Archive for the ‘Hacking’ Category
Friday, May 4th, 2007
I ran across this site today and wanted to share.
thebroken is an underground technology show with a hacker mentality that caters to the elite (or wannabe 1337) computer user using a mixture of seriousness and irreverent comedy … If it’s shady or underground, it’s thebroken.
I thought Ramzi’s tips were especially useful. Very funny … and educational. Some of the videos in the other sections of the site are worth a look too, so check those out.
Posted in Hacking, Humor, Security, Wireless | 1 Comment »
Wednesday, May 2nd, 2007
Personally, I have an AdBlock entry that blocks Google AdWords and a lot of other advertising sites. I know that by displaying ads, you’re opening yourself up to HTML, JavaScript, and any other nastiness that doesn’t originate from the site you’re trying to visit. I also don’t click on those paid advertising links from a Google search because usually they’re for a commercial product when all I need are simple instructions.
Here are two sites by people who have personally dealt with the maliciousness of Google AdWords.
http://www.dynamoo.com/blog/2007/04/malware-via-adwords.html
http://explabs.blogspot.com/2007/04/google-sponsored-links-not-safe.html
Posted in Exploits, Hacking, Security, Spyware | 1 Comment »
Wednesday, April 18th, 2007
Originally posted on cocoacrusty.com on Monday, April 16th, 2007.
This post is the reason I posted my previous blog entry on installing the Metasploit framework on my Apple MacBook. Chris sent me a link to this movie showing someone exploiting a vulnerability in Microsoft’s Windows. The .ANI Header Stack Overflow vulnerability allows a remote attacker to send a malicious e-mail to an unsuspecting user with an unpatched Windows machine and gain remote shell access.
After Metasploit was installed on my MacBook, I followed the steps in the movie as they were shown and it worked like a champ. The recipient of the e-mail has to be viewing the e-mail in HTML. I was only able to exploit this vulnerability when using the Microsoft Outlook or Microsoft Outlook Express e-mail clients when the client was set up to view messages in HTML. Either way, I gained access to one of my own machines using this exploit and it showed me just how easy it would be for someone with malicious intent to really wreak havoc on a novice or unsuspecting user.
I am impressed at the whole concept behind the Metasploit framework for exploiting known vulnerabilities and delivering payloads with basically the push of a button. The interface and command logic are easy to understand, for this exploit anyway, and I look forward to learning more about the framework, the exploits, and the payloads in the near future.
Until next time…
Posted in Apple, Exploits, Hacking, Microsoft, Open Source, Software, Windows | No Comments »
Wednesday, April 18th, 2007
Originally posted at cocoacrusty.com on Monday, April 16th, 2007.
I have known about the Metasploit framework for quite some time but have never really known how to use it or taken the time to learn. Recently, Chris inspired me to try it by showing me a movie explaining how to exploit a vulnerability in Microsoft Windows related to the .ANI Header Stack Overflow Vulnerability (more on this in my next post).
Before I could begin working with this nifty little exploit in Metasploit I had to get the framework installed on my MacBook. Metasploit is a suite of Ruby scripts and will run on virtually any Unix-based operating system and Windows (with some minor tweaking). I checked MacPorts for Metasploit and it was available as a port install, but the latest version in the ports tree was 2.7. I needed at least version 3.0, and later determined I needed a development version, version 3.1, from the trunk to get the exploit I was after.
The first thing I did was upgrade my Subversion client on Mac OS X. I got the universal binary from here, and installing and upgrading Subversion was pretty painless. It installed like most other Mac applications from a package.
Posted in Apple, Hacking, How To, Mac, Microsoft, Open Source, Security, Software, Windows | 1 Comment »
Monday, April 2nd, 2007
http://www.darknet.org.uk/…tools/
http://www.security-database.com/…FireCAT.html
The Security-Database.com team is happy to announce its new Firefox Framework Map collection of the most useful security-oriented extensions. We called the framework FireCAT. It stands for FireFox Catalog of Auditing Toolbox.
FireCAT is based upon a paper we wrote some weeks earlier (Turning firefox to an ethical hacking platform) that has been downloaded more than 25,000 times. We also thank all the folks who encouraged us and sent their suggestions and ideas to make this project a reality.
This initial release is presented as a mindmap and we are open to all your suggestions to make it a really good framework for the whole community of security auditors and ethical hackers.
This is for those of you that haven’t seen this yet. The blurb from their site basically says it all.
Posted in Hacking, Security, Software | 2 Comments »
Wednesday, March 7th, 2007
I haven’t read all of this yet, but it looks like an awesome article describing the research involved in finding the vulnerabilities and in writing the exploit code.
http://isc.sans.org/diary.html?storyid=2375
Building a remote buffer overflow for the Snort 2.6.1 DCE/RPC flaw
Published: 2007-03-07,
Last Updated: 2007-03-07 13:35:22 UTC
by Arrigo Triulzi (Version: 1)
Every so often I get asked about buffer overflow research in practice and for once there is a lengthy, worked-out example for me to point at.
Trirat Puttaraksa recently blogged in two parts his work in turning the Snort 2.6.1 DCE/RPC flaw into a working exploit. The first part discusses the “easy bit”, that is to say how to turn the vulnerability into a denial-of-service attack whereas the second part discusses how to exploit it to actually execute code.
It is a very thorough write-up, including pretty pictures explaining how he uses the Snort source code to figure out the layout of the packets he is going to send, the setup of the packets to ensure that he triggers the fault and, in part 2, how to inject the payload to execute. The final result is that he runs calc.exe from Snort.
Posted in Exploits, Hacking, How To, Open Source, Security, Windows | No Comments »
Saturday, February 17th, 2007
http://scratchpad.wikia.com/wiki/Reverse_Engineering_Mentoring
Wow, this is very cool!
Didier Stevens has started a mentoring program to teach newbies how to reverse engineer software. The instructions are very well written and very easy to follow.
If you’re interested in RE, then this is a great place to start.
Posted in DIY, Hacking, How To, Security, Software | No Comments »
Tuesday, December 19th, 2006
I remember reading a cool article a long time ago about how it was possible for someone to create a backdoored image and use it to gain access to the internal network of the company he was targeting. The article was called Wardriving Into GIAC Enterprises with JPEG’s and is available here: http://www.giac.org/certified_professionals/practicals/gcih/0651.php
Well, apparently it’s STILL possible to backdoor an image, but this time it’s with JavaScript. I don’t know JavaScript very well but I can only assume that it’s possible to code a quick script to download any imaginable tool and execute it.
http://www.gnucitizen.org/blog/backdooring-images
Surely you’ve heard of how it’s possible, by just visiting a website, to have a JavaScript script sent to your computer which can do any number of things … such as port scanning your internal network, for example. SPIDynamics has written a POC that does just that. You can read about it here: http://www.spidynamics.com/spilabs/education/articles/JS-portscan.html. Now you know how to incorporate that code in a simple image.
If you want to test this out yourself and you don’t have a webserver for uploading images, try downloading XAMPP and setting up a webserver on your local machine. It’s perfect for testing web applications such as this.
Posted in Hacking, How To, Programming, Security, Software | No Comments »
Thursday, November 23rd, 2006
Here’s a quick rundown on what’s new
Cain & Abel v4.1 released
New features:
- Cain’s MitM NTLM Challenge Spoofing. (Requires APR to be active and a MitM condition between victim hosts).
You can now spoof server challenges in NTLM authentications; this feature enables the use of RainbowTables for cracking network hashes.
WARNING !!! Enabling Challenge Spoofing causes users’ authentications to fail, so use it carefully.
- NTLM Session Security authentications downgrade to LM&NTLMv1. The following protocols are supported: SMB, DCE/RPC, TDS, HTTP, POP3, IMAP, SMTP.
- LM + spoofed challenge Hashes Cryptanalysis via Sorted Rainbow Tables.
- HALFLM + spoofed challenge Hashes Cryptanalysis via Sorted Rainbow Tables.
- NTLM + spoofed challenge Hashes Cryptanalysis via Sorted Rainbow Tables.
- New types of RainbowTables have been added to Winrtgen v2.2.
“lmchall” and “ntlmchall” tables can be used against LM and NTLM response hashes for spoofed challenges (0x1122334455667788).
“halflmchall” tables can be used against the first 8 bytes of LM response hashes for spoofed challenges to recover the first 7 characters of the original password.
Looks interesting … I’ll definitely be playing around with some of the new features.
http://www.oxid.it/index.html
Posted in Hacking, Microsoft, Software | 1 Comment »
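As an added detection-side example (not code from Cain’s authors or the oxid.it page): a small Python parser for NTLM CHALLENGE_MESSAGE (Type 2) bytes, following the MS-NLMP field layout, that flags the fixed challenge value quoted in the release notes above and the absence of NTLM2 session security, which is what the LM/NTLMv1 downgrade described there looks like on the wire. The sample messages are constructed inline, and the function names are assumptions for this example.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
CHALLENGE_MESSAGE = 2                            # MS-NLMP MessageType for Type 2
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000  # NTLM2 session security bit
# Fixed server challenge named in the Cain 4.1 release notes above.
SPOOFED_CHALLENGE = bytes.fromhex("1122334455667788")


def parse_challenge_message(msg: bytes) -> dict:
    """Parse the fixed header of an NTLM CHALLENGE_MESSAGE (Type 2)."""
    if len(msg) < 32 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type != CHALLENGE_MESSAGE:
        raise ValueError(f"expected CHALLENGE_MESSAGE (2), got {msg_type}")
    target_len, _, target_off = struct.unpack_from("<HHI", msg, 12)
    flags = struct.unpack_from("<I", msg, 20)[0]
    raw_target = msg[target_off:target_off + target_len]
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    return {
        "flags": flags,
        "challenge": msg[24:32],                 # ServerChallenge sits at offset 24
        "target": raw_target.decode(codec, "replace"),
    }


def audit_challenge_message(msg: bytes) -> list:
    """Return indicator names for a Type 2 message worth alerting on."""
    parsed = parse_challenge_message(msg)
    findings = []
    if parsed["challenge"] == SPOOFED_CHALLENGE:
        findings.append("static-challenge")            # precomputation-friendly
    if not (parsed["flags"] & NEGOTIATE_EXTENDED_SESSIONSECURITY):
        findings.append("no-extended-session-security")  # LM/NTLMv1-style response
    return findings


def build_challenge_message(challenge: bytes, flags: int, target: str = "CORP") -> bytes:
    """Build a minimal Type 2 message; constructed sample data, not a capture."""
    target_bytes = target.encode("utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1")
    header = (NTLMSSP_SIGNATURE
              + struct.pack("<I", CHALLENGE_MESSAGE)
              + struct.pack("<HHI", len(target_bytes), len(target_bytes), 48)
              + struct.pack("<I", flags)
              + challenge                                   # 8-byte ServerChallenge
              + bytes(8)                                    # Reserved
              + struct.pack("<HHI", 0, 0, 48 + len(target_bytes)))  # empty TargetInfo
    return header + target_bytes
```

Running `audit_challenge_message` over Type 2 messages pulled from SMB or HTTP captures gives a cheap way to spot the spoofed-challenge and downgrade conditions the notes describe.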
Sunday, November 12th, 2006
Upon receiving my unlocked Nokia E61 smartphone from MyWorldPhone.com I had a lot of customizing I wanted to do to the phone. However, for some reason, there was some “Planet3” branding on the phone which disallowed some configuration changes, like customizing the soft keys and the active standby applications on the phone’s standby screen. After Jason and I did some research, here is what we came up with.
The Nokia E61, when shipped from MyWorldPhones.com, has firmware installed on it with some “Planet3” branding. Since this firmware is the most recent release from Nokia, I was unable to reflash it with the Nokia firmware because Nokia’s firmware updater recognized my installed version as the latest version and there were no upgrades available. I was unable to format and reinstall the phone to the defaults since the installed firmware had the “Planet3” software built in. I found a way around this by doing some digging, and it all started at e-series.org.
Posted in Communications, DIY, Hacking, How To, Mobile, Software | 207 Comments »