May 17, 2012

CrySyS Releases Duqu Detector

(LiveHacking.Com) - The lab that participated in the discovery of the Duqu trojan has released a detector toolkit that can find Duqu infections on a single computer or across a whole network. The toolkit, released by the Laboratory of Cryptography and System Security (CrySyS), uses signature and heuristic methods to find traces of Duqu infections even when parts of the malware have already been removed from a PC.

The toolkit searches for a range of Duqu-related suspicious files and known indicators to detect the current or past presence of the trojan. However, as with any heuristic detection tool, it can generate false positives.

Qualified personnel are therefore needed to review the resulting log files and decide on further steps.

The toolkit, which includes the source code, can be downloaded from here.

Recently NSS Labs also released a Duqu detector. Its solution is a Python script which uses pattern matching to scan the system drivers. The script, which is published under a BSD licence, is available from their GitHub repository.
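As an added example (not CrySyS's toolkit or NSS Labs's script, and using constructed placeholders rather than real Duqu signatures), the following Python scanner shows the shape of such a detector: it walks a directory tree, matches each file against file-name patterns, known hashes and byte patterns, and reports every hit so an analyst can triage it. The `example_*.tmp` name pattern, the `EXAMPLE_DROPPER_MARKER` byte string and the hash (simply SHA-256 of the string "test") are assumptions made for this example.

```python
"""Indicator scanner in the style of the Duqu detectors described above.
Added example: this is not CrySyS's or NSS Labs's code, and the indicators
are constructed placeholders, not real Duqu signatures.  It walks a directory
tree and reports, per file, which indicator kinds matched (file-name pattern,
SHA-256 hash, byte pattern) so an analyst can triage the hits."""
import hashlib
import os
import re
import tempfile

# Constructed indicators for this example only (NOT real Duqu IoCs).
NAME_PATTERNS = [
    (re.compile(r"^example_[0-9a-f]{4}\.tmp$", re.IGNORECASE), "constructed temp-file name"),
]
HASH_IOCS = {
    # sha256(b"test"); stands in for the hash of a known-bad component
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08": "constructed hash IoC",
}
BYTE_PATTERNS = [
    (b"EXAMPLE_DROPPER_MARKER", "constructed byte pattern"),
]
MAX_READ = 64 * 1024 * 1024   # skip content checks on files larger than this


def scan_file(path):
    """Return a list of (kind, detail) hits for one file; [] if clean or unreadable."""
    hits = []
    name = os.path.basename(path)
    for rx, label in NAME_PATTERNS:
        if rx.match(name):
            hits.append(("name", label))
    try:
        if os.path.getsize(path) > MAX_READ:
            return hits
        with open(path, "rb") as f:
            data = f.read()
    except OSError:
        return hits          # unreadable or missing: do not abort the whole walk
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_IOCS:
        hits.append(("hash", HASH_IOCS[digest]))
    for pat, label in BYTE_PATTERNS:
        if pat in data:
            hits.append(("pattern", label))
    return hits


def scan_tree(root):
    """Walk root; return {path: hits} for every file with at least one hit."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            hits = scan_file(p)
            if hits:
                findings[p] = hits
    return findings


def build_sample_tree():
    """Create a temp directory of constructed files: one clean, one matching by
    name and byte pattern, one matching by hash.  Returns (root, clean, tmp, hashed)."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    clean = os.path.join(root, "clean.sys")
    tmpf = os.path.join(root, "example_1a2b.tmp")
    hashed = os.path.join(root, "sub", "component.bin")
    os.makedirs(os.path.dirname(hashed))
    with open(clean, "wb") as f:
        f.write(b"nothing suspicious here")
    with open(tmpf, "wb") as f:
        f.write(b"..EXAMPLE_DROPPER_MARKER..")
    with open(hashed, "wb") as f:
        f.write(b"test")
    return root, clean, tmpf, hashed


if __name__ == "__main__":
    root, *_ = build_sample_tree()
    for path, hits in sorted(scan_tree(root).items()):
        print(path, hits)      # every hit still needs analyst triage (false positives)
```

Every hit is reported with the kind of indicator that fired, because a name-only match is far weaker evidence than a hash match; that distinction is what the analyst reviewing the log needs in order to separate false positives from real remnants.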

SecPoint Releases New Version of its Multi-threaded TCP Port Scanner

(LiveHacking.Com) - SecPoint, a Danish IT security network company, has released a new version of its multi-threaded TCP port scanner. The new version, which is released under a BSD-style license and includes the source code, adds new features such as SYN scanning.

Other new features include:

  • Added host name resolution
  • Added option -o for output to file in plain text format
  • Added option -oh for output to file in html format
  • Added option -ox for output to file in xml format
  • Reversed the meaning of -r : by default shows port names, with -r does not show them
  • Skipping duplicated open ports: Due to the low delay between two sends, the pcap library may call the receive function multiple times for the same port. The problem can be avoided by increasing the delay, but that slows down processing. With this fix it is possible to keep a low delay and still avoid duplicates.
  • Changed name to “portscanner”
  • Added target host name to output, if given
  • Removed printing of options -w and -n for Connect scan
  • Help message changed according to the new options

Using the program is simple and the ability to start multiple scanning threads makes the program quite fast. Running the following command will scan the common ports (ports 1-2000 plus a special selection that makes scanning more efficient):

./portscanner IP

Port ranges can be specified as follows:

./portscanner IP -p 21-80

Use the -s option to perform a SYN scan and -n to set the number of threads (the default is 10). On our test machine, running with -n 100 reduced the scan time for 7473 ports by 75%.

You can find out more here and the tool can be downloaded for Windows and Linux (including the source code) here.
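The following Python scanner is an added example, not SecPoint's portscanner code. It shows the two mechanisms the release notes above describe: a pool of worker threads (the -n option) and a set of open ports so that a port probed or reported twice only appears once. Only connect() scans are implemented; SYN scans need raw sockets and privileges. The -p port syntax, the option names and the loopback self-test are assumptions made for this example.

```python
"""Multi-threaded TCP connect() scanner.  Added example, not SecPoint's
portscanner code.  Worker threads probe ports concurrently and open ports are
collected in a set, so duplicate probes cannot produce duplicate results."""
import argparse
import socket
import sys
import threading
from concurrent.futures import ThreadPoolExecutor


def parse_ports(spec):
    """'21-80' -> [21..80]; '22,80-81' -> [22, 80, 81] (assumed -p syntax)."""
    ports = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.extend(range(int(lo), int(hi) + 1))
        else:
            ports.append(int(part))
    return ports


def probe(host, port, timeout=0.5):
    """Return port if a full TCP handshake succeeds, else None."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return port
    except OSError:
        return None


def scan(host, ports, threads=10, timeout=0.5):
    """Probe every port with `threads` workers; return sorted unique open ports."""
    open_ports = set()   # a set: the same port can never be reported twice
    lock = threading.Lock()

    def worker(port):
        if probe(host, port, timeout) is not None:
            with lock:
                open_ports.add(port)

    with ThreadPoolExecutor(max_workers=threads) as pool:
        list(pool.map(worker, ports))   # list() surfaces any worker exception
    return sorted(open_ports)


def start_listener(host="127.0.0.1"):
    """Open a loopback listener on an OS-chosen port for a self-test; returns (sock, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(8)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="threaded TCP connect scanner (example)")
    ap.add_argument("host")
    ap.add_argument("-p", "--ports", default="1-1024", help="port spec, e.g. 21-80 or 22,80-81")
    ap.add_argument("-n", "--threads", type=int, default=10)
    ap.add_argument("--self-test", action="store_true", help="scan a loopback listener")
    args = ap.parse_args()
    if args.self_test:
        srv, port = start_listener()
        print("open on loopback:", scan("127.0.0.1", [port - 1, port, port + 1], args.threads))
        srv.close()
        sys.exit(0)
    try:
        host_ip = socket.gethostbyname(args.host)   # host-name resolution, as in the new release
    except socket.gaierror as e:
        sys.exit(f"cannot resolve {args.host}: {e}")
    for p in scan(host_ip, parse_ports(args.ports), args.threads):
        print(f"{p}/tcp open")
```

Run it as `python scanner.py --self-test` to watch it find its own listener, or `python scanner.py HOST -p 21-80 -n 100`. A connect() scan completes the three-way handshake and is therefore logged by the target; it is also slower than a SYN scan because each probe waits for the full timeout on filtered ports, which is exactly why more threads cut the wall-clock time so sharply.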

Wireshark Updated to Fix Vulnerabilities and Bugs

(LiveHacking.Com) - Two new versions of Wireshark, the popular network protocol analyzer, have been released. The stable branch has been updated to 1.6.3 and the “old stable” branch to 1.4.10. These versions don’t contain any new functionality, but they do include several vulnerability and bug fixes.

The following vulnerabilities have been fixed.

  • wnpa-sec-2011-17: The CSN.1 dissector could crash. (Bug 6351) Versions affected: 1.6.0 to 1.6.2.
  • wnpa-sec-2011-18: Huzaifa Sidhpurwala of Red Hat Security Response Team discovered that the Infiniband dissector could dereference a NULL pointer. (Bug 6476) Versions affected: 1.4.0 to 1.4.9, 1.6.0 to 1.6.2.
  • wnpa-sec-2011-19: Huzaifa Sidhpurwala of Red Hat Security Response Team discovered a buffer overflow in the ERF file reader. (Bug 6479) Versions affected: 1.4.0 to 1.4.9, 1.6.0 to 1.6.2.

Also the following bugs have been fixed:

  • Assertion failed when doing File->Quit->Save during live capture. (Bug 1710)
  • Wrong PCEP XRO sub-object decoding. (Bug 3778)
  • Wireshark window takes very long time to show up if invalid network file path is at recent file list (Bug 3810)
  • Decoding [Status Records] Timestamp Sequence Field in Bundle Protocol fails if over 32 bits. (Bug 4109)
  • ISUP party number dissection. (Bug 5221)
  • wireshark-1.4.2 crashes when testing the example python dissector because of a dissector count assertion. (Bug 5431)
  • Ethernet packets with both VLAN tag and LLC header no longer displayed correctly. (Bug 5645)
  • SLL encapsulated 802.1Q VLAN is not dissected. (Bug 5680)
  • Wireshark crashes when attempting to open a file via drag & drop when there’s already a file open. (Bug 5987)
  • Adding and removing custom HTTP headers requires a restart. (Bug 6241)
  • Can’t read full 64-bit SNMP values. (Bug 6295)
  • Dissection fails for frames with Gigamon Header and VLAN. (Bug 6305)
  • RTP Stream Analysis does not work for TURN-encapsulated RTP. (Bug 6322)
  • packet-csn1.c doesn’t process CSN_CHOICE entries properly. (Bug 6328)
  • BACnet property time-synchronization-interval (204) name shown incorrectly as time-synchronization-recipients. (Bug 6336)
  • GUI crash on invalid IEEE 802.11 GAS frame. (Bug 6345)
  • [ASN.1 PER] Incorrect decoding of BIT STRING type. (Bug 6347)
  • ICMPv6 router advertisement Prefix Information Flag R “Router Address” missing. (Bug 6350)
  • Export -> Object -> HTTP -> save all: Error on saving files. (Bug 6362)
  • Inner tag of 802.1ad frames not parsed properly. (Bug 6366)
  • Added cursor type decoding to MySQL dissector. (Bug 6396)
  • Incorrect identification of UDP-encapsulated NAT-keepalive packets. (Bug 6414)
  • WPA IE pairwise cipher suite dissector uses incorrect value_string list. (Bug 6420)
  • S1AP protocol can’t decode IPv6 transportLayerAddress. (Bug 6435)
  • RTPS2 dissector doesn’t handle 0 in the octetsToNextHeader field. (Bug 6449)
  • packet-ajp13 fix, cleanup, and enhancement. (Bug 6452)
  • Network Instruments Observer file format bugs. (Bug 6453)
  • Wireshark crashes when using “Open Recent” 2 times in a row. (Bug 6457)
  • Wireshark packet_gsm-sms, display bug: Filler bits in TP-User Data Header. (Bug 6469)
  • wireshark unable to decode NetFlow options which have system scope size != 4 bytes. (Bug 6471)
  • Display filter Expression Dialog Box Error. (Bug 6472)
  • text_import_scanner.l missing. (Bug 6531)

Wireshark can be downloaded from http://www.wireshark.org/download.html

SSL Denial Of Service Tool Released

(LiveHacking.Com) - The Hacker’s Choice (THC) has added a new program to its repository of hacking tools. The new tool is designed to verify the performance of the encryption algorithms used in SSL. However, since most servers are not designed to handle large numbers of SSL handshakes, running the test will cause a denial of service.

Establishing a secure SSL connection generally requires around 15 times more CPU power on the server than on the client, and the THC-SSL-DOS tool has been built to exploit this asymmetry by overloading the server. The overload results in a denial of service as the server struggles to cope with the incoming SSL connections.

Although it isn’t a new problem (it has been observed and discussed since 2003), this is the first time a compact tool has been written to expose the problem from the client end. A simple laptop can issue 300 SSL handshakes per second while using only around 10 to 25% of the client’s CPU power. The result is that a laptop on a DSL connection can challenge a server on a 30Gbit link.

The denial of service attack can be launched on any SSL connection including HTTPS, POP3S and SMTPS.

This problem affects all SSL implementations today.
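From the defender's side, the tell-tale of this attack is one source opening handshakes far faster than any browser would. The following Python snippet is an added example (not part of the article or of THC's tool) of that detection logic run over a handshake log. The log format it parses, one line of `<ISO-8601 time> <client IP> handshake`, the sample lines and the 100-per-second threshold are all constructed for the example; a real TLS terminator or load balancer would need its own parser, but the per-source, per-second counting is the same.

```python
"""Detecting an SSL handshake flood of the kind THC-SSL-DOS produces.
Added example, not part of the original article or of THC's tool.  It
assumes a constructed, hypothetical handshake log with one line per
handshake:  <ISO-8601 time> <client IP> handshake"""
from collections import Counter, defaultdict
from datetime import datetime

EPOCH = datetime(1970, 1, 1)


def parse_line(line):
    """Return (second, src_ip) for a handshake line, or None for anything else."""
    parts = line.split()
    if len(parts) != 3 or parts[2] != "handshake":
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return int((ts - EPOCH).total_seconds()), parts[1]


def handshakes_per_second(lines):
    """Counter keyed by (second, src_ip); malformed lines are ignored."""
    counts = Counter()
    for line in lines:
        key = parse_line(line)
        if key is not None:
            counts[key] += 1
    return counts


def flag_floods(lines, threshold=100):
    """Return {src_ip: peak handshakes in any one second} for sources at or
    above threshold.  The threshold is a tuning assumption; the article quotes
    ~300/s for a single laptop, so 100/s is far above any real browser."""
    peak = defaultdict(int)
    for (_sec, src), n in handshakes_per_second(lines).items():
        peak[src] = max(peak[src], n)
    return {src: n for src, n in peak.items() if n >= threshold}


def sample_log():
    """Constructed sample: one client opening 300 handshakes within a single
    second (the laptop rate quoted above), a normal client doing one per
    second, and a malformed line that must be ignored."""
    lines = ["2011-10-24T10:00:01 203.0.113.5 handshake"] * 300
    lines += [f"2011-10-24T10:00:0{i} 198.51.100.9 handshake" for i in range(1, 6)]
    lines.append("garbage line that is not a handshake record")
    return lines


if __name__ == "__main__":
    for src, n in flag_floods(sample_log()).items():
        print(f"{src}: {n} handshakes/s (threshold exceeded)")
```

Counting handshakes rather than connections matters: the attack keeps the number of TCP connections modest while forcing the expensive asymmetric operation over and over, so connection-rate limits alone will not see it.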

Rapid7 Introduces Metasploit Community Edition

(LiveHacking.Com) – To coincide with the second anniversary of Rapid7’s acquisition of the Metasploit project, it has announced that, as of version 4.1 of Metasploit, there will be a Metasploit Community Edition, a free commercial product available for both personal and professional use. Metasploit Community Edition includes the same network discovery, data import and Nexpose integration as its Metasploit Pro counterpart.

Rapid7 are releasing the Metasploit Community Edition to address the growing gap between two types of users: The security researchers and developers who want a powerful platform to build custom tools and exploits using the console interface and the security and IT professionals that use the Metasploit Framework to conduct security assessments and verify vulnerabilities.

The free Community Edition provides a simple path for identifying targets, selecting an exploit, and launching it. Sessions can be managed through the user interface and have full access to the extensive post-exploit modules built into the Metasploit Framework.

“The best way to tackle the increasing information security challenge is to share knowledge between practitioners, open source projects and commercial vendors,” said HD Moore, Rapid7 CSO and Metasploit chief architect. “With that in mind, we’ve combined the Metasploit Framework with Rapid7’s commercial development to bring together the best of both worlds – the collaboration of security researchers around the world with quality-tested and stable commercial features. The new Metasploit Community Edition will greatly help security professionals seeking to understand risk and improve their security programs without needing to increase budgets.”

Metasploit Community Edition is available today as part of the Metasploit 4.1 release.

New Metasploit Module Exposes Hole in Opera Web Browser

(LiveHacking.Com) - Security researcher José A. Vázquez has released details of a vulnerability in the Opera web browser caused by bugs in its SVG processing code. What is more startling is that José actually reported this vulnerability, and some others, via the SecuriTeam Secure Disclosure program over 10 months ago, but Opera has done nothing about it.

So now José has decided to go public and, with the help of the people at metasploit.com, he has also released a Metasploit module.

Due to the nature of the vulnerability, visiting a specially crafted web page is enough to trigger the exploit and allow the attacker to run malicious code. However, the exploit isn’t successful 100% of the time. According to his testing, the success rate differs between versions of Opera:

  • Opera 12 pre-alpha -> RCE on 6/10 attempts
  • Opera 11.51 -> RCE on 3/10 attempts
  • Opera 11.50 -> RCE on 3/10 attempts
  • Opera 11.11 -> RCE on 4/10 attempts
  • Opera 11.10 -> RCE on 4/10 attempts
  • Opera 11.01 -> RCE on 5/10 attempts
  • Opera 11.00 -> RCE on 4/10 attempts

Opera did fix a related problem that José submitted, however he reported several vulnerabilities at the same time and the SVG processing has so far been ignored.

ElcomSoft Launches New Software To Crack BlackBerry Device Passwords

(LiveHacking.Com) – ElcomSoft have released a new version of their Phone Password Breaker (EPPB) with the ability to recover passwords protecting BlackBerry phones. Data on a BlackBerry can be protected using a password (known as the device password) which needs to be entered every time the device is switched on or, optionally, after a certain timeout. If the wrong password is entered more than 10 times in a row, all the data on the phone is erased.

It was previously thought that cracking this device password was impossible; however, ElcomSoft now say that it can be cracked in a matter of hours without any danger to the data on the phone.

However, there is a caveat: for the attack to work, Media Card encryption needs to be configured and set to either “Security Password” or “Device Password” mode.

ElcomSoft estimates that about 30 per cent of all BlackBerry smartphone users opt to protect their media cards with this option, making their devices open to this attack.

To crack the password, EPPB only needs the media card from the device, so the 10-attempt wipe never comes into play: the guessing happens offline against the card, not on the phone. Using a PC with an Intel i7-970, EPPB can try 1.8 million passwords per second in wordlist mode and about 5.9 million passwords per second in brute-force mode.

Why Do We Need Patch Management?

(LiveHacking.Com) – Patch management is a key function for anyone working in IT who is responsible for a network. There are various reasons why patch management is so important and how, if neglected, it can lead to service disruptions or give cyber criminals access to the network, where they can steal data or cause serious damage.

Computers work by running software that performs different operations. Operating systems, for example, are lists of instructions which the computer executes one after the other in order to perform a task the vendor intended.

From time to time, vendors see the need to update their products to improve performance or to address a security issue, and patch management is the process of applying those changes to a program as per the vendor’s specifications.

Why Would a Vendor want to update their software?

GFI LanGuard shows missing updates

The primary reason is that the software contains errors. Errors in coding or more specifically in the logic flow of a program can lead to a malicious attacker exploiting the logic to make the program perform in a way that the vendor never intended it to. This could cause either a service disruption or, even worse, allow an attacker to manipulate the program so that it runs the code the attacker wants and, in so doing, giving him or her control over the system.

Programs are quite complex and based on millions of lines of such instructions. It is fair to say that every piece of software contains errors which cause some type of side effect. In many cases these errors go unnoticed; however, if an error causes a major problem, then the vendor is in a race against time to correct it. The longer it takes to correct the error, the greater the window of opportunity for malicious people to exploit it and target those who are using the software.

What are the risks if a system is unpatched?

Systems that are not regularly patched can experience a number of issues, including:

  • Intrusions – Malicious attackers can gain access to your system and:
    • Turn it into a botnet – your computer is taken over and used to launch attacks on other computers or used to send spam
    • Steal Information and/or install mechanisms to spy on all that happens on that computer and other PCs on your network in the future
    • Create /Install a Backdoor or Rootkit – The attacker might install software allowing him easy access to the computer even if the issue is subsequently patched
    • Hacktivism – The attacker might gain access to your web server in order to change it to display political/activism messages
    • Beachhead – the attacker might use this machine to run further attacks on your network to gain access to more critical/valuable systems
  • Denial of Service – The attacker might use the coding error to crash your system
  • Stability – Coding Errors are a problem not only when someone tries to exploit them but bad code can cause a system to fail on its own if not fixed.
  • Performance – Sometimes a vendor may issue a patch to boost the program’s performance and provide additional value to the customer.

Vendors do not issue patches if it is not essential for their customers. Creating a Patch involves a lot of work for a vendor in terms of development and testing. A robust patch management policy and system can help administrators promptly install patches when a vendor issues them and thereby ensure that systems are up-to-date and error-free.

Editor Note: This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Read more on patch management.

Disclaimer: All product and company names herein may be trademarks of their respective owners.

Metasploit 4.0 Released With 20 New Exploits

(LiveHacking.Com) – The first iteration of the 3.x series of Metasploit was released five years ago. Now, after countless hours of coding and testing, Metasploit Framework 4.0 has been released. This new release ships with 716 exploit modules, 361 auxiliary modules and 68 post modules, including 20 new exploits, 3 new auxiliary modules and 14 new post modules since v3.7.2.

Metasploit Framework 4.0 comes with an abundance of new features and bug fixes. There are 14 new post modules, including new password-stealing post modules. Adding to Metasploit’s extensive payload support, the Windows and Java Meterpreters now both support staging over HTTP, and the Windows Meterpreter can also use HTTPS.

Six of the twenty new exploits came via the recent Exploit Bounty where contributors were paid $500 or $1000 (in the form of American Express gift cards) for creating any exploit module for an item from Metasploit’s top 5 or top 25 exploit lists.

Also new in V4.0 is a consolidated pcap interface. The pcaprub extension ships with the Linux installers as of this release and support for Windows will come soon. Modules that used Racket for generating raw packets have been converted to Packetfu, which provides a smoother API for modules to capture and inject packets.

Metasploit 4 is available to download from the project’s site where you can also find update instructions. Full details of this release can be found in the Release Notes.

ElcomSoft Releases New Software to Recover Passwords on NIST Certified BlackBerry PlayBook Backups

(LiveHacking.Com) - Only a few days ago the BlackBerry PlayBook became the first tablet to be certified for US government use by achieving FIPS 140-2 certification from the National Institute of Standards and Technology (NIST). No other tablet, including the iPad, has gained this certification, and the PlayBook is the only tablet ready for deployment within the U.S. federal government.

Since this particular FIPS (Federal Information Processing Standard) certification is about cryptography, you might think that any government data on a PlayBook would be secure… Not so. FIPS 140-2 validates a cryptographic module, not how a product protects data that leaves the device, and backup files are exactly such data. ElcomSoft has updated its Phone Password Breaker with the ability to recover passwords protecting BlackBerry PlayBook backups. This means that it can recover the original plain-text password protecting the PlayBook backups. Once the password is known, the backup can be restored to and analyzed on another PlayBook device.

The result is that forensic investigators (or hackers, spies and foreign governments) can access email messages, call history, contacts, web browsing history, voicemail and email accounts stored in those backup files.

To crack the passwords on the Backups, ElcomSoft use GPU-accelerated attacks, offloading parts of the computation-intensive jobs onto highly parallel units available in today’s ATI and NVIDIA video cards. The result is that the Elcomsoft Phone Password Breaker can try tens of thousands of passwords per second.

ElcomSoft plans to add a PlayBook backup decryption module, which allows the backups to be cracked open without restoring them to another PlayBook device, to the next version of Elcomsoft Phone Password Breaker.
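To put the quoted guess rates in perspective, here is an added Python example (not ElcomSoft's code) that serves both this item and the BlackBerry device-password item above. It takes the rates the articles quote (1.8 million/s in wordlist mode and 5.9 million/s in brute-force mode for the media-card attack, and an assumed 50,000/s for the "tens of thousands" per second on PlayBook backups) and computes how long exhausting a password space takes, what fraction of that space the 10-wrong-guesses wipe would ever let an online attacker try, and the minimum password length needed to keep worst-case cracking above a target time. The charset sizes, the 50,000/s figure and the one-year target are assumptions made for this example.

```python
"""Offline password-cracking arithmetic for the two ElcomSoft items above.
Added example, not ElcomSoft's code.  Guess rates are those quoted in the
text; charset sizes, the PlayBook GPU rate and the one-year target are
assumptions for illustration."""

# Rates quoted above (guesses per second)
RATE_EPPB_WORDLIST = 1.8e6    # BlackBerry device password, wordlist mode
RATE_EPPB_BRUTE = 5.9e6       # BlackBerry device password, brute-force mode
RATE_PLAYBOOK_GPU = 5e4       # "tens of thousands" for PlayBook backups (assumed 50k)

ONLINE_GUESS_LIMIT = 10       # wrong guesses before the BlackBerry wipes itself


def keyspace(charset_size, length):
    """Number of distinct passwords of exactly this length over this charset."""
    return charset_size ** length


def seconds_to_exhaust(charset_size, length, rate):
    """Worst case: every password of this shape tried once."""
    return keyspace(charset_size, length) / rate


def expected_seconds(charset_size, length, rate):
    """Average case: half the keyspace before the right guess."""
    return seconds_to_exhaust(charset_size, length, rate) / 2


def min_length_for(charset_size, rate, target_seconds):
    """Smallest length whose worst-case exhaustion time is at least target_seconds."""
    length = 1
    while seconds_to_exhaust(charset_size, length, rate) < target_seconds:
        length += 1
    return length


def online_coverage(charset_size, length, limit=ONLINE_GUESS_LIMIT):
    """Fraction of the keyspace an attacker can cover before the wipe-after-10
    lockout.  Shows why the lockout is irrelevant once the media card (or a
    backup file) is attacked offline at millions of guesses per second."""
    return limit / keyspace(charset_size, length)


def human(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} s"


if __name__ == "__main__":
    one_year = 365 * 86400
    for label, rate in (("EPPB brute", RATE_EPPB_BRUTE), ("PlayBook GPU", RATE_PLAYBOOK_GPU)):
        for cs, length in ((10, 6), (36, 8), (62, 10)):   # digits, a-z0-9, a-zA-Z0-9 (assumed)
            print(f"{label:12} charset={cs:2} len={length:2}: worst "
                  f"{human(seconds_to_exhaust(cs, length, rate)):>12}, "
                  f"online lockout covers {online_coverage(cs, length):.2e} of keyspace")
        print(f"{label}: a-z0-9 password needs length "
              f"{min_length_for(36, rate, one_year)} for a worst case of >= 1 year")
```

The point the numbers make is the one the two articles circle around: a lockout after 10 wrong guesses only constrains an attacker who has to go through the device, and an 8-character lower-case alphanumeric password that is untouchable online falls in under a week at 5.9 million guesses per second once the card or the backup file is in hand.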