Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.
Spectre is harder to exploit than Meltdown, but it is also harder to mitigate.
Microsoft has issued a patch for Windows 10, while other versions of Windows are expected to be patched on the traditional Patch Tuesday on January 9, 2018. Microsoft has also issued a guidance document for mitigations on client devices. Please note that the patches released by Microsoft may be incompatible with certain antivirus software.
macOS 10.13.2 mitigates some of the disclosed vulnerabilities; macOS 10.13.3 is expected to enhance or complete these mitigations.
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure.
Processors give the illusion of a sequence of instructions executed one by one. However, in order to use CPU resources most efficiently, modern superscalar processors actually begin executing many instructions in parallel. In cases where instructions depend on the result of previous instructions or checks which have not yet completed, execution proceeds based on guesses about what the outcome will be. If the guess is correct, execution has been sped up. If the guess is incorrect, the partially executed instructions are cancelled and the architectural state changes (to registers, memory, and so on) are reverted; the whole process is no slower than if no guess had been made at all. This is called "speculative execution".
Unfortunately, although architectural state is rolled back, there are other side effects, such as changes to TLB or cache state, which are not rolled back. These side effects can subsequently be detected by an attacker to determine information about what happened during the speculative execution phase. If an attacker can cause speculative execution to access sensitive memory areas, they may be able to infer what that sensitive memory contained.
There are three primary variants of the issue, which differ in the way the speculative execution can be exploited. The variant CVE-2017-5754 (Meltdown, also known as variant 3) relies on the fact that, on impacted microprocessors, during speculative execution of instructions that cause permission faults, the exception triggered by the faulting access is suppressed until the whole instruction block retires. Combined with the fact that memory accesses may populate the cache even when the block is later dropped and never committed, an unprivileged local attacker can use this flaw to read privileged (kernel space) memory by conducting targeted cache side-channel attacks. Note: CVE-2017-5754 affects Intel x86-64 microprocessors. AMD x86-64 microprocessors are not affected by this issue.
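Since kernel 4.15, Linux reports whether the running host is exposed to these variants through one file per issue under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2), each holding "Not affected", "Vulnerable" or "Mitigation: <name>". The script below is an added example, not part of the original article or of any vendor tooling: it reads and classifies those files, and ships with a constructed sysfs tree (the sample contents are made up, not read from a real host) so it runs anywhere.

```python
"""Check the kernel's reported Meltdown/Spectre mitigation status.

Added example, not code from the original page. Reads the per-issue files the
Linux kernel (4.15+) exposes under /sys/devices/system/cpu/vulnerabilities/.
"""
import os
import tempfile

ISSUES = ("meltdown", "spectre_v1", "spectre_v2")


def parse_status(text):
    """Map one sysfs line to (state, detail)."""
    text = text.strip()
    if text == "Not affected":
        return ("not_affected", "")
    if text.startswith("Mitigation:"):
        return ("mitigated", text.split(":", 1)[1].strip())
    if text.startswith("Vulnerable"):
        # The kernel may append a reason after a colon; plain "Vulnerable" gives "".
        return ("vulnerable", text.partition(":")[2].strip())
    return ("unknown", text)


def read_vulnerabilities(sysfs_dir="/sys/devices/system/cpu/vulnerabilities"):
    """Return {issue: (state, detail)}. A missing file means the kernel predates the interface."""
    report = {}
    for issue in ISSUES:
        try:
            with open(os.path.join(sysfs_dir, issue)) as f:
                report[issue] = parse_status(f.read())
        except OSError:
            report[issue] = ("unknown", "no sysfs entry")
    return report


def unmitigated(report):
    """Issues where the host is still exposed, or where the state could not be determined."""
    return sorted(issue for issue, (state, _) in report.items()
                  if state in ("vulnerable", "unknown"))


def make_sample_dir():
    """Constructed sysfs tree for offline use; not captured from a real machine."""
    sample = {
        "meltdown": "Mitigation: PTI\n",
        "spectre_v1": "Vulnerable\n",
        "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
    }
    d = tempfile.mkdtemp()
    for name, content in sample.items():
        with open(os.path.join(d, name), "w") as f:
            f.write(content)
    return d


if __name__ == "__main__":
    # On a Linux host drop the argument to read the real sysfs tree.
    report = read_vulnerabilities(make_sample_dir())
    for issue, (state, detail) in report.items():
        print(f"{issue:11s} {state:13s} {detail}")
    print("still exposed:", ", ".join(unmitigated(report)) or "none")
```

A "Mitigation" entry only says the kernel has enabled a defence; for Spectre variant 2 it does not tell you whether the microcode update the mitigation relies on is installed, so pair this with the vendor's guidance documents linked above.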
KRACK is short for Key Reinstallation Attacks. It exploits a weakness in the four-way handshake of WPA2 (Wi-Fi Protected Access II), the protocol used to protect wireless traffic: a device joins the network with a pre-shared password, and the four-way handshake then negotiates a fresh session key for that connection. By replaying message 3 of the handshake, an attacker tricks the client into reinstalling a key that is already in use, which resets the key's packet number (nonce) and replay counter, so the same keystream is reused. The attack works against all modern protected Wi-Fi networks. The weakness is in the Wi-Fi standard itself, not in individual products or implementations, so any correct implementation of WPA2 is likely affected.
According to Mathy Vanhoef, who discovered the flaw, threat actors can leverage the vulnerability to decrypt traffic, hijack connections, perform man-in-the-middle attacks, and eavesdrop on communication sent from a WPA2-enabled device.
Proof-of-concept scripts for the KRACK attack have been released on GitHub; you can find them here.
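The consequence of a reinstalled key is easiest to see in code. The following is an added example written for this page, not from the KRACK paper or the published scripts: a toy supplicant installs its key, sends a frame, has message 3 replayed, reinstalls the same key and sends a second frame with the reset packet number. WPA2-CCMP encrypts with AES in counter mode, which Python's standard library lacks, so HMAC-SHA256 in counter mode stands in for it (an assumption; the XOR algebra is the same for any stream cipher). A second client class shows the fix vendors shipped: never reinstall a key that is already installed.

```python
"""Nonce reuse caused by key reinstallation, and why a passive attacker profits.

Added example, not part of the original post or of the KRACK tooling.
"""
import hashlib
import hmac
import os


def keystream(ptk, pn, length):
    """Stand-in for CCMP's AES-CTR: keystream depends only on (key, packet number)."""
    out = b""
    counter = 0
    while len(out) < length:
        msg = pn.to_bytes(6, "big") + counter.to_bytes(2, "big")
        out += hmac.new(ptk, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """A WPA2 supplicant's transmit state: the installed PTK and its packet number (PN)."""

    def __init__(self):
        self.ptk = None
        self.pn = 0

    def install_key(self, ptk):
        # Handshake message 3 received: install the PTK and reset the transmit PN.
        # The flaw: a replayed message 3 runs this again for a key already in use.
        self.ptk = ptk
        self.pn = 0

    def send(self, plaintext):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))


class PatchedClient(Client):
    """Mitigation: ignore reinstallation of the key that is already installed, so the PN never rewinds."""

    def install_key(self, ptk):
        if ptk == self.ptk:
            return
        super().install_key(ptk)


def demo_key_reinstallation(client_cls, known_frame, secret_frame):
    """Passive attacker knows frame 1 (e.g. a predictable DHCP request) and captures both ciphertexts.

    Returns (recovered_bytes, pn_of_frame1, pn_of_frame2). Frames must be equal length.
    """
    ptk = os.urandom(16)
    sta = client_cls()
    sta.install_key(ptk)                 # legitimate message 3
    pn1, c1 = sta.send(known_frame)
    sta.install_key(ptk)                 # attacker replays message 3
    pn2, c2 = sta.send(secret_frame)
    # The attacker never learns ptk. If both frames used the same nonce the
    # keystreams cancel: c1 ^ c2 ^ p1 == p2.
    return xor(xor(c1, c2), known_frame), pn1, pn2


if __name__ == "__main__":
    known, secret = b"GET / HTTP/1.1\r\n", b"Cookie: s=4f2a\r\n"
    for cls in (Client, PatchedClient):
        rec, pn1, pn2 = demo_key_reinstallation(cls, known, secret)
        print(f"{cls.__name__:14s} PN {pn1}->{pn2}  recovered secret: {rec == secret}")
```

Against the patched client the second frame gets packet number 2, the keystreams differ and the XOR trick yields noise; against the vulnerable one the attacker reads the second frame without ever touching the key, which is exactly why the advice was to patch clients rather than change Wi-Fi passwords.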
ThreatPinchLookup supplies threat intelligence information on hover tool tips.
It creates on-hover tooltips on every website for IPv4 addresses, MD5 and SHA2 hashes, CVE IDs or any custom IOC you define. It is designed to work with any API, and customization is encouraged. It's the infosec threat intel and OSINT Swiss army knife for your browser: investigate less by taking your context with you.
Documentation here: https://github.com/cloudtracer/ThreatPinchLookup/wiki
– Add your own IOCs by defining a lookup type with a regex
– Create your own data connections, for example one for your asset portal
– Sync your data requests with a CouchDB
– Filter lookup requests so that you aren't looking up your own assets in online tools
– Supports defanged IOCs
Out of the box integrations with:
– ThreatMiner for IPv4, FQDN, MD5 and SHA2 lookups.
– Alienvault OTX for IPv4, MD5 and SHA2 lookups.
– IBM X-Force Exchange for IPv4, FQDN lookups.
– VirusTotal for MD5, SHA2, FQDN lookups.
– Cymon.io for IPv4 lookups.
– Computer Incident Response Center Luxembourg (CIRCL) for CVE Lookups.
– PassiveTotal for FQDN WHOIS lookups.
– MISP for MD5 and SHA2 lookups.
Chrome Web Store Link
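Three items in that feature list (regex-defined lookup types, defanged IOCs, and filtering out your own assets) are the work a hover-lookup tool must do before it sends anything to an external API. The code below is an added example, not ThreatPinchLookup's own source: it classifies a hovered token, refangs it, and refuses to look up private addresses or hosts under an assumed internal domain (corp.example) so that they never reach a public service. The "ticket" type is a hypothetical custom lookup type in the spirit of the extension's regex feature.

```python
"""Classify, refang and filter indicators before any online lookup.

Added example; not code from ThreatPinchLookup. OWN_DOMAINS and the
"ticket" lookup type are assumptions for illustration.
"""
import ipaddress
import re

LOOKUP_TYPES = {
    "ipv4": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "md5": re.compile(r"^[0-9a-f]{32}$", re.I),
    "sha256": re.compile(r"^[0-9a-f]{64}$", re.I),
    "cve": re.compile(r"^CVE-\d{4}-\d{4,}$", re.I),
    "fqdn": re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I),
    # Custom type defined by regex, as the extension allows (hypothetical ticket format).
    "ticket": re.compile(r"^INC-\d{6}$"),
}

OWN_DOMAINS = ("corp.example",)   # assumed: internal domains never sent to public APIs


def refang(token):
    """Undo common defanging: [.] (.) [dot], hxxp://, and strip scheme/path to the host."""
    t = token.strip()
    t = re.sub(r"\[\.\]|\(\.\)|\[dot\]", ".", t, flags=re.I)
    t = re.sub(r"^hxxps?(?:\[:\]|:)//", "", t, flags=re.I)
    t = re.sub(r"^https?://", "", t, flags=re.I)
    return t.split("/", 1)[0]


def classify(token):
    """Return (kind, normalised_value); kind is None when no lookup type matches."""
    value = refang(token)
    for kind, pattern in LOOKUP_TYPES.items():
        if not pattern.match(value):
            continue
        if kind == "ipv4":
            try:
                ipaddress.IPv4Address(value)   # regex alone accepts 999.1.1.1
            except ValueError:
                continue
        return kind, value.upper() if kind == "cve" else value
    return None, value


def is_own_asset(kind, value):
    """The 'don't look up your own assets' filter."""
    if kind == "ipv4":
        ip = ipaddress.IPv4Address(value)
        return ip.is_private or ip.is_loopback or ip.is_link_local
    if kind == "fqdn":
        v = value.lower()
        return any(v == d or v.endswith("." + d) for d in OWN_DOMAINS)
    return False


def plan_lookups(tokens):
    """Decide per token: 'lookup', 'skip-own-asset' or 'ignore'."""
    plan = []
    for tok in tokens:
        kind, value = classify(tok)
        if kind is None:
            action = "ignore"
        elif is_own_asset(kind, value):
            action = "skip-own-asset"
        else:
            action = "lookup"
        plan.append((kind, value, action))
    return plan


if __name__ == "__main__":
    # Constructed hover targets, not taken from a real page.
    for item in plan_lookups(["hxxp://evil[.]com/login", "10.0.0.5", "8.8.8.8",
                              "cve-2017-5754", "mail.corp.example", "999.1.1.1"]):
        print(item)
```

Order of the lookup types matters: the IPv4 pattern is tried before FQDN so "1.2.3.4" is not treated as a hostname, and the address is validated with ipaddress because the regex alone accepts octets above 255.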
The Inspector is a handy privilege escalation utility.
- finds processes running with root privileges
- finds exploits for your kernel version using its built-in exploit database
- analyses shell history files to find login information
I think The Inspector is a handy utility that most pentesters would like to keep in their toolkit.
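Two of those checks are simple enough to show in full. The following is an added example written for this page, not The Inspector's own code: it picks root-owned processes out of `ps -eo user,pid,comm` output and scans shell history for commands that carry credentials on the command line. Both the ps output and the history lines are constructed samples.

```python
"""Local privilege-escalation recon: root processes and credentials in shell history.

Added example, not code from The Inspector. SAMPLE_PS and SAMPLE_HISTORY are constructed.
"""
import re

SAMPLE_PS = """USER       PID COMMAND
root         1 systemd
root       512 sshd
mysql      640 mysqld
www-data   701 apache2
root       730 backup.sh
bob       1201 bash
"""

SAMPLE_HISTORY = """ls -la
mysql -u root -pSup3rS3cret! shopdb
sshpass -p 'Hunter2' ssh deploy@10.0.0.7
curl -u admin:adminpass https://intranet.example/api
export DB_PASSWORD=letmein
sudo systemctl restart nginx
"""

# Command-line credential patterns; group 1 captures the secret.
CRED_PATTERNS = [
    ("mysql -p", re.compile(r"\bmysql\b.*?\s-p(\S+)")),
    ("sshpass", re.compile(r"\bsshpass\s+-p\s+'?([^'\s]+)'?")),
    ("curl basic auth", re.compile(r"\bcurl\b.*?\s-u\s+\S+:(\S+)")),
    ("env var", re.compile(r"\b[A-Z_]*(?:PASS|PASSWORD|SECRET|TOKEN)[A-Z_]*=(\S+)")),
]


def root_processes(ps_output):
    """Return [(pid, command)] for processes owned by root (skips the header line)."""
    procs = []
    for line in ps_output.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "root":
            procs.append((int(parts[1]), parts[2]))
    return procs


def history_credentials(history):
    """Return [(line_no, pattern_name, secret)] for history lines that leak a credential."""
    hits = []
    for lineno, line in enumerate(history.splitlines(), 1):
        for name, pattern in CRED_PATTERNS:
            m = pattern.search(line)
            if m:
                hits.append((lineno, name, m.group(1)))
                break
    return hits


if __name__ == "__main__":
    # On a real host: subprocess.run(["ps", "-eo", "user,pid,comm"]) and ~/.bash_history.
    for pid, cmd in root_processes(SAMPLE_PS):
        print(f"root process {pid:>6} {cmd}")
    for lineno, name, secret in history_credentials(SAMPLE_HISTORY):
        print(f"history line {lineno}: {name} -> {secret}")
```

A root-owned script such as backup.sh is worth a second look (is it writable, does it run from cron?), and every recovered password should be tried against the local root and database accounts before reaching for a kernel exploit.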
torcrack is a penetration testing utility that brute-forces SSH passwords with multiple threads, routing its connections over the Tor network.
Requirements: argparse, PyFiglet, PySocks, Paramiko and a local Tor installation.
git clone https://github.com/norksec/torcrack.git
pip3 install pyfiglet pysocks paramiko argparse
apt-get install -y tor
Make sure the tor service is running:
service tor restart
Run python3 torcrack.py -h to list the available options.
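Whoever runs a tool like this against a target leaves the same trace as any password-guessing campaign: a burst of "Failed password" entries from one source in the target's sshd log, often followed by an "Accepted password" line if a guess lands. The detection logic below is an added example, unrelated to torcrack's own code, showing the check a defender would run over auth.log; the log lines are constructed in the standard sshd format (the source address is made up).

```python
"""Flag SSH password-guessing sources in sshd auth.log lines.

Added example for the defensive side; not torcrack code. SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """Jan  5 10:12:31 bastion sshd[2201]: Failed password for root from 185.220.101.5 port 42312 ssh2
Jan  5 10:12:33 bastion sshd[2203]: Failed password for invalid user admin from 185.220.101.5 port 42318 ssh2
Jan  5 10:12:35 bastion sshd[2205]: Failed password for invalid user test from 185.220.101.5 port 42320 ssh2
Jan  5 10:12:38 bastion sshd[2207]: Failed password for root from 185.220.101.5 port 42330 ssh2
Jan  5 10:12:41 bastion sshd[2209]: Accepted password for root from 185.220.101.5 port 42340 ssh2
Jan  5 10:13:02 bastion sshd[2215]: Failed password for alice from 10.0.0.23 port 51002 ssh2
Jan  5 10:13:10 bastion sshd[2217]: Accepted publickey for alice from 10.0.0.23 port 51004 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_auth_log(text):
    """Return one dict per authentication event; non-matching lines are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := LINE_RE.search(line))]


def brute_force_sources(events, threshold=3):
    """Return {ip: summary} for sources with at least `threshold` failed password attempts.

    success_after is True when the source later authenticated successfully,
    which is the case that needs an immediate response.
    """
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "success_after": False})
    for e in events:
        s = stats[e["ip"]]
        if e["result"] == "Failed" and e["method"] == "password":
            s["failures"] += 1
            s["users"].add(e["user"])
        elif e["result"] == "Accepted" and s["failures"] > 0:
            s["success_after"] = True
    return {
        ip: {"failures": s["failures"], "users": sorted(s["users"]),
             "success_after": s["success_after"]}
        for ip, s in stats.items() if s["failures"] >= threshold
    }


if __name__ == "__main__":
    for ip, summary in brute_force_sources(parse_auth_log(SAMPLE_LOG)).items():
        flag = "COMPROMISED?" if summary["success_after"] else "guessing"
        print(f"{ip}: {summary['failures']} failures, users {summary['users']} -> {flag}")
```

A source flagged here can be compared against the published Tor exit node list to tell Tor-routed guessing from a directly connected attacker, but the response is the same: disable password authentication for SSH and require keys, which is also what makes torcrack-style tools useless.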
Metasploitable3 is a VM that is built from the ground up with a large number of security vulnerabilities. It is intended to be used as a target for testing exploits with Metasploit.
Metasploitable3 is released under a BSD-style license. See COPYING for more details.
Building Metasploitable 3
OS capable of running all of the required applications listed below
VT-x/AMD-V Supported Processor recommended
65 GB Available space on drive
4.5 GB RAM
Vagrant Reload Plugin
NOTE: A bug was recently discovered in VirtualBox 5.1.8 that is breaking provisioning. More information here.
NOTE: A bug was recently discovered in Vagrant 1.8.7 on OSX that is breaking provisioning. More information here.
To build automatically:
Run the build_win2008.sh script if using bash, or build_win2008.ps1 if using Windows.
If the command completes successfully, run ‘vagrant up’.
When this process completes, you should be able to open the VM within VirtualBox and login. The default credentials are U: vagrant and P: vagrant.
To build manually:
Clone this repo and navigate to the main directory.
Build the base VM image by running packer build windows_2008_r2.json. This will take a while the first time you run it since it has to download the OS installation ISO.
After the base Vagrant box is created you need to add it to your Vagrant environment. This can be done with the command vagrant box add windows_2008_r2_virtualbox.box --name=metasploitable3.
Use vagrant plugin install vagrant-reload to install the reload vagrant provisioner if you haven’t already.
To start the VM, run the command vagrant up. This will start up the VM and run all of the installation and configuration scripts necessary to set everything up. This takes about 10 minutes.
Once this process completes, you can open up the VM within VirtualBox and login. The default credentials are U: vagrant and P: vagrant.
PenQ is an open source, Linux-based penetration testing browser bundle we built over Mozilla Firefox. It comes pre-configured with security tools for spidering, advanced web searching, fingerprinting, anonymous browsing, web server scanning, fuzzing, report generating and more.
PenQ is configured to run on Debian based distributions including Ubuntu and its derivative distros, and penetration testing operating systems such as BackTrack and Kali.
Steps to install and run PenQ
Download the PenQ package.
Open the command-line interface (CLI) and navigate to the location of the downloaded file.
cd [path to PenQ file]
Assign executable permission to this file.
chmod +x PenQ-installer-1.0
Run the PenQ installer file from the CLI.
Provide your sudo password and wait for the installation to complete.
Once installed, double-click the PenQ icon on the desktop or run 'penq' from the CLI to open and use the tool.
To uninstall PenQ, navigate to the PenQ folder at ‘/usr/share/PenQ’ and run the uninstaller.
Tools bundled with PenQ:
– OWASP ZAP
– Wfuzz Web Application Fuzzer
– PenTesting Report Generator
– OWASP WebScarab
– Mozilla Add-ons Collection
– Vulnerability Databases Search
– OWASP WebSlayer
– Integrated Tor
– Access to Shell and System Utilities
– Nikto Web Server Scanner
– OWASP Penetration Testing Checklist
– Collection of Useful Links
Vuls is an agentless vulnerability scanner for Linux, written in Go.
Vuls downloads the NVD (National Vulnerability Database) feeds and inserts them into a SQLite database; its companion CVE dictionary (go-cve-dictionary) serves lookups from this file.
Second, set up SSH key-based authentication between the Vuls server and each scan target, because Vuls logs in to the target rather than probing it from outside. It then lists the installed packages and checks which of them have security updates pending, and reports those as vulnerable.
In my opinion this can be problematic on some distros. The Debian security team, for example, often backports a fix into the existing package version and only bumps the Debian revision, so a scanner that compares the upstream version number against the "fixed in" version from NVD will report many false positives.
DROWN stands for Decrypting RSA with Obsolete and Weakened eNcryption. It is a cross-protocol attack that targets SSLv2: a server that still accepts SSLv2 connections can be used as a decryption oracle against TLS sessions that were set up with RSA key exchange using the same RSA key.
SSL/TLS has a long history of such attacks, among them Lucky13, CRIME, BEAST and POODLE. At the time of disclosure about a third of HTTPS servers were vulnerable to DROWN, either because they supported SSLv2 themselves or because they shared their RSA key with a server that did. With DROWN an attacker who has recorded a TLS connection to such a server can decrypt it.
Papers and Vulnerability Testing Here
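The first thing to test is whether a server answers an SSLv2 ClientHello at all. Modern OpenSSL builds have SSLv2 compiled out, so the probe below assembles the handshake by hand; it is an added example, not part of the DROWN paper's tooling. It builds the SSLv2 ClientHello record, parses the ServerHello (a reply at all means SSLv2 is enabled; a TLS alert or a closed connection means it is not) and lists the offered cipher kinds, since the 40-bit export ciphers are what make the fast variant of the attack possible. The ServerHello used offline is a constructed byte string.

```python
"""Probe a host for SSLv2 support by hand-crafting the SSLv2 handshake.

Added example, not from the DROWN authors' tools. sample_server_hello() is constructed.
"""
import os
import socket
import struct

# SSLv2 cipher-kind codes (3 bytes each). EXPORT40 kinds are the ones DROWN abuses.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL2_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL2_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL2_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL2_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL2_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL2_DES_192_EDE3_CBC_WITH_MD5",
}


def build_client_hello(challenge=None):
    """SSLv2 record (2-byte header, high bit set) carrying a CLIENT-HELLO offering every cipher kind."""
    challenge = challenge or os.urandom(16)
    specs = b"".join(SSLV2_CIPHERS)
    body = struct.pack("!BHHHH", 0x01, 0x0002, len(specs), 0, len(challenge)) + specs + challenge
    return struct.pack("!H", 0x8000 | len(body)) + body


def parse_server_hello(record):
    """Return a summary dict for an SSLv2 SERVER-HELLO, or None if the bytes are not one."""
    if len(record) < 2:
        return None
    hdr = struct.unpack("!H", record[:2])[0]
    if not hdr & 0x8000:
        return None            # e.g. a TLS alert record (0x15 ...) or garbage
    body = record[2:2 + (hdr & 0x7FFF)]
    if len(body) < 11 or body[0] != 0x04:
        return None
    _, sid_hit, cert_type, version, cert_len, spec_len, _conn_len = struct.unpack("!BBBHHHH", body[:11])
    specs = body[11 + cert_len:11 + cert_len + spec_len]
    ciphers = [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex()) for i in range(0, len(specs), 3)]
    return {
        "version": version,
        "certificate_length": cert_len,
        "ciphers": ciphers,
        "export_ciphers": [c for c in ciphers if "EXPORT" in c],
    }


def sample_server_hello():
    """Constructed SERVER-HELLO: X.509 cert type, 3 placeholder cert bytes, two cipher kinds, 16-byte conn id."""
    body = struct.pack("!BBBHHHH", 0x04, 0, 1, 0x0002, 3, 6, 16)
    body += b"\x30\x82\x00" + b"\x01\x00\x80\x02\x00\x80" + b"\x00" * 16
    return struct.pack("!H", 0x8000 | len(body)) + body


def probe(host, port=443, timeout=5):
    """Send the ClientHello and parse whatever comes back; None means SSLv2 is not offered."""
    with socket.create_connection((host, port), timeout) as s:
        s.sendall(build_client_hello())
        return parse_server_hello(s.recv(4096))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = probe(target) if target else parse_server_hello(sample_server_hello())
    print("SSLv2 not offered" if result is None else result)
```

A clean result on one host is not enough to clear a certificate: DROWN also works against a TLS-only server if its RSA key is reused on any other machine or port (an old mail server, for instance) that still speaks SSLv2, so every host sharing the key has to be probed.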