Archive for the 'Articles' Category

Pass-The-Hash Toolkit v1.3

Published at April 27, 2008 in Windows Hacking, Hacking Tools, Applications and Articles. Comments

The Pass-The-Hash Toolkit contains utilities to manipulate the Windows Logon Sessions maintained by the LSA (Local Security Authority) component. These tools allow you to list the current logon sessions with its corresponding NTLM credentials (e.g.: users remotely logged in thru Remote Desktop/Terminal Services), and also change in runtime the current username, domain name, and NTLM hashes (YES, PASS-THE-HASH on Windows!).

Pass-The-Hash Toolkit

Pass-The-Hash Toolkit is comprised of three tools: IAM.EXE, WHOSTHERE.EXE and GENHASH.EXE.

GENHASH.EXE
This is just a utility that uses some undocumented Windows functions to generate the LM and NT hash of a password. This tool is useful to test IAM.EXE and WHOSTHERE.EXE and perhaps to do some other things. Pretty simple and small tool.

IAM.EXE
This tools allows you to change your current NTLM credentials without having the cleartext password but the hashes of the password. The program receives a username, domain name and the LM and NT hashes of the password; using this it will change in memory the NTLM credentials associated with the current windows logon session. After the program performs this operation, all outbound network connections to services that use for authentication the NTLM credentials of the currently logged on user will utilize the credentials modified by IAM.EXE.

WHOSTHERE.EXE
This tools will list logon sessions with NTLM credentials (username,domain name, LM and NT hashes). Logon sessions are created by windows services that log in using specific users, remote desktop connections, etc. This tool has many uses, one that i think is interesting: Let’s say you compromised a Windows Server that is part of a Windows Domain (e.g.: Backup server) but is NOT the domain controller.

You can download Pass-The-Hash Toolkit v1.3 here:

Source Code

Latest stable release (1.3), updated on February 29, 2008.

Win32 binaries

Latest stable release (1.3), updated on February 29, 2008.

Or read more here.

Technorati Tags: , , , , , , , , , , ,

WifiZoo v1.3 Released - Passive Info Gathering for Wifi

Published at April 22, 2008 in Penetration Testing, Hacking Tools, Wireless Hacking, Applications and Articles. Comments

WifiZoo is a tool to gather wifi information passively. It is created to be helpful in wifi pentesting and was inspired by ‘Ferret‘ from Errata Security.

The tool is intended to get all possible info from open wifi networks (and possibly encrypted also in the future, at least with WEP) without joining any network, and covering all wifi channels.

WifiZoo does the following:

  • gathers bssid->ssid information from beacons and probe responses
  • gathers list of unique SSIDS found on probe requests
  • gathers the list and graphs which SSIDS are being probed from what sources
  • gathers bssid->clients information and outputs it in a file that you can later use with graphviz and get a graph with “802.11 bssids->clients”.
  • gathers ‘useful’ information from unencrypted wifi traffic (ala Ferret,and dsniff, etc); like pop3 credentials, smtp traffic, http cookies/authinfo, msn messages,ftp credentials, telnet network traffic, nbt, etc.

You can download WifiZoo v1.3 here:

wifizoo_v1.3.tgz

Or read more here.

Technorati Tags: , , , , , ,

HDIV - Java Web Application Security Framework

Published at April 22, 2008 in Hack, Applications and Articles. Comments

HDIV (HTTP Data Integrity Validator) is a Java Web Application Security Framework. HDIV extends web applications’ behaviour by adding Security functionalities, maintaining the API and the framework specification. This implies that we can use HDIV in applications developed in Struts 1.x, Struts 2.x, Spring MVC and JSTL in a transparent way to the programmer and without adding any complexity to the application development. It is possible to use HDIV in applications that don’t use Struts 1.x, Struts 2.x, Spring MVC or JSTL, but in this case it is necessary to modify the application (JSP pages).

Functionality

INTEGRITY: HDIV guarantees integrity (no data modification) of all the data generated by the server which should not be modified by the client (links, hidden fields, combo values, radio buttons, destiny pages, etc.). Thanks to this property HDIV helps to eliminate most of the vulnerabilities based on the parameter tampering.

EDITABLE DATA VALIDATION: HDIV eliminates to a large extent the risk originated by attacks of type Cross-site scripting (XSS) and SQL Injection using generic validations of the editable data (text and textarea).

CONFIDENTIALITY: HDIV guarantees the confidentiality of the non editable data as well. Usually lots of the data sent to the client has key information for the attackers such as database registry identifiers, column or table names, web directories, etc.

ANTI-CROSS SITE REQUEST FORGERY (CSRF) TOKEN: Random string called a token is placed in each form and link of the HTML response, ensuring that this value will be submitted with the next request. This random string provides protection because not only does the compromised site need to know the URL of the target site and a valid request format for the target site, it also must know the random string which changes for each visited page.

You can download HDIV here:

hdiv 2.0.4

Or read more here.

Technorati Tags: , , , , , , ,

Download: Windows Vista One Year Vulnerability Report

Published at April 15, 2008 in Articles and Vulnerabilities & Exploits. Comments

Windows Vista shipped to business customers on the last day of November 2006, so the end of November 2007 marks the one year anniversary for supported production use of the product.

This paper analyzes the vulnerability disclosures and security updates for the first year of Windows Vista and looks at it in the context of its predecessor, Windows XP, along with other modern workstation operating systems Red Hat, Ubuntu and Apple products.

The results of the analysis show that Windows Vista has an improved security vulnerability profile over its predecessor. Analysis of security updates also shows that Microsoft improvements to the security update process and development process have reduced the impact of security updates to Windows administrators significantly compared to its predecessor, Windows XP.

Download PDF List

Technorati Tags: , , , , ,

sqlninja 0.2.2 Released for Download - SQL Injection Tool

Published at April 15, 2008 in Hacking Tools, Applications and Articles. Comments

Sqlninja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote shell on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

It is written in Perl, it is released under the GPLv2 and so far has been successfully tested on:

  • Linux
  • FreeBSD
  • Mac OS X

Features

  • Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, authentication mode)
  • Bruteforce of ’sa’ password, both dictionary-based and incremental
  • Privilege escalation to ’sa’ if its password has been found
  • Creation of a custom xp_cmdshell if the original one has been disabled
  • Upload of netcat.exe (or any other executable) using only 100% ASCII GET/POST requests, so no need for FTP connections
  • TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
  • Direct and reverse bindshell, both TCP and UDP
  • DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames

What’s new

  • Evasion techniques, in order to obfuscate the injected code and confuse/bypass signature-based IPS and application firewalls
  • A more sophisticated upload module
  • A new ‘blind execution’ attack mode, useful to issue commands and performs diagnostics when other modes fail
  • Automatic URL-encoding now is performed only on sqlninja generated SQL code, giving the user a more granular control on the exploit strings

You can download Sqlninja 0.2.2 here:

sqlninja-0.2.2.tgz

Or read more here.

Technorati Tags: , , , , , , , , , , ,