Archive | November, 2013

ike-scan – Discover & Fingerprint IKE Hosts (IPsec VPN Servers)

Keep on Guard!


ike-scan discovers IKE hosts and can also fingerprint them using the retransmission backoff pattern.

ike-scan can perform the following functions:

  • Discovery Determine which hosts in a given IP range are running IKE. This is done by displaying those hosts which respond to the IKE requests sent by ike-scan.
  • Fingerprinting Determine which IKE implementation the hosts are using, and in some cases determine the version of software that they are running. This is done in two ways: firstly by UDP backoff fingerprinting which involves recording the times of the IKE response packets from the target hosts and comparing the observed retransmission backoff pattern against known patterns; and secondly by Vendor ID fingerprinting which compares Vendor ID payloads from the VPN servers against known vendor id patterns.
  • Transform Enumeration Find which transform attributes are supported by the VPN server for IKE Phase-1 (e.g. encryption algorithm, hash algorithm etc.).
  • User Enumeration For some VPN systems, discover valid VPN usernames.
  • Pre-Shared Key Cracking Perform offline dictionary or brute-force password cracking for IKE Aggressive Mode with Pre-Shared Key authentication. This uses ike-scan to obtain the hash and other parameters, and psk-crack (which is part of the ike-scan package) to perform the cracking.

The retransmission backoff fingerprinting concept is discussed in more detail in the UDP backoff fingerprinting paper which should be included in the ike-scan kit as UDP Backoff Fingerprinting Paper.


The program sends IKE phase-1 (Main Mode or Aggressive Mode) requests to the specified hosts and displays any responses that are received. It handles retry and retransmission with backoff to cope with packet loss. It also limits the amount of bandwidth used by the outbound IKE packets.

IKE is the Internet Key Exchange protocol which is the key exchange and authentication mechanism used by IPsec. Just about all modern VPN systems implement IPsec, and the vast majority of IPsec VPNs use IKE for key exchange. Main Mode is one of the modes defined for phase-1 of the IKE exchange (the other defined mode is aggressive mode). RFC 2409 section 5 specifies that main mode must be implemented, therefore all IKE implementations can be expected to support main mode. Many also support Aggressive Mode.

Building and Installing

  • Run git clone https://github.com/royhills/ike-scan.git to obtain the project source code
  • Run cd ike-scan to enter source directory
  • Run autoreconf --install to generate a viable ./configure file
  • Run ./configure or ./configure --with-openssl to use the OpenSSL libraries
  • Run make to build the project
  • Run make check to verify that everything works as expected
  • Run make install to install (you’ll need root or sudo for this part)

You can download ike-scan here:

master.zip

Or read more here.

Posted in: Cryptography, Hacking Tools, Networking Hacking

Topic: Cryptography, Hacking Tools, Networking Hacking


Latest Posts:


Spaghetti Download - Web Application Security Scanner Spaghetti Download – Web Application Security Scanner
Spaghetti is an Open-source Web Application Security Scanner, it is designed to find various default and insecure files, configurations etc.
Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.
VHostScan - Virtual Host Scanner With Alias & Catch-All Detection VHostScan – Virtual Host Scanner With Alias & Catch-All Detection
VHostScan is a Python-based virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.
Equifax Hack Blamed On Single Employee Equifax Hack Blamed On Single Employee
We wrote about the Equifax Hack, Data Breach and Leak last month, which happened due to a flaw in Apache Struts that for some reason hadn't been patched.
LOIC Hivemind - Low Orbit Ion Cannon LOIC Download – Low Orbit Ion Cannon DDoS Booter
LOIC Download below - Low Orbit Ion Cannon is an Open Source Stress Testing and Denial of Service (DoS or DDoS) attack application written in C#.


vBulletin.com Hacked – Forum User Emails & Encrypted Passwords Leaked

Keep on Guard!


vBulletin.com hacked is the latest news going around, there seems to have been a spate of these lately, with huge numbers of user accounts leaked. Thankfully this time, the passwords are actually hashed, but with what algorithm – we aren’t quite sure. Perhaps someone could figure it out with HashTag.

I do have some vBulletin forums as well, so I got the e-mail below:

“We take your security and privacy very seriously. Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your account.”

Apparently they are using some kind of salted hash, so the password hashes should be fairly robust. But with the speed of hash brute forcing, any weak passwords should be discovered fairly quickly.

Forumware giant vBulletin.com has admitted that it’s been turned over by hackers who made off with customer user IDs and encrypted passwords.

vBulletin said it was resetting account passwords in response the the breach, which it blamed on a series of “sophisticated attacks”:

It’s unclear what form of “password encryption” vBulletin actually used. In particular it’s unknown if the forum followed industry best practice and stored passwords only in a hashed digest format together with a pinch of salt as a defence against rainbow table-style brute-force attempts to decode its (now leaked) user credential database.

In any case, users who inadvisedly choose the same password for vBulletin as elsewhere also need to change their password at the second location – this time to something different from anything they use elsewhere.

Another reminder not to reuse passwords, use weak passwords etc. It comes shortly after some large forums (like MacRumours) were hacked, forums using vBulletin – which leads some to believe there is a pretty nasty 0-day for vBulletin out there.

This has been supported by the fact that such an exploit is for sale on various exploit marketplaces by a group called Inj3ct0r Team. I’ve seen no reports so far though on the validity of the exploit for sale, and could it be what caused these compromises.


The disclosure of a breach at vBulletin comes a week after forum site MacRumors (which runs on vBulletin) was hacked, exposing the credentials of more than 860,000 users. In a statement acknowledging the compromise, MacRumours apologised for the breach and advised commentards to change up their passwords.

The attacks against MacRumors and vBulletin may be linked.

A hacking group called Inj3ct0r Team claimed responsibility for both the MacRumours and vBulletin attacks before offering to sell the vulnerability exploit used – supposedly targeting an unpatched security hole in multiple versions of vBulletin’s server software – for $700 a pop through various exploit marketplaces, The Hacker News reports.

The quality and provenance of the goods on sale remains unclear, but even the possibility that the sale could lead to widespread attacks against online forums has given some site admins the jitters. Hacking conference DEF CON, for one, has suspended its forums as a precaution, pending the availability of a suitable patch; a move it is making out of an abundance of caution and during its quiet season, months before its annual hacker jamboree in Las Vegas.

https://forum.defcon.org/ was also taken down for a while until the whole thing got sorted out. You can find the code for sale on the groups site here for $7000USD:

vBulletin v4.x.x and 5.х.x Shell Upload / Remote Code Execute (0day)

Let’s see who pops next.

Source: The Register

Posted in: Exploits/Vulnerabilities, Web Hacking

Topic: Exploits/Vulnerabilities, Web Hacking


Latest Posts:


Spaghetti Download - Web Application Security Scanner Spaghetti Download – Web Application Security Scanner
Spaghetti is an Open-source Web Application Security Scanner, it is designed to find various default and insecure files, configurations etc.
Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.
VHostScan - Virtual Host Scanner With Alias & Catch-All Detection VHostScan – Virtual Host Scanner With Alias & Catch-All Detection
VHostScan is a Python-based virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.
Equifax Hack Blamed On Single Employee Equifax Hack Blamed On Single Employee
We wrote about the Equifax Hack, Data Breach and Leak last month, which happened due to a flaw in Apache Struts that for some reason hadn't been patched.
LOIC Hivemind - Low Orbit Ion Cannon LOIC Download – Low Orbit Ion Cannon DDoS Booter
LOIC Download below - Low Orbit Ion Cannon is an Open Source Stress Testing and Denial of Service (DoS or DDoS) attack application written in C#.


LANs.py ARP Spoofer – Multithreaded Asynchronous Packet Parsing/Injecting

Outsmart Malicious Hackers


LANs.py is a multithreaded asynchronous packet parsing/injecting ARP spoofer & poisoner.

Individually poisons the ARP tables of the target box, the router and the DNS server if necessary. Does not poison anyone else on the network. Displays all most the interesting bits of their traffic and can inject custom html into pages they visit. Cleans up after itself.

This script uses a python nfqueue-bindings queue wrapped in a Twisted IReadDescriptor to feed packets to callback functions. nfqueue-bindings is used to drop and forward certain packets. Python’s scapy library does the work to parse and inject packets.

Requirements

  • Linux
  • Scapy
  • Python nfqueue-bindings 0.4.3+
  • aircrack-ng
  • Python twisted
  • BeEF (optional)
  • A wireless card capable of promiscuous mode if you choose not to use the -ip option

You can download LANs.py here:

LANs.py

Or read more here.

Posted in: Hacking Tools, Networking Hacking

Topic: Hacking Tools, Networking Hacking


Latest Posts:


Spaghetti Download - Web Application Security Scanner Spaghetti Download – Web Application Security Scanner
Spaghetti is an Open-source Web Application Security Scanner, it is designed to find various default and insecure files, configurations etc.
Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.
VHostScan - Virtual Host Scanner With Alias & Catch-All Detection VHostScan – Virtual Host Scanner With Alias & Catch-All Detection
VHostScan is a Python-based virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.
Equifax Hack Blamed On Single Employee Equifax Hack Blamed On Single Employee
We wrote about the Equifax Hack, Data Breach and Leak last month, which happened due to a flaw in Apache Struts that for some reason hadn't been patched.
LOIC Hivemind - Low Orbit Ion Cannon LOIC Download – Low Orbit Ion Cannon DDoS Booter
LOIC Download below - Low Orbit Ion Cannon is an Open Source Stress Testing and Denial of Service (DoS or DDoS) attack application written in C#.


Cupid Media Hack Exposes 42 Million Passwords In Plain Text

Keep on Guard!


42 Million Passwords – now that’s a big number, and the worst part – they aren’t even hashed. Nope, not at all – not even badly. Apparently the intrusion took place earlier this year, in January 2013 – but there was no public announcement.

The data was found on the same server where the hacked data from some other big heists was stored (Adobe/PR Newswire/NW3C etc). And to make it even worse, at least 10% of the users (which itself is over 4 million) use absolutely terrible passwords – passwords that would have been useless even if they were hashed.

Cupid Media Plain Text Passwords
Image Source: Cupid Media Hack Exposed 42M Passwords

Almost 2 million of the users had the password ‘123456‘ followed by 1.2 million with ‘111111‘ (I’m guessing they had a 6 char minimum password requirement).

A hack on niche online dating service Cupid Media earlier this year has exposed names, e-mail addresses and—most notably—plain-text passwords for 42 million accounts, according to a published report.

The cache of personal information was found on the same servers that housed tens of millions of records stolen in separate hacks on sites including Adobe, PR Newswire, and the National White Collar Crime Center, KrebsonSecurity journalist Brian Krebs reported Tuesday night. An official with Southport, Australia-based Cupid Media told Krebs that user credentials appeared to be connected to “suspicious activity” that was detected in January. Officials believed they had notified all affected users, but they are in the process of double-checking that all affected accounts have had their passwords reset in light of Krebs’s discovery.

The compromise of 42 million passwords makes the episode one of the bigger passcode breaches on record. Adding to the magnitude is the revelation the data was in plaintext, instead of a cryptographically hashed format that requires an investment of time, skill, and computing power to crack.

Standing at 42 million passwords, it is indeed one of the biggest breaches ever – and whoever got hold of this had to put no time, effort or computing power into brute forcing hashes. They just opened the DB dump and had 42 million e-mail addresses and passwords.

With many people re-using their passwords across multiple sites, this is indeed like striking the lottery for hackers.

Back in 2011 when Canadian Dating Site PlentyofFish.com was Hacked, they exposed 30 million user accounts – so they weren’t far behind. Notice any similarities? Yah both dating sites…and both storing passwords in plain text.


Making matters worse, many of the Cupid Media users are precisely the kinds of people who might be receptive to content frequently advertised in spam messages, including male enhancement products, services for singles, and diet pills.

The Cupid Media user records reviewed by Krebs contain the usual assortment of weak passwords. More than 1.9 million accounts were protected by 123456. Another 1.2 million used 111111. Users who used the same e-mail address and password to secure accounts on other sites are vulnerable to hijacking. Word of the Cupid Media compromise follows recent reports of password leaks from a host other sites or companies, including Adobe (150 million reversibly encrypted passwords), MacRumors forums (860,000), and web software developer vBulletin (number not disclosed).

Ars has long advised readers to use a password manager that stores a long, randomly generated password that’s unique for every important site. That way, when breaches hit a particular site, users are left scrambling to change credentials for other accounts that used the same password.

You can read more here too:

Cupid Media Hack Exposed 42M Passwords
42 million passwords exposed following massive dating website hack

Once again, another good reason to use PassPack/LastPass/KeePass etc. It once again reinforces the fact that reusing passwords is a terrible idea, especially when sites like this still exist in 2013 that store your password in plain text.

Source: Ars Technica

Posted in: Exploits/Vulnerabilities, Privacy, Web Hacking

Topic: Exploits/Vulnerabilities, Privacy, Web Hacking


Latest Posts:


Spaghetti Download - Web Application Security Scanner Spaghetti Download – Web Application Security Scanner
Spaghetti is an Open-source Web Application Security Scanner, it is designed to find various default and insecure files, configurations etc.
Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.
VHostScan - Virtual Host Scanner With Alias & Catch-All Detection VHostScan – Virtual Host Scanner With Alias & Catch-All Detection
VHostScan is a Python-based virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.
Equifax Hack Blamed On Single Employee Equifax Hack Blamed On Single Employee
We wrote about the Equifax Hack, Data Breach and Leak last month, which happened due to a flaw in Apache Struts that for some reason hadn't been patched.
LOIC Hivemind - Low Orbit Ion Cannon LOIC Download – Low Orbit Ion Cannon DDoS Booter
LOIC Download below - Low Orbit Ion Cannon is an Open Source Stress Testing and Denial of Service (DoS or DDoS) attack application written in C#.


HashTag – Password Hash Type Identification (Identify Hashes)

Keep on Guard!


HashTag.py is a Python script written to parse and identify the password hash type used.

HashTag supports the identification of over 250 hash types along with matching them to over 110 hashcat modes (use the command line switch -hc to output the hashcat modes). It is also able to identify a single hash, parse a single file and identify the hashes within it, or traverse a root directory and all subdirectories for potential hash files and identify any hashes found.

One of the biggest aspects of this tool is the identification of password hashes. The main attributes used to distinguish between hash types are character set (hexadecimal, alphanumeric, etc.), hash length, hash format (e.g. 32 character hash followed by a colon and a salt), and any specific substrings (e.g. ‘$1$’). A lot of password hash strings can’t be identified as one specific hash type based on these attributes. For example, MD5 and NTLM hashes are both 32 character hexadecimal strings. In these cases the author made an exhaustive list of possible types and has the tool output reflect that.


HashTag

It has three main arguments:

  • Identifying a single hash type (-sh)
  • Parsing and identifying multiple hashes from a file (-f)
  • Traversing subdirectories to locate files which contain hashes and parse/identify them (-d)

Usage:

You can download HashTag here:

HashTag.py

Or read more here.

Posted in: Cryptography, Password Cracking

Topic: Cryptography, Password Cracking


Latest Posts:


Spaghetti Download - Web Application Security Scanner Spaghetti Download – Web Application Security Scanner
Spaghetti is an Open-source Web Application Security Scanner, it is designed to find various default and insecure files, configurations etc.
Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.
VHostScan - Virtual Host Scanner With Alias & Catch-All Detection VHostScan – Virtual Host Scanner With Alias & Catch-All Detection
VHostScan is a Python-based virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.
Equifax Hack Blamed On Single Employee Equifax Hack Blamed On Single Employee
We wrote about the Equifax Hack, Data Breach and Leak last month, which happened due to a flaw in Apache Struts that for some reason hadn't been patched.
LOIC Hivemind - Low Orbit Ion Cannon LOIC Download – Low Orbit Ion Cannon DDoS Booter
LOIC Download below - Low Orbit Ion Cannon is an Open Source Stress Testing and Denial of Service (DoS or DDoS) attack application written in C#.


Linux Backdoor Fokirtor Injects Traffic Into SSH Protocol

Keep on Guard!


Earlier this week we wrote about an Internet Explorer 0-day which used an in-memory drive by attack, which was pretty smart. Now another new type of malware (a backdoor in this case), this time targeting Linux known as Fokirtor.

There is no real discussion of the exploit used to plant this backdoor (if it was an exploit, there are other channels), but the way it operates is pretty interesting and certainly nothing I’ve seen before.

Security researchers have discovered a Linux backdoor that uses a covert communication protocol to disguise its presence on compromised systems.

The malware ‪was used in an attack on a large (unnamed) hosting provider ‬back in May. It cleverly attempted to avoid setting off any alarm bells by injecting its own communications into legitimate traffic, specifically SSH chatter. SSH is a protocol commonly used to access shell accounts on Unix-like operating systems, a continuous activity for remote administration of websites.

The unknown cybercrooks or cyberspies behind that attack apparently targeted customer record information such as usernames, emails, and passwords using the subtle and stealthy malware, according to an analysis of the backdoor by security researchers at Symantec.

In addition, the malware made use of the Blowfish encryption algorithm to encrypt uploads of stolen data or other communications with a command-and-control network.

It’s a pretty interesting method, assuming most Linux servers do have SSH enabled (which they do tend to) – it enables attackers to communicate covertly without setting off any alarms. The part I find really interesting is that the malware uses a pretty serious encryption algorithm (Blowfish), rather than the average backdoor or trojan which just uses XOR or Base64 encoding.

The conspiracists amongst us will likely find this pointing to governmental involvement in the development of this backdoor.


The attackers understood the target environment was generally well-protected. In particular, the attackers needed a means to avoid suspicious network traffic or installed files, which may have triggered a security review. Demonstrating sophistication, the attackers devised their own stealthy Linux backdoor to camouflage itself within the Secure Shell (SSH) and other server processes.
This backdoor allowed an attacker to perform the usual functionality — such as executing remote commands — however, the backdoor did not open a network socket or attempt to connect to a command-and-control server (C&C). Rather, the backdoor code was injected into the SSH process to monitor network traffic and look for the following sequence of characters: colon, exclamation mark, semi-colon, period (“:!;.”).

After seeing this pattern, the back door would parse the rest of the traffic and then extract commands which had been encrypted with Blowfish and Base64 encoded.

Most sources mark this threat as pretty low, and it hasn’t been seen much – so it may have been a very targeted attack and some speculate it may be something to do with the GCHQ/Belgacom case.

It’ll be interesting to see if Fokirtor is found anywhere else, there is some very basic information about it from Symantec here: Linux.Fokirtor and a little more here Linux Back Door Uses Covert Communication Protocol.

In some ways it reminds me of pork knocking – fwknop – Port Knocking Tool with Single Packet Authorization.

Source: The Register

Posted in: Cryptography, Exploits/Vulnerabilities, Networking Hacking

Topic: Cryptography, Exploits/Vulnerabilities, Networking Hacking


Latest Posts:


Spaghetti Download - Web Application Security Scanner Spaghetti Download – Web Application Security Scanner
Spaghetti is an Open-source Web Application Security Scanner, it is designed to find various default and insecure files, configurations etc.
Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.
VHostScan - Virtual Host Scanner With Alias & Catch-All Detection VHostScan – Virtual Host Scanner With Alias & Catch-All Detection
VHostScan is a Python-based virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.
Equifax Hack Blamed On Single Employee Equifax Hack Blamed On Single Employee
We wrote about the Equifax Hack, Data Breach and Leak last month, which happened due to a flaw in Apache Struts that for some reason hadn't been patched.
LOIC Hivemind - Low Orbit Ion Cannon LOIC Download – Low Orbit Ion Cannon DDoS Booter
LOIC Download below - Low Orbit Ion Cannon is an Open Source Stress Testing and Denial of Service (DoS or DDoS) attack application written in C#.