Archive | August, 2009

Twitter Being Used As Botnet Command Channel

Outsmart Malicious Hackers


Ah Twitter in the news again, the bad guys sure do keep up with new trends. After being taken offline for a while by a Joejob DDoS attack Twitter is in the news again – this time it’s being used as the command channel for a Botnet.

The normal method for controlling Botnets is via an IRC channel, usually a private keyed channel on some obscure network. A lot of people used to use EFnet due to it’s lack of network services, but nowdays there are so many networks to choose from people can keep out of the limelight.

Sometimes even using a private IRCd setup on a hacked server or via Dynamic DNS on a home server.

For the past couple weeks, Twitter has come under attacks that besieged it with more traffic than it could handle. Now comes evidence that the microblogging website is being used to feed the very types of infected machines that took it out of commission.

That’s the conclusion of Jose Nazario, the manager of security research at Arbor Networks. On Thursday, he stumbled upon a Twitter account that was being used as part of an improvised update server for computers that are part of a botnet.

The account, which Twitter promptly suspended, issued tweets containing a single line of text that looked indecipherable to the naked eye. Using what’s known as a base64 decoder, however, the dispatches pointed to links where infected computers could receive malware updates.

Ok so one such channel was discovered, how many more accounts are there on Twitter being used for nefarious purposes?

Very hard for anyone to track them down, especially if they don’t use standard syntax across all the accounts.

I’m sure Twitter will be thinking up some way to auto-discover these accounts.

Master command channels used to herd large numbers of infected machines have long been one of the weak links in the botnet trade. Not only do they cost money to maintain, but they can provide tell-tale clues that help law enforcement agents to track down the miscreants running the rogue networks. Bot herders have used ICQ, internet relay chat, and other chat mediums to get around this limitation, but this appears to be the first time Twitter is known to have been employed.

Nazario said he’s found at least two other Twitter accounts he suspects were being used in the same fashion, but needs to do additional analysis before he can be sure. The bots using the Twitter account connected using RSS feeds, a technique that allowed them to receive each tweet in real time without the need of an account. It was unclear how many bots connected to the account.

Up to now, the bot designers have done a good job keeping their enterprise under wraps. The original bot software is detected by just 46 percent of the major anti-virus tools, according to this VirusTotal analysis. The updates, which appear to be affiliated with the Buzus trojan, are even stealthier, with only 22 percent of AV engines detecting it.

The example discovered uses base64 encoding, so perhaps they can track down accounts with base64 strings in their feed.

You can read more on the Arbor Networks blog here:

Twitter-based Botnet Command Channel

Source: The Register

Posted in: Malware, Networking Hacking

Topic: Malware, Networking Hacking


Latest Posts:


OSSIM Download - Open Source SIEM Tools & Software OSSIM Download – Open Source SIEM Tools & Software
OSSIM is a popular Open Source SIEM or Security Information and Event Management (SIEM) product, providing event collection, normalization and correlation.
What You Need To Know About KRACK WPA2 Wi-Fi Attack What You Need To Know About KRACK WPA2 Wi-Fi Attack
The Internet has been blowing up in the past week about the KRACK WPA2 attack that is extremely widespread and is a flaw in the Wi-Fi standard itself.
Spaghetti Download - Web Application Security Scanner Spaghetti Download – Web Application Security Scanner
Spaghetti is an Open-source Web Application Security Scanner, it is designed to find various default and insecure files, configurations etc.
Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.
VHostScan - Virtual Host Scanner With Alias & Catch-All Detection VHostScan – Virtual Host Scanner With Alias & Catch-All Detection
VHostScan is a Python-based virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.


sslsniff v0.6 Released – SSL MITM Tool

Outsmart Malicious Hackers


This tool was originally written to demonstrate and exploit IE’s vulnerability to a specific “basicConstraints” man-in-the-middle attack. While Microsoft has since fixed the vulnerability that allowed leaf certificates to act as signing certificates, this tool is still occasionally useful for other purposes.

It is designed to MITM all SSL connections on a LAN and dynamically generates certs for the domains that are being accessed on the fly. The new certificates are constructed in a certificate chain that is signed by any certificate that you provide.

New In Version 0.6

Version 0.6 has been significantly updated to additionally support the null-prefix attacks that was demonstrated at BlackHat 09 and Defcon 17. These allow for completely silent MITM attacks against SSL/TLS in the NSS, Microsoft CryptoAPI, and GnuTLS stacks — ultimately allowing for SSL communication in Firefox, Internet Explorer, Chrome, Thunderbird, Outlook, Evolution, Pidgin, AIM, irssi, and every other client that uses the Microsoft CryptoAPI to be intercepted.


sslsniff has also been updated to support the OCSP attacks that was published at Blackhat 09 and Defcon 17, thus making the revocation of null-prefix certificates very difficult. Additionally, sslsniff now supports modes for hijacking auto-updates from Mozilla products, as well as for Firefox/Thunderbird addons. Attackers can specify payloads of their choice, which will be delivered to the targets being man-in-the-middled.

sslsniff is useful for deploying other vulnerabilities as well. This is the tool that the people who pulled the recent MD5 hash collision publicity stunt used to demonstrate MITM attacks with their rogue CA-certificate. Also, anyone who is capable of obtaining a forged certificate by any means can easily deploy it through sslsniff with the targeted mode designed for null-prefix attacks.

You can download sslsniff v0.6 here:

sslsniff-0.6.tar.gz

Or read more here.

Posted in: Forensics, Hacking Tools, Networking Hacking

Topic: Forensics, Hacking Tools, Networking Hacking


Latest Posts:


OSSIM Download - Open Source SIEM Tools & Software OSSIM Download – Open Source SIEM Tools & Software
OSSIM is a popular Open Source SIEM or Security Information and Event Management (SIEM) product, providing event collection, normalization and correlation.
What You Need To Know About KRACK WPA2 Wi-Fi Attack What You Need To Know About KRACK WPA2 Wi-Fi Attack
The Internet has been blowing up in the past week about the KRACK WPA2 attack that is extremely widespread and is a flaw in the Wi-Fi standard itself.
Spaghetti Download - Web Application Security Scanner Spaghetti Download – Web Application Security Scanner
Spaghetti is an Open-source Web Application Security Scanner, it is designed to find various default and insecure files, configurations etc.
Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.
VHostScan - Virtual Host Scanner With Alias & Catch-All Detection VHostScan – Virtual Host Scanner With Alias & Catch-All Detection
VHostScan is a Python-based virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.


WordPress 2.8.3 Admin Reset Exploit

Outsmart Malicious Hackers


Ah it’s WordPress again, sometimes I wonder how many holes there are in WordPress. I guess a dedicated attacker could find some serious ones with the complexity of the code base.

It’s suspected some of the recent high profile breaches have come from WordPress exploits.

The latest one to become public is a simple but effective flaw, it doesn’t enable take-over but it does allow a prankster to lock an admin out of their blog by resetting the password.

Developers of the widely used WordPress blogging software have released an update that fixes a vulnerability that let attackers take over accounts by resetting the administrator password.

The bug in version 2.8.3 is trivial to exploit remotely using nothing more than a web browser and a specially manipulated link. Typically, requests to reset a password are handled using a registered email address. Using the special URL, the old password is removed and a new one generated in its place with no confirmation required, according to this alert published on the Full-Disclosure mailing list.

The flaw lurks in some of the PHP code that fails to properly scrutinize user input when the password reset feature is invoked. Exploiting it is as easy is directing a web browser to a link that looks something like:

I actually saw the alert as it was published on Full-Disclosure, obviously anything to do with WordPress catches my attention.

The exploit can be executed by running the following code on a WordPress 2.8.3 blog:

Simple but effective.


According to WordPress documentation here, the bug has been fixed by changing a single line of code so the program checks to make sure the input supplied for the new password isn’t an array. If it is, the user gets an error message and must try again.

That would appear to be the end of it, but security researchers Rafal Los and Mike Bailey wonder aloud here whether it would have made more sense to check instead whether the input is a string.

“Hasty coding?” he asks. “Why take the blacklist vs. whitelist approach?”

The bigger point he and other observers seem to make is that PHP is the coding equivalent of an everyman’s jet pack. It allows him to quickly soar into the sky with a minimal amount of training but doesn’t necessarily provide the means to check for buildings, planes or other hazards that may greet the user once he gets there.

WordPress 2.8.4 has already been released so if you’re running WordPress do update ASAP to ensure you are safe from this bug.

With the core updates now available on auto-update there’s no excuse for not updating (no more download, extract, upload via FTP).

Of course with its history, this doesn’t mean you are safe from any of the other exploits that haven’t been made public.

Source: The Register

Posted in: Exploits/Vulnerabilities, Web Hacking

Topic: Exploits/Vulnerabilities, Web Hacking


Latest Posts:


OSSIM Download - Open Source SIEM Tools & Software OSSIM Download – Open Source SIEM Tools & Software
OSSIM is a popular Open Source SIEM or Security Information and Event Management (SIEM) product, providing event collection, normalization and correlation.
What You Need To Know About KRACK WPA2 Wi-Fi Attack What You Need To Know About KRACK WPA2 Wi-Fi Attack
The Internet has been blowing up in the past week about the KRACK WPA2 attack that is extremely widespread and is a flaw in the Wi-Fi standard itself.
Spaghetti Download - Web Application Security Scanner Spaghetti Download – Web Application Security Scanner
Spaghetti is an Open-source Web Application Security Scanner, it is designed to find various default and insecure files, configurations etc.
Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.
VHostScan - Virtual Host Scanner With Alias & Catch-All Detection VHostScan – Virtual Host Scanner With Alias & Catch-All Detection
VHostScan is a Python-based virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.


Xplico – Network Forensic Analysis Tool

Outsmart Malicious Hackers


The goal of Xplico is extract from an internet traffic capture the applications data contained. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. Xplico isn’t a network protocol analyzer. Xplico is an open source Network Forensic Analysis Tool (NFAT). Xplico is released under the GNU General Public License (see License for more details).

Xplico Features

  • Protocols supported: HTTP, SIP, IMAP, POP, SMTP, TCP, UDP, IPv6, …;
  • Port Independent Protocol Identification (PIPI) for each application protocol;
  • Multithreading;
  • Output data and information in SQLite database or Mysql database and/or files;
  • At each data reassembled by Xplico is associated a XML file that uniquely identifies the flows and the pcap containing the data reassembled;
  • Realtime elaboration (depends on the number of flows, the types of protocols and by the performance of computer -RAM, CPU, HD access time, …-);
  • TCP reassembly with ACK verification for any packet or soft ACK verification;
  • Reverse DNS lookup from DNS packages contained in the inputs files (pcap), not from external DNS server;
  • No size limit on data entry or the number of files entrance (the only limit is HD size);
  • IPv4 and IPv6 support
  • Modularity. Each Xplico component is modular. The input interface, the protocol decoder (Dissector) and the output interface (dispatcer) are all modules
  • The ability to easily create any kind of dispatcer with which to organize the data extracted in the most appropriate and useful to you

You can download Xplico 0.5.2 here:

xplico-0.5.2.tgz

Or read more here.

Posted in: Forensics, Hacking Tools, Networking Hacking

Topic: Forensics, Hacking Tools, Networking Hacking


Latest Posts:


OSSIM Download - Open Source SIEM Tools & Software OSSIM Download – Open Source SIEM Tools & Software
OSSIM is a popular Open Source SIEM or Security Information and Event Management (SIEM) product, providing event collection, normalization and correlation.
What You Need To Know About KRACK WPA2 Wi-Fi Attack What You Need To Know About KRACK WPA2 Wi-Fi Attack
The Internet has been blowing up in the past week about the KRACK WPA2 attack that is extremely widespread and is a flaw in the Wi-Fi standard itself.
Spaghetti Download - Web Application Security Scanner Spaghetti Download – Web Application Security Scanner
Spaghetti is an Open-source Web Application Security Scanner, it is designed to find various default and insecure files, configurations etc.
Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.
VHostScan - Virtual Host Scanner With Alias & Catch-All Detection VHostScan – Virtual Host Scanner With Alias & Catch-All Detection
VHostScan is a Python-based virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.


Twitter & Facebook Taken Offline By DDoS Attacks

Keep on Guard!


Both Facebook and Twitter were hit with pretty severe DDoS attacks rendering them useless and unavailable to the majority of users.

The thing is it seems like it wasn’t a traditional network based botnet style DDoS attack, but a ‘joejob‘ attack where spam is sent out containing a link and the users clicking on the link contribute to the site becoming overwhelmed with requests.

The DoS attack has been confirmed on the Twitter Status page here – Ongoing denial-of-service attack.

The attack theory comes from Bill Woodcock, as reported by The Register.

Users looking to update their Twitter feeds or Facebook pages were likely disappointed Thursday morning, as a denial-of-service attack made both services hard to reach.

Around 9 a.m. Eastern Time, the number of responses from micro-blogging service Twitter fell precipitously, reaching a bandwidth of 60 Mbps by 10:40 a.m. ET, according to Arbor Networks, a networking services firm. Twitter had reached nearly 200 Mbps prior to the drop.

The service continued to be impacted Thursday afternoon, reaching a peak of 150 Mbps, about half of its normal peak for that time of day, according to Arbor.

It seems to be a politically motivated attack aimed at a certain anti-Russian blogger known as Cyxymu.

It targeted all web properties where had profiles, the main ones of course being Facebook and Twitter but also included Livejournal (where he hosts his blog) and his Youtube account.

It’s a simple but seemingly very successful method of attack, shown by the fact that it took out a couple of major sites which already manage large amounts of traffic.

Users also complained of issues accessing Facebook. The service confirmed midday on Thursday that, it too, had suffered a denial-of-service attack.

“You may have had trouble accessing Facebook earlier today because of network issues related to an apparent distributed denial-of-service attack,” the social network stated on its own Facebook page. “We have restored full access for most people. We’ll keep monitoring the situation to make sure you have the reliable experience you expect from us.”

You might have noticed a lot of failed requests if you use Facebook (JavaScript timeout errors and network pipe errors).

Facebook fell because of the same targetted attack on Cyxymu, they acknowledged such on their Facebook page.

Source: Security Focus

Posted in: Hacking News

Topic: Hacking News


Latest Posts:


OSSIM Download - Open Source SIEM Tools & Software OSSIM Download – Open Source SIEM Tools & Software
OSSIM is a popular Open Source SIEM or Security Information and Event Management (SIEM) product, providing event collection, normalization and correlation.
What You Need To Know About KRACK WPA2 Wi-Fi Attack What You Need To Know About KRACK WPA2 Wi-Fi Attack
The Internet has been blowing up in the past week about the KRACK WPA2 attack that is extremely widespread and is a flaw in the Wi-Fi standard itself.
Spaghetti Download - Web Application Security Scanner Spaghetti Download – Web Application Security Scanner
Spaghetti is an Open-source Web Application Security Scanner, it is designed to find various default and insecure files, configurations etc.
Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.
VHostScan - Virtual Host Scanner With Alias & Catch-All Detection VHostScan – Virtual Host Scanner With Alias & Catch-All Detection
VHostScan is a Python-based virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.


FakeIKEd – Fake IKE Daemon Tool For MITM

Keep on Guard!


FakeIKEd, or fiked for short, is a fake IKE daemon supporting just enough of the standards and Cisco extensions to attack commonly found insecure Cisco PSK+XAUTH VPN setups in what could be described as a semi MitM attack. Fiked can impersonate a VPN gateway’s IKE responder in order to capture XAUTH login credentials; it doesn’t currently do the client part of full MitM.

Fiked is partially based on vpnc and uses libgcrypt and optionally libnet.

Fiked supports IKEv1 in aggressive mode, using pre-shared keys and XAUTH. Supported algorithms are DES, 3DES, AES-128, AES-192, AES-256; MD5, SHA1; and DH groups 1, 2 and 5. IKE main mode is not supported.

The Attack

Basically, if you know the pre-shared key, also known as shared secret or group password, you can play Man in the Middle, impersonate the VPN gateway in IKE phase 1, and learn XAUTH user credentials in phase 2.

This attack is not new. It has been known for a long time that IKE using PSK with XAUTH is insecure, and this is not the first actual implementation of the attack.

To successfully demonstrate an attack on a VPN site, you need to know the shared secret, and you must be able to intercept the IKE traffic between the clients and the VPN gateway.


There are several ways to find out the shared secret, including being a legitimate user, grabbing it from some Cisco config file, using ike-crack, or layer 8 hackery.

There are also several ways to redirect the IKE traffic to your running fiked instance, including ARP spoofing, 802.11 hostap, or layer 1 hackery.

Usage

See the README file and fiked(1) manpage for more details.

Fiked builds and runs on FreeBSD, OpenBSD and Linux, and probably other BSD variants too. MacOS X is reported not to work.

You can download FakeIKEd here:

fiked-0.0.5.tar.bz2

Or read more here.

Posted in: Hacking Tools, Networking Hacking

Topic: Hacking Tools, Networking Hacking


Latest Posts:


OSSIM Download - Open Source SIEM Tools & Software OSSIM Download – Open Source SIEM Tools & Software
OSSIM is a popular Open Source SIEM or Security Information and Event Management (SIEM) product, providing event collection, normalization and correlation.
What You Need To Know About KRACK WPA2 Wi-Fi Attack What You Need To Know About KRACK WPA2 Wi-Fi Attack
The Internet has been blowing up in the past week about the KRACK WPA2 attack that is extremely widespread and is a flaw in the Wi-Fi standard itself.
Spaghetti Download - Web Application Security Scanner Spaghetti Download – Web Application Security Scanner
Spaghetti is an Open-source Web Application Security Scanner, it is designed to find various default and insecure files, configurations etc.
Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.
VHostScan - Virtual Host Scanner With Alias & Catch-All Detection VHostScan – Virtual Host Scanner With Alias & Catch-All Detection
VHostScan is a Python-based virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.