Archive | August, 2016

Emerging Threats ETOpen – Anti-malware IDS/IPS Ruleset



The ETOpen Ruleset is an excellent anti-malware IDS/IPS ruleset that enables users with cost constraints to significantly enhance their existing network-based malware detection. The ETOpen Ruleset is not a full coverage ruleset, and may not be sufficient for many regulated environments and should not be used as a standalone ruleset.


The ET Open ruleset is open to any user or organization, as long as you follow some basic guidelines. The ET Open ruleset is available for download any time without login.

Requirements

To use this ruleset you need an IDS such as Snort or Suricata.

For much deeper information on what you should do, how to tune your ruleset and more, check here:

What Every IDS User Should Do

You can’t and definitely shouldn’t try and run every rule.


Rule Categories

  • Attack-Response Rules – These are designed to catch the results of a successful attack. Things like “id=root”, or error messages that indicate a compromise may have happened. Note: Trojan and virus post-infection activity is generally included in the VIRUS ruleset, not here.
  • BotCC Rules – These are autogenerated from several sources of known and confirmed active Botnet and other Command and Control hosts. Updated daily; the primary data source is Shadowserver.org.
  • Compromised Rules – This is a list of known compromised hosts, confirmed and updated daily as well. This set varies from a hundred to several hundred rules depending on the data sources. This is a compilation of several private but highly reliable data sources. Warning: Snort does not handle IP matches well load-wise. If your sensor is already pushed to the limits, this set will add significant load. We recommend staying with just the BotCC rules in a high load case.
  • Current_Events Rules – These are rules that we don’t intend to keep in the ruleset for long, or that need to be tested before they are considered for inclusion. Most often these will be simple sigs for the Storm binary URL of the day, sigs to catch CLSIDs of newly found vulnerable apps where we don’t have any detail on the exploit, etc. Useful sigs, but not for the long term.
  • DOS Rules – Intended to catch inbound DOS activity, and outbound indications. Relatively self-explanatory.
  • DROP Rules – This is a daily updated list of the Spamhaus DROP (Don’t Route or Peer) list. Primarily known professional spammers. More info at http://www.spamhaus.org
  • DShield Rules – Daily updated list of the DShield top attackers list. Also very reliable. More info at http://www.dshield.org
  • Exploit Rules – Rules to detect direct exploits. Generally if you’re looking for a Windows exploit, Veritas, etc., they’ll be here. Things like SQL injection and the like, while they are exploits, have their own category.
  • Game Rules – World of Warcraft, Starcraft, and other popular online games have sigs here. We don’t intend to label these things evil, just that they’re not appropriate for all environments.
  • Inappropriate Rules – Porn, Kiddy porn, sites you shouldn’t visit at work, etc. Warning: These are generally quite Regex heavy and thus high load and frequent false positives. Only run these if you’re really interested.
  • Malware Rules – My personal favorite. This set was originally intended to be just spyware. That alone is enough for several rule categories, really. The line between spyware and outright malicious bad stuff has blurred too much since we originally started this set. There is more than just spyware in here, but rest assured nothing in here is something you want running on your net or PC. There are URL hooks for known update schemes, User-Agent strings of known malware, and a load of other goodies. If you can only run one ruleset to justify your IDS infrastructure, this is it!
  • P2P Rules – Peer to Peer stuff. Bittorrent, Gnutella, Limewire, you name it. We’re not labeling these things Bad(tm), just not appropriate for all networks and environments.
  • Policy Rules – Rules for things that are often disallowed by company or organizational policy. Myspace, Ebay, that kind of thing.
  • RBN Rules – The Russian Business Network. These rules track the networks they’re known to own and regularly use. Updated whenever information changes.
  • Scan Rules – Things to detect reconnaissance and probing. Nessus, Nikto, portscanning, etc. Early warning stuff.
  • VOIP Rules – A new and emerging ruleset. Small at the moment, but we expect it to grow soon.
  • Web Rules – Some SQL Injection, web server overflows, vulnerable web apps, that kind of thing. Very important if you’re running web servers, and pretty reasonable load.
  • Web-SQL-Injection Rules – This is a large ruleset that intends to catch specific attacks on specific applications. There are some general SQL injection rules that work pretty well to catch most of what’s covered here. But these rules are much more specific to apps and web servers. Run this if you run a highly critical web farm, or are interested in having exact information about incoming web attacks.
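As an added illustration of choosing which of the categories above to actually load (this is not code from Emerging Threats), the Python below parses a handful of constructed Snort/Suricata-syntax rules, groups them by the “ET <CATEGORY>” prefix that ET rules carry in their msg, flags the bracketed IP-list rules that are the expensive ones on a loaded Snort sensor, and produces a disable list. The rules, their sids (9000001 and up), the allowlist and the “high load” policy are invented for the example; the 1:<sid> output is the form a pulledpork-style disablesid.conf accepts.

```python
"""Choose ET rule categories to load and flag load-heavy IP-list rules.

Added example; not code from the Emerging Threats project. Rules below are
constructed (sids 9000001+ are placeholders, not real ET sids).
"""
import re
from collections import Counter

# Constructed sample rules in Snort/Suricata syntax. A leading '#' marks a rule
# that is shipped disabled, which is how ET rulesets turn rules off.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE id check returned root"; flow:established; content:"uid=0|28|root|29|"; sid:9000001; rev:3;)
alert ip $HOME_NET any -> [203.0.113.5,203.0.113.6,203.0.113.7] any (msg:"ET CNC Shadowserver Reported CnC Server group 1"; sid:9000002; rev:1;)
alert ip $HOME_NET any -> [198.51.100.10,198.51.100.11] any (msg:"ET COMPROMISED Known Compromised Host Traffic group 1"; sid:9000003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent EvilBot"; content:"User-Agent|3a| EvilBot"; http_header; sid:9000004; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES Example game client login"; content:"LOGIN"; sid:9000005; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Example disabled rule"; sid:9000006; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT"; content:"UNION"; nocase; sid:9000007; rev:5;)
'''

# action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>alert|drop|reject|pass)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+\S+\s+'
    r'(?:->|<>)\s+(?P<dst>\S+)\s+\S+\s+\((?P<opts>.*)\)\s*$'
)

def category_of(msg):
    """ET rules prefix msg with 'ET <CATEGORY>'; anything else is UNKNOWN."""
    parts = msg.split()
    return parts[1] if len(parts) > 1 and parts[0] == "ET" else "UNKNOWN"

def parse_rule(line):
    line = line.strip()
    if not line or line.startswith("#"):      # blank or shipped-disabled
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    msg = re.search(r'msg:"([^"]*)"', m.group("opts"))
    sid = re.search(r'\bsid:(\d+)', m.group("opts"))
    if not (msg and sid):
        return None
    # A bracketed address list in src or dst is an IP-match rule: the
    # BotCC and Compromised sets are built entirely from these.
    ip_list = m.group("src").startswith("[") or m.group("dst").startswith("[")
    return {"sid": int(sid.group(1)), "msg": msg.group(1),
            "category": category_of(msg.group(1)), "ip_list": ip_list}

def load_rules(text):
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r]

def summarize(rules):
    """Rule count per category, so you can see what a download actually contains."""
    return dict(Counter(r["category"] for r in rules))

def select_rules(rules, enabled_categories, high_load_sensor=False):
    """Split rules into (kept, disabled_sids).

    Categories outside the allowlist are disabled. On a sensor already near
    its limit, IP-list rules other than the CNC (BotCC) set are dropped too,
    following the advice above to stay with just BotCC in a high-load case.
    """
    kept, disabled = [], []
    for r in rules:
        wanted = r["category"] in enabled_categories
        if high_load_sensor and r["ip_list"] and r["category"] != "CNC":
            wanted = False
        (kept if wanted else disabled).append(r)
    return kept, sorted(r["sid"] for r in disabled)

def disablesid_conf(disabled_sids, gid=1):
    """One 'gid:sid' per line, the form a pulledpork-style disablesid.conf accepts."""
    return "".join(f"{gid}:{sid}\n" for sid in disabled_sids)

if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES)
    print("per category:", summarize(rules))
    kept, disabled = select_rules(
        rules, {"ATTACK_RESPONSE", "CNC", "COMPROMISED", "MALWARE", "WEB_SERVER"},
        high_load_sensor=True)
    print(f"loading {len(kept)} rules; disabling {len(disabled)}")
    print(disablesid_conf(disabled), end="")
```

Run against a real emerging-all.rules download, `summarize()` shows how the categories are weighted before you commit a sensor to them, and the disable list is what you feed your rule manager rather than hand-editing the files, which the next update would overwrite.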

The entire ruleset is available for download here:

https://rules.emergingthreats.net/

Or read more here.

Posted in: Countermeasures, Security Software



Latest Posts:

Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to abuse Certificate Transparency logs to get subdomains from an HTTPS website in a few seconds.
testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws
testssl.sh is a free command line tool to test SSL security; it checks a server's service on any port for the support of TLS/SSL ciphers and protocols, as well as recent cryptographic flaws and more.


Bearded – Security Automation Platform



Bearded is an open source Security Automation platform. The platform allows Development, QA, and Security team members to perform automated web security scans with a set of tools, and re-execute those scans as needed. All tools can be executed in the cloud in docker containers. Bearded has a default web interface which integrates all core options and makes it possible to manage large pentests easily.


All tools can be executed in the cloud in a Docker container. Bearded has a faultless web interface which integrates all the core options and allows you to manage large-scale penetration tests easily.



The project is in pre-alpha though, so use at your own risk.

You can download Bearded here:

bearded-0.0.2.zip

Or read more here.

Posted in: Countermeasures, Security Software





An Introduction To Web Application Security Systems



In the world of web application security systems, there exists a myriad of systems to protect public-facing services in any number of ways. They come packed with all the elements necessary to play an action-packed round of buzzword bingo, but they often overlap in ways that can make them seem similar. After the second or third pitch of how each product delivers whatever acronym, it becomes difficult to work out which one you need most.


Well, quite frankly, you probably need all of them.

The potential for overlap can often cause pause for question: Why is one solution not the best fit for all problems? 

This sounds like an absurd question when phrased this way, but as is the case more often than not in IT, this very question is posed in one form or another from management to the security engineering team. In this article, we will provide a brief, high-level breakdown of what each type of web application security system is, and why you likely need a mixture of all of them.

WAF – Web Application Firewall

In the Open Systems Interconnection, or OSI model, a network connection is abstracted into seven layers. A typical firewall may exist on layers 3 or 4, handling border routing or connection gatekeeping, but the most damaging attacks against web services are at the 7th layer, against the web application itself. This is where a Web Application Firewall (WAF) becomes a crucial asset.

Pros

  • Especially in situations where a web application cannot be subjected to a source code audit or other security methods (such as in cases of proprietary, closed-source applications like JIRA or Outlook 365), a WAF can help prevent common attack methods from being executed (like typical cross-site scripting or SQL injection vulnerabilities).
  • Typically adaptive, meaning that it is capable of reacting dynamically to an attack, rather than operating solely on strict thresholds (more usual of a typical firewall). This allows a WAF to apply heuristics to attacks that would otherwise normally escape detection.

Cons

  • A WAF is highly complex due to the incredibly dynamic nature of web application security. Both configuring and maintaining a WAF requires a very deep understanding of the web application being protected, as well as requiring a thorough grasp on common web vulnerabilities to be most effective.
  • A WAF is reactive rather than proactive, meaning it is acting only when triggered by an attack. If a web application is already vulnerable (such as having a 0-day in the code, something that should be discovered and fixed during a scan or source code audit), a WAF can do only so much to protect it – assuming it ‘knows’ how.

If you’re on Amazon, they recently introduced their own WAF solution; there’s also NAXSI and, of course, the evergreen ModSecurity.

SCA – Source Code Audit

The oldest and most mature security methodology in this list, the security source code audit remains a critical core component of a strong security posture to this day because of its invaluable benefits. Code audit is part of a process known as “defensive programming,” where software is designed to be resilient and resistant to invalid data or misuse. Commonly this practice is applied to lower-level languages that have far more restrictive bounds (e.g. strcpy in C), but web applications also have critical bounds that an SCA can detect (such as XSS and SQL injection vulnerabilities).

Pros

  • A source code audit, if executed effectively, will lead software developers and testing teams to discover bugs and, more importantly, vulnerabilities before they make it into production.
  • To reduce impact and delays on deliverables, source code audits can be done real-time during an agile development cycle, especially when using unit and integration testing. These tests can be leveraged for threshold testing, ensuring that data is properly within bounds, sanitized, and that errors are handled appropriately and not leaking information.
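To make the second point concrete, here is an added example (not from any project this article names) of the defensive-programming checks a source code audit looks for, written so they run as unit tests in a CI job: a bounds check on a numeric parameter, a strict allowlist for a username, output encoding before user data is reflected into HTML, and an error path that logs detail server-side but returns only a generic message to the client. The parameter names, the limits and the small handle_request function are invented for the example.

```python
"""Defensive-programming checks of the kind a source code audit looks for,
written so they run as unit tests. Added example; the handler, parameter
names and limits are invented for illustration.
"""
import html
import logging
import re

log = logging.getLogger("app")

MAX_PAGE_SIZE = 100                                # invented bound
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")  # strict allowlist

class InvalidInput(ValueError):
    """Raised for any request value that fails validation."""

def parse_page_size(raw):
    """Bounds check: only a string of digits within 1..MAX_PAGE_SIZE is accepted."""
    if not isinstance(raw, str) or not raw.isdigit():
        raise InvalidInput("page_size must be a positive integer")
    n = int(raw)
    if not 1 <= n <= MAX_PAGE_SIZE:
        raise InvalidInput(f"page_size must be between 1 and {MAX_PAGE_SIZE}")
    return n

def validate_username(raw):
    """Allowlist, not denylist: reject anything outside the permitted alphabet."""
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise InvalidInput("username has invalid characters or length")
    return raw

def render_greeting(display_name):
    """Output encoding: user data reflected into HTML is escaped, so markup
    such as <script> is shown as text instead of being executed (XSS)."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"

def handle_request(params):
    """Return (status, body). Validation detail is logged server-side; the
    client only ever sees a generic message, so errors leak no internals."""
    try:
        size = parse_page_size(params.get("page_size", "20"))
        user = validate_username(params.get("user", ""))
        name = params.get("name", user)
        return 200, {"user": user, "page_size": size, "html": render_greeting(name)}
    except InvalidInput as exc:
        log.info("rejected input: %s", exc)
        return 400, {"error": "invalid request"}
    except Exception:
        log.exception("unhandled error")          # stack trace stays in the log
        return 500, {"error": "internal error"}

def rejects(fn, value):
    """Test helper: True if fn(value) raises InvalidInput."""
    try:
        fn(value)
    except InvalidInput:
        return True
    return False

if __name__ == "__main__":
    # The checks a CI job would run; each maps to a bound, a sanitiser or an error path.
    assert parse_page_size("50") == 50
    assert rejects(parse_page_size, "0") and rejects(parse_page_size, "-5")
    assert rejects(validate_username, "bob'; DROP TABLE users;--")
    status, body = handle_request({"user": "alice", "name": "<script>alert(1)</script>"})
    assert status == 200 and "<script>" not in body["html"]
    print("all checks passed")
```

The value of running these as tests rather than as a one-off review is the point the pro makes: once the assertions exist, every later change that loosens a bound or stops escaping output fails the build instead of waiting for the next audit.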

Cons

  • Source code audits can be done only against assets for which the code is available. Proprietary web applications where the code is closed-source cannot be subjected to the SCA process.
  • A source code audit requires deep familiarity with the code being audited in order to be as thorough as possible. This makes it difficult to properly and effectively apply the SCA process to even open-source projects (such as WordPress) where the code is written by a third party and thus not as familiar to the personnel doing the source code audit.
  • Source code audits are proactive rather than reactive. While this sounds very desirable, it should not be relied upon as the only approach (as is usually the case). Code is infinitely complex, automation suites can only look for patterns (explicit or inferred), and human eyes are even more fallible. With each additional line of code the complexity increases and, thus, so too does the probability of a vulnerability going undetected (a statement deserving of its own eponymous law or adage).

There are various static analysis tools that can help you run code audits such as:

Brakeman – Static Analysis Rails Security Scanner
Codesake::Dawn – Static Code Analysis Security Scanner For Ruby
Graudit – Code Audit Tool Using Grep
Yasca – Multi-Language Static Analysis Toolset
RIPS – Static Source Code Analysis For PHP Vulnerabilities

And more.

Web Application Security Scanners/Web Vulnerability Scanners

A source code audit normally focuses only on the components of the whole application, applying methods of unit or integration testing that simulate certain conditions or data. However, much like how car manufacturers not only test the components but also the assembled car itself, web application security is no different. A thorough test must not only include the components, but the summation of the parts as a whole as well. A web security scanner does just this, emulating real-world traffic (specifically attacks) in order to find areas of weakness.

Pros

  • A scanner may be able to detect vulnerabilities that escape detection during the development phase, including passing a source code audit. This can happen where individual unit tests may not see an error in the way functions or methods are executed, but the summation of these parts run together may yield a vulnerability – something that may be detectable only during a security scan of the web application in full working action.
  • Scanners are proactive and typically employed against code in development or staging environments (rather than in production, although it should be noted that scanning production is always a good idea regardless), which allows them to detect problems before they are discovered by users or, worse, by attackers.
  • Scanners are automated tools that can do the work of hundreds of QA testers in a matter of minutes or hours. Since humans are prone to error and often begin to slip up the more repetitious an action is, a scanner can precisely execute and repeat a test over and over without making a mistake.
  • Good web application security scanners apply heuristics to their scans and discoveries – such as digging deeper and attempting creative attacks upon finding a questionable but not exactly directly exploitable vulnerability – to find previously unknown attack vectors (sometimes called 0-day attacks) that could otherwise likely escape detection in all the other security methodologies mentioned in this article.

Cons

  • Scanners can be invasive, therefore one must be very familiar with the tool prior to running a scan in a live environment.
  • While scanners are proactive, they are also highly dependent upon pattern recognition of known attack vectors. As stated earlier, code is infinitely complex and, as such, vulnerabilities can escape the detection of a scanner (most notably uniquely exploited 0days).

IDP – Intrusion Detection and Prevention

Even with the most thorough and intensive source code audit, web vulnerability scan, and adaptive web application firewall, there still exists potential for a hacker to compromise a system.  As stated previously, humans are fallible and problems can still slip through.  If a web application or ancillary system (such as a database or key/value store) is connected to the Internet, directly or indirectly, one should assume it can be compromised, no matter what protections you put in place.  Intrusion detection and prevention exists to find and limit when this happens.

Pros

  • When tightly coupled with monitoring and off-machine logging in general, a well-configured IDP can provide immediate, deep insight into an intrusion that is being attempted or has successfully been committed. This allows a first-level response team to work far quicker in discovering and mitigating a threat before it becomes a more serious problem.
  • An IDP provides a thorough mechanism of proving compliance with various regulations and standards, such as the Payment Card Industry Data Security Standard (PCI DSS). Not only are intrusion detection and prevention systems sometimes a requirement in general (like with PCI DSS), but they act as an efficient tool during audits to demonstrate a strong security posture.

Cons

  • Much like web application firewalls, IDPs are highly complex and require finely-tuned configuration and testing in order to be effective. Too restrictive and you will end up ignoring your IDP due to all the false-positives; too permissive and you may end up missing an intrusion when it happens.
  • Also like web application firewalls, intrusion detection and prevention is mostly reactive rather than proactive, meaning it is acting only when triggered by an attack. If a web application is already vulnerable (such as having a 0-day in the code, something that should be discovered and fixed during a scan or source code audit), a properly configured IDP should notify the appropriate people immediately. But even in doing so, once an attacker has gained access, a lot of damage – especially to reputation – has likely already been done.

There are various options here too like:

Smooth-Sec – IDS/IPS (Intrusion Detection/Prevention System) In A Box
pytbull – Intrusion Detection/Prevention System (IDS/IPS) Testing Framework
Suricata – Open Source Next Generation Intrusion Detection and Prevention Engine
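The first pro above, “immediate, deep insight” from an IDP coupled with off-machine logging, only materialises if someone turns raw alerts into per-host decisions. As an added example (not part of Suricata or any tool listed here), the Python below parses constructed alert lines in the fast.log format that Suricata and Snort write, attributes each alert to the internal host involved, and assigns a triage verdict: an attack-response alert following a web attack on the same host is escalated as a succeeded attack, a CnC/compromised/malware hit as a possible infection. The log lines, addresses and sids (9000001 and up) are made up; HOME_NET is assumed to be 10.0.0.0/8 and alerts are classified by the “ET <CATEGORY>” prefix in their msg.

```python
"""Triage Suricata/Snort fast.log alerts per internal host.

Added example, not part of Suricata or any tool named above. The log lines,
IP addresses and sids (9000001+) are constructed; HOME_NET is assumed to be
10.0.0.0/8 and the ET "<CATEGORY>" msg prefix is used to classify alerts.
"""
import ipaddress
import re
from datetime import datetime

HOME_NET = ipaddress.ip_network("10.0.0.0/8")   # assumption for the example

# Constructed alert lines in fast.log format (the last line is deliberately malformed).
SAMPLE_FAST_LOG = """\
08/19/2016-10:22:31.102938  [**] [1:9000002:1] ET CNC Shadowserver Reported CnC Server group 1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:49152 -> 203.0.113.5:443
08/19/2016-10:23:02.554120  [**] [1:9000007:5] ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 203.0.113.9:51000 -> 10.0.0.20:80
08/19/2016-10:23:04.001200  [**] [1:9000001:3] ET ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 1] {TCP} 10.0.0.20:80 -> 203.0.113.9:51000
08/19/2016-10:24:10.778000  [**] [1:9000002:1] ET CNC Shadowserver Reported CnC Server group 1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:49160 -> 203.0.113.5:443
08/19/2016-10:25:41.300000  [**] [1:9000008:2] ET POLICY Example policy violation [**] [Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP} 10.0.0.7:40000 -> 203.0.113.40:80
this line is not a fast.log alert
"""

FAST_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+'
    r'\{(?P<proto>[^}]+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$'
)

def category_of(msg):
    """ET rules prefix msg with 'ET <CATEGORY>'; anything else is UNKNOWN."""
    parts = msg.split()
    return parts[1] if len(parts) > 1 and parts[0] == "ET" else "UNKNOWN"

def parse_fast_log(text):
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue            # malformed lines are skipped, not fatal
        alerts.append({
            "time": datetime.strptime(m.group("ts"), "%m/%d/%Y-%H:%M:%S.%f"),
            "sid": int(m.group("sid")), "msg": m.group("msg"),
            "category": category_of(m.group("msg")), "priority": int(m.group("prio")),
            "src": m.group("src"), "dst": m.group("dst"),
        })
    return alerts

def internal_host(alert):
    """The $HOME_NET side of the flow, or None if neither end is internal."""
    for ip in (alert["src"], alert["dst"]):
        if ipaddress.ip_address(ip) in HOME_NET:
            return ip
    return None

def summarize_by_host(alerts):
    hosts = {}
    for a in alerts:
        host = internal_host(a)
        if host is None:
            continue
        h = hosts.setdefault(host, {"count": 0, "top_priority": 99, "sids": set(),
                                    "categories": set(), "first": a["time"], "last": a["time"]})
        h["count"] += 1
        h["top_priority"] = min(h["top_priority"], a["priority"])   # 1 is most severe
        h["sids"].add(a["sid"])
        h["categories"].add(a["category"])
        h["first"] = min(h["first"], a["time"])
        h["last"] = max(h["last"], a["time"])
    return hosts

VERDICT_RANK = {"escalate: attack succeeded": 0, "escalate: possible infection": 1,
                "investigate": 2, "monitor": 3}

def verdict(host_info):
    cats = host_info["categories"]
    if "ATTACK_RESPONSE" in cats:          # the attack already got a result back
        return "escalate: attack succeeded"
    if cats & {"CNC", "COMPROMISED", "MALWARE"}:
        return "escalate: possible infection"
    if host_info["top_priority"] <= 2:
        return "investigate"
    return "monitor"

def triage(alerts):
    """Per-host rows ordered by severity; each row is plain data that can be
    shipped to off-machine logging or a ticketing system."""
    rows = []
    for host, info in summarize_by_host(alerts).items():
        rows.append({"host": host, "verdict": verdict(info), "alerts": info["count"],
                     "top_priority": info["top_priority"], "sids": sorted(info["sids"]),
                     "categories": sorted(info["categories"]),
                     "window": (info["first"].isoformat(), info["last"].isoformat())})
    rows.sort(key=lambda r: (VERDICT_RANK[r["verdict"]], -r["alerts"], r["host"]))
    return rows

if __name__ == "__main__":
    for row in triage(parse_fast_log(SAMPLE_FAST_LOG)):
        print(row)
```

The ordering is the design choice worth noting: a single priority-1 CnC hit is serious, but the web server that was probed and then answered with an “id=root” style response is the one that has already been compromised, so it sorts first regardless of alert count. Running this on the sensor itself defeats the purpose; the rows should be produced from logs that have already left the machine.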

Summary of Web Application Security Systems

As demonstrated above, there is indeed some overlap between all these web application security solutions, so it is easy to see how one could think that not all are necessary. However, also as demonstrated above, there are many things that are highly unique to each solution. The overlap is also a good thing. A source code audit and web vulnerability scanner, for example, may both highlight similar potential problems, but they do so in largely different ways. What may be discoverable during an SCA may go undetected by a scanner, and vice versa.

The overlap, therefore, is actually a net gain in the end. Not only will each solution in combination provide many tangible benefits for the security posture of the web application, but they also act as a sort of check against each other, ensuring that what goes missed in one solution may be detected in another. Indeed, the most appropriate response is to, wherever possible, implement all of the aforementioned solutions, not just some.

Posted in: Countermeasures





IGHASHGPU – GPU Based Hash Cracking – SHA1, MD5 & MD4



IGHASHGPU is an efficient and comprehensive command line GPU based hash cracking program that enables you to retrieve SHA1, MD5 and MD4 hashes by utilising ATI and nVidia GPUs.


It even works with salted hashes, making it useful for MS-SQL, Oracle 11g, NTLM passwords and others that use salts.

IGHASHGPU is meant to function with ATI RV 7X0 and 8X0 cards, as well as any nVidia CUDA video cards, providing a variable speed in accordance with the user’s GPU. The program also features a ‘-cpudontcare’ option that allows you to tell IGHASHGPU that it can use the maximum level of GPU, without any particular regard for CPU usage.

At the same time, you can set a temperature threshold for tracking your hardware (‘-hm’), so you can make sure to desist from any activity that causes your system to go over the permitted value (the default is 90 degrees Celsius).

It also has a feature that lets you set the block size so as to adjust the video response time and reduce any possible lags; if on the other hand, this is a characteristic that does not bother you in any particular way, you can input a higher value (as IGHASHGPU supports block sizes ranging between 16 and 23).

Hashes Supported for Cracking

As IGHASHGPU supports salted hashes it’s possible to use it for:

  • Plain MD4, MD5, SHA1.
  • NTLM
  • Domain Cached Credentials
  • Oracle 11g
  • MySQL5
  • MSSQL
  • vBulletin
  • Invision Power Board

Supported Cards/Requirements

  • Only currently supported ATI cards are:
    • HD RV7X0
    • RV830/870
    • 4550
    • 4670
    • 4830
    • 4730
    • 4770
    • 4850
    • 4870
    • 4890
    • 5750
    • 5770
    • 5850
    • 5870
  • Catalyst 9.9+ must be installed.
  • Only supported nVidia cards are the ones with CUDA support, i.e. G80+.
  • Systems with multiple GPUs supported.


You can download IGHASHGPU here:

ighashgpu_v0.80.16.1.zip

Or read more here.

Posted in: Hacking Tools, Password Cracking





PowerOPS – PowerShell Runspace Portable Post Exploitation Tool



PowerOPS is a PowerShell Runspace Portable Post Exploitation Tool aimed at making Penetration Testing with PowerShell “easier”. It is an application written in C# that does not rely on powershell.exe but runs PowerShell commands and functions within a PowerShell runspace environment (.NET). It intends to include multiple offensive PowerShell modules to make the process of post exploitation easier.


It tries to follow the KISS principle, being as simple as possible. The main goal is to make it easy to use PowerShell offensively and help to evade antivirus and other mitigation solutions. It does this by:

  1. Not relying on powershell.exe: it calls PowerShell directly through the .NET framework, which might help bypass security controls like GPO, SRP and AppLocker.
  2. Executing the payloads from memory so they never touch disk, evading most antivirus engines.

Since PowerOPS offers basically an interactive PowerShell command prompt you are free to use the PowerShell tools included the way you want, and additionally execute any valid PowerShell command.

What’s Inside The Runspace

  • PowerShellMafia/Powersploit
    • Get-Keystrokes
    • Invoke-DllInjection
    • Invoke-Mimikatz
    • Invoke-NinjaCopy
    • Invoke-Shellcode
    • Invoke-ReflectivePEInjection
    • Invoke-TokenManipulation
    • Invoke-WMICommand
    • PowerUp
    • PowerView
  • Nishang
    • Get-Information
    • Get-PassHashes
    • Port-Scan
  • Auto-GPPPassword
  • PowerCat
  • Empire
    • Invoke-Psexec
    • Invoke-SSHCommand
  • mimikittenz
  • SMBAutoBrute
  • PowerUpSQL

Additionally you can run any valid PowerShell command.


Powershell functions within the Runspace are loaded in memory from Base64 Encoded Strings.

Usage

Just run the binary and type ‘show’ to list available modules.

You can download PowerOPS here:

PowerOPS-v1.0-beta.zip

Or read more here.

Posted in: Hacking Tools





Shadow Brokers NSA Hack Leaks 0-day Vulnerabilities



Right now there’s a ton of people talking about the NSA hack: the severity, the repercussions and the value of what has been leaked. It seems the 0-day exploits in the cache of stolen data aren’t super recent, as they appear to date from 2013.


But even so, some of them haven’t been patched as both Cisco and Fortinet have warned customers about the vulnerabilities revealed in the data posted by Shadow Brokers.

A group calling itself the Shadow Brokers has started an online auction for top-of-the-range tools it claims were stolen from the Equation Group, a digital attack squad linked to the NSA.

The Shadow Brokers posted up news of the auction saying (in broken English) that they had been monitoring the Equation Group’s servers, had stolen the advanced hacking tools, and will auction them off to the highest bidder. The group said that if it gets Bitcoins worth $1m they will release the tools for free to everyone.

“We want make sure Wealthy Elite recognizes the danger cyber weapons, this message, our auction, poses to their wealth and control. Let us spell out for Elites. Your wealth and control depends on electronic data,” the group said [the link has since been taken down].

“You see what ‘Equation Group’ can do. You see what cryptolockers and stuxnet can do. You see free files we give for free. You see attacks on banks and SWIFT in news. Maybe there is Equation Group version of cryptolocker+stuxnet for banks and financial systems?”

Claims about stuff like this being for sale online are often fake, so to prove their case the group posted sample code online, which it says is around 40 per cent of the total. Postings on GitHub and other download sites have since been taken down, but not before some people got copies.


Now it seems the NSA wasn’t hacked directly, but via an agency called the Equation Group, which is believed to be a digital cyber-terrorism arm of the NSA.

Even so, it brings up some well-debated issues about the NSA reporting zero-day flaws to vendors rather than hoarding them (which the White House promised it would stop doing).

A preliminary analysis shows the revealed list seems to be focusing on router flaws, some of them quite old. Some files also share names with exploits listed in the NSA’s Tailored Access Operations hacking team’s catalogue for agents, revealed in 2013 by Edward Snowden.

Kaspersky, which first linked the Equation Group to the NSA, said it was analyzing the files but had no clue as to their veracity as yet. Timo Steffens, a member of the German CERT-Bund team, is taking a skeptical line, although he acknowledged that if this is a fake, the scammers had put in a lot of effort.

Initial analysis by the likes of Kaspersky Labs, NSA whistleblower Edward Snowden, and a host of independent security researchers shores up claims by a hacking group calling itself the Shadow Brokers that the exploits and toolsets it hopes to auction for millions of dollars in Bitcoins are legitimate Equation Group weaponry.

Kaspersky Labs last year revealed the Equation group to be almost certainly a state-sponsored actor and, according to deep analysis of its activities, highly likely to be a wing of the National Security Agency given a series of very striking operational and technical similarities.

The Shadow Brokers group seems likely to originate from Russia, so this is possibly a nation state vs nation state attack at the highest levels of each country’s intelligence agencies.

It’s an interesting story and it’s creating a lot of news and drama. It’s a tough call for the NSA, as it has to maintain its attack capabilities against Russia and China whilst also balancing the health of American commerce and the safety of all the users utilising equipment from those vendors.

Source: The Register

Posted in: Exploits/Vulnerabilities, Hacking Tools


