Tools:
- pwntooth v0.2.1 – sourceforge.net/projects/pwntooth/
pwntooth (pown-tooth) is designed to automate Bluetooth Pen-Testing. - FRHACK OS v1 alpha1 – Pentesting/Security LiveCD – darknet.org.uk
It’s a fully fledged linux pen-testing/security environment. - Metasploit 3.3 Development Updates – metasploit.com
The team is in the process of baking in a few additions to the popular pentesting tool. - Katana v1.0 Beta – cc.vt.edu
Katana is a portable multi-boot security suite designed for all your computer security needs. - MiniFuzz File Fuzzer v0.1 – microsoft.com
MiniFuzz is a basic testing tool designed to help detect code flaws that may expose security vulnerabilities in file-handling code. - Airoscript v2.2 – code.google.com/p/airoscript/
Airoscript is a text-user-interface (TUI) for aircrack-ng. - Cain & Abel v4.9.32 – oxid.it
Cain & Abel is a password recovery tool for Microsoft Operating Systems. - Risk Tracker v1.0 Release – msdn.com
Risk Tracker v1.0 is a tool that will help organizations manage, track and report on risks and associated activities. - OWASP Code Crawler 2.5 – cyphersec.com
In this release, we have been busy making Code Crawler even more stable and fast. - JBroFuzz v1.6 – owasp.org
JBroFuzz is a web application fuzzer for requests being made over HTTP and/or HTTPS. - OVAL Interpreter v5.6.3 – sourceforge.net/projects/ovaldi
The OVAL Interpreter is a free reference implementation that demonstrates the evaluation of OVAL Definitions. - MAPDAV v1.0P5 – mapdav.sourceforge.net
A More Accurate Password Dictionary Attack Vector for creating attacks on user passwords.
Techniques:
- Wireshark, dissectors and fuzzers – mudynamics.com
Fuzzing is purely an exercise in semantic data structure manipulation, nothing more. - Packet Captures with Meterpreter – 7Zip – WinDump – and NMAP-ish – room362.com
A video about a pretty crafty way of getting packet captures on a target system. - SQL Injection – accessing additional tables via the where clause – petefinnigan.com
A tester manipulates the where clause of an existing statement that can be exploited via SQL injection. - Injecting Meterpreter into Excel files using XLSInjector – securitytube.net
Keith Lee has written a script which injects a Meterpreter shell into an Excel file. - SSL trick certificate published – h-online.com
Jacob Appelbaum has published an SSL certificate and pertinent private key that allow web servers to avoid an alert in vulnerable browsers. - Imperva Database Hacking Video: Database Privilege Abuse by Malicious Insiders – imperva.com
This video is focused on database privilege abuse which is generally related to careless, negligent or malicious insiders. - Response: Pentesting Coverage – sans.org
Some discussion on vulnerability assessment, of white vs. black box testing and more
Vulnerabilities:
- SMB2 Exploit
A new network exploit has been spotted in the wild so it’s best to block ports 135 and 445 asap.- SMBv2 exploit for Vista and Server 2008 released – security4all.be
- Exploit published for SMB2 vulnerability in Windows – h-online.com
- There will be no out of band patch for SMBv2 – immunitysec.com
Vendor/Software Patches:
- Vulnerabilities in Samba file and printer server plugged – h-online.com
They fixed three vulnerabilities which attackers could exploit to access data or disable the server.
Other News:
- Reddit Javascript Exploit Spreading Virally – reddit.com
Two Javascript codes were combined to wreck havok on Reddit’s comment system. - Elite Military Hacker Squad Would Stop Wars With Bits, Not Bombs – gizmodo.com
The US military is proposing a pre-emptive cyber attack plan to neutralize threats to computer security. - Microsoft Security Essentials now available
MS released a new and free antivirus application, available for download right now- Security Essentials graduates to v1.0 – cnet.com
- Microsoft provides free Security Essentials anti-virus solution – h-online.com
- First look: Microsoft Security Essentials impresses – arstechnica.com
- MS Security Essentials test shows 98% detection rate for 545k malware samples – zdnet.com
- Microsoft Security Essentials review – techradar.com
- Garage door… packet sniffer – hackaday.com
An intrepid hacker to log output from his garage door opener. - Reproducing Keys from Photographs – schneier.com
Teleduplication can easily let criminals create a duplicate of your keys. - DHS Seeking 1,000 Cyber Security Experts – washingtonpost.com
The Department of Homeland Security is poised to go on a geek hiring spree. - Credit Card Skimming Survey: What’s Your Magstripe Worth? – wired.com
Florida looks to be the hotbed for credit card “skimming”.
No comments yet.