Reinventing the wheel
An Anonymous hacker decompiles Stuxnet and posts the source code on GitHub.
Stuxnet is a Windows computer worm discovered in July 2010 that targets industrial software and equipment. While it is not the first time that hackers have targeted industrial systems, it is the first discovered malware that spies on and subverts industrial systems, and the first to include a programmable logic controller (PLC) rootkit.
This brief text file shows how simple it was for Anonymous to get access to Greg Hoglund's website rootkit.com:
VoIP Hopper is a GPLv3 licensed security tool, written in C, that rapidly runs a VLAN Hop into the Voice VLAN on specific Ethernet switches. VoIP Hopper does this by mimicking the behavior of an IP Phone in Cisco, Avaya, and Nortel environments. VoIP Hopper is a VLAN Hop test tool but also a tool to test VoIP infrastructure security.
In Cisco IP Phone networks, it first dissects either IEEE 802.3 or Ethernet II frames for Cisco Discovery Protocol (CDP) packets. If CDP is enabled on the switch port and the Voice VLAN feature is enabled, it will determine the Voice VLAN ID (VVID). This allows the tool to create a new Ethernet interface on the PC that tags the 802.1q VLAN header in the Ethernet frame. After VoIP Hopper has created the new Ethernet device, it sends a DHCP client request. It can also generate CDP messages just as a CDP-based IP Phone would. It sends two CDP packets requesting the Voice VLAN ID. After creating the new interface, it then alternates between sleeping for 60 seconds and sending a CDP packet.
In Avaya IP Phone environments, it sends an Option 55 parameter request list, requesting Option 176. When the DHCP server sends Option 176, it decodes the L2QVLAN reply field for the Voice VLAN ID. It then creates a new voice interface and sends a DHCP request.
In Nortel IP Phone networks, VoIP Hopper sends an Option 55 parameter request list, requesting Option 191. When the DHCP Server sends Option 191 data, it decodes the VLAN-A: string for the Voice VLAN ID. It then creates a new voice interface and sends a DHCP request.
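The Avaya and Nortel behaviour above depends entirely on what the DHCP server hands out in Options 176 and 191 and on which client asks for them. The following added example (not part of VoIP Hopper or of the original post) parses the DHCP options area of a captured message so a network defender can check two things: whether a client on the data VLAN is requesting the phone-specific options in its Option 55 list, and which Voice VLAN the server discloses. The sample option blobs and the "L2QVLAN=200" / "VLAN-A:300." values are constructed for the example; the field names follow the description above.

```python
import re

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie that starts the options area
OPT_PARAM_REQUEST = 55               # client's parameter request list
OPT_AVAYA = 176                      # Avaya phone option carrying the L2QVLAN field
OPT_NORTEL = 191                     # Nortel phone option carrying the VLAN-A: string

def opt(code: int, value: bytes) -> bytes:
    """Encode one DHCP option as code, length, value."""
    return bytes([code, len(value)]) + value

def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the TLV options area (after the magic cookie) into {code: raw value}."""
    if not payload.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    i, opts = len(MAGIC_COOKIE), {}
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad option, no length byte
            i += 1
            continue
        if code == 255:          # end option
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def requests_voice_vlan_option(opts: dict) -> bool:
    """True if the client's Option 55 list asks for Option 176 or 191 (phone behaviour)."""
    wanted = set(opts.get(OPT_PARAM_REQUEST, b""))
    return bool(wanted & {OPT_AVAYA, OPT_NORTEL})

def voice_vlan_from_offer(opts: dict):
    """Return the Voice VLAN ID the server discloses via Option 176 or 191, else None."""
    if OPT_AVAYA in opts:
        for field in opts[OPT_AVAYA].decode("ascii", "replace").split(","):
            key, _, val = field.partition("=")
            if key.strip() == "L2QVLAN" and val.strip().isdigit():
                return int(val)
    if OPT_NORTEL in opts:
        m = re.search(r"VLAN-A:(\d+)", opts[OPT_NORTEL].decode("ascii", "replace"))
        if m:
            return int(m.group(1))
    return None

# Constructed sample messages (not real captures): a client DISCOVER asking for Option 176,
# an Avaya-style OFFER, and a Nortel-style OFFER.
CLIENT_DISCOVER = MAGIC_COOKIE + opt(53, b"\x01") + opt(OPT_PARAM_REQUEST, bytes([1, 3, 6, OPT_AVAYA])) + b"\xff"
AVAYA_OFFER = MAGIC_COOKIE + opt(53, b"\x02") + opt(OPT_AVAYA, b"MCIPADD=10.0.0.5,MCPORT=1719,L2Q=1,L2QVLAN=200") + b"\xff"
NORTEL_OFFER = MAGIC_COOKIE + opt(53, b"\x02") + opt(OPT_NORTEL, b"Nortel-i2004-A,10.0.0.6:4100,1,5;VLAN-A:300.") + b"\xff"
```

Feeding the Option 55 check DHCP traffic from data-VLAN access ports gives a cheap way to spot hosts that start asking for phone-only options, while the offer parser documents exactly which Voice VLAN a misconfigured server leaks to any client that asks.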
The paper highlights the risks that accompany losing a locked iOS device, regarding the confidentiality of passwords stored in the keychain. It presents the results of hands-on tests that show it is possible for attackers to reveal some of the keychain entries. For the described approach, knowledge of the user's secret passcode is not needed, as the protection provided by the passcode is bypassed.
This utility will dump the SAFESEH exception handlers in a process or binary. It is intended for the vulnerability researcher trying to exploit a vulnerability that requires bypassing SAFESEH.
If you ever wondered how hackers hack their way out of a speeding ticket, well, wonder no longer. So next time you need to get out of a speeding ticket….
Cuckoo is a very simple automated malware analysis sandbox.
It started as a project developed during Google Summer of Code 2010 within The Honeynet Project organization. During that period, under the guidance of my mentor Felix Leder, the foundations were laid for what Cuckoo has grown to be now.
The ideas behind the development of Cuckoo are:
• provide a completely Open Source product to be released under GPL, both in order to allow everyone to customize it as much as possible, as well as in order to make it grow to what could become a community-effort designed tool.
• provide an instrument able to analyze any kind of malicious file and get the best behavioral analysis out of it.
• provide a sandbox which can be configured to run both on virtual machines as well as on metal.
• make it able to be distributed.
Cuckoo still has a long road ahead before achieving all the goals that were initially set, but it is on the right path ;-).
- Retrieve files from remote URLs and analyze them.
- Trace relevant API calls for behavioral analysis.
- Recursively monitor newly spawned processes.
- Dump generated network traffic.
- Run concurrent analysis on multiple machines.
- Support custom analysis package based on AutoIt3 scripting.
- Intercept downloaded and deleted files.
- Take screenshots during runtime.
It is now fixed, but here is the Hotmail exploit.
How it worked:
- Type in the Hotmail email address you want to change the password for.
- Fill out the captcha.
- View the page source on the next page and see what the user's secondary email is (if it exists).
- Check to see if the email is registered (a lot of people don't even bother registering them). If it is, do the same thing you just did and keep going back until you have control over the first account you can.
- Reset the passwords of those email addresses in a daisy-chain fashion until you have control.
The old email used to be a hidden input element on the password reset form, but they just fixed it.