Monday, October 31, 2011

THC SSL DOS

Today the German hacker group “The Hacker’s Choice” officially released a new DDoS tool. The tool exploits a weakness in SSL to kick a server off the Internet.

Technical details can be found at http://www.thc.org/thc-ssl-dos.

“We decided to make the official release after realizing that this tool leaked to the public a couple of months ago” said a member of THC who wants to remain anonymous.

The tool departs from traditional DDoS tools: it does not require any bandwidth and needs just a single attack computer (“bot”).

“We are hoping that the fishy security in SSL does not go unnoticed. The industry should step in to fix the problem so that citizens are safe and secure again. SSL is using an aging method of protecting private data which is complex, unnecessary and not fit for the 21st century,” says a THC member, referring to 3 major vulnerabilities disclosed in SSL over the past 3 years.

Read full article:
http://thehackerschoice.wordpress.com/2011/10/24/thc-ssl-dos/

To download:
http://www.thc.org/thc-ssl-dos/

Wednesday, October 12, 2011

OWASP Mantra Security Toolkit - 3rd Beta

Mantra is a dream that came true. It is a collection of free and open source tools integrated into a web browser, which can come in handy for students, penetration testers, web application developers, security professionals etc. It is portable, ready-to-run, compact and follows the true spirit of free and open source software. Mantra is a security framework which can be very helpful in performing all the five phases of attacks, including reconnaissance, scanning and enumeration, gaining access, escalation of privileges, maintaining access, and covering tracks. Apart from that it also contains a set of tools targeted at web developers and code debuggers, which makes it handy for both offensive and defensive security tasks.

Mantra is light, flexible, portable and user friendly with a nice graphical user interface. You can carry it on memory cards, flash drives, CD/DVDs, etc. It can be run natively on Linux, Windows and Mac platforms. It can also be installed onto your system within minutes. Mantra is absolutely free of cost and takes no time for you to set up.

The third beta of OWASP Mantra Security Toolkit has been released. One of the main features of this version is multi-language support. Mantra now supports Hindi and Spanish, in addition to English. If you can give us a helping hand by translating Mantra into more languages, feel free to contact us; we look forward to seeing you in Team Mantra. This version is based on Firefox 7.0.1 and comes with some new extensions which you will definitely find useful. One of the other changes is renaming the "Ayudha" menu back to "Tools". We are all comfortable with "Tools" and we decided to keep it intact.
Download the file:
http://www.getmantra.com/download/index.html

Backdoor Trojan alleged to have been created and used by German law enforcement authorities

Under German law, the police are allowed to use spyware to snoop on suspected criminals – but only under strict guidelines. The spyware must not alter any code on the suspect’s computer and safeguards must be put in place to prevent the Trojan being subverted to include additional functionality.

The Chaos Computer Club (CCC) has announced the discovery of a backdoor Trojan horse that is capable of spying on online activity such as recording Skype conversations and monitoring online behaviour. The CCC implies that the malware was created for, and is being used by, German law enforcement authorities such as the BKA and LKA.

Sophos’s analysis of the malware confirms that it has the following functionality:
* The Trojan can eavesdrop on several communication applications - including Skype, MSN Messenger and Yahoo Messenger
* The Trojan can log keystrokes in Firefox, Opera, Internet Explorer and SeaMonkey
* The Trojan can take JPEG screenshots of what appears on users' screens and record Skype audio calls
* The Trojan attempts to communicate with a remote website

“While it’s not possible to *prove* who authored the malware, it’s beginning to look more and more likely that the German authorities were involved,” said Graham Cluley, senior technology consultant at Sophos. “The malware targets Windows computers and to become infected, you typically might receive an email containing an attached file, or a link to the web which would then infect the computer. SophosLabs detects all malware that we know about – regardless of who the author might be. So whether this malware is state-sponsored or not, we’ve added protection against this attack.”

Source: SecurityPark

Monday, October 10, 2011

Facebook's URL scanner is vulnerable to cloaking attacks

Members of a hacking think-tank called Blackhat Academy claim that Facebook's URL scanning systems can be tricked into thinking malicious pages are clean by using simple content cloaking techniques.
Such attacks involve Web pages filtering out requests that come from specific clients and feeding them content that is different from what is displayed to regular users.
Attackers have been using this method to poison search results on Google for years now by serving keyword-filled pages to its indexing robot, but redirecting visitors to malware when they click on the links. However, it turns out that Facebook is also vulnerable to this type of content forging. "Hatter," one of the Blackhat Academy members, provided a live demonstration, which involved posting the URL to a JPEG file on a wall.
Facebook crawled the URL and added a thumbnail image to the wall post; however, clicking on its corresponding link actually redirected users to YouTube. This happened because the destination page was able to identify Facebook's crawler request and served it a JPEG file, while serving a redirect to everyone else.

"While most major sites that allow link submission are vulnerable to this method, sites including Websense, Google+ and Facebook make the requests easily identifiable," the Blackhat Academy hackers said.
"These sites send an initial request to the link in order to store a mirror thumbnail of the image, or a snapshot of the website being linked to. In doing so, many use a custom user agent, or have IP addresses that resolve to a consistent domain name," they explained.
Earlier this week, Facebook signed a partnership with Websense to use the security vendor's cloud-based, real-time Web scanner for malicious URL detection. Blackhat Academy has now provided proof-of-concept code, which, according to its advisory, can be used to bypass it.
Websense doesn't believe that to be the case. "This is nothing new. We use numerous methodologies and systems to ensure that our analysis of content (in real time) is not manipulated by malware authors, including using IP addresses not attributable to Websense so that malware authors are unaware that it is Websense analyzing the content," the company said.
"Also, the Websense ThreatSeeker Network is fed via an opt-in feedback loop from tens of thousands of customers distributed globally. These IPs are also not attributable to Websense.com. It is because of technologies like this that Facebook chose Websense to provide protection for their growing user base of more than 750 million users," it added.
That could well be true, but it's worth keeping in mind that Websense primarily sells security solutions to businesses and Facebook is usually blocked on many corporate networks. It would be logical to assume that relying on its customers' appliances to scan URLs on the social networking website might not have an immediate impact.
Hatter says that as a security research outfit Blackhat Academy follows responsible disclosure and notified Facebook of the content cloaking issue at the end of July. Despite this, the method still works.

"We're well aware of the content forgery technique described and have built protections into our systems to account for it," a Facebook spokesman said via email.
"The content returned when we crawl a shared link is only one of many signals we use to combat spam and abuse on Facebook. We know that this content can change between visits, and therefore can't always be trusted, and our systems account for that," he added.
Earlier this year, Facebook signed a partnership with Web of Trust (WOT), an organization that maintains a community-driven spam URL block list. However, it's well-known that blacklisting is not very efficient and there can be a significant window of exposure between the time when a URL starts being spammed and the time when it's flagged by such a system.
At the very least, content cloaking can be a powerful social engineering technique. A link with a .jpg termination accompanied by a thumbnail can look harmless enough to trick a lot of users into clicking on it.

Facebook and Websense are not the only ones with this problem. Google+ and Digg are also vulnerable to cloaking attacks, but other sites such as Twitter have developed strong protections against them. 


Source: http://www.networkworld.com/news/2011/100711-facebooks-url-scanner-is-vulnerable-251737.html
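The countermeasure the article attributes to Twitter and to Websense (re-fetching a link from an identity the cloaking page cannot recognise, then comparing what each identity saw) can be written down as a small check. The following is an added example, not code from the article, from Facebook or from Blackhat Academy; the fetcher, the User-Agent strings and the two stand-in servers are constructed for the demonstration, and a real deployment would also vary the source IP, which is the second signal the article says cloaking pages key on.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Response:
    """The parts of an HTTP fetch that a link scanner should compare."""
    status: int
    final_url: str      # URL reached after following redirects
    content_type: str   # Content-Type header as sent
    body: bytes


# A fetcher maps (url, user_agent) to a Response; in production this wraps a
# real HTTP client, here it is replaced by constructed stand-in servers.
Fetcher = Callable[[str, str], Response]

JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 28   # constructed stand-in for image bytes

# Constructed identities: the one the scanner normally advertises, and
# non-attributable ones it uses for the comparison fetches.
SCANNER_UA = "LinkScanner/1.0 (constructed)"
REFERENCE_UAS = ["Mozilla/5.0 (Windows NT 6.1) constructed-browser",
                 "curl/7.21 constructed"]


def constructed_cloaking_server(url: str, user_agent: str) -> Response:
    """Stand-in for the behaviour the article describes: the scanner, recognised
    by its User-Agent, gets a JPEG; any other client is redirected elsewhere."""
    if user_agent.startswith("LinkScanner/"):
        return Response(200, url, "image/jpeg", JPEG_SAMPLE)
    return Response(200, "https://video.example/watch?v=constructed", "text/html",
                    b"<html><body>not an image</body></html>")


def constructed_honest_server(url: str, user_agent: str) -> Response:
    """Stand-in for a page that serves the same JPEG to every client."""
    return Response(200, url, "image/jpeg", JPEG_SAMPLE)


def _digest(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def _media_type(content_type: str) -> str:
    # Compare only the media type; charset and boundary parameters may vary legitimately.
    return content_type.split(";")[0].strip().lower()


def cloaking_findings(fetch: Fetcher, url: str, scanner_ua: str,
                      reference_uas: List[str]) -> List[str]:
    """Fetch the link under the scanner's own identity and under each reference
    identity, and report every disagreement in status, final URL, media type or
    body. An empty list means all identities saw the same thing; anything else
    is a signal to distrust the thumbnail rather than display it as harmless."""
    baseline = fetch(url, scanner_ua)
    findings: List[str] = []
    for ua in reference_uas:
        seen = fetch(url, ua)
        if seen.status != baseline.status:
            findings.append(f"{ua}: status {seen.status} vs {baseline.status}")
        if seen.final_url != baseline.final_url:
            findings.append(f"{ua}: final URL {seen.final_url} vs {baseline.final_url}")
        if _media_type(seen.content_type) != _media_type(baseline.content_type):
            findings.append(f"{ua}: media type {seen.content_type} vs {baseline.content_type}")
        elif _digest(seen.body) != _digest(baseline.body):
            findings.append(f"{ua}: body differs under same media type")
    return findings


if __name__ == "__main__":
    for name, server in (("cloaking", constructed_cloaking_server),
                         ("honest", constructed_honest_server)):
        print(name, cloaking_findings(server, "https://example.com/photo.jpg",
                                      SCANNER_UA, REFERENCE_UAS))
```

The check deliberately compares the final URL before the body: a page that answers the scanner with a JPEG and redirects everyone else, as in the demonstration on the wall post, is caught by the redirect alone, so the body comparison only has to settle the cases where both identities land on the same URL.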

Tuesday, October 04, 2011

OWASP Zed Attack Proxy (ZAP) 1.3.3

The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester's toolbox.
The current version of ZAP is 1.3.3.

For more information about ZAProxy:
http://code.google.com/p/zaproxy/ 

Monday, October 03, 2011

JBoss, JMX Console, misconfigured DeploymentScanner

Exploit Title: JBoss, JMX Console, misconfigured DeploymentScanner

Date: Oct 3 2011
Author: y0ug codsec.com
Version:
Tested on: Linux
CVE : CVE-2010-0738

POC against misconfigured JBoss JMX Console
It uses the addUrl method of the DeploymentScanner module.

More information
http://packetstormsecurity.org/files/download/105479/JBossWhitepaper.pdf
http://poc-hack.blogspot.com/2011/02/how-to-hack-any-version-of-jboss.html

You need to edit
# $url_cmd to match the war payload url
# $url_shell is your reverse shell url
( only if you want to use reverse_shell("ip", "port") )

The JSP shell is not mine; it is available everywhere.
I added a -b param that builds the war container; to do this you need Java.
It is a fast POC coded this morning for fun, so maybe it doesn't cover all cases/versions.

Usage:
Build the war container (needs Java)
# ./jboss -b
Hack
#  ./jboss http://www.vuln.com:8080

For more information, please refer to this ExploitDB link:
http://www.exploit-db.com/exploits/17924/

You can also refer to this whitepaper, JBoss Exploitation:
http://www.exploit-db.com/download_pdf/17915

WAVSEP - Web Application Vulnerability Scanner Evaluation Project

A vulnerable web application designed to help assess the features, quality and accuracy of web application vulnerability scanners.
This evaluation platform contains a collection of unique vulnerable web pages that can be used to test the various properties of web application scanners.
Additional information can be found in the developer's blog: http://sectooladdict.blogspot.com/
Project WAVSEP currently includes the following test cases:

Vulnerabilities:
  • Reflected XSS: 66 test cases, implemented in 64 jsp pages (GET & POST)
  • Error Based SQL Injection: 80 test cases, implemented in 76 jsp pages (GET & POST)
  • Blind SQL Injection: 46 test cases, implemented in 44 jsp pages (GET & POST)
  • Time Based SQL Injection: 10 test cases, implemented in 10 jsp pages (GET & POST)
False Positives:
  • 7 different categories of false positive Reflected XSS vulnerabilities (GET & POST)
  • 10 different categories of false positive SQL Injection vulnerabilities (GET & POST)
Additional Features:
  • A simple web interface for accessing the vulnerable pages
  • Sample detection & exploitation payloads for each and every test case
  • Database connection pool support, ensuring the consistency of scanning results
Although some of the test cases are vulnerable to additional exposures, the purpose of each test case is to evaluate the detection accuracy of one type of exposure, and thus, “out of scope” exposures should be ignored when evaluating the accuracy of vulnerability scanners.

To see more information and download this tool:
http://code.google.com/p/wavsep/downloads/list

Arachni v0.3 is out!

Arachni v0.3 brings a dramatic improvement in the detection accuracy of Reflected XSS exposures, and a dramatic improvement in the detection accuracy of SQL Injection exposures (verified on MySQL).

Arachni uses various techniques to compensate for the widely heterogeneous environment of web applications.
This includes a combination of widely deployed techniques (taint-analysis, fuzzing, differential analysis, timing/delay attacks) along with novel technologies (rDiff analysis, modular meta-analysis) developed specifically for the framework.
This allows the system to make highly informed decisions using a variety of different inputs; a process which diminishes false positives and even uses them to provide human-like insights into the inner workings of web applications.

Version v0.3 has just been released and it includes a lot of goodies including:
  • A new custom-written, lightweight Spider
  • Add-on support for the WebUI
    • Scan scheduler
    • AutoDeploy -- Convert any SSH enabled Linux box into a Dispatcher
  • Improved accuracy of differential analysis audits
  • Improved accuracy of timing attack audits
  • Highly optimized timing attacks
For more information about this scanner, please see this link:
http://arachni.segfault.gr/news

To download Arachni:
https://github.com/Zapotek/arachni/downloads

HITB SecConf2011 Malaysia (October 10 to 13)

Run as a not-for-profit, community-backed effort, the Hack in The Box Security Conference (HITBSecConf) series has become the ‘must attend’ event in the calendars of security professionals from around the world.
Having started as a small gathering of Malaysian security specialists in 2002, the event has since expanded out of its home base in Kuala Lumpur to Dubai and in 2010, The Netherlands. Our events are put together by a team of dedicated crew and volunteers and through the continued support of our sponsors, HITBSecConf has grown into the largest network security conference in the Asia Pacific and Middle East region!
The main aim of our conferences has always been to enable the dissemination, discussion and sharing of deep knowledge network security information. Our main focus is on new and groundbreaking attack and defense methods that have not been seen or discussed in public before. HITBSecConf events bring together a unique mix of security professionals, researchers, law enforcement and members of the hacker underground under one roof and our flagship event in Malaysia sees over 1000 attendees.
The event runs over a 4 day period with 2 days of intensive hands-on training sessions followed by a two-day conference with either three or four concurrent tracks, inclusive of a hands-on lab session (HITB Labs) and 15 minute lightning talks (HITB SIGINT). The HITB Labs cater for only 50-100 attendees and these sessions are intensive, hands-on presentations that require audience interaction. The HITB SIGINT (Signal Intelligence/Interrupt) sessions, on the other hand, are designed to provide a quick 15 minute overview of material and research that's 'up and coming' - stuff that isn't quite ready for the mainstream tracks of the conference but deserves a mention nonetheless.
In addition to the conference tracks, our events are also further enhanced with an open-to-public technology and exhibition area, lock picking villages, hackerspace villages and of course, our ever popular Capture The Flag competition (CTF)!

For more information about the agenda and speakers, please see the link below:
http://conference.hitb.org/hitbsecconf2011kul/

Twitter’s t.co URL spoofing

I saw this article from LY_GS Security Weblog. I'm not sure whether this bug is still exploitable or not, but I think Twitter's team has fixed this vulnerability. You can refer to these blogs for more information:
http://blog.12k.nl/post/10604842941/twitters-t-co-url-spoofing-updated-again

http://ximen.es/?p=534

Armitage - Cyber Attack Management Tool (Metasploit)

Armitage is a graphical cyber attack management tool for Metasploit that visualizes your targets, recommends exploits, and exposes the advanced capabilities of the framework.
Advanced users will find Armitage valuable for managing remote Metasploit instances and collaboration. Armitage's red team collaboration features allow your team to use the same sessions, share data, and communicate through one Metasploit instance.
Armitage makes Metasploit usable for security practitioners who understand hacking but don't use Metasploit every day. If you want to learn Metasploit and grow into the advanced features, Armitage can help you.

Please refer to Armitage manual here:
http://www.fastandeasyhacking.com/manual

Armitage Screencast:
http://www.fastandeasyhacking.com/media

Sunday, October 02, 2011

JBOSS Exploitation

A whitepaper called JBoss Exploitation. This paper goes into detail on popping a shell on open JMX consoles.
http://www.exploit-db.com/download_pdf/17915

Monday, March 14, 2011

Android 2.0, 2.1, 2.1.1 WebKit Use-After-Free Exploit

This is the exploit used in my Austin bsides presentation that returns a shell. 
The slides are at http://www.slideshare.net/mjza/bsides
email: mkeith@exploitscience.org

Thursday, February 24, 2011

Spyware compromises 150,000+ Symbian devices

A new variant of spyware "Spy.Felxispy" on Symbian devices causing privacy leakage has recently been captured by the National Computer Virus Emergency Response Centre of China.

According to NetQin Mobile, there are more than a dozen variants of the spyware since the first was spotted, and the latest has affected 150,000+ devices.

Once installed, the spyware will turn on the Conference Call feature of the device without users' awareness. When users are making phone calls, the spyware automatically adds itself to the call to monitor the conversation.

"The Conference Call feature allows more than two parties to join a conversation, and it's easily available to most smart-phone users. The privacy stealers exploit the vulnerability of this feature for financial purposes. The privacy protection on mobile devices becomes more important than ever," said Dr. Zou Shihong, Vice President of R&D from NetQin.

NetQin Cloud Security Centre found that the spyware can remotely turn on the phone's speaker to monitor sounds around users without their awareness. Apart from that, the spyware is also capable of forwarding the messages the user received and sent to the monitoring phone. These capabilities compromise users' privacy.

The privacy stealers usually install the spyware on the phone or send MMS containing the spyware to users to lure them to click. As the spyware is artfully disguised, users will easily be trapped.

NetQin warns that smart-phone users are exposed to more mobile security threats than ever and users should always be cautious whenever performing operations on their mobile devices.

To stay safe, NetQin experts give the following tips in using your phone:

1. Never open MMS from unknown numbers as they may get your phone infected. Instead, delete them upon receipt.
2. Be on alert for unusual behavior on your phone, such as unusual SMS.
3. Don't leave your phone out of your sight in public environments.
4. Install a trusted security application to protect your phone from security threats.

Article taken from HELP NET SECURITY

Arachni v0.2.2.1 is out!

Updated: Added link to CDE package.
Update #2: Watch the new WebUI v0.1-pre screencast on Vimeo.

Hello good people,
I’m very glad to announce the release of the v0.2.2.1 version of the Arachni framework which bears a lot of new features, improvements, optimizations and a brand new, although experimental, Web user interface.
There are new plugins, new modules, new system components, support for high-level meta-analysis using meta-module components, a brand new HTML report and much more.
Acknowledgements

Before continuing, I’d like to thank all the people who helped make this release as good as it turned out to be.
First and foremost, I’d like to thank Christos Chiotis (of Survive the Internet) for volunteering his time, designer talent and good taste in order to create the new HTML scan report.
I’d also like to thank Matt and Michelangelo for their relentless testing and plethora of feature suggestions.

If you don’t feel like installing anything at all you can download the self-contained Linux CDE package from the downloads section.
The CDE package will allow you to run Arachni out of the box without requiring installation or any sort of root access.
ChangeLog
- Web UI v0.1-pre (Utilizing the Client - Dispatch-server XMLRPC architecture) (New)
   - Basically a front-end to the XMLRPC client
   - Support for parallel scans
   - Report management
   - Can be used to monitor and control any running Dispatcher
- Changed classification from "Vulnerabilities" to "Issues" (New)
- Improved detection of custom 404 pages.
- Reports updated to show plug-in results.
- Updated framework-wide cookie handling.
- Added parameter flipping functionality (cheers to Nilesh Bhosale)
- Major performance optimizations (4x faster in most tests)
   - All modules now use asynchronous requests and are optimized for highest traffic efficiency
   - All index Arrays have been replaced by Sets to minimize look-up times
   - Mark-up parsing has been reduced dramatically
   - File I/O blocking in modules has been eliminated
- Crawler
   - Improved performance
   - Added '--spider-first' option (New)
- Substituted the XMLRPC server with an XMLRPC dispatch server  (New)
   - Multiple clients
   - Parallel scans
   - Extensive logging
   - SSL cert based client authentication
- Added modules  (New)
   - Audit
      - XSS in event attributes of HTML elements
      - XSS in HTML tags
      - XSS in HTML 'script' tags
      - Blind SQL injection using timing attacks
      - Blind code injection using timing attacks (PHP, Ruby, Python, JSP, ASP.NET)
      - Blind OS command injection using timing attacks (*nix, Windows)
   - Recon
      - Common backdoors    -- Looks for common shell names
      - .htaccess LIMIT misconfiguration
      - Interesting responses   -- Listens to all traffic and logs interesting server messages
      - HTML object grepper
      - E-mail address disclosure
      - US Social Security Number disclosure
      - Forceful directory listing
- Added plugins  (New)
   - Dictionary attacker for HTTP Auth
   - Dictionary attacker for form based authentication
   - Cookie collector    -- Listens to all traffic and logs changes in cookies
   - Healthmap -- Generates sitemap showing the health of each crawled/audited URL
   - Content-types -- Logs content-types of server responses aiding in the identification of interesting (possibly leaked) files
   - WAF (Web Application Firewall) Detector
   - MetaModules -- Loads and runs high-level meta-analysis modules pre/mid/post-scan
      - AutoThrottle -- Dynamically adjusts HTTP throughput during the scan for maximum bandwidth utilization
      - TimeoutNotice -- Provides a notice for issues uncovered by timing attacks when the affected audited pages returned unusually high response times to begin with.
           It also points out the danger of DoS attacks against pages that perform heavy-duty processing.
      - Uniformity -- Reports inputs that are uniformly vulnerable across a number of pages hinting to the lack of a central point of input sanitization.
- New behavior on Ctrl+C
   - The system continues to run in the background instead of pausing
   - The user is presented with an auto-refreshing report and progress stats
- Updated module API
   - Timing/delay attacks have been abstracted and simplified via helper methods
   - The modules are given access to vector skipping decisions
   - Simplified issue logging
   - Added the option of substring matching instead of regexp matching in order to improve performance.
   - Substituted regular expression matching with substring matching wherever possible.
- Reports:
   - Added plug-in formatter components allowing plug-ins to have a say in how their results are presented (New)
   - New HTML report (Cheers to Christos Chiotis for designing the new HTML report template.) (New)
   - Updated reports to include Plug-in results:
      - XML report
      - Stdout report
      - Text report

I sincerely hope that you enjoy it and find it useful; if you have any suggestions or problems, don’t hesitate to open a ticket @ https://github.com/Zapotek/arachni/issues.

Cheers,
Tasos “Zapotek” Laskos (Lead Developer)

To download this tool, please click this link:
https://github.com/Zapotek/arachni/zipball/v0.2.2.1
To watch a video about this tool:
http://vimeo.com/19928281

Tuesday, February 22, 2011

Emergency Message to all Inj3ct0r Users

Dear Inj3ct0r users =]

Inj3ct0r blocked the domain again. =\
Nothing! Inj3ct0r Team will live forever. Our new domain : http://www.1337day.com/
Official sources for Inj3ct0r.com are:
http://twitter.com/inj3ct0r
http://www.facebook.com/inj3ct0rs

mr.inj3ct0r@gmail.com
if the domain is unavailable, Inj3ct0r project is available at http://77.120.120.218/
------------------------------------------------

Unavailable :
inj3ct0r.com , inj3ct0r.org , inj3ct0r.net , 0xr00t.com , 0x0day.com, 1337db.com
------------------------------------------------

Help us financially. We will be very happy.
The more domains get closed, the more we'll register ;)
Please distribute this message on your blogs!
Underground h4x0r forever!

//r0073r
# 1337day.com [2011-02-21]

Monday, February 21, 2011

How to Get Rapidshare Premium Account

Today I will show how you can earn money online and that too without much difficulty. Just follow the steps given below:

1. Create a PayPal Premium Account (don’t worry, it's free): https://www.paypal.com/ . When asked for credit card details simply say cancel. You do not need to fill it in.

2. Then Go to the following link:

3. On joining this website, you will get 27 USD just for writing 7 simple surveys which will take not more than 30 minutes.

4. Now the only problem is that the minimum payout limit for this website is 75 USD. But you can earn 1.25 USD on referring this website to your friend.

5. So you just take the referral link from this website and paste it in your Facebook status. Don’t forget to mention its benefits so that your friends register through that link.

6. Suppose you have 500 friends on facebook and out of them only 10% register through your link then also you earn 62.5 USD which gets added to 27 USD that you had earned from surveys. Thus the total 89.5 USD crosses the Payout limit.

7. Now you can get that money into your PayPal account and use it not only to buy your own Rapidshare premium account but also for buying other stuff online.

8. That’s it. So Simple and I swear it works.

Update: Some people have a complaint that Awsurveys doesn’t pay them what they have earned and that it is a SPAM. I would like to tell you that I have already used this website earlier and I had received the payment every time. I am not saying that these guys are lying about their experience with Awsurveys, but there are a few reasons why they may not have received the payment. The only problem with this website is that it doesn’t communicate with the user if he is violating any terms and conditions; instead of that it just cancels their payments. When you request some payout from this website, they have a policy to verify if the accounts that were referred by the user are not fraudulent, and they remove the amount gained from these fraudulent accounts from the total amount in your account. Sometimes the reduced amount is less than the amount redeemed by the user and their harsh policy is to cancel the whole payment without even reimbursing the remaining amount. Now you might be thinking how to avoid this? One advice I would give you is to keep at least 20-25 USD in excess when you are redeeming the amount. In this way you are making sure that even if there were 15 accounts which the website found to be fraudulent, still the total won't get below the amount requested by you. Another condition is of the maximum amount that one can redeem in a year. A user can redeem at max 550 USD in one year; if you request a payout of more than that then they will just cancel that payment without reimbursing the money in your account. I already faced the latter one, which indicates that I have at least earned up to 550 USD.

Sunday, February 20, 2011

Pyrit Tool- GPU Cracker for Attacking WPA/WPA2 PSK Protocols

Pyrit allows creating massive databases, pre-computing part of the IEEE 802.11 WPA/WPA2-PSK authentication phase in a space-time trade-off. Exploiting the computational power of many-core and other platforms through ATI-Stream, Nvidia CUDA, OpenCL and VIA Padlock, it is currently by far the most powerful attack against one of the world's most used security protocols.
WPA/WPA2-PSK is a subset of IEEE 802.11 WPA/WPA2 that skips the complex task of key distribution and client authentication by assigning every participating party the same pre-shared key. This master key is derived from a password which the administrating user has to pre-configure, e.g. on his laptop and on the Access Point. When the laptop creates a connection to the Access Point, a new session key is derived from the master key to encrypt and authenticate the following traffic. The "shortcut" of using a single master key instead of per-user keys eases deployment of WPA/WPA2-protected networks for home and small-office use at the cost of making the protocol vulnerable to brute-force attacks against its key negotiation phase; such an attack ultimately reveals the password that protects the network. This vulnerability has to be considered exceptionally disastrous as the protocol allows much of the key derivation to be pre-computed, making simple brute-force attacks even more alluring to the attacker. For more background see this article on the project's blog.
The author does not encourage or support using Pyrit for the infringement of people's communication privacy. The exploration and realization of the technology discussed here motivate as a purpose of their own; this is documented by the open development, strictly source-code-based distribution and 'copyleft' licensing.
Pyrit is free software - free as in freedom. Everyone can inspect, copy or modify it and share derived work under the GNU General Public License v3+. It compiles and executes on a wide variety of platforms including FreeBSD, Mac OS X and Linux as operating system and x86, alpha, arm, hppa, mips, powerpc, s390 and sparc processors.
Attacking WPA/WPA2 by brute force boils down to computing Pairwise Master Keys as fast as possible. Every Pairwise Master Key is 'worth' exactly one megabyte of data getting pushed through PBKDF2-HMAC-SHA1. In turn, computing 10,000 PMKs per second is equivalent to hashing 9.8 gigabytes of data with SHA1 in one second. The following graph shows various performance numbers measured on platforms supported by Pyrit.
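The two figures above ("one megabyte per PMK" and "10,000 PMKs per second equals 9.8 gigabytes of SHA-1 per second") follow directly from how the Pairwise Master Key is defined, and so does the reason the pre-computation works: the PMK depends only on the passphrase and the SSID, so a table built for a common SSID is reusable against every network that shares it. The following is an added example, not Pyrit's code; it derives a PMK with Python's standard library, checks it against the published IEEE 802.11i test vector (passphrase "password", SSID "IEEE"), and reproduces the cost arithmetic. The assumption that each HMAC-SHA1 iteration costs two SHA-1 compressions presumes the inner and outer key pads are computed once per passphrase, which is the usual optimisation.

```python
import hashlib

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for WPA/WPA2-PSK
PMK_LEN = 32               # 256-bit Pairwise Master Key
SHA1_OUTPUT = 20           # bytes produced per PBKDF2 block with HMAC-SHA1
SHA1_BLOCK = 64            # bytes consumed by one SHA-1 compression

# Test vector from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE".
IEEE_VECTOR_PMK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Note that nothing per-client or per-session enters here: only the passphrase
    and the SSID, which is why the result can be tabulated per SSID in advance."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def sha1_bytes_per_pmk() -> int:
    """Bytes pushed through the SHA-1 compression function per PMK.
    32 bytes of output need ceil(32/20) = 2 PBKDF2 blocks; each block runs 4096
    HMAC-SHA1 iterations; with the key pads precomputed each iteration is one
    inner and one outer compression (assumption stated above), 64 bytes each."""
    blocks = -(-PMK_LEN // SHA1_OUTPUT)            # ceiling division -> 2
    return blocks * PBKDF2_ITERATIONS * 2 * SHA1_BLOCK   # 1,048,576 = 1 MiB


def sha1_gib_per_second(pmks_per_second: float) -> float:
    """Equivalent SHA-1 throughput for a given PMK rate, in GiB/s."""
    return pmks_per_second * sha1_bytes_per_pmk() / 2 ** 30


def ssid_separates_tables(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase yields different PMKs under two SSIDs,
    i.e. a table precomputed for ssid_a is useless against ssid_b. This is the
    defensive argument for a non-default SSID alongside a long random passphrase."""
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    pmk = derive_pmk("password", "IEEE")
    print("PMK matches 802.11i test vector:", pmk.hex() == IEEE_VECTOR_PMK)
    print("SHA-1 bytes per PMK:", sha1_bytes_per_pmk())
    print("10,000 PMK/s is %.2f GiB/s of SHA-1" % sha1_gib_per_second(10_000))
    print("SSID changes the PMK:", ssid_separates_tables("password", "IEEE", "ieee"))
```

The arithmetic gives exactly 1,048,576 bytes per PMK and 9.77 GiB/s at 10,000 PMK/s, which is the "9.8 gigabyte" figure quoted above. The practical reading for a network owner is the last function: pre-computation only pays off when many networks share an SSID, so a unique SSID removes that economy, and a long random passphrase removes the dictionary the attack runs through in the first place.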

You can see on YouTube how to use this tool:
http://www.youtube.com/watch?v=HY9Y99bOyhE

To download the latest Pyrit 0.40, please see this link:

For more information about this Pyrit  tool, please see the link below:

Thursday, February 10, 2011

Inguma - Penetration Testing Toolkit

Inguma is a penetration testing toolkit entirely written in Python. The framework includes modules to discover hosts, gather information about them, fuzz targets, brute force user names and passwords and, of course, exploits.
While the current exploitation capabilities in Inguma may be limited, this program provides numerous tools for information gathering and target auditing. Inguma is still being heavily developed, so be sure to stay current and check back for news and updates.
You can see more details about Inguma and its documentation here:
http://code.google.com/p/inguma/

Mantra - Free and Open Source Browser Based Security Framework

Mantra is a powerful set of tools to make the attacker's task easier. The beta version of Mantra Security Toolkit contains the following tools built into it. You can also always suggest any tools/scripts that you would like to see in the next release.

  • Access Me
  • Add N Edit Cookies+
  • Chickenfoot
  • CookieSwap
  • DOM inspector
  • Domain Details
  • Firebug
  • Firebug Autocompleter
  • Firecookie
  • FireFTP
  • Firesheep
  • FormBug
  • FoxyProxy
  • Google Site Indexer
  • Greasemonkey
  • Groundspeed
  • HackBar
  • Host Spy
  • HttpFox
  • iMacros
  • JavaScript Deobfuscator
  • JSview
  • Key Manager
  • Library Detector
  • Live HTTP Headers
  • PassiveRecon
  • Poster
  • RefControl
  • Refspoof
  • RESTClient
  • RESTTest
  • Resurrect Pages
  • Selenium IDE
  • SQL Inject ME
  • Tamper Data
  • URL Flipper
  • User Agent Switcher
  • Vitzo WHOIS
  • Wappalyzer
  • Web Developer
  • XSS Me
You can download Mantra from this link:
http://www.getmantra.com/download/index.html