Archive | July, 2010

iKAT – Interactive Kiosk Attack Tool v3

Use Netsparker


iKAT was designed to aid security consultants with the task of auditing the security of a Windows based internet Kiosk terminal. iKAT is designed to provide access to the underlying operating system of a Kiosk terminal by invoking native OS functionality. This tool should be (and is) used by Kiosk vendors/developers/suppliers to test the security of their own Kiosk products.

Designed as a SaaS, iKAT features many methods of escaping out of a browser jailed environment and gaining command execution. iKAT is a website you visit from a Kiosk, its quick, free, and aims to please. iKAT is solely developed by myself (Paul Craig) a Kiosk hacking enthusiast from New Zealand.

Whats New in iKAT v3

Signed Code
All iKAT tools, VBScripts, ActiveXs, ClickOnce, SilverLight apps are now signed by a trusted CA! Four months ago i placed a “Donate Now” button on the front page of iKAT, hoping to raise money for a code signing certificate Sadly only two people donated cash (Enrique Exposito Martinez and Gerald Fehringer, you guys rock) Luckily a Kiosk vendor was willing to come to the party and donate the remaining cash. Big thanks to Kioware Kiosks, who kindly donated the remaining money. All iKAT tools are now signed by a trusted CA.

More Tools
iKAT now contains more tools packaged in different containers, file formats, PDFs, and even silent installers. More Java Applets, More VBScript, More WMI!


iKAT ActiveX
A newly developed ActiveX which focuses on Windows Shell hacking and process spawning. The ActiveX is signed and provides a mad amount of functionality.

iKAT OfficeKAT
Thanks to Didier Stevens who donated his “Excel Spawn CMD in Memory” trick to the iKAT project OfficeKAT allows you to pop shell in environments where you can run Excel, what’s more you don’t need to write to the file system.

iKAT SilverLight
SilverLight (and mono) are now supported by iKAT, and provide yet another attack vector for your pleasure

Improved URI + File Handler Enumeration
Vastly improved enumeration code, more URI’s, more instant “One click magic”. I also added support some of the more interesting Microsoft based URI handler vulnerabilities released this year.

Emo Kiosking – Crashing the Kiosk
The fastest way to get out of a browser jail environment is to simply CRASH IT. Oddly enough this is also the easiest thing to do to a browser, and Emo-Kiosking has become a personal favourite trick of mine. iKAT now supports over 60 different methods of crashing a browser, or a browser add-on This allows you to quickly drop back to the desktop, often with only one click required.

To use iKat just visit the following URL in a kiosk system browser:

http://ikat.ha.cked.net

Posted in: Hacking Tools, Hardware Hacking

Topic: Hacking Tools, Hardware Hacking


Latest Posts:


Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.


UK ISP TalkTalk Monitoring Users Without Consent (Deep Packet Inspection)

The New Acunetix V12 Engine


Well this can be looked at in a number of ways, many would say “If you’ve nothing to hide, why worry?” – but then we know people in the UK can be fairly fanatical when it comes to issues regarding privacy. Also TalkTalk are claiming it’s an anonymous system, so actual user details aren’t stored.

Either way it’s a bit shady doing this kind of monitoring without even notifying your users and not offering any way of opting out from the exercise.

Plus the fact is, most of the major browsers already have this kind of technology built in and so does Google if people rely on it as their main search engine. It reminds me a little of the recent article Australians Propose ‘No Anti-virus – No Internet Connection’ Policy.

Broadband ISP TalkTalk UK could be about to incur the wrath of privacy campaigners after some of its customers spotted that their online website browsing activity was being monitored and recorded without consent. The situation has caused a significant amount of concern with many end-users worried about the impact upon their personal privacy.

TalkTalk has since confirmed that the monitoring, which was first discovered on the ISPs discussion forum during the middle of July (here), is part of a future Malware/Security/Parental Guidance tool to be provided by Chinese vendor Huawei. This is due to launch before the end of 2010.

The system, which is not yet fully in place, aims to help block dangerous websites (e.g. those designed to spread malware) by comparing the URL that a person visits against a list of good and bad/dangerous sites. Bad sites will then be restricted.

Apparently the system itself will be opt-in, but from what is happening now it’s likely the data collection will still be carried out across the whole customer-base.

Also under the Data Protection act they are operating in a legal grey area and the new Digital Economy Act 2010. I honestly don’t think such a service is required and already duplicates the functionality that people already have.

At present the affected customers cannot opt-out of TalkTalk’s data collection exercise, while the actual malware/block tool itself has yet to be enabled and will also be subjected to optional customer testing before it is. The resulting system will apparently only be available if you opt-in to use it.

As a result the systems first stage is currently just monitoring and recording URLs, which TalkTalk says is an anonymous process; no end-user IP address or personal details are revealed. However some customer posts have suggested that the TalkTalk system also reads the code for sites, at least the ones it cannot identify, which could in theory pose a security risk if the URL you visited was for a private admin page. Some of these would be pages that even Google cannot find.

It’s worth pointing out that ISPs are already required to record website and email accesses (but not content), including dates and times, as part of the previous governments Data Retention Directive. However this is a closed process for use by specific public/security services and should not be confused with what TalkTalk is doing.

Gotta give TalkTalk kudos for owning up to it though, explaining their actions and not trying to sweep it under the carpet. I wonder how they will address it going forwards though and if any legal cases will arise from this.

The conspiracy theorists will also say that the technology vendor is linked to the Chinese PLA and this data could be used for espionage purposes!

Source: ISP Review

Posted in: Legal Issues, Networking Hacking, Privacy

Topic: Legal Issues, Networking Hacking, Privacy


Latest Posts:


Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.


FuzzDiff – Tool For Fuzzing and Crash Analysis

Use Netsparker


FuzzDiff is a simple tool to help make crash analysis during file format fuzzing a bit easier. I’m sure many people have written similar tools for their own purposes, but I haven’t seen any that are publicly available. Hopefully at least one person finds it useful.

When provided with a fuzzed file, a corresponding original un-fuzzed file, and the path to the targeted program, FuzzDiff will selectively “un-fuzz” portions of the fuzzed file while re-launching the application to monitor for crashes. This will yield a file that still crashes the target application, but contains a minimum set of changes from the original, un-fuzzed file. This can be useful in pinning down the exact cause of a crash.

The tool is written in Python and currently only works on Unix-based systems, since it monitors for crashes by checking for SIGSEGV. It also assumes that the target program adheres to the syntax “[program] [args] [input file]”. Both of these limitations can be easily worked around. The code is hardly what I’d call production-ready, but it gets the job done.

You can download FuzzDiff here:

fuzzdiff.py

Or read more here.

Posted in: Exploits/Vulnerabilities, Hacking Tools, Secure Coding

Topic: Exploits/Vulnerabilities, Hacking Tools, Secure Coding


Latest Posts:


Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.


WPA2 Vulnerability Discovered – “Hole 196” – A Flaw In GTK (Group Temporal Key)

Use Netsparker


Well as it tends to be, when something is scrutinized for long enough and with enough depth flaws will be uncovered. This time the victim is WPA2 – the strongest protection for your Wi-fi network which is standardized.

WEP fell long ago and there’s a myriad of WEP Cracking tools available. In 2008 it was reported flaws had been found in WPA and it was partially cracked.

These factors of course shifted a lot of people to WPA2, which has now been found to have certain flaws.

Perhaps it was only a matter of time. But wireless security researchers say they have uncovered a vulnerability in the WPA2 security protocol, which is the strongest form of Wi-Fi encryption and authentication currently standardized and available.

Malicious insiders can exploit the vulnerability, named “Hole 196” by the researcher who discovered it at wireless security company AirTight Networks. The moniker refers to the page of the IEEE 802.11 Standard (Revision, 2007) on which the vulnerability is buried. Hole 196 lends itself to man-in-the-middle-style exploits, whereby an internal, authorized Wi-Fi user can decrypt, over the air, the private data of others, inject malicious traffic into the network and compromise other authorized devices using open source software, according to AirTight.

The researcher who discovered Hole 196, Md Sohail Ahmad, AirTight technology manager, intends to demonstrate it at two conferences taking place in Las Vegas next week: Black Hat Arsenal and DEF CON 18.

It’s a pretty interesting attack and leverages a man-in-the-middle style exploit to decrypt data from the wire and inject malicious packets onto the network.

The researched Md Sohail Ahmad is going to demo the exploit at 2 upcoming conferences (Black Hat and DEF CON 18) so I’ll be looking out for the slides and videos on that. We’ll have to wait and see if this is another ‘mostly theoretical‘ attack – or something that can actually be implemented in the wild.


The Advanced Encryption Standard (AES) derivative on which WPA2 is based has not been cracked and no brute force is required to exploit the vulnerability, Ahmad says. Rather, a stipulation in the standard that allows all clients to receive broadcast traffic from an access point (AP) using a common shared key creates the vulnerability when an authorized user uses the common key in reverse and sends spoofed packets encrypted using the shared group key.

Ahmad explains it this way:

WPA2 uses two types of keys: 1) Pairwise Transient Key (PTK), which is unique to each client, for protecting unicast traffic; and 2) Group Temporal Key (GTK) to protect broadcast data sent to multiple clients in a network. PTKs can detect address spoofing and data forgery. “GTKs do not have this property,” according to page 196 of the IEEE 802.11 standard.

These six words comprise the loophole, Ahmad says.

The upside is that the attack is limited to people who can genuinely authenticate to the network first, the downside that means large organizations using WPA2 in trouble – as generally most damage comes from the inside.

It’s also something to think about when connecting to ISP/public Wi-fi hotspots using WPA2 encryption.

I’m sure there will be more news about this soon.

Source: Network World (Thanks Austin)

Posted in: Cryptography, Exploits/Vulnerabilities, Wireless Hacking

Topic: Cryptography, Exploits/Vulnerabilities, Wireless Hacking


Latest Posts:


Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.


PlainSight – Open Source Computer Forensics LiveCD

The New Acunetix V12 Engine


PlainSight is a versatile computer forensics environment that allows inexperienced forensic practitioners perform common tasks using powerful open source tools such as RegRipper, Pasco, Mork, Foremost and many more.

We have taken the best open source forensic/security tools, customised them, and combined them with an intuitive user interface to create an incredibly powerful forensic environment.

With PlainSight you can perform operations such as:

  • Get hard disk and partition information
  • Extract user and group information
  • View Internet histories
  • Examine Windows firewall configuration
  • Discover recent documents
  • Recover/Carve over 15 different file types
  • Discover USB storage information
  • Examine physical memory dumps
  • Examine UserAssist information
  • Extract LanMan password hashes
  • Preview a system before acquiring it

You can view a more complete features list here:

PlainSight | Features

You can download PlainSight v0.1 ISO here:

UK Mirror – PlainSight-0.1.iso
Belgium Mirror – PlainSight-0.1.iso

Or read more here.

Posted in: Forensics

Topic: Forensics


Latest Posts:


Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.


Microsoft Confirms Windows Zero Day Bug In Shortcut Files

The New Acunetix V12 Engine


This is a pretty nasty attack and for once Microsoft have actually acknowledged and confirmed this is a critical unpatched vulnerability. Incidentally Microsoft also recently retired Windows XP SP2 from the support cycle, and this vulnerability effects that system and they have stated they will not be patching it.

It’s a pretty serious bug and it seems hackers have been maliciously exploiting it in the wild for over a month. The Stuxnet malware has been using this vulnerability to gain access to machines then download further attack files including a root kit.

Microsoft on Friday warned that attackers are exploiting a critical unpatched Windows vulnerability using infected USB flash drives.

The bug admission is the first that affects Windows XP Service Pack 2 (SP2) since Microsoft retired the edition from support , researchers said. When Microsoft does fix the flaw, it will not be providing a patch for machines still running XP SP2. In a security advisory , Microsoft confirmed what other researchers had been saying for almost a month: Hackers have been exploiting a bug in Windows “shortcut” files, the placeholders typically dropped on the desktop or into the Start menu to represent links to actual files or programs.

“In the wild, this vulnerability has been found operating in conjunction with the Stuxnet malware,” Dave Forstrom, a director in Microsoft’s Trustworthy Computing group, said in a post Friday to a company blog . Stuxnet is a clan of malware that includes a Trojan horse that downloads further attack code, including a rootkit that hides evidence of the attack.

Forstrom characterized the threat as “limited, targeted attacks,” but the Microsoft group responsible for crafting antivirus signatures said it had tracked 6,000 attempts to infect Windows PCs as of July 15.

Limited but targeted attacks are the worst kind as they can really burrow through corporate defenses. A lot of companies are taking this seriously, including all the main players in the anti-virus arena.

You have to wonder if Microsoft will break their patch tuesday policy and issue an emergency out-of-band patch for this.

Especially since more virus writers are picking up on this flaw meaning it’s becoming more widespread.


On Friday, Siemens alerted customers of its Simatic WinCC management software that attacks using the Windows vulnerability were targeting computers used to manage large-scale industrial control systems used by major manufacturing and utility companies. The vulnerability was first mentioned on June 17 in an alert issued by VirusBlokAda , a little-known security firm based in Belarus. Other security organizations, including U.K.-based Sophos and SANS Institute’s Internet Storm Center , picked up on the threat Friday. Security blogger Brian Krebs , formerly with the Washington Post, reported on it Thursday.

According to Microsoft, Windows fails to correctly parse shortcut files, identified by the “.lnk” extension. The flaw has been exploited most frequently using USB flash drives. By crafting a malicious .lnk file, hackers can hijack a Windows PC with little user interaction: All that’s necessary is that the user views the contents of the USB drive with a file manager like Windows Explorer.

Chester Wisniewski, a senior security advisory with Sophos, called the threat “nasty,” and said his tests showed that the exploit works even when AutoRun and AutoPlay — two functions that have previously been used by attackers to commandeer PCs using infected flash drives — are disabled. The rootkit also bypasses all security mechanisms in Windows, including the User Account Control (UAC) prompts in Vista and Windows 7 , said Wisniewski in a blog entry Friday.

I’m sure they’ll come up with some reason for not patching this sooner rather than later. The scary part is the attack can still be carried out even if AutoRun and AutoPlay are disabled.

The rootkit also bypasses the security mechanisms in Windows 7 and Vista making this a very dangerous attack.

You can find a temporary workaround in the Microsoft Security Advisory here:

Microsoft Security Advisory: Vulnerability in Windows Shell could allow remote code execution

And Microsoft has stated they are working on a patch.

Source: Network World

Posted in: Exploits/Vulnerabilities, Windows Hacking

Topic: Exploits/Vulnerabilities, Windows Hacking


Latest Posts:


Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.