Darknet – The Darkside


http://www.darknet.org.uk
Ethical Hacking, Penetration Testing & Computer Security
Feed built: Wed, 12 Apr 2017 17:23:30 +0000

Prisoners Hack Prison From Inside Prison
http://www.darknet.org.uk/2017/04/prisoners-hack-prison-from-inside-prison/
Published: Wed, 12 Apr 2017 14:41:20 +0000


Prisoners hack prison! Sounds exciting, right? This time it’s actually pretty entertaining: the prisoners managed to hack a prison network from INSIDE the prison using scavenged PC parts from a rehabilitation class.

Some pretty resourceful guys, managing to build 2 functional PCs from scrapped parts AND connect to the prison network AND try to hack their way out of the proxy.

We are impressed by prisoners in the US who built two personal computers from parts, hid them behind a plywood board in the ceiling of a closet, and then connected those computers to the Ohio Department of Rehabilitation and Correction’s (ODRC) network to engage in cyber shenanigans.

Compliments are less forthcoming from the State of Ohio’s Office of the Inspector General, which published its 50-page report [PDF] into this incident yesterday, following a lengthy investigation.

The Inspector General was alerted to the issue after ODRC’s IT team migrated the Marion Correctional Institution from Microsoft proxy servers to Websense. Shortly afterwards, on 3 July 2015, a Websense email alert reported to ODRC’s Operation Support Centre (OSC) that a computer operating on the network had exceeded a daily internet usage threshold. Further alerts, seven regarding “hacking” and 59 regarding “proxy avoidance”, reported that the user was committed to network mischief.

From there the search for the miscreant began, and once the log-in credentials used were found to be illicit, the ODRC’s IT employees attempted to find the unauthorised computer by locating the network switch it was connected into.

Judging from the way the scenario is described I’d assume (fairly safely) this is a low-security prison, probably THE lowest security AKA a white-collar prison.

There’s no way this kind of shenanigans could happen in a high-security facility. Plus, whoever pulled this off is definitely tech-savvy, so most likely a white-collar criminal rather than a violent murderer.

The computers were cobbled together from spare parts which prisoners had collected from Marion Correction Institution’s RET3, a programme that helped to rehabilitate prisoners by getting them to break down old PCs into component parts for recycling.

Forensic analysis of the computers completed by the Ohio Inspector General revealed that the users exploited their access to the ODRC’s systems to issue passes for inmates to gain access to multiple areas within the institution. They also used the Departmental Offender Tracking System to steal the personal information of another inmate and use those details to successfully apply for five credit cards.

Additional forensics by a more technical team reported finding “a large hacker’s toolkit with numerous malicious tools for possible attacks. These malicious tools included password-cracking tools, virtual private network tools (VPN), network enumeration tools, hand-crafted software, numerous proxy tools, and other software used for various types of malicious activity.”

In addition to the above, the forensics team found “self-signed certificates, Pidgin chat accounts, Tor sites, Tor geo exit nodes, ether soft, virtual phone, pornography, videos, VideoLan, and other various software” in addition to evidence that malicious activity had been occurring within the ODRC inmate network.

Some pretty advanced stuff going on there, delving into the darknet with Tor, self-signed SSL certs (probably trying to MiTM the proxy or something else on the network). Sounds like fun!

Apparently the 5 perps have been identified and split up; fun’s over, boys.

Source: The Register

The post Prisoners Hack Prison From Inside Prison appeared first on Darknet – The Darkside.

spectrology – Basic Audio Steganography Tool
http://www.darknet.org.uk/2017/04/spectrology-basic-audio-steganography-tool/
Published: Mon, 10 Apr 2017 13:03:42 +0000


spectrology is a Python-based audio steganography tool that can convert images to audio files with a corresponding spectrogram encoding; this allows you to hide messages, as images, inside audio files.

spectrology - Basic Audio Steganography Tool

Using this tool you can select the range of frequencies to be used, and all popular image codecs are supported.

Usage

usage: spectrology.py [-h] [-o OUTPUT] [-b BOTTOM] [-t TOP] [-p PIXELS]
                      [-s SAMPLING]
                      INPUT

positional arguments:
  INPUT                 Name of the image to be converted.

optional arguments:
  -h, --help            show this help message and exit
  -o OUTPUT, --output OUTPUT
                        Name of the output wav file. Default value: out.wav).
  -b BOTTOM, --bottom BOTTOM
                        Bottom frequency range. Default value: 200.
  -t TOP, --top TOP     Top frequency range. Default value: 20000.
  -p PIXELS, --pixels PIXELS
                        Pixels per second. Default value: 30.
  -s SAMPLING, --sampling SAMPLING
                        Sampling rate. Default value: 44100.

Example

python spectrology.py test.bmp -b 13000 -t 19000

You can download spectrology here:

spectrology-master.zip

Or read more here.

PowerMemory – Exploit Windows Credentials In Memory
http://www.darknet.org.uk/2017/04/powermemory-exploit-windows-credentials-memory/
Published: Fri, 07 Apr 2017 17:27:01 +0000


PowerMemory is a PowerShell-based tool to exploit Windows credentials present in files and memory; it leverages Microsoft-signed binaries to hack Windows.

PowerMemory - Exploit Windows Credentials In Memory

The method is totally new. It proves that it can be extremely easy to get credentials or any other information from Windows memory without needing to code in C-type languages. In addition, with this method, we can modify user-land and kernel-land behaviour without being caught by antivirus or new defensive techniques.

It can actually be done with a 4GL-type language or with a scripting language like PowerShell, which is installed everywhere.

With that being said, this technique makes detection hard, because we can do pretty much what we want just by sending and receiving bytes.

Features

  • It’s fully written in PowerShell
  • It can work locally as well as remotely
  • It can get the passwords of virtual machines without having any access to them (works for Hyper-V and VMware)
  • It does not use the operating system .dll to locate credential addresses in memory, but a Microsoft-signed debugger
  • PowerMemory maps the keys in the memory and cracks everything by itself (AES, TripleDES, DES-X)
  • It breaks undocumented Microsoft DES-X
  • It works even if you are on a different architecture than the target architecture
  • It leaves no trace in memory
  • It can manipulate memory to fool software and the operating system
  • It can write the memory to execute shellcode without making any API call, it only sends bytes to write at specific addresses

You can use the module waiting to be integrated to leave Wonder Land and launch a crafted advanced attack with PowerShell Empire serving as the vector.

You can download PowerMemory here:

PowerMemory-master.zip

Or read more here.

Microsoft Azure Web Application Firewall (WAF) Launched
http://www.darknet.org.uk/2017/04/microsoft-azure-web-application-firewall-waf-launched/
Published: Thu, 06 Apr 2017 05:38:08 +0000


Not too long after Amazon launched their cloud protection WAF, the Microsoft Azure Web Application Firewall (WAF) has been made generally available in all public Azure DCs.

Microsoft Azure Web Application Firewall (WAF) Launched

It’s a good move, with the majority of websites and services moving into one of the big 3 cloud providers (AWS, Google or Azure) and the vast majority of attacks following the same few patterns (SQL injection, XSS etc.). A WAF can mitigate a lot of that without too much worry about false positives.

Microsoft is making it harder for cyber-attackers to target web applications hosted on its Azure cloud computing platform.

Azure Web Application Firewall (WAF), a component of the company’s Azure Application Gateway offering, is now generally available in all public Azure data center regions. Azure Application Gateway is a cloud-based HTTP (Hypertext Transfer Protocol) load-balancing and SSL (Secure Sockets Layer) offloading system that enables businesses to build and deliver scalable and secure web applications.

With the addition of the Web Application Firewall, customers can now fortify their applications, making them less susceptible to cross-site scripting attacks, SQL injection and other methods of exploiting or disrupting web applications. The firewall provides protection for up to 20 websites per gateway.

In its analysis of the web security landscape for the fourth quarter of 2016, Akamai found that SQL injection was responsible for 51 percent of all web application attacks. As the term suggests, SQL injection involves inserting or “injecting” code into database-driven applications for the purposes of tampering with data, extracting information and other activities that pose a risk to sensitive or critical business data.

The Azure WAF is part of their Application Gateway and is now available across all public data center regions.

As with most things Microsoft, it seems to be a bit more automated and a bit less manual than the AWS option, which is basically just a glorified regex engine you have to configure yourself.

In addition to blocking SQL injection and cross-site scripting attempts, Azure Web Application Firewall can stop other common attack methods like remote file inclusion, command injection and HTTP request smuggling and response splitting, explained Yousef Khalidi, corporate vice president of Azure Networking at Microsoft, in a March 30 blog post.

It can also thwart attacks that depend on HTTP protocol anomalies and violations, along with misconfigured Apache and Internet Information Services (IIS) deployments, among other servers and applications involved in delivering a web application.

Automated tools like bots and crawlers are similarly blocked. Finally, the firewall helps customers stand up to debilitating HTTP denial-of-service attacks, added Khalidi.

Packing a big punch, courtesy of vast armies of compromised PCs and Internet of Things (IoT) devices, denial-of-service attacks have emerged as one of the leading threats affecting today’s web-facing businesses.

Last September, a website belonging to renowned security blogger Brian Krebs was hit with a massive distributed denial-of-service (DDoS) attack that overwhelmed his site with 665 Gbps of disruptive traffic.

The scale of the attack forced Akamai, the content delivery network that provided DDoS protection to the blog, to drop its support for Krebs. Around the same time, French cloud computing company OVH reported a DDoS attack approaching 1 Tbps.

It also mitigates more types of attacks by default, as well as some common misconfigurations, which you see a lot of in the cloud space (hello MongoDB).

Now we’ll have to wait and see if Google Cloud Platform comes out with a similar offering, then they will all be on par again.

Source: eWeek

HashData – A Command-line Hash Identifying Tool
http://www.darknet.org.uk/2017/04/hashdata-command-line-hash-identifying-tool/
Published: Mon, 03 Apr 2017 15:19:14 +0000


HashData is a Ruby-based command-line REPL Hash Identifying Tool with support for a lot of different (most popular) hash types.

HashData - A Command-line Hash Identifying Tool

Installation

$ gem install hashdata

Usage

Command Line

When installed, run hashdata and paste in hashes when prompted.

Library

Example Script:

require 'hashdata'
hash = HashData.new
puts(hash.check_type("1111111111111",'DES'))

The above should output true. The library only matches the start of your second input; this means that you can check that something is an MD5 hash without having to worry about whether it is from Joomla or Unix, for example.

Hashes Supported

  • Adler32
  • Blowfish(Eggdrop), Blowfish(OpenBSD)
  • CRC-16, CRC-16-CCITT
  • CRC-32, CRC-32B
  • CRC-96(ZIP)
  • Domain Cached Credentials, Domain Cached Credentials 2
  • DES(Unix), DES(Oracle)
  • FCS-16, FCS-32
  • FNV-132, FNV-164
  • GOST R 34.11-94
  • GHash-32-3, GHash-32-5
  • Haval-128, Haval-160, Haval-192, Haval-224, Haval-256
  • Joaat
  • Lineage II C4
  • LM
  • Lotus Domino
  • MD2, MD4, MD5
  • MD5(Joomla), MD5(osCommerce), MD5(PalshopCMS)
  • MD5(APR), MD5(Cisco PIX), MD5(Unix)
  • MD5(IP.Board), MD5(MyBB), MD5(phpBB3), MD5(WordPress)
  • MySQL3.x, MySQL4.x, MySQL5.x
  • MSSQL(2000), MSSQL(2005), MSSQL(2008)
  • NTLM
  • RAdmin v2.x
  • RIPEMD-128, RIPEMD-160, RIPEMD-256, RIPEMD-320
  • SAM(LM_Hash:NT_Hash)
  • SHA-1, SHA-1(Django), SHA-1(MaNGOS), SHA-1(MaNGOS2)
  • SHA-224
  • SHA-256, SHA-256(Django), SHA-256(Unix)
  • SHA3-224, SHA3-256, SHA3-384, SHA3-512
  • SHA-384, SHA-384(Django)
  • SHA-512, SHA-512(Drupal), SHA-512(Unix)
  • SSHA-1
  • Skein-256, Skein-256(128), Skein-256(160), Skein-256(224)
  • Skein-512, Skein-512(128), Skein-512(160), Skein-512(224), Skein-512(256), Skein-512(384)
  • Skein-1024, Skein-1024(384), Skein-1024(512)
  • Snefru-128, Snefru-256
  • Tiger-128, Tiger-160, Tiger-192
  • VNC
  • Whirlpool
  • XOR-32

You can download HashData here:

HashData-v0.0.3.zip

Or read more here.

European Commission Pushing For Encryption Backdoors
http://www.darknet.org.uk/2017/03/european-commission-pushing-for-encryption-backdoors/
Published: Fri, 31 Mar 2017 03:30:57 +0000


The debate surrounding encryption backdoors has been raging for years, with governments (that typically don’t really understand the things they are pushing for) requesting that all software have government ‘secured’ backdoor keys.

European Commission Pushing For Encryption Backdoors

This is now getting more serious in Europe with the EC actually forcing the issue (in a passive aggressive kind of way for now) and promising legislation to back it up within 2 years or so.

The European Commission will in June push for backdoor access to encryption used by apps, according to EU Justice Commissioner Věra Jourová.

Speaking publicly, and claiming that she has been pushed by politicians across Europe, Jourová said that she will outline “three or four options” that range from voluntary agreements by business to strict legislation.

The EC’s goal is to provide the police with a “swift and reliable” way to discover what users of encrypted apps have been communicating with others.

“At the moment, prosecutors, judges, also police and law enforcement authorities, are dependent on whether or not providers will voluntarily provide the access and the evidence. This is not the way we can facilitate and ensure the security of Europeans, being dependent on some voluntary action,” Jourová said, according to EU policy site Euractiv.

Typically governments will use the threat of legislation to push companies into agreeing to offer what they want voluntarily. But Jourová clearly expects some significant pushback from the tech industry – particularly US corporations such as Facebook and Apple – and so argued that the voluntary, non-legislative approaches would only be provisional in order to get to “a quick solution,” with laws coming later.

The intended message is that the EC is not bluffing and although it will take a few years to pass such legislation, it is prepared to do so, and may do so regardless of what app-makers offer.

The issue is always the same: if the government has a universal backdoor key for an app (let’s say, for example, WhatsApp) and they get hacked, and all the bad guys get hold of this WhatsApp universal decryption key, how many people do you think are going to die? Yah, a lot.

But the governments always say nooo, that won’t happen, we won’t/don’t/can’t get hacked, it’s totally safe. Or they’ll describe some kind of hare-brained protection scheme that makes no sense.

The announcement comes close on the heels of a number of aggressive pushes by European governments against social media companies.

Earlier this month, the German government proposed a €50m fine if companies like Facebook and Twitter do not remove “obvious” criminal content within 24 hours. A few days later, the EC said it was going to insist that social media companies change their terms and conditions to remove various efforts to insulate them legally from content issues – such as the requirement for anyone to sue them in a California court rather than in their home country.

And one day after the March 22 murderous attack in the heart of London, the UK government was publicly critical of the failure of companies like Google and Facebook to remove extremist content on the internet, arguing that they “can and must do more.”

That was followed shortly after by UK Home Secretary Amber Rudd specifically highlighting Facebook-owned chat app WhatsApp and arguing that the authorities must be given access to messages sent by the Westminster attacker over the service.

The debate over encryption has been going on for well over a year and until recently was dominated by fights in the United States, most notably between the FBI and Apple over access to an iPhone used by a shooter in San Bernardino, California.

Anyone in the tech or security communities will always be fundamentally against this, as it breaks the most basic tenets of using cryptography properly in the first place.

But from a government perspective it’s a trade-off: the security and/or privacy of the masses vs. getting critical information on terrorists or other threats.

Source: The Register

HashPump – Exploit Hash Length Extension Attack
http://www.darknet.org.uk/2017/03/hashpump-exploit-hash-length-extension-attack/
Published: Mon, 27 Mar 2017 15:46:06 +0000


HashPump is a C++-based command-line tool to exploit the Hash Length Extension Attack, with various hash types supported, including MD4, MD5, SHA1, SHA256, and SHA512.

HashPump - Exploit Hash Length Extension Attack

There’s a good write-up of how to use this in practical terms here: Plaid CTF 2014: mtpox

Usage

$ hashpump -h
HashPump [-h help] [-t test] [-s signature] [-d data] [-a additional] [-k keylength]
    HashPump generates strings to exploit signatures vulnerable to the Hash Length Extension Attack.
    -h --help          Display this message.
    -t --test          Run tests to verify each algorithm is operating properly.
    -s --signature     The signature from known message.
    -d --data          The data from the known message.
    -a --additional    The information you would like to add to the known message.
    -k --keylength     The length in bytes of the key being used to sign the original message with.
    Version 1.2.0 with CRC32, MD5, SHA1, SHA256 and SHA512 support.
    <Developed by bwall(@botnet_hunter)>

You can download HashPump here:

$ git clone https://github.com/bwall/HashPump.git
$ apt-get install g++ libssl-dev
$ cd HashPump
$ make
$ make install

Or read more here.

Kadimus – LFI Scanner & Exploitation Tool
http://www.darknet.org.uk/2017/03/kadimus-lfi-scanner-exploitation-tool/
Published: Fri, 24 Mar 2017 19:19:23 +0000


Kadimus is an LFI scanner and exploitation tool for Local File Inclusion vulnerability detection and intrusion.

Kadimus - LFI Scanner & Exploitation Tool

Installation

$ git clone https://github.com/P0cL4bs/Kadimus.git
$ cd Kadimus

Then you can run the configure file:

$ ./configure

Then:

$ make

Features

  • Check all url parameters
  • /var/log/auth.log RCE
  • /proc/self/environ RCE
  • php://input RCE
  • data://text RCE
  • Source code disclosure
  • Multi thread scanner
  • Command shell interface through HTTP Request
  • Proxy support (socks4://, socks4a://, socks5:// ,socks5h:// and http://)
  • Proxy socks5 support for bind connections

Usage

-h, --help                    Display this help menu

  Request:
    -B, --cookie STRING         Set custom HTTP Cookie header
    -A, --user-agent STRING     User-Agent to send to server
    --connect-timeout SECONDS   Maximum time allowed for connection
    --retry-times NUMBER        number of times to retry if connection fails
    --proxy STRING              Proxy to connect, syntax: protocol://hostname:port

  Scanner:
    -u, --url STRING            Single URI to scan
    -U, --url-list FILE         File contains URIs to scan
    -o, --output FILE           File to save output results
    --threads NUMBER            Number of threads (2..1000)

  Explotation:
    -t, --target STRING         Vulnerable Target to exploit
    --injec-at STRING           Parameter name to inject exploit
                                (only need with RCE data and source disclosure)

  RCE:
    -X, --rce-technique=TECH    LFI to RCE technique to use
    -C, --code STRING           Custom PHP code to execute, with php brackets
    -c, --cmd STRING            Execute system command on vulnerable target system
    -s, --shell                 Simple command shell interface through HTTP Request

    -r, --reverse-shell         Try spawn a reverse shell connection.
    -l, --listen NUMBER         port to listen

    -b, --bind-shell            Try connect to a bind-shell
    -i, --connect-to STRING     Ip/Hostname to connect
    -p, --port NUMBER           Port number to connect
    --b-proxy STRING            IP/Hostname of socks5 proxy
    --b-port NUMBER             Port number of socks5 proxy

    --ssh-port NUMBER           Set the SSH Port to try inject command (Default: 22)
    --ssh-target STRING         Set the SSH Host

    RCE Available techniques

      environ                   Try run PHP Code using /proc/self/environ
      input                     Try run PHP Code using php://input
      auth                      Try run PHP Code using /var/log/auth.log
      data                      Try run PHP Code using data://text

    Source Disclosure:
      -G, --get-source          Try get the source files using filter://
      -f, --filename STRING     Set filename to grab source [REQUIRED]
      -O FILE                   Set output file (Default: stdout)

You can download Kadimus here:

Kadimus-master.zip

Or read more here.

LastPass Leaking Passwords Via Chrome Extension
http://www.darknet.org.uk/2017/03/lastpass-chrome-extension-leaking-passwords/
Published: Wed, 22 Mar 2017 18:16:53 +0000


LastPass leaking passwords is not new: last week its Firefox extension was picked apart, and now this week its Chrome extension is giving up its goodies. I’ve always found LastPass a bit suspect; even though they are super easy to use and have a nice UI, they’ve had TOO many serious security issues for a company protecting millions of people.

LastPass Leaking Passwords Via Chrome Extension

It’s a shame Passpack isn’t being updated actively, as architecturally it seems like a much better product; the UI is shit though, and it’s buggy for managing mass user accounts.

Password vault LastPass is scrambling to patch critical security flaws that malicious websites can exploit to steal millions of victims’ passphrases.

The programming cockups were spotted by Tavis Ormandy, a white-hat hacker on Google’s crack Project Zero security team. He found that the LastPass Chrome extension has an exploitable content script that evil webpages can attack to extract usernames and passwords.

LastPass works by storing your passwords in the cloud. It provides browser extensions that connect to your LastPass account and automatically fill out your saved login details when you surf to your favorite sites.

However, due to the discovered vulnerabilities, simply browsing a malicious website is enough to hand over all your LastPass passphrases to strangers. The weak LastPass script uncovered by Ormandy can be tricked into granting access to the manager’s internal mechanisms, which is rather bad news.

The script can also be abused to execute commands on the victim’s computer – Ormandy demonstrated this by running calc.exe simply by opening a webpage. A malicious website could exploit this hole to drop malware on a visiting machine. A victim must have the binary component of LastPass installed to be vulnerable to this attack.

This is a pretty major vulnerability for a company that is supposed to make your passwords MORE secure, not leak them to any malicious site that has also figured out the same stuff Tavis spotted.

After advocating password managers for a long time, this is not a good look.

The password manager developer has experience with Ormandy after he found another flaw in its code last year that could compromise a punter’s passwords just by visiting the wrong website.

“We greatly appreciate the work of the security community to challenge our product and uncover areas that need improvement,” Joe Siegrist, cofounder and VP of LastPass, told The Register.

“We have made our LastPass community aware of the report made by Tavis Ormandy and have confirmed that the vulnerabilities have been fixed. We were notified early on – our team worked directly with Tavis to verify the report made, and worked quickly to issue the fix. As always, we recommend that users keep their software updated to the latest versions.”

It appears LastPass’s fix for the Chrome extension issue was to quickly disable 1min-ui-prod.service.lastpass.com – although some say the server is still working for them, so they are still vulnerable. That LastPass backend system resolves to 23.72.215.179 for us right now, and is still up.

There’s also the flip side: LastPass is a popular product, so it’s more likely people are going to find flaws in it (more eyes on it and all that), and in the end these discovered flaws make the product much more secure than smaller competitors that undergo less public scrutiny.

Or not, who knows.

Source: The Register

SessionGopher – Session Extraction Tool
http://www.darknet.org.uk/2017/03/sessiongopher-session-extraction-tool/
Published: Mon, 20 Mar 2017 14:59:53 +0000


SessionGopher is a PowerShell Session Extraction tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop.

SessionGopher - Session Extraction Tool

The tool can find and decrypt saved session information for remote access tools. It has WMI functionality built in, so it can be run remotely. Its best use case is to identify systems that may connect to Unix systems, jump boxes, or point-of-sale terminals.

How it Works

SessionGopher works by querying the HKEY_USERS hive for all users who have logged onto a domain-joined box at some point. It extracts PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP saved session information. It automatically extracts and decrypts WinSCP, FileZilla, and SuperPuTTY saved passwords.

When run in Thorough mode, it also searches all drives for PuTTY private key files (.ppk) and extracts all relevant private key information, including the key itself, as well as for Remote Desktop (.rdp) and RSA (.sdtid) files.

Usage

. .\SessionGopher.ps1
Invoke-SessionGopher -option

-Thorough: searches all drives for PuTTY private key (.ppk), Remote Desktop Connection (.rdp), and RSA (.sdtid) files.
-o: outputs the data to a folder of .csv files
-iL: provide a file with a list of hosts to run SessionGopher against, each host separated by a newline. Provide the path to the file after -iL.
-AllDomain: SessionGopher will query Active Directory for all domain-joined systems and run against all of them.
-Target: a specific host you want to target. Provide the target host after -Target.

You can download SessionGopher here:

SessionGopher.ps1

Or read more here.

