Security Blog » General Hacking

Jarlsberg – Web Application Exploits and Defenses

inSecure — Sun, 09 May 2010 21:05:55 +0000

Jarlsber

A aparut un nou tool, creat chiar de ‘marele’ Google.
Ce ofera acest tool?!

Learn how hackers find security vulnerabilities! Learn how hackers exploit web applications! Learn how to stop them!


This codelab shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn things is by doing, so you'll get a chance to do some real penetration testing, actually exploiting a real application. Specifically, you'll learn the following: 
How an application can be attacked using common web security vulnerabilities, like cross-site scripting vulnerabilities (XSS) and cross-site request forgery (XSRF).

How to find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial-of-service, information disclosure, or remote code execution.

To get the most out of this lab, you should have some familiarity with how a web application works (e.g., general knowledge of HTML, templates, cookies, AJAX, etc.).

O sa il incerc si eu, dupa licenta, ca deocamdata nu am timp. Daca ati reusit sa il testati voi, va rog dati-va cu parerea, sa stiu daca merita sa il incerc.
Apropo, NU sunt fan Google.

Website: http://jarlsberg.appspot.com/
Download: http://jarlsberg.appspot.com/jarlsberg-code.zip

De ce sunt sparte Retelele si cum ?

inSecure — Sat, 08 May 2010 12:14:48 +0000

De ce ?

Am reusit sa identific 5 motive “mari” pentru care hackerii sparg retele in ziua de azi:

1. Retele contin sistem ce au in dotare date sensibiel(parole, carti de credit, informatii confidentiale etc).
2. Asigura facilitati de comunicare pentru a muta datele furate prin lume(pot muta carti de credit prin mai multe retele).
3. Sistemele din retea sunt folosite pentru a cripta datele furate, inainte de a fi mutate prin lume.
4. Sistemele din retea sunt folosite pentru a stoca datele furate.
5. Sistemele sunt folosite pentru creare de troieni, si pentru a dat drumul la viermi.

Cum ?

1. Research general
2. Social engineering(pretext calls, forum-uri etc)
3. Scanning
4. User ID si password breaking
5. Exploit-uri de sistem
6. Interceptarea comunicatiilor (man-in-the-middle attacks)
7. Furt, mita si santaj

Mai stiti si alte motive sau moduri ?!

How to Steal a Botnet and What Can Happen When You Do

inSecure — Sat, 23 Jan 2010 21:24:55 +0000

Un video foarte buna

www.youtube.com/watch?v=2GdqoQJa6r4

Hacking Video – Series – 6

inSecure — Mon, 04 Jan 2010 15:53:13 +0000

Hacking Video – Series – 5

inSecure — Mon, 04 Jan 2010 15:52:13 +0000

Hacking Video – Series – 4

inSecure — Mon, 04 Jan 2010 15:49:08 +0000

Hacking Video – Series – 1

inSecure — Fri, 01 Jan 2010 21:58:03 +0000

Am gasit pe undeva o serie despre ‘hacking’. Mi s-a parut interesanta si am spus sa incep sa le postez pe rand.

Metasploit 3.3 a fost LANSAT!

inSecure — Sat, 05 Dec 2009 13:39:43 +0000

S-a lansat versiunea 3.3 Metasploit!(2009-11-30)
Ce este Metasploit ?

Metasploit este o unealta open source de testare a vulnerabilitatii unui Server/PC. Are exploit-uri predefinite, si este o unealta de vis pentru orice ‘script-kiddie’.

Mai jos am pus o descriere in engleza.

The Metasploit Framework is a development platform for creating security tools and exploits. The framework is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language and includes components written in C and assembler.

Metasploit v3.3 il puteti gasi aici:

Windows – Metasploit-3.3.exe
Linux – Metasploit-3.3.tar.bz2

Detalii cu functionalitati: Metasploit Release Notes
Homepage: Metasploit.com

Cain & Abel

inSecure — Thu, 12 Nov 2009 19:24:06 +0000

Ce este Cain & Abel ?

Am pus aici o descriere completa luata de pe oxit.it
Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of several kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols.


The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort. It covers some security aspects/weakness intrinsic of protocol's standards, authentication methods and caching mechanisms; its main purpose is the simplified recovery of passwords and credentials from various sources, however it also ships some "non standard" utilities for Microsoft Windows users.

Cain & Abel has been developed in the hope that it will be useful for network administrators, teachers, security consultants/professionals, forensic staff, security software vendors, professional penetration testers and everyone else that plans to use it for ethical reasons. The author will not help or support any illegal activity done with this program.

De ce am adus aminte de Cain & Abel ?

Pai a aparut versiunea noua de Cain & Abel !

Ce s-a schimbat:

[!] Added Windows Firewall status detection on startup. [!] Added UAC compatibility in Windows Vista/Seven. [!] Winpcap library upgrade to version 4.1.1.

Download here: Cain & Abel
Homepage : here
Tutoriale Cain & Abel (youtube) : Link

Flawfinder – Tool de Audit al Codului Sursa

inSecure — Sat, 26 Sep 2009 09:13:37 +0000

Flawfinder este un program ce examnieaza un cod sursa si genereaza rapoarte.Acestea sunt categorisite dupa nivelul de risc.
Este usor de folosit, tot ce trebuie sa faci dupa instalare este:

flawfinder directorul_cu_codul_sursa

Cum functioneaza?

Flawfinder works by using a built-in database of C/C++ functions with well-known problems, such as buffer overflow risks (e.g., strcpy(), strcat(), gets(), sprintf(), and the scanf() family), format string problems ([v][f]printf(), [v]snprintf(), and syslog()), race conditions (such as access(), chown(), chgrp(), chmod(), tmpfile(), tmpnam(), tempnam(), and mktemp()), potential shell metacharacter dangers (most of the exec() family, system(), popen()), and poor random number acquisition (such as random()). The good thing is that you don’t have to create this database – it comes with the tool.
Flawfinder then takes the source code text, and matches the source code text against those names, while ignoring text inside comments and strings (except for flawfinder directives). Flawfinder also knows about gettext (a common library for internationalized programs), and will treat constant strings passed through gettext as though they were constant strings; this reduces the number of false hits in internationalized programs. .

Link-ul de download:
flawfinder-1.27.tar.gz