Archive | May, 2010

Metasploit 3.4.0 Hacking Framework Released – Over 100 New Exploits Added

Keep on Guard!


Metasploit provides useful information and tools for penetration testers, security researchers, and IDS signature developers. This project was created to provide information on exploit techniques and to create a functional knowledgebase for exploit developers and security professionals. The tools and information on this site are provided for legal security research and testing purposes only.

Update Summary

  • Metasploit now has 551 exploit modules and 261 auxiliary modules (from 445 and 216 respectively in v3.3)
  • Metasploit is still about twice the size of the nearest Ruby application according to Ohloh.net (400K lines of Ruby)
  • Over 100 tickets were closed since the last point release and over 200 since v3.3

After five months of development, version 3.4.0 of the Metasploit Framework has been released. Since the last major release (Metasploit 3.3) over 100 new exploits have been added and over 200 bugs have been fixed.

This release includes massive improvements to the Meterpreter payload; both in terms of stability and features, thanks in large part to Stephen Fewer of Harmony Security. The Meterpreter payload can now capture screenshots without migrating, including the ability to bypass Session 0 Isolation on newer Windows operating systems. This release now supports the ability to migrate back and forth between 32-bit and 64-bit processes on a compromised Windows 64-bit operating system. The Meterpreter protocol now supports inline compression using zlib, resulting in faster transfers of large data blocks. A new command, “getsystem”, uses several techniques to gain system access from a low-privileged or administrator-level session, including the exploitation of Tavis Ormandy’s KiTrap0D vulnerability. Brett Blackham contributed a patch to compress screenshots on the server side in JPG format, reducing the overhead of the screen capture command. The pivoting backend of Meterpreter now supports bi-directional UDP and TCP relays, a big upgrade from the outgoing-only TCP pivoting capabilities of version 3.3.3.

This is the first version of Metasploit to have strong support for bruteforcing network protocols and gaining access with cracked credentials. A new mixin has been created that standardizes the options available to each of the brute force modules. This release includes support for brute forcing accounts over SSH, Telnet, MySQL, Postgres, SMB, DB2, and more, thanks to Tod Bearsdley and contributions from Thomas Ring.

Metasploit now has support for generating malicious JSP and WAR files along with exploits for Tomcat and JBoss that use these to gain remote access to misconfigured installations. A new mixin was creating compiling and signing Java applets on fly, courtesy of Nathan Keltner. Thanks to some excellent work by bannedit and Joshua Drake, command injection of a cmd.exe shell on Windows can be staged into a full Meterpreter shell using the new “sessions -u” syntax.

Full Metasploit 3.4.0 Release Notes

You can download Metasploit 3.4.0 here:

Windows – framework-3.4.0.exe
Linux – framework-3.4.0-linux-i686.run

Or read more here.

Learn about Exploits/Vulnerabilities



Posted in: Exploits/Vulnerabilities, Hacking Tools, Linux Hacking, Windows Hacking

Topic: Exploits/Vulnerabilities, Hacking Tools, Linux Hacking, Windows Hacking

Latest Posts:


CCleaner Hack - Spreading Malware To Specific Tech Companies CCleaner Hack – Spreading Malware To Specific Tech Companies
The CCleaner Hack is blowing up, initially estimated to be huge, it's hit at least 700k computers & is specifically targeting 20 top tech organisations.
AWSBucketDump - AWS S3 Security Scanning Tool AWSBucketDump – AWS S3 Security Scanning Tool
AWSBucketDump is an AWS S3 Security Scanning Tool, which allows you to quickly enumerate AWS S3 buckets to look for interesting or confidential files.
nbtscan Download - NetBIOS Scanner For Windows & Linux nbtscan Download – NetBIOS Scanner For Windows & Linux
nbtscan is a command-line NetBIOS scanner for Windows that is SUPER fast, it scans for open NetBIOS nameservers on a local or remote TCP/IP network.
Equifax Data Breach - Hack Due To Missed Apache Patch Equifax Data Breach – Hack Due To Missed Apache Patch
The Equifax data breach is pretty huge with 143 million records leaked from the hack in the US alone with unknown more in Canada and the UK.
Seth - RDP Man In The Middle Attack Tool Seth – RDP Man In The Middle Attack Tool
Seth is an RDP Man In The Middle attack tool written in Python to MiTM RDP connections by attempting to downgrade the connection to extract clear text creds
dcrawl - Web Crawler For Unique Domains dcrawl – Web Crawler For Unique Domains
dcrawl is a simple, but smart, multithreaded web crawler for randomly gathering huge lists of unique domain names. It will branch out indefinitely.


Cloud Security – The Next Big Thing? Fortify Readiness Scorecard

Keep on Guard!


With the paradigm shifting, especially for high traffic or high availability web applications, towards cloud computing – will Cloud Security become the next big thing?

We’ve already seen how you can use a cloud platform like Amazon EC2 for password cracking. So with a lot of companies moving to 3rd party cloud platforms, I’m sure security and data privacy is a concern.

Fortify are addressing this with a free add-on for their existing Fortify 360 product.

Fortify Software has come up with a way for companies interested in moving their applications to a cloud provider can analyse it line by line for security-worthiness in the new environment.

The Readiness Scorecard is effectively a free add-on for the company’s software assurance products, Fortify 360, and the online Fortify on Demand assurance service, able to give companies a vulnerability rating for software as if it was running in a cloud environment. Aren’t code vulnerabilities the same whether they are in the cloud or inside a corporate network?

According to Fortify chief scientist and founder, Brian Chess, the cloud questions coding assumptions that would have been reasonable when an application was originally written. Applications can communicate with one another using insecure protocols, while assumed infrastructure such as DNS servers will in the cloud model be shared and beyond the oversight of the IT department.

I would expect the same, if an application is inherently secure and well programmed with sanitized inputs etc, it should be secure on a regular host and on a cloud computing platform. But then there are inherent risks with a cloud platform such as the way in which the nodes communicate with each other and as mentioned – how DNS is handled.

It’s good practice though to make sure an application assumes less trust when on a cloud platform, make sure all communications are encrypted securely (for example between the front-end and the database) and any data written to the file system is also done securely with correct permissions.

In short, software has to assume less trust and the vulnerability of data must be pinpointed precisely. “When you move to the cloud, your risk profile changes,” said Chess.

The point of the Readiness Scorecard is to give in-house teams a list of both minor and major fixes needed before a given application can be run in the cloud in a way that minimises such risk, he said.

“Like immunising themselves against infection, cloud providers can use Fortify 360 or Fortify on Demand to ensure that bad code introduced by one or more customers doesn’t contaminate their cloud offering,” said Chess.

Current Fortify customers would get access to the Scorecard free of cost from later this quarter while new users would have the feature bundled with subscriptions.

Anyway, if you’re considering moving something to a cloud platform – you could use this tool from Fortify..or not. Just be aware that the risk profile for your application is changing and that you should take precautions to ensure you remain secure.

It’s also important for cloud providers themselves to make sure their platform is configured securely to increase customer security and integrity. As it’s a fairly new model I’d say we still have some way to go with this, it’s definitely the way forward for hosting sites prone to large spikes though.

Source: Network World

Learn about Networking Hacking



Posted in: Networking Hacking, Web Hacking

Topic: Networking Hacking, Web Hacking

Latest Posts:


CCleaner Hack - Spreading Malware To Specific Tech Companies CCleaner Hack – Spreading Malware To Specific Tech Companies
The CCleaner Hack is blowing up, initially estimated to be huge, it's hit at least 700k computers & is specifically targeting 20 top tech organisations.
AWSBucketDump - AWS S3 Security Scanning Tool AWSBucketDump – AWS S3 Security Scanning Tool
AWSBucketDump is an AWS S3 Security Scanning Tool, which allows you to quickly enumerate AWS S3 buckets to look for interesting or confidential files.
nbtscan Download - NetBIOS Scanner For Windows & Linux nbtscan Download – NetBIOS Scanner For Windows & Linux
nbtscan is a command-line NetBIOS scanner for Windows that is SUPER fast, it scans for open NetBIOS nameservers on a local or remote TCP/IP network.
Equifax Data Breach - Hack Due To Missed Apache Patch Equifax Data Breach – Hack Due To Missed Apache Patch
The Equifax data breach is pretty huge with 143 million records leaked from the hack in the US alone with unknown more in Canada and the UK.
Seth - RDP Man In The Middle Attack Tool Seth – RDP Man In The Middle Attack Tool
Seth is an RDP Man In The Middle attack tool written in Python to MiTM RDP connections by attempting to downgrade the connection to extract clear text creds
dcrawl - Web Crawler For Unique Domains dcrawl – Web Crawler For Unique Domains
dcrawl is a simple, but smart, multithreaded web crawler for randomly gathering huge lists of unique domain names. It will branch out indefinitely.


sqlninja v0.2.5 Released – Microsoft SQL Server (MS-SQL) SQL Injection Vulnerability Tool

Keep on Guard!


It’s been 2 years, but a new version of sqlninja is out at Sourceforge, we wrote about the previous release back in 2008 and we’ve actually been following this tool since 2006!

Sqlninja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide an interactive access on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

Features

  • Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
  • Bruteforce of ‘sa’ password (in 2 flavors: dictionary-based and incremental)
  • Privilege escalation to sysadmin group if ‘sa’ password has been found
  • Creation of a custom xp_cmdshell if the original one has been removed
  • Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
  • TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
  • Direct and reverse bindshell, both TCP and UDP
  • DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames
  • Evasion techniques to confuse a few IDS/IPS/WAF
  • Integration with Metasploit3, to obtain a graphical access to the remote DB server through a VNC server injection

What’s New?

  • Proxy support (it was about time!)
  • No more 64k bytes limit in upload mode
  • Upload mode is also massively faster
  • Privilege escalation through token kidnapping (kudos to Cesar Cerrudo)
  • Other minor improvements

Compatibility

It is written in Perl, it is released under the GPLv2 and so far has been successfully tested on:

  • Linux
  • FreeBSD
  • Mac OS X

You can download sqlninja v0.2.5 here:

sqlninja-0.2.5.tgz

Or read more here.

Learn about Database Hacking



Posted in: Database Hacking, Hacking Tools, Web Hacking

Topic: Database Hacking, Hacking Tools, Web Hacking

Latest Posts:


CCleaner Hack - Spreading Malware To Specific Tech Companies CCleaner Hack – Spreading Malware To Specific Tech Companies
The CCleaner Hack is blowing up, initially estimated to be huge, it's hit at least 700k computers & is specifically targeting 20 top tech organisations.
AWSBucketDump - AWS S3 Security Scanning Tool AWSBucketDump – AWS S3 Security Scanning Tool
AWSBucketDump is an AWS S3 Security Scanning Tool, which allows you to quickly enumerate AWS S3 buckets to look for interesting or confidential files.
nbtscan Download - NetBIOS Scanner For Windows & Linux nbtscan Download – NetBIOS Scanner For Windows & Linux
nbtscan is a command-line NetBIOS scanner for Windows that is SUPER fast, it scans for open NetBIOS nameservers on a local or remote TCP/IP network.
Equifax Data Breach - Hack Due To Missed Apache Patch Equifax Data Breach – Hack Due To Missed Apache Patch
The Equifax data breach is pretty huge with 143 million records leaked from the hack in the US alone with unknown more in Canada and the UK.
Seth - RDP Man In The Middle Attack Tool Seth – RDP Man In The Middle Attack Tool
Seth is an RDP Man In The Middle attack tool written in Python to MiTM RDP connections by attempting to downgrade the connection to extract clear text creds
dcrawl - Web Crawler For Unique Domains dcrawl – Web Crawler For Unique Domains
dcrawl is a simple, but smart, multithreaded web crawler for randomly gathering huge lists of unique domain names. It will branch out indefinitely.


Two Thirds Of All Phishing Attacks Carried Out By Single Group

Keep on Guard!


Now this is a pretty surprising figure, we all know Phishing has become a big issue in recent years especially for financial institutions, but it still amazes me two-thirds of all attacks can come from a single group! It’s been a major issue concerning computer security in general, consumer privacy and companies like PayPal have had a lot of problems with phishing attacks.

Apparently Avalanche arose from members of Rock Phish which we wrote about accounting for 50% of all phishing attacks back in 2007.

It seems that phishing is growing into a fairly huge business for some people.

A single criminal operation was responsible for two-thirds of all phishing attacks in the second half of 2009 and is responsible for a two-fold increase in the crime, a report published this week said.

The Avalanche gang is believed to have risen out of the ashes of the Rock Phish outfit, which by some estimates was responsible for half the world’s phishing attacks before fizzling out in late 2008. Driving the success of both groups is their use of state-of-the-art technology for mass-producing imposter websites and distributing huge amounts of crimeware for automating identity theft.

“Avalanche uses the Rock’s techniques but improved upon them, introducing greater volume and sophistication,” the report, released by the Anti-Phishing Working Group, stated.

They are definitely getting more sophisticated as I remember phishing attacks when they first originated and they were really very basic, generally riddled with typos and spelling mistakes and weren’t particularly convincing to anyone.

Now, especially with CSRF/XSS/iframe injection attacks on major websites, phishing gangs have a lot more ways to spoof legitimate looking URLs.

Central to Avalanche’s success is its use of fast-flux botnets to host phishing sites. The use of peer-to-peer communications makes it impossible for a single ISP or hosting provider to to pull the plug on the infrastructure. The gang also excels at launching attacks from a relatively small number of domain names that often appear confusingly identical to each other, such as 11f1iili.com and 11t1jtiil.com. Those abilities also fuel the success.

There were 126,697 phishing attacks during the second half of 2009, more than double the number in the first half of the year or from July through December of 2008, the APWG report said. Avalanche, which was first identified in December of 2008, was responsible for 24 percent of phishing attacks in the first half of 2009 and for 66 percent in the second half. From July through the end of the year, Avalanche targeted the more than 40 major financial institutions, online services, and job search providers.

Curiously, Avalanche may turn out to be a victim of its own success.

The average uptime for each Avalanche phishing attack is much shorter than from other people due to awareness of their gang and tactics, obviously being infamous doesn’t work in their advantage. Perhaps time for them to rethink their strategies.

Remember anti-virus software, firewalls and even the anti-phishing features built into Internet Explorer and Firefox can’t really help with phishing, it’s more a social problem. So if you get the chance do try and educate the less tech-savvy around you about the risks.

You can find the full report here:

APWG_GlobalPhishingSurvey_2H2009.pdf

Source: The Register

Learn about Phishing



Posted in: Phishing, Spammers & Scammers

Topic: Phishing, Spammers & Scammers

Latest Posts:


CCleaner Hack - Spreading Malware To Specific Tech Companies CCleaner Hack – Spreading Malware To Specific Tech Companies
The CCleaner Hack is blowing up, initially estimated to be huge, it's hit at least 700k computers & is specifically targeting 20 top tech organisations.
AWSBucketDump - AWS S3 Security Scanning Tool AWSBucketDump – AWS S3 Security Scanning Tool
AWSBucketDump is an AWS S3 Security Scanning Tool, which allows you to quickly enumerate AWS S3 buckets to look for interesting or confidential files.
nbtscan Download - NetBIOS Scanner For Windows & Linux nbtscan Download – NetBIOS Scanner For Windows & Linux
nbtscan is a command-line NetBIOS scanner for Windows that is SUPER fast, it scans for open NetBIOS nameservers on a local or remote TCP/IP network.
Equifax Data Breach - Hack Due To Missed Apache Patch Equifax Data Breach – Hack Due To Missed Apache Patch
The Equifax data breach is pretty huge with 143 million records leaked from the hack in the US alone with unknown more in Canada and the UK.
Seth - RDP Man In The Middle Attack Tool Seth – RDP Man In The Middle Attack Tool
Seth is an RDP Man In The Middle attack tool written in Python to MiTM RDP connections by attempting to downgrade the connection to extract clear text creds
dcrawl - Web Crawler For Unique Domains dcrawl – Web Crawler For Unique Domains
dcrawl is a simple, but smart, multithreaded web crawler for randomly gathering huge lists of unique domain names. It will branch out indefinitely.


Suricata – Open Source Next Generation Intrusion Detection and Prevention Engine

Outsmart Malicious Hackers


The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field.

Basically it’s a is a multi-threaded intrusion detection/prevention engine engine available from the Open Information Security Foundation

OISF is part of and funded by the Department of Homeland Security’s Directorate for Science and Technology HOST program (Homeland Open Security Technology), by the the Navy’s Space and Naval Warfare Systems Command (SPAWAR), as well as through the very generous support of the members of the OISF Consortium. More information about the Consortium is available, as well as a list of our current Consortium Members.

The Suricata Engine and the HTP Library are available to use under the GPLv2.

The HTP Library is an HTTP normalizer and parser written by Ivan Ristic of Mod Security fame for the OISF. This integrates and provides very advanced processing of HTTP streams for Suricata. The HTP library is required by the engine, but may also be used independently in a range of applications and tools.

You can download Suricata v0.9 here:

suricata-0.9.0.tar.gz

Or read more here.

Learn about Countermeasures



Posted in: Countermeasures, Networking Hacking, Security Software

Topic: Countermeasures, Networking Hacking, Security Software

Latest Posts:


CCleaner Hack - Spreading Malware To Specific Tech Companies CCleaner Hack – Spreading Malware To Specific Tech Companies
The CCleaner Hack is blowing up, initially estimated to be huge, it's hit at least 700k computers & is specifically targeting 20 top tech organisations.
AWSBucketDump - AWS S3 Security Scanning Tool AWSBucketDump – AWS S3 Security Scanning Tool
AWSBucketDump is an AWS S3 Security Scanning Tool, which allows you to quickly enumerate AWS S3 buckets to look for interesting or confidential files.
nbtscan Download - NetBIOS Scanner For Windows & Linux nbtscan Download – NetBIOS Scanner For Windows & Linux
nbtscan is a command-line NetBIOS scanner for Windows that is SUPER fast, it scans for open NetBIOS nameservers on a local or remote TCP/IP network.
Equifax Data Breach - Hack Due To Missed Apache Patch Equifax Data Breach – Hack Due To Missed Apache Patch
The Equifax data breach is pretty huge with 143 million records leaked from the hack in the US alone with unknown more in Canada and the UK.
Seth - RDP Man In The Middle Attack Tool Seth – RDP Man In The Middle Attack Tool
Seth is an RDP Man In The Middle attack tool written in Python to MiTM RDP connections by attempting to downgrade the connection to extract clear text creds
dcrawl - Web Crawler For Unique Domains dcrawl – Web Crawler For Unique Domains
dcrawl is a simple, but smart, multithreaded web crawler for randomly gathering huge lists of unique domain names. It will branch out indefinitely.


New Argument Switch Attack Bypasses Windows Security Software

Outsmart Malicious Hackers


There’s been a lot of highly technical and most theoretical attacks lately, academic season really is in full swing. This is a very neat attack which is being labeled somewhere between catastrophic and mildly annoying depending on who you ask.

It effects most of the major Anti-virus vendors, it’s called an argument-switch attack and leverages on the way in which most anti-viral suites interact with the Windows kernel.

It seems to be most critical on Windows XP which is an operating system near the end of life anyway, so it shouldn’t be too widespread – that’s even assuming the bad guys can work it out and spread it in the wild (I would safely assume they can). Although the research does indicate it also works on Vista SP1.

A just-published attack tactic that bypasses the security protections of most current antivirus software is a “very serious” problem, an executive at one unaffected company said today.

Last Wednesday, researchers at Matousec.com outlined how attackers could exploit the kernel driver hooks that most security software use to reroute Windows system calls through their software to check for potential malicious code before it’s able to execute. Calling the technique an “argument-switch attack,” a Matousec-written paper spelled out in relatively specific terms how an attacker could swap out benign code for malicious code between the moments when the security software issues a green light and the code actually executes.

“This is definitely very serious,” said Alfred Huger, vice president of engineering at Immunet, a Palo Alto, Calif.-based antivirus company. “Probably any security product running on Windows XP can be exploited this way.” Huger added that Immunet’s desktop client is not vulnerable to the argument-switch attacks because the company’s software uses a different method to hook into the Windows kernel.

Some of the AV vendors are using different methods to communicate with the Windows kernel, so aren’t vulnerable to this attack – such as Immunet. I hope the collective AV companies pull their fingers out and do some real testing on this attack to see if it can really impact consumers or not.

What we really don’t need is “Oh it’s really complex and unlikely, it’s not a big deal” – then later 200,000 machines get owned using the technique. At least they know about and can perhaps address the sloppy methods they are using to implement kernel hooks.

According to Matousec, nearly three-dozen Windows desktop security titles, including ones from Symantec, McAfee, Trend Micro, BitDefender, Sophos and others, can be exploited using the argument-switch tactic. Matousec said it had tested the technique on Windows XP SP3 and Vista SP1 on 32-bit machines.

Some security vendors agreed with Huger. “It’s a serious issue and Matousec’s technical findings are correct,” said Mikko Hypponen, chief research officer at Finnish firm F-Secure, in an e-mail.

“Matousec’s research is absolutely important and significant in the short term,” echoed Rik Ferguson, a senior security advisor at Trend Micro, in a blog post earlier Monday.

Other antivirus companies downplayed the threat, however. “Based on our initial review of the public documentation, we believe this is a complicated attack with several mitigating factors that make it unlikely to be a viable, real world, widespread attack scenario,” a McAfee spokesman said in an e-mail reply to a request for comment. “The attack would require some level of existing access to the target computer, as the attack described by Matousec does not on its own bypass security software or allow malware to run.”

Kaspersky Lab had a similar reaction. “[We] have analyzed the published material and concluded that the issue is only linked to certain features of [our] products,” Kaspersky said in an e-mailed statement. “Kaspersky Lab products implement not only [kernel] hooks, but a wide range of technologies, including secure sandboxing and other methods of restricting suspicious kernel mode activity.”

I guess most AV companies don’t go that deep into system security, to the point of exploring how they implement kernel addressing and hooks to enable their software to function. Either way the research is now published, is picking up quite a bit of press and that itself is likely to force some action.

The full paper is available with details of the attack from Matousec here:

KHOBE – 8.0 earthquake for Windows desktop security software

Source: Network World

Learn about Exploits/Vulnerabilities



Posted in: Exploits/Vulnerabilities, Windows Hacking

Topic: Exploits/Vulnerabilities, Windows Hacking

Latest Posts:


CCleaner Hack - Spreading Malware To Specific Tech Companies CCleaner Hack – Spreading Malware To Specific Tech Companies
The CCleaner Hack is blowing up, initially estimated to be huge, it's hit at least 700k computers & is specifically targeting 20 top tech organisations.
AWSBucketDump - AWS S3 Security Scanning Tool AWSBucketDump – AWS S3 Security Scanning Tool
AWSBucketDump is an AWS S3 Security Scanning Tool, which allows you to quickly enumerate AWS S3 buckets to look for interesting or confidential files.
nbtscan Download - NetBIOS Scanner For Windows & Linux nbtscan Download – NetBIOS Scanner For Windows & Linux
nbtscan is a command-line NetBIOS scanner for Windows that is SUPER fast, it scans for open NetBIOS nameservers on a local or remote TCP/IP network.
Equifax Data Breach - Hack Due To Missed Apache Patch Equifax Data Breach – Hack Due To Missed Apache Patch
The Equifax data breach is pretty huge with 143 million records leaked from the hack in the US alone with unknown more in Canada and the UK.
Seth - RDP Man In The Middle Attack Tool Seth – RDP Man In The Middle Attack Tool
Seth is an RDP Man In The Middle attack tool written in Python to MiTM RDP connections by attempting to downgrade the connection to extract clear text creds
dcrawl - Web Crawler For Unique Domains dcrawl – Web Crawler For Unique Domains
dcrawl is a simple, but smart, multithreaded web crawler for randomly gathering huge lists of unique domain names. It will branch out indefinitely.