Showing posts with label Information Gathering.

What is a DNS Rebinding Attack? How It Works and How to Protect Against It

What is a DNS rebinding attack?
DNS rebinding is a form of computer attack, more precisely a domain-name-based attack. In this attack, a malicious web page causes visitors to run a client-side script that attacks machines elsewhere on the network.



A DNS rebinding attack can be used to breach a private network by causing the victim's web browser to access machines at private IP addresses and return the results to the attacker. It can also be employed to use the victim's machine for spamming, distributed denial-of-service attacks or other malicious activities.



Cybercriminals can also deliver a DNS rebinding attack through malicious advertising (malvertising) and then gain access to private data on the network.

How does DNS rebinding work?
The attacker registers a domain (such as anydomain.com) and delegates it to a DNS server under the attacker's control. The server is configured to respond with a very short time-to-live (TTL) record, preventing the response from being cached. When the victim browses to the malicious domain, the attacker's DNS server first responds with the IP address of a server hosting the malicious client-side code.

For example, they could point the victim's browser to a website that contains malicious JavaScript or Flash scripts intended to execute on the victim's computer.



The malicious client-side code makes additional accesses to the original domain name (such as attacker.com). These are permitted by the same-origin policy. However, when the victim's browser runs the script, it makes a new DNS request for the domain, and the attacker replies with a new IP address. For instance, they could reply with an internal IP address or the IP address of a target elsewhere on the Internet.



How can we protect ourselves?
The following techniques attempt to prevent DNS rebinding attacks:
  • Always use a strong password on your router.
  • Disable administrative access to your router's console from any external network.
  • Web browsers can implement DNS pinning: the IP address is locked to the value received in the first DNS response. This technique may block some legitimate uses of Dynamic DNS, and may not work against all attacks. However, it is essential to fail secure (stop rendering) if the IP address does change, because using an IP address past the TTL expiration opens the opposite vulnerability when the IP address has legitimately changed and the expired IP address may now be controlled by an attacker.
  • Private IP addresses can be filtered out of DNS responses.
  • External public DNS servers with this filtering, e.g. OpenDNS.
  • Local sysadmins can configure the organization's local nameservers to block the resolution of external names into internal IP addresses. This has the downside of allowing an attacker to map the internal address ranges in use.
  • DNS filtering in a firewall or daemon, e.g. dnswall.
  • Web servers can reject HTTP requests with an unrecognized Host header.
  • The Firefox NoScript extension provides partial protection (for private networks).
The attack was first discovered in 1996 and affected the Java virtual machine.
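Three of the defences listed above can be shown in code. The following Python is an added example written for this page, not code from the original post: a Host-header allowlist check for a web server, a dnswall-style filter that drops non-public addresses from DNS answers (including IPv4-mapped IPv6 answers), and a small DNS-pinning resolver that fails closed when a name's answer changes mid-session. The allowlist entries (intranet.example, 192.168.1.10), the public sample address 11.22.33.44 and the two-step answer sequence for anydomain.com are constructed for the example.

```python
import ipaddress

# Constructed allowlist: the hostnames and addresses this intranet service
# legitimately answers for.  A rebound request still carries the attacker's
# domain (e.g. anydomain.com) in its Host header, so it is rejected.
ALLOWED_HOSTS = {"intranet.example", "192.168.1.10"}


def host_header_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Return True only if the HTTP Host header names this server."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal, optional :port
        end = host.find("]")
        if end == -1:
            return False
        host = host[1:end]
    elif host.count(":") == 1:               # hostname:port or IPv4:port
        host = host.split(":", 1)[0]
    return host in {h.lower() for h in allowed}


def filter_dns_answers(addresses):
    """dnswall-style filter: keep only answers that point at public address space.

    Returns (kept, dropped).  IPv4-mapped IPv6 answers are unwrapped first so
    that ::ffff:10.0.0.5 is treated as the private address 10.0.0.5.
    """
    kept, dropped = [], []
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            dropped.append(addr)             # unparsable answer: fail closed
            continue
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
            dropped.append(addr)
        else:
            kept.append(addr)
    return kept, dropped


class RebindDetected(Exception):
    """Raised when a pinned name resolves to a different address."""


class PinnedResolver:
    """DNS pinning: the first answer for a name is kept for the session.

    A later, different answer is the signature of a rebinding attempt, so the
    lookup fails closed instead of silently following the new address.
    """

    def __init__(self, lookup):
        self._lookup = lookup                # callable: name -> list of address strings
        self._pins = {}

    def resolve(self, name):
        answer = self._lookup(name)
        pinned = self._pins.get(name)
        if pinned is None:
            self._pins[name] = list(answer)
            return list(answer)
        if set(answer) != set(pinned):
            raise RebindDetected(f"{name}: pinned {pinned}, now answered {answer}")
        return list(pinned)


def constructed_rebinding_lookup():
    """Constructed stand-in for an attacker-controlled, low-TTL zone: the first
    query gets a public address, the second gets an internal one."""
    answers = iter([["11.22.33.44"], ["192.168.1.10"]])
    return lambda name: next(answers)


def demo():
    """Walk the two-step answer sequence past each defence; returns a summary tuple."""
    resolver = PinnedResolver(constructed_rebinding_lookup())
    first = resolver.resolve("anydomain.com")
    try:
        resolver.resolve("anydomain.com")
        pinning = "rebinding not detected"
    except RebindDetected:
        pinning = "rebinding detected"
    kept, dropped = filter_dns_answers(["11.22.33.44", "192.168.1.10"])
    host_ok = host_header_allowed("anydomain.com")
    return first, pinning, kept, dropped, host_ok


if __name__ == "__main__":
    print(demo())
```

The three checks are independent layers: the resolver filter stops the internal address from ever reaching the browser, pinning catches the mid-session change if it does, and the Host check lets the internal web server refuse the request even when both client-side layers are absent.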

Damn Small SQLi Scanner (DSSS): A Fully Functional SQL Injection Vulnerability Scanner

As optional settings it supports an HTTP proxy together with the HTTP header values User-Agent, Referer and Cookie.

Sample runs

$ python dsss.py -h
Damn Small SQLi Scanner (DSSS) < 100 LoC (Lines of Code) #v0.2o
by: Miroslav Stampar (@stamparm)

Usage: dsss.py [options]

Options:
  --version          show program's version number and exit
  -h, --help         show this help message and exit
  -u URL, --url=URL  Target URL (e.g. "http://www.target.com/page.php?id=1")
  --data=DATA        POST data (e.g. "query=test")
  --cookie=COOKIE    HTTP Cookie header value
  --user-agent=UA    HTTP User-Agent header value
  --referer=REFERER  HTTP Referer header value
  --proxy=PROXY      HTTP proxy address (e.g. "http://127.0.0.1:8080")
$ python dsss.py -u "http://testphp.vulnweb.com/artists.php?artist=1"
Damn Small SQLi Scanner (DSSS) < 100 LoC (Lines of Code) #v0.2o
 by: Miroslav Stampar (@stamparm)

* scanning GET parameter 'artist'
 (i) GET parameter 'artist' could be error SQLi vulnerable (MySQL)
 (i) GET parameter 'artist' appears to be blind SQLi vulnerable (e.g.: 'http://testphp.vulnweb.com/artists.php?artist=1%20AND%2061%3E60')

scan results: possible vulnerabilities found

Requirements

Python version 2.6.x or 2.7.x is required for running this program.

Download DSSS
Wikileaks Published New Vault7 Series Project of CIA ExpressLane

WikiLeaks has now leaked another CIA project, named 'ExpressLane'. The tool is used for information gathering.


WikiLeaks publishes secret documents from the ExpressLane project of the CIA. These documents show one of the cyber operations the CIA conducts against liaison services -- which includes among many others the National Security Agency (NSA), the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI).

The OTS (Office of Technical Services), a branch within the CIA, has a biometric collection system that is provided to liaison services around the world -- with the expectation for sharing of the biometric takes collected on the systems. But this 'voluntary sharing' obviously does not work or is considered insufficient by the CIA, because ExpressLane is a covert information collection tool that is used by the CIA to secretly exfiltrate data collections from such systems provided to liaison services.

ExpressLane is installed and run under the cover of upgrading the biometric software by OTS agents who visit the liaison sites. Liaison officers overseeing this procedure will remain unsuspicious, as the data exfiltration is disguised behind a Windows installation splash screen.

The core components of the OTS system are based on products from Cross Match, a US company specializing in biometric software for law enforcement and the Intelligence Community. The company hit the headlines in 2011 when it was reported that the US military used a Cross Match product to identify Osama bin Laden during the assassination operation in Pakistan.


CIA projects previously leaked by WikiLeaks


CouchPotato
10 August, 2017
Today, August 10th 2017, WikiLeaks publishes the User Guide for the CouchPotato project of the CIA. CouchPotato is a remote tool for collection against RTSP/H.264 video streams. It provides the ability to collect either the stream as a video file (AVI) or capture still images (JPG) of frames from the stream that differ significantly from a previously captured frame. It utilizes ffmpeg for video and image encoding and decoding as well as RTSP connectivity. CouchPotato relies on being launched in an ICE v3 Fire and Collect compatible loader.

Dumbo
3 August, 2017
Today, August 3rd 2017 WikiLeaks publishes documents from the Dumbo project of the CIA. Dumbo is a capability to suspend processes utilizing webcams and corrupt any video recordings that could compromise a PAG deployment. The PAG (Physical Access Group) is a special branch within the CCI (Center for Cyber Intelligence); its task is to gain and exploit physical access to target computers in CIA field operations.

Dumbo can identify, control and manipulate monitoring and detection systems on a target computer running the Microsoft Windows operating system. It identifies installed devices like webcams and microphones, either locally or connected by wireless (Bluetooth, WiFi) or wired networks. All processes related to the detected devices (usually recording, monitoring or detection of video/audio/network streams) are also identified and can be stopped by the operator. By deleting or manipulating recordings the operator is aided in creating fake evidence or destroying actual evidence of the intrusion operation.

Dumbo is run by the field agent directly from a USB stick; it requires administrator privileges to perform its task. It supports 32-bit Windows XP, Windows Vista, and newer versions of the Windows operating system. 64-bit Windows XP and Windows versions prior to XP are not supported.

Apparatus - A Graphical Security Analysis Tool For IoT Networks

ASTo - Apparatus Software Tool

An IoT network security analysis tool and visualizer


Apparatus is a security framework to facilitate security analysis in IoT systems. To make the usage of the Apparatus framework easier the ASTo app was created (ASTo stands for Apparatus Software Tool).

ASTo is a security analysis tool for IoT networks. It is developed to support the Apparatus security framework. ASTo is based on Electron and cytoscape.js. The icons are provided by Google's Material Design.

The application is still in prototyping stage, which means a lot of functionality is being added with each commit, along with massive changes in almost everything.

To Use

To clone and run this repository you'll need Git and Node.js installed on your computer.
To download and install the app, type the following in your terminal:

# Clone this repository
git clone https://github.com/Or3stis/apparatus.git
# Go into the repository
cd apparatus
# Install dependencies
npm install
# Run the app
npm start

Because the app is still in prototype stage, it is best to keep up to date with the most recent commits. To do so, before starting the app, type:

# inside the apparatus directory
# update to latest
git pull

The first window (home screen) will ask you to choose which modeling phase you would like to perform analysis in. After you select a phase, a native dialog window is displayed asking you to choose a file to load. By default, you can only choose .js or .json files.

You will find some example graphs in the graphs folder.

The architecture of ASTo

ASTo was designed with modularity and extendability in mind. Each module performs a specific function.

As with any Electron application, the first file that is being executed is the main.js. The main.js renders the index.html which is used as the home page of the app, so we can navigate to the different development phases.

Each phase has its own .html file where its graphical interface is declared.

  • Design phase -> design.html
  • Design state phase -> design-state.html
  • Implementation phase -> implementation.html
  • Implementation state phase -> implementation-state.html

Instructions

If you want to contribute, that's great news! Check the contributing guide. The application is being developed on Mac, which means that new commits might introduce breaking changes on other platforms, especially commits that involve access to the file system. If something is not working, don't hesitate to create an issue.

If you want to find out how the app works check the wiki.
You can check the project's planned features in the roadmap.

Download Apparatus

New Android Malware GhostCtrl Can Take Full Control Of Your Phone


  • This malware infects Android devices and spreads via apps like WhatsApp, MMS and even Pokémon GO.
  • It steals call logs, SMS, contacts, location and other mobile activity.
  • It can access your phone camera or record audio.


Trend Micro security researchers warn of a new Android malware called GhostCtrl, a variant of OmniRAT, which was found in 2015 and was known for remotely taking control of many operating systems, including Linux, Mac and Windows, with the touch of an Android device's button.

How does it infect?

The APK forces the user to install the malicious app: when the user tries to cancel the installation, the APK keeps displaying the prompt. According to the report, when the app is launched it base64-decodes a string from the resource file and writes it to disk; this is actually the malicious Android Application Package (APK).

How to protect?

  • Always Keep the device updated: Android patching is fragmented and organizations may have custom requirements or configurations needed to keep the device updated, so enterprises need to balance productivity and security
  • Apply the principle of least privilege—restrict user permissions for BYOD devices to prevent unauthorized access and installation of dubious apps
  • Implement an app reputation system that can detect and block malicious and suspicious apps
  • Deploy firewalls, intrusion detection, and prevention systems at both the endpoint and mobile device levels to preempt the malware’s malicious network activities
  • Enforce and strengthen your mobile device management policies to further reduce potential security risks
  • Employ encryption, network segmentation and data segregation to limit further exposure or damage to data
  • Regularly back up data in case of device loss, theft, or malicious encryption.

DMitry A Deepmagic Information Gathering Tool


DMitry (Deepmagic Information Gathering Tool) is a UNIX/(GNU) Linux command-line application written in C.

DMitry has the ability to gather as much information as possible about a host. Its base functionality can gather possible subdomains, email addresses, uptime information, a TCP port scan, whois lookups, and more. The information is gathered using the following methods:


  • Perform an Internet Number whois lookup.
  • Retrieve possible uptime data, system and server data.
  • Perform a SubDomain search on a target host.
  • Perform an E-Mail address search on a target host.
  • Perform a TCP Portscan on the host target.
  • A modular program allowing user-specified modules.

Download and installation

DMitry can be downloaded by issuing the following commands:

$ cd /data/src/
$ wget http://mor-pah.net/code/DMitry-1.3a.tar.gz


For installation, issue the following commands:

$ tar xzvf DMitry-1.3a.tar.gz
$ cd DMitry-1.3a/
$ ./configure
$ make
$ sudo make install

Then optionally create a symbolic link to your /pentest/ directory:

$ mkdir -p /pentest/enumeration/dmitry/
$ ln -s /usr/local/bin/dmitry /pentest/enumeration/dmitry/dmitry

Use

help
DMitry help can be displayed by issuing:

$ dmitry --help

Download 

Pompem - Exploit and Vulnerability Finder Pentester Tool


Pompem is an open source tool designed to automate the search for exploits and vulnerabilities in the most important databases.

It is developed in Python and has an advanced search system that helps the work of pentesters and ethical hackers. In the current version, it searches PacketStorm Security, CXSecurity, ZeroDay, Vulners, the National Vulnerability Database and the WPScan Vulnerability Database.

Source code

You can download the latest tarball by clicking here or latest zipball by clicking here.

You can also download Pompem directly from its Git repository:

$ git clone https://github.com/rfunix/Pompem.git

Dependencies

Pompem works out of the box with Python 3.5 on any platform and requires the following packages:

Requests 2.9.1+

Installation

Get Pompem up and running in a single command:

$ pip3.5 install -r requirements.txt

Usage

To get the list of basic options and information about the project:

$ python3.5 pompem.py -h

Options:

  -h, --help                              show this help message and exit
  -s, --search <keyword,keyword,keyword>  text for search
  --txt                                   Write txt File
  --html                                  Write html File

Examples of use:

$ python3.5 pompem.py -s Wordpress
$ python3.5 pompem.py -s Joomla --html
$ python3.5 pompem.py -s "Internet Explorer,joomla,wordpress" --html
$ python3.5 pompem.py -s FortiGate --txt
$ python3.5 pompem.py -s ssh,ftp,mysql

Download 

A Simple Static Malware Analyzer SSMA Tool Written in Python 3

A Simple Static Malware Analyzer SSMA Tool

SSMA is a simple malware analyzer written in Python 3. 


Features: 


  1. Analyze PE file’s header and sections (number of sections, entropy of sections/PE file, suspicious section names, suspicious flags in the characteristics of the PE file, etc.) 
  2. Searches for possible domains, e-mail addresses, IP addresses in the strings of the file. 
  3. Checks if domain is blacklisted based on abuse.ch’s Ransomware Domain Blocklist and malwaredomains.com’s blocklist. 
  4. Looks for Windows functions commonly used by malware. 
  5. Get results from VirusTotal and/or upload files. 
  6. Malware detection based on Yara-rules 
  7. Detect well-known software packers. 
  8. Detect the existence of cryptographic algorithms. 
  9. Detect anti-debug and anti-virtualization techniques used by malware to evade automated analysis. 
  10. Find if documents have been crafted to leverage malicious code. 
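Features 1 and 7 above rest on two simple static checks: section entropy and known packer section names. The following Python is an added example, not SSMA's own code: it computes Shannon entropy per section, flags sections at or above 7 bits/byte as possibly packed or encrypted, and matches section names against a small constructed list of packer names. The sample sections are constructed byte strings rather than a parsed PE file.

```python
import math
from collections import Counter

# Section names that well-known packers leave in a PE file.  Constructed,
# deliberately short list for this example; a real analyzer carries a larger set.
PACKER_SECTION_NAMES = {
    "UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite", ".MPRESS1", ".MPRESS2",
    ".themida", ".vmp0", ".vmp1", ".nsp0", ".nsp1",
}
# Names a normal toolchain produces; anything else is worth a second look.
COMMON_SECTION_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                        ".rsrc", ".reloc", ".pdata", ".tls", ".CRT"}
HIGH_ENTROPY = 7.0   # bits per byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_section(name, data):
    """Return a list of findings for one section (empty list means nothing suspicious)."""
    findings = []
    ent = shannon_entropy(data)
    if name in PACKER_SECTION_NAMES:
        findings.append(f"packer section name {name!r}")
    elif name not in COMMON_SECTION_NAMES:
        findings.append(f"unusual section name {name!r}")
    if ent >= HIGH_ENTROPY:
        findings.append(f"high entropy {ent:.2f} bits/byte (packed or encrypted?)")
    return findings


def analyze_sections(sections):
    """sections: iterable of (name, raw_bytes).  Returns {name: findings} for suspicious sections only."""
    report = {}
    for name, data in sections:
        findings = classify_section(name, data)
        if findings:
            report[name] = findings
    return report


def constructed_sample():
    # Constructed stand-in for a packed binary: an empty UPX0 section, a UPX1
    # section holding every byte value equally often (maximal entropy), and a
    # plain .rsrc section of zeros (zero entropy, common name: nothing to report).
    return [
        ("UPX0", b""),
        ("UPX1", bytes(range(256)) * 4),
        (".rsrc", b"\x00" * 512),
    ]


if __name__ == "__main__":
    for name, findings in analyze_sections(constructed_sample()).items():
        print(name, "->", "; ".join(findings))
```

On a real file the section names and raw bytes would come from the PE section table; entropy alone produces false positives on legitimately compressed resources, which is why the name check is reported as a separate finding rather than folded into one score.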

Usage: 

git clone https://github.com/secrary/SSMA
cd SSMA
sudo pip3 install -r requirements.txt
python3 ssma.py -h
python3 ssma.py -k api-key file.exe

You can either scan the file statically or also upload it to VirusTotal using your API key.

python3 ssma.py file.exe
python3 ssma.py -k api-key file.exe

Download


MongoDB-HoneyProxy: A Honeypot Proxy For MongoDB Server


When run, this will proxy and log all traffic to a dummy MongoDB server. MongoDB-HoneyProxy was created in response to the 'MongoDB Apocalypse'.

Pre-requisites:

  • sudo apt-get install nodejs npm gcc g++
  • You'll also need to install MongoDB for this to function, as this project works as a logging proxy.

Setup

  • Create a MongoDB database. Some good dummy data can be found here. Another good tool is JSON Generator, which generates fake json that can then be converted to bson.
  • Then, install the project:
git clone https://github.com/Plazmaz/MongoDB-HoneyProxy.git
cd MongoDB-HoneyProxy
sudo npm install

To run the project, simply use node index.js
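A logging proxy of this kind has to understand at least the MongoDB wire-protocol header to record what a connecting client asks for. The following is an added example, written in Python to keep this page's examples in one language and not taken from the MongoDB-HoneyProxy project: it parses the 16-byte MsgHeader (messageLength, requestID, responseTo, opCode as little-endian int32), names the op code, extracts the collection name from OP_QUERY frames, and refuses truncated or length-mismatched frames instead of guessing. The sample frames (admin.$cmd, customers.users and a three-byte fragment) are constructed inside the block.

```python
import struct

# MongoDB wire-protocol op codes (from the protocol specification).
OP_CODES = {
    1: "OP_REPLY", 2001: "OP_UPDATE", 2002: "OP_INSERT", 2004: "OP_QUERY",
    2005: "OP_GET_MORE", 2006: "OP_DELETE", 2007: "OP_KILL_CURSORS",
    2012: "OP_COMPRESSED", 2013: "OP_MSG",
}
HEADER_LEN = 16  # messageLength, requestID, responseTo, opCode: four little-endian int32


def parse_header(buf):
    """Parse the 16-byte MsgHeader; returns None if the buffer is too short."""
    if len(buf) < HEADER_LEN:
        return None
    length, request_id, response_to, op_code = struct.unpack_from("<iiii", buf, 0)
    return {"length": length, "request_id": request_id, "response_to": response_to,
            "op": OP_CODES.get(op_code, f"UNKNOWN({op_code})")}


def read_cstring(buf, offset):
    """Read a NUL-terminated string starting at offset; returns (text, next_offset)."""
    end = buf.find(b"\x00", offset)
    if end == -1:
        raise ValueError("unterminated cstring")
    return buf[offset:end].decode("utf-8", errors="replace"), end + 1


def summarize_message(buf):
    """One log line per client frame: op code plus, for OP_QUERY, the collection."""
    hdr = parse_header(buf)
    if hdr is None:
        return "short read: fewer than 16 bytes"
    if hdr["length"] != len(buf):
        return f"{hdr['op']} length mismatch: header says {hdr['length']}, got {len(buf)}"
    line = f"{hdr['op']} reqid={hdr['request_id']}"
    if hdr["op"] == "OP_QUERY":
        # OP_QUERY body: int32 flags, cstring fullCollectionName, int32 skip,
        # int32 numberToReturn, then the BSON query document.
        collection, _ = read_cstring(buf, HEADER_LEN + 4)
        line += f" collection={collection}"
    return line


def build_op_query(request_id, collection, bson_query):
    """Constructed OP_QUERY frame, used only to produce sample traffic for this example."""
    body = (struct.pack("<i", 0) + collection.encode() + b"\x00"
            + struct.pack("<ii", 0, 1) + bson_query)
    total = HEADER_LEN + len(body)
    return struct.pack("<iiii", total, request_id, 0, 2004) + body


# Minimal BSON for {}: int32 document length (5) followed by the terminating 0x00.
EMPTY_BSON = struct.pack("<i", 5) + b"\x00"

# Constructed sample of the first frames a scanner might send to the honeypot.
SAMPLE_FRAMES = [
    build_op_query(1, "admin.$cmd", EMPTY_BSON),
    build_op_query(2, "customers.users", EMPTY_BSON),
    b"\x01\x02\x03",                        # garbage / truncated frame
]


def log_frames(frames):
    """Return the log lines the proxy would write for a sequence of client frames."""
    return [summarize_message(f) for f in frames]


if __name__ == "__main__":
    for line in log_frames(SAMPLE_FRAMES):
        print(line)
```

In the real proxy the frames arrive on a TCP socket and are forwarded to the dummy server after logging; the parser above is what turns the raw bytes into the "who asked for which collection" record that makes the honeypot useful.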

Download

EAST: Exploits And Security Tools For Penetration Testing Framework


A pentest framework environment is the basis of an IT security specialist's toolkit. This software is essential both for learning about and improving knowledge of attacks on IT systems, and for inspections and proactive protection.


The need for a native, comprehensive, open-source pentest framework with a high level of trust has existed for a long time. That is why the EAST framework was created for native and native-friendly IT security markets. EAST is a framework that has all the necessary resources to run a wide range of exploits, from web to buffer overruns. EAST differs from similar toolkits in its ease of use: even a beginner can handle it and start to advance in IT security.


Main features:

  • Framework security. Software used for IT security must have a high level of user trust. EAST is realized in easy-to-check open-source Python code, used for all parts of the framework and its modules. The relatively small amount of code eases its verification by any user. No OS changes are applied during software installation.
  • Maximum framework simplicity. Download the archive and launch the main Python script start.py, which allows exploits to be started and stopped and handles message traffic. Everything is handled locally or remotely via a browser.
  • Simplicity of exploit creation and editing. Modules and exploits can be edited and added on the fly without a restart. The module code body is easy and minimal in size.
  • Cross-platform with minimal requirements and dependencies. Tested on Windows and Linux; it should function everywhere Python is installed. The framework contains all its dependencies and does not download additional libraries.
  • Full capacity of a vanilla pentest framework. In spite of its simplicity and lack of "overload", the framework has all the necessary resources to run a wide range of exploits, from web to buffer overruns.
  • Wide enhancement possibilities. Third-party developers can create their own open-source solutions or participate in EAST development by using the server-client architecture, message-traffic API and support libraries.

2. Requirements

  • Python 2

3. Usage

git clone https://github.com/C0reL0ader/EaST && cd EaST
python start.py [-p PORT] [--all-interfaces]

Download EAST
