Archive | January, 2013

New eLearnSecurity Pen-Testing Labs Launched – Attend Live Demo Event

Outsmart Malicious Hackers


You might remember the Hera Labs info from the post about the updated Pen-testing Pro course:

eLearnSecurity Launches Newly Updated & Refreshed Penetration Testing Professional Training v2

Now eLearnSecurity has decided to open up just the labs outside of the course, for people that want a practical hands-on environment to learn.

Hera Pentesting Labs

http://www.elearnsecurity.com/virtual-labs/hera

Main Features


  • You get completely isolated networks to pentest (You are not sharing resources with others)
  • You get new scenarios every month
  • Scenarios are created by experienced pentesters
  • You can sign up with on-demand model

They will be holding a live webinar on January 29th on latest Java vulnerabilities, and demonstrating live exploitation in Hera Labs, you can find more info and register your interest here:

http://www.elearnsecurity.com/c/register_live.php

At the end of the event they are going to give special discount to sign up, so be there or be square!

Posted in: Advertorial, Exploits/Vulnerabilities, Secure Coding

Topic: Advertorial, Exploits/Vulnerabilities, Secure Coding


Latest Posts:


OWASP ZSC - Obfuscated Code Generator Tool OWASP ZSC – Obfuscated Code Generator Tool
OWASP ZSC is an open source obfuscated code generator tool in Python which lets you generate customized shellcodes and convert scripts to an obfuscated script.
A Look Back At 2017 – Tools & News Highlights A Look Back At 2017 – Tools & News Highlights
So here we are in 2018, taking a look back at 2017, quite a year it was. Here is a quick rundown of some of the best hacking/security tools released in 2017, the biggest news stories and the 10 most viewed posts on Darknet as a bonus.
Spectre & Meltdown Checker - Vulnerability Mitigation Tool For Linux Spectre & Meltdown Checker – Vulnerability Mitigation Tool For Linux
Spectre & Meltdown Checker is a simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
Hijacker - Reaver For Android Wifi Hacker App Hijacker – Reaver For Android Wifi Hacker App
Hijacker is a native GUI which provides Reaver for Android along with Aircrack-ng, Airodump-ng and MDK3 making it a powerful Wifi hacker app.
Sublist3r - Fast Python Subdomain Enumeration Tool Sublist3r – Fast Python Subdomain Enumeration Tool
Sublist3r is a Python-based tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting.
coWPAtty Download - Audit Pre-shared WPA Keys coWPAtty Download – Audit Pre-shared WPA Keys
coWPAtty is a C-based tool for running a brute-force dictionary attack against WPA-PSK and audit pre-shared WPA keys.


CERT Failure Observation Engine (FOE) – Mutational Fuzzing Tool

Keep on Guard!


The CERT Failure Observation Engine (FOE) is a software testing tool that finds defects in applications that run on the Windows platform. FOE performs mutational fuzzing on software that consumes file input. (Mutational fuzzing is the act of taking well-formed input data and corrupting it in various ways, looking for cases that cause crashes.) The FOE automatically collects test cases that cause software to crash in unique ways, as well as debugging information associated with the crashes. The goal of FOE is to minimize the effort required for software vendors and security researchers to efficiently discover and analyze security vulnerabilities found via fuzzing.

Note: this software package contains both the source code for the distribution and a binary installer package for Windows. The installer package will attempt to install FOE and all of its dependent software packages on the system. If you wish to evaluate the binary installer, it is highly advisable to do so on a non-enterprise system devoted solely to testing. An ISO image is also available for convenient use within a Windows virtual machine instance.

At the CERT/CC, we have already used the FOE infrastructure to find a number of critical vulnerabilities in products such as Adobe Reader, Flash Player, and Shockwave player; Microsoft Office and Windows; Google Chrome; Oracle Outside In; Autonomy Keyview IDOL; Apple QuickTime; and many others.

Note: Because fuzzing can fill temporary directories, put the target application in an unusable state, or trigger other operating-system-level bugs, we recommend that FOE be used in a virtual machine.

You can download FOE here:

http://www.cert.org/vuls/discovery/foe.html

Posted in: Exploits/Vulnerabilities, Secure Coding

Topic: Exploits/Vulnerabilities, Secure Coding


Latest Posts:


OWASP ZSC - Obfuscated Code Generator Tool OWASP ZSC – Obfuscated Code Generator Tool
OWASP ZSC is an open source obfuscated code generator tool in Python which lets you generate customized shellcodes and convert scripts to an obfuscated script.
A Look Back At 2017 – Tools & News Highlights A Look Back At 2017 – Tools & News Highlights
So here we are in 2018, taking a look back at 2017, quite a year it was. Here is a quick rundown of some of the best hacking/security tools released in 2017, the biggest news stories and the 10 most viewed posts on Darknet as a bonus.
Spectre & Meltdown Checker - Vulnerability Mitigation Tool For Linux Spectre & Meltdown Checker – Vulnerability Mitigation Tool For Linux
Spectre & Meltdown Checker is a simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
Hijacker - Reaver For Android Wifi Hacker App Hijacker – Reaver For Android Wifi Hacker App
Hijacker is a native GUI which provides Reaver for Android along with Aircrack-ng, Airodump-ng and MDK3 making it a powerful Wifi hacker app.
Sublist3r - Fast Python Subdomain Enumeration Tool Sublist3r – Fast Python Subdomain Enumeration Tool
Sublist3r is a Python-based tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting.
coWPAtty Download - Audit Pre-shared WPA Keys coWPAtty Download – Audit Pre-shared WPA Keys
coWPAtty is a C-based tool for running a brute-force dictionary attack against WPA-PSK and audit pre-shared WPA keys.


Microsoft Rushes Out ‘Fix It’ For Internet Explorer 0-day Exploit

Keep on Guard!


Pretty unusual for Microsoft but they’ve rushed out a fast fix for a 0-day Internet Explorer vulnerability which allows remote code execution and malware dropping. It doesn’t effect the latest version of Internet Explorer (9) but it effects all the common previous versions (6, 7 & 8) – which still accounts for the majority of users.

It is definitely important though, so I can appreciate their urgency. The sad part is most people that will fall for the scam sites that push out such malware won’t know about this patch, so they will remain at risk.

It will help a lot for corporates though managing the entire organization security as many are mandated to use Internet Explorer, and try and keep it secure..

Microsoft has pushed out a temporary fix to defend against a zero-day vulnerability that surfaced in attacks launched last week.

The security flaw (CVE-2012-4792) – which affects IE 6, 7 and 8 but not the latest versions of Microsoft’s web browser software – allows malware to be dropped onto Windows PCs running the vulnerable software, providing, of course, that users can be tricked into visiting booby-trapped websites.

Redmond has released a temporary Fix It (easy-to-apply workaround) pending the development of a more comprehensive patch.

The flaw was initially discovered by security tools firm FireEye on the Council on Foreign Relations website on 27 December.


The flaw was discovered right before the new year on December 27th, so Microsoft have managed to get this temporary fix out pretty fast. I’d imagine the full patch will be rolled into the next Windows Update Patch Tuesday.

I don’t expect anyone reading this is using Internet Explorer, so it wouldn’t effect us anyway – but seen as though you are probably at home over the holidays. Do us all a favour and install Chrome or Firefox on your relatives computers.

The attack had been running for at least a week, and perhaps longer, before it was detected. Retrospective analysis by Sophos suggests the same exploit was used on at least five additional websites, suggesting assaults using the bug are far from limited.

“While the assaults appeared to be targeting a small number of sites, there is no obvious link between the victims,” noted Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post. “Some are referring to this as a ‘watering hole’ attack, but the evidence we have doesn’t necessarily support that conclusion.”

Security watchers advise either applying Redmond’s workarounds, upgrading to IE 9 or using an alternative browser – at least until a proper patch becomes available. The next patch Tuesday is coming up on 8 January. This doesn’t give Microsoft much time but given the high-profile nature of the vulnerability it’s likely that Redmond will release a patch sooner rather than later.

It was exploited for a week at least before discovery, so that’d give a date of around December 20th when it was first seen in the wild. The next Patch Tuesday is coming in 5 days, so we might even see an emergency out of bounds patch for this so it gets pushed out via Windows Update to the masses.

You can check out the Fix It here:

Microsoft Security Advisory: Vulnerability in Internet Explorer could allow remote code execution

Source: The Register

Posted in: Exploits/Vulnerabilities, Windows Hacking

Topic: Exploits/Vulnerabilities, Windows Hacking


Latest Posts:


OWASP ZSC - Obfuscated Code Generator Tool OWASP ZSC – Obfuscated Code Generator Tool
OWASP ZSC is an open source obfuscated code generator tool in Python which lets you generate customized shellcodes and convert scripts to an obfuscated script.
A Look Back At 2017 – Tools & News Highlights A Look Back At 2017 – Tools & News Highlights
So here we are in 2018, taking a look back at 2017, quite a year it was. Here is a quick rundown of some of the best hacking/security tools released in 2017, the biggest news stories and the 10 most viewed posts on Darknet as a bonus.
Spectre & Meltdown Checker - Vulnerability Mitigation Tool For Linux Spectre & Meltdown Checker – Vulnerability Mitigation Tool For Linux
Spectre & Meltdown Checker is a simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
Hijacker - Reaver For Android Wifi Hacker App Hijacker – Reaver For Android Wifi Hacker App
Hijacker is a native GUI which provides Reaver for Android along with Aircrack-ng, Airodump-ng and MDK3 making it a powerful Wifi hacker app.
Sublist3r - Fast Python Subdomain Enumeration Tool Sublist3r – Fast Python Subdomain Enumeration Tool
Sublist3r is a Python-based tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting.
coWPAtty Download - Audit Pre-shared WPA Keys coWPAtty Download – Audit Pre-shared WPA Keys
coWPAtty is a C-based tool for running a brute-force dictionary attack against WPA-PSK and audit pre-shared WPA keys.