Archive | January, 2016

Fortinet SSH Backdoor Found In Firewalls


So the Fortinet SSH backdoor is, apparently, just a "management authentication issue". Sorry, what's that? To me it looks like a hardcoded-passphrase, admin-level SSH login.

Which is scary.


They are adamantly shouting from the rooftops that it was not planted by a third party (the NSA? Like Juniper...) and was not the result of any kind of malicious activity.

Enterprise security vendor Fortinet has attempted to explain why its FortiOS firewalls were shipped with hardcoded SSH logins.

It appears Fortinet's engineers implemented their own method of authentication for logging into FortiOS-powered devices, and the mechanism ultimately uses a secret passphrase. This code was reverse-engineered by persons unknown, and a Python script to exploit the hole emerged on the Full Disclosure mailing list this week.

Anyone who uses this script against vulnerable firewalls will gain administrator-level command-line access to the equipment. After some outcry on Twitter and beyond, Fortinet responded by saying it has already killed off the dodgy login system.

“This issue was resolved and a patch was made available in July 2014 as part of Fortinet’s commitment to ensuring the quality and integrity of our codebase,” a spokeswoman told El Reg.

“This was not a ‘backdoor’ vulnerability issue but rather a management authentication issue. The issue was identified by our product security team as part of their regular review and testing efforts. After careful analysis and investigation, we were able to verify this issue was not due to any malicious activity by any party, internal or external.”

In a security advisory dated today, Fortinet explained that the issue affects FortiOS versions 4.3.0 to 4.3.16 and 5.0.0 to 5.0.7. This covers FortiOS builds from between November 2012 and July 2014, and it’s certainly possible that some slack IT admins haven’t updated the software since then.


It was actually patched by Fortinet in July 2014, but edge devices like firewalls don't often get updated, as doing so usually causes network downtime. So I'd guess there are plenty of firewalls out there still vulnerable to this, which basically gives full admin access.

You can find the ‘exploit’ script in Python here: SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7

It’s also possible that even if they did update in a timely fashion, their devices could have been breached before the fix was issued.

The login method is used by FortiManager, a tool for controlling any number of Fortinet devices from a central system.

If you are running older code and can’t upgrade, the firewall maker suggests a couple of workarounds. Managers can disable admin access via SSH and use the web interface instead, or the console browser applet for command-line access. If you really need SSH access, then version 5.x can restrict access to SSH to a minimal set of authorized IP addresses.

Whether you call it a backdoor or a “management authentication issue,” it’s still a pretty major issue for some sysadmins, and they are unlikely to be happy about the news.

One significant part of Fortinet's statement was the assertion that this didn't come from an external party. Ever since the Juniper backdooring, security vendors have been at pains to avoid any suggestion that they are allowing intelligence agencies access to their products.

In the meantime, if you are using FortiOS then make sure the firmware is up to date. The news of this hole will have the malicious hacking community aflutter and many are no doubt already scanning for vulnerable targets.

There are some workarounds, but what I'd personally like to see is more transparency about the process and the decisions that led to this code being on production firewalls. How does this even happen?

And how did they only find it during scheduled review and testing? What kind of testing/QA/CI process do they have?

It all sounds rather fishy to me.
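To turn the affected version ranges and the trusted-host workaround quoted above into something an admin can actually check, here is an added Python example (not code from the post, The Register or Fortinet). It assumes the "Version:" line shape printed by FortiOS's `get system status`; the inventory lines, hostnames, build numbers, admin account name and trusted networks are constructed for illustration.

```python
import re

# Affected ranges from the advisory quoted above (inclusive bounds)
AFFECTED = [((4, 3, 0), (4, 3, 16)), ((5, 0, 0), (5, 0, 7))]

# 'get system status' prints a line like 'Version: FortiGate-60D v5.0.7,build0291,140609 (GA)';
# only the vMAJOR.MINOR.PATCH token is parsed here
VERSION_RE = re.compile(r"\bv(\d+)\.(\d+)\.(\d+)")

SAMPLE_STATUS = {  # constructed inventory: hostname -> Version line (builds are made up)
    "fw-branch-01": "Version: FortiGate-60D v5.0.7,build0291,140609 (GA)",
    "fw-branch-02": "Version: FortiGate-60D v4.3.16,build0686,140327 (GA)",
    "fw-dc-01":     "Version: FortiGate-300C v5.2.3,build0670,150318 (GA)",
    "fw-lab-01":    "Version: FortiGate-VM64 v4.3.9,build0535,120626 (GA)",
}

def parse_version(status_line):
    """(major, minor, patch) from a Version line, or None if no version token is present."""
    m = VERSION_RE.search(status_line)
    return tuple(int(x) for x in m.groups()) if m else None

def is_affected(version):
    """Integer-tuple comparison: (4,3,16) is inside the range even though the
    string "4.3.16" sorts before "4.3.9", which a naive string check would get wrong."""
    return any(lo <= version <= hi for lo, hi in AFFECTED)

def triage(inventory):
    """Hostnames whose reported version falls inside an affected range (sorted)."""
    hits = []
    for host, line in inventory.items():
        v = parse_version(line)
        if v is not None and is_affected(v):
            hits.append(host)
    return sorted(hits)

def trusthost_workaround(admin, trusted):
    """FortiOS CLI that pins an admin account to trusted source networks, the 5.x
    restriction the post mentions for boxes that cannot be upgraded yet. The account
    name and networks are assumptions; the shape 'set trusthostN <ip> <netmask>' is
    the config system admin syntax."""
    lines = ["config system admin", f"    edit {admin}"]
    for i, (ip, mask) in enumerate(trusted, start=1):
        lines.append(f"        set trusthost{i} {ip} {mask}")
    lines += ["    next", "end"]
    return "\n".join(lines)
```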

Source: The Register

Posted in: Exploits/Vulnerabilities, Networking Hacking



dnscat2 – DNS Tunnel Tool


dnscat2 is a DNS tunnel tool that creates an encrypted tunnel over the DNS protocol, primarily as a command-and-control (C&C) channel for penetration testers, since outbound DNS is rarely blocked in networks.


This makes it a very effective tunnel out of almost every network.

Overview

dnscat2 comes in two parts: the client and the server.

The client is designed to be run on a compromised machine. It’s written in C and has the minimum possible dependencies. It should run just about anywhere (if you find a system where it doesn’t compile or run, please file a ticket, particularly if you can help me get access to said system).

When you run the client, you typically specify a domain name. All requests will be sent to the local DNS server, which then redirects them to the authoritative DNS server for that domain (which you, presumably, have control of).

If you don’t have an authoritative DNS server, you can also use direct connections on UDP/53 (or whatever you choose). They’ll be faster, and still look like DNS traffic to the casual viewer, but it’s much more obvious in a packet log (all domains are prefixed with “dnscat.”, unless you hack the source). This mode will frequently be blocked by firewalls.


The server is designed to be run on an authoritative DNS server. It's in Ruby, and depends on several different gems. When you run it, much like the client, you specify which domain(s) it should listen for, in addition to listening for messages sent directly to it on UDP/53. When it receives traffic for one of those domains, it attempts to establish a logical connection. If it receives other traffic, it ignores it by default, but can also forward it upstream.

How is it different from…

dnscat2 strives to be different from other DNS tunnelling protocols by being designed for a special purpose: command and control.

This isn’t designed to get you off a hotel network, or to get free Internet on a plane. And it doesn’t just tunnel TCP.

It can tunnel any data, with no protocol attached. Which means it can upload and download files, it can run a shell, and it can do those things well. It can also potentially tunnel TCP, but that’s only going to be added in the context of a pen-testing tool (that is, tunnelling TCP into a network), not as a general purpose tunnelling tool. That’s been done, it’s not interesting (to me).

It’s also encrypted by default. I don’t believe any other public DNS tunnel encrypts all traffic!
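From the defender's side, the two traits described above (a "dnscat." prefix in direct-connection mode, and a stream of fresh, data-bearing subdomains under one zone you don't recognise) are what a resolver's query log will show. The following Python detector is an added example, not part of dnscat2 or this post; it assumes BIND-style query log lines, and the sample lines and the thresholds are constructed.

```python
import math
import re
from collections import Counter, defaultdict

# BIND-style query log line (shape approximated; the sample lines are constructed)
QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)")
DIRECT_PREFIX = "dnscat."  # prefix used by dnscat2's direct-connection mode
# Assumed thresholds (tune to your resolver's baseline): long data-bearing labels,
# near-uniform label entropy (hex tops out at 4.0 bits/char), many fresh names per zone
LABEL_LEN, ENTROPY, UNIQUE_NAMES = 30, 3.5, 5

SAMPLE_LOG = [  # constructed: five tunnel-like queries, then two ordinary ones
    "client 10.0.0.5#40001: query: 0123456789abcdef0123456789abcdef.c2.example.net IN TXT +",
    "client 10.0.0.5#40002: query: 123456789abcdef0123456789abcdef0.c2.example.net IN TXT +",
    "client 10.0.0.5#40003: query: 23456789abcdef0123456789abcdef01.c2.example.net IN CNAME +",
    "client 10.0.0.5#40004: query: 3456789abcdef0123456789abcdef012.c2.example.net IN MX +",
    "client 10.0.0.5#40005: query: dnscat.456789abcdef0123456789abcdef0123.c2.example.net IN TXT +",
    "client 10.0.0.7#40006: query: www.example.com IN A +",
    "client 10.0.0.7#40007: query: mail.example.com IN MX +",
]

def shannon_entropy(s):
    """Bits per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def parse_line(line):
    """{'src', 'qname', 'qtype'} for a query line, None for anything else."""
    m = QUERY_RE.search(line)
    return m.groupdict() if m else None

def split_name(qname):
    """Zone = last two labels (fine for the samples); labels left of it carry any payload."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])

def score_query(qname):
    """Reasons this single name looks like tunnel traffic (empty list if benign)."""
    sub, _zone = split_name(qname)
    reasons = []
    if qname.lower().startswith(DIRECT_PREFIX):
        reasons.append("dnscat prefix")
    longest = max(sub, key=len, default="")
    if len(longest) >= LABEL_LEN:
        reasons.append("long label")
    if shannon_entropy(longest) >= ENTROPY:
        reasons.append("high entropy")
    return reasons

def analyse(lines):
    """Return (flagged {qname: reasons}, zones seeing many distinct subdomains)."""
    names_per_zone = defaultdict(set)
    flagged = {}
    for q in filter(None, map(parse_line, lines)):
        _sub, zone = split_name(q["qname"])
        names_per_zone[zone].add(q["qname"])
        reasons = score_query(q["qname"])
        if reasons:
            flagged[q["qname"]] = reasons
    busy = {z for z, names in names_per_zone.items() if len(names) >= UNIQUE_NAMES}
    return flagged, busy
```

The per-query reasons and the per-zone count are deliberately separate: encrypted payloads defeat content inspection, so the volume of never-before-seen subdomains under a single zone is usually the more durable signal.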

You can download dnscat2 here:

Win32 Client – dnscat2-v0.05-client-win32.zip
Linux x86 Client – dnscat2-v0.05-client-x86.tar.bz2
Linux x64 Client – dnscat2-v0.05-client-x64.tar.bz2
Server – dnscat2-v0.05-server.zip

Or read more here.

Posted in: Networking Hacking



FastIR Collector – Windows Incident Response Tool


FastIR Collector is a Windows incident response tool that extracts classic artefacts such as a memory dump, auto-started software, the MFT, the MBR, scheduled tasks and services, and records the results in CSV files. The tool can also perform targeted acquisitions thanks to its filecatcher, certificate filtering and support for YARA rules.


The "Fast" in the name was chosen because one of the prerequisites set before development began was to be able to perform forensic collections as quickly as possible. A standard collection (without filecatcher or memory dump) takes less than 1 minute 30 seconds on a Windows 7 system.

FastIR is designed to counter the growing size of hard drives: traditional forensics tools can take several hours to make a copy of the data, and the volume of data may be too large for a reasonably speedy analysis.

Features

FastIR looks for various artefacts, including (but not limited to):

  • Drive Identification – Archives all PE files not signed by Microsoft in Windows directories.
  • Persistence Identification – Collects several persistence mechanisms.
  • Named Pipes Identification – Rootkits often use named pipes to communicate between components.
  • Virtual File Systems – Collects & analyses Windows Prefetch files.
  • Malware Identification – Using various artefacts and techniques.
  • Process & Injection Identification – Able to identify various RATs, malware and rootkits from these artefacts.

The full documentation can be found here – FastIR_Documentation.pdf

Requirements

If you aren’t using the prebuilt exe:

  • pywin32
  • python WMI
  • python psutil
  • python yaml
  • construct
  • distorm3
  • hexdump
  • pytz

There is also a more extensive paper about the tool here: FastIR-Collector-on-advanced-threats_v1.5.pdf

You can download FastIR Collector here:

FastIR_x64.exe
FastIR_x86.exe

Or read more here

Posted in: Forensics, Security Software, Windows Hacking



A Look Back At 2015 – Tools & News Highlights


So here we are in 2016, yet still writing 2015 in our chequebooks (yah lolpls like anyone uses cheques any more). Following on from last year and our 2014 summary, here is our 2015 highlights post with interesting happenings over the past 12 months – including tools and news stories.


2015 News Stories

The theme for 2015 seemed to be LARGE SCALE OWNAGE: everything and everyone was getting hacked left, right and center. Right at the start of the year we already had the GHOST vulnerability and a Flash zero-day in the wild, which left us happy to say goodbye to Flash on Facebook towards the end of the year (after their record-breaking patch, which contained 78 CVE-classified vulnerabilities).

One of the big dramas of the year was Hacking Team getting hacked – oh the irony. Other notable stuff would be the vulnerabilities in Jeep cars, the WhatsApp Web vCard vulnerability, and the Hillary Clinton e-mail leak.

It was also the year of mega DDoS attacks, with Telegram suffering a HUGE 200GBps pounding mid-year, then the prolonged, sustained and rather sophisticated DDoS on the crypto-mail service ProtonMail, and to finish the year (and the one that affected me) the multi-day mega DDoS siege on Linode over Xmas and New Year (thanks for wrecking many people's holidays).

Other interesting stuff would be the Dell backdoor root cert fiasco, the TalkTalk hack which they initially tried to downplay and cover up, and Logjam (which was a very interesting attack vector based on the forward secrecy implementation).

2015 Best Hacking Tools

There's been some pretty neat stuff released this year; the tools below are ones I've personally found interesting but that haven't had super high traffic:

You may have overlooked some of these, so do check them out if you did!

You've probably already seen those below in the most viewed list, but if you haven't, check out the list below for the hottest tools in 2015.

Bonus – Top 10 Most Viewed Posts From 2015

  1. Infernal Twin – Automatic Wifi Hacking Tool
  2. EvilFOCA – Network Attack Toolkit
  3. FruityWifi – Wireless Network Auditing Tool
  4. Windows Credentials Editor (WCE) – List, Add & Change Logon Sessions
  5. Hacking Team Hacked – What You Need To Know
  6. Gcat – Python Backdoor Using Gmail For Command & Control
  7. Zarp – Network Attack Tool
  8. ATM Hacked Using Samsung Galaxy S4 & USB Port
  9. Parrot Security OS – Debian Based Security Oriented Operating System
  10. WinRAR Vulnerability Is Complete Bullshit

Enjoy 2016!

Posted in: Site News



Dradis – Reporting Platform For IT Security Professionals


Dradis is an open source reporting platform for IT security, tailored towards the types of information that need to be shared amongst an information security team during a professional engagement. It provides a centralized repository of information using a web interface based client/server architecture.


It also supports 15+ different tools including Burp, Nessus, Nmap, Qualys (listed below).

The goals of the project are to:

  • Share the information effectively.
  • Easy to use, easy to adopt.
  • Flexible: with a powerful and simple extensions interface.
  • Small and portable.
    • You should be able to use it while on site (no outside connectivity).
    • It should be OS independent (no two testers use the same OS).

Features

  • Platform independent
  • Markup support for the notes: text styles, code blocks, images, links, etc.
  • Integration with existing systems and tools:
    • Burp Scanner
    • Metasploit
    • Nessus
    • NeXpose
    • Nikto
    • Nmap
    • OpenVAS
    • OSVDB
    • Retina
    • SureCheck
    • VulnDB
    • w3af
    • wXf
    • Zed Attack Proxy

New in v3.0

  • Support for Issue/Evidence separation
  • New HTML/CSS interface
  • Use BCrypt for password storage.
  • Gemified plugins in external repositories
  • Enhanced background workers
  • New plugins:
    • Export: CSV, PDF
    • Upload: Acunetix, Qualys
  • Rails 4.1

You can download Dradis 3.0.0.rc3 here:

Linux – dradis-3.0.0.rc3-linux-x86.tar.gz
Mac – dradis-3.0.0.rc3-osx.tar.gz

Or read more here.

Posted in: Hacking News, Security Software
