Archive | November, 2007

fwtest – Firewall Testing Toolkit


The firewall test suite fwtest is a security auditing tool made up of two parts: the test control application fwtest and, optionally, one or two helper processes named fwagent. The test control application fwtest starts the Python interpreter with the given test script. The test script controls the flow of packet data between two virtual interfaces, A and B.

For this purpose the Python interpreter is extended with commands that support the construction and transfer of arbitrary IP packets. In this way it is possible to stimulate a firewall (or any other relaying network node) connected between interfaces A and B.

According to the interface specification, the virtual interfaces A and B are mapped onto given physical interfaces, either on the host fwtest itself is running on or on a remote host that runs the fwagent application. For remote access, fwtest establishes a TLS-protected control connection to the fwagent on the specified host. You may use a CA structure or a fingerprint file to authenticate the peer. A shell script distributed with the software helps you generate the necessary keys for both variants (CA structure and fingerprint).

For both variants (one or two fwagents), the interfaces need to be controlled by fwtest and fwagent at the link level. This is achieved by using the Berkeley Packet Filter library pcap for reading packets and the Network Library libnet for writing them.
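The "inject on A, observe on B" check that a test script drives is easy to picture with a concrete packet in hand. The following Python is an added example, not code from fwtest (whose scripting commands are not reproduced here): it crafts an IPv4/TCP SYN with correct header and pseudo-header checksums, parses it back with verification, and runs a small expected-policy suite against a simulated relay. The addresses, ports, rule list and the `simulated_relay` function are all constructed for the example; with real hardware that function would be the send-on-A / capture-on-B pair the tool provides.

```python
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over big-endian 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_syn(src_ip: str, dst_ip: str, sport: int, dport: int, ttl: int = 64) -> bytes:
    """Craft a minimal IPv4 packet carrying a TCP SYN (20-byte headers, no options)."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # TCP header with the checksum field zeroed; data offset 5 words, flags = SYN.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header: version 4 / IHL 5, DF set, checksum zeroed then filled in.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl,
                     socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse(packet: bytes) -> dict:
    """Decode IPv4/TCP headers and verify both checksums; raises ValueError on corruption."""
    f = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (f[0] & 0x0F) * 4
    if checksum(packet[:ihl]) != 0:          # a valid header sums to zero
        raise ValueError("IP header checksum mismatch")
    proto, src, dst = f[6], f[8], f[9]
    tcp = packet[ihl:]
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(tcp))
    if checksum(pseudo + tcp) != 0:
        raise ValueError("TCP checksum mismatch")
    sport, dport, _, _, _, flags = struct.unpack("!HHIIBB", tcp[:14])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
            "sport": sport, "dport": dport, "syn": bool(flags & 0x02)}


# Constructed policy for the device under test: (protocol, destination port or None, action),
# evaluated first-match with an implicit default deny.
POLICY = [
    (socket.IPPROTO_TCP, 80, "allow"),
    (socket.IPPROTO_TCP, 443, "allow"),
    (socket.IPPROTO_TCP, None, "deny"),
]


def simulated_relay(rules, packet: bytes):
    """Stand-in for the firewall between A and B (assumption: on real hardware this step is
    the device itself). Returns the packet as seen on B, or None if it was dropped."""
    try:
        hdr = parse(packet)
    except ValueError:
        return None                      # undecodable or corrupt: a sane firewall drops it
    for proto, dport, action in rules:
        if proto == hdr["proto"] and dport in (None, hdr["dport"]):
            return packet if action == "allow" else None
    return None


def run_suite(rules=POLICY) -> dict:
    """Inject each constructed packet 'on A' and compare what appears 'on B' with expectation."""
    corrupt = bytearray(build_tcp_syn("192.0.2.10", "198.51.100.20", 40002, 80))
    corrupt[22] ^= 0xFF                  # damage the TCP destination port without refreshing checksums
    cases = [
        ("http syn relayed", build_tcp_syn("192.0.2.10", "198.51.100.20", 40000, 80), True),
        ("ssh syn dropped", build_tcp_syn("192.0.2.10", "198.51.100.20", 40001, 22), False),
        ("corrupt packet dropped", bytes(corrupt), False),
    ]
    return {name: (simulated_relay(rules, pkt) is not None) == expect for name, pkt, expect in cases}


if __name__ == "__main__":
    for name, ok in run_suite().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

The third case is the one worth keeping in any real suite: a packet the filter cannot validate must not appear on B, and a test that only checks allowed and denied ports never exercises that path.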

You can download fwtest source code here:


Or read more here.


Security Software Moves to Consoles – Web Filtering for PS3


Ah, it seems some companies are having the same idea as me: consoles might well be the next infection vector for zombie-style botnets. They have good processing power, the current generation has ample hard-drive space, and they are network connected.

The difference with consoles is that they tend to be turned off when not in use, unlike PCs, which are quite often left on.

Still, infecting a few million PS3s could be a great attack mechanism – so the latest update for the PS3 is web filtering, the first step towards security software for consoles.

Sony has integrated a website filter into its latest PlayStation 3 firmware. But while use of the utility is optional and, for now, free, neither the console giant nor its security partner, Trend Micro, are saying how much they’ll demand from users when the free-use period ends next April.

Trend claimed the site blocker, which is part of PS3 firmware version 2.0, posted last week, is the world’s first global internet security service for a games console.

It’ll be interesting to see how much it costs when it stops being free, and what the uptake is like percentage wise. I have a feeling it’ll be very low.

If users choose to activate the filtering service, which is accessed through the PS3’s internet browser, they must select a password. If a blocked website is then accessed, users can enter their password to view the site.

Trend’s service is free to use until April 2008, it said. Bizarrely, however, it was unable to say how much it will demand PS3 owners cough up after that date if they want to carry on using the service, perhaps to keep inappropriate content away from their kids.

Apparently the pricing structure hasn’t even been worked out yet, but then I guess they just want to get it out there as the ‘first’ security software for a console and increase the branding strength.

Source: The Register


Chaosreader – Trace TCP/UDP Sessions from tcpdump


A freeware tool to trace TCP/UDP sessions and fetch application data from snoop or tcpdump logs. This is a type of “any-snarf” program, as it will fetch telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG), SMTP emails and so on from the captured data inside network traffic logs.

Similar to tcpflow which we mentioned recently.

An HTML index file is created that links to all the session details, including real-time replay programs for telnet, rlogin, IRC, X11 and VNC sessions, and reports such as image reports and HTTP GET/POST content reports. Chaosreader can also run in standalone mode, where it invokes tcpdump or snoop (if they are available) to create the log files and then processes them.

The cool thing about Chaosreader is that it outputs a nicely formatted HTML file, which makes looking at the extracted sessions a lot easier.

In this example, a snoop file was created while a website was loaded, telnet was used to log in and FTP to transfer files. Chaosreader has managed to extract the HTTP sections, follow the telnet session, grab the FTP files, and create an Image Report from the snoop log. It has also created a replay program to play back the telnet session. You can see the example here.

You can find some more screenshots here.

You can download Chaosreader here:

Chaosreader 0.94

You can read more here.


tcpflow – TCP Flow Recorder for Protocol Analysis and Debugging


tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like ‘tcpdump’ shows a summary of packets seen on the wire, but usually doesn’t store the data that’s actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.

tcpflow understands sequence numbers and will correctly reconstruct data streams regardless of retransmissions or out-of-order delivery. However, it currently does not understand IP fragments; flows containing IP fragments will not be recorded properly.

tcpflow is based on the LBL Packet Capture Library (available from LBL) and therefore supports the same rich filtering expressions that programs like ‘tcpdump’ support. It should compile under most popular versions of UNIX; see the INSTALL file for details.

tcpflow stores all captured data in files that have names of the form

Where the contents of the above file would be data transmitted from host port 2345, to host port 45103.
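Both Chaosreader’s session extraction and tcpflow’s per-flow reconstruction rest on the same step: putting TCP segments back in sequence-number order, discarding bytes that a retransmission delivers twice, and writing one stream per endpoint pair. The following Python reassembler is an added example, not code from either tool. The hosts, the segments and the `Segment` type are constructed for it, and the flow-file naming (source endpoint, then destination endpoint, ports zero-padded) is an assumed convention for this example rather than tcpflow’s exact format. Like tcpflow, it refuses IP fragments instead of trying to reassemble them, and for simplicity it does not handle 32-bit sequence wrap-around.

```python
import os
from dataclasses import dataclass


@dataclass
class Segment:
    """One TCP segment as a capture front end would hand it over (constructed type)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes
    syn: bool = False
    fragment: bool = False  # stands in for the IP "more fragments" bit / non-zero fragment offset


class FlowReassembler:
    """Rebuilds each unidirectional TCP stream from segments arriving in any order."""

    def __init__(self):
        self.flows = {}          # key -> {"next": int, "pending": {seq: bytes}, "data": bytearray}
        self.skipped_fragments = 0

    @staticmethod
    def key(seg: Segment) -> str:
        # Assumed naming convention for this example, not necessarily tcpflow's own.
        return f"{seg.src}.{seg.sport:05d}-{seg.dst}.{seg.dport:05d}"

    def add(self, seg: Segment) -> None:
        if seg.fragment:
            self.skipped_fragments += 1       # fragments are not reassembled, only counted
            return
        st = self.flows.setdefault(self.key(seg), {"next": None, "pending": {}, "data": bytearray()})
        if st["next"] is None:
            # A SYN consumes one sequence number; without one, start at the first seq seen.
            st["next"] = seg.seq + 1 if seg.syn else seg.seq
        if seg.syn or not seg.payload or seg.seq + len(seg.payload) <= st["next"]:
            return                            # no stream data, or a pure retransmission
        if len(seg.payload) > len(st["pending"].get(seg.seq, b"")):
            st["pending"][seg.seq] = seg.payload
        self._drain(st)

    def _drain(self, st: dict) -> None:
        """Append every pending segment that covers the next expected byte, trimming overlap."""
        while True:
            ready = [s for s, p in st["pending"].items() if s <= st["next"] < s + len(p)]
            if not ready:
                break
            s = min(ready)
            payload = st["pending"].pop(s)
            st["data"] += payload[st["next"] - s:]   # drop the already-delivered prefix
            st["next"] = s + len(payload)
            # Segments now wholly behind the stream position were retransmissions.
            for old in [k for k, p in st["pending"].items() if k + len(p) <= st["next"]]:
                del st["pending"][old]

    def streams(self) -> dict:
        return {k: bytes(st["data"]) for k, st in self.flows.items()}

    def write_files(self, directory: str) -> None:
        """One file per flow, named after its endpoints, as the tool described above does."""
        os.makedirs(directory, exist_ok=True)
        for name, data in self.streams().items():
            with open(os.path.join(directory, name), "wb") as fh:
                fh.write(data)


def sample_reassembly() -> FlowReassembler:
    """Constructed capture: client 10.0.0.5:2345 talking to server 10.0.0.9:45103 (hosts made up)."""
    c, s = ("10.0.0.5", 2345), ("10.0.0.9", 45103)
    segments = [
        Segment(*c, *s, seq=1000, payload=b"", syn=True),
        Segment(*c, *s, seq=1017, payload=b"Host: example.test\r\n\r\n"),  # arrives before its predecessor
        Segment(*c, *s, seq=1001, payload=b"GET / HTTP/1.0\r\n"),
        Segment(*c, *s, seq=1001, payload=b"GET / HTTP/1.0\r\n"),          # exact retransmission
        Segment(*c, *s, seq=1030, payload=b".test\r\n\r\nextra"),           # overlaps the tail, adds 5 new bytes
        Segment(*s, *c, seq=5000, payload=b"HTTP/1.0 200 OK\r\n", fragment=True),  # fragmented: skipped
        Segment(*s, *c, seq=5000, payload=b"HTTP/1.0 200 OK\r\n"),
    ]
    reassembler = FlowReassembler()
    for seg in segments:
        reassembler.add(seg)
    return reassembler


if __name__ == "__main__":
    r = sample_reassembly()
    for name, data in r.streams().items():
        print(name, data)
    print("fragments skipped:", r.skipped_fragments)
```

The overlapping retransmission at sequence 1030 is the case a naive "append in arrival order" extractor gets wrong: the reassembler keeps only the five bytes past the current stream position, so the reconstructed request contains each byte exactly once.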

The only downside to this tool is that it’s not being actively maintained; the last version was released in 2003.

The upside is that the TCP protocol hasn’t changed, so the tool still works just fine.

Definitely extremely useful for network forensics, it’s one of the tools I use to demo network dissection in classes.

You can download it here:

Version 0.21 source tarball
Version 0.21 Source RPM

Or read more here.


Wi-Fi Jacking Extremely Common (45% of People Do!)


It seems Wi-Fi jacking is actually extremely common; in fact, in a recent poll up to 45% do it! I guess most people here have. I admit I do: even with my phone, when I’m out and about I’ll use any Wi-Fi point that works.

We can blame it on the manufacturers for having lax default security settings, but they have to do it, because if they enforced WEP by default, for example, most people wouldn’t be able to connect and would most likely return it to the shop claiming that it’s ‘broken’.

Sophos has revealed new research into the use of other people’s Wi-Fi networks to piggyback onto the internet without payment. The research shows that 54 percent of computer users have admitted breaking the law, by using someone else’s wireless internet access without permission.

According to Sophos, many internet-enabled homes fail to properly secure their wireless connection with passwords and encryption, allowing freeloading passers-by and neighbours to steal internet access rather than paying an internet service provider (ISP) for their own.

As for the legal and ethical side, it’s hard to say. In most countries it’s still a fairly grey area: if you don’t do anything illegal with the connection (sniffing, cracking, hacking, DoS etc.) and you don’t use enough bandwidth to cause a problem, it’s hard to say it’s illegal.

Stealing Wi-Fi internet access may feel like a victimless crime, but it deprives ISPs of revenue. Furthermore, if you’ve hopped onto your next door neighbours’ wireless broadband connection to illegally download movies and music from the net, chances are that you are also slowing down their internet access and impacting on their download limit. For this reason, most ISPs put a clause in their contracts ordering users not to share access with neighbours – but it’s very hard for them to enforce this.

The contract clause is interesting but, as mentioned, extremely hard to enforce.

I guess Wi-Fi jacking will continue, and as more mobile devices support Wi-Fi (N95, E61i, PSP, iPhone etc.) it will get even more common.

Source: Net Security


Apple Fixes ‘Misleading’ Leopard Firewall Settings


Apple has admitted that it has at LEAST three serious design weaknesses in its new application-based firewall being rolled out with Mac OS X ‘Leopard’.

It comes (somewhat oddly) only 24 hours after a Mac OS X security update that fixed 41 OS X and Safari security vulnerabilities.

Previously, independent researchers proved that Apple’s claim that the Leopard firewall could block all incoming connections was false.

In an advisory accompanying the Mac OS X v10.5.1 update, Apple admitted that the “Block all incoming connections” setting for the firewall is misleading.

“The ‘Block all incoming connections’ setting for the Application Firewall allows any process running as user “root” (UID 0) to receive incoming connections, and also allows mDNSResponder to receive connections. This could result in the unexpected exposure of network services,” Apple said.

With the fix, the firewall will more accurately describe the option as “Allow only essential services” and limit the processes permitted to receive incoming connections under this setting to a small fixed set of system services, Apple said.

Sounds like they are back-pedalling rather fast. They also addressed two other issues with the application-based firewall.

CVE-2007-4703: The “Set access for specific services and applications” setting for the Application Firewall allows any process running as user “root” (UID 0) to receive incoming connections, even if its executable is specifically added to the list of programs and its entry in the list is marked as “Block incoming connections”. This could result in the unexpected exposure of network services.

CVE-2007-4704: When the Application Firewall settings are changed, a running process started by launchd will not be affected until it is restarted. A user might expect changes to take effect immediately and so leave their system exposed to network access.

So watch out: Apple is not the panacea of security that some people claim it to be.

Source: ZDNet


sqlninja 0.2.1-r1 – SQL Injection Tool for MS-SQL Released for Download


Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote shell on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

It is written in Perl and so far has been successfully tested on:

  • Linux
  • FreeBSD
  • Mac OS X


  • Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
  • Bruteforce of ‘sa’ password (in 2 flavors: dictionary-based and incremental)
  • Privilege escalation to sysadmin group if ‘sa’ password has been found
  • Creation of a custom xp_cmdshell if the original one has been removed
  • Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
  • TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
  • Direct and reverse bindshell, both TCP and UDP
  • DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames (check the documentation for details about how this works)

What’s New

  • A new flavor of bruteforce attack, performed remotely on the target DB Server by using its own CPU resources (use it with caution!)
  • Detection of the authentication mode (mixed or Windows-only), which is useful to understand whether the bruteforce attack to the ‘sa’ account can succeed or not
  • Documentation is now in HTML format, which should make things much easier for new users
  • Several bugfixes and minor improvements

You can download sqlninja 0.2.1-r1 here:

sqlninja 0.2.1-r1

Or read more here.


The World’s Biggest Botnets – Peer to Peer


So what’s coming next, after Storm you might ask. You might remember Storm Worm Descending on Blogspot recently and other news about Botnets spiraling out of control accounting for almost 25% of online computers.

Well, apparently next will be P2P, or peer-to-peer, botnets, which could literally blow Storm away.

You know about the Storm Trojan, which is spread by the world’s largest botnet. But what you may not know is there’s now a new peer-to-peer based botnet emerging that could blow Storm away.

“We’re investigating a new peer-to-peer botnet that may wind up rivaling Storm in size and sophistication,” says Tripp Cox, vice president of engineering for startup Damballa, which tracks botnet command and control infrastructures. “We can’t say much more about it, but we can tell it’s distinct from Storm.”

It’s hard to imagine anything bigger and more complex than Storm, which despite its nefarious intent as a DDOS and spam tool has awed security researchers with its slick design and its ability to reinvent itself when it’s at risk of detection or getting busted. Storm changed the botnet game, security experts say, and its successors may be even more powerful and wily.

Interesting developments; I’ll certainly be watching out for this to see what happens. This next generation could open up DDoS attacks of never-before-seen proportions (I’m talking the ability to take whole countries offline).

Information warfare? Cyber Terrorism? Yes it’s getting very real.

Botnets are no longer just annoying, spam-pumping factories — they’re big business for criminals. This shift has even awakened enterprises, which historically have either looked the other way or been in denial about bots infiltrating their organizations.

“A year ago, the traditional method for bot infections was through malware. But now you’re getting compromised servers, with drive-by downloads so prevalent that people are getting infected without realizing it,” says Paul Ferguson, network architect for Trend Micro. “No one is immune.”

So watch out, and do educate people wherever you can about the dangers of malware and safe surfing. A little Firefox here, a little NoScript there, a copy of Avast and a few instructions solve most problems.

Source: Dark Reading


Medusa 1.4 – Parallel Password Cracker Released for Download


It’s been a long time coming, but here it is: after almost a year (remember Medusa 1.3?) version 1.4 is finally here!

Version 1.4 of Medusa is now available for public download!

What is Medusa? Medusa is a speedy, massively parallel, modular, login brute-forcer for network services created by the geeks at

The Key Features are as follows:

  • Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.
  • Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.
  • Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.

It currently has modules for the following services:

  • CVS
  • FTP
  • HTTP
  • IMAP
  • MS-SQL
  • MySQL
  • NCP (NetWare)
  • NNTP
  • PcAnywhere
  • POP3
  • PostgreSQL
  • rexec
  • rlogin
  • rsh
  • SMB
  • SNMP
  • SSHv2
  • SVN
  • Telnet
  • VmAuthd
  • VNC

It also includes a basic web form module and a generic wrapper module for external scripts.

While Medusa was designed to serve the same purpose as THC-Hydra, there are several significant differences. For a brief comparison, see here.
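From the defender’s side, the parallel, multi-user mode described above leaves a characteristic trace: many failed logins from one source spread across different accounts, so that a per-account lockout or threshold never trips. The following Python detector is an added example, not part of Medusa or THC-Hydra: it runs a per-source sliding window over constructed sshd "Failed password" lines and alerts on either a burst of failures or a spread across distinct users. The window, the thresholds, the hosts and the log lines are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in sshd's "Failed password" format (hosts and users are made up).
SAMPLE_LOG = [
    "Nov 12 10:00:01 host sshd[1201]: Failed password for alice from 203.0.113.7 port 51234 ssh2",
    "Nov 12 10:00:02 host sshd[1202]: Failed password for bob from 203.0.113.7 port 51235 ssh2",
    "Nov 12 10:00:02 host sshd[1203]: Failed password for invalid user carol from 203.0.113.7 port 51236 ssh2",
    "Nov 12 10:00:03 host sshd[1204]: Failed password for dave from 203.0.113.7 port 51237 ssh2",
    "Nov 12 10:00:05 host sshd[1205]: Failed password for alice from 198.51.100.4 port 40001 ssh2",
    "Nov 12 10:05:30 host sshd[1206]: Failed password for alice from 198.51.100.4 port 40002 ssh2",
    "Nov 12 10:05:31 host sshd[1207]: Accepted publickey for alice from 198.51.100.4 port 40003 ssh2",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line: str):
    """Return (timestamp, user, source_ip) for a failed-login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; that is fine for windowing within one file.
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["user"], m["ip"]


def detect_bruteforce(lines, window=timedelta(seconds=60), max_failures=4, max_users=3):
    """Per-source sliding window: alert when one source accumulates too many failures
    OR touches too many distinct accounts inside the window (the spray pattern)."""
    recent = defaultdict(deque)      # source ip -> deque of (timestamp, user)
    alerted, alerts = set(), []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, ip = parsed
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # expire entries older than the window
            q.popleft()
        users = {u for _, u in q}
        if ip not in alerted and (len(q) >= max_failures or len(users) >= max_users):
            alerted.add(ip)
            alerts.append({"ip": ip, "failures": len(q), "users": sorted(users), "at": ts})
    return alerts


def max_failures_per_user(lines) -> int:
    """Largest failure count for any single (source, account) pair: what a per-account
    threshold would see. For the sample this never exceeds 2, so it would stay silent."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            _, user, ip = parsed
            counts[(ip, user)] += 1
    return max(counts.values(), default=0)


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {alert['ip']}: {alert['failures']} failures across {alert['users']} at {alert['at'].time()}")
    print("max failures for any single account:", max_failures_per_user(SAMPLE_LOG))
```

On the sample, the source cycling through four accounts in three seconds is flagged on its third distinct user, while the legitimate user who mistyped a password twice five minutes apart is not; a rule keyed on account alone would have seen at most two failures anywhere and reported nothing.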

It’s been over a year since version 1.3 was released and there have been a bunch of changes. This release includes multiple bug fixes, several new modules and additional module functionality. A somewhat detailed report is available here.

You can download Medusa 1.4 here:


Or read more here.
