Thursday, October 30, 2008

Scan your system with 8 different anti-malware applications

Hitman Pro Runs Eight Different Anti-Malware Apps With One Click

Free application Hitman Pro scans your system for malware using not one, not two, but eight different anti-malware applications. Essentially, Hitman Pro is a helper utility that runs up to eight different cleaning tools when you tell it to. Some are favourites we all know and love, like Ad-Aware and Spybot S&D, while others are a bit more obscure. The idea behind Hitman Pro is that you've got a one-stop shop for killing off any malware that hits your system—regardless of whether it's spyware, adware, or some nasty virus. As the MakeUseOf post points out, scanning your system with each app can be a time-consuming process, so it's best to use when your computer is idle.

Refer here to download and for more details.

Microsoft NT Hash cracker from LM Password


lm2ntcrack provides a simple way to instantly crack the Microsoft Windows NT hash (MD4) when the LM password is known. lm2ntcrack is free and open source software. The software is entirely written in Perl, so it is easily ported and installed.

lm2ntcrack must be used with the password cracker John the Ripper.

Please refer here for more details.

Tuesday, October 28, 2008


Browser-based NTLM Attack Toolkit

The purpose of this little doodad is to help you prove to your employer, your client, your best friend, your dog, or God that NTLM is truly dead. It does this by taking control of any browser that comes into contact with it and making it perform NTLM authentication at will. By using a set of API calls you can embed Squirtle into existing penetration toolkits, proxies or other fun tools at your disposal.

Please refer here for more details and to download.

pyrit - A tool to estimate the real-world security

Advances in attacking WPA-PSK

Pyrit takes a step ahead in attacking WPA-PSK and WPA2-PSK, the protocol that today de-facto protects public WIFI-airspace. The project's goal is to estimate the real-world security provided by these protocols. Pyrit does not provide binary files or wordlists and does not encourage anyone to participate or engage in any harmful activity. This is a research project, not a cracking tool.

Pyrit's implementation allows creating massive databases that pre-compute part of the WPA/WPA2-PSK authentication phase in a space-time tradeoff. The performance gain for real-world attacks is in the range of three orders of magnitude, which urges a reconsideration of the protocol's security. Exploiting the computational power of GPUs, this is currently by far the most powerful attack against one of the world's most used security protocols.

Pyrit compiles and runs fine on Linux and MacOS X. None of the BSD systems were tested but all posix systems should be fine anyway. I don't care about Windows; drop me a line (read: patch) if you make Pyrit work without copying half of GNU in binary form...

Refer here to read more details and to download or refer here to read their blog.

Sunday, October 26, 2008

Emergency Patch released by Microsoft

Microsoft Says Windows Flaw Could Bring Worm Attack

Microsoft fixed a critical bug in its Windows operating system Thursday, saying that it is being exploited by online criminals and that it could eventually be used in a widespread "worm" attack.

Microsoft took the unusual step of issuing an emergency patch for the flaw, several weeks ahead of its regularly scheduled November security updates, saying that it is being exploited in "limited targeted attacks."

Please refer here to read the full article on CIO.

I quote from Microsoft's Security Vulnerability Research & Defense website:

Most perimeter firewalls will block exploit attempts from outside your organization

If you are behind a perimeter firewall that filters inbound connections to TCP ports 139 and 445, you will not be reachable from the Internet. This is a common home user scenario. In this scenario, only the machines in your local LAN will have the ability to exploit this vulnerability.

This basically means that if you have strong filtering at the firewall you are still safe from this exploit, but this doesn't mean we should take the vulnerability lightly. I recommend all my readers, and especially home users, deploy this patch as soon as possible.

More useful links can be found on Roger Halbheer's blog.

Hackers Use Nvidia Graphics Card to Smash WPA2 10,000 Percent Faster

WiFi is no longer a viable secure connection

Global Secure Systems has said that a Russian firm's use of the latest NVidia graphics cards to accelerate WiFi ‘password recovery' times by up to an astonishing 10,000 per cent proves that WiFi's WPA and WPA2 encryption systems are no longer enough to protect wireless data.

David Hobson, managing director of GSS, claimed that companies can no longer view standards-based WiFi transmission as sufficiently secure against eavesdropping to be used with impunity. He also said that the use of VPNs is arguably now mandatory for companies wanting to comply with the Data Protection Act.

He said: “This breakthrough in brute force decryption of WiFi signals by Elcomsoft confirms our observations that firms can no longer rely on standards-based security to protect their data. As a result, we now advise clients using WiFi in their offices to move on up to a VPN encryption system as well.

Please refer here to read the full article.

WPA and WPA2 are the secure methods that came after WEP, and they are commonly used by home users and perhaps many small-to-large companies. This basically means that all wireless users on WPA and WPA2 are at risk, and we should start looking at more secure wireless methods before we fall victim to these types of attacks.

Thursday, October 23, 2008


Monitor Ethernet Activity

Arpwatch monitors Ethernet or FDDI activity and maintains a database of Ethernet/IP address pairings. It also reports certain changes via e-mail. Arpwatch uses libpcap, a system-independent interface for user-level packet capture. Before building arpwatch, you must first retrieve and build libpcap. Once libpcap is built (either install it or make sure arpwatch and libpcap share the same parent directory), you can build arpwatch using the procedure in the INSTALL file.
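The pairing database and change reports that arpwatch keeps, reduced to a small Python model run over constructed ARP observations. This is an added example, not arpwatch's own code; the report subjects ("new station", "changed ethernet address", "flip flop") are the ones arpwatch mails, the sample addresses are made up, and the same "changed ethernet address" alert is what exposes a gateway IP being claimed by another MAC.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of ARP replies (timestamp, sender IP, sender MAC) as a
# sniffer on the LAN would see them; not a real capture.
SAMPLE_ARP = [
    ("2008-10-23 09:00:01", "192.168.1.10", "00:11:22:33:44:55"),
    ("2008-10-23 09:00:05", "192.168.1.1",  "00:AA:BB:CC:DD:01"),  # the gateway
    ("2008-10-23 09:01:10", "192.168.1.20", "00:11:22:33:44:66"),  # a new host appears
    ("2008-10-23 09:02:00", "192.168.1.1",  "00:de:ad:be:ef:99"),  # gateway IP claimed by another MAC
    ("2008-10-23 09:02:30", "192.168.1.1",  "00:aa:bb:cc:dd:01"),  # ...and back again
    ("2008-10-23 09:03:00", "192.168.1.10", "00:11:22:33:44:55"),  # nothing changed
]

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


class ArpDatabase:
    """Holds the IP -> MAC pairings and produces the report types arpwatch mails:
    'new station', 'changed ethernet address' and 'flip flop'."""

    def __init__(self) -> None:
        self.pairings: Dict[str, dict] = {}     # ip -> {mac, first_seen, last_seen}
        self.previous_mac: Dict[str, str] = {}  # ip -> the MAC it had before the current one
        self.reports: List[dict] = []

    def observe(self, ts: str, ip: str, mac: str) -> Optional[str]:
        """Record one ARP reply; return the report subject it triggered, or None."""
        mac = mac.lower()
        if not MAC_RE.match(mac):
            raise ValueError(f"malformed MAC address: {mac!r}")
        entry = self.pairings.get(ip)
        if entry is None:
            self.pairings[ip] = {"mac": mac, "first_seen": ts, "last_seen": ts}
            return self._report("new station", ts, ip, mac, None)
        if entry["mac"] == mac:
            entry["last_seen"] = ts          # routine refresh, nothing to report
            return None
        # The IP now answers from a different MAC. If it is bouncing back to the
        # address it had before the current one, arpwatch calls it a flip flop.
        old_mac = entry["mac"]
        subject = "flip flop" if self.previous_mac.get(ip) == mac else "changed ethernet address"
        self.previous_mac[ip] = old_mac
        entry["mac"], entry["last_seen"] = mac, ts
        return self._report(subject, ts, ip, mac, old_mac)

    def _report(self, subject, ts, ip, mac, old_mac):
        # In arpwatch this becomes an e-mail; here the fields are just queued.
        self.reports.append({"subject": subject, "timestamp": ts, "ip": ip,
                             "mac": mac, "old_mac": old_mac})
        return subject


def run(events=SAMPLE_ARP) -> List[dict]:
    """Feed the sample observations through the database and return the reports."""
    db = ArpDatabase()
    for ts, ip, mac in events:
        db.observe(ts, ip, mac)
    return db.reports


if __name__ == "__main__":
    for r in run():
        print(f"{r['timestamp']}  {r['subject']:<24} {r['ip']:<14} {r['mac']}"
              + (f"  (was {r['old_mac']})" if r["old_mac"] else ""))
```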

Refer here for more details and more interesting tools.

Active Reconnaissance network security tool

Firewalk - OpenSource Network Security tool

Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass. Firewalk works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway.

If the gateway allows the traffic, it will forward the packets to the next hop, where they will expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway host does not allow the traffic, it will likely drop the packets on the floor and we will see no response.

To get the correct IP TTL that will result in expired packets one hop beyond the gateway, we need to ramp up hop counts. We do this in the same manner that traceroute works. Once we have the gateway hop count (at that point the scan is said to be `bound`) we can begin our scan.

It is significant that the ultimate destination host does not have to be reached. It just needs to be somewhere downstream, on the other side of the gateway from the scanning host.
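A simulation of the ramping and scanning phases described above, written as an added example (it is not Firewalk's code) over a constructed path of hops; the hop names, the gateway's ACL and the ports are assumptions. It also shows the caveat a practitioner should know: a network that suppresses outbound ICMP time-exceeded makes every port look filtered, so the probe is blinded.

```python
from typing import Dict, List, Optional, Set, Tuple

Probe = Tuple[str, int]   # (protocol, port), e.g. ("tcp", 80)


class Hop:
    """One forwarding device on the path from the scanner toward the destination.

    acl is None for a plain router that forwards everything, or the set of
    (proto, port) pairs a filtering gateway lets through. emits_ttl_exceeded
    models whether the device answers an expired packet with ICMP time-exceeded.
    """
    def __init__(self, name: str, acl: Optional[Set[Probe]] = None,
                 emits_ttl_exceeded: bool = True) -> None:
        self.name = name
        self.acl = acl
        self.emits_ttl_exceeded = emits_ttl_exceeded


def send_probe(path: List[Hop], ttl: int, proto: str, port: int):
    """Carry one probe hop by hop, decrementing the TTL the way routers do.

    Returns ("TIME_EXCEEDED", hop_name) when it expires at a hop that answers,
    None when it is silently dropped, or ("DELIVERED", None) if it survives the
    whole path. Firewalk never needs delivery: the destination only has to sit
    somewhere beyond the gateway, as the post notes.
    """
    for hop in path:
        ttl -= 1
        if ttl == 0:
            return ("TIME_EXCEEDED", hop.name) if hop.emits_ttl_exceeded else None
        if hop.acl is not None and (proto, port) not in hop.acl:
            return None   # the gateway drops the packet on the floor
    return ("DELIVERED", None)


def bind(path: List[Hop], gateway: str, proto: str = "udp", port: int = 53,
         max_ttl: int = 30) -> int:
    """Ramping phase: raise the TTL traceroute-style until the gateway itself
    answers with time-exceeded. That TTL is the gateway's hop count."""
    for ttl in range(1, max_ttl + 1):
        resp = send_probe(path, ttl, proto, port)
        if resp == ("TIME_EXCEEDED", gateway):
            return ttl
    raise RuntimeError(f"could not bind to gateway {gateway!r}")


def firewalk(path: List[Hop], gateway: str, proto: str, ports: List[int]) -> Dict[int, str]:
    """Scanning phase: probe each port with TTL = gateway hop count + 1.

    A time-exceeded from the hop behind the gateway proves the gateway forwarded
    the packet ("open"); silence means it was filtered, or that the reply was
    suppressed somewhere, which the scanner cannot tell apart ("filtered").
    """
    hop_count = bind(path, gateway)
    results = {}
    for port in ports:
        resp = send_probe(path, hop_count + 1, proto, port)
        results[port] = "open" if resp and resp[0] == "TIME_EXCEEDED" else "filtered"
    return results


def build_path(next_hop_answers: bool = True) -> List[Hop]:
    """Constructed topology: scanner -> r1 -> gw (filters) -> r3 -> dst.

    Setting next_hop_answers=False models a network that suppresses outbound
    ICMP time-exceeded, the usual way to blind this kind of probing.
    """
    allowed = {("tcp", 22), ("tcp", 80), ("udp", 53)}
    return [Hop("r1"), Hop("gw", acl=allowed),
            Hop("r3", emits_ttl_exceeded=next_hop_answers), Hop("dst")]


def demo() -> Dict[int, str]:
    """What the scan reports for a few TCP ports through the constructed gateway."""
    return firewalk(build_path(), "gw", "tcp", [22, 25, 80, 139, 445])


if __name__ == "__main__":
    print("gateway is", bind(build_path(), "gw"), "hops away")
    print(demo())
    print("with ICMP time-exceeded suppressed:",
          firewalk(build_path(False), "gw", "tcp", [22, 80]))
```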

To read more details about Firewalk please refer here.

Data breaches are common in Australia

Four in five Australian companies suffered data breach in past five years

A new survey reveals almost 80% of local companies have experienced data breaches in the past five years, with 40% recording between six and 20 breaches.

The Symantec Australian data loss survey shows 59% of businesses suspect they have been the victim of data breaches, but are unable to identify stolen information. A whopping 34% of respondents report an average breach cost them $5000, while 14% say breaches cost them between $100,000 and $999,999, and 7% over $1 million.

But the main cause of data breaches, the survey reports, was lost laptops at 45%, while human error accounted for 42% of cases. Malicious attacks were responsible for 28% of breaches, while hacking and malware were responsible for 24%.

Monday, October 20, 2008

Be Careful With Your Bank Account Information

A new, extremely dangerous electronic virus is threatening card owners

A new type of "Trojan horse" virus is threatening bank card owners and electronic payment users: it integrates itself into websites and deceives consumers into providing confidential data such as credit card numbers and PINs. Moreover, the virus can infect any computer through what looks like a simple browser update.

According to IDG News Service, the malware known as Limbo “integrates itself into a Web browser using a technique called HTML injection, said Uri Rivner, head of new technologies at RSA Consumer Solutions. Because it’s so closely integrated in the browser, it can operate even while the user is at the real bank site and can actually change the layout of that site, he said.”

I quote from the article,

“Nothing tells you that something is wrong here, with one exception: You’re being asked to provide some information that you were never asked to do before,” Rivner said during a briefing for reporters and analysts earlier this week. “If you are convinced that you are now communicating with the bank, the fraudsters can get away with anything they like.”

Limbo can get onto a user’s computer through many paths, including both pop-up messages that ask you to download an add-on program and methods that are invisible to the user, he said. They sometimes get on to PCs in conjunction with other phishing attacks.

And like other malware programs, Limbo is becoming available to more fraudsters through an underground market that includes a complex supply chain and falling prices, according to Rivner. Limbo costs about $350 (U.S.), down from about $1,000 a year ago and $5,000 two years ago, he said.

“The big trend here is that it’s becoming affordable,” Rivner said.

The online fraud marketplace consists of so-called harvesters, who collect user information and “cash-out” operations that use the information to do whatever has to be done to translate that information into money. For example, harvesters may capture credit card numbers and cash-out operations may use those cards to buy products online, have them delivered to an address and sell them on the black market, Rivner said. The two classes of fraudsters typically meet and do business with each other in IRC chatrooms and dedicated Web forums, where the most successful fraudsters are the ones who develop a reputation for working reliably and honestly with other participants, Rivner said.

In line with this, internet users are advised to update their antivirus software and enable strict online security and privacy measures in their web browsers, such as Google Chrome, Firefox 3.0.1 or later, and Internet Explorer 8.

Antivirus software that can block access to unsafe websites (like McAfee Antivirus and AVG Pro) can also help.

Just beware of this malware or else you will lose a lot of money if you’re into online banking.

Wednesday, October 15, 2008

Wabisabilabi expanding their business in a more unethical way...

Wabisabilabi puts 'zero day' shield into UTMs

I recently came across an interesting news item that WabiSabiLabi has joined hands with UTM vendors and will be feeding its "Zero Day Threats" into UTM hardware.

I quote from the article:

According to Roberto Preatoni, the company's chief technical officer, the original researchers of these flaws will be rewarded as subscribers pay for updates to the database, in essence earning them ongoing revenue.

"No more ‘one shot peanuts' as the researchers used to get as a treatment from the traditional hardware/software security producers; as long as their signatures will be useful, they will keep cashing money," he said.

If I understand this correctly, this means the bad guys can sell vulnerabilities in copyrighted software and, on top of that, collect monthly royalties from what subscribers pay?

I quote again from the news:

The company also planned to create a portal to allow researchers to sell their vulnerabilities directly to OneShield customers, he indicated.

If monthly subscriber pay is not enough, you can even sell the vulnerabilities directly to the customers.

Is this some kind of Internet Italian Mafia bringing its unethical principles into our security industry? In the eyes of the world they are trying to help researchers, but in reality they are supporting them!

Be careful before opening PDF files

PDF Files and Flash Ads Can Contain Malicious Code

Flash and PDF files on the Internet can contain hidden malicious code that's so sophisticated that most antivirus software won't detect the attacks even after they infiltrate vulnerable computers, according to a report released by the company Finjan, a provider of Web gateway and content-inspection solutions.

On Sept. 23, 2008, Finjan released its Malicious Page of the Month report detailing how malevolent hackers use Web 2.0 technologies to infest operating systems with the latest malware. The report's data, compiled by the company's Malicious Code Research Center, tracks the evolution of "obfuscated code," or code that is encrypted so well by its authors that it's difficult to recognize. This code can be built into Flash and PDF files by people with bad intentions.

"This vulnerability will enable them to gain access to our local disk so they can install their Trojan horse or keylogger software," said Yuval Ben-Itzhak, Finjan's chief technology officer. This gives them the opportunity to slip in undetected and wreak havoc.

The report divulges the following details of this trend:

In 2008, obfuscated code was embedded in rich-content files, such as Flash-constructed ads on Web pages or the ever-popular PDFs that millions of Internet users download regularly. Some hapless Web surfers are unwittingly compromising their computers merely by visiting sites with code-infested Flash ads on them or by downloading seemingly harmless PDFs containing the same type of code.

In 2007, obfuscation techniques mimicked legitimate encryption-decryption processes. In this method, a malicious hacker sends a "key" to users that seems legitimate. After a user obtains and activates the key, it unlocks malicious code that goes to work on the user's machine.

In 2006, malicious hackers wrote harmful code into programs that are activated once users input passwords or other forms of typed input.

In 2005, obfuscated code attacks consisted of two formats: scrambling code to make it more complicated, and character-based encoding to use it in any format a browser can interpret.

Again, my advice is the same: don't open files or attachments from a source you don't know or trust.

Monday, October 13, 2008

New Metasploit 3.2 adds new features including DNS, WiFi hacking

Metasploit 3.2 Offers More 'Evil Deeds'

"It will abuse the HTTP security model, stealing cookies and saved form data," Moore said.

Hacking into systems is apparently getting easier with the upcoming open source Metasploit 3.2 framework, according to its creator. During a packed presentation at the SecTor conference here yesterday, Metasploit creator H. D. Moore detailed some of the new features in the upcoming Metasploit 3.2 release. They include names such as Browser AutoPwn, Metasploit in the Middle and the Evil Wireless Access Point.

"For http we do a whole bunch of evil things to a browser," Moore mentioned, addressing an audience of security and networking professionals from sectors such as government and leading corporations.

If that's not enough to give security researchers a taste of the latest developments in security vulnerabilities, there is the Evil Wireless Access Point feature. Moore said it can create an access point that consumes all other access points around it. Adding insult to evil, it has the ability to spoof any access point that is already on a user's preferred access point list.
Moore also added that Metasploit 3.2 now has full IPv6 support.

It seems that Metasploit 3.2 will be sporting a BSD 3-Clause license. That basically means that MSF can be forked or modified and repackaged and sold by commercial entities. The 3-Clause license basically means that the source code and binaries keep the copyright, but they can’t say the mutant product is endorsed by HD.

DarkReading has an article about it, and one of the ideas tossed around is Core Impact integrating MSF into their tool. Aside from the thousands of dollars that Core costs, the lack of reporting functionality is one of the reasons MSF is kept in the shadows with researchers and pen-testers. MSF is awesome and it is regularly used by auditors/pen-testers and other security researchers. I have always thought someone should build some reporting plug-ins for MSF; maybe someone will now.

Metasploit is an open source attack framework first developed by Moore in 2003.

Saturday, October 11, 2008

Fake Microsoft email contains "backdoor" virus

Spammers using "Microsoft" name to trick users to install Malware

A fake phishing email making the rounds seemingly comes from Microsoft, but actually contains a “backdoor” trojan.

The email has a subject line that reads, “Security Update for OS Microsoft Windows” and supposedly came from the "Microsoft Official Update Center" at a domain named securityassurance[at]microsof[dot]com.

The message urges users to run an attached file to install an update that, the email says, will protect the recipient from security threats and performance problems.

The malicious attachment is not a Microsoft update, but rather malware identified as “Trojan.Backdoor.Haxdoor,” which has the potential to turn computers into bots or enable an attacker to access corporate networks.

Please refer here to read advice from Roger Halbheer; as he mentions, Microsoft will never send updates or any kind of software as an e-mail attachment.

Friday, October 10, 2008

Attackers using Youtube to trick users

Fake YouTube pages used to spread viruses

Savvy Internet users know that downloading unsolicited computer programs is one of the most dangerous things you can do online. It puts you at great risk for a virus or another time bomb from a hacker.

But even some sophisticated surfers could get taken in by a sneaky new attack in which criminals create fake YouTube pages, dead-on replicas of the real site, to push their malicious software and make it look like it's safe stuff coming from a trusted source.

A program circulating online helps hackers build those fake pages. Users who follow an e-mail pointing them to one of the pages would see an error message that claims the video they want won't play without installing new software first. That error message includes a link the hacker has provided to a malicious program, which delivers a virus.

Even worse: once the computer is infected, it's simple for the hacker to silently redirect the victims to a real YouTube page to see the videos they were hoping to see, and hide the crime.

My advice is the same as usual: don't click links in, or open, emails from people you don't know.

Hackers able to fool browsers into redirection

Adobe warns of 'clickjacking' attacks

Adobe has issued a security alert about its Flash software that makes it vulnerable to being abused by hackers in a practice known as clickjacking. Clickjacking involves subverting a web page so that when a visitor clicks on a link they are redirected to a site the hacker wants them to see. It is a variant of cross-site scripting attacks but appears to be more serious.

The details of the attack were due to be published at the OWASP NYC AppSec 2008 Conference but the talk was withheld at Adobe’s request until a workaround could be developed.

“Let’s be clear though, the responsibility of solving clickjacking does not rest solely at the feet of Adobe as there is a ton of moving parts to consider,” said Jeremiah Grossman, co-founder of Whitehat Security and one of the researchers who uncovered the technique.

Refer here to read full details.

Tuesday, October 7, 2008

Clickjacking - should you be worried?

Nearly all browsers are vulnerable to this new attack class, but details are scarce

Worth reading Q&A on clickjacking:

Excellent explanation by Schneier:
In plain English, clickjacking lets hackers and scammers hide malicious stuff under the cover of the content on a legitimate site. You know what happens when a carjacker takes a car? Well, clickjacking is like that, except that the click is the car.
"Clickjacking" is a stunningly sexy name, but the vulnerability is really just a variant of cross-site scripting. We don't know how bad it really is, because the details are still being withheld. But the name alone is causing dread.

Refer here to read full details on Clickjacking.

Saturday, October 4, 2008

The Internet is full of hosts that do not comply with the RFC

Port Scanning the Internet

I came across THC’s blog today and found an interesting post that I would like to share with my blog readers.

Port Scanning the Internet

Today fyodor/nmap gave a talk at defcon ("Nmap: Scanning the Internet"). It was one of the better if not the best presentation at defcon for me. Fyodor presents his research with a lot of charm, fun and motivation.

Nmap can now be used to scan the entire Internet.

Before joining THC I was doing research for Team-Teso. In 2000 one of our problems at Teso was that many script kiddies entered the arena and started setting up DDoS hosts and owning like mad. Hacking became mainstream.

At Teso we did not like script kiddies and we abhorred those doing DDoS. A small group of Teso and some friends reverse engineered the backdoors and started scanning for them. Our objective was to discourage script kiddies and stop DDoS attacks (by removing the DDoS agents).


We developed a new scanner (called 'bscan', not published but a handful of people had it) that was capable of scanning the internet.

The main features of bscan were:

- Raw SYN scanner. Full TCP/IP stack in userland.
- Using ghost IP and ghost MAC (untraceable)
- Modular. We developed loadable modules for telnet handshake, bind, http (HEAD / HTTP/1.0), ...
- Sending out 50.000 or more syn packets per second.
- Running on linux, sunos/solaris and bsd.

In short, the scanner was capable of scanning the entire Internet. The scanner retrieved all web server versions or telnet banners within hours.

Fyodor's nmap was developed for a different reason. The features of nmap are far superior to bscan. Bscan was a tool and nmap is a professional application.


All this is history now and I think that 7 years after the development the time has come to share some of the stuff that we learned while scanning the Internet:

1. The Internet is full of hosts that do not comply with the RFC.

2. There are hosts on the Internet that keep sending ACK packets for hours even if you send back FIN, RST or ICMP error messages. They just won't stop sending!

3. Sometimes you send a SYN to one host and you get the SYN/ACK back from a different host (asymmetric NAT).

4. There are entire class A networks with no hosts in them at all (The Black Holes of the Internet).

5. Never scan sequentially. If a remote class B or class C is hit with 50k SYNs per second, the serving router of the target network will start sending out ARP requests to resolve the MAC of all these hosts. ARP requests are broadcast messages. This will overload some hosts on the target 'local' network, which will crash or not respond for several seconds while processing the ARP requests. You will miss those hosts. Scan 'spread spectrum' and increment the IP by 256 or a similar value.

6. The first SYN packet is often lost. When scanning 10-20 class A networks in 'spread spectrum' mode (-X option in bscan), the router of a large network (e.g. class B) still has to resolve several hundred ARP entries per second. Some routers cannot handle this and will start dropping SYN packets if the MAC is not known and cannot be resolved because the router is already busy resolving other MAC addresses.

7. Coordinate with your people so that you are the only one scanning the Internet. Same reason as above: if two people scan at the same time, the target hosts have to process too many ARP requests and both of you will miss hosts.

8. Never wait longer than 3 seconds for a host to complete. If it takes longer than 3 seconds for a host to reply you are not interested in owning that host anyway.

9. Be kind to other administrators. We set up a charity ("The Institute for Internet Statistics") to have a reasonable explanation for any IT administrator who complained about our scanning activities.

The scanner was usually started on 5-10 Internet hosts in parallel. A big thanks at this point to the IT Administrators of the various universities in Germany who let us use their hosts for scanning (legally!).

A typical TCP port scan of the Internet took between 8-16 hours.


There was a nice side effect of cleaning the Internet of script kiddies and their backdoors: Teso had a full list of the server versions of all hosts on the Internet. Team Teso no longer had to scan for vulnerable hosts. We just looked them up in our log files.

One day one of the German hackers who helped Teso came home drunk and decided to start another scan for a script kiddie backdoor that was running on TCP port 33645. He initiated a scan and set the source port to 443 and the destination port to 33645. The morning after (and being sober again) he saw that various security mailing lists were discussing a new 0-day vulnerability against HTTPS (port 443). Apparently someone was scanning the HTTPS ports on the Internet at massive speed. He looked again at what scan he had started the night before: he had mistakenly swapped source and destination port while drunk and scanned for port 443 instead of port 33465.

These mails can still be found on the archives of various mailing lists around xmas 2002.

Lesson learned: Do not drink & hack.

We were not the only ones who scanned the Internet. We heard of an Israeli research group who did it in 1998.

In 2002/2003 Dan Kaminsky published another tool called scanrand. His tool is public. Try it.

Final Notes

These days bscan is old and not up to date anymore.

Whatever you do make sure it's legal and does not cause trouble to other people.



Computer Forensic Live CD

Helix 3

Helix is an Ubuntu-based Linux distro that aims to help your work on computer forensics, incident response and electronic discovery. It has almost everything you need for live forensics. With the Helix live CD you can still boot into a customised Linux environment that includes customised Linux kernels, excellent hardware detection and many applications dedicated to incident response and forensics.

Helix has been modified very carefully to NOT touch the host computer in any way, and it is forensically sound. Helix will not auto-mount swap space or auto-mount any attached devices. Helix also has a special live side for incident response and forensics.

Helix focuses on Incident Response & Forensics tools. It is meant to be used by individuals who have a sound understanding of Incident Response and Forensic techniques.

Refer here to download Helix 3.

Friday, October 3, 2008

Dutch researcher claims e-passport hack

A Dutch researcher has published code that purports to emulate and clone e-passports, and has released a video to prove it works.

A Dutch researcher has published code that purports to emulate and clone e-passports, and has released a video to prove it works. The researcher claims the proof-of-concept video, posted this week to The Hackers Choice website, shows an e-passport self-reader at Schiphol airport in Amsterdam accepting a passport and chip with fake details — those of Elvis Presley — with no alarm apparently being raised.

The hacker, who goes by the name 'vonJeek', also published emulation code for use with a blank JCOP v4.1 72k smartcard. Once the code is uploaded to the card, the chip can be cloned using a customised version of Adam Laurie's RFIDIOT tool, the researcher claimed.

"Regardless how good the intention of the government might have been, the facts are that tested implementations of the e-passports inspection system are not secure," wrote vonJeek on The Hacker's Choice website. "E-passports give us a false sense of security: We are made to believe that they make use more secure. I'm afraid that's not true: current e-passport implementations don't add security at all."

The UK Identity and Passport Service said UK passports remained secure. A spokesperson said: "We take security and privacy very seriously, which is why the British biometric passport meets international standards as set out by International Civil Aviation Organisation and we remain confident that it is one of the most secure passports available."

Please refer here to read full details.

As we are all aware, Australia launched ePassports back in 2005 and claimed them to be the most secure passports ever. After reading this post, are the Australian ePassport and other countries' ePassports still the most secure passports ever, as claimed, or will this change soon?

Wednesday, October 1, 2008

VoIP eavesdropping made easy


A security consultant with expertise in protecting phone conversations as they travel over the internet has unveiled a new tool that demonstrates just how vulnerable voice over internet protocol, or VoIP, calls are to interception.

UCSniff bundles a hodgepodge of previously available open-source applications into a single software package that helps penetration testers assess the security of VoIP calls carried over a client's network. It also introduces several new features that make eavesdropping on specific targets a point-and-click undertaking.

UCSniff runs on a laptop that can be plugged in to the ethernet port of the organization being probed. From there, a VLAN hopper automatically traverses the virtual local area network until it accesses the part that carries VoIP calls. Once the tool has gained unauthorized access, UCSniff automatically injects spoofed ARP, or address resolution protocol, packets into the network, allowing all voice traffic to be routed to the laptop.

UCSniff streamlines eavesdropping by allowing an attacker to zero in on the conversations of particular users. Targets can be selected by extension number or dial-by-name features, making it easy to listen to all calls made by a specific individual - such as an organization's CEO. Eavesdropping can be further fine-tuned by listening only to calls the CEO makes to a specific person - such as a chief financial officer.

Refer here to read full details.