February 22, 2012

Updates Released for IPFire Open Source Firewall

(LiveHacking.Com) – Two new core updates for the IPFire firewall distribution have been released. Core update 54 contains minor feature enhancements and bugfixes, while core update 55 incorporates the six security updates recently released for OpenSSL.

Core update 54
Update 54 adds the latest Intel network drivers (igb 3.2.10, e1000 8.0.53 and e1000e 1.6.3) and updates the web proxy service so that it consumes less memory in some situations. The intrusion detection system rule download works again for the latest ruleset, and the hardware status section of the web user interface recognizes more hard drives.

The details are as follows:
Package updates: squid 3.1.18, snort 2.9.1.2 (daq 0.6.2), smartmontools (5.42)
Network drivers: Intel network drivers (igb 3.2.10, e1000 8.0.53, e1000e 1.6.3), ath9k-htc (USB) firmware 1.3, timezone and hardware database, GeoIP database
Small bugfixes: a syntax error in the DHCP client script; H.323 connection tracking modules not being loaded at system start.

Core update 55
The recent updates to OpenSSL, the popular open source SSL/TLS toolkit, which fixed a total of six security flaws, make up the bulk of the changes in update 55. The only other update of interest is that OpenSSH has been updated to version 5.9p1.

More information about these updates can be found in the release announcement, plus in the Core 54 & Core 55 change logs. IPFire 2.11 Core 55 is available to download from here.

Wi-Fi Protected Setup Vulnerable to Brute Force Attack

(LiveHacking.Com) – Security researcher Stefan Viehböck has revealed a design and implementation flaw in Wi-Fi Protected Setup (WPS) that makes Wi-Fi networks vulnerable to brute-force attacks. US-CERT has issued an advisory which suggests disabling WPS. The WPS specification has three methods of simplifying the connection of wireless devices to WPA2-protected access points. One of those methods uses an eight-digit PIN from a label on the router, which authorizes the client to obtain the WPA2 configuration details.

An eight-digit PIN should allow 100,000,000 different combinations; however, a design flaw means that one of the digits is just a checksum, which reduces the possibilities to 10,000,000. The real weakness is that the protocol is designed so that the first half and the second half of the PIN are sent separately, and the protocol confirms whether each half on its own is correct. This reduces the search to 10,000 possibilities for the first half (4 digits) plus 1,000 for the second half (3 digits, since the checksum digit can be calculated), a total of just 11,000.

According to Viehböck, this means that some routers, which don’t employ any mechanism to slow down brute-force attacks, can be cracked within 44 hours. More information about this vulnerability can be found in Stefan’s paper: Brute forcing Wi-Fi Protected Setup. He has also released a PoC brute-force tool that can be found here.
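To make the search-space arithmetic above concrete, and to show why the "mechanisms to slow down brute force attacks" matter, here is an added illustration (not code from the article, from Viehböck's paper or from any of the tools it names). The checksum rule is the weighted-digit rule from the Wi-Fi Simple Configuration specification, the candidate counts and the 44-hour figure are the article's, and the lockout parameters in `worst_case_hours` are hypothetical values chosen only to show the effect of a registrar that pauses after repeated failures.

```python
"""WPS PIN search-space and lockout model (added illustration, not from the
article or from Viehböck's paper). The checksum rule is the one from the
Wi-Fi Simple Configuration spec; the timing figures are the article's."""

# Weights applied to the first seven PIN digits when deriving the eighth
# (checksum) digit, per the WPS specification.
_WEIGHTS = (3, 1, 3, 1, 3, 1, 3)


def wps_checksum_digit(first_seven: str) -> int:
    """Return the checksum digit that completes a 7-digit prefix into a valid 8-digit WPS PIN."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    total = sum(w * int(d) for w, d in zip(_WEIGHTS, first_seven))
    return (10 - total % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """Validate an 8-digit PIN against its checksum digit (the check an access point performs)."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum_digit(pin[:7]) == int(pin[7])


def search_space() -> dict:
    """Candidate counts for the three situations the article describes."""
    naive = 10 ** 8           # any eight digits
    with_checksum = 10 ** 7   # the last digit is fixed by the first seven
    first_half = 10 ** 4      # the protocol confirms the first four digits on their own
    second_half = 10 ** 3     # three free digits; the checksum digit follows from them
    return {
        "naive": naive,
        "checksum_only": with_checksum,
        "split_halves": first_half + second_half,
    }


def worst_case_hours(candidates: int, seconds_per_attempt: float,
                     lock_after: int = 0, lock_seconds: float = 0.0) -> float:
    """Hours needed to exhaust `candidates` attempts.

    lock_after / lock_seconds model a hypothetical registrar policy that pauses
    for `lock_seconds` after every `lock_after` failed attempts; the article
    only says that some routers lack such a mechanism, it does not specify one.
    """
    total = candidates * seconds_per_attempt
    if lock_after > 0:
        total += (candidates // lock_after) * lock_seconds
    return total / 3600.0


if __name__ == "__main__":
    space = search_space()
    # 44 hours for 11,000 attempts (the article's figure) is about 14.4 s per attempt.
    per_attempt = 44 * 3600 / space["split_halves"]
    print("candidates:", space)
    print("no lockout:  %.1f h" % worst_case_hours(space["split_halves"], per_attempt))
    print("60 s lock after 3 failures (hypothetical): %.1f h"
          % worst_case_hours(space["split_halves"], per_attempt, lock_after=3, lock_seconds=60))
```

The point of `worst_case_hours` is that the 11,000-candidate space is small enough that only rate limiting or lockout on the access point side stretches the exhaustive search to something impractical, which is why the advisory's recommendation is simply to disable WPS.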

Note: This vulnerability was also independently discovered by Craig Heffner (/dev/ttyS0, Tactical Network Solutions), who has released a tool called “Reaver” on Google Code.

New Version of Secpoint Google Hacking Database and Tool Released

(LiveHacking.Com) – Danish IT security company Secpoint has released the new version of its Google Hacking database and tool.

The new version of the Secpoint Google Hacking database and tool has more than 7,800 updates in its Google Hacking database, in addition to friendlier output and support for multiple sites in its tool.

This open source tool could help security professionals and penetration testers submit automated queries to Google and save the output to a file for further investigation.

The following Google hacking databases are included in the Secpoint Google Hacking tool:

  1. devices_and_cameras.txt
  2. errors.txt
  3. files.txt
  4. interesting_directories.txt
  5. interesting_info.txt
  6. login_pages.txt
  7. misc.txt
  8. network_or_vulnerability data.txt
  9. passwords_and_usernames.txt
  10. sql_injection_list.txt
  11. vulnerabilities.txt
  12. vulnerable_systems.txt
  13. webserver_banners.txt

The Secpoint Google Hacking database and tool is available to download here.

Disclaimer: It is against Google’s Terms of Service to send automated queries to Google’s System.

New PuTTY Release Fixes Password-not-wiped Vulnerability

(LiveHacking.Com) - Simon Tatham has released a new version of PuTTY, the ubiquitous SSH client for Windows, that fixes a bug which left passwords in active memory. Since PuTTY needs to authenticate with remote servers using passwords or public/private keys, and needs to keep session keys and similar data in memory while running, it is important that any information that is no longer needed be wiped from memory.

The reason for this is that it is feasible that malware could gain access to PuTTY’s memory or read any parts of the memory swapped to disk or any memory written to a crash dump. Accessing this memory could then lead to password discovery.

Although this scenario isn’t 100% avoidable (as PuTTY needs to keep some sensitive information on hand), the risks can be reduced as much as possible. PuTTY 0.59, 0.60 and 0.61 contained a bug in which the password entered was not wiped from memory, even though it was no longer needed.

Since most modern SSH-2 servers use the keyboard-interactive method for password logins (rather than SSH-2’s dedicated password method), this meant that those versions of PuTTY would store your login password in memory for as long as they were running.

Other bugs squashed in 0.62 include:

  • Pageant 0.61 would not accept connections from PuTTY 0.60 and earlier, or from other software (such as WinSCP) that used 0.60’s method of talking to Pageant. Pageant 0.62 accepts connections from both types of client.
  • If PuTTY 0.61 attempted GSSAPI authentication and failed, it printed a spurious and confusing ‘Access denied’ message in the terminal window, even though it was still possible to log in by other means.
  • If PSCP or PSFTP 0.61 was told to load a saved session which specifies SSH on a port other than 22, they would wrongly try to connect to port 22 instead of the specified port.
  • Pageant 0.61 leaked a file mapping handle every time it received a message with the wrong authentication.
  • PuTTYtel 0.61 crashed with an assertion failure message when saving a session.
  • PuTTY 0.61 could display underlined text with the underlines in the wrong place, to the right of the characters they should have been under.
  • PuTTY 0.61 could display VT100 line-drawing characters at the wrong vertical offset if they appeared next to the offset horizontal line characters.

Pre-built binaries, and the source code, are now available from the PuTTY website at http://www.chiark.greenend.org.uk/~sgtatham/putty/

Cache Timings Allow Browser History Extraction

(LiveHacking.Com) - Security Researcher and author of the book “The Tangled Web” Michal Zalewski has created a proof of concept web page which can extract browser history (without relying on browser quirks) using a non-destructive cache timings inspection method. A visit to the “cachetime” web page (after you give your permission) runs the script to reveal which of the top Internet sites you have visited including Facebook, YouTube and Amazon.com.

While this code is still somewhat crude and fails for a small percentage of visitors, it appears that repeated high-performance cache sniffing is a viable possibility. The approach should allow several hundred URLs to be tested per second without disrupting the cache or causing other side effects.

Over the past two years the major browsers changed the way the CSS :visited selectors work in order to prevent websites from stealing your browsing history.

Attacks on the cache timings, although theoretically possible, have until now been deemed infeasible as they relied on destructive, one-shot testing that alters the state of the examined cache. However Zalewski’s proof of concept offers non-destructive cache inspection.

Michal has released the source code which outlines the algorithm in more detail.

CrySyS Releases Duqu Detector

(LiveHacking.Com) - The lab that participated in the discovery of the Duqu trojan has developed a detector toolkit that can find Duqu infections on a computer or across a whole network. The toolkit, released by the Laboratory of Cryptography and System Security (CrySyS), uses signature and heuristic methods to find traces of Duqu infections even when parts of the malware have already been removed from a PC.

The toolkit searches for a range of different Duqu related suspicious files and known indicators to detect the current or past presence of the trojan. However, as with all anomaly detection tools, it is possible that it generates false positives.

Therefore, professional personnel are needed to analyze the resulting log files from the tool and decide on further steps.

The toolkit, which includes the source code, can be downloaded from here.

Recently NSS Labs also released a Duqu detector. Its solution is a Python script which uses pattern matching to scan the system drivers. The script, which is published under a BSD license, is available from its GitHub repository.
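The two detectors described above combine file-name and byte-pattern signatures with heuristics, and both produce logs that an analyst has to triage because of possible false positives. The following is an added illustration of that structure; it is not the CrySyS toolkit or the NSS Labs script, and every indicator in it (`placeholder_bad.sys`, `PLACEHOLDER-SIG-1`) is a constructed placeholder rather than a real Duqu artefact. The one heuristic it applies, that a `.sys` driver file should start with the PE `MZ` header, is generic and is there to show how a heuristic hit differs from a signature hit in the output.

```python
"""Minimal signature-plus-heuristics indicator scan (added illustration; not the
CrySyS toolkit or the NSS Labs script). All indicators below are constructed
placeholders, not real Duqu artefacts."""
import os
import tempfile

# Constructed placeholder indicators; a real toolkit ships vetted ones.
FILENAME_INDICATORS = {"placeholder_bad.sys": "known malicious driver name (placeholder)"}
BYTE_SIGNATURES = {b"PLACEHOLDER-SIG-1": "byte pattern from a sample (placeholder)"}


def scan_file(path: str) -> list:
    """Return (rule, detail) tuples for every indicator that fires on one file."""
    findings = []
    name = os.path.basename(path).lower()
    if name in FILENAME_INDICATORS:
        findings.append(("filename", FILENAME_INDICATORS[name]))
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError as exc:
        # Report rather than silently skip: an unreadable file is itself worth a look.
        return findings + [("unreadable", str(exc))]
    for sig, desc in BYTE_SIGNATURES.items():
        if sig in data:
            findings.append(("signature", desc))
    # Heuristic: a file posing as a driver but lacking the PE 'MZ' header is suspicious.
    # Heuristics like this are where false positives come from, hence the separate rule name.
    if name.endswith(".sys") and not data.startswith(b"MZ"):
        findings.append(("heuristic", "driver file without PE header"))
    return findings


def scan_tree(root: str) -> list:
    """Walk `root` and return log lines 'path<TAB>rule<TAB>detail' for analyst triage."""
    lines = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            for rule, detail in scan_file(p):
                lines.append(f"{p}\t{rule}\t{detail}")
    return sorted(lines)


def demo() -> list:
    """Build a constructed directory with benign and suspicious files, scan it, and
    return the 'rule<TAB>detail' part of every log line."""
    with tempfile.TemporaryDirectory() as d:
        files = {
            "benign.sys": b"MZ" + b"\x00" * 64,                   # normal-looking PE driver: no hit
            "placeholder_bad.sys": b"MZ" + b"PLACEHOLDER-SIG-1",  # filename hit and signature hit
            "leftover.dat": b"junk PLACEHOLDER-SIG-1 junk",       # signature hit after partial cleanup
            "oddball.sys": b"not a PE file",                      # heuristic hit (possible false positive)
        }
        for name, content in files.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(content)
        return [line.split("\t", 1)[1] for line in scan_tree(d)]


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Keeping the rule name in every log line is what lets an analyst triage quickly: a `filename` or `signature` hit is a strong indicator, while a `heuristic` hit on its own is the kind of result the article warns needs a human decision before any further action.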

SecPoint Releases New Version of its Multi-threaded TCP Port Scanner

(LiveHacking.Com) - SecPoint, a Danish IT security network company, has released a new version of its multi-threaded TCP port scanner. The new version, which is released under a BSD-style license and includes the source code, adds new features such as SYN scanning.

Other new features include:

  • Added host name resolution
  • Added option -o for output to file in plain text format
  • Added option -oh for output to file in html format
  • Added option -ox for output to file in xml format
  • Reversed the meaning of -r: by default port names are shown; with -r they are not
  • Skipping duplicated open ports: because of the low delay between two sends, the pcap library may call the receive function multiple times for the same port. Increasing the delay avoids the problem but slows down processing. With this solution it is possible to keep a low delay and avoid duplicates at the same time.
  • Changed name to “portscanner”
  • Added target host name to output, if given
  • Removed printing of options -w and -n for Connect scan
  • Help message changed according to the new options

Using the program is simple, and the ability to start multiple scanning threads makes it quite fast. Running the following command scans the common ports (ports 1-2000 plus a special selection that makes scanning more efficient):

./portscanner IP

Port ranges can be specified as follows:

./portscanner IP -p 21-80

Use the -s option to perform a SYN scan and -n to set the number of threads (the default is 10). On our test machine, running with -n 100 reduced the scan time for 7473 ports by 75%!
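Two of the points above, the speed-up from running probes in several threads and the need to suppress duplicate reports of the same open port, can be shown with a small connect scan. The following is an added illustration and not SecPoint's code: it is a plain connect scan (no raw sockets, so no SYN mode), it opens its own listeners on 127.0.0.1 so that it runs offline, and the `demo` helper and its port counts are assumptions made for the example.

```python
"""Threaded TCP connect scan with duplicate suppression (added illustration; not
SecPoint's code). Probes only listeners the script itself opens on 127.0.0.1."""
import socket
from concurrent.futures import ThreadPoolExecutor


def probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if a TCP connect to host:port succeeds (one 'connect scan' probe)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan(host: str, ports, threads: int = 10) -> list:
    """Probe `ports` with `threads` workers and return the open ports, sorted and de-duplicated.

    A port that appears twice in `ports` is reported once; this is the scanner-side
    counterpart of the duplicate-hit problem the changelog above describes for pcap."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=threads) as pool:
        results = list(pool.map(lambda p: (p, probe(host, p)), ports))
    return sorted({p for p, is_open in results if is_open})


def _free_port() -> int:
    """Ask the OS for an unused port and release it again, so it will read as closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo(n_listeners: int = 2, n_closed: int = 3, threads: int = 10):
    """Open n_listeners sockets, scan them plus n_closed closed ports (each listed twice),
    and return (ports_found_open, ports_expected_open)."""
    listeners = []
    try:
        for _ in range(n_listeners):
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.bind(("127.0.0.1", 0))
            s.listen(5)
            listeners.append(s)
        expected = sorted(s.getsockname()[1] for s in listeners)
        closed = [_free_port() for _ in range(n_closed)]
        targets = (expected + closed) * 2  # duplicates on purpose
        found = scan("127.0.0.1", targets, threads=threads)
    finally:
        for s in listeners:
            s.close()
    return found, expected


if __name__ == "__main__":
    found, expected = demo()
    print("open:", found, "expected:", expected)
```

The thread count is the knob the article's `-n` option exposes: each probe spends most of its time waiting on the network, so more workers overlap those waits, which is where the 75% reduction reported above comes from.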

You can find out more here and the tool can be downloaded for Windows and Linux (including the source code) here.

Wireshark Updated to Fix Vulnerabilities and Bugs

(LiveHacking.Com) - Two new versions of Wireshark, the popular network protocol analyzer, have been released. The stable branch has been updated to 1.6.3 and the “old stable” branch to 1.4.10. These versions don’t contain any new functionality, but they do include several vulnerability and bug fixes.

The following vulnerabilities have been fixed.

  • wnpa-sec-2011-17: The CSN.1 dissector could crash. (Bug 6351) Versions affected: 1.6.0 to 1.6.2.
  • wnpa-sec-2011-18: Huzaifa Sidhpurwala of Red Hat Security Response Team discovered that the Infiniband dissector could dereference a NULL pointer. (Bug 6476) Versions affected: 1.4.0 to 1.4.9, 1.6.0 to 1.6.2.
  • wnpa-sec-2011-19: Huzaifa Sidhpurwala of Red Hat Security Response Team discovered a buffer overflow in the ERF file reader. (Bug 6479) Versions affected: 1.4.0 to 1.4.9, 1.6.0 to 1.6.2.

Also the following bugs have been fixed:

  • Assertion failed when doing File->Quit->Save during live capture. (Bug 1710)
  • Wrong PCEP XRO sub-object decoding. (Bug 3778)
  • Wireshark window takes very long time to show up if invalid network file path is at recent file list (Bug 3810)
  • Decoding [Status Records] Timestamp Sequence Field in Bundle Protocol fails if over 32 bits. (Bug 4109)
  • ISUP party number dissection. (Bug 5221)
  • wireshark-1.4.2 crashes when testing the example python dissector because of a dissector count assertion. (Bug 5431)
  • Ethernet packets with both VLAN tag and LLC header no longer displayed correctly. (Bug 5645)
  • SLL encapsuled 802.1Q VLAN is not dissected. (Bug 5680)
  • Wireshark crashes when attempting to open a file via drag & drop when there’s already a file open. (Bug 5987)
  • Adding and removing custom HTTP headers requires a restart. (Bug 6241)
  • Can’t read full 64-bit SNMP values. (Bug 6295)
  • Dissection fails for frames with Gigamon Header and VLAN. (Bug 6305)
  • RTP Stream Analysis does not work for TURN-encapsulated RTP. (Bug 6322)
  • packet-csn1.c doesn’t process CSN_CHOICE entries properly. (Bug 6328)
  • BACnet property time-synchronization-interval (204) name shown incorrectly as time-synchronization-recipients. (Bug 6336)
  • GUI crash on invalid IEEE 802.11 GAS frame. (Bug 6345)
  • [ASN.1 PER] Incorrect decoding of BIT STRING type. (Bug 6347)
  • ICMPv6 router advertisement Prefix Information Flag R “Router Address” missing. (Bug 6350)
  • Export -> Object -> HTTP -> save all: Error on saving files. (Bug 6362)
  • Inner tag of 802.1ad frames not parsed properly. (Bug 6366)
  • Added cursor type decoding to MySQL dissector. (Bug 6396)
  • Incorrect identification of UDP-encapsulated NAT-keepalive packets. (Bug 6414)
  • WPA IE pairwise cipher suite dissector uses incorrect value_string list. (Bug 6420)
  • S1AP protocol can’t decode IPv6 transportLayerAddress. (Bug 6435)
  • RTPS2 dissector doesn’t handle 0 in the octestToNextHeader field. (Bug 6449)
  • packet-ajp13 fix, cleanup, and enhancement. (Bug 6452)
  • Network Instruments Observer file format bugs. (Bug 6453)
  • Wireshark crashes when using “Open Recent” 2 times in a row. (Bug 6457)
  • Wireshark packet_gsm-sms, display bug: Filler bits in TP-User Data Header. (Bug 6469)
  • wireshark unable to decode NetFlow options which have system scope size != 4 bytes. (Bug 6471)
  • Display filter Expression Dialog Box Error. (Bug 6472)
  • text_import_scanner.l missing. (Bug 6531)

Wireshark can be downloaded from http://www.wireshark.org/download.html

SSL Denial Of Service Tool Released

(LiveHacking.Com) - The Hacker’s Choice (THC) has added a new program to its repository of hacking tools. The new tool is designed to verify the performance of the encryption algorithms used in SSL. However, since most servers are not designed to handle large numbers of SSL handshakes, running the test will cause a denial of service.

To establish a secure SSL connection generally requires 15 times more CPU power on the server than on the client and so the THC-SSL-DOS tool has been built to exploit this asymmetry by overloading the server. The overload will result in a denial of service as the server struggles to cope with the incoming SSL connections.

Although this isn’t a new problem (it has been observed and discussed since 2003), this is the first time a compact tool has been written to expose it from the client end. A simple laptop can issue 300 SSL handshakes per second while using only around 10 to 25% of its CPU power. The result is that a laptop on a DSL connection can challenge a server on a 30Gbit link.

The denial of service attack can be launched on any SSL connection including HTTPS, POP3S and SMTPS.

This problem affects all SSL implementations today.

Rapid7 Introduces Metasploit Community Edition

(LiveHacking.Com) – To coincide with the second anniversary of Rapid7’s acquisition of the Metasploit project, it has announced that as of version 4.1 of Metasploit there will be a Metasploit Community Edition, a free commercial product that is available for both personal and professional use. Metasploit Community Edition includes the same network discovery, data import, and Nexpose integration as its Metasploit Pro counterpart.

Rapid7 are releasing the Metasploit Community Edition to address the growing gap between two types of users: The security researchers and developers who want a powerful platform to build custom tools and exploits using the console interface and the security and IT professionals that use the Metasploit Framework to conduct security assessments and verify vulnerabilities.

The free Community Edition provides a simple path for identifying targets, selecting an exploit, and launching it. Sessions can be managed through the user interface and have full access to the extensive post-exploit modules built into the Metasploit Framework.

“The best way to tackle the increasing information security challenge is to share knowledge between practitioners, open source projects and commercial vendors,” said HD Moore, Rapid7 CSO and Metasploit chief architect. “With that in mind, we’ve combined the Metasploit Framework with Rapid7’s commercial development to bring together the best of both worlds – the collaboration of security researchers around the world with quality-tested and stable commercial features. The new Metasploit Community Edition will greatly help security professionals seeking to understand risk and improve their security programs without needing to increase budgets.”

Metasploit Community Edition is available today as part of the Metasploit 4.1 release.