
Tor messenger allow anonymous chat





For users who are concerned about the security of their messages when they chat online via various messaging apps, there is good news in the form of Tor Messenger. Tor Messenger is a product of the Tor Project, which operates the Tor Network. The Tor Project is a non-profit organisation primarily concerned with the safety of online users.

The Tor Network is a secure network that enhances the security and privacy of its users, making it difficult for attackers to snoop on them when they are online. The new messenger, named Tor Messenger by the Tor Project, uses the transmission protocols of Instantbird. The Tor Messenger beta supports the Off-the-Record (OTR) cryptographic protocol, which does not exist in the original Instantbird messenger.

The beta version supports various regular messaging services, including Google Talk, Yahoo Messenger, Twitter, IRC and Facebook Chat. For users it will feel like using their regular apps, while at the back end their messages travel over the secure transmission.

All communication over Tor Messenger is hidden and encrypted and is transmitted through server routes that remain hidden. Currently the messenger is available for Windows, Linux and Mac. The Tor Project has always tried to provide a secure network to its users.


The new beta version of Tor Messenger is a step in this direction. Users no longer have to worry about their privacy being compromised. However, it also means that many messages that governments or intelligence agencies the world over would want to track cannot be tracked either. The service could be misused by terrorist organisations to send secret messages without fear of getting caught.


~ Monday 2 November 2015 0 comments

MEMSCAN A Memory Scanning Tool For A Specific Sequence of Bytes




A memory scanning tool which uses mach_vm* to either dump memory or look for a specific sequence of bytes.
To build MEMSCAN, you will need to have Theos installed. Well, you don't really need it, but it makes life easier.

Once Theos is installed, simply navigate to the MEMSCAN folder in terminal and run:

make package install

Usage

Dumping the memory of a process


  1. Obtain the target process PID, using ps.
  2. Provide the PID to memscan:

./memscan -p <PID> -d

Finding objects in memory

Open your target app or process in a disassembler, grab first ~16 bytes (customise this number as you will) of the method you want to hook and these bytes will be your "signature".

Write the signature to a file, make sure to encode the bytes like so:

echo -n -e '\x55\x48\x89\xE5\xB8\x15\x00\x00\x00\x5D' > needle

Run the scanner against the target process. It will locate the signature in memory and print its address. The signature has to be passed in as bytes, not as a literal string, so use the scanner as shown:

./memscan -p <PID> -s <signature file>

e.g:

./memscan -p 1234 -s ./needle

MEMSCAN should then print the address where the needle is located in memory.
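The needle-in-memory search that memscan performs, as an added example that is not memscan's own code: memscan walks the target's regions with mach_vm* calls, whereas here REGIONS is a constructed list of (base address, contents) pairs so the scan runs offline. The needle bytes are the ones written by the echo command above; the `??` wildcard syntax in parse_signature is an assumption of this example, not a memscan feature. It returns every absolute address where the signature occurs, overlaps included, which is the same check a memory-forensics or rootkit scanner makes.

```python
"""Signature search over a process's readable memory regions (added example,
not memscan's code; REGIONS stands in for what mach_vm_region would return)."""
from typing import List, Optional, Sequence, Tuple

Region = Tuple[int, bytes]  # (base virtual address, region contents)

NEEDLE = bytes.fromhex("554889e5b8150000005d")   # the needle file from the post
VARIANT = bytes.fromhex("554889e5b82a0000005d")  # same prologue, different immediate

REGIONS: List[Region] = [  # constructed: two mappings of a fake process
    (0x100000000, b"\x90" * 16 + NEEDLE + b"\xc3" + b"\x00" * 7 + VARIANT + b"\xc3"),
    (0x7fff00000000, b"\xcc" * 8 + NEEDLE),
]


def parse_signature(sig: str) -> List[Optional[int]]:
    """'55 48 89 E5 ?? 00' -> [0x55, 0x48, 0x89, 0xE5, None, 0x00]; None matches any byte.
    (wildcards are an assumption of this example, memscan takes raw bytes only)"""
    pattern = [None if tok == "??" else int(tok, 16) for tok in sig.split()]
    if not pattern:
        raise ValueError("empty signature")
    return pattern


def load_needle(path: str) -> List[Optional[int]]:
    """Read a raw needle file, as written by `echo -n -e ... > needle`."""
    with open(path, "rb") as fh:
        data = fh.read()
    if not data:
        raise ValueError(f"{path}: empty needle")
    return list(data)


def scan_regions(regions: Sequence[Region], pattern: Sequence[Optional[int]]) -> List[int]:
    """Return every absolute address at which the pattern occurs, overlaps included."""
    hits = []
    n = len(pattern)
    for base, data in regions:
        for off in range(len(data) - n + 1):
            if all(want is None or data[off + i] == want for i, want in enumerate(pattern)):
                hits.append(base + off)
    return hits


if __name__ == "__main__":
    for addr in scan_regions(REGIONS, list(NEEDLE)):
        print(f"needle found at {addr:#x}")
    for addr in scan_regions(REGIONS, parse_signature("55 48 89 E5 B8 ?? 00 00 00 5D")):
        print(f"wildcard signature found at {addr:#x}")
```

A real scanner reads the regions page by page; the matching logic stays the same, and a signature that may straddle a page boundary needs the last len(pattern)-1 bytes of the previous page kept as overlap.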


Download

~ Monday 5 October 2015 0 comments

GitHub Announces To Support Universal 2nd Factor Authentication



A rapidly growing open authentication standard!

When inserted, these physical USB keys automatically generate the second factor, so you no longer have to type a six-digit code from Google Authenticator or similar apps. GitHub announced the support in partnership with Yubico.

Two-factor authentication is a security process in which the user provides two means of identification from separate categories of credentials; one is typically a physical token, such as a card, and the other is typically something memorized, such as a security code.

The FIDO U2F Security Key by Yubico is a specially designed YubiKey, relying on high-security, public-key cryptography. U2F is built to protect against phishing and man-in-the-middle attacks, allowing one U2F authenticator to access any number of services without any shared secrets.

What is U2F — FIDO UNIVERSAL 2ND FACTOR

U2F is an open authentication standard that enables internet users to securely access any number of online services with one single device, instantly and with no drivers or client software needed.

U2F was created by Google and Yubico, with contribution from NXP, and is today hosted by the open-authentication industry consortium FIDO Alliance.
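What the phishing and MITM resistance described above rests on, as an added example that is not GitHub's, Yubico's or the FIDO Alliance's code: the relying party stores only a public key, and the authenticator's signature covers the hash of the application id (assumed here to equal the origin) and a signature counter, so an assertion obtained through a look-alike origin, or replayed, does not verify. ECDSA over secp256k1 is a stand-in for the key's P-256 pair, the message layout is simplified, and the origins, challenges and key handles are constructed; it needs Python 3.8+ for pow(x, -1, m).

```python
"""Origin-bound second factor as in U2F. Added example, not GitHub's, Yubico's or the
FIDO Alliance's code: ECDSA over secp256k1 stands in for the key's P-256 pair, the
message layout is simplified, the app id is taken to equal the origin, and the
origins, challenges and key handles are constructed (Python 3.8+ for pow(x, -1, m))."""
import hashlib, hmac, json, os

# secp256k1 domain parameters (stand-in curve for the demo)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if p1 == p2 else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def _h(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def ecdsa_sign(priv, msg):
    # nonce derived from key and message, so it is never reused across messages
    k = int.from_bytes(hmac.new(priv.to_bytes(32, "big"), msg, "sha256").digest(), "big") % N or 1
    r = _mul(k, G)[0] % N
    return r, pow(k, -1, N) * (_h(msg) + r * priv) % N

def ecdsa_verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = _add(_mul(_h(msg) * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def signed_message(app_id, counter, cdata):
    # what the key signs: app-id hash, user-presence byte, counter, client-data hash
    return (hashlib.sha256(app_id.encode()).digest() + b"\x01"
            + counter.to_bytes(4, "big") + hashlib.sha256(cdata).digest())

def client_data(origin, challenge):
    # built by the browser, which fills in the origin the page is really on
    return json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True).encode()

class Authenticator:  # the USB key: a private key per registration, one signature counter
    def __init__(self):
        self.keys, self.counter = {}, 0
    def register(self, app_id):
        priv = int.from_bytes(os.urandom(32), "big") % N or 1
        handle = os.urandom(8).hex()  # opaque handle the server stores
        self.keys[handle] = (priv, app_id)
        return handle, _mul(priv, G)  # only the public key leaves the device
    def authenticate(self, handle, app_id, cdata):
        priv, registered = self.keys[handle]
        if app_id != registered:  # a handle only works for the app id it was made for
            raise ValueError("key handle not registered for this app id")
        self.counter += 1
        return self.counter, ecdsa_sign(priv, signed_message(app_id, self.counter, cdata))

class RelyingParty:  # the web service: public keys and last-seen counters, no secrets
    def __init__(self, origin):
        self.origin, self.regs = origin, {}
    def check(self, handle, challenge, cdata, counter, sig):
        pub, last = self.regs[handle]
        d = json.loads(cdata)
        ok = (d["origin"] == self.origin and d["challenge"] == challenge  # right site, right session
              and counter > last  # not a replay, and no clone has signed since
              and ecdsa_verify(pub, signed_message(self.origin, counter, cdata), sig))
        if ok:
            self.regs[handle] = (pub, counter)
        return ok

def demo():
    real, phish = "https://github.com", "https://github-login.example"  # constructed origins
    key, rp = Authenticator(), RelyingParty(real)
    handle, pub = key.register(real)
    rp.regs[handle] = (pub, 0)
    ch1, ch2 = "c0ffee01", "c0ffee02"  # constructed; a server draws a random one per login
    ctr, sig = key.authenticate(handle, real, client_data(real, ch1))
    genuine = rp.check(handle, ch1, client_data(real, ch1), ctr, sig)
    replay = rp.check(handle, ch1, client_data(real, ch1), ctr, sig)
    # a look-alike site relays the real challenge: the signed client data names the
    # wrong origin, and rewriting it afterwards invalidates the signature over its hash
    ctr2, sig2 = key.authenticate(handle, real, client_data(phish, ch2))
    phished = rp.check(handle, ch2, client_data(phish, ch2), ctr2, sig2)
    forged = rp.check(handle, ch2, client_data(real, ch2), ctr2, sig2)
    return genuine, replay, phished, forged
```

In a real browser the app id handed to the key is derived from the page origin, so the look-alike site would already be stopped by the ValueError branch in authenticate; the demo passes the real app id deliberately to show that the server-side origin check and the hash-covered client data catch it anyway.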



U2F is used with USB devices, including YubiKeys, as one of many authentication methods

In order to take advantage of the security impro­vements provided by U2F, you'll need to purchase a hardware key. You can purchase the U2F key of your choice from a range of vendors. GitHub is partnering with Yubico, inventor of the YubiKey, co-creator of the U2F protocol, and a leading provider of U2F authenticators.

Together with Yubico we are offering discounts to GitHub users for a limited time through a special offer page where you will verify your GitHub account and place your order:

  • While supplies last, GitHub users can purchase special edition U2F Security Keys for $5 plus shipping and handling (regular price $18; 5,000 special edition keys available).
  • After the special keys are gone, all GitHub users are eligible for a 20% discount on U2F-certified YubiKeys, for a limited time.
  • In addition, all students who are eligible for the Student Developer Pack will receive a 20% discount on any U2F-certified YubiKey.

~ Friday 2 October 2015 0 comments

Whonix - Privacy And Anonymity Operating System




Whonix is an operating system focused on anonymity, privacy and security. It’s based on the Tor anonymity network, Debian GNU/Linux and security by isolation. DNS leaks are impossible, and not even malware with root privileges can find out the user’s real IP.

Whonix consists of two parts: One solely runs Tor and acts as a gateway, which we call Whonix-Gateway. The other, which we call Whonix-Workstation, is on a completely isolated network. Only connections through Tor are possible.

Interested? Look Below! ;-)

Whonix for Qubes
https://www.whonix.org/wiki/Qubes


Whonix for KVM
https://www.whonix.org/wiki/KVM


Whonix for VirtualBox
https://www.whonix.org/wiki/VirtualBox


If you want to upgrade an existing Whonix installation using Whonix's APT repository, special instructions are required:

https://www.whonix.org/wiki/Upgrading_Whonix_10_to_Whonix_11




Download


About the Author:
Christian Galeone is an IT security specialist from Italy. He has been acknowledged by the top 5 companies, including Yahoo!, Microsoft, AT&T and Sony. He is currently working with HOC as an author of cyber security and VA research articles.

~ Thursday 1 October 2015 0 comments

How To Test Security in IPv4 and IPv6 Data Networks?



Evil Foca is a tool for security pentesters and auditors whose purpose it is to test security in IPv4 and IPv6 data networks. 

The IPv4 address space is 32 bits, which gives about 4 billion addresses; IPv6 offers a far larger address space. Its addresses are 128 bits long, resulting in an address space of 340 undecillion addresses.


In addition, IPv6 provides other technical benefits, particularly, it permits hierarchical address allocation methods that facilitate route aggregation across the Internet, and thus limit the expansion of routing tables. The use of multicast addressing is expanded and simplified, and provides additional optimization for the delivery of services. Device mobility, security, and configuration aspects have been considered in the design of the protocol.

The tool is capable of carrying out various attacks such as:


  • MITM over IPv4 networks with ARP Spoofing and DHCP ACK Injection.
  • MITM on IPv6 networks with Neighbor Advertisement Spoofing, SLAAC attack, fake DHCPv6.
  • DoS (Denial of Service) on IPv4 networks with ARP Spoofing.
  • DoS (Denial of Service) on IPv6 networks with SLAAC DoS.
  • DNS Hijacking.


The software automatically scans the networks and identifies all devices and their respective network interfaces, specifying their IPv4 and IPv6 addresses as well as the physical addresses through a convenient and intuitive interface.

Man In The Middle (MITM) attack

The well-known “Man In The Middle” is an attack in which the wrongdoer creates the possibility of reading, adding, or modifying information that is located in a channel between two terminals with neither of these noticing. Within the MITM attacks in IPv4 and IPv6 Evil Foca considers the following techniques:

ARP Spoofing: Consists of sending ARP messages onto the Ethernet network. Normally the objective is to associate the attacker's MAC address with the IP of another device. Any traffic directed to the IP address of the default gateway will be erroneously sent to the attacker instead of its real destination.

DHCP ACK Injection: Consists of an attacker monitoring the DHCP exchanges and, at some point during the communication, sending a packet to modify its behaviour. Evil Foca turns the machine into a fake DHCP server on the network.

Neighbor Advertisement Spoofing: The principle of this attack is identical to that of ARP Spoofing, the difference being that IPv6 does not use ARP; all the information is sent in ICMPv6 packets. There are five types of ICMPv6 packets used in the Neighbor Discovery protocol, and Evil Foca generates these packets, placing itself between the gateway and the victim.

SLAAC attack: The objective of this attack is to carry out an MITM when a user connects to the Internet and to a server that does not support IPv6, to which it is therefore necessary to connect using IPv4. The attack is possible because Evil Foca performs domain name resolution once it is in the communication path and can map IPv4 addresses into IPv6 ones.

Fake DHCPv6 server: This attack involves the attacker posing as the DHCPv6 server, responding to all network requests and distributing IPv6 addresses and a false DNS server to manipulate the user's destination or deny the service.

Denial of Service (DoS) attack: A DoS attack is an attack on a system of machines or a network that results in a service or resource being inaccessible to its users. Normally it causes loss of network connectivity by consuming the bandwidth of the victim's network, or overloads the computing resources of the victim's system.

DoS attack in IPv4 with ARP Spoofing: This type of DoS attack consists of associating a nonexistent MAC address with an entry in a victim's ARP table. The machine whose ARP table has been modified is then unable to reach the IP address associated with the nonexistent MAC.

DoS attack in IPv6 with SLAAC attack: In this type of attack a large number of Router Advertisement packets are generated, destined for one or several machines, announcing false routers and assigning a different IPv6 address and gateway for each router, overwhelming the system and making machines unresponsive.

DNS Hijacking: The DNS Hijacking attack, or DNS kidnapping, consists of altering domain name system (DNS) resolution. This can be achieved with malware that overrides the TCP/IP configuration of a machine so that it points to a rogue DNS server under the attacker's control, or by way of an MITM attack, in which the attacker receives the DNS requests and answers a specific request so as to direct the victim toward a destination of the attacker's choosing.
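The monitoring side of the two layer-2 techniques above (ARP spoofing and the SLAAC router-advertisement flood), as an added example that is not Evil Foca's code: ARP_REPLIES and RAS are constructed captures already parsed into dicts, and the window and threshold values are assumptions to be tuned per network. The ARP check keeps the first IP-to-MAC binding it sees (the arpwatch convention), flags later changes, and flags a MAC that claims several IPs, which is what a gateway-and-victim MITM looks like on the wire; the RA check counts advertisements per source in a sliding window and the number of distinct prefixes each source has announced.

```python
"""ARP-spoof and RA-flood detection over parsed captures (added example, not
Evil Foca's code; packets and thresholds are constructed assumptions)."""
from collections import defaultdict, deque

ARP_REPLIES = [  # constructed: gateway and a host answer, then one MAC claims both IPs
    {"t": 0.0, "sender_ip": "192.168.1.1", "sender_mac": "aa:bb:cc:00:00:01"},
    {"t": 1.0, "sender_ip": "192.168.1.10", "sender_mac": "aa:bb:cc:00:00:10"},
    {"t": 2.0, "sender_ip": "192.168.1.1", "sender_mac": "de:ad:be:ef:00:66"},
    {"t": 2.1, "sender_ip": "192.168.1.10", "sender_mac": "de:ad:be:ef:00:66"},
]

RAS = [  # constructed: a real router advertising every few seconds ...
    {"t": 0.0, "src_mac": "aa:bb:cc:00:00:01", "prefix": "2001:db8:1::/64"},
    {"t": 5.0, "src_mac": "aa:bb:cc:00:00:01", "prefix": "2001:db8:1::/64"},
] + [  # ... and 40 RAs with 40 different prefixes in under a second
    {"t": 3.0 + i * 0.02, "src_mac": "de:ad:be:ef:00:66", "prefix": f"2001:db8:{0x100 + i:x}::/64"}
    for i in range(40)
]


def detect_arp_spoof(replies, trusted=None):
    """Alerts when an IP's MAC changes (first binding wins) and when one MAC claims
    several IPs. trusted: optional {ip: mac} table seeded with the known gateway."""
    bindings = dict(trusted or {})
    claimed = defaultdict(set)
    alerts = []
    for pkt in replies:
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        claimed[mac].add(ip)
        if ip in bindings and bindings[ip] != mac:
            alerts.append(("ip-moved", ip, bindings[ip], mac, pkt["t"]))
        bindings.setdefault(ip, mac)
    for mac, ips in claimed.items():
        if len(ips) > 1:
            alerts.append(("mac-claims-many", mac, tuple(sorted(ips))))
    return alerts


def detect_ra_flood(ras, window=1.0, max_per_window=10):
    """Peak RAs per sliding window and distinct prefixes per source; returns only the
    sources above the threshold. A legitimate router sends a handful per minute."""
    recent = defaultdict(deque)
    peak, prefixes = defaultdict(int), defaultdict(set)
    for pkt in sorted(ras, key=lambda p: p["t"]):
        src = pkt["src_mac"]
        q = recent[src]
        q.append(pkt["t"])
        while pkt["t"] - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
        prefixes[src].add(pkt["prefix"])
    return {src: (peak[src], len(prefixes[src])) for src in peak if peak[src] > max_per_window}


if __name__ == "__main__":
    for alert in detect_arp_spoof(ARP_REPLIES):
        print("ARP:", alert)
    for src, (rate, n_prefixes) in detect_ra_flood(RAS).items():
        print(f"RA flood from {src}: {rate} RAs/s, {n_prefixes} prefixes")
```

Feeding real traffic in is a matter of mapping a capture (for example from a span port) into the same dicts: ARP replies need the sender fields, ICMPv6 type 134 packets need the source MAC and the prefix from the Prefix Information option.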

Download

~ Tuesday 29 September 2015 0 comments

NowSecure Developed Android Vulnerability Test Suite For Recent Devices



Android Vulnerability Test Suite - In the spirit of open data collection, and with the help of the community, let's take a pulse on the state of Android security. NowSecure presents an on-device app to test for recent device vulnerabilities.

This tool was meant to show the end user the attack surface that a given device is susceptible to. In implementing these checks we attempt to minimize or eliminate both false positives/false negatives without negatively affecting system stability.

Rationale for necessity

When a vulnerability is discovered, Google receives word and applies a patch to Android. The Nexus devices are usually the devices that receive these patches quickest as they deviate the least (read: not at all) from AOSP (Android Open Source Project - The core of Android, where Google commits to). The lag time between learning about a bug and the time when a patch is applied to a device can still be significant (for OEMs, it can be > 1 year or never). For example, the futex bug (CVE-2014-3153/Towelroot) was known about in late May, early June. This bug took multiple months to get patched on the flagship (at the time) Nexus 5. This leaves users extremely vulnerable to attack from applications. Users mostly do not know that their devices are vulnerable and this tool is meant to give visibility into the vulnerabilities a given device is susceptible to.

Lifecycle of a patch

Samsung, HTC, and every other OEM keep heavily customized versions of Android. The patch deployment infrastructure from OEMs -> carriers -> users is in disarray. The OEMs receive the patches from Google and spend weeks or months applying them to some devices and testing. They then ship the device updates to the carrier, who is responsible for pushing them to the end user after another QA cycle on the carrier's side.

Implementation

Vulnerabilities in a device can exist at many layers inside of Android. For example, a bug can exist in the kernel (Towelroot, for example) or it can exist in the Android specific framework (Android Masterkeys/FakeID). Some of the kernel bugs can sometimes be difficult to check for without potentially causing system instability. This implementation takes care to not include checks that could cause instability problems for the end user and therefore may omit checks that could cause these types of issues. The framework is very thin at the current time and consists of a vector of vulnerability checks. Their concrete implementations vary wildly depending on the bug.

Download

~ Sunday 20 September 2015 0 comments

PATDroid Collection of Tools And Data Structures For Analyzing Android Applications



PATDroid is a collection of tools and data structures for analyzing Android applications and the system itself. We intend to build it as a common base for developing novel mobile software debugging, refactoring, reliability/security tools. 

We also collect various resources, links, related papers and tips for various innovative Android program analysis tasks.

Packages

Here is a one-sentence description for each package. Find the detailed usage tutorials on our wiki by clicking on the package name. PATDroid requires Java 6. It works well with Oracle/OpenJDK 1.6, 1.7 and Dalvik (yes, you can run it on a smartphone). We provide Gradle, IntelliJ IDEA and Eclipse support for the project.
  • patdroid.core: provide abstractions for method, class, field, and primitive Java type values
  • patdroid.permission: specify what Android permissions are needed by every Android APIs
  • patdroid.fs: an emulated Android file system
  • patdroid.dalvik: Android Dalvik JVM instructions and representations
  • patdroid.smali: using SMALI to extract classes, methods, fields and instructions from an APK

According to our blueprint, we plan to release the following components one by one in the near future:
  • patdroid.dex2jar: using dex2jar to extract classes, methods, fields and instructions from an APK
  • patdroid.manifest: the model for AndroidManifest.xml and Android components such as activity, service, broadcast receivers
  • patdroid.sdk: modeling different Android API levels
  • patdroid.taint: sources, sinks and taint propagation support for taint analysis
  • patdroid.lifecycle: modelling the life cycles for important Android components
  • patdroid.layout: understanding layout.xml
  • patdroid.soot: my tribute to Sable's Soot. I learned a lot from attending Sable's seminars held at McGill McConnell 2nd floor

Using PATDroid

PATDroid uses Apache License 2.0. Additionally, if you intend to use it in academic work, please cite our paper:

@inproceedings{appaudit,
 author = {Mingyuan Xia and Lu Gong and Yuanhao Lyu and Zhengwei Qi and Xue Liu},
 title = {Effective Real-time Android Application Auditing},
 booktitle = {Proceedings of the 2015 IEEE Symposium on Security and Privacy},
 series = {SP '15},
 year = {2015},
 publisher = {IEEE Computer Society},
}

History and Philosophy

PATDroid was part of AppAudit, which is a security tool that checks if an Android app leaks personal data. You can find out more details from our S&P'15 paper. We make part of AppAudit public to be useful to researchers and developers. Overall, we try to make the entire project

  1. concise (with as few abstractions as possible, so that users won't feel like they are searching for a needle in the ocean)
  2. properly documented (javadoc, and wiki tutorial)
  3. loosely coupled (packages trying to be self-contained)
  4. efficient (graduate students need life with bf/gf not with computers)
  5. look like good code

Download

~ Friday 11 September 2015 0 comments

UK Govt National Crime Agency Website Got DDOS Attack By Hackers Group Lizard Squad



The NCA website was down for 2 hours after the DDoS attack by the hacker group. According to reports, the attack was revenge for the latest arrests.

An NCA spokesman said in the statement to media:

“The NCA website is an attractive target. Attacks on it are a fact of life.

“DDoS is a blunt form of attack which takes volume and not skill. It isn’t a security breach, and it doesn’t affect our operational capability.

“At worst it is a temporary inconvenience to users of our website. We have a duty to balance the value of keeping our website accessible with the cost of doing so, especially in the face of a threat which can scale up endlessly.

“The measures we have in place at present mean that our site is generally up and running again within 30 minutes, though occasionally it can take longer. We think that’s proportionate.”

Lizard Squad tweeted,


What is DDOS attack?
DDoS is a type of DoS attack in which multiple compromised systems, often infected with a Trojan, are used to target a single system, causing a denial of service.
The DDoS attack uses multiple computers and Internet connections to flood the targeted resource.
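The property the definition above singles out, many sources flooding one target, is what separates a distributed flood from a single busy client in a web server's own logs. The following is an added example, not the NCA's or the article's code: it builds a constructed access log in Apache combined-log style (one client browsing for a minute, then 300 requests from 60 addresses in ten seconds), parses it, and flags the time windows that are both busy and spread across many sources; the window length and thresholds are assumptions.

```python
"""Distributed-flood detection over an access log (added example; log lines
and thresholds are constructed, not taken from the NCA incident)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined-log prefix: ip ident user [timestamp] "request" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')


def _fmt(ip, t, request, status, size=512):
    return f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S")} +0000] "{request}" {status} {size}'


def make_sample_log():
    """Constructed: one client for a minute, then 300 requests from 60 addresses in 10 s."""
    base = datetime(2015, 9, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = [_fmt("203.0.113.5", base + timedelta(seconds=10 * i), "GET / HTTP/1.1", 200)
             for i in range(6)]
    burst = base + timedelta(seconds=60)
    lines += [_fmt(f"198.51.100.{i % 60 + 1}", burst + timedelta(seconds=i // 30),
                   "GET /search?q=x HTTP/1.1", 503) for i in range(300)]
    return lines


def parse(line):
    """(ip, timestamp, request, status), or None for a line that does not match."""
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, request, status, _ = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), request, int(status)


def detect_flood(lines, window=10, max_requests=100, min_sources=20):
    """Bucket requests into fixed windows and flag the windows that are both busy and
    spread over many sources. Returns [(window start ISO, requests, distinct sources)]."""
    counts, sources = defaultdict(int), defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # malformed line: skip rather than crash on a log full of junk
        ip, ts, _, _ = rec
        bucket = int(ts.timestamp()) // window * window
        counts[bucket] += 1
        sources[bucket].add(ip)
    return [(datetime.fromtimestamp(b, timezone.utc).isoformat(), counts[b], len(sources[b]))
            for b in sorted(counts) if counts[b] > max_requests and len(sources[b]) >= min_sources]


if __name__ == "__main__":
    for start, n, srcs in detect_flood(make_sample_log()):
        print(f"{start}: {n} requests from {srcs} sources")
```

A single client retrying in a loop trips the request threshold but not the source threshold, which keeps a misbehaving crawler from being reported as a DDoS; in practice the sources counter should also discount addresses behind a shared NAT or CDN.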

The Hacker News reported last week that,

Six British teenagers have been arrested and released on bail on suspicion of launching cyber attacks on websites and services with the help of the Lizard Squad DDoS attack tool, called Lizard Stresser.

Law enforcement didn't name the teenagers, but their ages and the cities they belong to are given below:
  • An 18-year-old from Huddersfield, West Yorkshire
  • An 18-year-old from Manchester
  • A 16-year-old from Northampton
  • A 15-year-old from Stockport
  • A 17-year-old from Cardiff
  • A 17-year-old from Northolt, north-west London

All the six suspects have been bailed while two 18-year-olds from Manchester and Milton Keynes respectively were interviewed under caution.

~ Wednesday 2 September 2015 0 comments

SubBrute - The Ultime Subdomain Bruteforcer



Are you in the middle of a security pentest and need to find all the subdomains of a website? This updated tool may give a good boost to your security test!


What is it?
SubBrute is a community driven project with the goal of creating the fastest, and most accurate subdomain enumeration tool.



Options:

SubBrute is now a DNS spider that recursively crawls enumerated DNS records.

This feature boosted *.google.com from 123 to 162 subdomains. (Always enabled)

--type enumerate an arbitrary record type (AAAA, CNAME, SOA, TXT, MX...)

-s can now read subdomains from result files.


How to run it?

./subbrute.py google.com -o google.names
    ...162 subdomains found...

./subbrute.py -s google.names google.com --type TXT
    google.com,"v=spf1 include:_spf.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"
    adwords.google.com,"v=spf1 redirect=google.com"
    ...

./subbrute.py -s google.names google.com --type CNAME
    blog.google.com,www.blogger.com,blogger.l.google.com
    groups.google.com,groups.l.google.com
    ...

...or from Windows:

Open the CMD, navigate to your subbrute folder, open the windows directory and paste the following command:

subbrute.exe google.com

Enjoy! ;-)
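Why the record spidering described under "Options" finds names a plain wordlist pass misses, as an added example that is not SubBrute's code: ZONE is a constructed set of answers for the reserved name example.com, so the run is offline and deterministic, and `resolve` is a stand-in you would swap for a real resolver when inventorying the attack surface of your own domains. brute_force is the classic wordlist pass; spider follows every in-domain host name found in CNAME, MX, NS, TXT (SPF includes) and SRV data of names already known, so names that are only referenced, never guessed, still surface; dump_records gives the `-s names --type TXT` style output.

```python
"""Wordlist enumeration plus record spidering (added example, not SubBrute's code;
ZONE and the IPs are constructed for the reserved domain example.com)."""
import re

ZONE = {  # constructed answers: (owner name, type) -> record data
    ("example.com", "A"): ["192.0.2.10"],
    ("www.example.com", "A"): ["192.0.2.10"],
    ("mail.example.com", "A"): ["192.0.2.20"],
    ("blog.example.com", "CNAME"): ["ghs.l.example.com"],
    ("ghs.l.example.com", "A"): ["192.0.2.30"],
    ("dev.example.com", "A"): ["192.0.2.40"],  # referenced nowhere: stays hidden
    ("example.com", "MX"): ["10 aspmx.l.example.com"],
    ("aspmx.l.example.com", "A"): ["192.0.2.25"],
    ("example.com", "NS"): ["ns1.example.com", "ns2.example.com"],
    ("ns1.example.com", "A"): ["192.0.2.53"],
    ("ns2.example.com", "A"): ["192.0.2.54"],
    ("example.com", "TXT"): ["v=spf1 include:_spf.example.com ~all"],
    ("_spf.example.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 ~all"],
}


def resolve(name, rtype):
    """Stand-in for a DNS query: record data, or [] for NXDOMAIN/NODATA."""
    name = name.lower().rstrip(".")
    if rtype in ("A", "AAAA") and (name, "CNAME") in ZONE:  # follow the alias like a resolver
        return [r for target in ZONE[(name, "CNAME")] for r in resolve(target, rtype)]
    return ZONE.get((name, rtype), [])


def brute_force(domain, wordlist, resolver=resolve):
    """The classic pass: try each word as a label, keep the names that resolve."""
    return {f"{w}.{domain}" for w in wordlist
            if resolver(f"{w}.{domain}", "A") or resolver(f"{w}.{domain}", "AAAA")}


def spider(domain, seeds, resolver=resolve, types=("CNAME", "MX", "NS", "TXT", "SRV")):
    """Follow every in-domain host name found in the record data of known names
    (CNAME/MX/NS targets, SPF includes, ...) until nothing new turns up."""
    host = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*\." + re.escape(domain) + r"(?![A-Za-z0-9-])")
    known = set(seeds) | {domain}
    queue = list(known)
    while queue:
        name = queue.pop()
        for rtype in types:
            for rdata in resolver(name, rtype):
                for hit in host.findall(rdata):
                    hit = hit.lower()
                    if hit not in known:
                        known.add(hit)
                        queue.append(hit)
    known.discard(domain)
    return known


def enumerate_subdomains(domain, wordlist, resolver=resolve):
    """Wordlist pass first, then spider from its results and from the apex."""
    return spider(domain, brute_force(domain, wordlist, resolver), resolver)


def dump_records(names, rtype, resolver=resolve):
    """`-s names --type TXT` style output: (name, rdata) for names holding that record."""
    return sorted((n, r) for n in names for r in resolver(n, rtype))


if __name__ == "__main__":
    words = ["www", "mail", "blog", "ftp", "vpn"]  # constructed mini wordlist
    print(len(brute_force("example.com", words)), "from the wordlist")
    found = enumerate_subdomains("example.com", words)
    print(len(found), "after spidering:", sorted(found))
```

With the five-word list the wordlist pass yields three names and spidering lifts that to eight; dev.example.com is never found because nothing references it, which is exactly the kind of forgotten host a defender wants in their own inventory before a tester finds it.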

Download



~ Tuesday 1 September 2015 0 comments

Toxy: Hackable HTTP Proxy To Simulate Server Failure Scenarios And Unexpected Network Conditions



toxy is a fully programmatic and hackable HTTP proxy to simulate server failure scenarios and unexpected network conditions, built for node.js/io.js.

It was mainly designed for fuzzing/evil testing purposes, when toxy becomes particularly useful to cover fault tolerance and resiliency capabilities of a system, especially in service-oriented architectures, where toxy may act as intermediate proxy among services.

toxy allows you to plug in poisons, optionally filtered by rules, which essentially can intercept and alter the HTTP flow as you need, performing multiple evil actions in the middle of that process, such as limiting the bandwidth, delaying TCP packets, injecting network jitter latency or replying with a custom error or status code.

toxy can be fluently used programmatically or via HTTP API. It's compatible with connect/express, and it was built on top of rocky, a full-featured middleware-oriented HTTP proxy.

Requires node.js +0.12 or io.js +1.6


Why toxy?

There are some other solutions similar to toxy on the market, but most of them do not provide proper programmatic control and are usually not easy to hack, configure and/or extend. Additionally, most of those solutions only operate at the TCP level instead of providing a high-level abstraction to cover the common requirements of the specific domain and nature of the HTTP protocol, as toxy does.

toxy provides a powerful hackable and extensible solution with a convenient abstraction, but also a low-level interface and programmatic capabilities exposed as a simple, concise and fluent API, with the implicit power, simplicity and fun of node.js.

Concepts

toxy introduces two core directives that you can plug into the proxy and which you should know about before using it: poisons and rules.

Poisons are the specific logic to infect an incoming or outgoing HTTP flow (e.g: injecting a latency, replying with an error). HTTP flow can be poisoned by one or multiple poisons, and poisons can be plugged to infect both global or route level incoming traffic.

Rules are a kind of validation filter that can be reused and applied to global incoming HTTP traffic, route-level traffic or a specific poison. Their responsibility is to determine, by inspecting each incoming HTTP request, whether the registered poisons should be enabled or not, and therefore whether to infect the HTTP traffic (e.g. match headers, query params, method, body...).

How it works

↓   ( Incoming request )  ↓
↓           |||           ↓
↓     ----------------    ↓
↓     |  Toxy Router |    ↓ --> Match the incoming request
↓     ----------------    ↓
↓           |||           ↓
↓     ----------------    ↓
↓     |  Exec Rules  |    ↓ --> Apply configured rules for the request
↓     ----------------    ↓
↓           |||           ↓
↓     ----------------    ↓
↓     | Exec Poisons |    ↓ --> If all rules passed, then poison the HTTP flow
↓     ----------------    ↓
↓        /       \        ↓
↓        \       /        ↓
↓   -------------------   ↓
↓   | HTTP dispatcher |   ↓ --> Proxy the HTTP traffic, either poisoned or not
↓   -------------------   ↓
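The router, rules, poisons and dispatcher stages of the diagram above, as an added example that is not toxy's code: toxy is a node.js proxy, and this is a Python model of the same control flow with no network I/O. The request type, the upstream handler and the three poisons (latency, bandwidth, abort) are constructed, and delays are recorded on the response rather than slept, so the behaviour can be checked deterministically. The point it makes is the gating: global rules decide whether any poison runs, and each poison can carry its own rules, so a chaos header switches the poisons on for a test client while other traffic passes through untouched.

```python
"""Router -> rules -> poisons -> dispatcher pipeline (added example, not toxy's
code; a Python model of toxy's control flow with constructed requests)."""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]


@dataclass
class Response:
    status: int
    body: bytes
    delay_ms: int = 0      # recorded instead of slept, so the flow is testable
    poisoned: bool = False


@dataclass
class Context:             # what poisons accumulate before the request is dispatched
    delay_ms: int = 0
    error: Optional[int] = None
    bytes_per_sec: Optional[int] = None


Rule = Callable[[Request], bool]
Poison = Callable[[Request, Context], Context]


# rules: predicates over the incoming request
def header(name, value): return lambda r: r.headers.get(name.lower()) == value
def method(*names): return lambda r: r.method in names


# poisons: each returns an updated context
def latency(ms): return lambda r, c: replace(c, delay_ms=c.delay_ms + ms)
def abort_with(status): return lambda r, c: replace(c, error=status)
def bandwidth(bytes_per_sec): return lambda r, c: replace(c, bytes_per_sec=bytes_per_sec)


class Proxy:
    def __init__(self, upstream: Callable[[Request], Response]):
        self.upstream = upstream
        self.rules: List[Rule] = []                          # global rules
        self.poisons: List[Tuple[Poison, List[Rule]]] = []   # global poisons
        self.routes: List[Tuple[str, List[Rule], List[Tuple[Poison, List[Rule]]]]] = []

    def rule(self, r):
        self.rules.append(r)
        return self

    def poison(self, p, rules=()):
        self.poisons.append((p, list(rules)))
        return self

    def route(self, prefix, rules=(), poisons=()):
        self.routes.append((prefix, list(rules), list(poisons)))
        return self

    def forward(self, req: Request) -> Response:
        route = next((r for r in self.routes if req.path.startswith(r[0])), None)  # 1. router
        gate = self.rules + (route[1] if route else [])                            # 2. rules
        ctx = Context()
        if all(rule(req) for rule in gate):                                         # 3. poisons
            for poison, prules in self.poisons + (route[2] if route else []):
                if all(pr(req) for pr in prules):
                    ctx = poison(req, ctx)
        poisoned = ctx != Context()
        if ctx.error is not None:                                                   # 4. dispatcher
            return Response(ctx.error, b"", ctx.delay_ms, True)
        res = self.upstream(req)
        delay = ctx.delay_ms
        if ctx.bytes_per_sec:
            delay += len(res.body) * 1000 // ctx.bytes_per_sec
        return Response(res.status, res.body, delay, poisoned)


def build_demo_proxy():
    """Poisons fire only for requests carrying x-chaos: on; other traffic is untouched."""
    upstream = lambda req: Response(200, b"ok" * 100)  # constructed backend, 200-byte body
    return (Proxy(upstream)
            .rule(header("x-chaos", "on"))
            .poison(latency(500))
            .route("/api", poisons=[(abort_with(503), [method("POST")])])
            .route("/static", poisons=[(bandwidth(1000), [])]))


def scenarios():
    p, on = build_demo_proxy(), {"x-chaos": "on"}
    return [
        p.forward(Request("GET", "/api/users", {})),       # no header: passes through clean
        p.forward(Request("GET", "/api/users", on)),       # global latency only
        p.forward(Request("POST", "/api/users", on)),      # latency, then 503 from the route poison
        p.forward(Request("GET", "/static/app.js", on)),   # latency + 200 bytes at 1000 B/s
    ]
```

Keying the poisons off a header, as build_demo_proxy does, is what lets a fault-injection proxy sit in a shared staging environment without degrading everyone else's traffic; the same gate can be a query parameter or a source address.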


Installation

npm install toxy


Download

~ Friday 28 August 2015 0 comments

SONAR: A Framework For Identifying And Launching Exploits Against Internal Network Hosts



Works via WebRTC IP scanning combined with external resource fingerprinting.

How does it work?

Upon loading the sonar payload in a modern web browser the following will happen:
  • sonar will use WebRTC to scan the internal network for live hosts.
  • If a live host is found, sonar attempts to fingerprint it by linking to resources on it (images, stylesheets, scripts) and hooking the onload event. If the expected resources load successfully, the pre-set JavaScript callback is triggered to start the user-supplied exploit.
  • If the user changes networks, sonar starts the process all over again on the newly joined network.

Fingerprints

Sonar works off of a database of fingerprints. A fingerprint is simply a list of known resources on a device that can be linked to and detected via onload. Examples of this include images, CSS stylesheets, and even external JavaScript.

An example fingerprint database can be seen below:

var fingerprints = [
    {
        'name': "ASUS RT-N66U",
        'fingerprints': ["/images/New_ui/asustitle.png","/images/loading.gif","/images/alertImg.png","/images/New_ui/networkmap/line_one.png","/images/New_ui/networkmap/lock.png","/images/New_ui/networkmap/line_two.png","/index_style.css","/form_style.css","/NM_style.css","/other.css"],
        'callback': function( ip ) {
            // Insert exploit here
        },
    },
    {
        'name': "Linksys WRT54G",
        'fingerprints': ["/UILinksys.gif","/UI_10.gif","/UI_07.gif","/UI_06.gif","/UI_03.gif","/UI_02.gif","/UI_Cisco.gif","/style.css"],
        'callback': function( ip ) {
            // Insert exploit here
        },
    },
]

The above database contains fingerprints for two devices, the ASUS RT-N66U WiFi router and the Linksys WRT54G WiFi router.

Each database entry has the following:

  • name: A field to identify what device the fingerprint is for. This could be something like HP Officejet 4500 printer or Linksys WRT54G Router.
  • fingerprints: This is an array of relative links to resources such as CSS stylesheets, images, or even JavaScript files. If you expect these resources to be on a non-standard port such as 8080, set the resource with the port included: :8080/unique.css. Keep in mind using external resources with active content such as JavaScript is dangerous as it can interrupt the regular flow of execution.
  • callback: If all of these resources are found to exist on the enumerated host then the callback function is called with a single argument of the device's IP address.

By creating your own fingerprints you can build custom exploits that will be launched against internal devices once they are detected by sonar. Common exploits include Cross-site Request Forgery (CSRF), Cross-site Scripting (XSS), etc., the idea being that you can use these vulnerabilities to do things such as modifying router DNS configurations, dumping files from an internal file server, and more.

For an easier way to create fingerprints, see the following Chrome extension which generates fingerprint template code automatically for the page you're on:

Click Here to Install Chrome Extension



What can be done using sonar?

By using sonar a pentesting team can build web exploits against things such as internal logging servers, routers, printers, VOIP phones, and more. Because internal networks are often less guarded, attacks such as CSRF and XSS can be powerful enough to take over the configuration of devices on a host's internal network.

Download

~ Monday 24 August 2015 0 comments

BinNavi A Binary Analysis IDE To Control Disassembled Code



BinNavi is a binary analysis IDE that allows to inspect, navigate, edit and annotate control flow graphs and call graphs of disassembled code.

BinNavi is a binary analysis IDE - an environment that allows users to inspect, navigate, edit, and annotate control-flow-graphs of disassembled code, do the same for the callgraph of the executable, collect and combine execution traces, and generally keep track of analysis results among a group of analysts.

Complications from a third-party dependency
BinNavi uses a commercial third-party graph visualisation library (yFiles) for displaying and laying out graphs. This library is immensely powerful, and not easily replaceable.

In order to perform direct development using yFiles, you need a developer license for it. At the same time, we want the community to be able to contribute to BinNavi without needing a commercial yFiles license. In order to do this and conform to the yFiles license, all interfaces to yFiles need to be properly obfuscated.

In order to achieve this, we did the following:

1) BinNavi and all the libraries have been split into two: The parts of the project that directly depend on yFiles were split into subpackages called "yfileswrap":

com.google.security.zynamics.binnavi
com.google.security.zynamics.binnavi.yfileswrap
com.google.security.zynamics.zylib
com.google.security.zynamics.zylib.yfileswrap
com.google.security.zynamics.reil
com.google.security.zynamics.reil.yfileswrap

We are distributing a pre-built JAR file with all the code in the "yfileswrap" subpackages - pre-linked and obfuscated against yFiles. If you wish to change or add code in BinNavi and do not have a yFiles license, you can freely do pretty much whatever you want in the non-yfileswrap packages - you can simply put the lib/yfileswrap-obfuscated.jar into your classpath to test and see the results.

If you wish to make changes to the "yfileswrap" subdirectories, please be aware that you will need a valid yFiles license - and any contribution that you make to the BinNavi project has to honor their license agreement. This means that you can't simply expose their inner APIs under different names etc.

We will enforce this - we're very happy to have found a way to open-source BinNavi with the yFiles dependency, and we will make sure that any code we pull in respects the yFiles license.

Building BinNavi from scratch
BinNavi uses Maven for its dependency management, but not for the actual build yet. To build from scratch use these commands:

mvn dependency:copy-dependencies
ant -f src/main/java/com/google/security/zynamics/build.xml \
  build-binnavi-fat-jar

Running BinNavi for the first time
Please be aware that BinNavi makes use of a central PostgreSQL database for storing disassemblies/comments/traces - so you need to have such an instance running somewhere accessible to you. You can build/launch BinNavi as follows:

ant -f src/main/java/com/google/security/zynamics/build.xml \
  build-binnavi-fat-jar
java -jar target/binnavi-all.jar


Loading the project into Eclipse

Loading the code into Eclipse for further development requires a little bit of configuration.

  1. Download the dependencies (as described above) and make sure you have a Java SDK with 1.8 language compliance installed.
  2. Create a new "Java Project From Existing Ant Buildfile" and use the file src/main/java/com/google/security/zynamics/build.xml
  3. Select the '"javac" task found in target "build-binnavi-jar"' entry.
  4. Open the "Project Properties" dialog.
  5. Edit the source folders to have the following properties:
     • Linked Folder Location: $SRCDIR/src/main/java
     • Folder Name: java
  6. Click on "Next".
  7. Add binnavi/yfileswrap, zylib/yfileswrap, and reil/yfileswrap to the list of directories to exclude.
  8. Go to Run->Debug Configurations, select "Java Application" and then search for "CMain".
  9. You should be ready to go from here.

Exporting disassemblies from IDA
As part of this project, we are distributing a binary-only (sorry!) IDA Pro plugin that exports disassemblies from IDA into the PostgreSQL database format that BinNavi requires. When running BinNavi, simply configure the right path for IDA and click on the "install plugin" button if necessary -- you should now be able to import disassemblies.

Using other disassemblers than IDA
Right now, we only have the IDA export plugin - but we are hoping very much that someone will help us build export functionality for other disassemblers in the near future.

website: http://www.zynamics.com/binnavi.html

~ Thursday 20 August 2015 0 comments

SniffLab: Setup Your Own MITM, Packet Sniffing WiFi Access Point


Setting up a SNIFFLAB
Scripts to create your own MITM'ing, packet sniffing WiFi access point.

Firewall rules on DD-WRT router to send traffic to MITM proxy box

Make sure the network interface (vlan1 here) is correct.

PROXYIP=your.proxy.ip
iptables -t mangle -A PREROUTING -j ACCEPT -p tcp -m multiport --dports 80,443 -s $PROXYIP
iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp -m multiport --dports 80,443
ip rule add fwmark 3 table 2
ip route add default via $PROXYIP dev vlan1 table 2

PCAP machine scripts

/etc/network/interfaces

auto lo
iface lo inet loopback
iface eth0 inet manual
iface eth1 inet manual
allow-hotplug wlan0
iface wlan0 inet dhcp
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp

auto bond0
iface bond0 inet dhcp
bond-mode 3
bond-miimon 100
slaves eth0 eth1

/etc/wpa_supplicant/wpa_supplicant.conf

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
        ssid=""
        psk=hashofyourpassword
        proto=RSN
        key_mgmt=WPA-PSK
        pairwise=TKIP
        auth_alg=OPEN
}

Getting the network running correctly on boot

/etc/init.d/network.sh

#!/bin/sh
### BEGIN INIT INFO
# Provides:     network.sh
# Short-Description:    Ensure WiFi as well as Ethernet interfaces are up
# Description:
# Default-Start:    2 3 4 5
# Default-Stop:     0 1 6
# Required-Start:   $remote_fs $syslog
# Required-Stop:    $remote_fs $syslog
### END INIT INFO
sudo ifplugd eth0 --kill
sudo ifup wlan0
sudo ifup eth0
sudo ifup eth1
sudo ifconfig eth1 promisc
sudo ifconfig eth0 promisc
exit 0

Start capturing packets on startup -- create a sniffer service

/etc/init/sniffer.conf

#sniffer.conf
start on runlevel [2345]
stop on runlevel [016]

script
    cd /home/pi/snifflab
    exec python sniffer.py -i bond0 -s 100 -t 1200
end script

MITM proxy service

mitm.conf

start on filesystem

script
    sudo iptables -A PREROUTING -t nat -i em1 -p tcp -m multiport --dports 80,443 -j REDIRECT --to-port 4567
    SSLKEYLOGFILE=/var/log/mitmkeys.log
    export SSLKEYLOGFILE
    echo "MITM Keys being logged here: $SSLKEYLOGFILE"
    exec mitmdump -T --host --conf=/etc/mitmproxy/common.conf
end script

Script to backup pcaps to local machine

#!/bin/bash
remote_server=yourservername
pcap_dir=/pcaps
keylogfile=/var/log/mitmkeys.log
local_dir=~/Documents/snifflab

rsync -a "$remote_server":$pcap_dir $local_dir
scp "$remote_server":$keylogfile $local_dir
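mitm.conf above points SSLKEYLOGFILE at /var/log/mitmkeys.log and the backup script copies that file next to the pcaps; Wireshark loads it as its (Pre)-Master-Secret log, so a truncated or corrupt key log silently makes hours of captures undecryptable. As an added example that is not part of SniffLab, the following parses the NSS key log format mitmproxy writes, indexes each secret by its client random, and reports duplicate and malformed lines; the sample log is constructed.

```python
import re
from collections import Counter

# Line shapes of the NSS key log format written when SSLKEYLOGFILE is set.
# CLIENT_RANDOM: 32-byte ClientHello random, 48-byte master secret (TLS <= 1.2).
# RSA: first 8 bytes of the encrypted premaster secret, 48-byte premaster secret.
_CLIENT_RANDOM = re.compile(r"^CLIENT_RANDOM ([0-9a-fA-F]{64}) ([0-9a-fA-F]{96})$")
_RSA = re.compile(r"^RSA ([0-9a-fA-F]{16}) ([0-9a-fA-F]{96})$")


def parse_keylog(text):
    """Index a key log by its lookup key (client random or premaster prefix).

    Returns (index, report): index maps the lowercase hex key to the secret,
    report counts usable, duplicate and malformed lines so a broken log is
    noticed before it is relied on to decrypt a capture.
    """
    index, report = {}, Counter()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # mitmproxy writes a comment header
            continue
        match = _CLIENT_RANDOM.match(line) or _RSA.match(line)
        if not match:
            report["malformed"] += 1               # e.g. a line cut short mid-write
            continue
        key, secret = match.group(1).lower(), match.group(2).lower()
        if key in index:
            report["duplicate"] += 1               # same session logged twice
            continue
        index[key] = secret
        report["usable"] += 1
    return index, report


def secret_for_client_random(index, client_random_hex):
    """Look up the master secret for a ClientHello random taken from a pcap."""
    return index.get(client_random_hex.lower())


# Constructed sample log (not a real capture): two sessions, one repeated line,
# and one line truncated to 20 bytes of secret.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by mitmproxy",
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,
    "CLIENT_RANDOM " + "22" * 32 + " " + "bb" * 48,
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,
    "CLIENT_RANDOM " + "33" * 32 + " " + "cc" * 20,
])
```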

~ Monday 17 August 2015 0 comments

NetRipper - Smart Traffic Sniffing For Penetration Testers


Description
NetRipper is a post-exploitation tool targeting Windows systems. It uses API hooking to intercept network traffic and encryption-related functions from a low-privileged user, so it can capture both plain-text traffic and encrypted traffic before encryption and after decryption.

NetRipper was released at Defcon 23, Las Vegas, Nevada.

Abstract
The post-exploitation activities in a penetration test can be challenging if the tester has low privileges on a fully patched, well-configured Windows machine. This work presents a technique that helps the tester find useful information by sniffing the network traffic of the applications on the compromised machine despite those low privileges. Furthermore, encrypted traffic is captured before it is handed to the encryption layer, so all traffic (clear-text and encrypted) can be sniffed. The implementation of this technique is a tool called NetRipper, which uses API hooking to perform the actions above and has been designed specifically for use in penetration tests, but the concept can also be used to monitor the network traffic of employees or to analyze a malicious application.

Tested applications
NetRipper should be able to capture network traffic from: Putty, WinSCP, SQL Server Management Studio, Lync (Skype for Business), Microsoft Outlook, Google Chrome, Mozilla Firefox. The list is not limited to these applications but other tools may require special support.

Components
NetRipper.exe - Configures and injects the DLL
DLL.dll       - Injected DLL; hooks APIs and saves data to files
netripper.rb  - Metasploit post-exploitation module

Command line
Injection: NetRipper.exe DLLpath.dll processname.exe  
Example:   NetRipper.exe DLL.dll firefox.exe

Generate DLL:

  -h,  --help          Print this help message
  -w,  --write         Full path for the DLL to write the configuration data
  -l,  --location      Full path where to save data files (default TEMP)

Plugins:

  -p,  --plaintext     Capture only plain-text data. E.g. true
  -d,  --datalimit     Limit capture size per request. E.g. 4096
  -s,  --stringfinder  Find specific strings. E.g. user,pass,config

Example:
NetRipper.exe -w DLL.dll -l TEMP -p true -d 4096 -s user,pass  

Metasploit module

msf > use post/windows/gather/netripper 
msf post(netripper) > show options

Module options (post/windows/gather/netripper):

Name          Current Setting                   Required  Description
----          ---------------                   --------  -----------
DATALIMIT     4096                              no        The number of bytes to save from requests/responses
DATAPATH      TEMP                              no        Where to save files. E.g. C:\Windows\Temp or TEMP
PLAINTEXT     true                              no        True to save only plain-text data
PROCESSIDS                                      no        Process IDs. E.g. 1244,1256
PROCESSNAMES                                    no        Process names. E.g. firefox.exe,chrome.exe
SESSION                                         yes       The session to run this module on.
STRINGFINDER  user,login,pass,database,config   no        Search for specific strings in captured data

Set PROCESSNAMES and run.

Metasploit installation (Kali)
  • cp netripper.rb /usr/share/metasploit-framework/modules/post/windows/gather/netripper.rb
  • mkdir /usr/share/metasploit-framework/modules/post/windows/gather/netripper
  • g++ -Wall netripper.cpp -o netripper
  • cp netripper /usr/share/metasploit-framework/modules/post/windows/gather/netripper/netripper
  • cd ../Release
  • cp DLL.dll /usr/share/metasploit-framework/modules/post/windows/gather/netripper/DLL.dll

Plugins
  • PlainText - Allows capturing only plain-text data
  • DataLimit - Save only the first bytes of requests and responses
  • StringFinder - Find specific strings in network traffic

To do
  • Support multiple applications
  • Support for x64 processes
  • Thread-safe API hooking
  • Monitor loading of DLLs and new processes

Author
Ionut Popescu, Senior Security Consultant at KPMG Romania


~ Friday 14 August 2015 0 comments

PortDog: Port Scanning Tool In Python


PortDog is a network anomaly detector aimed at detecting port scanning techniques. It is entirely written in Python and has an easy-to-use interface.

It was tested on Ubuntu 15. Please note that it does not work on Windows, because it cannot capture raw packets there. I am working on making this script work on both platforms. In the future, I am thinking about adding firewall options that could block malicious attempts. It uses raw packets for analysis; for this reason, please ensure that you run this script from a privileged session.


Usage:

sudo python portdog.py -t time_for_sniff_in_minutes

For example, if you want to detect for 5 minutes use:

sudo python portdog.py -t 5

For infinite detection use:

sudo python portdog.py -t 0

If you want the list of scanned ports, press CTRL+C to print the port list at runtime (if a scan has happened).
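PortDog's own source is not reproduced on the page; as an added example that is not PortDog's code, the sliding-window heuristic below is the kind of check such a detector applies to captured SYNs, and it produces the per-source port list that the CTRL+C report refers to. The packet tuples, the 60-second window and the 15-port threshold are constructed assumptions.

```python
from collections import defaultdict, deque


class ScanDetector:
    """Flag a source that probes many distinct ports on one host inside a time window.

    Sliding-window heuristic over connection attempts (SYNs): attempts older than
    `window` seconds drop out, so a normal client that keeps reusing the same two
    or three ports for an hour is never counted, while a sweep of many ports is.
    """

    def __init__(self, window=60.0, threshold=15):
        self.window = window
        self.threshold = threshold
        self._events = defaultdict(deque)   # (src, dst) -> deque of (timestamp, dport)
        self.alerts = {}                    # (src, dst) -> sorted list of probed ports

    def observe(self, ts, src, dst, dport, syn):
        """Feed one packet; return True if it pushes (src, dst) over the threshold."""
        if not syn:                          # only new connection attempts count
            return False
        events = self._events[(src, dst)]
        events.append((ts, dport))
        while events and ts - events[0][0] > self.window:
            events.popleft()                 # expire attempts outside the window
        ports = {p for _, p in events}
        if len(ports) >= self.threshold:
            self.alerts[(src, dst)] = sorted(ports)   # the port list printed on CTRL+C
            return True
        return False


def run_detector(packets, **kwargs):
    """Replay (ts, src, dst, dport, syn) tuples and return the alerts found."""
    det = ScanDetector(**kwargs)
    for pkt in packets:
        det.observe(*pkt)
    return det.alerts


# Constructed sample traffic, not a real capture: a fast sweep of ports 1-20 from
# 192.0.2.10, and a normal client alternating between 80 and 443 from 192.0.2.20.
SAMPLE_PACKETS = [(0.1 * i, "192.0.2.10", "198.51.100.5", port, True)
                  for i, port in enumerate(range(1, 21))]
SAMPLE_PACKETS += [(5.0 * i, "192.0.2.20", "198.51.100.5", 443 if i % 2 else 80, True)
                   for i in range(40)]
# A slow sweep (one port every 30 s) never has 15 ports inside a 60 s window; that
# is the blind spot of any time-window detector, and widening `window` closes it.
SLOW_SWEEP = [(30.0 * i, "192.0.2.30", "198.51.100.5", port, True)
              for i, port in enumerate(range(1000, 1020))]
```

The heuristic keys on (source, destination), so it catches vertical scans of one host; a horizontal sweep of one port across many hosts needs the mirror-image check keyed on (source, port).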



~ 0 comments

FruityWifi: The Open Source Tool To Audit Wireless Networks


FruityWifi allows the user to deploy advanced attacks directly from the web interface or by sending messages to it.

The application can be installed on any Debian-based system by adding the extra packages. Tested on Debian, Kali Linux, Kali Linux ARM (Raspberry Pi), Raspbian (Raspberry Pi), Pwnpi (Raspberry Pi) and Bugtraq.


What’s New

With the new version, it is possible to install external modules. This gives the user more flexibility, and FruityWifi can be customized: modules can be added or removed at any time using the on-line repository.

A more flexible control panel. Now it is possible to use FruityWifi combining multiple networks and setups:

Ethernet <--> Ethernet,
Ethernet <--> 3G/4G,
Ethernet <--> Wifi,
Wifi <--> Wifi,
Wifi <--> 3G/4G, etc.


Among the new options on the control panel, the AP mode can be switched between Hostapd and Airmon-ng, which allows more chipsets (such as Realtek) to be used.

Each network interface can be customized individually, which allows the user to keep the current setup or change it completely.


Features:

FruityWifi is based on modules making it more flexible. These modules can be installed from the control panel to provide FruityWifi with new functionalities.
  • Hostapd Karma
  • URLsnarf
  • DNSspoof
  • Kismet
  • Squid (code injection capabilities)
  • SSLstrip (code injection capabilities)
  • nmap
  • mdk3
  • ngrep
  • Captive Portal
  • Nessus
  • Ettercap
  • Tcpdump
  • AutoSSH
  • Supplicant
  • 3G/4G


~ Wednesday 12 August 2015 0 comments

BetterCap: A New MITM Framework Tool


Bettercap is a complete, modular, portable and easily extensible MITM tool and framework with every kind of diagnostic and offensive feature you could need in order to perform a man in the middle attack.

How to install?

Stable Release ( GEM )

gem install bettercap

From Source

git clone https://github.com/evilsocket/bettercap
cd bettercap
gem build bettercap.gemspec
sudo gem install bettercap*.gem

DEPENDS
All dependencies will be installed automatically through the GEM system; in some cases you might need to install system dependencies to make everything work:

sudo apt-get install ruby-dev libpcap-dev



Read more: Bettercap

~ Tuesday 4 August 2015 0 comments

Oops! New Microsoft Windows 10 Is Spying On You


Did You Know? I think not.

You are happy to see that Windows 10 has officially launched and that you get a new Windows with attractive, stylish graphics. But wait...

By downloading and installing Windows 10, you give Microsoft broad permission to gather information about what you do and to access your data.

Microsoft will synchronize your settings with its servers by default. This includes your browser history, the websites you visit, and the names and passwords of hotspots and Wi-Fi networks.

Today I am telling you about its privacy policy, which we easily tick through without reading. I have picked out some points below that are very necessary to know about.


Microsoft can disclose your data:
This is the part you ought to be most worried about. Microsoft's new privacy policy gives it free rein over when it will or won't access and disclose your personal information.


How Microsoft Windows 10 Is Spying On YOU?

We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to.

By Turning on Cortana:

"To enable Cortana to provide personalized experiences and relevant suggestions, Microsoft collects and uses various types of data, such as your device location, data from your calendar, the apps you use, data from your emails and text messages, who you call, your contacts and how often you interact with them on your device.
Cortana also learns about you by collecting data about how you use your device and other Microsoft services, such as your music, alarm settings, whether the lock screen is on, what you view and purchase, your browse and Bing search history, and more."


Advertisers know who you are:
Windows 10 creates a unique advertising ID for every user on the system, which can be used by developers and ad networks. You can turn this off, but you have to know where to look.

These new policies take effect on 1 August, and there are a couple of unsettling things in there that you ought to think about if you are in a business organisation.

How can we turn off these settings?

To turn this off, go to the Settings menu > Privacy > General > Change privacy options.


A Microsoft spokesperson told Business Insider:

"To effectively provide Windows as a service, Microsoft collects some performance, diagnostic and usage information that helps keep Windows and apps running properly," said the spokesperson.

"Microsoft does not sell this data or use it for advertising purposes. We give a select number of Microsoft employees and third party engineers access to select portions of the information to repair or improve Microsoft products and services."

Read the full privacy statement of Windows 10.

~ Saturday 1 August 2015 0 comments

Inveigh: A Windows PowerShell LLMNR/NBNS Spoofer With Challenge/Response Capture Over HTTP/SMB




Inveigh is a Windows PowerShell LLMNR/NBNS spoofer designed to assist penetration testers that find themselves limited to a Windows system.

This commonly occurs while performing phishing attacks, USB drive attacks or VLAN pivoting, or simply when the tester is restricted to a Windows system by client-imposed restrictions.

Notes

  1. Currently supports IPv4 LLMNR/NBNS spoofing and HTTP/SMB NTLMv1/NTLMv2 challenge/response capture.
  2. LLMNR/NBNS spoofing is performed through sniffing and sending with raw sockets.
  3. SMB challenge/response captures are performed by sniffing over the host system's SMB service.
  4. HTTP challenge/response captures are performed with a dedicated listener.
  5. The local LLMNR/NBNS services do not need to be disabled on the host system.
  6. The LLMNR/NBNS spoofer points victims to the host system's SMB service; keep account lockout scenarios in mind.
  7. Kerberos should downgrade for SMB authentication because the spoofed hostnames are not valid in DNS.
  8. Ensure that the LLMNR, NBNS, SMB and HTTP ports are open in any local firewall on the host system.
  9. Output files will be created in the current working directory.
  10. If you copy/paste challenge/response captures from output window for password cracking, remove carriage returns.


Usage
Obtain an elevated administrator or SYSTEM shell. If necessary, use a method to bypass script execution policy.

To execute with default settings:
Inveigh.ps1 -i localip

To execute with features enabled/disabled:
Inveigh.ps1 -i localip -LLMNR Y/N -NBNS Y/N -HTTP Y/N -HTTPS Y/N -SMB Y/N -Repeat Y/N -ForceWPADAuth Y/N
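Note 7 above is the property a defender can turn around: a spoofer answers LLMNR queries for names that do not exist anywhere, so a monitoring host that periodically queries made-up "canary" hostnames can treat any answer as a spoofer on the segment. As an added example that is not Inveigh's code, the following parses an LLMNR message (same wire format as DNS, UDP port 5355) and applies that canary check; the response bytes, the canary names and the responder address are constructed.

```python
import socket
import struct

def _read_name(buf, off):
    """Decode a DNS-style label sequence; one compression pointer ends the name."""
    labels = []
    while True:
        ln = buf[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0 == 0xC0:                       # pointer to a name earlier in the packet
            ptr = ((ln & 0x3F) << 8) | buf[off]
            name, _ = _read_name(buf, ptr)
            labels.append(name)
            return ".".join(labels), off + 1
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), off

def parse_llmnr(buf):
    """Parse an LLMNR message (UDP 5355); the wire format is DNS's (RFC 4795)."""
    tid, flags, qd, an, _ns, _ar = struct.unpack("!6H", buf[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = _read_name(buf, off)
        qtype, _qclass = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        questions.append((name.lower(), qtype))
    for _ in range(an):
        name, off = _read_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata, off = buf[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:               # A record: name -> IPv4
            answers.append((name.lower(), socket.inet_ntoa(rdata)))
    return {"id": tid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}

def check_canary(msg, responder_ip, canary_names):
    """Alert when a response answers a name nobody legitimately owns (match is case-insensitive)."""
    if not msg["is_response"]:
        return None
    hits = [(n, ip) for n, ip in msg["answers"] if n in canary_names]
    return {"responder": responder_ip, "answers": hits} if hits else None

# Constructed sample (not a real capture): a reply claiming "fileserv01" is 10.0.0.99.
SAMPLE_RESPONSE = (
    b"\x12\x34\x80\x00\x00\x01\x00\x01\x00\x00\x00\x00"   # id 0x1234, QR=1, 1 question, 1 answer
    b"\x0afileserv01\x00\x00\x01\x00\x01"                  # question: fileserv01, type A, class IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x1e\x00\x04"    # answer: name pointer, A, IN, TTL 30, len 4
    b"\x0a\x00\x00\x63"                                    # rdata: 10.0.0.99
)
CANARY_NAMES = {"fileserv01", "printsrv-old"}              # made-up names the monitor queries
```

The same check applies to NBNS on UDP 137 once its name encoding is decoded; the canary idea is independent of the protocol.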




~ Thursday 30 July 2015 0 comments