Archive | May, 2008

sqlninja 0.2.3 released – Advanced Automated SQL Injection Tool for MS-SQL

Outsmart Malicious Hackers


We’ve been folowing the development of sqlninja since the early days, it’s growing into a well matured and more polished tool with advanced features.

Sqlninja is a tool written in PERL to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote access on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

Features

  • Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, authentication mode)
  • Bruteforce of ‘sa’ password, both dictionary-based and incremental
  • Privilege escalation to ‘sa’ if its password has been found
  • Creation of a custom xp_cmdshell if the original one has been disabled
  • Upload of netcat.exe (or any other executable) using only 100% ASCII GET/POST requests, so no need for FTP connections
  • TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
  • Direct and reverse bindshell, both TCP and UDP
  • DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames
  • Evasion techniques, in order to obfuscate the injected code and confuse/bypass signature-based IPS and application firewalls

Fancy going from a SQL Injection to a full GUI access on the DB server? What about extracting password hashes on the fly? Take a few SQL Injection tricks, add a couple of remote shots in the registry to disable Data Execution Prevention, mix with a little Perl that automatically generates a debug script, put all this in a shaker with a Metasploit wrapper, shake well and you have the latest release of sqlninja! See it in action here.

What’s new in 0.2.3?

  • A Metasploit3 wrapper, which allows the user to use SQL Injection to execute Metasploit payloads on the remote DB server
  • Several other minor improvements

You can download sqlninja 0.2.3 here:

sqlninja-0.2.3.tgz

Or read more here.

Posted in: Database Hacking, Hacking Tools, Web Hacking

Topic: Database Hacking, Hacking Tools, Web Hacking


Latest Posts:


OSSIM Download - Open Source SIEM Tools & Software OSSIM Download – Open Source SIEM Tools & Software
OSSIM is a popular Open Source SIEM or Security Information and Event Management (SIEM) product, providing event collection, normalization and correlation.
What You Need To Know About KRACK WPA2 Wi-Fi Attack What You Need To Know About KRACK WPA2 Wi-Fi Attack
The Internet has been blowing up in the past week about the KRACK WPA2 attack that is extremely widespread and is a flaw in the Wi-Fi standard itself.
Spaghetti Download - Web Application Security Scanner Spaghetti Download – Web Application Security Scanner
Spaghetti is an Open-source Web Application Security Scanner, it is designed to find various default and insecure files, configurations etc.
Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.
VHostScan - Virtual Host Scanner With Alias & Catch-All Detection VHostScan – Virtual Host Scanner With Alias & Catch-All Detection
VHostScan is a Python-based virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.


TJX Employee Fired for Trying to Fix Things

Outsmart Malicious Hackers


Ah TJX in the news again….after previously having the Largest Breach of Customer Data in U.S. History, now they are screwing people over that try to help them and their seemingly ridiculous information security policies.

Hello blank passwords? Sounds crazy but I believe it happens, at more places than just TJX. It’s sad that someone who actually wants to help and bring up the issues of shoddy security practise ends up with the raw end of the deal. That also doesn’t surprise me though, sometimes it just pays to keep quiet and let them get owned again.

TJX Companies, the mammoth US retailer whose substandard security led to the world’s biggest credit card heist, has fired an employee after he left posts in an online forum that made disturbing claims about security practices at the store where he worked.

Security was so lax at the TJ Maxx outlet located in Lawrence, Kansas, that employees were able to log onto company servers using blank passwords, the fired employee, Nick Benson, told The Register. This policy was in effect as recently as May 8, more than 18 months after company officials learned a massive network breach had leaked the details of more than 94 million customer credit cards. Benson said he was fired on Wednesday after managers said he disclosed confidential company information online.

It’s pretty shocking after the huge data loss that they suffered how they can have such lax policies, changing reasonable passwords to blank ones? Hello ownage, here’s my network! Yeah he did disclose important company information…he disclosed to the world that you are a bunch of dickwads.

Incompetent ones at that. Some may berate his actions, but still it didn’t seem he was getting anywhere inside the company.

Other security issues included a store server that was running in administrator mode, making it far more susceptible to attackers. He said he brought the security issues to the attention of a district loss prevention manager name Allen in late 2006, and repeatedly discussed them with store managers. Except for a stretch when IT managers temporarily tightened password policies, the problems went unfixed.

Benson’s May 8 posting was prompted by news that managers had changed the password for employees to access the store server. Inexplicably, it was set to blank. When Benson first began working for TJX, his password was the same as his user name, he said. Then came word in January 2007 that unknown hackers had brazenly intruded on the company’s network over a 17-month period. For a time following the disclosure, TJX employees were required to use relatively strong passwords. The change to a blank password clearly represented a step backward, Benson thought.

The posts eventually caught up to Benson. On Wednesday, while marking down items on the TJ Maxx retail floor, he was summoned to the store office. Inside, a regional loss prevention manager told him his critiques had come to the attention of the company hired to monitor internet postings about the retailing giant. The manager told Benson he was being fired for disclosing confidential company information.

Password the same as username? That’s not much more secure…but blank passwords, that’s the worst of all. Oh well it looks like a good reason only to use cash if you are going to shop at any TJX stores!

Well I’d imagine this might be prevalent at most stores…so perhaps a good reason to use cash everywhere. Other than the fact I don’t like people tracking my purchases in some huge consumer database anyway…

Source: The Register

Posted in: Legal Issues, Privacy

Topic: Legal Issues, Privacy


Latest Posts:


OSSIM Download - Open Source SIEM Tools & Software OSSIM Download – Open Source SIEM Tools & Software
OSSIM is a popular Open Source SIEM or Security Information and Event Management (SIEM) product, providing event collection, normalization and correlation.
What You Need To Know About KRACK WPA2 Wi-Fi Attack What You Need To Know About KRACK WPA2 Wi-Fi Attack
The Internet has been blowing up in the past week about the KRACK WPA2 attack that is extremely widespread and is a flaw in the Wi-Fi standard itself.
Spaghetti Download - Web Application Security Scanner Spaghetti Download – Web Application Security Scanner
Spaghetti is an Open-source Web Application Security Scanner, it is designed to find various default and insecure files, configurations etc.
Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.
VHostScan - Virtual Host Scanner With Alias & Catch-All Detection VHostScan – Virtual Host Scanner With Alias & Catch-All Detection
VHostScan is a Python-based virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.


fgdump 2.1.0 and pwdump 1.7.1 Released – Dump LanMan & NTLM Hashes

Keep on Guard!


The major change is both tools now support 64-bit targets! Good news for us.

pwdump6 is a password hash dumper for Windows 2000 and later systems. It is capable of dumping LanMan and NTLM hashes as well as password hash histories. It is based on pwdump3e, and should be stable on XP SP2 and 2K3. If you have had LSASS crash on you using older tools, this should fix that.

fgdump is a more powerful version of pwdump6. pwdump tends to hang and such when antivirus is present, so fgdump takes care of that by shutting down and later restarting a number of AV programs. It also can dump cached credentials and protected storage items, and can be run in a multithreaded fashion very easily.

I strongly recommend using fgdump over pwdump6, especially given that fgdump uses pwdump6 under the hood! You’ll get everything pwdump6 gives you and a lot more.

fgdump now has:

  • Better 32/64 bit detection. This is not as easy as it sounds, at least not remotely! If someone has a sure-fire way for 100% reliably detecting the target OS, please let me know. In the mean time, if fgdump is unsure, it will report it and default to 32-bit.
  • The -O [32|64] flag will manually override the target OS architecture. So, for example if fgdump is reporting a host as 32-bit and you KNOW it is 64-bit, you can use -O 64 (or vice-versa, of course). Note that this flag will apply to ALL hosts you are dumping! You might want to single out any hosts you need to override.

So if you’re still using pwdump…DON’T! Use fgdump.

Get pwdump here

Get fgdump here

You can read more here and here.

Posted in: Hacking Tools, Password Cracking, Windows Hacking

Topic: Hacking Tools, Password Cracking, Windows Hacking


Latest Posts:


OSSIM Download - Open Source SIEM Tools & Software OSSIM Download – Open Source SIEM Tools & Software
OSSIM is a popular Open Source SIEM or Security Information and Event Management (SIEM) product, providing event collection, normalization and correlation.
What You Need To Know About KRACK WPA2 Wi-Fi Attack What You Need To Know About KRACK WPA2 Wi-Fi Attack
The Internet has been blowing up in the past week about the KRACK WPA2 attack that is extremely widespread and is a flaw in the Wi-Fi standard itself.
Spaghetti Download - Web Application Security Scanner Spaghetti Download – Web Application Security Scanner
Spaghetti is an Open-source Web Application Security Scanner, it is designed to find various default and insecure files, configurations etc.
Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.
VHostScan - Virtual Host Scanner With Alias & Catch-All Detection VHostScan – Virtual Host Scanner With Alias & Catch-All Detection
VHostScan is a Python-based virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.


UK to Become Even More Draconian with Privacy Laws

Outsmart Malicious Hackers


Oh dear, UK going backwards again. A bad case of Big Brother syndrome and once again under the blanket excuse of efforts against terrorism.

Please! That’s so old and tired now, do governments seriously think they can keep infringing people’s privacy and rights under the same old guise? Strike terror into the public by continually telling them they are under threat from terrorists? I guess they do…watch out folks of the UK because they will be watching you.

A massive government database holding details of every phone call, e-mail and time spent on the internet by the public is being planned as part of the fight against crime and terrorism. Internet service providers (ISPs) and telecoms companies would hand over the records to the Home Office under plans put forward by officials.

The information would be held for at least 12 months and the police and security services would be able to access it if given permission from the courts

The proposal will raise further alarm about a “Big Brother” society, as it follows plans for vast databases for the ID cards scheme and NHS patients. There will also be concern about the ability of the Government to manage a system holding billions of records. About 57 billion text messages were sent in Britain last year, while an estimated 3 billion e-mails are sent every day.

Held for 12 months? Soon to be linked to your ID card and NHS records? To your tax number, driving licence, home address, cellphone number, e-mail address and your ICQ number? I guess…they will be monitoring everything, every SMS and every e-mail.

Worried yet?

The proposal has emerged as part of plans to implement an EU directive developed after the July 7 bombings to bring uniformity of record-keeping. Since last October telecoms companies have been required to keep records of phone calls and text messages for 12 months. That requirement is to be extended to internet, e-mail and voice-over-internet use and included in a Communications Data Bill.

Police and the security services can access the records with a warrant issued by the courts. Rather than individual companies holding the information, Home Office officials are suggesting the records be handed over to the Government and stored on a huge database.

One of the arguments being put forward in favour of the plan is that it would make it simpler and swifter for law enforcement agencies to retrieve the information instead of having to approach hundreds of service providers. Opponents say that the scope for abuse will be greater if the records are held on one database.

It would be easier to get information for the police during an investigation, but does that make it right? Isn’t that the job of the police to co-ordinate with the various ISPs and companies involved to get the records they need to track someone down?

Sometimes I wonder what they are thinking, or if they are really thinking at all.

Source: Times Online

Posted in: Legal Issues, Privacy

Topic: Legal Issues, Privacy


Latest Posts:


OSSIM Download - Open Source SIEM Tools & Software OSSIM Download – Open Source SIEM Tools & Software
OSSIM is a popular Open Source SIEM or Security Information and Event Management (SIEM) product, providing event collection, normalization and correlation.
What You Need To Know About KRACK WPA2 Wi-Fi Attack What You Need To Know About KRACK WPA2 Wi-Fi Attack
The Internet has been blowing up in the past week about the KRACK WPA2 attack that is extremely widespread and is a flaw in the Wi-Fi standard itself.
Spaghetti Download - Web Application Security Scanner Spaghetti Download – Web Application Security Scanner
Spaghetti is an Open-source Web Application Security Scanner, it is designed to find various default and insecure files, configurations etc.
Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.
VHostScan - Virtual Host Scanner With Alias & Catch-All Detection VHostScan – Virtual Host Scanner With Alias & Catch-All Detection
VHostScan is a Python-based virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.


thc-Amap – Application Protocol Detection & Fingerprinting

Keep on Guard!


thc-Amap (Application MAPper) is another excellent tool more towards banner grabbing and protocol detection than OS-fingerprinting. But from the services running on a machine you can get a good idea of the OS and the purpose of the server.

Amap is a next-generation scanning tool for pentesters. It attempts to identify applications even if they are running on a different port than normal. It also identifies non-ascii based applications. This is achieved by sending trigger packets, and looking up the responses in a list of response strings.

Without filled databases containing triggers and responses, the tool is worthless, the authors would like you to help fill the database. How to do this? Well, whenever a client application connects to a server, some kind of handshake is exchanged (at least, usually. Syslogd for instance won’t say nothing, and snmpd without the right community string neither). Anyway, Amap takes the first packet sent back and compares it to a list of signature responses. Really simple, actually. And in reality, it turns out really to be that simple, at least, for most protocols.

Send the initial packets (sent and received) in tcpdump format for all wacko, proprietary and obscure applications. Send them to: amap-dev@thc.org. Please include application name and version.

Currently there are two tools for this purpose: Amap, and nmap – Both have their strength and weaknesses, as they deploy different techniques. We recommend to use both tools for reliabe identification.

The newer versions of nmap also have a banner grabbing feature.

You can download Amap here:

The source code of Amap: amap-5.2.tar.gz

The Win32/Cywin binary release: amap-5.2-win.zip

Or read more here.

Posted in: Hacking Tools, Networking Hacking

Topic: Hacking Tools, Networking Hacking


Latest Posts:


OSSIM Download - Open Source SIEM Tools & Software OSSIM Download – Open Source SIEM Tools & Software
OSSIM is a popular Open Source SIEM or Security Information and Event Management (SIEM) product, providing event collection, normalization and correlation.
What You Need To Know About KRACK WPA2 Wi-Fi Attack What You Need To Know About KRACK WPA2 Wi-Fi Attack
The Internet has been blowing up in the past week about the KRACK WPA2 attack that is extremely widespread and is a flaw in the Wi-Fi standard itself.
Spaghetti Download - Web Application Security Scanner Spaghetti Download – Web Application Security Scanner
Spaghetti is an Open-source Web Application Security Scanner, it is designed to find various default and insecure files, configurations etc.
Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.
VHostScan - Virtual Host Scanner With Alias & Catch-All Detection VHostScan – Virtual Host Scanner With Alias & Catch-All Detection
VHostScan is a Python-based virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.


Spammers Target Social Networking Sites

Outsmart Malicious Hackers


It makes sense, spammers will follow whatever is popular, wherever the social mass is at and reading they will bombard.

In the earlier days Myspace was a big target, now they are moving on to other sites such as Facebook. Social networking sites are an ideal place for spammers as they can exploit the trust between ‘friends’ in the system to deliver more compelling messages.

I personally haven’t seen any spam on Facebook yet, but I’m outside of the US, rather selective about my friends, networks and the information I publish there.

Social networking sites have become the new front in the war against spam, according to security watchers.

In the six months leading up to March 2008, social networking sites saw a four-fold growth in the amount of spam on their network. At several major social networking sites, 30 per cent of new accounts created are automated fraudulent ‘zombie’ accounts, designed to be used for spam and other malicious attacks, according to anti-spam firm Cloudmark.

JF Sullivan, VP of marketing at Cloudmark, said the type of spam advertised through social networks is the same type as that advertised by email spam and punted by much the same people. “There’s an implicit trust in social networking. People don’t think they’re going to be attacked with spam,” Sullivan told El Reg. “People don’t trust email anymore. Spammers are following peoples’ online habits.”

It’s scary though that 30% of new accounts are created for spam purposes, that’s a huge number! I imagine it’s a fairly simple process to search for accounts with a generated list of names and just ass them all as friends…then spam them with invites to few phishing sites.

Sometimes flaws in the sites can be used to generate messages that appear to be from people’s other friends.

Social networking spam can be messages between users or posts to walls or other similar applications. Social network spammers most often hijack accounts using fake log-in pages. Phishing-like tactics, password guessing and the use of Trojans to capture keystrokes are also in play.

Junk messages, rigged to appear as though they came from their friends, are more likely to be acted on by recipients on social networking sites compared to the same messages received by email. Social network spammers try to recruit friends by posting profile pictures that depict them as attractive young women. By recruiting people into their groups or networks it’s easier for spammers to subsequently send them spam.

All the major social networks have a problem with spam, according to Sullivan, with volumes of spam ranging from 15 to 30 per cent.

So watch your wall, it might be getting spammed soon. It’s true too that the demographic of most social networking sites is quite low on a technological level so it’s very likely that it would be easy to socially engineer them into clicking something.

Certainly something to watch out for, especially on how they are going to counter it. It’s gets boring to say it…but educating the users is the solution – not more technological strangleholds.

Source: The Register

Posted in: Social Engineering, Spammers & Scammers, Web Hacking

Topic: Social Engineering, Spammers & Scammers, Web Hacking


Latest Posts:


OSSIM Download - Open Source SIEM Tools & Software OSSIM Download – Open Source SIEM Tools & Software
OSSIM is a popular Open Source SIEM or Security Information and Event Management (SIEM) product, providing event collection, normalization and correlation.
What You Need To Know About KRACK WPA2 Wi-Fi Attack What You Need To Know About KRACK WPA2 Wi-Fi Attack
The Internet has been blowing up in the past week about the KRACK WPA2 attack that is extremely widespread and is a flaw in the Wi-Fi standard itself.
Spaghetti Download - Web Application Security Scanner Spaghetti Download – Web Application Security Scanner
Spaghetti is an Open-source Web Application Security Scanner, it is designed to find various default and insecure files, configurations etc.
Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.
VHostScan - Virtual Host Scanner With Alias & Catch-All Detection VHostScan – Virtual Host Scanner With Alias & Catch-All Detection
VHostScan is a Python-based virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.