Sunday, July 29, 2007

Surfing "Playboy.com"

Have you tried surfing "playboy.com"? You will likely see the "nice" MDA (Media Development Authority) notification webpage telling you that the website you are accessing is restricted.

If your company uses Web/URL filtering, you are also likely to receive a similar notification while surfing an "illegal" website on your company network.

To continue surfing those websites by bypassing the Web/URL filter or MDA notification, the answer is "Anonymous Web surfing" or an "Anonymous Proxy". It hides your actual IP and surfs the Internet using the proxy's IP instead.


MDA notification
This picture shows the MDA notification when you try surfing an "illegal" website such as "playboy.com".



Playboy via VTunnel
We use Vtunnel.com as an example of an anonymous proxy. We are able to surf the website without any problem.


DNSStuff shows SCV IP
While surfing the Internet, you will be using the IP from your local ISP. From DNSstuff.com, you are able to see that my IP is from SCV BroadBand, Singapore.


DNSStuff shows VTunnel IP
While using the anonymous proxy, you will see an IP from Chicago, USA. So your actual IP from Singapore was successfully hidden.




Before you start using an anonymous proxy, there is something that I need to highlight. Since your web traffic is sent via the proxy, your information such as usernames, passwords, credit card numbers and even your web surfing habits can be harvested by the proxy owner. So be careful about the information that you are going to transmit when using an anonymous proxy.

Some free Anonymous Proxy:

- VTunnel
http://www.vtunnel.com/

- Proxify
http://www.proxify.com/

Saturday, July 21, 2007

Windows Account Cracking

Last week, someone had a problem logging into his Windows 2003, so he needed a Windows account cracking tool. So I thought of sharing some of my knowledge of Windows account cracking. The passwords in Windows systems are hashed and stored in the SAM (Security Account Manager). Only 14 characters of the password are used for the hashing. The password is split into 2 (with 8 characters each) and each part is hashed separately.

An account cracking tool normally uses brute-force/dictionary, a rainbow table, or replaces the password hash in the SAM file.

The brute-force method tries every possibility. But with the long and complex passwords being used these days, this method is not practical. An 8-character complex password (mixed case with numbers or symbols) has 7.2 quadrillion (thousand million million) combinations and will need 2 1/4 years to crack using a current dual-processor PC. (Password Recovery Speed)

The rainbow table method uses a time-memory tradeoff technique: all the cracking-time computation is done in advance and the results are stored in files called "rainbow tables". It buys speed at the cost of memory and disk space. The more comprehensive the table, the larger it can be. If you have the correct table, a complex password can be cracked in a few minutes rather than the months to years needed with brute-force.
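
The precompute-then-look-up idea described above, shown as an added example (not code from this blog or from Ophcrack). The 3-letter lowercase keyspace, MD5 as a stand-in unsalted hash, and the chain sizes are assumptions made for the demonstration.

```python
import hashlib
from itertools import islice, product
from string import ascii_lowercase as ALPHABET

PW_LEN = 3          # toy keyspace: 26**3 = 17,576 passwords (assumption)
CHAIN_LEN = 50      # hash/reduce steps per chain
N_CHAINS = 1000     # chains kept in the table

def h(pw):
    """Stand-in unsalted password hash (MD5, chosen only for the demo)."""
    return hashlib.md5(pw.encode()).digest()

def reduce(digest, step):
    """Map a digest back into the keyspace; differs per chain position."""
    n = (int.from_bytes(digest[:8], "big") + step) % len(ALPHABET) ** PW_LEN
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)

def walk(pw, pos=0):
    """Yield the plaintexts of a chain from position pos to its endpoint."""
    for step in range(pos, CHAIN_LEN):
        yield pw
        pw = reduce(h(pw), step)
    yield pw

def build_table():
    """Precompute every chain but store only endpoint -> [start points]."""
    table = {}
    starts = ("".join(p) for p in product(ALPHABET, repeat=PW_LEN))
    for start in islice(starts, N_CHAINS):
        *_, end = walk(start)
        table.setdefault(end, []).append(start)
    return table

def lookup(table, target):
    """Return a plaintext hashing to target, or None if no chain covers it."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        # Guess the plaintext sat at `pos`, then finish the chain from there.
        *_, end = walk(reduce(target, pos), pos + 1)
        for start in table.get(end, ()):
            for cand in walk(start):      # replay only the matching chain
                if h(cand) == target:
                    return cand
    return None

def covered(table):
    """Distinct plaintexts reachable from the stored start points."""
    return len({pw for starts in table.values() for s in starts for pw in walk(s)})
```

The table keeps 1,000 start/end pairs, yet `covered()` counts more recoverable plaintexts than that, and a lookup replays only the chains whose endpoint matches instead of hashing the whole keyspace. The table is only valid for the exact unsalted hash function it was built with.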

OPHCRACK - The "famous" Windows password cracker based on rainbow tables. It comes with a "LiveCD" that can be booted up to crack the password automatically.


ophcrack screenshot

The other way to crack the password is to replace the hash in the SAM file. This method needs you to boot up with another OS to dump the SAM file for modification. The username and the password hash are located, and the hash is replaced with the hash of a password of your choice.

Offline NT Password & Registry Editor - My recommended Windows password cracking tool, which "resets" the password. This tool is bootable from a floppy or CD. It requires the system to be booted from the tool to do the password "reset".


Offline NT Password Registry Editor

Related sites:
-Password Recovery Speed
http://www.lockdown.co.uk/?pg=combi

-Ophcrack
http://ophcrack.sourceforge.net/

-Offline NT Password & Registry Editor
http://home.eunet.no/~pnordahl/ntpasswd/

Legal "Malware" from FBI

The FBI used spyware to track down the source of e-mailed bomb threats against a Washington high school last month. The malware led the FBI to a 15-year-old student at the school, Josh Glazebrook. He pleaded guilty to making bomb threats, identity theft and felony harassment.

An FBI agent describes the software (Malware) as a "Computer and Internet Protocol Address Verifier," or CIPAV.

The full capabilities of CIPAV are guarded as secret, but some of the data collected by the malware was disclosed, as listed below.
  • IP Address
  • MAC address
  • Open TCP / UDP ports
  • Current running programs
  • OS type, version and serial number
  • Registered user and company name on the OS
  • Current logged-in username
  • Last visited URL

The malware will also monitor the computer's internet use, logging every IP address to which the machine connects. All the information will be sent over to an FBI system located at their technical laboratory.

So who says all malware is "bad"?

Related report:
Wired News - FBI's Secret Spyware Tracks Down Teen Who Made Bomb Threats

Wednesday, July 18, 2007

Sell your "Boss"

I have talked about having bots and selling exploits to make money. How can I leave out the easiest way: "backstab" your company by reporting its illegal software to the BSA (the authority). They have recently raised the reward to $1 million. Another good "part-time" way to make your first million.

BSA Reward Payment Guidelines

With movies like 'Infernal Affairs' or 'The Departed' (the Hollywood version), double-crossing your boss seems to earn heroic "respect" and also good MONEY.

infernal money affairs

So what are you waiting for? All bosses beware.

Related report:
SecurityFocus - BSA to pay up to $1 million for piracy tips

Thursday, July 12, 2007

Sell "your" eXploit

Recently there has been a lot of "talk" about selling vulnerability information or zero-day exploits. It is likely due to the newly opened online auction website that allows security researchers to sell their findings.

This "eBay" for security research, run by the Swiss-registered company WSLabi, claims to allow researchers to get a fair "market" price and also to prevent those exploits from being sold to cybercriminals.

Now there is a more "legal" way to sell a security finding. Previously, to sell a zero-day exploit, having contacts to find a "good" and "reliable" buyer was important. Many times, the patch may already have been announced before your deal could go through.

Some estimated "market" rate for exploits
- Exploit values between USD$500 - $200,000

- H.D. Moore (Metasploit founder) was offered USD$60,000 and $120,000 for IE vulnerability.

- Desautels (co-founder of SNOSoft) claims that an exploit can fetch more than USD$75,000 in Bugtraq or Disclosure Mailing list.

- Product vendors such as 3Com, VeriSign and Trend Micro are offering between USD$5,000 and $50,000

- Mozilla Security Bug Bounty Program offers USD$500 and a T-shirt.
(http://www.mozilla.org/security/bug-bounty.html)


So there is an ethical issue here: buyers that are non-vendors tend to pay much more for an exploit. These buyers (likely to be government agencies or cybercriminals) are not likely to report it to the product vendor, as they will need to recoup the tens of thousands of dollars spent before their exploit "expires".

So what are you waiting for? Start "whacking" your system and see if you can find any "treasure" to sell. Another part-time business and/or a way to make your first million.

Monday, July 9, 2007

Hello World!

Hi all, I am a n00b in IT security and want to thank wolf here for creating this blog so that we can all share our knowledge and test cases in IT security. My areas of interest are pen-testing, malware and reverse engineering. Hope to learn from all and also contribute back. Here are some links that may be of interest to you:

http://www.damnvulnerablelinux.org/
http://www.darknet.org.uk/

Cheers!
GB

Sunday, July 8, 2007

Make Big bucks by having Bots?

I have been to some seminars and webcasts where some security researchers claim that botnet owners are making millions yearly by "renting" out their bots.

Some Market rate for employing Bots for Spamming or DOS

- A thousand dollars (USD) for spamming for 1 or 2 days
- Average of $0.05 (five cents) per bot per node.
- 2 to 3 hundred dollars (USD) per hour (for spamming or DOS)

According to the Symantec Internet Security Threat Report, in the first half of 2006 there were about 4.7 million active botnet systems. Based on the market rate, with 4.7 million bots it becomes a big "underground" business (possibly a billion-dollar business).

If you own half a million bots, I think you will have no problem making a million within a year. This can be a good part-time business and/or a way to make your first million.

Thursday, July 5, 2007

Google Hacking

Last month, while practicing my Googlefu, I also tried out some Google hacking. You can really see that many systems are not properly secured and were captured by "our favourite" search engine.

As a "non-intrusive" example from my Google hacking, I found an unsecured webcam that allows us to "tour" the Data Centre at the University of California, San Diego.

http://calit2-1101-1.ucsd.edu/local/lvappl.html

To learn more about Google hacking, I recommend Johnny Long's website.

Blog by an IT security newbie

I am a novice in IT security and am setting up this blog to share what I know and will be learning about IT security, especially hacking, pen-testing, vulnerabilities and understanding malware.

I also wish to share and comment on the popular security news.

Hope that other security enthusiasts can share their knowledge and comment on my blog.

Cheers
w01f