Showing posts with label Links. Show all posts

Tuesday, July 29, 2008

Evilgrade - What Next ?

Francisco Amato of Infobyte Security Research has announced ISR-evilgrade v1.0.0, a toolkit for exploiting products whose online update mechanisms are insecure, i.e. that fetch and run an update without verifying where it came from or whether it has been tampered with. The tool works in conjunction with man-in-the-middle techniques (DNS, ARP, DHCP spoofing, etc.) to exploit a wide variety of applications: once the attacker controls where the update request is answered from, the application downloads and runs the attacker's "update". The demonstration video uses the CAU/Metasploit DNS exploit together with the Sun Java update mechanism to execute code on a fully patched Windows machine. For more information, see the README and slide deck. The first release includes exploits for Sun Java, WinZip, Winamp, Mac OS X, OpenOffice, iTunes, LinkedIn Toolbar, DAP, Notepad++, and Speedbit.

http://www.infobyte.com.ar/developments.htm
http://www.infobyte.com.ar/down/isr-evilgrade-Readme.txt

Tuesday, June 17, 2008

==== Google Talk and Password Saving Feature's Security ====

Do you save passwords?

This is a WRITEUP about the Google Talk application and its password-saving facility.
Tested on Google Talk 1.0.0.104. When set to save the password, GTalk hashes and stores it, as any other application does for convenience, but in a very secure manner.

I've developed a small application (client-server) which, when executed by the target, sends you its login name and hashed (/ encrypted) password string. When successfully dropped into and executed from C:\Documents and Settings\All Users\Start Menu\Programs\Startup\, the application tricks Windows Firewall and doesn't show the unblock / cancel popup box.

The application running on the attacker's end will obtain the hash sent to it and will display the hash string on its side. The attacker can then replace/create his password hash with the target's hash. After this, when the attacker launches Google Talk, we expect the (asterisked) password to be the same as the target's.
A password unhider tool can now aid the attacker in revealing (unmasking) what the actual password of the target is.

[ Demonstration ]

- Save svch0st.exe (attached) to C:\Documents and Settings\All Users\Start Menu\Programs\Startup
- Execute CollectGTPass.exe (attached)
- CollectGTPass.exe opens port 2803 on localhost and will wait for a signal from its target(s). (In our case the target will connect to 127.0.0.1, since the client and server are both running locally on 127.0.0.1.) Note that the target IP and attacker connection IP have been hardcoded in the exe, since this is not a malware (trojan tool) for everyone and is just for demonstration purposes.
- In the demonstration video (attached) XP Firewall prompted for CollectGTPass.exe (GPWS2.exe), and the application has now been unblocked in the XP Firewall.
- When you test this, the Firewall won't pop up any alert, since the target is connecting to loopback. In a remote scenario, to avoid the alert, svch0st.exe adds itself to the list of AuthorizedApplications residing in HKLM before trying to connect remotely (successfully tested, as shown in the video).
- Execute svch0st.exe
- svch0st.exe sends the encrypted password to Target:2803
- CollectGTPass.exe will now receive the encrypted password and will wait for the next one.
- CollectGTPass waits forever to collect more password hashes from other sources.
- This tool has been successfully tested to obtain a target's hash remotely, both in a local network and over public IPs.
- Screenshots and a video of successful local and remote retrieval attempts, respectively, are attached.

[ Question ]
So does it work? Do we get the target's password?
[ Answer ]
NO!!
We get the hash, and using a password unmasking tool we view the password.
But the hashing algorithm is still unknown to me.
[ Moral of the Story ]
Don't save passwords. Not everything is GTalk.

[ What's Next ? ]
Skype.
Video: http://senduit.com/96f520

.:credit:. .=.QuakerD00mer.=.

Tuesday, June 3, 2008

Built-in Windows commands to determine if a system has been hacked

1) WMIC: A world of adventure awaits

C:\> wmic process
C:\> wmic process list brief
C:\> wmic process list full
C:\> wmic startup list full
C:\> wmic process list brief /every:1
Hitting CTRL+C will stop the cycle.

2) The net command: An oldie but a goodie

3) Openfiles: Deep scrutiny

C:\> openfiles /local on
C:\> openfiles /query /v
C:\> openfiles /local off

4) Netstat: Show me the network

C:\> netstat -nao
C:\> netstat -s -p icmp
C:\> netstat -na 2

5) Find: Searching output for useful stuff

C:\> wmic process list brief /every:1 | find "cmd.exe"
C:\> wmic startup list brief | find /i "hklm"

Researching output

With these five tools, users can get a great deal of information about the configuration and security state of a Windows machine. To use each command to identify a compromise, however, the user needs to compare the current state of the machine under analysis (running processes, startup entries, open files, listening ports and connections) against that of a known-good, uninfected machine of the same build; an entry that is absent from that baseline is what warrants a closer look.
For detailed use of the commands and interpretation of their output, read the full article from which these are summarized.
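The baseline comparison described above is tedious by eye, so here is an added example (written for this page, not part of the original post or the article it summarizes) that does it mechanically in Python: it parses the output of `netstat -nao` and `wmic process list brief`, joins the two on PID, and reports listeners, external connections and processes that are not in a recorded baseline. The two command outputs embedded below are constructed samples, not captures from a real host; they reuse the svch0st.exe / CollectGTPass.exe names and port 2803 from the Google Talk write-up above as the "infected" side. The baseline sets and the 203.0.113.9 peer are assumed values; in practice you would record the baseline from a clean build of the same image and pipe the real command output into the two parsers.

```python
import ipaddress
import re

# Constructed sample of `netstat -nao` output (not captured from a real host).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:2803           0.0.0.0:0              LISTENING       1592
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1045       203.0.113.9:4444       ESTABLISHED     1620
  UDP    0.0.0.0:500            *:*                                    744
"""

# Constructed sample of `wmic process list brief` output (columns space-padded).
WMIC_SAMPLE = """\
HandleCount  Name                 Priority  ProcessId  ThreadCount  WorkingSetSize
0            System Idle Process  0         0          1            28672
458          System               8         4          60           233472
312          svchost.exe          8         884        12           5046272
180          lsass.exe            9         744        20           1400832
55           CollectGTPass.exe    8         1592       3            3051520
41           svch0st.exe          8         1620       2            2908160
"""

# Assumed baseline, recorded earlier from a known-clean build of the same image.
BASELINE_LISTENERS = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("UDP", 500)}
BASELINE_PROCESSES = {"System Idle Process", "System", "svchost.exe", "lsass.exe"}

# Ranges treated as "inside"; an ESTABLISHED peer outside them is reported.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "0.0.0.0/8")]

# State column is absent on UDP rows, hence the optional group.
NETSTAT_RE = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)$")
# Name may contain spaces ("System Idle Process"), so match it non-greedily
# between the HandleCount and the four trailing numeric columns.
WMIC_RE = re.compile(r"^(\d+)\s+(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")


def parse_netstat(text):
    """Return one dict per socket line of `netstat -nao` output."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if not m:
            continue  # banner, header and blank lines
        proto, local, foreign, state, pid = m.groups()
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state or "", "pid": int(pid)})
    return rows


def parse_wmic_brief(text):
    """Map ProcessId -> Name from `wmic process list brief` output."""
    procs = {}
    for line in text.splitlines():
        m = WMIC_RE.match(line.strip())
        if m:
            procs[int(m.group(4))] = m.group(2)
    return procs


def port_of(addr):
    return int(addr.rsplit(":", 1)[1])  # works for "[::]:135" too


def host_of(addr):
    return addr.rsplit(":", 1)[0].strip("[]")


def is_internal(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # "*" or a hostname: not a numeric peer to judge
    return any(ip in net for net in INTERNAL_NETS)


def find_anomalies(netstat_text, wmic_text):
    """Join sockets to processes by PID and diff the result against the baseline."""
    procs = parse_wmic_brief(wmic_text)
    findings = {"unexpected_listeners": [], "external_connections": [],
                "unknown_processes": []}
    for row in parse_netstat(netstat_text):
        name = procs.get(row["pid"], "<unknown>")
        listening = row["state"] == "LISTENING" or row["proto"] == "UDP"
        key = (row["proto"], port_of(row["local"]))
        if listening and key not in BASELINE_LISTENERS:
            findings["unexpected_listeners"].append(key + (row["pid"], name))
        if row["state"] == "ESTABLISHED" and not is_internal(host_of(row["foreign"])):
            findings["external_connections"].append((row["pid"], name, row["foreign"]))
    for pid, name in sorted(procs.items()):
        if name not in BASELINE_PROCESSES:
            findings["unknown_processes"].append((pid, name))
    return findings


if __name__ == "__main__":
    for kind, items in find_anomalies(NETSTAT_SAMPLE, WMIC_SAMPLE).items():
        for item in items:
            print(kind, item)
```

On the constructed sample this reports the listener on TCP 2803 owned by CollectGTPass.exe, the established session from svch0st.exe to 203.0.113.9:4444, and both binaries as processes absent from the baseline. The join on PID is the useful part: `netstat -nao` alone tells you a port is open, `wmic process list brief` alone tells you a process exists, and only together do they tell you which unknown process is talking to whom.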

Friday, May 30, 2008

Pen_Testing_Tools.xls

One of the bigger challenges for anyone getting into penetration testing is the number of tools available and their purpose in the overall penetration test. This Excel sheet was the first step for me in getting to know and understand the tools available to penetration testers. Each tool is grouped, ordered and rated (based on my own personal rating). The sheet also lists the website from which to download the tool and the OS/environment the tool runs under. The PenTools.xls file can be downloaded from the URL below and is approximately 40KB.
http://www.shanedevane.net/PenTools.xls

Taken from: www.governmentsecurity.org

Saturday, March 1, 2008

Goolag Scanner, a webauditing tool

LUBBOCK, TX, February 20th -- Today CULT OF THE DEAD COW (cDc), the world's most attractive hacker group, announced the release of Goolag Scanner, a web auditing tool. Goolag Scanner enables everyone to audit his or her own website via Google. The scanner technology is based on "Google hacking," a form of vulnerability research developed by Johnny I Hack Stuff. He's a lovely fellow. Go buy him a drink.

"It's no big secret that the Web is the platform," said cDc spokesmodel Oxblood Ruffin. "And this platform pretty much sucks from a security perspective. Goolag Scanner provides one more tool for web site owners to patch up their online properties. We've seen some pretty scary holes through random tests with the scanner in North America, Europe, and the Middle East. If I were a government, a large corporation, or anyone with a large web site, I'd be downloading this beast and aiming it at my site yesterday. The vulnerabilities are that serious."

Goolag Scanner will be released open source under the GNU Affero General Public License. It is dedicated to the memory of Wau Holland, founder of the Chaos Computer Club, and a true champion of privacy rights and social justice.

GOOLAG SCANNER FUNCTIONS AND FEATURES

Goolag Scanner is a standalone Windows GUI-based application. It uses one XML-based configuration file for its settings. All dorks coming with the distribution of gS are kept inside one file.

Thursday, February 28, 2008

Cold Boot Attacks on Encryption Keys

Abstract: Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images.

The authors have come up with a new and interesting type of attack: cut power, image the DRAM before it decays, and recover the encryption keys that were held in it. Because the image is partly decayed, recovering a key means finding it despite a few flipped bits.
http://citp.princeton.edu/memory/
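The part of the attack the abstract only hints at is how a key is located in a decayed image. A useful handle is that software implementations of AES keep the expanded key schedule in memory next to the key, and the schedule is derived deterministically from the key, so a 16-byte window is a plausible AES-128 key if the 160 bytes after it look like its expansion even with a few bits flipped. The following is an added example written for this page, not code from the Princeton paper or its tools: a from-scratch AES-128 key expansion, a scanner that tests every offset against the decayed bytes, and a constructed "memory image" with a planted, then randomly damaged, schedule. The image, the planting offset, the error budget and the seed are assumptions for the demonstration; the simplified scanner tolerates errors in the round keys only, and a fuller implementation would also correct flipped bits inside the 16 key bytes themselves.

```python
import random

# AES round constants for the 10 rounds of AES-128.
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox():
    """Derive the AES S-box: multiplicative inverse, then the affine map + 0x63."""
    inv = [0] * 256
    for x in range(1, 256):
        for y in range(1, 256):
            if _gf_mul(x, y) == 1:
                inv[x] = y
                break
    sbox = []
    for x in range(256):
        s = r = inv[x]
        for _ in range(4):                # s = b ^ rotl1(b) ^ ... ^ rotl4(b)
            r = ((r << 1) | (r >> 7)) & 0xFF
            s ^= r
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()


def expand_key(key):
    """AES-128 key expansion: 16-byte key -> 176-byte schedule (11 round keys)."""
    words = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = list(words[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord then SubWord
            t[0] ^= RCON[i // 4 - 1]
        words.append([words[i - 4][j] ^ t[j] for j in range(4)])
    return bytes(b for w in words for b in w)


def _bit_errors(a, b):
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def find_aes128_keys(image, max_bit_errors=8):
    """Return (offset, key, bit_errors) for every 16-byte window whose expansion
    matches the next 160 bytes of the image within max_bit_errors flipped bits.
    Random data mismatches by ~640 bits, so false positives are not a concern."""
    hits = []
    for off in range(len(image) - 176 + 1):
        cand = image[off:off + 16]
        errs = _bit_errors(expand_key(cand)[16:], image[off + 16:off + 176])
        if errs <= max_bit_errors:
            hits.append((off, cand, errs))
    return hits


def build_decayed_image(key, offset, size=2048, flips=6, seed=7):
    """Constructed DRAM image (assumption, not a real capture): random filler with
    a key schedule planted at `offset`, then `flips` random bits flipped inside
    the round keys to mimic decay. Flips may land on the same bit twice, so the
    surviving error count is at most `flips`."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[offset:offset + 176] = expand_key(key)
    for _ in range(flips):
        pos = offset + 16 + rng.randrange(160)
        buf[pos] ^= 1 << rng.randrange(8)
    return bytes(buf)


if __name__ == "__main__":
    planted = bytes(range(16))
    image = build_decayed_image(planted, offset=1000)
    for off, key, errs in find_aes128_keys(image):
        print(f"key at offset {off}: {key.hex()} ({errs} bit errors in schedule)")
```

The check against a known-answer vector matters when you write your own expansion: for the key 000102...0f the first round key must be d6aa74fdd2af72fadaa678f1d6ab76fe and the last 13111d7fe3944a17f307a78b4d2b30c5 (FIPS-197 Appendix C.1). The scan itself is the same idea for any cipher whose key material is stored with derived, redundant state; what changes is the predicate that says "this window is consistent with the bytes around it".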