Category: # Tools | Views: 3931 | Added by: Administrator | Date: 2012-04-09 | Comments (1)



Following the hacking of Med Elaouni's Facebook account, we advise all Moroccan users, especially those involved in the #Feb20 movement, to change their passwords on social networks using a secure connection.

All major sites support encryption of data in transit (GMail, Twitter, Facebook, ...), but unfortunately it is not automatic. Therefore, force the secure connection by typing the following addresses:
https://www.facebook.com/ instead of http://facebook.com
https://gmail.com instead of http://gmail.com
https://twitter.com instead of http://twitter.com
If you use Mozilla Firefox, there is a plugin, Force-TLS, which you can install to do this job automatically.
We recommend using a public unsecured connection, in a cafe for example, without using HTTPS.
If you get errors and cannot use this connection method, please let us know and we will try to give you alternatives.
Category: # Computer Security | Views: 57459 | Added by: Administrator | Date: 2012-04-09 | Comments (0)

Today we are going to be hacking a remote computer using metasploit framework!

Hacking a computer in a local area network (LAN) is quite simple, since we can make direct connections with little traffic in between. Hacking a remote computer on a wide area network, on the other hand, isn't as simple as you would imagine…

Things to consider during the attack:

  • Anti Virus
  • Firewall
  • Intrusion Detection System
  • Intrusion Prevention System
  • Latency
  • Routers

Let’s face it: it’s a wild west out there… anything goes. All these devices will surely slow down the attack or perhaps even completely prevent it!

In order to make sure the attack endures this harsh environment we need to account for some type of encryption on our part; for this we will use vanish (seen previously) to create a backdoor. Let's use a reverse TCP connection to the secure HTTP port (443) back on the attacker.

This port will need to be forwarded if it is a routed network (as most are)… you can see how to do this in the video.

Once the victim executes this backdoor he will trigger a connection back to the attacker’s machine (forwarded on the public IP address of course).

Since most routers allow connections on ports 80 and 443 using this payload should be fine.

Click here to download vanish: [ DOWNLOAD ]

Check out the video!


P.S: The settings shown are the ones that I played with and managed to get to work; if you have other payloads or parameters, etc. that were useful to you, feel free to share in the comments section below!

Source : http://technicdynamic.com/2012/03/hacking-a-remote-computer-using-metasploit-framework/

Category: # TechnicDynamic Tutorials | Views: 4569 | Added by: Administrator | Date: 2012-04-08 | Comments (0)




One of the most famous and widely used source code editors for Windows, Notepad++, has now reached version 6. The tool is written in C++ and supports plugins, macros, and syntax highlighting for many programming languages including C, C++, C#, Visual Basic, Java, Lua, Python, Perl, SQL, HTML and XML.
Newest Features:
  • PCRE (Perl Compatible Regular Expressions) is supported.
  • Document Map feature added (via Menu View->Document Map)
  • Improved loading performance for large files
Included plugins (Unicode):
  • Spell Checker v1.3.3
  • NppFTP 0.24.1
  • NppExport v0.2.8
  • Plugin Manager 1.0.8
  • Converter 3.0
Note that the Notepad++ Document Map is only available in the Unicode release. The source code for the ANSI release is no longer maintained, therefore the ANSI binary will be removed in future releases.
As usual, if you find any critical problem, post a comment under this article.

To Download Notepad++ (Installer, Zip, Binary Source Code) Click Here

Category: # Tools | Views: 4065 | Added by: Administrator | Date: 2012-03-29 | Comments (0)

========================================================
Type : Tutorial
Level : Easy
Purpose : As a website owner you should also be aware of this kind of attack on your web server
========================================================

I wrote this tutorial about Google Hacking because some people keep messaging me about how to perform it…
A lot of people who learn about hacking think that hacking is just getting into a web server or computer and defacing it, stealing data or erasing the victim's disk drive by running rm -rf, etc. …but I tell you that isn't the purpose, because this method can also be used to secure your website from bad hackers (see the countermeasure part below).

If you just think it's really cool to deface some website, put your name on it such as "Hacked by v4L" and then use the screenshot as your Facebook profile picture for pride (I've seen this kind of guy…ROFL), I suggest you forget doing this kind of stupid thing before Interpol catches you.
Google hacking doesn't mean that you can hack into another system instantly (even though sometimes you can get through instantly), because Google Hacking is a trick to gain and reveal some sensitive information.

While you're in Google, it's impossible to find specifications about a program running on someone's computer (unless he/she wrote it in a Facebook status or somewhere else on the net), because Google is a web search engine (Wikipedia), so Google will only list computers/servers that act as web servers. Do not think too much about complex hacking steps, because before you move to a higher level you need to know the basic things.

In this tutorial I will write the simple basic things needed to perform Google hacking and also perform a very basic SQL injection like ' OR 1=1;-- …I believe some of you reading this tutorial have great skill in SQL scripting, so you can fit it to your needs.

Okay let's start….

intitle : The intitle operator searches only within the <title> tags, i.e. the actual page title as defined by the website's author.
inurl : is used to search within a site's URL itself. This is very useful if you are familiar with a URL string or with the standard URL strings used by different content management systems.

We will try to find the administrator login page address by using some of the Google operators above. Usually the programmer will use words like "Administrator Login", "Admin Login", "Super User", "Owner Login", etc. as the title of the administrator authentication page.



As you can see from the picture above, there are about 4,310 search results for that query, but you can narrow your results by changing some parameters, such as changing .com into .nz, .com.au, .co.id, .com.my, .sg, and many more…. While I was searching for Google Hacking material on the internet, I actually found more than 10 websites vulnerable to the basic SQL injection above…see the example below

Before :

 After :

Countermeasure :
1. For webmasters, put this script in your web page between  to prevent the search engine crawler from indexing your private page
2. Still for webmasters, you can also create or modify a robots.txt file to disallow a user agent from crawling some of your web server folders.
example:

User-agent: *
Disallow: /administrator/
Disallow: /user/
Disallow: /modules/

FYI : If you want to know which folders a website disallows, you can look at my simple tool here :
http://vishnuvalentino.com/services/website-information-lookup-beta-v01/
3. Again for programmers, filter the user input and make sure the data is safe for the server to execute. That's it…hope it's useful
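Countermeasure 3 in working form, as an added example that is not part of the tutorial: a login check that concatenates the user's input into the query, beside one that allow-lists the username and binds the values as parameters, both tried against the tutorial's ' OR 1=1;-- input on a constructed in-memory SQLite table.

```python
"""
Added example, not from the tutorial: countermeasure 3 (filtering user
input) shown on an in-memory SQLite database.  login_vulnerable() builds
the query by string concatenation, so the tutorial's input  ' OR 1=1;--
turns the WHERE clause into a tautology and the comment swallows the
password check.  login_safe() validates the username against an
allow-list and binds both values as parameters, so the same input is
compared literally and the login fails.  Table, account and password are
constructed sample data.
"""
import re
import sqlite3

# Allow-list for usernames (constructed policy): letters, digits, . _ -
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")

# The injection string from the tutorial text.
INJECTION = "' OR 1=1;--"


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a single admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Query text built from raw input: the bug the tutorial exploits."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    # With INJECTION as username the statement becomes
    #   ... WHERE username = '' OR 1=1;--' AND password = '...'
    # so every row matches and the password is never checked.
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Allow-list the username, then let the driver bind the values."""
    if not USERNAME_RE.match(username):
        return False                      # reject instead of 'sanitising'
    # A real application compares a password hash here, not the plaintext.
    cur = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),             # values never become SQL text
    )
    return cur.fetchone() is not None


def compare() -> dict:
    """Run both versions with a valid login and with the injection."""
    conn = make_db()
    return {
        "vulnerable_valid": login_vulnerable(conn, "admin", "correct-horse"),
        "vulnerable_injected": login_vulnerable(conn, INJECTION, "x"),
        "safe_valid": login_safe(conn, "admin", "correct-horse"),
        "safe_injected": login_safe(conn, INJECTION, "x"),
    }


if __name__ == "__main__":
    for name, ok in compare().items():
        print(f"{name:20s} -> {'logged in' if ok else 'rejected'}")
```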

Category: # Vishnuvalentino Tutorials | Views: 4498 | Added by: Administrator | Date: 2012-03-28 | Comments (0)

Nowadays maybe a lot of people know about cracking (network cracking): it is the modification or disabling of features which are considered undesirable by the person cracking the network. For some people, cracking a network sounds very hard to do because it seems to require high-level programming skills or an understanding of networking.

What is Session Hijacking
Every time you connect to a web application (usually a dynamic web application) you get a unique ID called a "session"; this session identifies you as a valid user and stays valid until you kill the session (the logout process) or the session expires. Some bad people try to identify or guess the session ID value to gain the privileges of a valid user in a web application.

Firesheep HTTP Session Hijacking
Firesheep is a Firefox extension for session hijacking. I was very surprised that this tool can hijack Facebook, Twitter, WordPress, Amazon, etc. sessions from the valid user. The most important thing is that this tool is very easy to configure and to launch an attack with. Just a few steps:
1. Download Firesheep
2. Sit on an unencrypted wireless network
3. Turn on your wireless card (one that supports promiscuous mode, such as Atheros, Orinoco, etc.) and join the network
4. Start capturing with Firesheep
5. Just wait until some user authenticates to Facebook, Twitter, etc.

Step by Step Firesheep Configuration
1. The picture below shows the Firesheep interface (click View –> Sidebar –> Firesheep); click the red circle for preferences.



2. In this picture you choose which interface you want to capture data on. For example, when you're in a wireless network, you should activate the wireless adapter.



3. The picture below tells you which websites' sessions this addon can hijack.



4. Usually, when capturing data, it will use TCP port 80, because if it's 443 I think it will be encrypted, but I still haven't tried another port :-) .

Read more : http://vishnuvalentino.com/computer/firesheep-http-session-hijacking-tools/


5. When you finish, click "Start Capturing" and wait until someone authenticates to a website on the website list.



Prevention:
1. You can use Blacksheep,
2. You can tunnel your internet connection,
3. Don't use the "Remember Me" feature in public internet areas (hotspots), and log out after you finish using the internet.
4. Some people say that clearing the browser cache and history may be another way, but you can read my other posts on why it's not really a good way. That's it.

I hope you can use this tutorial in a good way :-) If you have any question, you can contact me or drop a comment.
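The server-side counterpart of the prevention list above and of the HTTPS advice in the earlier post, as an added example that is not from either post: an audit of one HTTP response's headers for the Secure flag on session cookies (a cookie the browser never sends over plain HTTP cannot be captured on port 80) and for a Strict-Transport-Security header (the browser then forces https:// itself, which is what the Force-TLS add-on did on the client side). The two responses are constructed.

```python
"""
Added example (not from either post): audits the headers of one HTTP
response for the two server-side controls that defeat the Firesheep
attack described above and make the earlier post's "type https://
yourself" advice unnecessary.  A session cookie carrying the Secure
attribute is never sent over plain HTTP, so there is nothing to capture
on port 80; a Strict-Transport-Security header makes the browser itself
upgrade later http:// requests.  The two responses below are constructed.
"""
import re
from typing import Dict, List

# Names that usually mark a session or 'Remember Me' cookie (heuristic).
SESSION_NAME_RE = re.compile(r"sess|sid|auth|token|login|remember", re.I)


def parse_set_cookie(value: str) -> Dict[str, str]:
    """Turn 'name=value; Attr; Attr=val' into a dict; attribute names lower-cased."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": val.strip()}
    for attr in parts[1:]:
        if attr:
            key, _, aval = attr.partition("=")
            cookie[key.strip().lower()] = aval.strip()
    return cookie


def audit_response_headers(headers: List[str]) -> List[str]:
    """Return one finding per weakness; an empty list means the response passes."""
    findings: List[str] = []
    hsts_ok = False
    for line in headers:
        name, sep, value = line.partition(":")
        if not sep:
            continue                          # status line, not a header
        name, value = name.strip().lower(), value.strip()
        if name == "strict-transport-security":
            m = re.search(r"max-age=(\d+)", value, re.I)
            hsts_ok = bool(m) and int(m.group(1)) > 0
        elif name == "set-cookie":
            c = parse_set_cookie(value)
            if not SESSION_NAME_RE.search(c["name"]):
                continue                      # e.g. a language preference
            if "secure" not in c:
                findings.append(f"cookie {c['name']}: no Secure flag, "
                                "sent in clear over http:// (sidejackable)")
            if "httponly" not in c:
                findings.append(f"cookie {c['name']}: no HttpOnly flag, "
                                "readable by page scripts")
    if not hsts_ok:
        findings.append("no Strict-Transport-Security header: the browser "
                        "will not force https:// on its own")
    return findings


# Constructed sample responses: a 2012-style site and the hardened version.
WEAK_RESPONSE = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: sessionid=9f2a7c1e; Path=/; HttpOnly",
    "Set-Cookie: lang=en; Path=/",
]
HARDENED_RESPONSE = [
    "HTTP/1.1 200 OK",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "Set-Cookie: sessionid=9f2a7c1e; Path=/; Secure; HttpOnly",
    "Set-Cookie: lang=en; Path=/",
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response_headers(resp) or ["ok"])
```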


Category: # Vishnuvalentino Tutorials | Views: 4704 | Added by: Administrator | Date: 2012-03-28 | Comments (0)

GRIM WEPA was written in Java and is intended for use with the Linux Operating System (specifically the Backtrack 4,5 distribution).

GrimWepa 1.1 has been translated for Português-Brasil users. It is available in the downloads section.

Update

GRIM WEPA is no longer being supported

GRIM WEPA is on an indefinite hiatus while I work on other projects.

Please use Wifite instead of GRIM WEPA. Wifite is a newer wifi cracker with more functionality and stability than GRIM WEPA. Wifite is available here: http://code.google.com/p/wifite/

Please update your bookmarks and links accordingly.

This project will remain open so that I may eventually update GrimWepa.

Overview

GRIM WEPA is a password cracker for both WEP and WPA-encrypted access points (routers). This program uses the following applications and suites:

  • aircrack-ng suite:
    • aircrack-ng, to crack WPA and WEP;
    • airodump-ng, to capture packets and find access points;
    • airmon-ng, to enumerate devices in monitor mode;
    • aireplay-ng, to forge and replay packets;
    • and packetforge-ng, to create replay packets.
  • iwconfig, to see if devices are in monitor mode;
  • xterm, to show output to user;
  • ifconfig, to get the MAC address of devices;
  • macchanger, to change MAC address of wifi cards.
These applications are required for GRIM WEPA to run properly. All of these applications come standard with Backtrack4.

note: the settings & configuration file for Grim Wepa is saved to /etc/grimwepa.conf

About

GRIM WEPA's cracking methods are archaic and have been around for years. It simply uses the existing cracking methods in aireplay-ng (for WEP) and aircrack-ng (for WPA). Grim Wepa is similar in style and functionality to shamanvirtuel's Spoon series (SpoonWEP, SpoonWPA, and SpoonDRV). The Spoon suite is still available, though it is not kept updated.

The Backtrack 4 Linux distribution has a default WEP/WPA cracker, but it does not work properly for me; also, the Spoon series does not run properly for me on BT4, so I created GRIM WEPA for myself and as an homage to shamanvirtuel.

Options

GRIM WEPA has only two options: Crack WEP-encrypted access points (routers) and crack WPA-encrypted access points. The program can search for new targets, and auto-selects your cracking method. The options for each method are as follows:

Attacks for WEP-encrypted Access Points

  • ARP-Replay attack
  • Chop-chop attack
  • Fragmentation attack
  • p0841 attack
  • Cafe-Latte attack
  • Cracking options:
    • aircrack-ng is able to crack just about any WEP password after about 20,000 IV (Initialization Vector) data packets have been captured. The capture usually takes about 2 minutes, and the crack another 2-3 minutes.

Attacks for WPA-encrypted Access Points

  • Basic deauthorization attack to get handshake.
  • Cracking:
    • GRIM WEPA includes a 2MB default password list containing approximately 250,000 commonly-used passwords.
    • Wordlist / Dictionary / Brute-force attack: Currently, there is only one consistent method of cracking WPA, and that is by brute force. aircrack-ng can crack hundreds of passwords per second, so this method is not nearly as arbitrary as has been proposed.

Execution

To run GRIM WEPA, navigate to the file's location in Terminal and type:

java -jar grimwepa_X.X.jar

at the command line prompt, where X.X is your version of grimwepa.

Run GRIM WEPA as root!

I have posted a Step-by-Step Tutorial, and also a Troubleshooting Guide.

Installation

Installation is not required for GRIM WEPA to run properly, but it is recommended if you are going to use GRIM WEPA frequently.

GrimWepa can be downloaded and installed by running the "grimstall.sh" script.

For Backtrack Users: To download the install script via wget, change permissions on it, and run the install script (which will download the latest version of grimwepa and install it), copy-and-paste the below code into console (as root!):

wget http://grimwepa.googlecode.com/files/grimstall.sh
chmod 755 grimstall.sh
./grimstall.sh install

Note: Change the directory from /pentest/wireless/grimwepa/ to whichever directory you want to install to ; /pentest/wireless is commonly found in Backtrack distributions ; all files in the selected directory will be deleted (a prompt will confirm this); don't forget the / at the end!

A more-detailed installation guide can be found here, in the wiki.

Sample Video



          
Download GrimWepa | Download Wordlist

Source : http://www.linux-security.ucoz.com
Category: # BackTrack 5 Tutorials | Views: 7022 | Added by: Administrator | Date: 2012-03-25 | Comments (0)

A unique ‘fileless’ bot attacks news site visitors


Sergey Golovanov
Kaspersky Lab Expert
Posted March 16, 15:12  GMT
Tags: Vulnerabilities and exploits

In early March, we received a report from an independent researcher on mass infections of computers on a corporate network after users had visited a number of well-known Russian online information resources. The symptoms were the same in each case: the computer sent several network requests to third-party resources, after which, in some cases, several encrypted files appeared on the hard drive.

The infection mechanism used by this malware proved to be very difficult to identify. The websites used to spread the infection are hosted on different platforms and have different architectures. None of our attempts to reproduce the infections were successful. A quick analysis of KSN statistics that might help to identify the connection between compromised resources and the malicious code being distributed did not yield any results, either. However, we did manage to find something that the news sites had in common.

Infection sources

For purposes of analysis, we selected two information resources which we knew had been used to distribute the malware: http://www.ria.ru/ (a major Russian news agency) and http://www.gazeta.ru/ (a popular online newspaper). Regularly saving the contents of these resources did not identify any third-party JS scripts occasionally showing up, iframe tags, 302 redirects or any other formal attributes indicating that the resources had been compromised. The only thing they had in common was that they both used AdFox advertisement management system codes, through which teaser exchange was arranged.

 

The code on the main page of RIA.ru that is used to download additional content from AdFox.ru

We discovered that the malware is loaded via the teasers on AdFox.ru.

Here is how the infection was carried out. A JS script for one of the teasers loaded on the site included an iframe that redirected the user to a malicious site in the .EU domain containing a Java exploit.

 

The contents of an infected and a clean JS script

Analysis of the exploit’s JAR file demonstrated that it exploits a Java vulnerability (CVE-2011-3544). Cybercriminals have been exploiting this vulnerability since November in attacks targeting both MacOS and Windows users. Exploits for this vulnerability are currently among the most effective and are included in popular exploit packs.

However, the exploit used in this case was unique and had not been included in any exploit packs: the cybercriminals used their own payload in the attack.

 

Part of the JAR file’s payload

‘Fileless’ malware

As a rule, the operation of such an exploit involves saving a malicious file, usually a dropper or downloader, on the hard drive. However, in this case we were in for a surprise: no new files appeared on the hard drive.

After seizing all necessary privileges on the victim computer, the exploit does not install malware on the hard drive using Java. Instead, it uses its payload to inject an encrypted dll from the web directly into the memory of the javaw.exe process. The address from which the library is to be downloaded is encrypted in the iframe that was included in the JS script downloaded from AdFox.ru:

<applet code="Applet.class" archive="/0GLMFss"><param name="cookie" value="j::eHff8dCis:ys4iNfnUWP7yy"></applet>

 

A new malicious RWE section in the JAVAW.exe process

After successfully injecting and launching the malicious code (dll), Java begins to send requests to third-party resources, which look like Google search requests: "search?hl=us&source=hp&q=%s&aq=f&aqi=&aql=&oq="…

These requests include data on the browsing history taken from the user’s browser, as well as a range of additional technical information about the infected system.
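A detection for this traffic pattern, as an added example that is not from the Kaspersky post: it scans proxy log lines for requests that copy Google's search URL template but are sent to a host that is not Google. The log format, client addresses, non-Google host and query payload are all constructed; the post does not name the bot's hosts.

```python
"""
Added example, not from the Kaspersky post: a detection that scans proxy
log lines for the bot traffic described above, i.e. requests that copy
Google's search URL template ("search?hl=...&source=hp&q=...&aq=f&aqi=
&aql=&oq=") but are sent to a host that is not Google.  The log format,
the client addresses, the non-Google host and the query payload are all
constructed; the post does not name the bot's hosts.
"""
import re
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# Parameter set quoted in the post.  A bot filling in that template sends
# exactly these keys, with source=hp and aq=f as literal values.
TEMPLATE_KEYS = {"hl", "source", "q", "aq", "aqi", "aql", "oq"}

# google.com, google.ru, google.co.uk, www.google.com, ...
GOOGLE_HOST_RE = re.compile(r"(^|\.)google\.[a-z]{2,3}(\.[a-z]{2})?$")

# Constructed log format: epoch client method url "user-agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def looks_like_google_search(url: str) -> bool:
    """True if the URL has exactly the search-form query shape from the post."""
    parts = urlsplit(url)
    if not parts.path.endswith("/search"):
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    return (set(qs) == TEMPLATE_KEYS
            and qs["source"] == ["hp"] and qs["aq"] == ["f"])


def is_google_host(host: str) -> bool:
    return GOOGLE_HOST_RE.search(host.lower()) is not None


def find_beacons(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, host, q) for Google-shaped searches sent to other hosts."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                                  # unparsable line
        _ts, client, _method, url, _ua = m.groups()
        parts = urlsplit(url)
        host = parts.hostname or ""
        if looks_like_google_search(url) and not is_google_host(host):
            q = parse_qs(parts.query, keep_blank_values=True)["q"][0]
            hits.append((client, host, q))            # q carries the sent data
    return hits


# Constructed sample: one real search, one bot request, one ordinary page view.
SAMPLE_LOG = [
    '1331900001.001 10.1.2.30 GET http://www.google.com/search?hl=en&source=hp'
    '&q=java+update&aq=f&aqi=&aql=&oq= "Mozilla/5.0"',
    '1331900002.002 10.1.2.30 GET http://stat-collect.invalid/search?hl=us&source=hp'
    '&q=constructed-history-blob&aq=f&aqi=&aql=&oq= "Java/1.6.0_29"',
    '1331900003.003 10.1.2.31 GET http://www.ria.ru/ "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, host, q in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: Google-shaped search to non-Google host, q={q}")
```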

In other words, what we are dealing with here is a very rare kind of malware – the so-called ‘fileless’ malicious programs that do not exist as files on the hard drive but operate only in the infected computer’s RAM. The best known examples of such threats are the CodeRed and Slammer worms, which caused mass outbreaks at the beginning of the last decade.

This kind of malware only remains operational until the operating system is restarted, but in this case this is not a critical issue for the Trojan’s authors.

One reason for this is that the ‘fileless’ malware operates as a bot: after sending a series of requests to the command server and receiving replies, the exploit uses several different methods to disable UAC (User Account Control). After this the bot can install the Lurk Trojan on the infected machine. It is worth noting that the decision as to whether to install Lurk on the system is made on the cybercriminals’ server.

The second reason is that the chances of the user returning to the infected website after rebooting the system are high. This would result in re-infection, with the bot returning to the victim computer’s RAM.

Because no file is written to the hard drive, it becomes much harder to detect the problem using antivirus software. If the exploit is not detected, the bot can be successfully loaded into RAM, becoming virtually invisible.

Lurk

The Trojan-Spy.Win32.Lurk malware can be installed either using the commands "regsvr32" and "netsh add helper dll" or via the ShellIconOverlayIdentifiers branch of the system registry. Lurk installs its additional modules as encrypted dll files.

 

Part of the Lurk code responsible for downloading additional modules

The analysis of the additional modules used by Lurk has provided an insight into the malicious program’s functionality: it steals users’ sensitive data to gain access to online banking services at several large Russian banks. Kaspersky Lab first detected this malware in July 2011. Based on our analysis of the protocol used by Lurk to communicate to the command servers, we determined that over a period of several months, these servers processed requests from up to 300,000 infected machines.

Reasons behind the incident

After sorting out the technical side of the problem, we notified the Adfox administration of the incident. They promptly took action, resulting in the detection and removal of the malware from the infected banner.

In the course of the investigation it was determined that the cybercriminals had used the account of an Adfox customer to change the code of news headline banners by adding an iframe redirecting users to the malicious site.

After modifying code in one of the banners, they were able to attack not only users on one news site, but also visitors to other resources carrying this banner. As a result, there could be tens of thousands of users who were attacked. At the same time, banners of other AdFox clients did not contain the malicious code.

Conclusion

This is a unique attack, because the cybercriminals used their own PE file downloader (payload) that can work without creating malicious files in the infected system, operating entirely inside a trusted Java process.

Using a teaser network is one of the most effective methods that attackers can use to install malicious code, since it results in a large number of popular resources linking to the code.

This attack targeted Russian users. However, we cannot rule out that the same exploit and the same fileless bot will be used against people in other parts of the world: they can be distributed via similar banner or teaser networks in other countries. It is likely that other malware, not just Trojan-Spy.Win32.Lurk, will be used in the process.

As regards protection against this threat, we strongly suggest that all users install a patch that closes the CVE-2011-3544 vulnerability in Java. This is currently the only reliable way to prevent an infection. As we mentioned above, exploits for CVE-2011-3544 are the most effective there are and can be used to install a variety of malicious programs.

In addition, a security solution that includes web antivirus features should be used at all times. We also recommend that Kaspersky Lab users enable the Geo Filter feature, which provides manual control of the browser’s access to resources in different geographical domains, and block connections to sites in the .eu zone unless accessing them is essential. We have been detecting numerous malicious resources in this domain, including those described above, as well as servers used to distribute the Hlux Trojan, which we discussed in a recent post.

 

PS. Our heartfelt thanks go to the independent researcher, who wishes to remain anonymous, for invaluable help in preparing this publication.

SOURCE : http://www.securelist.com/en/blog/687/A_unique_fileless_bot_attacks_news_site_visitors

Category: # Hackers News | Views: 4217 | Added by: Administrator | Date: 2012-03-24 | Comments (0)

Anonymous-OS is not available anymore

A worrying rumour spread recently about an operating system attributed to Anonymous and based on the Linux kernel, but a message from the group's Twitter account denies this, asserting that the account behind it is fake, that the system is full of holes, and that Anonymous has no intention of releasing anything like it.

The Anon OS is fake; it is wrapped in trojans. RT



On the other hand, those responsible for the operating system, Anonymous-OS, added a post to their official blog saying that Anonymous's comments on the operating system are misleading and incorrect, "and that in the world of open source and Linux there are no such holes; anyone who has used Linux for a while knows this, but it is difficult to convince naive users!".

At the time of writing this post, the Anonymous-OS site was not working.

" First, we want say thanks to all users where download and test Anonymous-OS and all you people for your thousands positive feedback. We tried to answer all your questions and we hope to do it. For your protection, we deleted all emails and not available anywhere. Also we apologize from the creators of  themes and wallpapers that was included on Anonymous-OS, because we don’t thank them earlier and of course without they knowing that we choose their creations. So, we thanks them.

We disappointed for all these we continue to read on various websites that the Anonymous-OS is fake and full of viruses, trojan, etc. Until now we think that nothing reported yet. That say something. All these sites misinform the world, and continue to do this without having checked the Anonymous-OS.
Anyway, from time to publish this project was attacked by several well known sites in the technology field and we believe the reason is to fight one more time Linux and opensource software. Before we starting Anonymous-OS we said that if we feel that our efforts cause a bad thing for Linux and opensource software, then we will stop this effort. For now, is not available link to download Anonymous-OS.
Please don’t try to download it from any host site or torrent without trusting the user to upload the Anonymous-OS. If you not sure, is better to use another Linux distro. There are many distros where you can use all of these tools including Anonymous-OS.

Maybe we come back in the future and continue Anonymous-OS or something like that.

P.S.
Sorry, we forgot say for one more time that of course there is not trojans, malware,etc on Anonymous-OS.

——————————————————————————————

We are Anonymous.
We are Legion.
We do not Forgive.
We do not Forget.

Expect Us! "

SOURCE : http://anonymous-os.tumblr.com/post/19578183791/anonymous-os-is-not-available-anymore

Category: # Hackers News | Views: 4358 | Added by: Administrator | Date: 2012-03-23 | Comments (0)

Anonymous Deface page - "POPE is not welcome, out out !!!”



Anonymous blocked access to two websites linked to the upcoming visit to Mexico by Pope Benedict XVI. Anonymous Hispano, the hackers, succeeded in temporarily knocking the websites offline and defacing them with their own message: "Hacked system. The POPE is not welcome, out out!!!!!"

In its profile on the social network Facebook, Anonymous Hispano said the Comfil site was "hacked for supporting Benedict XVI." Benedict is scheduled to visit Mexico Friday through Monday, prior to a three-day trip to Cuba.

In a video that was posted on YouTube, the hackers said that the pope's visit comes at the start of the campaign ahead of Mexico's July 1 presidential election, and that it seeks to benefit the ruling-party candidate. The Roman Catholic church, the video said, seeks "to keep the population shrouded in lies." According to Anonymous, the pope will not see either the poverty or the violence that are ravaging Mexico. He will instead encounter "a country of lies and facades where everything will apparently be wonderful," the cyberactivists said.

Anonymous has conducted operations in Mexico before, targeting the notorious drug cartels in the past when members of the hacktivist collective were held captive by the Mexican warlords. ... Read more »
Category: # Hackers News | Views: 4739 | Added by: Administrator | Date: 2012-03-23 | Comments (0)
