Jack In The Box

New phishing scam

2010-03-11T01:38:00.000-08:00

Attorney General Jim Hood is warning credit union members of an apparent phishing scam.

Read this

altalsec

2010-01-13T08:13:00.000-08:00

Dear Friends,

altalsec urity provide the following services:

- Penetration Testing
- Vulnerability Research
- Information Secuity Training

Backtrack 4 Final --> out

2010-01-12T02:16:00.000-08:00

Mazal tov to Muts, Irissan && Remote-exploit team.

Decaf Please

2009-12-15T01:12:00.000-08:00

A new Anti Forensics tool have been released this week, Download link:decaf

"According to the Register, the program deletes temporary files or processes associated with COFEE, erases all COFEE logs, disables USB drives, and contaminates or spoofs a variety of MAC addresses to muddy forensic tracks."

Read the full article:

Hackers Brew Self-Destruct Code to Counter Police Forensics

iPhone new Worm - ikee

2009-11-11T04:18:00.000-08:00

Source code available on line....here

Ready? ./set

2009-10-07T01:32:00.000-07:00

Social Engineer Toolkit:

The Social Engineering Toolkit (SET) is a python-driven suite of custom tools,
SET has two main methods of attack, one is utilizing Metasploit payloads and Java-based attacks by setting up a malicious website that ultimately delivers your payload. The second method is through file-format bugs and e-mail phishing.

The SET is designed to make complex social engineering tasks relatively simple for you by allowing you to utilize a robust framework for penetration tests.

SET works with metasploit and basicaly targets on automatic mail and website attack.

Email password leak update

2009-10-07T00:35:00.000-07:00

After the leak of 10,000 Hotmail and Windows live email passwords and details yesterday, this morning it emerges that another list containing 20,000 e-mail addresses and passwords from Hotmail, Yahoo, AOL, Gmail and others service providers has been posted online.

There were more then 10,028 pairs of user names and passwords posted to multiple pages of public upload website like Pastebin.com, some of which remained live at time of writing. The stash is likely only a small sample of a much larger file,

Wouldn't it be great if this phishing was somehow linked to Mafia Wars or any other FB APP? could it be a phising attack?

Clarification

2009-08-25T02:15:00.000-07:00

I would like to clarify the article that have been posted yesterday @themarker regards the security breach in Cellcom website. I didn`t do any penetration testing or auditing on the website.

I just got the link and been asked for my professional opinion. As far as i know, the security department knew about the risks that this info can lead. that`s all.

M4y th3 S0urce b3 w1th u5.

Audit VoiP++

2009-08-25T02:10:00.000-07:00

A great suite of exploring, classifying, and auditing telephone systems that can be found in Warvox

the suite of tools provides the unique ability to classify all telephone lines in a given range, including modems, faxes, voice mail boxes, PBXs, loops, dial tones, IVRs, and forwarders.

WarVOX is intended for legal security assessment, asset inventory, and research purposes only.

DirectShow 0day in the wild

2009-07-07T00:42:00.000-07:00

DirectShow 0day is a high rate of 0day exploit, the current outbreak has already begun last week online. In order for the attack to work the victim needs to use XP built-in Windows Media Player to play media files which in turn triggers internal loopholes.

This is a client side (IE) exploit, so visiting a malicious site will result in infection.

Attack characteristics are as follows:
(I`ve found the code on http://**.****.cn website)

var appllaa='0';
myObject.classid='clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';

Microsoft's advisory offers workarounds for the issue (from today), including setting the killbit for the ActiveX control.

There is one known hotfix and that is to set a "kill bit" in the registry for the ActiveX component.

\x1 Create the following Key

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400

\x2 Create a dword value named "Compatibility Flags" and give it a value of 400.

Let it sn0w

2009-06-27T00:20:00.000-07:00

The iPod/iPhone 3G jailbreak is out. The iphone-dev team just released the 24kpwn LLB patch to allow for a persistent jailbreak. The team had been hanging on to this patch because there was the possibility the exploit could be used on future iPhone versions. Unfortunately, a group started selling the code, so the team was forced to release it for free. There is a tutorial available for updating a factory reset iPod/iPhone (backup link).

That means the same sort of technique can be used with the current redsn0w tool to jailbreak and unlock the iPhone 3GS.

Let it ultrasn0w....

Infosec 2009

2009-06-17T01:20:00.000-07:00

Open world, Open standards, Open source...
Infosec2009

Going to be very interesting ;)

[Sum]mation ILHack

2009-05-26T02:34:00.000-07:00

Good morning All! First, I would like to thank Yaniv Miron for organizing such a great conference and inviting me to speak about VoIP Tactics && Exploitaion at ILHack 2009.

Next, this one goes to all of my Students/Friends/Colleages thanks for the BIG support. You are all in my local subnet ;)

Special 10x to SIPM4ST3R yossef cohen for the lab organization, coding, and talking about the SIP Protocol as a part of the lecture.

The presentation, video of the lecture and source code for(SIPy and sip00fer) will be available --> ILHack download section during this weekend.

Hope to see you all, soon.

Jacky Altal

2009-05-20T04:25:00.000-07:00

sip00fer

2009-05-09T23:02:00.000-07:00

After a looong week, i`ve finished my case study on PBX (Asterisk). A new 1.6.1.0 Asterisk version was installed on CentOS, a great disto. and by the help of the SIP M4ST3R Yossef{at}maxxvoice{dot}com I managed to \install\ AND \configure\ my new PBX up&&running in few hours. [./configure; make; make install] simple as that.

Then, I started testing my Asterisk box, as i saw a sample code that can create a fake call to any extension on metasploit framework. The code didn`t work on against a new 1.6.0.5 as Yossef found that the CSeq var is missing so i decided to implement it by my self, i used RFC3261 to deeply understand the protocol and to expend my research to this fascinating area.

I wrote a POC code in python and then convert it to C++ the POC will build a fake packet and send it to sip client.

The code will be posted soon -> ilHack 2009 <- along with a new SIPcliFuzzer.

Usage: sip00fer [host] [port] [fake_extension] [Fake_Caller]
Example: sip00fer 13.37.7.1 31317 101 jackjack

Sidejacking

2009-04-27T22:37:00.000-07:00

Hamster is a tool for HTTP session hijacking with passive sniffing. It eavesdrops on a network, captures the session cookies, then imports them into the browser to allow you to hijack their session.

Download Link

Web (rat)Proxy

2009-04-06T03:42:00.000-07:00

"Ratproxy is a semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments."

Download ratproxy from the following Link

OR use the following commands:

$> wget http://ratproxy.googlecode.com/files/ratproxy-1.56.tar.gz
$> tar xvf ratproxy-1.56.tar.gz
$> make

On Firefox go to |Tools|Options|Advanced|Network|settings choose manual proxy (rat address). and execute ratproxy with the following command:
$> ./ratproxy -w logfile -d domaintoscan -rlextifscpjm

To get a report in html file use:
$> -./ratproxy-report.sh logfile > report.html

Jacky Altal

WPA Rainbow tables

2009-04-06T03:28:00.000-07:00

Offensive security released a list of Cowpatty WPA tables, SSID Specific, using a 49 Million WPA optimised password dictionary file. Each Table is 1.9 GB.

Any one can help by seeding these files.

Infected with Confliker?

2009-04-06T02:35:00.000-07:00

Conficker Test is a simple visual test that any one can take in order to evaluate a windows pc just by surfing to this page. Conficker is known to block access to over 100 anti-virus and security websites. This page will loads images from blocked security and antivirus websites.

If you are blocked from loading the remote images in the first row of the top table above (AV/security sites) but not blocked from loading the remote images in the second row (websites of alternative operating systems) then your Windows PC may be infected by Conficker (or some other malicious software).

This test was originally developed by Joe Stewart. As you can see it is a simple test method which can be used by any one.

a link to Confliker removal tool can be found HERE

Jacky Altal

Manipulating Client Side Scripts

2009-04-02T05:46:00.000-07:00

As you can see in the following link posted by Lament just yesterday, there is a big security flow in Ynet forums.

I have read the mails between yaniv and Ynet respone team. And it seams like they are really dosent care. I`m not sure if yaniv did the right thing and post this movie, but no doubt that something had to be done.

I have to admit that this particular flow was known for a while, and to be honest there are many others.....

Attacking SMM Memory via Intel® CPU Cache Poisoning

2009-04-02T05:42:00.000-07:00

Attacking SMM Memory via Intel® CPU Cache Poisoning (March 2009) - a research paper published by Rafal Wojtczuk and Joanna Rutkowska describing a new attack that allows to compromise the integrity of the System Management Mode on Intel-based systems.

PDF

ilHack \x32\x30\x30\x39

2009-03-01T23:01:00.000-08:00

ifis.org.il the israeli security forum and yaniv Miron (CISO grad) announced the 2009 Hacking convention.

Additional information can be found in the following link:

-ilhack 2009 convention 4/5/09

SQL Queries

2009-02-26T00:15:00.000-08:00

Still in the top 10 security threats for 2009 Web Application attacks. During my work i`m facing DB`s that i`m not working on regular basis, which got me to c0mpile a list of queries for mssql, oracle, mysql, postgresql and msaccess. In the following xls file you can find the most used sql injection queries. The list >> constructed from data that i picked from several web sites and dring the days and n1ght of /me @work ;)

iPhone 2.2 Backup

2009-02-17T05:32:00.000-08:00

In order to make a bit by bit copy use the following method:

On your *nix box open up netcat:
nc -lvp 1337 | dd of=./imagem.dmg bs=4096

On your iPhone/ssh execute the following:
dd if=/dev/rdisk0s2 bs=4096 | netcat 192.168.1.100 1337

If you want to browse y0ur iPhone contents just follow the following directories:
Calendar /mobile/Library/Calendar/calendar.sqlitedb
Call history /mobile/Library/CallHistory/call_history.db
Notes /mobile/Library/Notes/notes.db
SMS /mobile/Library/SMS/sms.db
Adress book /mobile/Library/AddressBook/AddressBook.sqlitedb
voicemail /var/root/Library/Voicemail/voicemail.db
Photos /mobile/Media/DCIM/
Photos /mobile/Media/Photos
Google Maps /moblie/Library/Caches/MapTiles/MapTiles.sqlitedb
Cookies /mobile/Library/Cookies/Cookies.plist
iPhone Recorder /private/var/mobile/Media/iPhoneRecorder

ג'קי אלטל

Advanced Exploitation with Metasploit

2009-02-17T01:31:00.000-08:00

I decided to write a post about the new/advanced features in my favorite exploitation framework Metasploit. Those improved tools/features in the advanced framework includes wmap (application mapping), autopwn (what does it sounds like?)

WMAP

"WMAP is a general purpose web application scanning framework for Metasploit 3. The architecture is simple and its simplicity is what makes it powerful. It's a different approach compared to other open source alternatives and commercial scanners, as WMAP is not build around any browser or spider for data capture and manipulation."

STEP 1: load sqlite3 database
>load db_sqlite3
STEP 2: Create new database
>db_create wmapjack.db
STEP 3: Load wmap Database
>load db_wmap
STEP 4: Connect to wmap database
>db_connect wmap.db

Now just add web application target address
>wmap_targets -a http://127.0.0.1
Set it to the new target with the following command:
>wmap_targets -s 1

wmap_run - execute application mapping

The active modules are:
wmap_ssl_vhost WMAP_SERVER
frontpage_login WMAP_SERVER
version WMAP_SERVER
wmap_vhost_scanner WMAP_SERVER
wmap_file_same_name_dir WMAP_DIR - this will take a while (bruteforcing directory names)

wmap_reports - view web application report

Test your application

BackTrack 4 Beta released

2009-02-11T00:47:00.000-08:00

BT4 - New & improved version, The best so far......another great work by the remote exploit team. some new and exciting features. The most significant of these changes is the expansion from the realm of a Pentesting LiveCD towards a full blown "Distribution".

DOWNLOAD: BackTrack 4 Beta

Flow hiJACKing

2008-07-20T06:38:00.000-07:00

Application flow hijacking is one of the popular methods to infect EXE files, by the use of this method one can inject malicious \xHEXa code into application code section and then ask the instruction pointer to execute it as a part of the original code. Read More here... hiJACKing

Tools In The Box

2008-07-12T23:26:00.000-07:00

New / 0ld applications in the tools section......

Super ShellCode - Superman shell code sound track. Isntead of running calc as a shell code I decided to code my own super rintchi shell code. open the file with olly and copy/use the relevant code as a shell code.

ShareWatcher - A small .NET application that will watch NetBios connection to your PC. It will alert and log all connections.

TrafficViewer - Israeli road cameras (watch 8 cams in one window).

PS Whats that? data = google.doGoogleSearch(query,maxResults=20)

Enjoy.

XSS UTF-7

2008-07-08T01:28:00.000-07:00

Lament (my best student so far....) discovered a new XSS vulnerability in Apache server (two months ago and still unfixed). read about Cross-site Scripting here.

This vulnerability can show us that we can`t blindly TRUST links from known domain names. In the following POC we can see that walla.co.il is vulnerable just like all the other websites that running Apache server.

POC

Open new Explorer and paste the following link:

http://www.walla.co.il/Znl5g3k70ZaBUPYmN5RAGUdkskoprzGI63K4mIj2sqz
bX0Kc3Fu7vfthepWhmKvjudPuJTNeK9zw5MaZ1yXJi8RJRRuPe5UahFwOblM
XsIPTGh3pVjTLdim3vuTKgdazOG9idQbIjbnpMEco8Zlo5xNRuCoviPx7x7tYYe
Ogc8HU46gaecJwnHY7f6GlQB8H6kBFhjoIaHE1SQPhU5VReCz1olPh5jZ%3Cfont
%20size=50%3EDEFACED%3C!xc+ADw-script+AD4-alert('I XSSedYOU!!!')+ADw-/script+AD4---//--

Next, right click on the page and change encoding to auto select. BOOM. A message box should be opened now.

Conclusion, if you recieve a long encrypted link just dont open it. BE AWARE.

iJackPhone

2008-07-04T01:57:00.000-07:00

In the last few days while been paralyzed and unable to move from bed I had time to do some cool stuff with my iPhone. It all started when my L33T H@X0R bro - Muts invited me to join him on a iPhone journey - install Metasploit framework on a new iPhone.

First, we needed to Unlock, jailbreak and install Cydia on the iPhone. Good old Ziphone helped us to open the iPhone for third party applications and then we installed Cydia with the installer.application. Cydia is a distribution of GNU and BSD`s userspace for the iPhone. In other words, if you want to use bash, chmod, nc, passwd, su, tcpdump commands then you need Cydia.

Once all packges have been installed apt-get install wget,ruby,ruby-gems we downloaded the Metasploit framework to the iPhone, tar it and execute it. Fast and Simple!!!

Now, I`m working on a tool that will track Calls,SMS,History and Location of the iPhone. Hopefully it will be ready before BlackHat 2008.

A sample script that logs cordination from wifi,cellular every $Time can be found here. (still on progress)

REQUIREMENTS
This script is based on findLocation and findme-muchbetter scripts.

iPhone Remote Shell

iPhone Terminal

PS - Rintchi /me L0V3S Y0U

ג'קי אלטל