
SQLBrute is a tool for brute forcing data out of databases using blind SQL injection vulnerabilities. It supports time based and error based exploitation on Microsoft SQL Server, and error based exploitation on Oracle. It is written in Python, uses multi-threading, and doesn’t require non-standard libraries (there is some code in there for pycurl, but it is disabled because it isn’t finished).

For error based SQL injection, SQLBrute should work if you can either:

* Get an identifiable difference between adding the exploit strings AND 1=1 and AND 1=2 to your SQL injection point (usually works if the query is normally valid)
* Get an identifiable difference between adding the exploit strings OR 1=1 and OR 1=2 to your SQL injection point (usually works if the query is normally invalid)

For time based SQL injection, SQLBrute should work if you can use exploit syntax similar to ;waitfor delay '0:0:5' to generate a time delay in Microsoft SQL Server.

Here are the options SQLBrute prints when you run it with no arguments:

Usage: ./sqlbrute.py options url
[--help|-h] [--verbose|-v] [--server|-d oracle|sqlserver] [--error|-e regex]
[--threads|-s number] [--cookie|-k string] [--time|-n] [--data|-p string]
[--database|-f database] [--table|-t table] [--column|-c column]
[--where|-w column=data] [--header|-x header::val]

More about SQLBrute :: Using SQLBrute to brute force data from a blind SQL injection point
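From the defender's side, the two conditions above are also what a blind SQL injection brute force leaves in the web server log: a request carrying AND 1=1 followed by one carrying AND 1=2 (with responses of visibly different size, which is exactly the "identifiable difference" the tool needs), or a request carrying a waitfor delay. The following is an added example, not code from SQLBrute or from the original post, that runs that detection over a few constructed Apache-style log lines; the regexes, log format and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache-style access log lines (not from the original post).
# 203.0.113.7 sends the AND 1=1 / AND 1=2 pair, then a waitfor delay probe.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2007:10:45:01 +0000] "GET /item.asp?id=5+AND+1%3D1 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jul/2007:10:45:02 +0000] "GET /item.asp?id=5+AND+1%3D2 HTTP/1.1" 200 812
203.0.113.7 - - [10/Jul/2007:10:45:03 +0000] "GET /item.asp?id=5%3Bwaitfor+delay+%270%3A0%3A5%27-- HTTP/1.1" 200 5120
198.51.100.4 - - [10/Jul/2007:10:46:10 +0000] "GET /item.asp?id=5 HTTP/1.1" 200 5120
198.51.100.4 - - [10/Jul/2007:10:46:11 +0000] "GET /search.asp?q=cats+and+dogs HTTP/1.1" 200 2210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# The two probe families the post describes: boolean pairs (AND/OR 1=1 vs 1=2)
# and the MSSQL waitfor delay primitive. The patterns are constructed here.
BOOLEAN_PROBE = re.compile(r"\b(?:and|or)\s+(\d+)\s*=\s*(\d+)\b", re.IGNORECASE)
TIME_PROBE = re.compile(r";\s*waitfor\s+delay\s*'[\d:]+'", re.IGNORECASE)


def classify_request(path):
    """Return 'boolean-true', 'boolean-false', 'time-based' or None."""
    decoded = unquote_plus(path)
    if TIME_PROBE.search(decoded):
        return "time-based"
    m = BOOLEAN_PROBE.search(decoded)
    if m:
        return "boolean-true" if int(m.group(1)) == int(m.group(2)) else "boolean-false"
    return None


def scan_log(text):
    """Parse each line and keep the ones that carry a blind-SQLi probe."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify_request(m.group("path"))
        if kind:
            size = m.group("size")
            findings.append({
                "ip": m.group("ip"),
                "kind": kind,
                "path": unquote_plus(m.group("path")),
                "size": int(size) if size.isdigit() else 0,
            })
    return findings


def oracle_confirmed(findings):
    """Sources whose true/false probe pair got responses of different sizes.
    That difference is what an error-based brute force relies on, so seeing
    it in the log means the injection point most likely works."""
    sizes = defaultdict(dict)
    for f in findings:
        if f["kind"].startswith("boolean-"):
            sizes[f["ip"]][f["kind"]] = f["size"]
    return sorted(
        ip for ip, s in sizes.items()
        if "boolean-true" in s and "boolean-false" in s
        and s["boolean-true"] != s["boolean-false"]
    )


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["kind"], h["path"], h["size"])
    print("working oracle from:", oracle_confirmed(SAMPLE_LOG and hits))
```

The size comparison is deliberately per source rather than per request: a single AND 1=1 in a URL is weak evidence on its own, but a true/false pair from one address with different response sizes is the setup step of exactly the brute force described above.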

Free Download

sqlbrute.py

[Source: Darknet ]

Priamos Project - SQL Injector and Scanner

You can search for SQL injection vulnerabilities and, with the injector module, inject into the vulnerable string to get all database names, tables and column data.

You should only use PRIAMOS to test the security vulnerabilities of your own web applications (obviously).

The first release of PRIAMOS contains only the SQL Server database module.

More about Priamos Project :: http://www.priamos-project.com/

If you want something to test you can create your own local vulnerable test platform using this script:

Download Vulnerable ASP page and Database script

Free Download

Priamos Project

[Source: Darknet ]


Fuzzled

Posted by Bijay | 10:45 AM | 0 comments

There has been an explosion of fuzzing tools lately, quite a few we have mentioned here on Darknet.

Someone else noticed this, and wondered where is the Perl framework to complete the family? With that in mind he spent the last few months working on something that should fill the gap - Fuzzled.

Fuzzled is a powerful fuzzing framework. It includes helper functions, namespaces and factories which allow a wide variety of fuzzing tools to be developed, and it comes with several example protocols and drivers for them.

All in PERL!

It’s a pretty comprehensive framework with a lot of functionality, so do check it out and let us know what you think.

Free Download

Fuzzled-1.0.tar.gz

[Source: Darknet ]

Trinity Rescue Kit - Free Recovery and Repair for Windows

Trinity Rescue Kit or TRK is a free live Linux distribution that aims specifically at recovery and repair operations on Windows machines, but is equally usable for Linux recovery issues.

It is possible to boot TRK in three different ways:

* As a bootable CD which you can burn yourself from a downloadable isofile
* From a USB stick/disk (optionally also a fixed disk), installable from Windows or from the bootable TRK cd
* From network over PXE, which requires some modifications on your local network.

TRK is a complete command line based distribution, apart from a few tools like qtparted, links, partition image and midnight commander.

It’s recommended to keep a copy of TRK in your toolkit; we at Darknet do find it useful, especially for resetting passwords and fixing messed up file systems.

A summary of the main features:

* easily reset windows passwords
* 4 different virusscan products integrated in a single uniform commandline with online update capability
* full ntfs write support thanks to ntfs-3g (all other drivers included as well)
* clone NTFS filesystems over the network
* wide range of hardware support (kernel 2.6.19.2 and recent kudzu hwdata)
* easy script to find all local filesystems
* self update capability to include and update all virusscanners
* full proxyserver support.
* run a samba fileserver (windows like filesharing)
* run a ssh server
* recovery and undeletion of files with utilities and procedures
* recovery of lost partitions
* evacuation of dying disks
* UTF-8 international character support

Free Download

Trinity Rescue Kit

[Source: Darknet ]

FakeNetBIOS is a family of tools designed to simulate Windows hosts on a LAN. The individual tools are:

* FakeNetbiosDGM (NetBIOS Datagram)
* FakeNetbiosNS (NetBIOS Name Service)

Each tool can be used as a standalone tool or as a honeyd responder or subsystem.

FakeNetbiosDGM sends NetBIOS Datagram Service packets on UDP port 138 to simulate the broadcasts of Windows hosts. It periodically sends NetBIOS announcements over the network to simulate Windows computers, which fools the Computer Browser service running on the LAN, and so on.

FakeNetbiosNS is a NetBIOS Name Service daemon, listening on port UDP 137. It responds to NetBIOS Name requests like real Windows computers: for example ‘ping -a’, ‘nbtstat -A’ and ‘nbtstat -a’, etc.



[Source: Darknet]

The SYN scan, or half-open scanning technique, is the first of a series of three articles about stealth scanning… The other two cover the Xmas/FIN/Null and idle/zombie scan techniques…

Intro
This is the first of a series of three articles about stealth scanning. Everything I am going to present is hping oriented, so if you want to learn these techniques you’d better get a copy of hping.
This is the method nmap uses when you give it the -sS parameter… so let’s start…

3 Way Handshake
In case you didn’t know, a TCP connection is set up with a method called the three way handshake, which goes like this:

[host] SYN flagged packet ———> [destination] receives packet
[destination] SYN-ACK flagged packet ———> [host] receives packet
[host] ACK flagged packet ———> [destination] receives packet [connection established]

This is how a TCP connection is made; only after all three steps complete is a real connection established… You can probably see the weak point in this method, can’t you? For every packet sent, the host (and the destination) waits a period of time for the next packet. If you can send spoofed SYN packets fast enough you can DoS a target in no time; this is the oldest DoS method ever known to man (and woman) =)

SYNner
Firstly let’s see what happens if we hit a closed port. Try out the following command (the result follows it):

C:\>hping -p 81 -S lx.ro
HPING (XPSP2) lx.ro (SiS 900 PCI Fast Ethernet Adapter -
Packet Scheduler Miniport 81.181.218.80): S set, 40 headers + 0
data bytes

len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=81 flags=RA seq=0 win=0 rtt=70.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=81 flags=RA seq=1 win=0 rtt=20.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=81 flags=RA seq=2 win=0 rtt=30.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=81 flags=RA seq=3 win=0 rtt=40.0 ms

As you can see, on an unsuccessful port scan we get a Reset-Acknowledge (flags=RA), which tells us, as already mentioned, that we hit a closed port…
Now for the moment we were all waiting for:

C:\>hping -p 80 -S lx.ro
HPING (XPSP2) lx.ro (SiS 900 PCI Fast Ethernet Adapter -
Packet Scheduler Miniport 81.181.218.80): S set, 40 headers + 0
data bytes

len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=80 flags=SA seq=0 win=5840 rtt=30.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=80 flags=SA seq=0 win=5840 rtt=0.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=80 flags=SA seq=1 win=5840 rtt=50.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=80 flags=SA seq=0 win=5840 rtt=0.0 ms

As you can see, we hit an open port… If you weren’t paying attention till now: a SYN-ACK (flags=SA) means an open port, half-way connected…

Epilogue
Nowadays this method isn’t as stealthy as it was years ago, because firewalls now most often drop unwanted packets or treat them as the SYN packets that precede a DoS…
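The same three states the article reads off hping's output (RST/ACK for a closed port, SYN/ACK for an open one, and a SYN/ACK that is never followed by the third ACK, i.e. a half-open connection) are what a firewall or IDS on the other side sees. The following is an added example, not part of the original article, that tracks those states over constructed tcpdump-style lines and flags a source that probed several ports without ever completing a handshake. The capture format, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not from the original article). Flags use
# tcpdump notation: S = SYN, . = ACK, R = RST, so "S." is SYN/ACK and "R." is
# RST/ACK, the two answers the hping runs above received.
SAMPLE_CAPTURE = """\
10:45:01.000 IP 198.51.100.9.40001 > 192.0.2.10.81: Flags [S], seq 1
10:45:01.070 IP 192.0.2.10.81 > 198.51.100.9.40001: Flags [R.], seq 0, ack 2
10:45:02.000 IP 198.51.100.9.40002 > 192.0.2.10.80: Flags [S], seq 1
10:45:02.030 IP 192.0.2.10.80 > 198.51.100.9.40002: Flags [S.], seq 0, ack 2
10:45:03.000 IP 198.51.100.9.40003 > 192.0.2.10.443: Flags [S], seq 1
10:45:03.030 IP 192.0.2.10.443 > 198.51.100.9.40003: Flags [S.], seq 0, ack 2
10:45:04.000 IP 198.51.100.9.40004 > 192.0.2.10.22: Flags [S], seq 1
10:45:04.050 IP 192.0.2.10.22 > 198.51.100.9.40004: Flags [R.], seq 0, ack 2
10:45:05.000 IP 203.0.113.5.50000 > 192.0.2.10.80: Flags [S], seq 1
10:45:05.020 IP 192.0.2.10.80 > 203.0.113.5.50000: Flags [S.], seq 0, ack 2
10:45:05.040 IP 203.0.113.5.50000 > 192.0.2.10.80: Flags [.], ack 1
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
)


def parse_capture(text):
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            pkts.append(d)
    return pkts


def track_flows(pkts):
    """State per client-side 4-tuple: 'syn' (SYN sent, no answer yet),
    'closed' (target answered RST/ACK), 'half-open' (target answered
    SYN/ACK but the client never sent the third ACK) or 'established'."""
    flows = {}
    for p in pkts:
        f = p["flags"]
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])   # client -> server
        rev = (p["dst"], p["dport"], p["src"], p["sport"])   # server -> client
        if f == "S":
            flows[fwd] = "syn"
        elif f == "S." and flows.get(rev) == "syn":
            flows[rev] = "half-open"
        elif f == "R." and flows.get(rev) == "syn":
            flows[rev] = "closed"
        elif f == "." and flows.get(fwd) == "half-open":
            flows[fwd] = "established"
    return flows


def port_states(flows, target):
    """The article's rule seen from the scanner's side: SYN/ACK means open,
    RST/ACK means closed."""
    states = {}
    for (_, _, dst, dport), state in flows.items():
        if dst != target:
            continue
        if state in ("half-open", "established"):
            states[dport] = "open"
        elif state == "closed":
            states[dport] = "closed"
    return states


def half_open_scanners(flows, min_ports=3):
    """Sources that probed several distinct ports and never completed a
    single handshake: the signature of a -sS style scan in a capture."""
    per_src = defaultdict(lambda: {"ports": set(), "completed": 0})
    for (src, _, _, dport), state in flows.items():
        per_src[src]["ports"].add(dport)
        if state == "established":
            per_src[src]["completed"] += 1
    return sorted(src for src, s in per_src.items()
                  if len(s["ports"]) >= min_ports and s["completed"] == 0)


if __name__ == "__main__":
    flows = track_flows(parse_capture(SAMPLE_CAPTURE))
    print(port_states(flows, "192.0.2.10"))
    print("half-open scanners:", half_open_scanners(flows))
```

Note that 203.0.113.5 also hits port 80 but finishes the handshake, so it is a client, not a scanner; the distinguishing signal is the missing third ACK across many ports, not the SYN itself.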

Read More: www.rhyshaden.com

[Source: Darknet ]

sqlninja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote shell on the vulnerable DB server, even in a very hostile environment.

It should be used by penetration testers to help automate the process of taking over a DB server once a SQL injection vulnerability has been discovered. It is written in Perl and runs on Unix-like boxes.

Features

* Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability)
* Bruteforce of 'sa' password
* Privilege escalation to 'sa' if its password has been found
* Creation of a custom xp_cmdshell if the original one has been disabled
* Upload of netcat.exe (or any other executable) using only 100% ASCII GET/POST requests, so no need for FTP connections
* TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
* Direct and reverse bindshell, both TCP and UDP
* DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames

Read More - http://sqlninja.sourceforge.net

[Source: Darknet ]

The Kcpentrix Project - Penetration Testing Toolkit LiveDVD

The Kcpentrix Project was founded in May 2005. KCPentrix 1.0 was a liveCD designed to be a standalone penetration testing toolkit for pentesters, security analysts and system administrators.

What’s New in KcPentrix 2.0

Release 2.0 is now a liveDVD. It features a lot of new or up to date tools for auditing and testing a network, from scanning and discovery to exploiting vulnerabilities.

Kcpentrix is based on SLAX 5, a Slackware live DVD. The powerful modularity Kcpentrix inherits from it allows the distribution to be easily customised to include the relevant modules.

It has switched to the 2.6 kernel line, and Zisofs compression was replaced by SquashFS, which provides a better compression ratio and higher read speed.

Free Download

Kcpentrix v2.0


[Source: Darknet ]

ProxyFuzz is a man-in-the-middle non-deterministic network fuzzer written in Python. ProxyFuzz randomly changes (fuzzes) contents on the network traffic. It supports TCP and UDP protocols and can also be configured to fuzz only one side of the communication. ProxyFuzz is protocol agnostic so it can randomly fuzz any network communication.

ProxyFuzz is a good tool for quickly testing network protocols and providing basic proofs of concept. Using this tool you will be amazed by the poor quality of software, and you will see clients and servers dying upon unexpected input; just be prepared to see some very weird behaviour.

Syntax of ProxyFuzz:

ProxyFuzz 0.1, Simple fuzzing proxy by Rodrigo Marcos

usage():

python proxyfuzz -l -r -p [options]

[options]
-w: Number of requests to send before start fuzzing
-c: Fuzz only client side (both otherwise)
-s: Fuzz only server side (both otherwise)
-u: UDP protocol (otherwise TCP is used)
-v: Verbose (outputs network traffic)
-h: Help page


The video shows ProxyFuzz proxying traffic between a VMWare Console and a VMWare Server. This is just a dumb example of the things you can do with this tool.
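To make the -w, -c and -s options concrete, here is an added example (not ProxyFuzz's own code) of a tiny in-memory fuzzing proxy with the same knobs: a warmup count of requests passed through untouched, a choice of which side to corrupt, and a seeded random generator so that whatever input crashed the server can be replayed. The toy server, the mutation rate and the session driver are assumptions made for the example; a real deployment would relay over sockets instead of calling a function.

```python
import random


class FuzzingProxy:
    """In-memory model of a fuzzing proxy between a client and a server.
    The knobs mirror the ProxyFuzz options listed above: warmup requests
    passed through untouched (-w), fuzz only the client side (-c) or only
    the server side (-s). Constructed example, not ProxyFuzz's code."""

    def __init__(self, warmup=0, fuzz_client=True, fuzz_server=True,
                 ratio=0.05, seed=None):
        self.warmup = warmup
        self.fuzz_client = fuzz_client
        self.fuzz_server = fuzz_server
        self.ratio = ratio                 # fraction of bytes to corrupt
        self.rng = random.Random(seed)     # seeded so a crash can be replayed
        self.requests_seen = 0
        self.log = []                      # (direction, original, delivered)

    def mutate(self, data):
        """Corrupt a few random bytes. XOR with a non-zero value guarantees
        every chosen byte really changes."""
        buf = bytearray(data)
        for _ in range(max(1, int(len(buf) * self.ratio))):
            i = self.rng.randrange(len(buf))
            buf[i] ^= self.rng.randrange(1, 256)
        return bytes(buf)

    def relay(self, direction, data):
        """direction is 'c2s' (client to server) or 's2c'. Returns the bytes
        the far side actually receives and records both versions."""
        if direction == "c2s":
            self.requests_seen += 1
        in_warmup = self.requests_seen <= self.warmup
        wants = self.fuzz_client if direction == "c2s" else self.fuzz_server
        out = self.mutate(data) if (wants and not in_warmup and data) else data
        self.log.append((direction, data, out))
        return out

    def mutated_count(self):
        return sum(1 for _, orig, out in self.log if orig != out)


def toy_server(request):
    """Stand-in for the real service under test: echoes the request back."""
    return b"OK " + request


def run_session(proxy, requests, server=toy_server):
    """Drive a client through the proxy: each request goes client->proxy->server
    and the reply comes back server->proxy->client."""
    replies = []
    for req in requests:
        delivered = proxy.relay("c2s", req)
        replies.append(proxy.relay("s2c", server(delivered)))
    return replies


if __name__ == "__main__":
    # Equivalent of "-w 2 -c": two clean requests, then client-side fuzzing only.
    p = FuzzingProxy(warmup=2, fuzz_server=False, seed=1)
    run_session(p, [b"GET /index.html"] * 5)
    for direction, orig, out in p.log:
        print(direction, orig, "->", out)
```

The log of (original, delivered) pairs is the part worth keeping in a real run: when the server dies, the last delivered request is the crashing input, and the seed lets you regenerate the whole sequence.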

Free Download

Download ProxyFuzz 0.1 Source Code

Download ProxyFuzz 0.1 Windows Binary

[Source: Darknet]

tcpxtract is a tool for extracting files from network traffic based on file signatures. Extracting files based on file type headers and footers (sometimes called “carving”) is an age old data recovery technique. Tools like Foremost employ this technique to recover files from arbitrary data streams. tcpxtract uses this technique specifically for the application of intercepting files transmitted across a network.

Other tools that fill a similar need are driftnet and EtherPEG. driftnet and EtherPEG are tools for monitoring and extracting graphic files on a network and are commonly used by network administrators to police the internet activity of their users. The major limitation of driftnet and EtherPEG is that they only support three file types, with no easy way of adding more. The search technique they use is also not scalable and does not search across packet boundaries.

tcpxtract features the following:

* Supports 26 popular file formats out-of-the-box. New formats can be added by simply editing its config file.
* With a quick conversion, you can use your old Foremost config file with tcpxtract.
* Custom written search algorithm is lightning fast and very scalable.
* Search algorithm searches across packet boundaries for total coverage and forensic quality.
* Uses libpcap, a popular, portable and stable library for network data capture.
* Can be used against a live network or a tcpdump formatted capture file.
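The "searches across packet boundaries" feature is the part that separates a network carver from a plain file carver: a header or footer can be split between two packets, so the matcher must keep a tail of the previous chunk and search the tail plus the new chunk. The following is an added example, not tcpxtract's code, of a small streaming carver that does exactly that for PNG and JPEG signatures (the real magic bytes); the sample stream, the chunk splitting and the size limit are constructed for the example.

```python
# Header/footer signatures for two common formats (the PNG and JPEG magic
# bytes; tcpxtract's own config file carries many more).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}

# Constructed stream: an HTTP response carrying a tiny PNG, some junk, then
# a tiny JPEG. Not real image data; only the signatures matter here.
SAMPLE_PNG = SIGNATURES["png"][0] + b"\x00" * 20 + SIGNATURES["png"][1]
SAMPLE_JPEG = SIGNATURES["jpeg"][0] + b"\xaa" * 10 + SIGNATURES["jpeg"][1]
SAMPLE_STREAM = (b"HTTP/1.1 200 OK\r\n\r\n" + SAMPLE_PNG + b"junkjunk"
                 + SAMPLE_JPEG + b"tail")


class StreamCarver:
    """Carves files out of a byte stream delivered in arbitrary chunks
    (packets). A signature may be split across two chunks, so the carver
    keeps a small tail of unmatched bytes and searches the tail plus the
    new chunk, which is what searching across packet boundaries means."""

    def __init__(self, signatures, max_size=1 << 20):
        self.sigs = signatures
        self.max_size = max_size
        self.keep = max(len(h) for h, _ in signatures.values()) - 1
        self.pending = b""       # unmatched bytes kept for a split header
        self.current = None      # (name, bytearray) while inside a file
        self.files = []          # (name, bytes) for every carved file

    def feed(self, chunk):
        data = self.pending + chunk
        self.pending = b""
        while data:
            if self.current is None:
                data = self._find_header(data)
            else:
                data = self._find_footer(data)

    def _find_header(self, data):
        best = None
        for name, (hdr, _) in self.sigs.items():
            i = data.find(hdr)
            if i != -1 and (best is None or i < best[0]):
                best = (i, name)
        if best is None:
            # Keep the last keep bytes: a header may start here and end in
            # the next packet.
            self.pending = data[-self.keep:] if self.keep else b""
            return b""
        self.current = (best[1], bytearray())
        return data[best[0]:]

    def _find_footer(self, data):
        name, buf = self.current
        ftr = self.sigs[name][1]
        # Overlap the tail of what we already have so a footer split across
        # the packet boundary is still found.
        overlap = bytes(buf[-(len(ftr) - 1):]) if len(ftr) > 1 and buf else b""
        j = (overlap + data).find(ftr)
        if j == -1:
            buf += data
            if len(buf) > self.max_size:   # runaway file: give up on it
                self.current = None
            return b""
        end = j + len(ftr) - len(overlap)  # footer's end as an index into data
        buf += data[:end]
        self.files.append((name, bytes(buf)))
        self.current = None
        return data[end:]


def split_into_packets(data, size):
    return [data[i:i + size] for i in range(0, len(data), size)]


def carve(packets, signatures=SIGNATURES):
    carver = StreamCarver(signatures)
    for pkt in packets:
        carver.feed(pkt)
    return carver.files


if __name__ == "__main__":
    for name, blob in carve(split_into_packets(SAMPLE_STREAM, 5)):
        print(name, len(blob), "bytes")
```

Try it with packet sizes of 1, 5 and the whole stream: the carved files come out identical, which is the property a quick in-packet grep does not have.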




ProxMon is an extensible Python based framework that reduces testing effort, improves consistency and reduces errors. Its use requires limited additional effort as it processes the proxy logs that you’re already generating and reports discovered issues. In addition to penetration testing, ProxMon is useful in QA, developer testing and regression testing scenarios.

Formerly announced as ScarabMon as part of BlackHat EU 2007, proxmon monitors proxy logs and reports on security issues it discovers. ProxMon was also presented at CanSecWest 2007.

t’s compatible with WebScarab.

ProxMon handles routine tasks like

* Checking server SSL configuration
* Looking for directories that allow listing or upload

Its real strength is that it also helps with higher level analysis such as

* Finding values initially sent over SSL that later go cleartext
* Finding Secure cookie values also sent in the clear
* Finding values that are sent to 3rd party sites

Its key features are

* automatic value tracing of set cookies, sent cookies, query strings and post parameters across sites
* proxy agnostic
* included library of vulnerability checks
* active testing mode
* cross platform
* open source license
* easy to program extensible python framework
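The "automatic value tracing" feature is the one worth seeing in code: every cookie, query string and POST value is remembered together with where it was first seen, so that a later sighting over plain HTTP or at another site can be reported. The following is an added example, not ProxMon's code, that implements the three higher level checks listed above over a constructed proxy log; the log structure, host names and the minimum value length are assumptions made for the example.

```python
from collections import defaultdict

# Constructed proxy log entries, one per request/response pair, modelled on
# what a WebScarab-style proxy records (not ProxMon's own log format).
# set_cookies holds (name, value, secure_flag) from the response.
PROXY_LOG = [
    {"scheme": "https", "host": "shop.example", "path": "/login",
     "query": {}, "cookies": {},
     "set_cookies": [("sid", "a1b2c3", True), ("lang", "en", False)]},
    {"scheme": "https", "host": "shop.example", "path": "/cart",
     "query": {"token": "t0k3n"}, "cookies": {"sid": "a1b2c3", "lang": "en"},
     "set_cookies": []},
    {"scheme": "http", "host": "shop.example", "path": "/help",
     "query": {"token": "t0k3n"}, "cookies": {"lang": "en"}, "set_cookies": []},
    {"scheme": "http", "host": "static.shop.example", "path": "/img.png",
     "query": {}, "cookies": {"sid": "a1b2c3"}, "set_cookies": []},
    {"scheme": "https", "host": "ads.thirdparty.example", "path": "/pixel",
     "query": {"ref": "a1b2c3"}, "cookies": {}, "set_cookies": []},
]

# Constructed noise filter: values this short are too common to trace usefully.
MIN_VALUE_LEN = 4


def value_sightings(log):
    """Every traced value -> ordered list of (entry, scheme, host, where)."""
    seen = defaultdict(list)
    for n, e in enumerate(log):
        places = ([("query:" + k, v) for k, v in e["query"].items()]
                  + [("cookie:" + k, v) for k, v in e["cookies"].items()]
                  + [("set-cookie:" + k, v) for k, v, _ in e["set_cookies"]])
        for where, v in places:
            if len(v) >= MIN_VALUE_LEN:
                seen[v].append((n, e["scheme"], e["host"], where))
    return seen


def ssl_then_cleartext(log):
    """Values first seen over https that later travel over http."""
    leaks = []
    for v, places in value_sightings(log).items():
        if places[0][1] == "https":
            later_clear = [p for p in places[1:] if p[1] == "http"]
            if later_clear:
                leaks.append((v, later_clear[0][2], later_clear[0][3]))
    return leaks


def secure_cookie_in_clear(log):
    """Cookie values set with the Secure attribute that show up in an http request."""
    secure_values = {v for e in log for _, v, secure in e["set_cookies"] if secure}
    return sorted({(k, e["host"]) for e in log if e["scheme"] == "http"
                   for k, v in e["cookies"].items() if v in secure_values})


def third_party_sightings(log, first_party):
    """Traced values that were sent to a host outside the first-party domain."""
    def is_first_party(host):
        return host == first_party or host.endswith("." + first_party)
    return sorted({(v, p[2]) for v, places in value_sightings(log).items()
                   for p in places if not is_first_party(p[2])})


if __name__ == "__main__":
    print("ssl -> cleartext:", ssl_then_cleartext(PROXY_LOG))
    print("secure cookie in clear:", secure_cookie_in_clear(PROXY_LOG))
    print("sent to third parties:", third_party_sightings(PROXY_LOG, "shop.example"))
```

The ordering matters: a value is only a leak if its first sighting was over SSL, so the tracer must process the log in capture order rather than as an unordered set of requests.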



[Source: Darknet]

The Firewall Tester (FTester) is a tool designed for testing firewalls’ filtering policies and Intrusion Detection System (IDS) capabilities.

The tool consists of two Perl scripts, a packet injector (ftest) and a listening sniffer (ftestd). The first script injects custom packets, defined in ftest.conf, with a signature in the data part, while the sniffer listens for such marked packets. Both scripts write a log file in the same format. If the two scripts are run on hosts placed on opposite sides of a firewall, a diff of the two log files (ftest.log and ftestd.log) shows the packets that were unable to reach the sniffer because of the filtering rules. Stateful inspection firewalls are handled with the ‘connection spoofing’ option. A script called freport is also available to parse the log files automatically.

Of course this is not an automated process: ftest.conf must be crafted for every different situation. Examples and rules are included in the attached configuration file.

The IDS (Intrusion Detection System) testing feature can be used either with ftest only or with the additional support of ftestd for handling stateful inspection IDS; ftest can also use common IDS evasion techniques. Instead of the configuration syntax, the script can currently also process a Snort rule definition file.

Features:

* Firewall testing
* IDS testing
* Simulation of real TCP connections for stateful inspection firewalls and IDS
* Connection spoofing
* IP fragmentation / TCP segmentation
* IDS evasion techniques

Requirements:

The following PERL modules are required: Net::RawIP, Net::PcapUtils, NetPacket


The configuration of a firewall is built by combining more than one rule, and sometimes a rule may live somewhere other than the main rule configuration. In that case it is difficult to confirm whether the effective configuration is the one the system administrators intended (is an unnecessary hole open, or is a necessary hole closed?).

For this tool we prepare a computer with two network interfaces, each connected to one side of the firewall. A packet with forged source and destination IP addresses is sent towards the firewall from one interface, and whether it passed through the firewall is confirmed on the other interface. The firewall’s rules are then confirmed from the packets that passed through it and the packets that didn’t.

This tool can check the rules without depending on how the firewall is configured.

There are two modules in Dr. Morena, similar to the Firewall Tester (FTester): the first is a check engine and the second is a packet list making engine.

Checker, the check engine, builds a check packet from the given packet information, sends it and receives it. It also confirms whether the packet passed through the firewall and returns the checked result.

Ideally, when checking the rules of a firewall, it would be good to check all packets of all services from every Internet Protocol address to every Internet Protocol address. However, it is impossible to check all packets in a reasonable time, so the firewall has to be checked with a limited set of packets. Packets chosen at random check the firewall inefficiently, so it is necessary to check it with packets aimed at the important addresses and services listed in the security policy, in order of priority.

ListMaker, the check packet list making engine, lists the packets necessary for the check from information classified according to degree of importance.
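Both FTester (the diff of ftest.log against ftestd.log) and Dr. Morena (the Checker's "did it pass or not" result set against the intended policy) reduce to the same comparison. The following is an added example, not code from either project, that performs it: parse a sender log and a sniffer log, split the injected packets into passed and filtered, and then answer Dr. Morena's two questions against a constructed statement of what the administrator intended. The log line format, addresses and policy are assumptions made for the example; the real ftest/ftestd logs look different.

```python
from collections import namedtuple

Probe = namedtuple("Probe", "src dst proto dport")

# Constructed logs in a made-up "id src dst proto dport" line format. The one
# property relied on is the one described above: both sides log the same
# marked packet under the same id, so a packet present in the sender's log
# but absent from the sniffer's was filtered.
SENT_LOG = """\
1 203.0.113.10 192.0.2.20 tcp 22
2 203.0.113.10 192.0.2.20 tcp 80
3 203.0.113.10 192.0.2.20 tcp 443
4 203.0.113.10 192.0.2.20 tcp 3389
5 203.0.113.10 192.0.2.20 udp 53
6 203.0.113.10 192.0.2.21 tcp 80
"""
SNIFFED_LOG = """\
2 203.0.113.10 192.0.2.20 tcp 80
3 203.0.113.10 192.0.2.20 tcp 443
4 203.0.113.10 192.0.2.20 tcp 3389
5 203.0.113.10 192.0.2.20 udp 53
"""

# What the administrator believes the policy allows (constructed).
INTENDED_ALLOW = {
    Probe("203.0.113.10", "192.0.2.20", "tcp", 80),
    Probe("203.0.113.10", "192.0.2.20", "tcp", 443),
    Probe("203.0.113.10", "192.0.2.20", "udp", 53),
    Probe("203.0.113.10", "192.0.2.21", "tcp", 80),
}


def parse_log(text):
    """id -> Probe for every well-formed line; malformed lines are skipped."""
    probes = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit() or not parts[4].isdigit():
            continue
        pid, src, dst, proto, dport = parts
        probes[int(pid)] = Probe(src, dst, proto.lower(), int(dport))
    return probes


def compare_logs(sent, sniffed):
    """Split the injected packets into those seen behind the firewall and
    those that never arrived (the 'diff of the two log files')."""
    passed, filtered = [], []
    for pid in sorted(sent):
        (passed if pid in sniffed else filtered).append(sent[pid])
    return passed, filtered


def audit_policy(passed, filtered, intended_allow):
    """Dr. Morena's two questions: is an unnecessary hole open, and is a
    necessary hole closed?"""
    unexpected_holes = [p for p in passed if p not in intended_allow]
    blocked_but_needed = [p for p in filtered if p in intended_allow]
    return unexpected_holes, blocked_but_needed


def run_audit(sent_text=SENT_LOG, sniffed_text=SNIFFED_LOG, intended=INTENDED_ALLOW):
    passed, filtered = compare_logs(parse_log(sent_text), parse_log(sniffed_text))
    return audit_policy(passed, filtered, intended)


if __name__ == "__main__":
    holes, blocked = run_audit()
    print("unexpected holes:", holes)
    print("needed but blocked:", blocked)
```

In the constructed data the firewall lets TCP/3389 through although the policy never allowed it, and drops the permitted TCP/80 to the second host; those two lists are the whole point of running probes from both sides rather than reading the rule set.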

Free Download

Dr. Morena - Firewall

[Source: Darknet ]

This is some pretty interesting news: rather than trying to cover things up as usual, during July the Philippine government will be soliciting hackers to test the security of their Internet voting system.

I think it’s a great initiative from the International Foundation for Electoral System.

Local and foreign computer hackers will be tapped to try and break into an Internet-based voting system that will be pilot tested by the country’s Commission on Elections (Comelec) starting July 10.

The Internet voting system, developed by Spanish firm Scytl Consortium, is worth $452,000. Comelec will pilot test the system from July 10 to 30 for voters in Singapore, where there are 26,853 registered absentee voters.

The results of the polls, which will use survey questions, will be non-binding, which means it will not affect official elections results.

I think it might work out better if some kind of prize or at least incentive was offered for anyone who could successfully compromise the voting system, things usually work out better that way.

Comelec commissioner Florentino Tuason Jr. told local reporters they have already asked the help of the International Foundation for Electoral System (IFES), a Washington-based IFES non-profit organization, in getting professional hackers to test the security of the Internet voting system.

“When Scytl presented the system, everybody was impressed on the security features. It is covered by international patent and it has been declared secured by no less than Switzerland and everyone in the global community should respect that decision,” Tuason told reporters in a conference Tuesday.

Scytl’s computerized voting system is also being used in countries such as the U.S., Switzerland, and Belgium.

It’ll certainly be interesting to see how the system’s ‘impressive security’ stands up against a bunch of random hackers.

[Source: Darknet]

E-mail System HACKED

Posted by Bijay | 8:38 AM | 0 comments

The Pentagon got owned pretty hard with 1,500 accounts being taken offline due to a hack attack. For once however they did admit the incident and didn’t try to cover it over or brush it off.

I guess the amount of attacks they get is exponentially more than other networks…but still, I would have thought they should be super secure.

About 1,500 unclassified e-mail users at the Pentagon had their service disrupted yesterday when a hacker infiltrated the e-mail system, forcing the accounts to be taken offline.

In a briefing today with reporters in Washington at the Pentagon, Secretary of Defense Robert M. Gates confirmed the incident and said that the users were disconnected from the system after the intrusion was discovered.

“The reality is that the Defense Department is constantly under attack,” Gates said during the briefing. “Elements of the [Office of the Secretary of Defense] unclassified e-mail system were taken offline yesterday afternoon, due to a detected penetration. A variety of precautionary measures are being taken. We expect the system to be online again very soon.”

The funny thing is the Secretary of Defense himself doesn’t even use e-mail…so I doubt he even noticed what had happened.

Hopefully the government will sharpen up its ideas.

Gates said that he was not sure why the 1,500 users were removed temporarily from the system. “Well, I don’t know the answer to that, and they’re still investigating it.”

Gates said he doesn’t use e-mail, so he didn’t know if his account was affected.

“I don’t do e-mail,” he said. “I’m a very low-tech person.”

A spokesman at the Department of Defense late this afternoon said he had no additional information about the incident.

[Source: Darknet]

Seems like a social engineering type attack again relying on human ignorance and stupidity. Based around some kind of malware reporting back to a central repository.

Remember kids if a deal is too good to be true…it isn’t.

Hackers stole information from the U.S. Department of Transportation and several U.S. companies by seducing employees with fake job-listings on advertisements and e-mail, a computer security firm said.

The victims include consulting firm Booz Allen, computer services company Unisys Corp, computer maker Hewlett- Packard Co and satellite network provider Hughes Network Systems, a unit of Hughes Communications Inc, said Mel Morris, chief executive of British Internet security provider Prevx Ltd.

Of the list, only Unisys acknowledged that viruses had been detected and removed from two PCs, saying no information had been leaked. A Department of Transportation spokeswoman said the agency could not find any indication of a breach and a spokeswoman for Hughes said she was unaware of any breaches.

They were fairly selective about their targets which meant they stayed under the radar for some time.

Prevx said the malware it identified uses a program named NTOS.exe that probes PCs for confidential data, then sends it to a Web site hosted on Yahoo Inc. That site’s owner is likely unaware it is being used by hackers, Morris said.

He believes the hackers have set up several “sister” Web sites that are collecting similar data from other squadrons of malware. It was not clear whether the hackers used any information stolen from more than 1,000 PCs.

The hackers only targeted a limited group of computers, which kept traffic down and allowed them to stay under the radar of security police, who tend to identify threats when activity reaches a certain level.

The fact is off the shelf AV solutions CANNOT detect custom malware, this has been known about for a long time but it’s never really sunken in to the brains of the people in charge.

A little bit of programming and a little bit of imagination and most companies can still be owned with a custom trojan.

[Source: Darknet]

An interesting happening this week: some ISPs have been hijacking the DNS entries for certain IRC networks to crack down on zombie/bot infections.

Is it ethical? Should they be doing this to their users?

I first got wind of this from a post on Full Disclosure mailing list from an IRC network administrator.

Internet service provider Cox Communications is reportedly diverting attempts to reach certain online chat channels and redirecting them to a server that attempts to remove spyware from the computer. By doing so the company seems to be attempting to cleanse computers of malware that hijacks the computer’s resources to send spam and participate in online service attacks as part of a large network of compromised computers known as a botnet.

Specifically, Cox’s DNS server is responding to a domain name request for an Internet Relay Chat server. Instead of responding with the correct IP address for the server, Cox sends the IP address of its own IRC server (70.168.70.4). That server then sends commands to the computer that attempt to remove malware.

They seem to run some kind of script when the user connects to try and ‘clean’ the machine from infection….even if it’s not infected.

IRC is still used heavily, I don’t really use it much anymore apart from Freenode. The Darknet channel used to be on DALnet back in the day.

Freenode is pretty happening for open source projects though.

Though clever, the tactic is being heavily debated by networking experts on the NANOG mailing list, some of whom question the effectiveness of the technique and who question whether blocking access to the channels for all users (by breaking the DNS protocol) in order to stop some malware is the appropriate solution. Cox does not seem to be blocking all IRC channels, but anyone trying to reach those channels using Cox’s DNS servers will be unable to reach them.

IRC channels are heavily used by programmers, non-traditional communities and black-hat hackers, among others. The malware-infected zombie computers Cox is attempting to clean can also be controlled remotely by having them connect to an IRC channel where they get instructions from their controller.
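Whatever one thinks of the ethics, the technical symptom is easy to check for: the ISP resolver returns a different address for a name than an independent resolver does, and a single address answers for several unrelated names. The following is an added example, not from the original post, that runs those two checks over constructed answers collected from two resolvers; the names, addresses and resolver labels are constructed (documentation ranges, not the address quoted in the report).

```python
from collections import defaultdict

# Constructed observations: (name, resolver, address) answers collected from
# two resolvers, the ISP's and an independent one. Addresses are from the
# documentation ranges, not the ones in the Cox report.
OBSERVATIONS = [
    ("irc.example.net", "isp", "192.0.2.4"),
    ("irc.example.net", "independent", "198.51.100.20"),
    ("irc.example.org", "isp", "192.0.2.4"),
    ("irc.example.org", "independent", "198.51.100.30"),
    ("irc.example.org", "independent", "198.51.100.31"),
    ("www.example.com", "isp", "203.0.113.80"),
    ("www.example.com", "independent", "203.0.113.80"),
]


def answers_by_resolver(observations):
    """name -> resolver -> set of addresses."""
    table = defaultdict(lambda: defaultdict(set))
    for name, resolver, addr in observations:
        table[name][resolver].add(addr)
    return table


def rewritten_names(observations, suspect="isp", reference="independent"):
    """Names for which the suspect resolver's answers share no address with
    the reference resolver's: the DNS-level symptom described above. Names
    answered by only one resolver are skipped rather than guessed at."""
    table = answers_by_resolver(observations)
    return sorted(name for name, per in table.items()
                  if per.get(suspect) and per.get(reference)
                  and not (per[suspect] & per[reference]))


def sinkhole_candidates(observations, resolver="isp", min_names=2):
    """Addresses the resolver hands out for several unrelated names; a
    redirect server answering for every diverted IRC host looks like this."""
    names_for = defaultdict(set)
    for name, res, addr in observations:
        if res == resolver:
            names_for[addr].add(name)
    return {addr: sorted(names) for addr, names in names_for.items()
            if len(names) >= min_names}


if __name__ == "__main__":
    print("rewritten:", rewritten_names(OBSERVATIONS))
    print("sinkholes:", sinkhole_candidates(OBSERVATIONS))
```

Round-robin and CDN names legitimately return different addresses from different vantage points, which is why the first check requires an empty intersection rather than a plain inequality, and why the second check (many names collapsing onto one address) is the stronger signal.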


[Source: Darknet]

Link Layer Discovery Protocol Fuzzer

The first Link Layer Discovery Protocol fuzzer is now available, and test cases are ready to be used along with the tool. The fuzzing architecture makes it easy to extend the tool with new test cases as more LLDP compliant devices appear.

LLDP is a Layer 2 protocol which allows network devices to advertise their identity and capabilities on the local network, it helps to keep track of devices and the packets are multi-casted.

CDP, EDP and NDP are similar to LLDP.

The LLDP fuzzer is meant for black box testing of LLDP enabled networks/devices. Its aim is to find security vulnerabilities using test cases, since it’s important to be able to replicate a test case.

It can be automated, and it tries to find bugs by sending malformed packets and looking for corner cases.

It can find vulnerabilities in any agent receiving LLDP packets and is programmed in Python. It works fine on Linux but won’t work on Windows due to RAW socket limitations.
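The corner cases such a fuzzer hunts are concrete: an LLDP TLV is a 16-bit header (7-bit type, 9-bit length) followed by the value, a frame must begin with the Chassis ID, Port ID and TTL TLVs and end with an End TLV, and a naive parser trusts the length field. The following is an added example, not the LLDP fuzzer's code, showing the receiving side: a strict LLDPDU parser together with a few constructed malformed frames of the kind a fuzzer emits, each of which the parser rejects with a specific error instead of reading past the buffer. The frame contents and the case names are constructed.

```python
import struct

END_TLV, CHASSIS_ID, PORT_ID, TTL = 0, 1, 2, 3


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type, 9-bit length, then the value."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


# Constructed, well-formed LLDPDU: chassis (subtype 4 = MAC address),
# port (subtype 5 = interface name), TTL 120 s, End of LLDPDU.
GOOD_LLDPDU = (tlv(CHASSIS_ID, b"\x04" + bytes.fromhex("001122334455"))
               + tlv(PORT_ID, b"\x05eth0")
               + tlv(TTL, struct.pack("!H", 120))
               + tlv(END_TLV, b""))


class LLDPError(ValueError):
    pass


def parse_lldpdu(data):
    """Strictly parse an LLDPDU into [(type, value), ...].
    Every check here is a corner case a fuzzer would otherwise find by
    crashing a naive parser: a length that runs past the frame, a
    truncated header, a missing End TLV, mandatory TLVs out of order."""
    tlvs, offset = [], 0
    while True:
        if offset + 2 > len(data):
            raise LLDPError("truncated TLV header at offset %d" % offset)
        header, = struct.unpack_from("!H", data, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(data):
            raise LLDPError("TLV type %d length %d runs past end of frame"
                            % (tlv_type, length))
        value = data[offset:offset + length]
        offset += length
        tlvs.append((tlv_type, value))
        if tlv_type == END_TLV:
            if length != 0:
                raise LLDPError("End TLV must have zero length")
            break
    types = [t for t, _ in tlvs[:3]]
    if types != [CHASSIS_ID, PORT_ID, TTL]:
        raise LLDPError("mandatory TLVs missing or out of order: %r" % types)
    if len(tlvs[2][1]) != 2:
        raise LLDPError("TTL TLV must be exactly 2 bytes")
    return tlvs


def ttl_seconds(tlvs):
    return struct.unpack("!H", tlvs[2][1])[0]


# Constructed malformed cases: the kind of inputs an LLDP fuzzer emits.
BAD_CASES = {
    "length overrun": GOOD_LLDPDU[:4],           # header claims 7 bytes, frame has 2
    "no end tlv": GOOD_LLDPDU[:-2],
    "ttl too short": (tlv(CHASSIS_ID, b"\x04abc") + tlv(PORT_ID, b"\x05p")
                      + tlv(TTL, b"\x01") + tlv(END_TLV, b"")),
    "end tlv with payload": (tlv(CHASSIS_ID, b"\x04abc") + tlv(PORT_ID, b"\x05p")
                             + tlv(TTL, b"\x00\x78") + struct.pack("!H", 3) + b"xyz"),
}


def check_cases(cases):
    """Return {case name: error message} for every case the parser rejects."""
    rejected = {}
    for name, frame in cases.items():
        try:
            parse_lldpdu(frame)
        except LLDPError as e:
            rejected[name] = str(e)
    return rejected


if __name__ == "__main__":
    print("good frame TTL:", ttl_seconds(parse_lldpdu(GOOD_LLDPDU)))
    for name, err in check_cases(BAD_CASES).items():
        print("rejected %-22s %s" % (name + ":", err))
```

The same `tlv()` encoder is the natural seed for a test case generator: a fuzzer mutates the length field, drops the End TLV or reorders the mandatory TLVs, which is exactly the list of checks the parser enforces.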

Free Download

LLDPfuzzer.tar

Download the paper - LLDPpaper.pdf
Download the presentation - LLDPpresentation.ppt

[Source: Darknet]

RTP Break

Posted by Bijay | 12:27 AM | 0 comments

RTP Break - RTP Analysis & Hacking Tool

rtpBreak detects, reconstructs and analyzes any RTP [rfc1889] session through heuristics over the UDP network traffic. It works well with SIP, H.323, SCCP and any other signaling protocol. In particular, it doesn’t require the presence of RTCP packets (voipong needs them), which aren’t always transmitted by recent VoIP clients.

The RTP sessions are composed by an ordered sequence of RTP packets. Those packets transport the Real Time data using the UDP transport protocol.

RTP packets must respect some well-defined rules in order to be considered valid; this characteristic allows a pattern to be defined on a single packet, which is used to split the captured network traffic into packets that can be RTP and those that certainly are not.
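As an added example (not rtpBreak's own code), here is one form the per-packet pattern and the session heuristic can take: a header check that rejects what certainly is not RTP, and a flow tracker that only reports a session after several consecutive packets agree on SSRC, payload type and sequence numbering. The flow tuple, threshold and packets are constructed assumptions.

```python
import struct
RTP_HEADER_LEN = 12  # fixed header; a CSRC list and an extension may follow

def build_rtp(seq, ts, ssrc, pt=0, marker=False, payload=b"\x00" * 20):
    """Constructed RTP packet (V=2, no padding/extension/CSRC) for this example."""
    b0 = 2 << 6
    b1 = ((1 if marker else 0) << 7) | (pt & 0x7F)
    return struct.pack("!BBHII", b0, b1, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload

def parse_rtp_header(data):
    """Per-packet pattern: (pt, seq, ts, ssrc) if `data` can be RTP, None if it
    certainly is not (bad version, RTCP-colliding PT, header past datagram end)."""
    if len(data) < RTP_HEADER_LEN:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack_from("!BBHII", data, 0)
    if b0 >> 6 != 2:                       # RTP version is always 2
        return None
    cc, ext, pad = b0 & 0x0F, (b0 >> 4) & 1, (b0 >> 5) & 1
    pt = b1 & 0x7F
    if 72 <= pt <= 76:                     # with marker bit these read as RTCP types 200-204
        return None
    hlen = RTP_HEADER_LEN + 4 * cc
    if ext:                                # extension: 16-bit profile id, 16-bit length in words
        if len(data) < hlen + 4:
            return None
        hlen += 4 + 4 * struct.unpack_from("!H", data, hlen + 2)[0]
    if len(data) < hlen:
        return None
    if pad and not 0 < data[-1] <= len(data) - hlen:   # padding count must fit the payload
        return None
    return pt, seq, ts, ssrc

class RtpSessionDetector:
    """Flow-level heuristic: a UDP flow is reported as an RTP session once `threshold`
    consecutive packets share SSRC and payload type and advance the sequence number by one."""
    def __init__(self, threshold=3):
        self.threshold = threshold
        self.state = {}            # flow -> (ssrc, pt, last_seq, run_length)
        self.sessions = set()      # (flow, ssrc) pairs accepted as RTP

    def feed(self, flow, data):
        h = parse_rtp_header(data)
        if h is None:              # not RTP: the run for this flow is broken
            self.state.pop(flow, None)
            return False
        pt, seq, _, ssrc = h
        prev = self.state.get(flow)
        contiguous = prev is not None and prev[:2] == (ssrc, pt) and seq == (prev[2] + 1) & 0xFFFF
        run = prev[3] + 1 if contiguous else 1
        self.state[flow] = (ssrc, pt, seq, run)
        if run >= self.threshold:
            self.sessions.add((flow, ssrc))
            return True
        return False
```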

free Download

rtpbreak-1.0



KGB Keylogger is a multifunctional keyboard tracking software (a.k.a. key logger) that is widely used by both regular users and IT security specialists.

The reason for such popularity is that this program does not just record keystrokes: it is capable of recording language-specific characters (e.g. umlauts), the date and time a certain window was opened, as well as the caption of that window.

Thus, this software combines two very important qualities - it records all typed data, so that you won't lose it when your computer unexpectedly crashes, and it keeps the record of all keyboard activity.

KGB Keylogger is a tool that allows you to track keyboard activity.

KGB Keylogger allows you to monitor your children's activity at home or to make sure your employees do not use company's computers inappropriately.
There are three versions of keylogger - Free KGB Key Logger, KGB Keylogger and KGB Spy.

Free KGB Key Logger is absolutely free, contains all the basic features described above and is intended for non-commercial home use. KGB Keylogger and KGB Spy are well-known, highly praised IT-security-oriented software that goes beyond recording keystrokes.

While KGB Keylogger was originally created for corporations and small businesses, it is becoming increasingly popular for home use as well. The main reason for that is the extended capabilities of KGB Spy and KGB Keylogger.

Industry experts regard KGB Spy and KGB Keylogger as the best low-cost non-invasive software from the keylogger family.

Here are some key features of "KGB Keylogger":


· Stealth mode and visible mode of work;
· Logs keyboard input, including language-specific characters;
· Logs Clipboard entries;
· Monitors and logs network activities;
· Custom list of monitored applications;
· Detailed information for each log entry, including the time stamp, application name and window caption;
· Screenshots at custom frequency (regular intervals or on mouse clicks);
· Export of logs into HTML.

free Download

kgb keylogger v4.53

Password:TADJ@mechodownload

FireCAT 1.1

Posted by Bijay | 12:04 AM | 0 comments

Turn Firefox into a Security Platform

FireCAT is a Firefox Framework Map collection of the most useful security oriented extensions. It can be used to turn your favorite browser (Firefox) into a powerful security framework.

Changes for FireCAT 1.1

+ Category Network Utilities
- Added ffsniff to subcat “Sniffers”
- Added CrossFTP to subcat FTP (thanks to Benjamin Picuira)
- Added JiWire to subcat Wi-Fi (thanks to Mike from google.com)
- Added Oracle DBA Toolbar to subcat Database (thanks to Laurent Chouraki)

+ New category “IT Security Related”
- Added Open Source Vulnerability Database Search (OSVD)
- Added US Homeland Security Threat Level.

free Download


[Source Darknet ]

pwdump6 is a password hash dumper for Windows 2000 and later systems. It is capable of dumping LanMan and NTLM hashes as well as password hash histories. It is based on pwdump3e, and should be stable on XP SP2 and 2K3. If you have had LSASS crash on you using older tools, this should fix that.

fgdump is a more powerful version of pwdump6. pwdump tends to hang and such when antivirus is present, so fgdump takes care of that by shutting down and later restarting a number of AV programs. It also can dump cached credentials and protected storage items, and can be run in a multithreaded fashion very easily. I strongly recommend using fgdump over pwdump6, especially given that fgdump uses pwdump6 under the hood! You’ll get everything pwdump6 gives you and a lot more.

free Download

pwdump
fgdump

[Source Darknet ]



ServiceCapture - HTTP Traffic Capture for Debugging Flash

ServiceCapture runs on your PC and captures all HTTP traffic sent from your browser or IDE. It is designed to help Rich Internet Application (RIA) developers in the debugging, analysis, and testing of their applications.

Remote Service Deserialization
ServiceCapture is the only tool of its kind to deserialize and display all Flash Remoting or AMF traffic in a simple-to-use interface. ServiceCapture now also deserializes SOAP and JSON-RPC traffic into easy to use object trees.

Bandwidth Simulation
ServiceCapture also has a unique bandwidth simulation feature. It allows engineers to throttle their bandwidth to simulate dial-up, DSL, and cable connection speeds, even when the entire application is being served locally.

Free Download

ServiceCapture v1.2.19

[Source Darknet ]

PIRANA - Exploitation Framework for Email Content Filters

PIRANA is an exploitation framework that tests the security of an email content filter. Driven by a vulnerability database, the content filter under test is bombarded with emails containing a malicious payload intended to compromise the computing platform.

PIRANA’s goal is to test whether or not any vulnerability exists on the content filtering platform.

free Download

PIRANA

[Source Darknet ]

This Ethical Hacker Kit from Hackers Center comes into play for those starting out who don’t even know what we are talking about when we say the app is vulnerable to an LFI (local file inclusion).

The kit aims to be a fairly comprehensive collection of tools and papers to shorten the learning curve for someone interested in ethical hacking.

There are many unpublished (completely new) papers written by Doz (author of the kit and member of hackerscenter.com). It is made easy to use by the division into folders for each main area of hacking, so in each folder there are tools and papers related to the area (including source code, compiled tools and setup).

You can find the list of contents here:

Ethical Hacker Kit - Contents

So if you’re interested grab it here:

Ethical Hacker Kit

[Source Darknet ]



The video shows how to crack WEP- or WPA-secured networks. It also shows how to prevent people from cracking your wireless network(s).

How To Unlock Wifi

Posted by Bijay | 10:46 PM | 0 comments



1) Open Internet Explorer.
2) Enter "home" in the address bar.
3) Go to Home Network (at the top).
4) Go to Wireless Settings (at the top).
5) Find your system password on your router box.
6) Type in the password.
7) Change wireless security to Shared.



How to get wifi even if the connection port is locked password protected free no without jailbreak

FLARE

Posted by Bijay | 10:32 PM | 0 comments

FLARE - Flash Decompiler to Extract ActionScript

Flare processes an SWF and extracts all scripts from it. The output is written to a single text file. Only ActionScript is extracted, no text or images. Flare is freeware. Windows, Mac OS X and Linux versions are available.

The main purpose of a decompiler is to help you recover your own lost source code. However, there are other uses, like finding out how a component works, or trying to understand a poorly documented interface. Depending on where you live, some of them may be forbidden by law. It’s your responsibility to make sure you don’t break the law using Flare.

If you develop Flash applications for a living, you probably know that your code is not secure inside an SWF. It’s not the existence of a decompiler that makes your code insecure, though; it’s the design of the SWF format. Although no ActionScript source is stored there, most of it can be recovered from the bytecode.

Windows Explorer Shell Extension

Download flare06setup.exe. After installation, right-click on any SWF file in Windows Explorer and choose Decompile from the context menu. Flare will decompile somename.swf and store the decompiled code in somename.flr in the same folder. somename.flr is a simple text file; you can open it with your favorite text editor. If Flare encounters problems during decompilation, it will display some warnings. If everything goes well, it will quit silently. That’s all; Flare has no other GUI. To uninstall, run Start > Programs > Flare > Uninstall.

Mac OS X Droplet

Get flare06.dmg. After mounting the disk image, drop an SWF file onto the Flare icon in Finder. The decompiled ActionScript will be stored in the SWF’s folder with the FLR extension. Open it with your text editor. You can decompile multiple SWF files at once. The droplet is compiled on OS X 10.3; it should work on 10.2 and 10.4. There is no Flare for OS 9.

Note: There is no installation procedure for the command line versions. Just create a folder named flare somewhere and unpack the archive there. To uninstall, delete the folder and you’re done.

FREE DOWNLOAD

DOS/Windows binary: flare06doswin.zip
Mac OS X binary: flare06mac.tgz
Linux x86 binary: flare06linux.tgz
Linux x86 64-bit binary: flare06linux64.tgz
Solaris x86 binary: flare06solaris.tgz


IPAudit 0.95

Posted by Bijay | 10:17 PM | 0 comments

IPAudit - Network Activity Monitor with Web Interface

IPAudit monitors network activity by host, protocol and port. It listens to a network device in promiscuous mode and records every connection between two IP addresses. A unique connection is determined by the IP addresses of the two machines, the protocol used between them, and the port numbers (if they are communicating via UDP or TCP).

IPAudit can be used to monitor network activity for a variety of purposes. It has proved useful for intrusion detection, monitoring bandwidth consumption and spotting denial-of-service attacks. It can be used with IPAudit-Web to provide web-based network reports.

IPAudit is a free network monitoring program available and extensible under the GNU GPL.

IPAudit is a command line tool that uses the libpcap library to listen to traffic and generate data. The IPAudit-Web package includes the IPAudit binary in addition to the web interface that creates reports based on the collected data. Using the Web package is recommended, as it gives you a slick graphical interface complete with traffic charts and a search feature.
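As an added example (not IPAudit's own code), the snippet below keeps the kind of connection table IPAudit describes, over constructed packet records instead of a live libpcap capture: both directions of a TCP/UDP exchange collapse into one entry, port-less protocols such as ICMP key on addresses alone, and per-host totals are derived from the table. The record layout, field names and addresses are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address

PORTED = ("tcp", "udp")   # only these protocols carry port numbers

def connection_key(src, sport, dst, dport, proto):
    """Direction-independent identity of a connection: the two endpoints in
    canonical order plus the protocol. Ports are zeroed for port-less protocols."""
    proto = proto.lower()
    if proto not in PORTED:
        sport = dport = 0
    a = (ip_address(src).version, int(ip_address(src)), sport, src)
    b = (ip_address(dst).version, int(ip_address(dst)), dport, dst)
    lo, hi = sorted((a, b))
    return (lo[3], lo[2], hi[3], hi[2], proto)

def summarize(records):
    """Aggregate (src, sport, dst, dport, proto, length) records per connection;
    `initiator` is the source of the first packet seen on that connection."""
    conns = {}
    for src, sport, dst, dport, proto, length in records:
        key = connection_key(src, sport, dst, dport, proto)
        entry = conns.setdefault(key, {"packets": 0, "bytes": 0, "initiator": src})
        entry["packets"] += 1
        entry["bytes"] += length
    return conns

def bytes_per_host(conns):
    """Per-host byte totals (the 'by host' view) derived from the connection table."""
    totals = defaultdict(int)
    for (ip_a, _, ip_b, _, _), entry in conns.items():
        totals[ip_a] += entry["bytes"]
        totals[ip_b] += entry["bytes"]
    return dict(totals)

def top_connections(conns, n=3):
    """Connections sorted by byte volume, largest first."""
    return sorted(conns.items(), key=lambda kv: kv[1]["bytes"], reverse=True)[:n]

# Constructed records (src, sport, dst, dport, proto, length): a web fetch,
# a DNS lookup and an ICMP echo pair on a small LAN. Addresses are made up.
SAMPLE_RECORDS = [
    ("192.168.1.10", 51000, "203.0.113.5", 80, "tcp", 60),
    ("203.0.113.5", 80, "192.168.1.10", 51000, "tcp", 1500),
    ("192.168.1.10", 51000, "203.0.113.5", 80, "tcp", 52),
    ("192.168.1.10", 53012, "192.168.1.1", 53, "udp", 70),
    ("192.168.1.1", 53, "192.168.1.10", 53012, "udp", 130),
    ("192.168.1.10", 0, "192.168.1.1", 0, "icmp", 84),
    ("192.168.1.1", 0, "192.168.1.10", 0, "icmp", 84),
]
```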

FREE DOWNLOAD

IPAudit 0.95


I was looking through my toolbox to see what else is useful and I came across this one, httprint - the only caveat is that it’s a little out of date. It still does a good job though.

httprint is a web server fingerprinting tool.

It relies on web server characteristics to accurately identify web servers, despite the fact that they may have been obfuscated by changing the server banner strings, or by plug-ins such as mod_security or servermask. httprint can also be used to detect web enabled devices which do not have a server banner string, such as wireless access points, routers, switches, cable modems, etc. httprint uses text signature strings and it is very easy to add signatures to the signature database.

Main Features

* Identification of web servers despite the banner string and any other obfuscation. httprint can successfully identify the underlying web servers when their headers are mangled either by patching the binary, by modules such as mod_security.c, or by commercial products such as ServerMask.
* Inventorying of web-enabled devices such as printers, routers, switches, wireless access points, etc.
* Customisable web server signature database. To add new signatures, simply cut and paste the httprint output against unknown servers into the signatures text file.
* Confidence Ratings. httprint now picks the best matches based on confidence ratings, derived using a fuzzy logic technique, instead of going by the highest weight. More details on the significance of confidence ratings can be found in section 8.4 of the Introduction to HTTP fingerprinting paper.
* Multi-threaded engine. httprint v301 is a complete re-write, featuring a multi-threaded scanner, to process multiple hosts in parallel. This greatly saves scanning time.
* SSL information gathering. httprint now gathers SSL certificate information, which helps you identify expired SSL certificates, ciphers used, certificate issuer, and other such SSL related details.
* Automatic SSL detection. httprint can detect if a port is SSL enabled or not, and can automatically switch to SSL connections when needed.
* Automatic traversal of HTTP 301 and 302 redirects. Many servers that have moved their content to other servers send a default redirect response to all HTTP requests. httprint now follows the redirection and fingerprints the new server pointed to. This feature is enabled by default and can be turned off if needed.


WEP is a protocol for securing wireless LANs. WEP stands for “Wired Equivalent Privacy”, meaning it should provide the level of protection a wired LAN has. To do so, WEP uses the RC4 stream cipher to encrypt data transmitted over the air, usually with a single secret key (called the root key or WEP key) of 40 or 104 bits.

A history of WEP and RC4

WEP was already known to be insecure. In 2001 Scott Fluhrer, Itsik Mantin, and Adi Shamir published an analysis of the RC4 stream cipher. Some time later, it was shown that this attack can be applied to WEP and that the secret key can be recovered from about 4,000,000 to 6,000,000 captured data packets. In 2004 a hacker named KoReK improved the attack: the complexity of recovering a 104-bit secret key was reduced to 500,000 to 2,000,000 captured packets.

In 2005, Andreas Klein presented another analysis of the RC4 stream cipher. Klein showed that there are more correlations between the RC4 keystream and the key than those found by Fluhrer, Mantin, and Shamir, which can additionally be used to break WEP in WEP-like usage modes.

The aircrack-ptw attack

The aircrack team was able to extend Klein’s attack and optimize it for use against WEP. Using this version, it is possible to recover a 104-bit WEP key with 50% probability using just 40,000 captured packets. For 60,000 available data packets the success probability is about 80%, and for 85,000 data packets about 95%. Using active techniques like deauth and ARP re-injection, 40,000 packets can be captured in less than one minute under good conditions. The actual computation takes about 3 seconds and 3 MB of main memory on a Pentium-M 1.7 GHz and can additionally be optimized for devices with slower CPUs. The same attack can be used for 40-bit keys too, with an even higher success probability.

Countermeasures

We believe that WEP should not be used anymore in sensitive environments. Most wireless equipment vendors provide support for TKIP (also known as WPA1) and CCMP (also known as WPA2), which provide a much higher security level. All users should switch to WPA1 or, even better, WPA2.


Please note aircrack-ptw should be used together with the aircrack-ng toolsuite.

aircrack is an 802.11 WEP and WPA-PSK key cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like the KoreK attacks, making the attack much faster than other WEP cracking tools. In fact, aircrack is a set of tools for auditing wireless networks.

Aircrack-ng is the next generation of aircrack with lots of new features:

* Better documentation (wiki, manpages) and support (Forum, trac, IRC: #aircrack-ng on Freenode).
* More cards/drivers supported
* New WEP attack: PTW
* More OS and platforms supported
* Fragmentation attack
* Improved cracking speed
* WEP dictionary attack
* Capture with multiple cards
* New tools: airtun-ng, packetforge-ng (improved arpforge), wesside-ng and airserv-ng
* Optimizations, other improvements and bug fixing

FREE DOWNLOAD

aircrack-ng - 0.9.1 - Linux(gz file)
aircrack-ng - 0.9.1 - Windows(zip file)


Remember you need this to use aircrack-ptw - the fast WEP cracking tool.