Saturday, April 30, 2011

Mozilla Firefox 4.0.1: First Security Update



Mozilla has released Firefox 4.0.1, the first update to its open source browser, Firefox 4.

Fourteen flaws are fixed in Firefox 4.0.1, of which 13 are categorized as critical vulnerabilities and one as a low-impact vulnerability.

The biggest category of fixed vulnerabilities in Firefox 4.0.1 is memory-safety issues, with 10 identified flaws.

"Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products," Mozilla warned in its advisory. "Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code." 

You can check their warning here.

The high impact category of flaws is in WebGL and its related WebGLES graphics library. Mozilla is providing three fixes for WebGLES flaws in the Firefox 4.0.1 update.

As opposed to the critical memory flaws that Mozilla is patching with the Firefox 4.0.1 release, the XSLT flaw will not lead to arbitrary code execution. According to Mozilla, the XSLT flaw could have been used by an attacker to help launch some form of memory corruption that could possibly make another attack more reliable.

The Firefox 4.0.1 release is the first update to Mozilla's browser since the Firefox 4 release in March. Firefox developers are currently working on Firefox 5, which may be released at the end of June.






Thursday, April 28, 2011

Hacker Used SQL-injection to Get 675K Credit Card

A computer hacker from Georgia has pleaded guilty to fraud and identity theft after authorities found him with more than 675,000 stolen credit card accounts on his home computers. Credit card companies have traced more than $36 million in fraudulent transactions to the accounts that were breached by Rogelio Hackett.
How did he do it? Briefly, the hacker used SQL injection attacks on web resources; he was able to use different SQL vulnerabilities even though this kind of vulnerability is well known. SQL injection is one of the popular attacks on a web application's backend database. Unlike an XSS vulnerability, where the attacker uses JavaScript to target the client browser, SQL injection targets the SQL statement being executed by the application on the backend database.
Hackers usually identify an SQL injection vulnerability by adding invalid or unexpected characters to a parameter value and watching for errors in the application's response. For example:
http://www.example.com/users.asp?id=mark'
If the request generates an error, it is a good indication of a mishandled quotation mark, and the application may be vulnerable to SQL injection attacks. I think that automated tools can do a fast job of checking for these vulnerabilities, such as Havij, a very fast tool that helps penetration testers find and exploit SQL injection vulnerabilities on a web page.
SQL injection takes advantage of poorly written web applications that write data directly into the database. In fact, SQL injection does not depend on the application language: the programming mistakes that allow it can be made in almost any programming language.
That's why it is very important to conduct black-box application penetration testing, as this can reveal OWASP Top 10 application vulnerabilities, including SQL injection, parameter manipulation, cookie poisoning, and XSS.
An attacker who wishes to grab usernames and passwords might try phishing and social engineering attacks against an application's users. On the other hand, hackers can try to pull everyone's credentials directly from the database.
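The mishandled quotation mark described above, shown beside its fix as an added example (not code from the original post or from any application it mentions). The `users` table, its rows and the `handle_request` stand-in for `users.asp` are constructed for illustration; SQLite is used only so the example runs offline.

```python
import sqlite3


def make_db():
    """In-memory users table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id TEXT PRIMARY KEY, email TEXT)")
    db.executemany(
        "INSERT INTO users (id, email) VALUES (?, ?)",
        [("mark", "mark@example.com"), ("o'brien", "obrien@example.com")],
    )
    return db


def lookup_concatenated(db, user_id):
    """Anti-pattern: the id parameter is pasted into the SQL text, so a
    quotation mark in the value changes how the statement is parsed."""
    sql = "SELECT email FROM users WHERE id = '" + user_id + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, user_id):
    """Fix: the value is bound to a placeholder and is only ever data."""
    return db.execute(
        "SELECT email FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def handle_request(lookup, db, user_id):
    """Hypothetical stand-in for the users.asp handler: (status, body)."""
    try:
        rows = lookup(db, user_id)
    except sqlite3.Error:
        # The database rejected the statement. An error response here is
        # the signal the post describes; keep the details in server logs.
        return 500, "internal error"
    if not rows:
        return 404, "no such user"
    return 200, rows[0][0]


def quote_regression_check(lookup):
    """Regression test for a lookup function: a lone quote must not cause
    a database error, and an id containing an apostrophe must resolve."""
    db = make_db()
    return {
        "known_id": handle_request(lookup, db, "mark"),
        "trailing_quote": handle_request(lookup, db, "mark'"),
        "apostrophe_id": handle_request(lookup, db, "o'brien"),
    }


if __name__ == "__main__":
    for name, fn in (("concatenated", lookup_concatenated),
                     ("parameterized", lookup_parameterized)):
        print(name, quote_regression_check(fn))
```

The concatenated version fails on a legitimate apostrophe as well as on the stray quote, which is why the fix is binding parameters rather than stripping characters from input.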


Infondlinux: Install Useful Security Tools & Firefox Addons for hackers

Infondlinux is a script that installs most of the hacking tools that we use during penetration tests and capture the flag tournaments. It is a post-configuration script for Ubuntu Linux. We can also install it on other *nix systems, but not all of the tools mentioned below may work, depending on the environment. It has been actively tested on Ubuntu 10.10.

It installs useful security tools and Firefox addons. The tools installed by the script are listed at the beginning of its source code, which we can edit as per our requirements.

List of security tools included:
Debian packages:
  • imagemagick
  • vim
  • less
  • gimp
  • build-essential
  • wipe
  • xchat
  • pidgin
  • vlc
  • nautilus-open-terminal
  • nmap
  • zenmap
  • sun-java6-plugin, jre and jdk
  • bluefish
  • flash-plugin-nonfree
  • aircrack-ng
  • wireshark
  • ruby
  • ascii
  • webhttrack
  • socat
  • nasm
  • w3af
  • subversion
  • mercurial
  • libopenssl-ruby
  • ruby-gnome2
  • traceroute
  • filezilla
  • gnupg
  • rubygems
  • php5
  • libapache2-mod-php5
  • mysql-server
  • php5-mysql
  • phpmyadmin
  • extract
  • p0f
  • spikeproxy
  • ettercap
  • dsniff:
    • arpspoof: sends out unrequested (and possibly forged) ARP replies.
    • dnsspoof: forges replies to arbitrary DNS address / pointer queries on the Local Area Network.
    • dsniff: password sniffer for several protocols.
    • filesnarf: saves selected files sniffed from NFS traffic.
    • macof: floods the local network with random MAC addresses.
    • mailsnarf: sniffs mail on the LAN and stores it in mbox format.
    • msgsnarf: records selected messages from different Instant Messengers.
    • sshmitm: SSH monkey-in-the-middle; proxies and sniffs SSH traffic.
    • sshow: SSH traffic analyser.
    • tcpkill: kills specified in-progress TCP connections.
    • tcpnice: slows down specified TCP connections via “active” traffic shaping.
    • urlsnarf: outputs selected URLs sniffed from HTTP traffic in CLF.
    • webmitm: HTTP / HTTPS monkey-in-the-middle; transparently proxies.
    • webspy: sends URLs sniffed from a client to your local browser.
  • unrar
  • torsocks
  • secure-delete
  • nautilus-gksu
  • sqlmap
Third party packages:
  • tor
  • tor-geoipdb
  • virtualbox 4.0
  • google-chrome-stable
Manually downloaded software and versions:
  • DirBuster (1.0RC1)
  • truecrypt (7.0a)
  • metasploit framework (3.6)
  • webscarab (latest)
  • burp suite (1.3.03)
  • parosproxy (3.2.13)
  • jmeter (2.4)
  • rips (0.35)
  • origami-pdf (latest)
  • pdfid.py (0.0.11)
  • pdf-parser.py (0.3.7)
  • fierce (latest)
  • wifite (latest)
  • pyloris (3.2)
  • skipfish (1.86 beta)
  • hydra (6.2)
  • Maltego (3.0)
  • SET
Author made scripts:
  • hextoasm
  • md5crack.py (written by Corbiero)
  • chartoascii.py
  • asciitochar.py
  • rsa.py
Firefox extensions:
  • livehttpheaders
  • firebug
  • tamperdata
  • noscript
  • flashblock
  • flashgot
  • foxyproxy
  • certificatepatrol
  • chickenfoot 1.0.7
Pretty good list of applications we must say.
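How to install/download

# download:
$ wget http://infondlinux.googlecode.com/svn/trunk/infondlinux.sh
# review the tool list at the top of the script and edit it as required:
$ less infondlinux.sh
# install (run the downloaded file through bash; it is not on the PATH):
$ sudo bash infondlinux.sh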

enjoy it :)






Tuesday, April 26, 2011

Data Breach Investigations Report for 2011

The latest Data Breach Investigations Report for 2011, with comparisons, is out with some shocking statistics.
361 million >> 144 million >> 4 million. Thus goes the tally of total records compromised across the combined caseload of Verizon and the United States Secret Service (USSS) over the last three years. After four years of increasing losses culminating in 2008’s record-setting 361 million, we speculated whether 2009’s drop to 144 million was a fluke or a sign of things to come. 2010’s total of less than four million compromised records seems to suggest it was a sign. But of what? And is it a permanent change in direction or a temporary detour? To help us answer that, we are very glad to have the United States Secret Service (USSS) back with us for the 2011 DBIR.

Additionally, we have the pleasure of welcoming the Dutch National High Tech Crime Unit (NHTCU) to the team. Through this cooperative effort, we had the privilege—and challenge—of examining about 800 new data compromise incidents since our last report (with 761 of those for 2010). To put that in perspective, the entire Verizon-USSS dataset from 2004 to 2009 numbered just over 900 breaches. We very nearly doubled the size of our dataset in 2010 alone!

Download pdf report here


Monday, April 25, 2011

Armitage 04.24.11



Armitage is a graphical attack management tool for Metasploit that visualizes your targets, recommends exploits, and exposes the advanced capabilities of the framework. Armitage's aim is to make Metasploit usable for security practitioners who understand hacking but do not use Metasploit every day.

New features in Armitage updated version.

  • Armitage -> Listeners -> Reverse now binds to 0.0.0.0.
  • Host import now posts an event to the collab mode shared event log
  • Added an option to display an MOTD message to clients that connect to Armitage in the collaboration mode. Use -m or --motd before --server and specify a file, e.g.
               armitage -m /path/to/motd.txt --server ...
  • Fixed a potential dead-lock condition with the screenshot/webcam shot tab.
  • Added Meterpreter -> Access -> Pass Session to send a meterpreter session to a handler set up on another host.
  • Armitage now sets ExitOnSession to false for multi/handlers started within Armitage.
  • Pivoting and ARP Scan dialogs now highlight first option by default.
  • Added a sanity check to the Route class to prevent malformed IPs from screwing up sorting.
  • Removed sqlite3 from the database options. I should have done this long ago–it has no place in Armitage.
  • Armitage now intercepts meterpreter “shell” command and opens a new tab with the cmd.exe interaction in it.
You can download Armitage from:

Windows - here
Linux - here
MacOS X - here

Learn more about Armitage - fastandeasyhacking














Sunday, April 24, 2011

How to Disable Geolocation in Specific Programs

Geolocation is a rather secret feature of some browsers and toolbars. It allows the creator of that program to get a fix on the location of your computer to within a few meters of where you actually live.

If you want to see how to disable geolocation on Twitter, Thunderbird, Internet Explorer, Apple Safari, Gmail, etc., please go to the Source.
- Facebook (initially just for the iPhone client):
• Go to Privacy Settings
• Click ‘Custom’
• Click ‘Custom Settings’
• Disable ‘Places I check in’
• Disable ‘People here now’
• Disable ‘Friends can check me in to places’

- Google Chrome:
• Go to the ‘Customize and control Google Chrome’ icon (the little blue wrench on the top right)
• Go to ‘Options’
• Go to ‘Under the Bonnet’
• Choose ‘Content Settings’
• Choose ‘Location’
• Check ‘Do not allow any site to track my physical location’

- Mozilla Firefox:
• Type ‘about:config’ in the address bar (without the quotes)
• Dismiss the warning by hitting ‘yes’
[1] Scroll down until you reach ‘geo.enabled’, or simply search for ‘geo.enabled’
• Double-click the item and it will change from its default value ‘True’ to ‘False’
[2] Scroll down until you reach ‘geo.wifi.uri’, or simply search for ‘geo.wifi.uri’
• Right-click the value of ‘geo.wifi.uri’ and click ‘Modify’
• Type in ‘localhost’ and hit ‘OK’
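To verify the Firefox steps above across several profiles without opening about:config in each one, the check below parses a profile's prefs.js and reports whether both settings are in effect. It is an added example, not part of the original post; it assumes changed preferences are stored as `user_pref("name", value);` lines, and the two sample files are constructed.

```python
import re

# Hardened values taken from the Firefox steps above.
EXPECTED = {"geo.enabled": False, "geo.wifi.uri": "localhost"}
# prefs.js only records preferences changed from their defaults, so a
# missing entry means the default applies. Per the steps above,
# geo.enabled defaults to true.
DEFAULTS = {"geo.enabled": True}

PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.+?)\s*\)\s*;\s*$'
)


def parse_value(raw):
    """Convert a prefs.js literal (bool, quoted string, int) to Python."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_prefs(text):
    """Return {name: value} for every user_pref line; skip other lines."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_RE.match(line)
        if match:
            prefs[match.group(1)] = parse_value(match.group(2))
    return prefs


def audit_geolocation(text):
    """Per-pref result: the effective value and whether it is hardened."""
    prefs = parse_prefs(text)
    report = {}
    for name, want in EXPECTED.items():
        have = prefs.get(name, DEFAULTS.get(name, "<default>"))
        # Compare type as well as value so an integer 0 is not read as False.
        ok = type(have) is type(want) and have == want
        report[name] = {"value": have, "ok": ok}
    return report


def is_hardened(text):
    return all(entry["ok"] for entry in audit_geolocation(text).values())


# Constructed sample: only the second half of the procedure was applied.
PARTIAL_PREFS = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("geo.wifi.uri", "localhost");
'''
# Constructed sample: both steps applied.
HARDENED_PREFS = PARTIAL_PREFS + 'user_pref("geo.enabled", false);\n'

if __name__ == "__main__":
    for label, text in (("partial", PARTIAL_PREFS), ("hardened", HARDENED_PREFS)):
        print(label, is_hardened(text), audit_geolocation(text))
```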


Metasploit (Video Tutorials)


Metasploit is one of the tools that every hacker has in his tool kit. It contains lots of modules and exploits which can be used with various payloads to break into boxes.

In this video series you will go through the Metasploit framework, starting from the very basics of Metasploit and slowly moving towards intermediate and advanced functionality, including creation of Meterpreter scripts and extending the framework.

Video Series Link (Original source)

1. Metasploit Megaprimer Part 1 (Exploitation Basics and need for Metasploit)

http://www.securitytube.net/video/1175

2. Metasploit Megaprimer Part 2 (Getting Started with Metasploit)
http://www.securitytube.net/video/1176

3. Metasploit Megaprimer Part 3 (Meterpreter Basics and using Stdapi)
http://www.securitytube.net/video/1181

4. Metasploit Megaprimer Part 4 (Meterpreter Extensions Stdapi and Priv)
http://www.securitytube.net/video/1182

5. Metasploit Megaprimer Part 5 (Understanding Windows Tokens and Meterpreter Incognito)
http://www.securitytube.net/video/1183

6. Metasploit Megaprimer Part 6 (Espia and Sniffer Extensions with Meterpreter Scripts)
http://www.securitytube.net/video/1184

7. Metasploit Megaprimer Part 7 (Metasploit Database Integration and Automating Exploitation)
http://www.securitytube.net/video/1185

8. Metasploit Megaprimer Part 8 (Post Exploitation Kung Fu)
http://www.securitytube.net/video/1187

9. Metasploit Megaprimer Part 9 (Post Exploitation Privilege Escalation)
http://www.securitytube.net/video/1188

10. Metasploit Megaprimer Part 10 (Post Exploitation Log Deletion and AV Killing)
http://www.securitytube.net/video/1189

11. Metasploit Megaprimer Part 11 (Post Exploitation and Stealing Data)
http://www.securitytube.net/video/1190

12. Metasploit Megaprimer Part 12 (Post Exploitation Backdoors and Rootkits)
http://www.securitytube.net/video/1191

13. Metasploit Megaprimer Part 13 (Post Exploitation Pivoting and Port Forwarding)
http://www.securitytube.net/video/1192

14. Metasploit Megaprimer Part 14 (Backdooring Executables)
http://www.securitytube.net/video/1198

15. Metasploit Megaprimer Part 15 (Auxiliary Modules)
http://www.securitytube.net/video/1199

16. Metasploit Megaprimer Part 16 (Pass the Hash Attack)
http://www.securitytube.net/video/1215

17. Metasploit Megaprimer Part 17 (Scenario Based Hacking)
http://www.securitytube.net/video/1219

Download (Part - Part )

http://www.filesonic.com/file/105648012/metasploit_megaprimer.part1.rar 

http://www.filesonic.com/file/105647782/metasploit_megaprimer.part2.rar 

http://www.filesonic.com/file/105648392/metasploit_megaprimer.part3.rar 

http://www.filesonic.com/file/105647932/metasploit_megaprimer.part4.rar 

http://www.filesonic.com/file/105641352/metasploit_megaprimer.part5.rar


I take no authorization of the content.


Friday, April 22, 2011

Detecting Google hacking against your Website

Google and other search engines are used for many purposes, such as finding useful information, important websites and the latest news on different topics. Google indexes a huge number of web pages, and that number grows daily. From the security perspective, these indexed pages may contain different kinds of sensitive information.
Google hacking involves using advanced operators in the Google search engine to locate specific strings of text within search results. Some of the more popular examples are finding specific versions of vulnerable Web applications.
GHH is a “Google Hack” honeypot. GHH is designed to provide reconnaissance against attackers that use search engines as a hacking tool against your resources, so it implements honeypot theory to provide additional security to your web presence.
To install the Google Honeypot on your website, follow the install instructions. This allows you to monitor attempts by malicious attackers to compromise your security. The logging functions that GHH implements allow you, the administrator, to do what you like with the information. You can use the attack database to gather statistics on would-be attackers, report activities to appropriate authorities and temporarily or permanently deny access to resources.
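The honeypot idea described above, sketched over ordinary web server logs as an added example (this is not GHH's code and does not use its log format). It assumes Apache combined log format; the decoy paths are hypothetical, the log lines are constructed, and the search terms are only recoverable when the referring search engine passes them in a `q=` parameter.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Hypothetical decoy paths: linked only where crawlers find them, so a
# request for one is not ordinary visitor traffic.
DECOY_PATHS = {"/forum/admin_backup.php", "/old/phpinfo.php"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (documentation IP ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Apr/2011:10:14:55 +0000] "GET /index.html HTTP/1.1" '
    '200 1043 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Apr/2011:10:15:02 +0000] "GET /old/phpinfo.php HTTP/1.1" '
    '200 512 "http://www.google.com/search?q=intitle%3Aphpinfo" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Apr/2011:10:15:09 +0000] "GET /forum/admin_backup.php?x=1 HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [22/Apr/2011:11:02:40 +0000] "GET /forum/admin_backup.php HTTP/1.1" '
    '200 512 "-" "curl/7.21"',
    'truncated line that does not parse',
]


def search_query(referer):
    """Return the q= search terms from a Referer URL, or None if absent."""
    if not referer or referer == "-":
        return None
    terms = parse_qs(urlsplit(referer).query).get("q")
    return terms[0] if terms else None


def honeypot_hits(lines):
    """Group requests for decoy paths by client IP; skip unparsable lines."""
    hits = defaultdict(list)
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        path = urlsplit(match.group("target")).path
        if path in DECOY_PATHS:
            hits[match.group("ip")].append({
                "time": match.group("ts"),
                "path": path,
                "query": search_query(match.group("referer")),
            })
    return dict(hits)


def deny_list(hits, threshold=1):
    """Clients with at least `threshold` decoy requests, for blocking."""
    return sorted(ip for ip, events in hits.items() if len(events) >= threshold)


if __name__ == "__main__":
    found = honeypot_hits(SAMPLE_LOG)
    for ip, events in found.items():
        print(ip, events)
    print("deny:", deny_list(found, threshold=2))
```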


Monday, April 18, 2011

European Space Agency (ESA.INT) Hacked – Full Disclosure


( European Space Agency )
The European Space Agency (ESA), established in 1975, is an intergovernmental organisation dedicated to the exploration of space, currently with 18 member states. Headquartered in Paris, ESA has a staff of more than 2,000 with an annual budget of about €3.99 billion / $5.65 billion US dollars (2011).
ESA’s space flight program includes human spaceflight, mainly through the participation in the International Space Station program, the launch and operations of unmanned exploration missions to other planets and the Moon, Earth observation, science, telecommunication as well as maintaining a major spaceport, the Guiana Space Centre at Kourou, French Guiana, and designing launch vehicles. The main European launch vehicle Ariane 5 is operated through Arianespace with ESA sharing in the costs of launching and further developing this launch vehicle.
More here.
******************************************************************
(+) Authors : TinKode
(+) WebSite : TinKode27.BayWords.Com
(+) Date : 17.04.2011
(+) Hour : 17:17 PM
(+) Targets : www.esa.int (European Space Agency)
(+) Document: ESA.int Full Disclosure (Hacked)
(+) Method : UnKn0Wn
******************************************************************
Text Files:
  • Main information about server. Click here.
  • Main accounts from ESA.INT (Root Accounts, Emails, FTPs, Admins, Editors, etc). Click here.
Emails:

Preview of Root accounts,  Emails,  FTPs,  etc:
source:tinkode
