Saturday, November 30, 2013
DOS Attack Types And Tools
A denial of service (DoS) attack is a type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. Many DoS attacks, such as the Ping of Death and Teardrop attacks, exploit limitations in the TCP/IP protocols.
Types:-
A teardrop attack is a type of attack in which fragmented packets are forged to overlap each other when the receiving host tries to reassemble them.
Ping of death is a type of DoS attack in which the attacker sends a ping request that is larger than 65,536 bytes, which is the maximum size that IP allows. While a ping larger than 65,536 bytes is too large to fit in one packet that can be transmitted, TCP/IP allows a packet to be fragmented, essentially splitting the packet into smaller segments that are eventually reassembled. Attacks took advantage of this flaw by sending fragments that, when reassembled, would total more than the allowed number of bytes, causing a buffer overflow in the operating system at the receiving end and crashing the system. Ping of death attacks are rare today, as most operating systems have been fixed to prevent this type of attack from occurring.
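Both of the fragment abuses above are visible at reassembly time, so a receiving host or an IDS can reject them before any buffer is touched. The following is an added example in Python, not code from the original post: it checks one datagram's fragment set for overlapping fragments (teardrop) and for a reassembled size above the 65,535-byte IPv4 limit (ping of death). The fragment tuples and the three sample fragment sets are constructed for illustration; the 20-byte header and the 8-byte fragment granularity are the IPv4 rules from RFC 791.

```python
# Added example (not from the original post): a reassembly sanity check that
# flags the two fragment abuses described above. Fragments are represented as
# (offset_in_bytes, payload_length, more_fragments), as a host's reassembly
# queue would see them. Sample fragment sets below are constructed.

MAX_IP_DATAGRAM = 65535  # largest IPv4 datagram, header included (RFC 791)
IP_HEADER_LEN = 20       # minimal IPv4 header; offsets count payload bytes only

def check_fragments(frags):
    """Return a list of problems found in one datagram's fragment set."""
    problems = []
    covered_end = 0
    for offset, length, more_fragments in sorted(frags, key=lambda f: f[0]):
        if offset % 8 != 0:
            problems.append(f"offset {offset} is not a multiple of 8")
        if offset < covered_end:
            # teardrop: this fragment starts inside data an earlier one covered
            problems.append(f"fragment at {offset} overlaps previous data ending at {covered_end}")
        if more_fragments and length % 8 != 0:
            problems.append(f"non-final fragment at {offset} has length {length}, not a multiple of 8")
        covered_end = max(covered_end, offset + length)
    total = IP_HEADER_LEN + covered_end
    if total > MAX_IP_DATAGRAM:
        # ping of death: the pieces add up to more than IP allows
        problems.append(f"reassembled datagram would be {total} bytes, exceeding {MAX_IP_DATAGRAM}")
    return problems

def is_safe(frags):
    """True when the fragment set can be reassembled without any anomaly."""
    return not check_fragments(frags)

# Constructed samples: a normal three-fragment datagram, an overlapping set,
# and a set whose pieces exceed the maximum datagram size.
NORMAL = [(0, 1480, True), (1480, 1480, True), (2960, 500, False)]
TEARDROP = [(0, 1480, True), (1000, 1480, False)]
PING_OF_DEATH = [(i * 1480, 1480, True) for i in range(44)] + [(44 * 1480, 800, False)]

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("teardrop", TEARDROP), ("ping-of-death", PING_OF_DEATH)):
        print(name, check_fragments(frags) or "ok")
```

A real reassembly queue would also need a per-source timeout and a cap on queued bytes, otherwise an attacker can exhaust memory by never sending the final fragment; the check above is only the content validation.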
DDOS Attack: A distributed denial of service attack (DDoS) occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. This is the result of multiple compromised systems (for example a botnet) flooding the targeted system(s) with traffic. When a server is overloaded with connections, new connections can no longer be accepted.
Peer to Peer Attack: Attackers have found a way to exploit a number of bugs in peer-to-peer servers to initiate DDoS attacks. Peer-to-peer attacks are different from regular botnet-based attacks. With peer-to-peer there is no botnet and the attacker does not have to communicate with the clients it subverts. Instead, the attacker acts as a "puppet master," instructing clients of large peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and to connect to the victim's website instead. As a result, several thousand computers may aggressively try to connect to a target website. While peer-to-peer attacks are easy to identify with signatures, the large number of IP addresses that need to be blocked (often over 250,000 during the course of a large-scale attack) means that this type of attack can overwhelm mitigation defenses.
For all known DOS attacks, there are software fixes that system administrators can install to limit the damage caused by the attacks.
Top 10 DoS Attack Tools:-
1. LOIC (Low Orbit Ion Canon)
This tool was used by the popular hacker group Anonymous. This tool is really easy to use, even for a beginner. It performs a DoS attack by sending UDP, TCP, or HTTP requests to the victim server. You only need to know the URL or IP address of the server and the tool will do the rest.
Download
2. HOIC (High Orbit Ion Canon)
High Orbit Ion Canon (HOIC) is a DDoS tool associated with Anonymous. HOIC is a Windows executable. Its features:
- High-speed multi-threaded HTTP flood
- Simultaneously flood up to 256 websites at once
- Built-in scripting system to allow the deployment of 'boosters', scripts designed to thwart DDoS countermeasures and increase DoS output
- Easy to use interface
- Can be ported over to Linux/Mac with a few bug fixes (I do not have either system so I do
- Ability to select the number of threads in an ongoing attack
- Ability to throttle attacks individually with three settings: LOW, MEDIUM, and HIGH
Download
3. XOIC
XOIC is another DoS attack tool. It performs a DoS attack on any server with an IP address, a user-selected port, and a user-selected protocol.
XOIC has 3 modes:
- Test Mode
- Normal DoS attack mode (no request counter and no TCP/HTTP/UDP/ICMP message, for performance)
- DoS attack with a TCP/HTTP/UDP/ICMP message
Download
4. Tor Hammer
Tor's Hammer is a slow POST DoS testing tool written in Python. It can also be run through the Tor network to be anonymized. If you are going to run it with Tor, it assumes you are running Tor on 127.0.0.1:9050. It kills most unprotected web servers running Apache and IIS via a single instance: Apache 1.X and older IIS with ~128 threads, newer IIS and Apache 2.X with ~256 threads.
Download
5. Anonymous-DoS
Anonymous-DoS is an HTTP flood program written in HTA and JavaScript, designed to be lightweight, portable, possible to be uploaded to websites whilst still having a client version, and made for Anonymous DDoS attacks.
How does it work?
It will flood a chosen web server with HTTP connections; with enough of them it will crash the server, resulting in a denial of service.
Download
6. DAVOSET
It is a tool for carrying out distributed denial of service attacks using execution on other sites (the name stands for DDoS Attacks Via Other Sites Execution Tool).
Download
7. PyLoris
PyLoris is a scriptable tool for testing a server's vulnerability to connection exhaustion denial of service (DoS) attacks. PyLoris can utilize SOCKS proxies and SSL connections, and can target protocols such as HTTP, FTP, SMTP, IMAP, and Telnet.
Download
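Connection exhaustion attacks of the kind PyLoris and Tor's Hammer test for are easy to spot on the server side: one source holds many connections open without ever completing a request. The following is an added example in Python, not part of the original post or of either tool: it replays a connection log and reports sources whose number of open-but-incomplete connections exceeded a limit. The log format (time, source IP, connection id, OPEN/HEADERS_DONE/CLOSE) and the sample lines are constructed; the threshold of 5 pending connections per source is an assumed value that a real server would tune.

```python
import re
from collections import defaultdict

# Constructed connection log (hypothetical format, not from any real server):
# "<hh:mm:ss> <source_ip> <conn_id> <event>", event in OPEN / HEADERS_DONE / CLOSE.
LEGIT_LINES = [
    "10:00:00 198.51.100.7 c1 OPEN",
    "10:00:00 198.51.100.7 c1 HEADERS_DONE",
    "10:00:01 198.51.100.7 c2 OPEN",
    "10:00:01 198.51.100.7 c2 HEADERS_DONE",
    "10:00:02 198.51.100.7 c1 CLOSE",
    "10:00:03 198.51.100.7 c2 CLOSE",
]
# A slow-POST style client: opens many connections and never finishes its headers.
SLOW_LINES = [f"10:00:0{i} 203.0.113.9 s{i} OPEN" for i in range(8)]
SAMPLE_LOG = "\n".join(LEGIT_LINES + SLOW_LINES)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OPEN|HEADERS_DONE|CLOSE)$")

def find_slow_clients(log_text, max_pending=5):
    """Replay the log in order and return {ip: peak count of connections that
    were open without completed request headers} for every IP whose peak
    exceeded max_pending."""
    pending = defaultdict(set)   # ip -> connection ids open but headers unfinished
    peak = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue               # skip malformed lines rather than abort the scan
        _time, ip, conn, event = m.groups()
        if event == "OPEN":
            pending[ip].add(conn)
        else:                      # HEADERS_DONE or CLOSE both end the pending state
            pending[ip].discard(conn)
        peak[ip] = max(peak[ip], len(pending[ip]))
    return {ip: n for ip, n in peak.items() if n > max_pending}

def should_throttle(ip, log_text, max_pending=5):
    """True when this source should be rate-limited or have its idle
    connections closed early."""
    return ip in find_slow_clients(log_text, max_pending)

if __name__ == "__main__":
    print(find_slow_clients(SAMPLE_LOG))
```

The same counter, run live instead of over a log, is what a per-source connection limit and a short header timeout implement; those two settings are the standard mitigation for slow-request tools.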
8. Dereil
Dereil is a professional (DDoS) tool with modern patterns for attacks via the TCP, UDP and HTTP protocols. In computing, a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users.
Download
9. Moihack Port-Flooder
This is a simple port flooder written in Python 3.2. Use this tool to quickly stress test your network devices and measure your router's or server's load. Features are listed in the features section below. Moihack DoS Attack Tool was the name of the first version of the program; Moihack Port-Flooder is the reloaded version of the program with a major code rewrite and changes.
Download
10. DDOSIM
DDOSIM simulates several zombie hosts (having random IP addresses) which create full TCP connections to the target server. After completing the connection, DDOSIM starts the conversation with the listening application (e.g. HTTP server).
Download
Botnets
A botnet or robot network is a group of computers running a computer application controlled and manipulated only by the owner or the software source. The botnet may refer to a legitimate network of several computers that share program processing amongst them.
Usually though, when people talk about botnets, they are talking about a group of computers infected with the malicious kind of robot software, the bots, which present a security threat to the computer owner. Once the robot software (also known as malicious software or malware) has been successfully installed in a computer, this computer becomes a zombie or a drone, unable to resist the commands of the bot commander.
A botnet may be small or large depending on the complexity and sophistication of the bots used. A large botnet may be composed of ten thousand individual zombies. A small botnet, on the other hand, may be composed of only a thousand drones. Usually, the owners of the zombie computers do not know that their computers and their computers’ resources are being remotely controlled and exploited by an individual or a group of malware runners through Internet Relay Chat (IRC).
There are various types of malicious bots that have already infected and are continuing to infect the internet. Some bots have their own spreaders – the script that lets them infect other computers (this is the reason why some people dub botnets as computer viruses) – while some smaller types of bots do not have such capabilities.
Different Types of Bots
Here is a list of the most used bots in the internet today, their features and command set.
XtremBot, Agobot, Forbot, Phatbot
These are currently the best known bots, with more than 500 versions on the internet today. The bot is written in C++ with cross-platform capabilities and its source code is released under the GPL. These bots can range from the fairly simple to highly abstract module-based designs. Because of its modular approach, adding commands or scanners to increase its efficiency in taking advantage of vulnerabilities is fairly easy. It can use the libpcap packet sniffing library, NTFS ADS and PCRE. Agobot is quite distinct in that it is the only bot that makes use of other control protocols besides IRC.
UrXBot, SDBot, UrBot and RBot
Like the previous type of bot, these bots are published under the GPL, but unlike the above-mentioned bots they are less abstract in design and written in plain C. Although their implementation is less varied and their design less sophisticated, these types of bots are well known and widely used on the internet.
GT-Bots and mIRC based bots
These bots have many versions on the internet, mainly because mIRC is one of the most used IRC clients for Windows. GT stands for Global Threat and is the common name for bots scripted using mIRC. GT-bots make use of the mIRC chat client to launch a set of binaries (mainly DLLs) and scripts; their scripts often have the file extension .mrc.
Malicious Uses of Botnets
Types Of Botnet Attack
Denial of Service Attacks
A botnet can be used as a distributed denial of service weapon. A botnet attacks a network or a computer system for the purpose of disrupting service through the loss of connectivity or consumption of the victim network’s bandwidth and overloading of the resources of the victim’s computer system. Botnet attacks are also used to damage or take down a competitor’s website.
Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies.
Any Internet service can be a target by botnets. This can be done through flooding the website with recursive HTTP or bulletin-board search queries. This mode of attack in which higher level protocols are utilized to increase the effects of an attack is also termed as spidering.
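Fast flux, as described above, leaves a measurable trace in DNS: the same name resolves to a steady stream of different addresses on unrelated networks, each answer carrying a very short TTL. The following is an added example in Python, not from the original post, that scores domains from a log of A-record answers on exactly those two properties. The log format (time, domain, TTL, address) and the sample lines are constructed; the thresholds (TTL of 300 seconds or less, addresses in at least three distinct /24 networks) are assumed values. A short TTL by itself is normal for CDNs, which is why the sample includes one; the spread across unrelated networks is what carries the signal.

```python
import ipaddress
from collections import defaultdict

# Constructed DNS answer log (hypothetical format, not from any resolver):
# "<time> <domain> <ttl_seconds> <a_record>", one line per A record returned.
SAMPLE_DNS = """\
10:00 flux.example 60 203.0.113.5
10:01 flux.example 60 198.51.100.9
10:02 flux.example 60 192.0.2.17
10:03 flux.example 60 203.0.113.77
10:04 flux.example 60 198.51.100.200
10:00 static.example 3600 198.51.100.42
10:30 static.example 3600 198.51.100.42
10:00 cdn.example 30 203.0.113.10
10:01 cdn.example 30 203.0.113.11
10:02 cdn.example 30 203.0.113.12
"""

def summarise_answers(log_text):
    """Per domain: the set of IPs seen, the set of /24 networks they fall in,
    and the smallest TTL observed."""
    stats = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                       # ignore malformed lines
        _time, domain, ttl, ip = parts
        try:
            ttl = int(ttl)
            net = ipaddress.ip_network(f"{ip}/24", strict=False)
        except ValueError:
            continue                       # non-numeric TTL or non-IP answer
        s = stats[domain]
        s["ips"].add(ip)
        s["nets"].add(str(net))
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
    return stats

def suspected_fast_flux(log_text, max_ttl=300, min_networks=3):
    """Domains whose answers combine a short TTL with addresses spread over at
    least min_networks distinct /24s, returned sorted by name."""
    return sorted(
        domain
        for domain, s in summarise_answers(log_text).items()
        if s["min_ttl"] is not None
        and s["min_ttl"] <= max_ttl
        and len(s["nets"]) >= min_networks
    )

if __name__ == "__main__":
    print(suspected_fast_flux(SAMPLE_DNS))
```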
Spyware
It is software which sends information to its creators about a user's activities – typically passwords, credit card numbers and other information that can be sold on the black market. Compromised machines that are located within a corporate network can be worth more to the bot herder, as they can often gain access to confidential information held within that company. There have been several targeted attacks on large corporations with the aim of stealing sensitive information; one such example is the Aurora botnet.
Adware
It exists to advertise some commercial entity actively and without the user's permission or awareness, for example by replacing banner ads on web pages with those of another content provider.
Spamming and Traffic Monitoring
A botnet can also be used to take advantage of an infected computer's SOCKS proxy support for networking applications. After compromising a computer, the botnet commander can use the infected unit (a zombie) in conjunction with other zombies in his botnet (robot network) to harvest email addresses or to send massive amounts of spam or phishing mails.
Moreover, a bot can also function as a packet sniffer to find and intercept sensitive data passing through an infected machine. Typical data that these bots look out for are usernames and passwords which the botnet commander can use for his personal gain. Data about a competitor botnet installed in the same unit is also mined so the botnet commander can hijack this other botnet.
Access number replacements are where the botnet operator replaces the access numbers of a group of dial-up bots to that of a victim's phone number. Given enough bots partake in this attack, the victim is consistently bombarded with phone calls attempting to connect to the internet. Having very little to defend against this attack, most are forced into changing their phone numbers (land line, cell phone, etc.).
Keylogging and Mass Identity Theft
Encryption software on the victims’ units can deter most bots from harvesting any real information. Unfortunately, some bots have adapted to this by installing a keylogger program on the infected machines. With a keylogger program, the bot owner can use a filtering program to gather only the key sequence typed before or after interesting keywords like PayPal or Yahoo mail. This is one of the reasons behind the massive PayPal account theft of the past several years.
Bots can also be used as agents for mass identity theft. They do this through phishing, pretending to be a legitimate company in order to convince the user to submit personal information and passwords. A link in these phishing mails can also lead to fake PayPal, eBay or other websites to trick the user into typing in the username and password.
Botnet Spread
Botnets can also be used to spread other botnets in the network. They do this by convincing the user to download a file, after which the program is executed; delivery is through FTP, HTTP or email.
Pay-Per-Click Systems Abuse
Botnets can be used for financial gain by automating clicks on a pay-per-click system. Compromised units can be used to click automatically on a site upon activation of a browser. For this reason, botnets are also used to earn money from Google’s Adsense and other affiliate programs by using zombies to artificially increase the click counter of an advertisement.
Labels:
Botnet,
Zeus,
Zeus Malware
Anti Sniffer Tools List To Protect You From Sniffing Attacks
As we know, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gains an illegitimate advantage.
So today we are posting some Antisniffer tools to protect you from sniffing attacks.
1. Trafscrambler:
Trafscrambler is a sniffer/IDS LKM (Network Kernel Extension) for OS X. Features:
- SYN decoy - sends out a number of SYN packets before the original SYN packet
- TCP reset attack - sends out RST/FIN packets with a bad sequence number
- Pre-connection SYN - sends out a SYN with a wrong TCP checksum
- Post-connection SYN - sends out a fake SYN after connection establishment
- Zero Window - sends out a packet with a “0” window set
- Injection of packets with bogus data and with a randomly selected bad TCP checksum or bad TCP sequence number
- Userland binary (tsctrl) for controlling the trafscrambler NKE
- Plugged an mbuf leak
Download
2. Sniff joke:
SniffJoke is an application for Linux that transparently handles your TCP connections, delaying and modifying packets and injecting fake packets into your transmission, making them almost impossible to be correctly read by a passive wiretapping technology (IDS or sniffer).
Download
3. Kitty-Litter
It is a small tool that can be configured and installed by all types of users. It protects against data leakage from websites and online accounts.
Download
4. ACiD (ARP Change intrusion Detector)
ACiD is a network monitoring tool that detects anomalies in IP-to-MAC pairs.
ACiD has been designed to expose anomalies that are due to active attacks on the network; for example, it is possible to detect arpspoof-like attacks.
Download
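The anomaly ACiD looks for is simple to state: an IP address that suddenly answers with a different MAC, or one MAC claiming to be several hosts at once, which is what an arpspoof-style attack produces on the segment. The following is an added example in Python, not ACiD's code and not from the original post, that applies both checks to a feed of ARP observations. The observation format (sequence number, IP, MAC) and the sample lines are constructed; in the sample, observation 4 shows a second host's MAC answering for the gateway address.

```python
from collections import defaultdict

# Constructed ARP observations (hypothetical format): "<seq> <ip> <mac>", one line
# per ARP reply seen on the local segment. Observation 4 is the anomaly.
SAMPLE_ARP = """\
1 192.168.1.1 aa:bb:cc:00:00:01
2 192.168.1.10 aa:bb:cc:00:00:10
3 192.168.1.11 aa:bb:cc:00:00:11
4 192.168.1.1 aa:bb:cc:00:00:11
5 192.168.1.10 aa:bb:cc:00:00:10
"""

def detect_arp_anomalies(observations):
    """Return a list of alert strings. The first MAC seen for an IP is treated
    as its legitimate binding; later replies that disagree are reported, as is
    any MAC that ends up claiming more than one IP."""
    known = {}                  # ip -> first MAC observed for it
    claimed = defaultdict(set)  # mac -> set of IPs it has answered for
    alerts = []
    for line in observations.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue            # ignore malformed lines
        seq, ip, mac = parts
        mac = mac.lower()
        if ip in known and known[ip] != mac:
            alerts.append(f"#{seq}: {ip} changed from {known[ip]} to {mac}")
        known.setdefault(ip, mac)
        claimed[mac].add(ip)
        if len(claimed[mac]) > 1:
            alerts.append(f"#{seq}: {mac} now claims {sorted(claimed[mac])}")
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_ARP):
        print(alert)
```

On a network with DHCP, a MAC legitimately moving between addresses over days is normal; in practice the first check is applied to pinned addresses such as the gateway, and the second is the stronger signal because a single host answering for the gateway and for itself is the shape of a man-in-the-middle.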
Friday, November 29, 2013
NVIDIA to Release Overclocking Tools for Linux Gamers
NVIDIA is considering the development and launch of specific gaming tools for Linux fans, which should bring the platform to the same level as Windows.
NVIDIA is providing much better drivers for the Linux platform, especially now that Steam has been launched and a lot of games have started to make an appearance.
The one thing that's missing from Linux is some control over the video graphics card, like overclocking. According to a phoronix.com report, this is about to change.
“Unfortunately, I can’t comment on unannounced features. However, I can tell you that we’re definitely taking Linux gaming serious so we’ll be arming gamers with the tools they need to get the best gaming experience possible. Stay tuned! ;),” said NVIDIA's Sean Pelletier.
This is extremely good news for the gamers who like to make the best of their hardware and for the platform in general, which will get more control over the functionality of the graphics card.
OWASP TOP 10 2013
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
DOWNLOAD LINK: LINK 1
Labels:
E Books
Two PHP.net Servers Hacked, Set Up to Serve Malware
On Thursday, we reported that Google started flagging php.net, the official website of the PHP scripting language, as hosting suspicious content. After analyzing the incident, The PHP Group has determined that two of their servers had been hacked and set up to serve malware.
PHP users are not affected by the breach. However, the passwords of individuals committing code to svn.php.net and git.php.net have been reset.
PHP developers are confident that their Git repository has not been impacted. Currently, it’s unknown how the cybercriminals managed to hack the PHP servers.
It appears that a piece of JavaScript malware was served between October 22 and October 24. However, The PHP Group says that only a small percentage of php.net users are impacted.
What’s interesting about this incident is the fact that, initially, The PHP Group was almost certain that Google’s warning was a false positive.
Additional details on this incident will be made available most likely next week.
Security researchers from Trustwave, Panda Security, Avast, Barracuda Networks and other companies have analyzed the attack. Kaspersky’s Fabio Assolini has identified a malicious iframe pointing to the Magnitude Exploit Kit that had been set up to serve the Tepfer Trojan, a piece of ransomware that’s designed to encrypt files.
Panda’s Bart Blaze has also analyzed some of the payloads served in this attack. In addition to ransomware, he has also identified versions of Fareit, ZeroAccess and ZeuS.
PHP.net compromised
Unless you didn't have any internet access today, you must have heard about the compromise of PHP.net today. An excerpt:
One of the first confirmations that PHP.net was in fact compromised
Google Safe Browsing warning
You can read the full discussion on whether PHP was compromised or not here:
LINK 1
Statements by PHP.net itself:
LINK 2
I think it's pretty clear by now how it (could have) happened: insertion of a malicious (or change of an existing) Javascript file on their website.
Let's start with the first entry of infection, most likely userprefs.js on the main page. Some heavily obfuscated Javascript is present, which redirects to either:
Redirects
Here's a Pastebin link containing the modified userprefs.js: Link 1
After either of those redirects, PluginDetect (which is a legit Javascript library to detect browser plugins) determines your version of Adobe & Java. If you have any of those vulnerable versions installed, you'll get served with several flavors of malware. Your browser will either crash or "hang" for a while.
Interestingly enough, another PluginDetect was also trying to check for vulnerable versions of VLC, SilverLight and Flash.
If you don't have any of these installed, you're possibly being redirected to a website with the text "He took over Russia with a wooden plough, but left it equipped with atomic weapons" (seems to be a letter about Stalin, see here) which contains the following fancy YouTube video:
http://www.youtube.com/watch?v=9Mnmhtr4ThE
Let's move on to the actual payload. Thanks to a blogpost by Barracuda Labs, I was able to download the PCAP file they gathered.
The PCAP file proved to be very interesting. Besides being able to pull the usual malicious Javascript files, I was able to gather some payloads as well, which aren't very friendly to your machine.
The following malware was seen to be downloaded: Fareit, ZeroAccess (GoogleUpdate/Google Desktop variant), Zeus and even ransomware (unknown) in one instance!
Fareit and Zeus/Zbot have been known for going hand in hand for some time now, see here for an earlier blogpost. When executed, you'll either have to pay up a fine (ransomware), get a rootkit (ZeroAccess) or get your information stolen (Fareit & Zeus). An overview of the information that will be stolen:
Your data being stolen
I don't need to mention that this is quite bad. Have you visited PHP.net yesterday or today and saw your browser crash? Did you notice any strange behavior? Yes? No? Either way, perform a scan of your machine right away. We'll get back to that though.
MD5s of samples gathered:
c73134f67fd261dedbc1b685b49d1fa4
406d6001e16e76622d85a92ae3453588
dc0dbf82e756fe110c5fbdd771fe67f5
78a5f0bc44fa387310d6571ed752e217
18f4d13f7670866f96822e4683137dd6
Callbacks:
85.114.128.127
Prevention
Patch your Java & Adobe or uninstall it if you don't need it.
Same goes for their browser plugins or add-ons!
Keep your browser of choice up-to-date.
Install an antivirus and antimalware product and keep it up-to-date & running.
Use NoScript in Firefox or NotScripts in Chrome.
Block the above IP. (either in your firewall or host file)
Disinfection
Perform a full scan with your installed antivirus and a scan with another antivirus or antimalware product. You can check on VirusTotal which antivirus applications already detect this malware.
Conclusion
Every website can be injected with malicious Javascript, even well-known websites!
Received a Google Safe Browsing warning? Don't simply ignore it, either look up if anything's known about that website being hacked or if you're not sure, stay away from it for a while. (best case is to contact the site owner as well.)
Labels:
Java,
Malware,
Zeus,
Zeus Malware
WellsFargo spam serving infostealing malware
Mail from "Georgina Franks"
Some example senders (where it seems to come from):
Evelyn_Piper@wellsfargo.com
Georgina_Franks@wellsfargo.com
Noe_Zavala@wellsfargo.com
As far as I could find, these email addresses do not even exist.
The mail itself is actually coming from the Pushdo botnet. Example IPs:
173.167.205.149 - IPVoid Result
209.181.66.178 - IPVoid Result
All the links in the mail are legit, to convince you that the attachment will be legit as well. When opening the ZIP file (which is named WellsFargo.yourmailprefix), you're presented with what looks like a PDF file, but is in fact an EXE file:
MD5: 47e739106c24fbf52ed3b8fd01dc3668
VirusTotal Report
Anubis Report
Malwr Report
This malware is known as Fareit (or Tepfer). According to Microsoft:
Win32/Fareit is a multiple component malware family that consists of a password stealing component, PWS:Win32/Fareit, that steals sensitive information from the affected user's computer and sends it to a remote attacker, and a Distributed Denial of Service (DDoS) component, DDoS:Win32/Fareit.gen!A, that may be commanded to perform flooding attacks against other servers.
When executed, the file looks for quite a lot of data to steal, as well as phoning home to update its configuration files and download additional malware (Zeus). Below you can find an image of the data (information) it tries to steal:
List of programs it tries to extract username/password from
So besides all this, it additionally downloads Zeus (the payload), which tries to steal banking credentials and others... If you'd think Fareit is enough, guess again! There's a good image made by the FBI how the Zeus 'scheme' or malware works:
Cyber Theft Ring details
The downloaded Zeus files all have a very low detection rate on VirusTotal. Hint: check out the VirusTotal report from the sample above and click on the tab "Behavioural Information". Note the links are live!
Conclusion
Don't open any attachment(s) of unknown senders. In fact, don't even open mail from unknown senders.
Don't be fooled by mail spoofing, you can view the real source by right-clicking your mail and choosing "View Source". (This depends on your mailclient though.)
Don't be fooled by the fancy icons, they are actually EXE files. You can enable an option in Windows so you're always sure of the filetype being used: Enable Viewing of Filename Extensions for Known File Types
Install an antivirus and antimalware product and keep it up-to-date & running.
If you're in an organisation, you might want to block the following IPs (quite a long list):
173.255.213.171
5.199.171.133
50.141.158.229
62.149.131.162
62.149.131.162
69.115.119.227
69.128.126.198
76.226.112.216
76.226.112.216
78.140.131.151
82.211.180.109
89.122.155.200
90.156.118.144
95.241.244.184
107.193.222.108
107.211.213.205
108.233.198.131
108.240.232.212
116.202.222.102
142.136.161.103
173.255.213.171
188.217.207.224
198.118.112.110
211.209.241.213
212.182.121.226
108.254.22.166
108.74.172.39
112.78.142.66
122.178.149.88
173.194.67.105
173.194.67.94
173.201.59.32
173.201.59.32
173.254.68.134
173.254.68.134
178.40.101.100
181.67.50.91
182.68.130.230
184.80.8.18
187.153.52.160
189.254.111.2
190.153.51.122
190.21.64.25
199.30.90.80
199.7.177.218
2.180.24.120
2.230.133.66
200.180.176.65
201.122.96.80
201.245.14.237
201.245.14.237
207.204.5.170
207.204.5.170
216.227.73.207
24.115.24.89
24.120.165.58
41.34.11.17
64.4.10.33:123
65.131.15.62
66.63.204.26
68.162.220.34
69.26.171.181
69.77.132.197
69.92.6.139
71.43.167.82
74.120.9.245
74.125.24.105
74.125.24.94
74.240.17.144
78.100.36.98
78.152.96.70
79.29.227.158
79.52.113.31
81.111.62.181
83.172.126.39
84.59.129.23
84.59.138.75
85.100.41.9
87.29.153.193
87.66.14.62
87.66.14.62
90.189.54.253
91.236.245.22
94.67.83.244
94.67.83.244
95.101.0.104
95.249.114.32
98.103.34.226
98.67.162.178
99.159.193.22
99.36.163.147
99.48.126.246
99.5.234.38
99.98.209.3
Note that these are IPs the malware communicates to. In most cases, they are harmful, but keep in mind some IPs might be legit, as the malware authors want to test for connectivity by connecting to Google for example. So, if you plan to block on IP, be sure to cross-check on IPvoid or DomainTools.
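A list like the one above needs a little cleaning before it goes into a firewall: it contains duplicates, one entry carries a port (64.4.10.33:123, a host:port pair where the rule should match the host), and, as the note says, some addresses may be legitimate connectivity checks that should be reviewed rather than blocked. The following is an added example in Python, not from the original post, that validates and deduplicates such a list, sets aside anything that is not a public address, and emits outbound drop rules, since these are addresses the malware connects to. The short sample list is constructed in the same shape as the post's list; feed the full list to the same function. The iptables syntax used (-A OUTPUT -d <ip> -j DROP) is standard; the chain and action are assumptions to adapt to your firewall.

```python
import ipaddress

# Constructed sample in the same shape as the list above: plain IPs, one
# "ip:port" entry, duplicates, and a malformed line to show the rejection path.
SAMPLE_LIST = """\
173.255.213.171
62.149.131.162
62.149.131.162
64.4.10.33:123
not-an-ip
173.255.213.171
"""

def normalise_blocklist(text):
    """Return (unique public IPs in first-seen order, rejected entries).

    Entries of the form host:port are reduced to the host, because a host
    block list matches on address. Private, loopback and other non-global
    addresses are rejected rather than turned into rules."""
    seen, ordered, rejected = set(), [], []
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry:
            continue
        host = entry.split(":", 1)[0]          # drop ":port" if present
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            rejected.append(entry)             # not an address at all
            continue
        if not ip.is_global:
            rejected.append(entry)             # private/loopback/reserved space
            continue
        if str(ip) not in seen:
            seen.add(str(ip))
            ordered.append(str(ip))
    return ordered, rejected

def iptables_rules(ips, chain="OUTPUT", action="DROP"):
    """Outbound rules: the malware initiates the connections, so block the
    destination. Chain and action are assumptions; adjust for your firewall."""
    return [f"iptables -A {chain} -d {ip} -j {action}" for ip in ips]

if __name__ == "__main__":
    ips, bad = normalise_blocklist(SAMPLE_LIST)
    print("\n".join(iptables_rules(ips)))
    print("rejected:", bad)
```

Whatever comes out of the function still deserves the cross-check the post recommends before deployment, because the script cannot tell a command-and-control server from a connectivity test against a public service.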
Stay safe.
Labels:
Banking Trojan,
Malware,
Spam,
Zeus
Session Hijacking
In computer science, session hijacking, sometimes also known as cookie hijacking is the exploitation of a valid computer session—sometimes also called a session key—to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer (see HTTP cookie theft).
A popular method is using source-routed IP packets. This allows a hacker at point A on the network to participate in a conversation between B and C by encouraging the IP packets to pass through its machine.
If source-routing is turned off, the hacker can use "blind" hijacking, whereby it guesses the responses of the two machines. Thus, the hacker can send a command, but can never see the response. However, a common command would be to set a password allowing access from somewhere else on the net.
A hacker can also be "inline" between B and C using a sniffing program to watch the conversation. This is known as a "man-in-the-middle attack".
HISTORY
HTTP protocol versions 0.8 and 0.9 lacked cookies and other features necessary for session hijacking. Version 0.9beta of Mosaic Netscape, released on October 13, 1994, supported cookies.
Early versions of HTTP 1.0 did have some security weaknesses relating to session hijacking, but they were difficult to exploit due to the vagaries of most early HTTP 1.0 servers and browsers. As HTTP 1.0 has been designated a fallback for HTTP 1.1 since the early 2000s, and as HTTP 1.0 servers are all essentially HTTP 1.1 servers, the session hijacking problem has evolved into a nearly permanent security risk.
The introduction of supercookies and other features with the modernized HTTP 1.1 has allowed for the hijacking problem to become an ongoing security problem. Webserver and browser state machine standardization has contributed to this ongoing security problem.
Methods
There are four main methods used to perpetrate a session hijack. These are:
Session fixation, where the attacker sets a user's session id to one known to him, for example by sending the user an email with a link that contains a particular session id. The attacker now only has to wait until the user logs in.
Session sidejacking, where the attacker uses packet sniffing to read network traffic between two parties to steal the session cookie. Many web sites use SSL encryption for login pages to prevent attackers from seeing the password, but do not use encryption for the rest of the site once authenticated. This allows attackers that can read the network traffic to intercept all the data that is submitted to the server or web pages viewed by the client. Since this data includes the session cookie, it allows the attacker to impersonate the victim, even if the password itself is not compromised. Unsecured Wi-Fi hotspots are particularly vulnerable, as anyone sharing the network will generally be able to read most of the web traffic between other nodes and the access point.
Alternatively, an attacker with physical access can simply attempt to steal the session key by, for example, obtaining the file or memory contents of the appropriate part of either the user's computer or the server.
Cross-site scripting, where the attacker tricks the user's computer into running code which is treated as trustworthy because it appears to belong to the server, allowing the attacker to obtain a copy of the cookie or perform other operations.
Prevention
Methods to prevent session hijacking include:
Encryption of the data traffic passed between the parties, in particular the session key, though ideally all traffic for the entire session, by using SSL/TLS. This technique is widely relied upon by web-based banks and other e-commerce services, because it prevents passive sniffing-style attacks. However, it could still be possible to perform some other kind of session hijack. In response, scientists from Radboud University Nijmegen proposed in 2013 a way to prevent session hijacking by correlating the application session with the SSL/TLS credentials.
Use of a long random number or string as the session key. This reduces the risk that an attacker could simply guess a valid session key through trial and error or brute force attacks.
Regenerating the session id after a successful login. This prevents session fixation because the attacker does not know the session id of the user after s/he has logged in.
Users may also wish to log out of websites whenever they are finished using them. However, this will not protect against attacks such as Firesheep, which steal the cookie while the session is still live.
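The three server-side measures above (a long random id, regeneration after login, server-side logout) in one runnable piece, as an added example that is not code from the page or from any project it names. An in-memory dict stands in for a server-side session table, the attacker-chosen id is constructed, and the cookie attributes (Secure, HttpOnly, SameSite) go a step beyond the text: they close the sidejacking and XSS theft paths the Methods section describes.

```python
import secrets
import time

# Added example, not code from the page or any project it names. An in-memory
# dict stands in for a server-side session table; the cookie name "sid" and
# the attacker-chosen id are constructed for the demonstration.


class SessionStore:
    """Server-side session table keyed by an opaque session id."""

    def __init__(self, id_bytes=32):
        self._sessions = {}
        self._id_bytes = id_bytes

    def new_id(self):
        # 32 bytes from the OS CSPRNG: 256 bits, so guessing a live id by
        # brute force is hopeless (the "long random session key" advice).
        return secrets.token_urlsafe(self._id_bytes)

    def create(self):
        sid = self.new_id()
        self._sessions[sid] = {"user": None, "created": time.time()}
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)

    def login_fixable(self, presented_sid, user):
        """Vulnerable: authenticates whatever id the client presented.

        If the server also accepts ids it never issued (PHP's classic
        session.use_strict_mode=0 behaviour), an attacker who planted the id
        in the victim's browser now owns an authenticated session."""
        sess = self._sessions.setdefault(
            presented_sid, {"user": None, "created": time.time()})
        sess["user"] = user
        return presented_sid

    def login_regenerating(self, presented_sid, user):
        """Hardened: drop the pre-authentication id and issue a fresh one,
        so any id the attacker knew is dead after login."""
        self._sessions.pop(presented_sid, None)
        new_sid = self.create()
        self._sessions[new_sid]["user"] = user
        return new_sid

    def logout(self, sid):
        # Server-side invalidation; a cookie that merely expires in the browser
        # would leave a sniffed copy usable until the server forgets it.
        self._sessions.pop(sid, None)


def session_cookie(sid):
    """Cookie attributes that close the sidejacking and XSS theft paths:
    Secure keeps it off plaintext HTTP, HttpOnly keeps it from script."""
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def fixation_outcome():
    """Replay the fixation attack against both login paths.

    Returns (vulnerable_hijacked, hardened_hijacked): whether the attacker's
    pre-chosen id resolves to the victim's authenticated session."""
    attacker_sid = "id-chosen-by-attacker"   # e.g. delivered in a crafted link

    weak = SessionStore()
    weak.login_fixable(attacker_sid, "alice")
    vulnerable_hijacked = (weak.lookup(attacker_sid) or {}).get("user") == "alice"

    strong = SessionStore()
    strong.login_regenerating(attacker_sid, "alice")
    hardened_hijacked = strong.lookup(attacker_sid) is not None
    return vulnerable_hijacked, hardened_hijacked


if __name__ == "__main__":
    print("fixation succeeds on (vulnerable, hardened) path:", fixation_outcome())
    print("Set-Cookie:", session_cookie(SessionStore().create()))
```

The regenerating path is the only one that defeats fixation; the random id alone does not help when the server accepts ids it never issued. Logout here deletes the server-side entry, which is what actually ends a sidejacked session; clearing the cookie in the browser does nothing for a copy the attacker already holds.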
Firesheep
WhatsApp sniffer
DroidSheep
CookieCadger
Labels:
Session
MAN-IN-THE-MIDDLE ATTACK
As discussed earlier, IPSec does not provide protection for protocols other than IP, leaving other protocols unprotected and vulnerable to attacks. One such attack uses the Address Resolution Protocol (ARP) to fool a client into sending data to a malicious peer. An attacker could launch a man-in-the-middle (MITM) attack by using forged ARP messages to insert a rogue entity into the data path.
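Forged ARP replies leave two traces a passive sniffer on the same segment can see: an IP whose claimed MAC changes, and one MAC answering for several IPs. The detector below is an added example (not from the page); the ARP records, addresses and the trusted binding table are constructed.

```python
from collections import defaultdict

# Added example, not from the page. Records below are constructed to look like
# what a passive sniffer on the segment would see in ARP replies:
# (time, sender IP, sender MAC). All addresses are invented.
SAMPLE_ARP_REPLIES = [
    ("10:00:01", "192.168.1.1", "00:11:22:33:44:55"),   # gateway, legitimate
    ("10:00:02", "192.168.1.10", "aa:bb:cc:dd:ee:01"),  # a client
    ("10:00:03", "192.168.1.1", "00:11:22:33:44:55"),
    ("10:00:07", "192.168.1.1", "DE:AD:BE:EF:00:01"),   # gateway IP claimed by a new MAC
    ("10:00:08", "192.168.1.10", "de:ad:be:ef:00:01"),  # same MAC now also claims the client
]

# Constructed trusted binding, e.g. taken from the switch's MAC table or DHCP leases.
TRUSTED_BINDINGS = {"192.168.1.1": "00:11:22:33:44:55"}


def detect_arp_spoofing(replies, trusted=None):
    """Flag the two signatures of ARP-based MITM: an IP whose MAC changes
    (or contradicts a trusted binding), and one MAC answering for several IPs.

    Returns a list of alert dicts in detection order."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    first_seen = {}
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in trusted and trusted[ip] != mac:
            alerts.append({"time": ts, "ip": ip, "reason": "contradicts trusted binding",
                           "expected": trusted[ip], "seen": mac})
            continue
        prev = first_seen.setdefault(ip, mac)
        if prev != mac:
            alerts.append({"time": ts, "ip": ip, "reason": "binding changed",
                           "expected": prev, "seen": mac})
    # A rogue host relaying for both ends answers ARP for both IPs.
    ips_by_mac = defaultdict(set)
    for _, ip, mac in replies:
        ips_by_mac[mac.lower()].add(ip)
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            alerts.append({"time": replies[-1][0], "mac": mac,
                           "reason": "one MAC claims several IPs", "ips": sorted(ips)})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES, TRUSTED_BINDINGS):
        print(alert)
```

The "several IPs" rule needs an allow-list in practice: a router holding secondary addresses, or a VRRP/HSRP virtual address, legitimately answers for more than one IP. The binding-change rule is the reliable one, and the fix on the host side is a static ARP entry for the gateway (on Linux, ip neigh with nud permanent) so forged replies are ignored.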
Labels:
Tutorial
Developing Backbone.js Applications
If you want to build your site’s frontend with the single-page application (SPA) model, this hands-on book shows you how to get the job done with Backbone.js. You’ll learn how to create structured JavaScript applications, using Backbone’s own flavor of model-view-controller (MVC) architecture.
Start with the basics of MVC, SPA, and Backbone, then get your hands dirty building sample applications—a simple Todo list app, a RESTful book library app, and a modular app with Backbone and RequireJS. Author Addy Osmani, an engineer for Google’s Chrome team, also demonstrates advanced uses of the framework.
Learn how Backbone.js brings MVC benefits to the client-side
Write code that can be easily read, structured, and extended
Work with the Backbone.Marionette and Thorax extension frameworks
Solve common problems you’ll encounter when using Backbone.js
Organize your code into modules with AMD and RequireJS
Paginate data for your Collections with the Backbone.Paginator plugin
Bootstrap a new Backbone.js application with boilerplate code
Use Backbone with jQuery Mobile and resolve routing problems between the two
Unit-test your Backbone apps with Jasmine, QUnit, and SinonJS
DOWNLOAD LINK: LINK 1
Labels:
E Books
Play Your Favorite Windows Games with PlayOnLinux 4.2.1
PlayOnLinux, a software based on Wine (Wine is not an emulator) which allows users to easily install and use numerous games and apps designed to run with Microsoft Windows, has reached version 4.2.1.
The PlayOnLinux updates are a little too far in between but, given the fact that the software is based on Wine, which is updated regularly, they are not all that important. Nonetheless, you should upgrade to the latest version.
According to the changelog, when removing shortcuts or virtual drives from the Configure window, the desktop icons, menu entries, etc. are now also removed.
Also, the Python's VersionLower has been fixed, and a huge problem in bug reporting introduced in 4.2 has been corrected.
A complete list of new features and changes can be found in the official changelog, which is inside the source archive.
Download PlayOnLinux 4.2.1 : LINK 1
Thursday, November 28, 2013
Sqlmap: Automatic SQL injection attack tool
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
Features :
* Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
* Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query, stacked queries and out-of-band.
* Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
* Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
* Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
* Support to dump database tables entirely, a range of entries or specific columns as per user's choice. The user can also choose to dump only a range of characters from each column's entry.
* Support to search for specific database names, specific tables across all databases or specific columns across all databases' tables.
* This is useful, for instance, to identify tables containing custom application credentials where the relevant columns' names contain strings like "name" and "pass".
* Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
* Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
* Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system.
* This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user's choice.
*Support for database process' user privilege escalation via Metasploit's Meterpreter getsystem command.
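What "boolean-based blind" in the feature list means in practice, as an added example that is not sqlmap's code: the injectable query returns no data, only a yes/no difference in the response, and the attacker still reads the database one character at a time. The SQLite table, its rows and the "admin" account are constructed; the binary search over unicode(substr(...)) is the same idea sqlmap's engine uses to keep the query count down.

```python
import sqlite3

# Added example illustrating the boolean-based blind technique sqlmap
# automates; it is not sqlmap's code. The table, rows and the "admin" account
# are constructed for the demonstration.


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users (name, pass) VALUES (?, ?)",
                     [("admin", "s3cr3t"), ("guest", "guest")])
    return conn


def vulnerable_user_exists(conn, username):
    """Deliberately injectable: the username is concatenated into the SQL.
    The page only says whether the user exists, which is the boolean oracle."""
    sql = "SELECT id FROM users WHERE name = '" + username + "'"
    return conn.execute(sql).fetchone() is not None


def safe_user_exists(conn, username):
    """Same query with a bound parameter: the input can never become SQL."""
    sql = "SELECT id FROM users WHERE name = ?"
    return conn.execute(sql, (username,)).fetchone() is not None


def blind_extract(oracle, subquery, max_len=64):
    """Recover the string a scalar subquery returns using only a TRUE/FALSE oracle.

    Each character is found by binary search over printable ASCII on
    unicode(substr(...)): about 7 queries per character instead of ~95.
    Returns (recovered_string, number_of_queries)."""
    recovered = ""
    queries = 0
    for pos in range(1, max_len + 1):
        queries += 1
        # stop when the string has no character at this position
        if not oracle(f"admin' AND length(({subquery})) >= {pos} -- "):
            break
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            queries += 1
            if oracle(f"admin' AND unicode(substr(({subquery}), {pos}, 1)) > {mid} -- "):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered, queries


def demo():
    """Extract admin's password through the oracle; returns (password, queries, blocked)."""
    conn = build_db()

    def oracle(payload):
        return vulnerable_user_exists(conn, payload)

    password, n = blind_extract(oracle, "SELECT pass FROM users WHERE name = 'admin'")
    # the parameterised lookup treats the same payload as a literal, nonexistent username
    blocked = not safe_user_exists(conn, "admin' OR '1'='1")
    return password, n, blocked


if __name__ == "__main__":
    print("recovered=%s queries=%d parameterised-lookup-blocked=%s" % demo())
```

Roughly 50 requests recover a six-character secret here; a real target adds latency, rate limits and a WAF, which is where sqlmap's tamper scripts and threading come in. The parameterised version is the fix: the payload becomes a username that does not exist, and the oracle disappears.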
Video Demo:
ACCESS DENIED: THE PRACTICE AND POLICY OF GLOBAL INTERNET FILTERING
Many countries around the world block or filter Internet content, denying access to information that they deem too sensitive for ordinary citizens, most often about politics, but sometimes relating to sexuality, culture, or religion. Access Denied documents and analyzes Internet filtering practices in more than three dozen countries, offering the first rigorously conducted study of an accelerating trend. Internet filtering takes place in more than three dozen states worldwide, including many countries in Asia, the Middle East, and North Africa. Related Internet content-control mechanisms are also in place in Canada, the United States and a cluster of countries in Europe. Drawing on a just-completed survey of global Internet filtering undertaken by the OpenNet Initiative (a collaboration of the Berkman Center for Internet and Society at Harvard Law School, the Citizen Lab at the University of Toronto, the Oxford Internet Institute at Oxford University, and the University of Cambridge) and relying on work by regional experts and an extensive network of researchers, Access Denied examines the political, legal, social, and cultural contexts of Internet filtering in these states from a variety of perspectives. Chapters discuss the mechanisms and politics of Internet filtering, the strengths and limitations of the technology that powers it, the relevance of international law, ethical considerations for corporations that supply states with the tools for blocking and filtering, and the implications of Internet filtering for activist communities that increasingly rely on Internet technologies for communicating their missions. Reports on Internet content regulation in forty different countries follow, with each two-page country profile outlining the types of content blocked by category and documenting key findings.
Contributors: Ross Anderson, Malcolm Birdling, Ronald Deibert, Robert Faris, Vesselina Haralampieva [as per Rob Faris], Steven Murdoch, Helmi Noman, John Palfrey, Rafal Rohozinski, Mary Rundle, Nart Villeneuve, Stephanie Wang, Jonathan Zittrain
DOWNLOAD LINK: LINK 1
Labels:
E Books
Termineter : smart meter testing framework
Termineter is a framework written in python to provide a platform for the security testing of smart meters. It implements the C12.18 and C12.19 protocols for communication. Currently supported are Meters using C12.19 with 7-bit character sets. Termineter communicates with Smart Meters via a connection using an ANSI type-2 optical probe with a serial interface.
Basic Steps
Below is a summary of the basic steps to get started with Termineter after the environment has been configured.
* Connect the optical probe to the smart meter and start termineter
* Configure the connection options. On Windows, this would be something like COM1 and on Linux something like /dev/ttyS0. Check Configuring the Connection for more details.
* Use the connect command, this will also check that the meter is responding.
Will Termineter integrate with Metasploit?
No, Termineter will not integrate with Metasploit. Because of the highly specialized nature of the application there is no need to integrate with Metasploit at this time.
Will Termineter work with Non-ANSI Meters?
No, Termineter will only support meters that conform to the ANSI standards, specifically ones that support C12.18 and C12.19.
Can Termineter read how much power is being used?
Technically, yes if the tables can be accessed. The information would however be raw and unparsed. Because Termineter was designed with a focus on the need for a security orientated tool, most consumer-related features have not been fully developed. This may change at a later point in time as development continues.
Download Termineter : LINK 1
Chapcrack: A tool for cracking MS-CHAPv2 network handshakes
Chapcrack is a tool for parsing and decrypting MS-CHAPv2 network handshakes. To use it, you need a packet capture containing an MS-CHAPv2 handshake. Chapcrack parses the credential material out of the handshake and produces a token for CloudCracker, which returns the cracked hash; Chapcrack then uses that hash to decrypt the capture. What comes back is the user's NT hash (the MD4 of the password), which is all MS-CHAPv2 needs to authenticate as the user.
The resulting file (the "token") is submitted to CloudCracker, an online password cracking service for penetration testers and network auditors, which returns the cracked MD4 hash in under a day. For each handshake, chapcrack outputs the username, the known plaintext and the two known ciphertexts, and cracks the third DES key itself: only two bytes of the zero-padded hash feed that key, so it has just 2^16 possibilities. CloudCracker forwards the remaining work to a Pico Computing DES cracking box built on FPGAs that implement DES as a real pipeline, one DES operation per clock cycle. With 40 cores at 450 MHz, that is 18 billion keys per second.
The recovered hash is fed back into chapcrack and the entire network capture is decrypted. Alternatively, the hash can be used to log in to the user's VPN service or WPA2 Enterprise RADIUS server. All of this is possible only because of the weak protocol design: the MD4 hash of the user's password is sufficient both to authenticate as the user and to decrypt any of their traffic.
How to use chapcrack?
* Obtain a packet capture with an MS-CHAPv2 network handshake in it (PPTP VPN or WPA2 Enterprise handshake, for instance).
* Use chapcrack to parse relevant credentials from the handshake (chapcrack parse -i path/to/capture.cap).
* Submit the CloudCracker token to www.cloudcracker.com
* Get your results, and decrypt the packet capture (chapcrack decrypt -i path/to/capture.cap -o output.cap -n )
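Where the "two known ciphertexts" and the cheap third key come from, as an added example that reproduces the MS-CHAPv2 key schedule from RFC 2759; it is not chapcrack's code. The 16-byte NT hash is a constructed sample (the MD4 step that derives it from the password is omitted because many OpenSSL builds no longer ship MD4), and the challenge values and username are invented.

```python
import hashlib

# Added example, not chapcrack's code. It reproduces the MS-CHAPv2 key
# schedule (RFC 2759) to show where the weakness described above comes from.
# The 16-byte NT hash below is a constructed sample; the MD4 step that
# produces it from the password is omitted because many OpenSSL builds no
# longer ship MD4.
SAMPLE_NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")


def challenge_hash(peer_challenge, authenticator_challenge, username):
    """RFC 2759 ChallengeHash: SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8].
    Both challenges and the username are in the capture, so this 8-byte
    plaintext is known to the attacker."""
    data = peer_challenge + authenticator_challenge + username.encode("ascii")
    return hashlib.sha1(data).digest()[:8]


def expand_des_key(key7):
    """Spread 56 key bits over 8 bytes, leaving bit 0 of each byte for odd parity."""
    k = key7
    out = bytearray([
        k[0] & 0xFE,
        ((k[0] << 7) | (k[1] >> 1)) & 0xFE,
        ((k[1] << 6) | (k[2] >> 2)) & 0xFE,
        ((k[2] << 5) | (k[3] >> 3)) & 0xFE,
        ((k[3] << 4) | (k[4] >> 4)) & 0xFE,
        ((k[4] << 3) | (k[5] >> 5)) & 0xFE,
        ((k[5] << 2) | (k[6] >> 6)) & 0xFE,
        (k[6] << 1) & 0xFE,
    ])
    for i, b in enumerate(out):
        if bin(b).count("1") % 2 == 0:   # make each byte's parity odd
            out[i] = b | 1
    return bytes(out)


def nt_response_keys(nt_hash):
    """The 16-byte NT hash is padded with 5 zero bytes to 21 and cut into
    three 7-byte DES keys; NT-Response = DES(k1,ch) || DES(k2,ch) || DES(k3,ch).
    The third key is two real bytes plus zeros."""
    padded = nt_hash + b"\x00" * 5
    return [expand_des_key(padded[i:i + 7]) for i in (0, 7, 14)]


def has_odd_parity(key):
    return all(bin(b).count("1") % 2 == 1 for b in key)


def effective_key_bits(hash_len=16, key_len=7, nkeys=3):
    """Bits of real hash material behind each DES key: the zero padding
    contributes nothing, so the third key has 16 bits to search, not 56.
    Keys 1 and 2 encrypt the same plaintext, so one pass over 2**56
    candidates tests both of them against their ciphertexts at once."""
    return [max(0, min(key_len, hash_len - i * key_len)) * 8 for i in range(nkeys)]


if __name__ == "__main__":
    ch = challenge_hash(b"P" * 16, b"A" * 16, "alice")   # constructed capture values
    for n, key in enumerate(nt_response_keys(SAMPLE_NT_HASH), 1):
        print(f"DES key {n}: {key.hex()}  parity ok: {has_odd_parity(key)}")
    print("known plaintext:", ch.hex(), "search bits per key:", effective_key_bits())
```

Keys 1 and 2 together hold the first 14 bytes of the NT hash, key 3 the last 2; once key 3 is brute-forced locally (65536 DES operations) and keys 1 and 2 come back from the DES cracker, the attacker has the complete NT hash and never needs the password itself.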
Download chapcrack : LINK 1
AntiDef Defacement Protector V-1.0 - Anti defacement command line tool
AntiDef is developed by Nir Valtman to handle defacement attacks. The tool is written in Java in a quick-and-dirty manner; however, it works.
How AntiDef works?
AntiDef compares two directory paths: the web application and its backup folder. It hashes (MD5, chosen for performance) each file in the folders and then computes a final hash over all the file hashes. The final hashes of the source and the destination are compared; if they differ, a defacement has been found. In that case only the defaced files are moved (by default) to a pre-defined "Defaced" folder and replaced by the legitimate backup files. The "Defaced" folder then contains the malicious files, a timestamp of the defacement and a log.
AntiDef compares the two paths every 60 seconds by default, but the interval can be configured.
The full manual is displayed by running the tool without parameters, i.e.
java -jar AntiDef.jar
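The compare-quarantine-restore loop described above, as an added example in Python that is not AntiDef's code. It uses SHA-256 where AntiDef picks MD5 for speed; the directory names and file contents built in demo() are constructed.

```python
import hashlib
import os
import shutil
import tempfile
import time

# Added example of the compare-quarantine-restore loop described above; it is
# not AntiDef's code. SHA-256 is used where AntiDef chooses MD5 for speed; the
# directory names and file contents in demo() are constructed.


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """relative path -> digest for every regular file below root."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            digests[os.path.relpath(full, root)] = hash_file(full)
    return digests


def tree_digest(digests):
    """One hash over the sorted (path, digest) pairs: the 'final hash' of the tree."""
    h = hashlib.sha256()
    for rel in sorted(digests):
        h.update(rel.encode("utf-8") + b"\0" + digests[rel].encode("ascii") + b"\n")
    return h.hexdigest()


def check_and_restore(webroot, backup, quarantine):
    """Compare webroot with backup; move every differing or added file to a
    timestamped quarantine folder, put the backup copy back, and log it.
    Returns the sorted list of affected relative paths (empty if clean)."""
    live, ref = hash_tree(webroot), hash_tree(backup)
    if tree_digest(live) == tree_digest(ref):
        return []
    qdir = os.path.join(quarantine, time.strftime("%Y%m%d-%H%M%S"))
    os.makedirs(qdir, exist_ok=True)
    affected = []
    for rel in sorted(set(live) | set(ref)):
        if live.get(rel) == ref.get(rel):
            continue
        affected.append(rel)
        live_path = os.path.join(webroot, rel)
        if rel in live:                       # modified or dropped-in file: keep it for forensics
            dst = os.path.join(qdir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.move(live_path, dst)
        if rel in ref:                        # restore the legitimate copy
            os.makedirs(os.path.dirname(live_path), exist_ok=True)
            shutil.copy2(os.path.join(backup, rel), live_path)
    with open(os.path.join(qdir, "defacement.log"), "a", encoding="utf-8") as log:
        stamp = time.strftime("%Y-%m-%d %H:%M:%S")
        for rel in affected:
            log.write(f"{stamp} {rel} live={live.get(rel)} backup={ref.get(rel)}\n")
    return affected


def demo():
    """Build a backup, a defaced live copy, run one check; returns (affected, clean_after)."""
    base = tempfile.mkdtemp()
    backup, webroot, quarantine = (os.path.join(base, d) for d in ("backup", "www", "defaced"))
    os.makedirs(os.path.join(backup, "css"))
    with open(os.path.join(backup, "index.html"), "w") as f:
        f.write("<h1>Welcome</h1>")
    with open(os.path.join(backup, "css", "style.css"), "w") as f:
        f.write("body { margin: 0 }")
    shutil.copytree(backup, webroot)
    # constructed defacement: one page overwritten, one file dropped in
    with open(os.path.join(webroot, "index.html"), "w") as f:
        f.write("<h1>Defaced</h1>")
    with open(os.path.join(webroot, "dropped.php"), "w") as f:
        f.write("<?php /* constructed dropped file */ ?>")
    affected = check_and_restore(webroot, backup, quarantine)
    clean_after = tree_digest(hash_tree(webroot)) == tree_digest(hash_tree(backup))
    shutil.rmtree(base)
    return affected, clean_after


if __name__ == "__main__":
    print(demo())
```

Two operational points the page does not spell out: the backup tree must not be writable by the account the web server runs as, or the attacker simply defaces both copies; and a polling interval of 60 seconds is a 60-second window in which the defaced page is served, so the quarantine log matters as much as the restore.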
Download AntiDef : LINK 1
WAppEx : Web Application Exploiter
WAppEx is an integrated platform for performing penetration testing and exploitation of web applications on Windows or Linux. It can automatically check for all types of security vulnerabilities in the given target and then lets you run various payloads to exploit and take advantage of the vulnerability.
WAppEx is a multi-platform application and is executable on Linux and Windows.
WAppEx's database, which includes hundreds of exploits, provides an automated, comprehensive and reliable exploit set for penetration testers and security professionals worldwide.
Regular database updates are available. Top priorities are high-risk and zero-day vulnerabilities.
The payloads used in exploits are reliable payloads including connect-back, listener shell, arbitrary code execution, arbitrary file upload and more.
WAppEx's script-based engine lets experienced users write their own scripts and payloads to test and exploit any vulnerability in web applications.
Software and vulnerability updates are available at any time, and daily support is available via phone or email.
WAppEx can exploit the following web application vulnerabilities:
SQL Injection:
The most dangerous vulnerability in web applications. WAppEx uses the Havij (Advanced SQL Injection Tool) engine to find and exploit this vulnerability.
Remote File Inclusion:
It allows an attacker to include a remote file. WAppEx can check for this vulnerability and run various payloads to execute commands on the web server.
Local File Inclusion:
It allows an attacker to include a local file. Just like RFI, WAppEx tests and exploits this vulnerability.
OS Commanding:
It lets the attacker execute OS commands on the server. WAppEx tests and exploits this vulnerability, executing custom commands to get a reverse shell.
Script injection:
It can be used by an attacker to introduce (or "inject") script into a web application. WAppEx automatically tests and exploits this vulnerability to escalate access to the web server and get a reverse shell.
Local File Disclosure:
As the name says, it discloses the contents of local files on the web server. WAppEx can exploit this vulnerability to read sensitive files on the server.
WAppEx contains the following tools to help you in penetration testing and exploiting web apps.
* Online Hash Cracker: A tool for cracking hashes using the reverse lookup in online sites.
* Encoder/Decoder: An encoder/decoder with a complete set of encoding and encryption algorithms.
* Find Login Page: It looks for login pages on a target.
* Browser: A small browser you can use to view source code and HTTP headers.
WAppEx is easy to use and flexible. Whether you are a beginner or a professional, WAppEx makes your work easier, faster and more effective.
Download : LINK 1
Hash Code Cracker v 1.2.1
This password cracker was written in Java and is intended for Pen Testers and Security Professionals.
Features:
* This software will crack MD5, SHA, NTLM (Windows password) and Cisco type 7 hashes (type 7 is a reversible encoding rather than a true hash, so it is decoded rather than cracked).
* No need to install.
* Supports All platforms.
* Online Cracking option is available(can search the hash in multiple sites)
How to run the software?
Download the HashCodeCrackerv121.jar file. Method 1: double-click the jar file; it will run automatically with the JRE. Method 2: open a terminal, navigate to the jar file's directory and run "java -jar HashCodeCrackerv121.jar".
Download it from Here : LINK 1
Labels:
BTS,
Cracking Tools,
Tools
Automated Browser-in-The-Middle attack tool
- uses ettercap to launch a man-in-the-middle attack
- ettercap modifies traffic so that malicious JavaScript or iframes are added
- the victim's browser is redirected to the attacker's web server
- the web server runs the msf autopwn module or the BeEF framework to launch browser exploits or other browser-related attacks
Download : LINK 1
Satori 0.7.4 released : Passive OS fingerprinting TOol
Download it from here : LINK 1
NinjaWPass for WordPress: protect WordPress login form against keyloggers and stolen passwords
NinjaWPass is a free WordPress plugin written to protect your blog administration console. It makes it very hard for an attacker who has stolen your password to log in to your console.
The way it works is simple but effective, and the same scheme is used by some large banking corporations to protect their customers' online accounts.
All you need to do is to define a second password (AKA the NinjaWPass password) from 10 to 30 characters.
At the WordPress login prompt, besides your current password, you will be asked to enter 3 randomly chosen characters from your NinjaWPass password. Whether your computer is infected by a keylogger or someone is spying over your shoulder, this protection will keep them away.
Additionally, the plugin offers the possibility to receive an alert by email whenever someone logs into your WordPress admin interface.
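The partial-password challenge described above, as an added example that is not the plugin's code: the server picks three positions, the user types only those characters, and a keylogger that captures one login learns three characters rather than the whole secret. The ten-character secret and the positions are constructed.

```python
import hmac
import secrets

# Added example of the partial-password challenge described above; it is not
# the plugin's code. The secret and the challenged positions are constructed.
SECRET = "k9Qw3Lp7Rz"   # constructed NinjaWPass-style second password


def make_challenge(secret_len, count=3, rng=None):
    """Pick `count` distinct positions (1-based, as shown to the user) at random."""
    if count > secret_len:
        raise ValueError("cannot ask for more characters than the secret has")
    rng = rng or secrets.SystemRandom()
    return sorted(rng.sample(range(1, secret_len + 1), count))


def verify_partial(secret, positions, answer):
    """Check the characters the user typed for the challenged positions.

    Trade-off of the scheme: the server must hold the secret in recoverable
    form (encrypted at rest, not a one-way hash), because it has to look up
    arbitrary positions on every login."""
    if len(answer) != len(positions):
        return False
    expected = "".join(secret[p - 1] for p in positions)
    # constant-time compare so response timing does not leak which char was wrong
    return hmac.compare_digest(expected.encode("utf-8"), answer.encode("utf-8"))


def keylogger_knowledge(secret_len, observed_logins, count=3, rng=None):
    """Positions an attacker learns after capturing `observed_logins` successful
    logins (each one reveals `count` characters). One capture of a 10-character
    secret leaks 3 positions; repeated captures leak most of it, which is why
    the scheme raises the bar rather than removing the risk."""
    rng = rng or secrets.SystemRandom()
    known = set()
    for _ in range(observed_logins):
        known.update(make_challenge(secret_len, count, rng))
    return known


if __name__ == "__main__":
    positions = make_challenge(len(SECRET))
    answer = "".join(SECRET[p - 1] for p in positions)   # what the legitimate user types
    print("challenge", positions, "-> accepted:", verify_partial(SECRET, positions, answer))
    # the same captured answer replayed against a fresh challenge almost always fails
    print("replay against", [1, 4, 7], "->", verify_partial(SECRET, [1, 4, 7], answer))
    print("positions leaked after 5 observed logins:", sorted(keylogger_knowledge(10, 5)))
```

A captured answer is only useful if the next challenge repeats the same positions, which with three out of ten happens once in 120 logins; an attacker who can keep logging keystrokes across many logins still reconstructs the secret, so the e-mail alert on admin logins is the other half of the defence.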
Installation :
NinjaWPass can be installed just like any other WP plugins.
1) Download the plugin to your local computer
2) Log into your WordPress admin console and click on the 'Plugins' menu, then 'Add New' submenu and select 'Upload'.
3) Upload the zip file; the plugin will be installed automatically.
4) Click on the 'Plugins' menu again, then 'Installed Plugins' submenu and activate NinjaWPass.
5) Click on its 'Settings' link and setup your new password.
Afterward, simply log out of WordPress and you will see NinjaWPass nicely integrated into the login form.
Download NinjaWPass : LINK 1
GUI for sqlmap : Automated Sql Injection tool
Sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
Download : LINK 1
Burp Suite, a tool for performing security testing of web applications
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.
Burp Suite contains the following key components:
* An intercepting proxy, which lets you inspect and modify traffic between your browser and the target application.
* An application-aware spider, for crawling content and functionality.
* An advanced web application scanner, for automating the detection of numerous types of vulnerability.
* An intruder tool, for performing powerful customized attacks to find and exploit unusual vulnerabilities.
* A repeater tool, for manipulating and resending individual requests.
* A sequencer tool, for testing the randomness of session tokens.
* The ability to save your work and resume working later.
* Extensibility, allowing you to easily write your own plugins, to perform complex and highly customized tasks within Burp.
Burp is easy to use and intuitive, allowing new users to begin working right away. Burp is also highly configurable, and contains numerous powerful features to assist the most experienced testers with their work.
Download Burp Suite : LINK 1