Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on RSS or Twitter for the latest updates.

23 July 2012 | 3,440 views

Hcon Security Testing Framework (HconSTF) v0.4 – Fire Base

Secure Your Website with Acunetix

HconSTF is an Open Source Penetration Testing Framework based on different browser technologies, Which helps any security professional to assists in the Penetration testing or vulnerability scanning assessment. It contains webtools which are capable of carrying out XSS attacks, SQL Injection, siXSS, CSRF, Trace XSS, RFI, LFI, etc. It could prove useful to anybody interested in the information security domain – students, security professionals, web developers and so on.

Hcon Security Testing Framework (HconSTF) v0.4

Features

  • Categorized and comprehensive toolset
  • Contains hundreds of tools and features and script for different tasks like SQLi, XSS, Dorks, OSINT to name a few
  • HconSTF webUI with online tools (same as the Aqua base version of HconSTF)
  • Each and every option is configured for penetration testing and Vulnerability assessments
  • Specially configured and enhanced for gaining easy & solid anonymity
  • Works for web app testing assessments specially for OWASP top 10
  • Easy to use & collaborative Operating System like interface
  • Multi-Language support (feature in heavy development translators needed)

You can download HconSTF 0.4 beta here:

HconSTF_v0.4_Freedom_portable.exe

Or read more here.



20 July 2012 | 478 views

Nvidia Investigates Claims Of Online Store Compromise During Spate Of Hacking

Just a few days back we posted about Yahoo! Voices Hacked With SQL Injection – Passwords In Plaintext, and most recently it seems someone has been going after Nvidia pretty hard.

They have already had a few web properties hacked including their forum, the developer zone and their research site. The latest break in the news is a claim that the store has been hacked – they have suspended access whilst they investigate.

Graphics chip manufacturer Nvidia is investigating claims that hackers have compromised its online stores as part of a larger attack that affected several of its websites.

On Friday, a hacker group calling itself Team Apollo claimed that one of Nvidia’s online stores was compromised. As a result, the company suspended access to its Board Store and Gear Store websites.

“Nvidia is investigating whether the store sites were hacked,” Bea Longworth, Nvidia’s senior PR manager for EMEAI (Europe, Middle East, Africa, India), said Monday via email. “We don’t have any evidence that credit card data or customer lists have been put at risk, but we’re investigating.”

The news follows confirmed compromises of some of the company’s other websites last week. “Nvidia Forums, Nvidia Developer Zone and Nvidia Research were compromised in what appears to have been a breach by third parties seeking sensitive information,” Longworth said. On Thursday, Nvidia revealed that hackers had gained access to the Nvidia Forums database and stole usernames, email addresses, hashed passwords and user profile information.

We haven’t really discussed Nvidia much before and I dont recall them being a hacking target previously, we’ve only mentioned them in passing when it comes to tools and methods using graphics card chips for brute forcing like – CUDA-Multiforcer – GPU Powered High Performance Multihash Brute Forcer.

I imagine them having a store and carrying out transactions online puts them in the firing range though, when there’s money or credit card details involved – the bad guys will come.

On the same day, the company also took its Developer Zone and Nvidia Research websites offline over suspicions of compromise. Those suspicions were confirmed on Friday, when a hacker posted hashed passwords for a proportion of DevZone users on a public website.

Nvidia was not the only company forced to deal with data leaks that resulted from hacker attacks during the past week.

On Tuesday, the company operating Formspring, a website where users can post and answer questions, disabled its users’ passwords after 420,000 password hashes were posted on a forum. The company later confirmed that someone broke into one of its development servers and stole user account information from a production database.

On Thursday, a hacker group published a list of 450,000 log-in credentials that it claimed to have stolen from the database of an unnamed Yahoo service. Yahoo later confirmed that the log-in credentials were from its Yahoo! Contributor Network service.

Nvidia has taken the other compromised sites down and confirmed they were hacked, I wonder if the threat against the store is just bravado or someone genuinely has compromised it. There seems to be no proof of that at this point however.

There seems to have a been a real glut of these kind of attacks lately, I wonder if there’s a new vulnerability passing around the underground that no-one knows about in a common web language like PHP or in a common service like Apache or the recent MySQL bug.

I wouldn’t be surprised if a lot of these are due to this: MySQL 1 Liner Hack Gives Root Access Without Password.

Source: Network World


18 July 2012 | 3,281 views

spt v0.6.0 – Simple Phishing Toolkit Available For Download

spt is a simple concept with powerful possibilities. It is what it’s name implies: a simple phishing toolkit.

The basic idea the spt project had was “Wouldn’t it be cool if there were a simple, effective, easy to use and free (most importantly!) tool that information security professionals could use to evaluate and train what we all know is the weakest link in any security minded organization: the people?“.

spt - Simple Phishing Toolkit

Since the founders of the spt project are themselves information security professionals by day, they themselves faced the frustration of dealing with people within their own organizations that claimed to know better, but 9 times out of 10 fell for the most absurdly obvious phishing emails ever seen. A malware outbreak here, a stolen password and loss of critical organizational data there and the costs of dealing with the results of phishing can get to be astronomical pretty darn quickly!

Enter spt. spt was made from scratch, with the goal of giving over-worked and under-staffed information security professionals a simple tool (more like a framework, as they hope to add more features over time) that could be used to identify and train those weakest links. spt is a fully self-contained phishing email toolkit that can be installed, configured and phishing in less than 15 minutes. Its design is modular and open-ended allowing for future expansion and additional features via easy to snap-in modules that are simply uploaded in the administration dashboard. Why not try out spt today and see who your weakest link is?

You can download spt here:

sptoolkit_0.60_zip.zip

Or read more here.


16 July 2012 | 2,535 views

Yahoo! Voices Hacked With SQL Injection – Passwords In Plaintext

There’s been a few HUGE cases of large sites being hacked and exposing either plaintext or extremely poorly encrypted passwords, it happened to LinkedIn not that long ago – and the latest case is of Yahoo!.

It wasn’t the main site, but with almost half a million username and password combos exposed – it’s a fairly large leak. It came from the Yahoo! Voices subdomain (Yahoo! Contributor Network) and seems to have been carried out with a fairly basic UNION type SQL Injection.

I imagine the database or old part of the site that powered the Yahoo! Contributor Network was developed way back in history before secure programming was as big (and as prominent) as it is now, and before frameworks took care of most the security nuts and bolts.

A Yahoo security breach that exposed 450,000 usernames and passwords from a site on the huge web portal indicates that the company failed to take even basic precautions to protect the data.

Security experts were befuddled Thursday as to why a company as large as Yahoo would fail to cryptographically store the passwords in its database. Instead, they were left in plain text, which means a hacker could easily read them.

“It is definitely poor security,” Marcus Carey, a security researcher at Rapid7, said. “It’s not even security 101. It’s basic application development 101.”

Yahoo declined a request for an interview, and only emailed a statement confirming the breach that occurred Wednesday. The company said that an “older file” containing roughly 450,000 user names and passwords was stolen from its Contributor Network, a subset of Yahoo’s massive network of Web sites. Membership in the Contributor Network consists of freelance journalists who write content for Yahoo Voices. The network was established following Yahoo’s 2010 acquisition of Associated Content.

Less than 5 percent of the stolen data had valid passwords, Yahoo said. “We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised,” the statement said.

Yahoo! seemed to have taken action fairly quickly, but still this is a very sloppy example of data security – even if it was an old system and a defunct one at that.

Unsurprisingly, the top 5 most common passwords in this data set were extremely easy to guess:

  • 123456
  • password
  • welcome
  • ninja
  • abc123

Ninja is a new entrant though, I don’t remember that being in the old common password lists, such as those in this article: The Top 10 Most Common Passwords

The breach had ramifications far beyond Yahoo, because the portal allowed people registering with the Contributor Network to use credentials from other sites to log in. Carey identified some of the other sites as Google’s Gmail, Microsoft’s Hotmail, AOL, Comcast and Verizon.

A hacker group called D33Ds Company took credit for the breach, and posted a statement on its website saying the attack was a warning. “We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat,” the group said, according to media reports. “There have been many security holes exploited in Web servers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly.”

The hackers claimed to use a common attack method called a SQL injection to access the database that fed the server hosting the site. A SQL injection typically involves sending commands through a search field or a URL to break into a poorly secured site. Tony Perez, chief operating officer for Sucuri, who used to work with defense contractors in developing secure applications, said Yahoo’s overall security lapses were a disservice to its users. “It makes you wonder. If a property like Yahoo at that scale is doing that, and they did it for their Yahoo Voices, what’s the probability of that also occurring in their other properties?”

The Yahoo breach occurred a month after professional social networking site LinkedIn acknowledged that 6.5 million usernames and passwords were stolen and posted on a Russian hacker forum. In that case, the passwords had been stored using a cryptographic method called hashing.

At least LinkedIn had the passwords hashed, albeit without salting – so they were pretty secure (but still not secure enough). Please hash, salt, use a salt on the physical disk from a file – oh there’s so many things developers can do to make sure if their system does get cracked – the damage is limited.

But do they do it, well mostly no – because product owners/managers are pushing out things with feature-set being the priority and anything else being pretty much unimportant.

It does make you wonder though, Yahoo! as an organization – how do they store their passwords for other web properties? I wouldn’t be surprised if it’s done with equal slackness.

Source: Network World


12 July 2012 | 1,307 views

Microsoft Enhanced Mitigation Evaluation Toolkit (EMET) 3rd Party GUI

We published an article about Microsoft Enhanced Mitigation Evaluation Toolkit (EMET) when it came out back in June 2011.

The Native GUI for EMET is in .NET and there are some situations or restricted environments where you may be unable to install .NET or just simple don’t want to use it.

This is where this third-party graphical interface for the Enhanced Mitigation Experience Toolkit comes in, it has no dependence on .NET and will work fine in environments without that capability.

3rd Party GUI for Microsoft EMET

You can download EMET GUI here:

nemet.zip

Or read more here.


09 July 2012 | 713 views

Android Malware App Covertly Makes Purchases On China Mobile Market

There seems to be a trend towards malware on the Android platform that extorts money from the user somehow, either through premium SMS or services – or the latest trojan – which covertly purchases apps from the mobile market.

We first wrote about Android Antivirus software from Symantec back in 2010 and it seems like recently, it’s becoming more necessary.

DroidDream malware starting proliferating the app store last year in 2011, and there was the article about China Facing Problems With Android Handsets & Pre-installed Trojans.

Security researchers are warning of yet another Android malware outbreak which has spread to nine app stores and infected 100,000 with code designed to covertly purchase apps and content from China Mobile’s Mobile Market.

Mobile security firm TrustGo explained that the MMarketPay.A Trojan could be hidden in a number of legitimate-looking applications, including those from Sina and media streaming company Funinhand, as well as travel and weather apps.

The malware has already been placed in nine different third party Android app markets in China, infecting over 100,000, the firm said. Once downloaded, the Trojan will automatically place orders for paid content and apps at China Mobile’s official Mobile Market online store without informing the user. It is able to intercept China Mobile’s verification SMS and post the code to the Mobile Market web site in order to complete the purchase, said TrustGo.

In the event of CAPTCHA being triggered at this stage, the malware will apparently send the relevant image to a remote server for analysis.

It seems to be happening most of all in China, this isn’t the first time and I guess it won’t be the last. I attribute it to the fact it’s a fairly new smartphone market and the sheer number of people there makes it very attractive to develop this kind of money making malware.

Just get it out there to a few million people (an extremely small percentage of the population in China) and you’re rich. China is being flooded with cheap Android handsets and tablets, so I’d expect to see more of these threats coming from there in the coming months.

The advice from the security experts at TrustGo is for users to only download Android apps from trusted app stores and to have some form of real-time mobile security scanner installed on their device to prevent any dodgy downloads.

Visiting an apparently legit app store is no guarantee you’re going to get a malware-free experience, however. Malware is frequently turning up on the official Android marketplace Google Play – although admittedly less frequently than on some of the more dubious third party sites.

The latest discovery came at the tail end of last week when researchers found malware that lifts the victim’s location data and address book info. China in particular has been a hotbed of malicious Android activity for some time.

In April, the Chinese authorities were forced to publically reprimand the country’s two biggest mobile carriers, China Mobile and China Telecom, after uncovering “many problems” in their respective app stores. Globally too, Android continues to be a favourite with cyber criminals.

So…if you live in China, and use an Android handset – be extremely careful! If not, you should be pretty safe, we aren’t seeing much of this type of malware outside of China – or any kind of Android malware really.

Even though there have been some serious flaws like – Critical Zero Day Abobe Flash Flaw Puts Android Phones At Risk.

The scariest part for me is how smartly this trojan has been developed, it can place orders, intercept the verification SMS and provide it back to the app store – that’s pretty impressive!

Source: The Register


28 June 2012 | 10,158 views

The Mole v0.3 Released For Download – Automatic SQL Injection Exploitation Tool

The Mole is an automatic SQL Injection exploitation tool. All you need to do is provide a vulnerable URL and a valid string on the site you are testing and The Mole will detect the injection and exploit it, either by using the union technique or a boolean query based technique.

We did mention The Mole when we first heard about it back in 2011 – The Mole – Automatic SQL Injection SQLi Exploitation Tool.

The Mole v0.3

Features

  • Support for injections using MySQL, MS-SQL Server, Postgres and Oracle databases.
  • Command line interface.
  • Auto-completion for commands, command arguments and database, table and columns names.
  • Support for filters, in order to bypass certain IPS/IDS rules using generic filters, and the possibility of creating new ones easily.
  • Exploits SQL Injections through GET/POST/Cookie parameters.
  • Developed in Python 3.
  • Exploits SQL Injections that return binary data.
  • Powerful command interpreter to simplify its usage.

You can download The Mole v0.3 here:

Windows – themole-0.3-win32.zip
Linux – themole-0.3-lin-src.tar.gz

Or read more here.


22 June 2012 | 1,545 views

Windows XML Core Services Exploit Attacked In The Wild – CVE-2012-1889

Oh look, another serious flaw in Windows – and this one is really bad because it can be exploited directly in Internet Explorer.

And even worse than that, this vulnerability is actually being exploited in the wild by cybercriminals – this shows it’s no longer a theoretical attack. Plus of course the fact, it’s actually unpatched – so even if you’ve applied all the available Windows updates – it’s still exploitable.

An unpatched Windows vulnerability considered a critical threat by security experts is being exploited by cybercriminals.

Microsoft disclosed the flaw in XML Core Services (MSXML) 3.0, 4.0 and 6.0 June 12 during its monthly release of patches. The security advisory, which was separate from the patch release, offered a workaround for vulnerability CVE-2012-1889, but no fix. The vulnerability is easily exploited through Internet Explorer.

Security vendor Sophos reported Tuesday that it discovered over the weekend a web page crafted to take advantage of the flaw. The page was on the site of an unidentified European medical company, which did not know its website had been hijacked, Sophos said.

Cybercriminals often hide malware on legitimate websites for so-called drive-by installs. To lure people to the compromised site, hackers typically use specially crafted email to entice recipients to click on a link to the infected page.

Marcus Carey, a security researcher at Rapid7, said his company was sure cybercriminals everywhere were exploiting the widely known vulnerability. “That vulnerability is definitely being exploited in the wild,” he said Wednesday. Unpatched software flaws that are disclosed publicly become priority No. 1 for cyber-criminals, who know that companies and people are slow to install patches, and even slower to apply workarounds.

This is a serious issue, even when it gets patched it’ll still be a serious issue as people and companies tend to be slow in applying patches and quite often people turn off Windows Update entirely because they find it annoying and quite often the updates cause more problems than they solve (Black screen of death etc).

Plus the fact that it’s easily exploitable in the browser, this is not a complex multi-layered attack or something that needs network exposure to work.

A lot of anti-virus software vendors have issued updates that detect this exploit and will help mitigate against the threat until a proper patch is issued by Microsoft.

The latest vulnerability is particularly serious because it can be easily exploited. “The only thing you have to do is visit a website that’s been compromised, and you’re going to compromise your system,” Carey said. “Anyone running Internet Explorer should be terrified unless they apply the [Microsoft] fix-it.”

MSXML is a set of services used in building Windows-native XML-based applications. The latest flaw affects all releases of Windows and Office 2003 and 2007. A successful attacker could use the vulnerability to gain full user rights to a PC, Microsoft said.

Until a patch is released, the Microsoft workaround is the only way to stymie hackers. Many security vendors have updated their products to detect malicious code that tries to exploit the vulnerability. “Although security software can protect against this vulnerability, let’s hope that Microsoft can release a proper patch sooner rather than later,” Paul Baccas, senior threat researcher at Sophos, said in the company’s blog.

Google reported the vulnerability to Microsoft on May 30 and worked with the software maker.

The vulnerability notation for this is: CVE-2012-1889 – if you want to keep tabs what’s going on with it.

The Microsoft advisory for this is here: Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution

Source: Network World


19 June 2012 | 3,288 views

Graphical Web Interface for OSSEC WUI AnaLogi v1.1

‘Analytical Log Interface’ was built to sit on top of OSSEC (built on OSSEC 2.6) and requires 0 modifications to OSSEC or the database schema that ships with OSSEC. AnaLogi requires a Webserver sporting PHP and MySQL.

Written for inhouse analysis work, released under GPL to give something back – it’s intended to help you spot trends in graphs from hosts/levels/ruleID breakdowns and then let the user drill down to the specific alerts.

AnaLogi v1.1

OSSEC is used for internal servers, therefore server names are treated as trusted and are not filtered for security within this project. For the same reason user input on the details page is not filtered… if you want to inject SQL, go ahead, you are the Sys Admin after all.

Log data IS treated as UNTRUSTED, and is validated before dumping to screen.

This was written and tested on a Virtual Machine, quad core, 4GB ram using a database with currently 1.2million alerts and 10 servers and performs fine.

If the interface gets slow over time you may want to consider your data retention period in the database and clean events out from time to time.

Download AnaLogi v1.1 here:

AnaLogi_v1.1.zip

Or read more here.


12 June 2012 | 15,661 views

MySQL 1 Liner Hack Gives Root Access Without Password

The latest news that has hit the streets is the occurence of the easiest hack ever, if you have local shell access (any user privelege level) and you can connect to MySQL – you can get root access to MySQL within a few seconds.

I tried this yesterday on one of my servers on Ubuntu 12.04 running the latest version of MySQL in the repo…and it worked in about 30 seconds. Scary really, you can use this single line of bash to hack MySQL:

Or the Python version I originally saw:

Security experts have identified some 879,046 servers vulnerable to a brute force flaw that undermines password controls in MySQL and MariaDB systems.

According to Rapid7 security chief HD Moore, one in every 256 brute force attempts could override authentication controls on the servers and allow any password combination to be accepted. An attacker only needed to know a legitimate username which in most circumstances included the name ‘root’.

The flaw has already been exploited. Moore reported that the flaw (CVE-2012-2122) was already patched for both MySQL and MariaDB, but many MySQL administrators had not fixed the hole in their deployments.

Upon scanning 1.7 million publicly exposed MySQL servers, he found more than half (879,046) vulnerable to the “tragically comedic” flaw.

There’s a lot of vulnerable servers out there, so you better hope they aren’t yours because it’s not hard to scan whole subnets for servers with port 3306 open that accept connections from the outside world.

And if your server is in that state – it’s vulnerable. I just checked the repos for Ubuntu 10.04 LTS and Ubuntu 12.04 LTS and they both have a patched version of MySQL available for download so I suggest you get on your servers and do -

If you are using a shitty OS that uses yum or something – figure it out yourself.

Affected versions, listed below, require for memcmp() to return an arbitrary integer outside of the range -128 to 127. All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5 and 5.5.22 were vulnerable, Golubchik said.

Moore and other security boffins identified vulnerable versions in Ubuntu 64-bit versions 10.04, 10.10, 11.04, 11.10, and 12.04, OpenSUSE 12.1 64-bit MySQL 5.5.23, and Fedora. Official builds of MariaDB and MySQL were safe, along with Red Hat Enterprise Linux 4, 5 and 6 and some flavours of Debian Linux and Gentoo 64 bit.

A list of accessible MySQL servers found 356,000 deployments running versions of 5.0.x, followed by 285,000 running 5.1.x, and 134,436 running 5.5.x. Another list of MySQL build flavours revealed 43,900 running Ubuntu, 6408 on Debian, and 98,665 on Windows.

Honestly I find that this is a really serious vulnerability, but has a pretty low risk profile. It will only work in cases of badly configured MySQL users where they accept connections from any IP address – user@% type entries in the user table.

NO ONE should be running root@% – so that would mean the attacker would need local shell access. And well if they have that, it’s pretty much game over anyway.

This vulnerability is notated as CVE-2012-2122.

Source: SC Magazine