Posts Tagged hacking
Sniffing/MITM Attacks on Tor network
Posted by Mourad Ben Lakhoua in Internet, hacking on January 1, 2010
Tor is wonderful tool to ensure your privacy on the Internet ,Tor software is a program that you can run on your computer to helps keep you safe on the Internet.Tor prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location. but if you think that this is the only role than you are wrong, since this is just one function of the main purposes of Tor, because another good role of Tor is to create a server and make it available for other users to pass through it.
By installing a sniffer on the server you will be able to see all non encrypted traffic, and you will be able to gather data and sensitive information…
To start you have to get Linux distribution like Backtrack or Ubuntu on a virtual machine it is free and available online. Next download the latest Tor version (currently O.2.1.20). After installing the packages it is better to create a new user on the system trouser: uid=111(toruser) gid=10(wheel) groups=0(wheel),10(wheel). Now Tor use to store the config file .tor in the home directory (/home/toruser) so you need to open this file on the text editor.
In the setting we customize the following:
ControlPort – this is the port used for the remote management of Tor server. Most use the value of 9051.
DirPort – Advertise the directory service on this port. The value is 9030.
ControlPort 9051
DirPort 9030
ExitPolicy – determines what traffic we will receive and forward. By default the policy is as follows:
reject *: 25 , reject *: 119 ,reject * :135-139 , reject *: 445, reject *: 563, reject *: 1214
reject * :4661-4666 ,reject * :6346-6429 ,reject *: 6699 ,reject * :6881-6999 ,accept *: *
here we need to choose the services that we need to receive on our Node and forward (HTTP,HTTPS,POP3,IMAP,IMAPS, POP3S) .so it will be as follows:
ExitPolicy
accept *: 80, accept *: 443, accept *: 110, accept *: 143,accept *: 993, accept *: 995, reject *: *
HashedControlPassword – this to configure the password for remote Tor server configuration and to not allow a malicious user control the server.
Nickname – the server name.
ORPort – port to connect with other nodes 9001.
SocksListenAddress – this will be the localhost (127.0.0.1)
Save the changes and close the file. Now the server is ready to lunch:
$ Tor-f /home/toruser/.tor/torrc
You will take approximately 20 minutes to check the system and ports. Than you can go to http://moria.seul.org:9032/tor/status/authority and you will find our server among other server names.
So Excellent our server is working and it’s time to choose the favorite sniffer Wireshark , Wireshark is already exists in the Backtrack4 select the interface and enable packets capturing. Wireshark will give you all non encrypted traffic like website browsing and other HTTP navigation while it’s in clear. Not bad so far.
Now what about the encrypted traffic, here it’s time to use SSLStrip to get it you go to the official Moxie Marlinspike website and download the last version there is already an update released 2 days ago.
Run the command:
$ Python sslstrip.py-a-l 8080-w today.log
If we are not the last node the traffic will be transmitted in an encrypted form so to decrypt this traffic before it goes to the final destination we need to pass it over the sslstrip by adding this rule to iptable:
$ Iptables-t nat-I OUTPUT-p tcp-m owner-uid-owner 111 – dport 80-j DNAT – to-destination 127.0.0.1:8080
This will make all outdoing HTTP-traffic from user toruser pass through sslstrip automatically, and at this point we need just to wait till that we collect some logs and check the log file.
On next post we will explain the way to perform scanning for Blackbox peneteration testing behind a Tor Proxy.
It is important to note that all programs are used just for educational purposes.
make sure you subscribe to my RSS feed!
Idenifying the real ip address of a hidden Hacker
Posted by Mourad Ben Lakhoua in Web Security on July 5, 2009
I want in this post to discuss some issues concerning proxy uses by hackers and how to address these issues, Many hackers used to hide themselves behind proxies in order to not give IDS’s WAF’s and firewalls the opportunity to find there ip addresses, there are some proxies like Freegate ,tor and others changes IP addresses of user constantly so the attacker can’t be traced at the web server side.
To solve this problem I advise you to take a look at Metasploit-Declocking project. Metasploit Decloaking Engine tool purpose is to identify the real IP address of a web user, regardless of proxy settings, using a combination of client-side technologies and custom services and without exploiting vulnerabilities in the client system.
The decloaking engine uses eight techniques to identify the ip address:
1. When a web client tries to resolve a host name, it will send a lookup request to its configured DNS server. The client’s DNS server will then send a query to the name server for the particular domain. If the host name contains a unique identifier, it is possible to correlate the IP address of the client with that of its DNS server. This can leak the ISP or company from which a given client is accessing the web, even if a proxy is in use. This leak does not occur when the proxy server is responsible for performing DNS resolution (socks4a, but not socks4).
2. When a Java applet tries to resolve a host name using the socket API, and the host name is not the same as the web site that served the applet, a security exception is raised. However, even though a security exception is triggered, the DNS request itself is still sent to the client’s DNS server. This can leak the ISP or company from which a given client is accessing the web, even in cases when a DNS enabled proxy server is in use.
3. When a Java applet sends UDP packets back to the originating host, the packets are usually sent without passing through the proxy service. This will leak the real external IP address of the web client. This method may not work with newer versions of Java and the packet destination is limited to the IP address that served up the applet.
4. When Java is enabled, the host name and IP address of the web client are available by accessing the socket API. This method will leak the name of the user’s workstation and the IP address, as the system sees itself. In other words, this will leak the internal IP address of the system, even if the system is behind a NAT gateway or a proxy server.
5. When the Flash plugin is installed, it allows direct TCP connections back to the originating host. These connections may bypass the proxy server, leaking the real external address of the user’s workstation.
6. When Microsoft Office is installed and configured to automatically open documents, a file can be returned which automatically downloads an image from the internet. This can bypass proxy settings and expose the real DNS servers of the user.
7. When the Quicktime plugin is installed, it can be loaded with a parameter which explicitly tells it to use a direct connection for the movie and to ignore the browser’s settings.
8. When the iTunes is installed, it registers the itms:// protocol handler. This protocol handler will open iTunes and do a direct connection to the specified URL. There are some restrictions on the URL you can pass, but we found a nice way around them 
So for the security of your business make sure that you have the router and firewall logs, intrusion detection logs, network monitoring data, Web server logs, and server event and performance-monitoring logs. To document everything that happens on the network. And of course to monitor your web client log to detect any intrusion that harms your web application early and avoids it.
make sure you subscribe to my RSS feed!
Astalavista.com Owned!
Posted by Mourad Ben Lakhoua in News, hacking on June 6, 2009
Astalavista website was hacked by hackers referring themselves as anti-sec group.
Astalavista used to be a hacking and security community that started in 1994 and was one of the first search engines for exploit and computer security information. It has provided a board for hacking & security community to share the latest techniques for software cracking, spyware editing, and viruses.
According to anti-sec group they targeted http://astalavista.com to the fact that they are not doing any of this for the “community” but for the money, they spread exploits for kids, claim to be a security community (with no real sense of security on their own servers), and they charge you $6.66 per months to access a dead forum with a directory filled with public releases and outdated / broken services. We wanted to see how good that “team of security and IT professionals” really is.
And they also shared the shell command to getting into the webserver which you can find on the Zone-h website.
L0phtcrack 6: the old guard is back!
Posted by Mourad Ben Lakhoua in Best Practices, Password Security, Pentesting on June 1, 2009
After more than three years since Symantec stopped the support and development of L0phtcrack the tool that provided a titanic opportunity for passwords auditing and recovery.
Here comes yesterday the same team with the new version L0phtcrack 6.
As the project rights being reacquired by the original authors from Symantec it was possible for them to continue developing this utility. In the last five years many things have been changed in the operating system security so they improved some features like the Support for x64 processors and the latest releases from Microsoft (Vista, XP and windows 7),Ubuntu and others.
I used the LC4 and LC5 and they worked perfectly to recover lost password that are less than 14 characters so update your corporate password policy and make sure that you meet password security best practices.
subscribe to my RSS feed!
Yemen ranked high on hacking
Posted by Mourad Ben Lakhoua in News on May 27, 2009
An international report has put Yemen among the world’s top ten countries with highest rates of computer hacking, ranking it 8th.
The report issued by the Business Software Alliance for 2008 on world programming companies noted that hacking rates in Yemen reached 89 percent.
Georgia was top and Bangladesh, Armenia, Zimbabwe, Sri Lanka, Azerbaijan, Moldova came higher than Yemen.
At the Arab level, Yemen was top and Libya second while a single Muslim state came below Yemen.
Computer hacking in the last year grew by 41 percent for computer programs, causing huge losses for programming companies estimated at $ 53 billion.
Specialists and experts blame the increase in hacking on bad legislation, the absence of world programming companies representation in the country, unfit facilitations provided by global programming companies in Yemen; all these besides the absence of the people’s awareness about the significance of licensing and technical support for original copies of programs.
Because of ineffective legislation to protect intellectual property and difficult economic situation with computer program users being unable to buy original programs, hacking is prevailed in Yemen, director general of the Yemeni Information Corporation Aws al-Eryani said.
In 2007, Yemen lost almost $ 13 million due to computer hacking.
In addition, another reason for the surge in hacking in Yemen is that web-hosting companies and overseers don’t pay more attention to security measures to protect their websites.
[Source: Saba Net]
DNS hole leads to hack Google.co.ma!
Posted by Mourad Ben Lakhoua in Cybercrime & Hacking, Vulnerabilities on May 11, 2009
The Google Morocco domain (Google.co.ma) was briefly hacked on Saturday May 10 by hackers referring to themselves as ‘PAKbugs’.
Google.co.ma is functioning again, but for several hours on Saturday the site was down and this gave enough opportunity for people visiting the site to generate screenshots of the hacked domain. When users visited the site, they briefly saw a message that said “HackeD By PAKbugs. We are ZombiE_KsA Cyber Criminal spo0fer x00mx00m”.
The domain was pointed to a different server, and the message mentioned above was shown when people tried to access the search engine. Google at one point reportedly relayed visitors from Morocco to Google.com instead of Google.co.ma, but it took a while before Google Morocco was functioning correctly again.
PAKbugs.com is a forum of Pakistani hackers, and the forum boasts of the successful hack here.
Popular blog TechCrunch suggests that the hackers hacked the site by possibly finding a way through NIC.ma, which controls the DNS (Domain Name Service) for Morocco.
At Sectech we have published the DNS cache-poisoning flaw this vulnerability allow a hackers to redirect Web traffic and e-mails to systems under their control this hole affects several products from multiple vendors so the only solution to mitigate the risks currently is to patch the Domain Name Server and apply the latest update.
You can find mirror of the attack here
[Source: ITP]
make sure you subscribe to my RSS feed!
Hacked to Pieces
Posted by Mourad Ben Lakhoua in News on April 27, 2009
Jolyon Jenkins investigates whether we have lost the war on cybercrime and looks at a new criminal economy which has grown to feed the demand for our most private details.
Jolyon finds that the security details of ordinary members of the public – their bank details, passwords, and secret security questions are being openly traded in cybercrime forums. He hands over his own laptop computer to an ‘ethical hacker’ and finds that it takes two minutes for its password to be cracked. Within a few more minutes, the hacker has installed a key-logging Trojan that secretly passes all his computer activity – passwords, emails and all – back to the hacker’s own computer.
He finds that we are all vulnerable to criminals who trade on our human weaknesses: our magpie-like obsession with gaudiness and trivia, and our willingness to click the OK button without thinking through the consequences.
Ever since the internet became mainstream, we have been hearing warnings about hackers, spammers and other renegades of the online world. The internet security business now threatens to overtake the Chinese army as the largest employer on earth. But what has this army of consultants achieved, apart from spending billions of dollars? Every year the situation gets steadily worse.
[Source: BBC]
make sure you subscribe to my RSS feed!
International hackers, many from China, are attacking NYPD computers
Posted by Mourad Ben Lakhoua in Cybercrime & Hacking on April 24, 2009
A network of mystery hackers, most based in China, have been making 70,000 attempts a day to break into the NYPD’s computer system, the city’s top cop revealed Wednesday.
Commissioner Raymond Kelly said the perpetrators have yet to succeed, but their relentless activities have prompted the force to raise its guard against high-tech crime.
“It’s a threat that we must continue to pay close attention to every day,” Kelly said in a speech to the Council on Foreign Relations.
Kelly said the threat is similar to a shocking cyber espionage plot recently uncovered at the Pentagon.
China-based hackers successfully cracked the Pentagon’s computers and gleaned design features of the F-35 Joint Strike Fighter jet program being developed by Lockheed Martin, the Wall Street Journal reported Monday.
[Source: Daily News]
If you enjoyed this post, make sure you subscribe to my RSS feed!
Cyberspies hack into U.S. fighter project
Posted by Mourad Ben Lakhoua in Cybercrime & Hacking on April 21, 2009
Computer spies have repeatedly breached the Pentagon’s costliest weapons program, the $300 billion Joint Strike Fighter project, The Wall Street Journal reported on Tuesday.
The newspaper quoted current and former government officials familiar with the matter as saying the intruders were able to copy and siphon data related to design and electronics systems, making it potentially easier to defend against the plane.
The spies could not access the most sensitive material, which is kept on computers that are not connected to the Internet, the paper added.
Citing people briefed on the matter, it said the intruders entered through vulnerabilities in the networks of two or three of the contractors involved in building the fighter jet.
Lockheed Martin Corp is the lead contractor. Northrop Grumman Corp and BAE Systems PLC also have major roles in the project. Lockheed Martin and BAE declined comment and Northrop referred questions to Lockheed, the paper said.
[Source: Reuters]
HACKING AT RANDOM 2009
Posted by Mourad Ben Lakhoua in News, hacking on April 10, 2009
Preparations are going well for this year’s European outdoor hacker festival, Hacking At Random, this event will be taking place in The Netherlands August 13-16, 2009. The special discounted rate for people buying tickets early has now been extended to April 14.
The Dutch hacker camps take place every four years. The last one (What The Hack) was held in 2005 and was a great experience overall. Those of you who vowed not to miss the next one should be especially careful not to miss this one.
To subscribe and receive the latest news visit the official website
SUBSCRIBE
