcoin (and other cryptocurrencies) was always the anonymity of the transactions, yes you can track a wallet address and see the transaction history. But there’s no real way to link that wallet address to a real person (so we thought).

I mean other than any leaky fiat exchange process (most of which do require proper registration using passport/ID etc), but now it seems there is a way.

Bitcoin Not That Anonymous Afterall

It seems like 11% of Bitcoin transactions can be ‘unmasked’ fairly easily, without any sign that it’s happening. Unmasking in this context meaning linking the transaction in the blockchain to a public IP address.

The cyber-libertarian poster-child Bitcoin, meant to usher in a new age of anonymous transactions, is rubbish at protecting users’ IP addresses according to research from the University of Luxembourg.

In this Association of Computing Machinery (ACM) conference paper by Alex Biryukov, Dmitry Khovratovich and Ivan Pustogarov of the Laboratory of Algorithmics, Cryptology and Security, “few computers” and a budget of €1,500 per for servers and traffic charges should be enough to start unmasking users’ addresses with as much as 60 per cent accuracy.

If an attacker needed to be stealthy, their success rate would drop to 11 per cent.

In what they call “a generic method to deanonymise a significant fraction of Bitcoin users and correlate their pseudonyms with public IP addresses”, the authors say clients can be uniquely identified by their “entry nodes”, and that these identify the origin of the transaction.

With a small amount of resources (in terms of servers, storage and bandwidth) the attacker (or in this case, researcher) can unmask up to 60% of user IP addresses using entry nodes.

Obviously using something like TOR could protect against this, but even then they can reject TOR connections (But that’s very likely to be noticed in this privacy sensitive part of the Internet).

“In a concrete example, an attacker with a few GB of storage and no more than 50 connections to each Bitcoin server can disclose the sender’s IP address in 11 per cent of all transactions generated in the Bitcoin network”, the paper claims.

Even more scary: the boffins reckon they can identify users behind NAT firewalls – and think their attack could be extended to other P2P networks.

The key phase of the researchers’ attack includes four steps:

  • Getting a list of Bitcoin servers using the GETADDR message and working out if the responder is a server using the ADDR response and sending it a VERSION message;
  • Building a list of nodes as targets for deanonymisation;
  • Mapping clients to entry nodes; and
  • Mapping transactions to entry nodes.

The paper notes that TOR would protect against this, but that, too, can be defeated if the attacker is willing to take a risk: Bitcoin servers can be prohibited from accepting TOR connections, but refusing those connections would be noticed.

Also likely to be noticed: to get their 60 per cent deanonymisation rate, the attackers noted, required “a slight DoS of the network”.

On a positive note (if you’re a cryptocurrency fan), is that this shows that Bitcoin is gaining traction with academics spending their effort looking into it. I’m glad these kind of issues are being uncovered, I just hope they get addressed by the core dev team.

Interesting times ahead I reckon.

Source: The Register


25 November 2014 | 4,131 views

LinEnum – Linux Enumeration & Privilege Escalation Tool

LinEnum will automate many Local Linux Enumeration & Privilege Escalation checks documented in this cheat sheet. It’s a very basic shell script that performs over 65 checks, getting anything from kernel information to locating possible escalation points such as potentially useful SUID/GUID files and Sudo/rhost mis-configurations and more.

An additional ‘extra’ feature is that the script will also use a provided keyword to search through *.conf and *.log files. Any matches will be displayed along with the full file path and line number on which the keyword was identified.

LinEnum - Linux Enumeration & Privilege Escalation Tool

After the scan has completed (please be aware that it make take some time) you’ll be presented with (possibly quite extensive) output, to which any key findings will be highlighted in yellow with everything else documented under the relevant headings.

Usage

Checks/Tasks Performed

  • Kernel and distribution release details
  • System Information:
    • Hostname
    • Networking details:
    • Current IP
    • Default route details
    • DNS server information
  • User Information:
    • Current user details
    • Last logged on users
    • List all users including uid/gid information
    • List root accounts
    • Extracts password policies and hash storage method information
    • Checks umask value
    • Checks if password hashes are stored in /etc/passwd
    • Extract full details for ‘default’ uid’s such as 0, 1000, 1001 etc
    • Attempt to read restricted files i.e. /etc/shadow
    • List current users history files (i.e .bash_history, .nano_history etc.)
    • Basic SSH checks
  • Privileged access:
    • Determine if /etc/sudoers is accessible
    • Determine if the current user has Sudo access without a password
    • Are known ‘good’ breakout binaries available via Sudo (i.e. nmap, vim etc.)
    • Is root’s home directory accessible
    • List permissions for /home/
  • Environmental:
    • Display current $PATH
  • Jobs/Tasks:
    • List all cron jobs
    • Locate all world-writable cron jobs
    • Locate cron jobs owned by other users of the system
  • Services:
    • List network connections (TCP & UDP)
    • List running processes
    • Lookup and list process binaries and associated permissions
    • List inetd.conf/xined.conf contents and associated binary file permissions
    • List init.d binary permissions
  • Version Information (of the following):
    • Sudo
    • MYSQL
    • Postgres
    • Apache
    • Checks user config
  • Default/Weak Credentials:
    • Checks for default/weak Postgres accounts
    • Checks for default/weak MYSQL accounts
  • Searches:
    • Locate all SUID/GUID files
    • Locate all world-writable SUID/GUID files
    • Locate all SUID/GUID files owned by root
    • Locate ‘interesting’ SUID/GUID files (i.e. nmap, vim etc)
    • List all world-writable files
    • Find/list all accessible *.plan files and display contents
    • Find/list all accessible *.rhosts files and display contents
    • Show NFS server details
    • Locate *.conf and *.log files containing keyword supplied at script runtime
    • List all *.conf files located in /etc
    • Locate mail

You can download LinEnum v0.5 here:

master.zip

Or read more here.


22 November 2014 | 2,067 views

Critical XSS Flaw Affects WordPress 3.9.2 And Earlier

So it’s been a while since we’ve talked about any flaws in WordPress – because usually they are pretty dull and require such an obscure set of circumstances, that they are unlikely to ever occur in the wild.

The most recent time was this year actually, but was a DoS attack, which is not THAT damaging – XML Quadratic Blowup Attack Blows Up WordPress & Drupal.

Critical XSS Flaw Affects WordPress 3.9.2 And Earlier

But this, this time it’s different – this one is pretty seriously. Fortunately it’s not a vulnerability in the latest version of WordPress (4.0) but only affects those people still sticking to the latest version on the 3.x branch (3.9.2 or below).

New security updates released for the WordPress content management system and one of its popular plug-ins fix cross-site scripting (XSS) vulnerabilities that could allow attackers to take control of websites.

The WordPress development team released Thursday WordPress 4.0.1, 3.9.3, 3.8.5 and 3.7.5 as critical security updates. The 3.9.3, 3.8.5 and 3.7.5 updates address an XSS vulnerability in the comment boxes of WordPress posts and pages. An attacker could exploit this flaw to create comments with malicious JavaScript code embedded in them that would get executed by the browsers of users seeing those comments.

“In the most obvious scenario the attacker leaves a comment containing the JavaScript and some links in order to put the comment in the moderation queue,” said Jouko Pynnonen, the security researcher who found the flaw, in an advisory. “When a blog administrator goes to the Dashboard/Comments section to review new comments, the JavaScript gets executed. The script can then perform operations with administrator privileges.”

Such a rogue operation can be the creation of a second WordPress administrator account with an attacker-specified password. What makes things worse is that the flaw can typically be exploited without authentication, because the action of posting a comment on a WordPress blog does not require an account by default.

Still, if a blog is using 3.9.2 and has anonymous commenting enabled (which most do) then a malicious user could execute JavaScript as you (the admin) by utilising this exploit.

Obviously if you’ve gone the ‘cloud’ way and don’t allow ANY user input at all, and are using only Facebook Comments/Disqus/LiveFyre etc then you are safe.

The comment XSS vulnerability only affects WordPress 3.9.2 and earlier versions, not WordPress 4.0. However, the 4.0.1 update, as well as the 3.x ones, also address three other XSS flaws that can be used to compromise WordPress sites if the attacker has access to a contributor or author account on them.

The new releases also fix a cross-site request forgery flaw that could be used to trick a user into changing their password, as well as a denial-of-service issue.

Separately, the developers of WP-Statistics, a WordPress plug-in that gathers and displays visitor statistics, issued an update to fix a high-risk XSS flaw that’s similar to the ones fixed in the content management system itself.

“The plugin fails to properly sanitize some of the data it gathers for statistical purposes, which are controlled by the website’s visitors,” said Marc-Alexandre Montpas, a researcher at Web security firm Sucuri, in a blog post. “If an attacker decided to put malicious Javascript code in the affected parameter, it would be saved in the database and printed as-is in the administrative panel, forcing the victim’s browser to perform background tasks on its behalf.”

The Sucuri researchers were able to leverage the flaw to create a new admin account on a test site.

As a side note, there is also a similar vulnerability in the popular plug-in WP-Statistics, which also fails to sanitize data and falls foul to the same kind of XSS (which allows addition of an admin account by the malicious user).

There’s an update available for the plugin, so if you’re usint it – get it updated! And of course update WordPress core as well, if your auto-updates failed.

Source: Network World


20 November 2014 | 1,359 views

Sparty – MS Sharepoint and Frontpage Auditing Tool

Sparty is an open source Sharepoint and Frontpage auditing tool written in python to audit web applications using sharepoint and frontpage architecture. The motivation behind this tool is to provide an easy and robust way to scrutinize the security configurations of sharepoint and frontpage based web applications. Due to the complex nature of these web administration software, it is required to have a simple and efficient tool that gathers information, check access permissions, dump critical information from default files and perform automated exploitation if security risks are identified. A number of automated scanners fall short of this and Sparty is a solution to that.

Sparty - MS Sharepoint and Frontpage Auditing Tool

Features

  • Sharepoint and Frontpage Version Detection!
  • Dumping Password from Exposed Configuration Files!
  • Exposed Sharepoint/Frontpage Services Scan!
  • Exposed Directory Check!
  • Installed File and Access Rights Check!
  • RPC Service Querying!
  • File Enumeration!
  • File Uploading Check

Usage

Requirements

This version uses following libraries:

  • import urllib2
  • import re
  • import os, sys
  • import optparse
  • import httplib

Also note Python 2.6 is required.

You can download Sparty here:

master.zip

Or read more here – the author can be found on Twitter here @AdityaKSood.


18 November 2014 | 1,580 views

U.S. State Department Hacked

So the U.S. government has been getting fairly hammered lately with breaches/attacks hitting the White House, USPS (Postal Service) and NOAA.

The latest victim of this onslaught has been the State Department, which had to totally shut down their email systems on November 14th after discovering various ‘areas of concern’.

U.S. State Department Hacked

I wonder who’s going to fall next after this? This seems to be a fairly sustained and systematic attack, perhaps from the same perpetrators (or ‘actors’ if I was to use the new trendy infosec language).

Over the course of the last several weeks, a number of high-profile U.S. federal networks have been breached by attackers. The latest organization to be breached is the U.S. State Department, which had to take its email system offline.

The breach at the State Department follows attacks against the White House, the United States Postal Service (USPS) and the National Oceanic and Atmospheric Administration (NOAA).

The Associated Press, which broke the story on the State Department hack on Nov. 16, indicated that the entire unclassified email system was potentially at risk. The actual State Department email shutdown occurred late Friday, Nov. 14, as areas of concern about the email system were discovered.

Currently, there is no official attribution for the source of the State Department email incident. In the NOAA and White House incidents, reports have alleged that nation-state actors from China and Russia were involved.

Bob Stratton, managing partner at cyber-security accelerator Mach37, told eWEEK that he was somewhat surprised at the State Department disclosure. In general, his view is that the State Department’s discussion of this attack is a constructive development.

“While perfect security is a laudable goal, users of information technology are coming to realize that these events occur even in the face of diligent effort,” Stratton said. “There is some value in not immediately assuming that IT operations and security organizations are incompetent so much as that they are enduring a continuing, innovative, determined stream of network attacks.”

Blame it on Russia or China right? That seems to be the standard answer when it comes to things like this. It is good to see it was announced though and not swept under the carpet like it usually is. It’ll be interesting to see if we get any actual meaty details though (like how the attackers got in, what kind of information was leaked, how they fixed the issues etc.).

But honestly, I don’t see that kind of openness happening any time soon. It would be nice though right?

At this point, Stratton added, he’s more curious about how quickly and effectively a breached agency or company can do damage assessment, and how long it takes for them to perform remediation of the breach with confidence that it was done effectively.

In the State Department incident, the email system was the target, which makes sense considering what sort of information might be present.

“An email system contains not only information regarding users in the directory services, but also a wealth of information in the emails themselves,” John Fitzgerald, CTO North America at Wave Systems, told eWEEK. “So if an attacker is able to gain access to internal data repositories—databases, email systems and file stores—a great amount of direct and indirect information can be gathered.”

There is no question that the use of email as a vehicle for delivery of attacks is extremely popular, and has been for a while, according to Stratton.

“It makes sense if one is trying to collect information on an organization that the attacker might be interested in what is arguably the most commonly used and perhaps most critical collaboration tool,” he said.

In terms of next steps for the government, Fitzgerald said the information gathered from the attacks should be used to investigate whether other areas of the infrastructure have been compromised and look for similar fingerprints in other information systems.

Stratton added that he expects the State Department will be doing a damage assessment to determine what exactly was breached, and the sensitivity and implications of that, as well as developing a remediation plan.

“The question in situations where there is a large set of stored information is, Is there some way that the consistent use of encryption might have prevented the loss of some of this information?” Stratton said. “That is no panacea either, but it can sometimes help to make extracting information through an attack more difficult for the attacker.”

I would imagine an organisation like the State Department has access to some pretty hot forensics/incident response teams though, so they should be able to a fairly quick and thorough investigation of what happened.

That is if it was handled properly and the evidence of tampering hasn’t already been destroyed by some heavy handed internal IT support staff member turning off servers and unplugging switches.

They should have a pretty tight IRP in place to handle things like this though, so the chain of evidence should be pretty legit. Yah, that was an awful lot of ‘shoulds’.

Source: eWeek


15 November 2014 | 5,308 views

Kali Linux – The Most Advanced Penetration Testing Linux Distribution

So Linux Live CDs based around hacking or penetration testing used to be a super big deal, they died down a bit in the last few years. The king of the hill back in 2011 used to be BackTrack and the last time we mentioned it was when BackTrack 5 came out.

This article is our second most viewed of ALL TIME – 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery) – perhaps it’s time we do an updated list.

And we covered BackTrack since it first started in 2006, when it was a merger between 2 other distros – Whax and Auditor (anyone remember that far back?).

Kali Linux is the new generation of the industry-leading BackTrack penetration testing Linux distribution also good for security auditing. Kali Linux is a complete re-build of BackTrack from the ground up, adhering completely to Debian development standards.

Kali Linux - The Most Advanced Penetration Testing Linux Distribution

Features in Kali Linux

  • More than 300 penetration testing tools: After reviewing every tool that was included in BackTrack, we eliminated a great number of tools that either did not work or had other tools available that provided similar functionality.
  • Free and always will be: Kali Linux, like its predecessor, is completely free and always will be. You will never, ever have to pay for Kali Linux.
  • Open source Git tree: We are huge proponents of open source software and our development tree is available for all to see and all sources are available for those who wish to tweak and rebuild packages.
  • FHS compliant: Kali has been developed to adhere to the Filesystem Hierarchy Standard, allowing all Linux users to easily locate binaries, support files, libraries, etc.
  • Vast wireless device support: We have built Kali Linux to support as many wireless devices as we possibly can, allowing it to run properly on a wide variety of hardware and making it compatible with numerous USB and other wireless devices.
  • Custom kernel patched for injection: As penetration testers, the development team often needs to do wireless assessments so our kernel has the latest injection patches included.
  • Secure development environment: The Kali Linux team is made up of a small group of trusted individuals who can only commit packages and interact with the repositories while using multiple secure protocols.
  • GPG signed packages and repos: All Kali packages are signed by each individual developer when they are built and committed and the repositories subsequently sign the packages as well.
  • Multi-language: Although pentesting tools tend to be written in English, we have ensured that Kali has true multilingual support, allowing more users to operate in their native language and locate the tools they need for the job.
  • Completely customizable: We completely understand that not everyone will agree with our design decisions so we have made it as easy as possible for our more adventurous users to customize Kali Linux to their liking, all the way down to the kernel.
  • ARMEL and ARMHF support: Since ARM-based systems are becoming more and more prevalent and inexpensive, we knew that Kali’s ARM support would need to be as robust as we could manage, resulting in working installations for both ARMEL and ARMHF systems. Kali Linux has ARM repositories integrated with the mainline distribution so tools for ARM will be updated in conjunction with the rest of the distribution.

You can download Kali Linux here:

Kali Linux 64-Bit ISO (Torrent)
Kali Linux 32-Bit ISO (Torrent)

Or read more here.


13 November 2014 | 2,941 views

Microsoft Schannel Vulnerabilty – Patch It NOW

So yah, it seems like every implementation of TLS is broken and some may say this Microsoft Schannel vulnerabilty is actually worse than Heartbleed. Why is it worse you ask? Because it allows remote code execution, which honestly – is about as bad as it gets.

Microsoft Schannel Vulnerabilty

This is a critical update, a really, really critical patch that must be applied ASAP to all Windows machines. Fortunately there doesn’t seem to be a live exploit in the wild being used, but that doesn’t mean someone doesn’t have one.

Patch Tuesday this month is a genuinely huge (and rather important) set of updates.

Microsoft has been forced to issue a critical patch for a vulnerability that affects every current version of its Windows operating system.

The bug affects code in the Microsoft secure channel (schannel) security component. This component implements the secure sockets layer and transport layer security (TLS) protocols.

A flaw in the code means it fails to properly filter specially formed packets allowing hackers to execute code remotely on an affected Windows machine.

According to the advisory, the flaw affects Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 8/8.1, Windows Server 2012/2012 R2, and Windows RT/RT 8.1 machines. The flaw is rated critical for all affected operating systems.

Microsoft said that it “had not received any information to indicate that this vulnerability had been publicly used to attack customers”.

This could potentially wreak havoc if someone codes it into a worm or mass botnet exploit which self replicates, as I imagine we have about a week or so before a live exploit is reverse engineered from the patch.

And then boom, anyone who hasn’t patched (which unfortunately, as we know is going be a lot of people) is going to get popped.

You can read the actual Microsoft Bulletin (MS14-066) here – Vulnerability in Schannel Could Allow Remote Code Execution (2992611)

Security researchers said exploitation of the SChannel bug has the potential to be worse than Heartbleed and Shellshock combined due to the large numbers of affected systems.

“Heartbleed was less powerful because it was ‘just’ an information disclosure bug and Shellshock was remotely exploitable only in a subset of affected systems,” said Craig Young, security researcher at Tripwire.

“Some administrators may want to prioritise this over the Internet Explorer patch even though we’ve seen attacks we’ve seen in the wild against the browser. This is because MS14-066 has the potential to be exploited without user-interaction,” he said.

Young added that exploitation of the bug would be “tricky”. “Hopefully, this will give admins enough time to patch their systems before we see exploits.”

Just last week, Microsoft was preparing a slew of updates to its products with 16 patches to fix critical flaws in Windows and Internet Explorer.

It seems from some sources too that it’s not just one vulnerability, but a whole set which has been mentioned by Cisco/Talos here:

Microsoft Update Tuesday November 2014: Fixes for 3 0-day Vulnerabilities

It seems like it was internally found during a proactive security assessment, which is a good sign and means a more secure Microsoft environment for us in the future. We shall have to keep a close eye on this and see if the Windows World explodes.

Source: ITPro