Posts Tagged hacking

Hell Pizza’s Customer Database Hacked

According to Risky.Biz, an online database belonging to a pizza store chain has been compromised. It contains no credit card numbers, but it holds about 400MB of customer information.

The chain currently has stores in New Zealand, England, Australia and Ireland. The customer data matters here: if an attacker gains access to it (full names, addresses, phone numbers, e-mail addresses, passwords and order history), the e-mail addresses and phone numbers can be added to spam lists and used in further attacks, and the records themselves can be lost.

One source Risky.Biz spoke to says they looked into the security of the website when rumours of the breach started doing the rounds:

Immediately I spotted the SQL Queries being made by the Flash SWF as part of the query string to the server-side. The Flash client makes queries which are hard-coded in the .swf (this is dumb as it means SQL Injection is effectively a ‘feature’ of the store).

You could easily alter the query string to show the hashes stored in the MySQL users table. I figured out the version of MySQL was 4.0 (Debian Sarge) – and the hashes in this version are very weak, cracking them would take less than a couple of hours.

MySQL was listening on a remote port, so one could simply log in remotely and run queries or dump the database slowly so as to not be noticed.

Security researcher and Metasploit creator H D Moore described the security arrangements of the online ordering portal, as described above, as “about 50 steps of fail”.

Another penetration tester says the Hell Pizza database is an excellent example of “non critical” information that could still be used by attackers for great benefit.

Hell Pizza has now been urged to notify all customers about the breach so they can take security measures regarding their credentials.
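The source's point is that the client itself supplied the SQL text, so injection was a feature rather than a bug. As an added illustration, not code from the Hell Pizza site or from Risky.Biz, the Python below builds a constructed in-memory customer table and shows a query assembled from client-controlled text beside the parameterized version, plus a simple request-parameter check of the kind a WAF would apply. SQLite stands in for MySQL, and all names, e-mail addresses and hash values are constructed.

```python
import sqlite3

# Constructed sample rows standing in for the customer table the post describes;
# none of this is real customer data.
SAMPLE_CUSTOMERS = [
    ("alice", "alice@example.test", "constructed-hash-1"),
    ("bob", "bob@example.test", "constructed-hash-2"),
    ("carol", "carol@example.test", "constructed-hash-3"),
]


def build_store():
    """Create an in-memory database holding the constructed customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, customer_name):
    """The design the post criticises, in miniature: the WHERE clause is
    assembled from text the client controls, so the client controls the query."""
    sql = f"SELECT name, email FROM customers WHERE name = '{customer_name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, customer_name):
    """Hardened form: the input is bound as a value and never parsed as SQL,
    so the same string that widened the query above matches nothing."""
    return conn.execute(
        "SELECT name, email FROM customers WHERE name = ?", (customer_name,)
    ).fetchall()


def looks_like_sql(value):
    """A simple WAF-style check an operator can apply to request parameters.
    It flags quote characters and SQL comment/keyword tokens, so it will also
    flag legitimate values such as O'Connor; it complements, and never
    replaces, parameterized queries on the server."""
    padded = f" {value.lower()} "
    markers = ("'", '"', "--", ";", " or ", " union ", "/*")
    return any(marker in padded for marker in markers)


if __name__ == "__main__":
    db = build_store()
    probe = "x' OR '1'='1"
    print("vulnerable rows:", len(lookup_vulnerable(db, probe)))
    print("parameterized rows:", len(lookup_parameterized(db, probe)))
    print("flagged by check:", looks_like_sql(probe))
```

The vulnerable lookup returns every row for the probe string because the quote closes the literal and the rest becomes part of the query, while the parameterized lookup returns nothing; the request check only narrows the window and should sit in front of, not instead of, the parameterized version.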

make sure you subscribe to my RSS feed!


Spreading Ghosts Attacks

Leonardo da Vinci is widely considered to be one of the greatest painters of all time, and perhaps the most diversely talented person ever to have lived. Leonardo said that there are three types of people one may encounter: “Those who see. Those who see when they are shown. Those who do not see.”

But here I want to add a class of people who see even if they are prevented – we are talking about the Hacker class.

One of the first things an attacker will do to compromise a remote system is use a backdoor. I am referring to a ghost: a piece of software which, once run, gives an attacker access to the remote system and lets them collect all activity on the targeted machine.

USBsploit is a tool, still in beta, created by an infosec researcher who owns the popular portal Secubs. It makes generating backdoors a matter of a few steps for anyone.

First, choose the right distribution: BackTrack/Debian or Ubuntu with the original Metasploit dependencies. Then follow the clear and easy steps given on the official website.

When you run USBsploit you will find a menu listing the actions you can perform:

1. Create a Backdoor

2. Create a Backdoor and launch a Listener only for the USB Dump attack

3. Launch a Listener for the USB Dump attack from the last Dump configuration file

4. Update the USBsploit Framework

5. Edit the last Dump configuration file (needs vi)

6. Edit the global options (needs vi)

7. Edit the file extensions set to dump (needs vi)

If you choose to create a backdoor you will be asked for the IP address of the listener, which by default is detected as the local machine's IP.

Next you will be asked to select the kind of backdoor you want to deploy, depending on the victim's operating system:

1. Windows Meterpreter Reverse_TCP Spawn a shell on victim and send back to attacker.
2. Windows Meterpreter Reverse_TCP X64 Connect back to the attacker (Windows x64)
3. Windows Meterpreter Egress Buster Spawn a shell and find a port home via multiple ports

Next comes an important step: choosing the kind of encoding used to try to bypass weak antivirus products.

Select one of the options below; Backdoored Executable is typically the best.

1. shikata_ga_nai (Very Good)

2. Multi-Encoder (Excellent)

3. Backdoored Executable (BEST)

After encoding you will find the executable file in “/opt/usbsploit/lib/msf/data/usbsploitbackdoor.exe”

This amazing tool helps create a backdoor that can bypass most popular antivirus products in just a few steps.

My experience was interesting because when testing the generated executable file that had been encoded by msfencode, only 10 out of 42 antiviruses detected it as a Trojan.

(http://www.virustotal.com/analisis/fd17814e613849ae76d9e571f1af037a555f6f8bfd1ab021fc3854c34b6a4c63-1279835899).

You can run the .exe file on a Windows machine even if it runs one of the antivirus products that failed to detect the malicious code with the latest definitions, such as Kaspersky, and then activate the listener.

Here you will access all activities on the target machine and have total visibility of the whole system.


Black Hat USA 2010

At the end of this month, Black Hat USA 2010 takes place in Las Vegas, where new vulnerabilities, tools and programs will be presented.

Black Hat is the biggest and most important hacking event on the planet, attracting thousands of experts from around the world. This year it celebrates its 13th anniversary. Among the sessions is a cyber war discussion by General Michael V. Hayden, former director of the National Security Agency and the Central Intelligence Agency.

About 30 new vulnerabilities and 46 tools will be presented, and 25 independent researchers will demonstrate the latest cutting-edge technology.

Widely known speakers will contribute to the event including:

• “Cyber war…Are we at war? And if we are, how should we fight it?” presented by General Michael V. Hayden, former Director, National Security Agency and Central Intelligence Agency
• “Jackpotting Automated Teller Machines Redux” by Barnaby Jack
• “Wardriving the Smart Grid: Practical Approaches to Attacking Utility Packet Radios” by Shawn Moyer and Nathan Keltner
• “How to Hack Millions of Routers” by Craig Heffner
• “These Aren’t the Permissions You’re Looking For” by Anthony Lineberry
• “App Attack: Surviving the Mobile Application Explosion” by John Hering and Kevin Mahaffey
• “Hacking and Protecting Oracle Database Vault” by Esteban Martinez Fayo
• “Token Kidnapping’s Revenge” by Cesar Cerrudo
• “HTTPS Can Byte Me, Robert Hansen” by Josh Sokol
• “USB – HID, The Hacking Interface Design” by Richard Rushing.

For more information, visit the official website.


Hacking Approach to VoIP & Skype

Skype certainly provides a very nice way to do voice communication and chat, but questions remain: is the system secure and reliable? Can outsiders capture the conversation or intercept data?

To answer these questions, we will look at different ways security researchers have previously demonstrated for hacking Skype.

Intercepting data on VoIP systems is no different from traditional packet sniffing; the method is the same. The media is transmitted over UDP using RTP (the Real-time Transport Protocol).

To analyze the data, use an advanced sniffer such as Wireshark, which can decode the session automatically and also provides graphs of the different communication streams.

Recording VoIP is possible with tools such as UCSniff (http://ucsniff.sourceforge.net/), which offers:

• Targeting of VoIP Users based on Corporate Directory and/or extensions
• Support for automatically recording private IP video conversations
• Automatically re-creates and saves entire voice conversation to a single file that can be played back by media players
• Support for G.729, G.723, G.726, G.722, G.711 u-law, and G.711 a-law compression codecs
• Support for H.264 Video codec
• Automated VLAN Hop and VLAN Discovery support
• A UC Sniffer (VoIP and Video) combined with a MitM re-direction tool
• Monitor Mode
• Sniffs entire conversation if only one phone is in source VLAN
• Gratuitous ARP Disablement Bypass support
• TFTP MitM Modification of IP Phone features
• Realtime VoIP and Video Monitor

Intercepting video conferencing over the network is also possible unless the transmission is encrypted. The available protections are TLS (Transport Layer Security) for the SIP signalling and SRTP (Secure Real-time Transport Protocol) for the media, but in most cases the voice is transmitted in the clear.
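Because the media rides on RTP over UDP and is usually sent in the clear, a sniffer needs nothing more than the RTP header layout to pull the codec payload out of each packet, which is why SRTP matters. The following is an added example, not code from UCSniff, Wireshark or Skype: it builds constructed sample packets, parses the RTP fixed header (RFC 3550) including the CSRC list, header extension and padding, maps the static payload-type numbers of the codecs listed above (RFC 3551), and expands a G.711 u-law byte to linear PCM. The SSRC and payload bytes are constructed values.

```python
import struct

# Static payload-type numbers from RFC 3551 for the codecs the post lists.
# G.726 is normally negotiated as a dynamic payload type, so it is absent here.
STATIC_PAYLOAD_TYPES = {
    0: "PCMU (G.711 u-law)",
    4: "G723",
    8: "PCMA (G.711 a-law)",
    9: "G722",
    18: "G729",
}


def build_rtp(payload_type, seq, timestamp, ssrc, payload, csrcs=(), marker=0):
    """Assemble an RTP packet (RFC 3550 fixed header, no extension, no padding).
    Used only to construct sample packets for this example."""
    b0 = (2 << 6) | (len(csrcs) & 0x0F)                 # version 2, P=0, X=0, CC
    b1 = ((marker & 1) << 7) | (payload_type & 0x7F)     # M bit and payload type
    header = struct.pack("!BBHII", b0, b1, seq & 0xFFFF,
                         timestamp & 0xFFFFFFFF, ssrc & 0xFFFFFFFF)
    header += b"".join(struct.pack("!I", c) for c in csrcs)
    return header + payload


def parse_rtp(packet):
    """Decode the RTP header and return its fields plus the raw codec payload.
    Handles CSRC lists, header extensions and padding; rejects non-v2 packets."""
    if len(packet) < 12:
        raise ValueError("packet shorter than the RTP fixed header")
    b0, b1, seq, timestamp, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError(f"unsupported RTP version {b0 >> 6}")
    padding = (b0 >> 5) & 1
    extension = (b0 >> 4) & 1
    cc = b0 & 0x0F
    offset = 12 + 4 * cc
    if len(packet) < offset:
        raise ValueError("truncated CSRC list")
    csrcs = list(struct.unpack(f"!{cc}I", packet[12:offset])) if cc else []
    if extension:
        if len(packet) < offset + 4:
            raise ValueError("truncated header extension")
        _, ext_words = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4 + 4 * ext_words
    end = len(packet)
    if padding:
        end -= packet[-1]          # last octet counts the padding bytes, itself included
    if end < offset:
        raise ValueError("padding count exceeds packet length")
    payload_type = b1 & 0x7F
    return {
        "marker": b1 >> 7,
        "payload_type": payload_type,
        "codec": STATIC_PAYLOAD_TYPES.get(payload_type, "dynamic/unknown"),
        "sequence": seq,
        "timestamp": timestamp,
        "ssrc": ssrc,
        "csrcs": csrcs,
        "payload": packet[offset:end],
    }


def ulaw_to_linear(sample):
    """Expand one G.711 u-law byte to a 16-bit linear PCM value. With the payload
    in the clear, this is all a sniffer needs to turn packets back into audio."""
    sample = ~sample & 0xFF
    sign = sample & 0x80
    exponent = (sample >> 4) & 0x07
    mantissa = sample & 0x0F
    linear = (((mantissa << 3) + 0x84) << exponent) - 0x84
    return -linear if sign else linear


# Constructed sample: one 20 ms G.711 u-law frame (160 bytes) of silence.
SAMPLE_PACKET = build_rtp(payload_type=0, seq=1, timestamp=160,
                          ssrc=0xDEADBEEF, payload=b"\xff" * 160)

if __name__ == "__main__":
    info = parse_rtp(SAMPLE_PACKET)
    print(info["codec"], hex(info["ssrc"]), len(info["payload"]), "payload bytes")
    print("first sample as linear PCM:", ulaw_to_linear(info["payload"][0]))
```

The parser is deliberately strict about truncated headers and over-long padding counts, the two malformed cases a capture tool hits most often on a noisy VLAN; a packet that fails these checks should be logged rather than fed to the decoder.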

Skype mandates encryption of all transmitted traffic, but catching Skype calls is still possible.

Ruben Unteregger, a 33-year-old software developer from Switzerland, has made public the source code of a Trojan that taps into Skype conversations. The Trojan receives commands from a dedicated server and then sends the attackers the desired audio files.

When the user opens up the Skype Client and starts a conversation, the Trojan performs a DLL injection that will allow it to attach itself to the Skype process and record all audio/video conversations.

The recorded audio files are then transformed from a PCM audio format to MP3, encrypted and sent to a server on the web.

As demonstrated, the method captures not only keystrokes but all data transmitted by Skype, audio and video alike. You can find more about it here: http://www.megapanzer.com.

Finally, it is important to note that listening to and recording other people's conversations is illegal and classified as a crime; these tools can be used to back up your own conversations, as proof-of-concept demonstration tools, and as a way of creating awareness of VoIP/UC threats.


Sniffing/MITM Attacks on Tor network

Tor is a wonderful tool for ensuring your privacy on the Internet. The Tor software is a program you run on your computer to help keep you safe online: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location. If you think that is its only role, you are wrong; it is just one of Tor's main purposes. Another role is to run a server and make it available for other users' traffic to pass through.

By installing a sniffer on that server you will be able to see all unencrypted traffic and gather data and sensitive information.

To start, get a Linux distribution such as BackTrack or Ubuntu on a virtual machine; it is free and available online. Next, download the latest Tor version (currently 0.2.1.20). After installing the packages it is better to create a dedicated user on the system, toruser: uid=111(toruser) gid=10(wheel) groups=0(wheel),10(wheel). Tor keeps its configuration file under .tor in that user's home directory (/home/toruser), so open that file in a text editor.

In the settings we customize the following:

ControlPort: the port used for remote management of the Tor server. Most use the value 9051.

DirPort: advertise the directory service on this port. The value is 9030.

ControlPort 9051
DirPort 9030

ExitPolicy: determines what traffic we will receive and forward. By default the policy is as follows:

reject *:25, reject *:119, reject *:135-139, reject *:445, reject *:563, reject *:1214,
reject *:4661-4666, reject *:6346-6429, reject *:6699, reject *:6881-6999, accept *:*

Here we choose the services we want to receive on our node and forward (HTTP, HTTPS, POP3, IMAP, IMAPS, POP3S), so the line becomes:

ExitPolicy accept *:80, accept *:443, accept *:110, accept *:143, accept *:993, accept *:995, reject *:*
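To see how Tor interprets an ExitPolicy line (the first matching entry wins, and the final reject *:* catches everything else), here is an added Python evaluator. It is example code written for this post, not part of Tor; the two policy strings it embeds are the default policy and the post's own policy as given above, and the test addresses are constructed. A check like this lets a relay operator confirm which ports the node will and will not carry before publishing it.

```python
import ipaddress


def parse_exit_policy(policy):
    """Parse a torrc-style ExitPolicy string into (action, network, lo, hi) rules.
    Entries are comma separated; '*' matches any address or any port; ports may be
    a single number or a lo-hi range. Order matters: the first match decides."""
    rules = []
    for entry in policy.split(","):
        entry = entry.strip()
        if not entry:
            continue
        action, target = entry.split()
        if action not in ("accept", "reject"):
            raise ValueError(f"unknown action {action!r}")
        addr, ports = target.rsplit(":", 1)
        network = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if ports == "*":
            lo, hi = 1, 65535
        elif "-" in ports:
            lo, hi = (int(p) for p in ports.split("-", 1))
        else:
            lo = hi = int(ports)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {ports!r}")
        rules.append((action, network, lo, hi))
    return rules


def exit_allowed(rules, address, port):
    """Return True if a relay with these rules would carry traffic to address:port."""
    ip = ipaddress.ip_address(address)
    for action, network, lo, hi in rules:
        if (network is None or ip in network) and lo <= port <= hi:
            return action == "accept"
    # Nothing matched. Tor would fall through to its built-in default policy;
    # this example simply reports a reject so that a policy without a catch-all
    # stands out when reviewed.
    return False


def accepted_ports(rules, address, candidates):
    """Convenience check for review: which of the candidate ports are carried."""
    return [p for p in candidates if exit_allowed(rules, address, p)]


# Tor's default exit policy, as quoted in the post.
DEFAULT_POLICY = ("reject *:25, reject *:119, reject *:135-139, reject *:445, reject *:563, "
                  "reject *:1214, reject *:4661-4666, reject *:6346-6429, reject *:6699, "
                  "reject *:6881-6999, accept *:*")

# The post's policy: only the web and mail ports, everything else rejected.
POST_POLICY = ("accept *:80, accept *:443, accept *:110, accept *:143, "
               "accept *:993, accept *:995, reject *:*")

if __name__ == "__main__":
    probe = [22, 25, 80, 110, 143, 443, 993, 995, 6881]   # constructed port list
    print("default policy carries:", accepted_ports(parse_exit_policy(DEFAULT_POLICY), "198.51.100.7", probe))
    print("post's policy carries:  ", accepted_ports(parse_exit_policy(POST_POLICY), "198.51.100.7", probe))
```

Run against the same port list, the default policy carries everything except mail relay and file-sharing ports, while the post's policy carries only the six listed services; the difference is what the rest of the post relies on.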

HashedControlPassword: sets the password for remote configuration of the Tor server so that a malicious user cannot take control of it.

Nickname: the server name.

ORPort: the port used to connect with other nodes, 9001.

SocksListenAddress: this will be localhost (127.0.0.1).

Save the changes and close the file. Now the server is ready to launch:

$ tor -f /home/toruser/.tor/torrc

It takes approximately 20 minutes for the system and ports to be checked. Then you can go to http://moria.seul.org:9032/tor/status/authority and find our server among the other server names.

Excellent, our server is working, and it is time to choose our favourite sniffer, Wireshark, which already exists in BackTrack 4: select the interface and enable packet capturing. Wireshark will show you all unencrypted traffic, such as website browsing and other HTTP navigation, in the clear. Not bad so far.

Now what about the encrypted traffic? Here it is time to use sslstrip: go to Moxie Marlinspike's official website and download the latest version (an update was released 2 days ago).

Run the command:

$ python sslstrip.py -a -l 8080 -w today.log

If we are not the last node, the traffic is transmitted in encrypted form, so to decrypt this traffic before it goes to its final destination we need to pass it through sslstrip by adding this rule to iptables:

$ iptables -t nat -I OUTPUT -p tcp -m owner --uid-owner 111 --dport 80 -j DNAT --to-destination 127.0.0.1:8080

This makes all outgoing HTTP traffic from user toruser pass through sslstrip automatically; at this point we just need to wait until some logs are collected and then check the log file.

In the next post we will explain how to perform scanning for black-box penetration testing behind a Tor proxy.

It is important to note that all programs are used just for educational purposes.


Identifying the real IP address of a hidden hacker

In this post I want to discuss some issues concerning the use of proxies by hackers and how to address them. Many hackers hide behind proxies so that IDSs, WAFs and firewalls cannot find their IP addresses, and some proxies such as Freegate, Tor and others change the user's IP address constantly, so the attacker cannot be traced on the web server side.

To address this problem I advise you to take a look at the Metasploit Decloaking Engine project. Its purpose is to identify the real IP address of a web user, regardless of proxy settings, using a combination of client-side technologies and custom services, without exploiting vulnerabilities in the client system.

The decloaking engine uses eight techniques to identify the IP address:

1. When a web client tries to resolve a host name, it will send a lookup request to its configured DNS server. The client’s DNS server will then send a query to the name server for the particular domain. If the host name contains a unique identifier, it is possible to correlate the IP address of the client with that of its DNS server. This can leak the ISP or company from which a given client is accessing the web, even if a proxy is in use. This leak does not occur when the proxy server is responsible for performing DNS resolution (socks4a, but not socks4).
2. When a Java applet tries to resolve a host name using the socket API, and the host name is not the same as the web site that served the applet, a security exception is raised. However, even though a security exception is triggered, the DNS request itself is still sent to the client’s DNS server. This can leak the ISP or company from which a given client is accessing the web, even in cases when a DNS enabled proxy server is in use.
3. When a Java applet sends UDP packets back to the originating host, the packets are usually sent without passing through the proxy service. This will leak the real external IP address of the web client. This method may not work with newer versions of Java and the packet destination is limited to the IP address that served up the applet.
4. When Java is enabled, the host name and IP address of the web client are available by accessing the socket API. This method will leak the name of the user’s workstation and the IP address, as the system sees itself. In other words, this will leak the internal IP address of the system, even if the system is behind a NAT gateway or a proxy server.
5. When the Flash plugin is installed, it allows direct TCP connections back to the originating host. These connections may bypass the proxy server, leaking the real external address of the user’s workstation.
6. When Microsoft Office is installed and configured to automatically open documents, a file can be returned which automatically downloads an image from the internet. This can bypass proxy settings and expose the real DNS servers of the user.
7. When the Quicktime plugin is installed, it can be loaded with a parameter which explicitly tells it to use a direct connection for the movie and to ignore the browser’s settings.
8. When iTunes is installed, it registers the itms:// protocol handler. This protocol handler will open iTunes and do a direct connection to the specified URL. There are some restrictions on the URL you can pass, but we found a nice way around them :-)
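Technique 1 turns on who resolves the destination name, which is the socks4 versus socks4a distinction it mentions. As an added example, not part of the Metasploit project, the Python below builds and parses SOCKS4 and SOCKS4a CONNECT requests: a SOCKS4 request carries an IPv4 address the client already resolved, so the DNS query has already left the client and can be correlated, while a SOCKS4a request carries the hostname for the proxy to resolve. Inspecting what a client actually sends is how an administrator checks that a proxied browser is not leaking lookups. The hostnames, addresses and user ids are constructed sample values.

```python
import socket
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 1


def build_socks4_connect(dst_ip, dst_port, user_id=b""):
    """SOCKS4 CONNECT: VN, CD, DSTPORT, DSTIP, USERID, NUL. The request carries an
    IPv4 address, which means the client resolved the name itself and the DNS
    query went to the client's own resolver, outside the proxy."""
    return (struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, dst_port,
                        socket.inet_aton(dst_ip))
            + user_id + b"\x00")


def build_socks4a_connect(hostname, dst_port, user_id=b""):
    """SOCKS4a CONNECT: the address field is 0.0.0.x with x != 0, and the hostname
    follows the user id, so the proxy performs the resolution on the client's behalf."""
    return (struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, dst_port,
                        b"\x00\x00\x00\x01")
            + user_id + b"\x00" + hostname.encode("ascii") + b"\x00")


def parse_socks_connect(request):
    """Decode a SOCKS4/4a CONNECT request and report which side resolves the name."""
    if len(request) < 9:
        raise ValueError("request too short for a SOCKS4 header")
    version, command, port, raw_ip = struct.unpack("!BBH4s", request[:8])
    if version != SOCKS_VERSION or command != CMD_CONNECT:
        raise ValueError("not a SOCKS4 CONNECT request")
    user_id, sep, rest = request[8:].partition(b"\x00")
    if not sep:
        raise ValueError("unterminated user id")
    is_4a = raw_ip[:3] == b"\x00\x00\x00" and raw_ip[3] != 0
    hostname = None
    if is_4a:
        name, sep, _ = rest.partition(b"\x00")
        if not sep:
            raise ValueError("unterminated hostname")
        hostname = name.decode("ascii")
    return {
        "port": port,
        "ip": None if is_4a else socket.inet_ntoa(raw_ip),
        "hostname": hostname,
        "user_id": user_id.decode("ascii", "replace"),
        "resolver": "proxy" if is_4a else "client",
    }


if __name__ == "__main__":
    # Constructed sample requests: the same destination expressed both ways.
    leaky = build_socks4_connect("192.0.2.10", 80, b"user1")
    safe = build_socks4a_connect("www.example.test", 443, b"user1")
    for req in (leaky, safe):
        print(parse_socks_connect(req))
```

A SOCKS5 client can make the same choice (address type 0x03 sends the domain name), so the question to ask of any proxied client is the same one the parser answers here: does the request carry a name or an address it resolved locally?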

So, for the security of your business, make sure you keep router and firewall logs, intrusion detection logs, network monitoring data, web server logs, and server event and performance-monitoring logs, to document everything that happens on the network. And of course monitor your web logs to detect early any intrusion that could harm your web application, and stop it.


Astalavista.com Owned!

The Astalavista website was hacked by hackers referring to themselves as the anti-sec group.

Astalavista used to be a hacking and security community that started in 1994 and was one of the first search engines for exploit and computer security information. It provided a board for the hacking and security community to share the latest techniques for software cracking, spyware editing, and viruses.

According to the anti-sec group, they targeted http://astalavista.com because, in their words, the site is not doing any of this for the “community” but for the money: they spread exploits for kids, claim to be a security community (with no real sense of security on their own servers), and they charge $6.66 per month to access a dead forum with a directory filled with public releases and outdated/broken services. “We wanted to see how good that ‘team of security and IT professionals’ really is.”

They also shared the shell commands used to get into the web server, which you can find on the Zone-H website.


L0phtcrack 6: the old guard is back!

More than three years after Symantec stopped support and development of L0phtCrack, the tool that provided a titanic capability for password auditing and recovery, the same team came back yesterday with the new version, L0phtCrack 6.

With the project rights reacquired from Symantec by the original authors, they were able to continue developing this utility. Much has changed in operating system security in the last five years, so they improved features such as support for x64 processors and the latest releases from Microsoft (Vista, XP and Windows 7), Ubuntu and others.

I used LC4 and LC5 and they worked perfectly to recover lost passwords of fewer than 14 characters, so update your corporate password policy and make sure that you meet password security best practices.


Yemen ranked high on hacking

An international report has put Yemen among the world’s top ten countries with highest rates of computer hacking, ranking it 8th.

The report issued by the Business Software Alliance for 2008 on world programming companies noted that hacking rates in Yemen reached 89 percent.

Georgia was top, and Bangladesh, Armenia, Zimbabwe, Sri Lanka, Azerbaijan and Moldova came higher than Yemen.

At the Arab level, Yemen was top and Libya second while a single Muslim state came below Yemen.

Computer hacking of software grew by 41 percent in the last year, causing huge losses for software companies estimated at $53 billion.

Specialists and experts blame the increase in hacking on bad legislation, the absence of representation of global software companies in the country, and the unsuitable facilities those companies provide in Yemen, besides the lack of public awareness of the significance of licensing and technical support for original copies of programs.

Because of ineffective legislation to protect intellectual property and a difficult economic situation in which computer program users are unable to buy original programs, hacking prevails in Yemen, said Aws al-Eryani, director general of the Yemeni Information Corporation.

In 2007, Yemen lost almost $13 million due to computer hacking.

In addition, another reason for the surge in hacking in Yemen is that web-hosting companies and administrators do not pay enough attention to security measures to protect their websites.

[Source: Saba Net]


DNS hole leads to hack Google.co.ma!

The Google Morocco domain (Google.co.ma) was briefly hacked on Saturday May 10 by hackers referring to themselves as ‘PAKbugs’.

Google.co.ma is functioning again, but for several hours on Saturday the site was down and this gave enough opportunity for people visiting the site to generate screenshots of the hacked domain. When users visited the site, they briefly saw a message that said “HackeD By PAKbugs. We are ZombiE_KsA Cyber Criminal spo0fer x00mx00m”.

The domain was pointed to a different server, and the message mentioned above was shown when people tried to access the search engine. Google at one point reportedly relayed visitors from Morocco to Google.com instead of Google.co.ma, but it took a while before Google Morocco was functioning correctly again.

PAKbugs.com is a forum of Pakistani hackers, and the forum boasts of the successful hack here.

Popular blog TechCrunch suggests that the hackers hacked the site by possibly finding a way through NIC.ma, which controls the DNS (Domain Name Service) for Morocco.

At Sectech we have written about the DNS cache-poisoning flaw. This vulnerability allows hackers to redirect web traffic and e-mail to systems under their control. It affects several products from multiple vendors, so currently the only way to mitigate the risk is to patch the Domain Name Server and apply the latest updates.
You can find a mirror of the attack here.

[Source: ITP]
