Category: Network Hacking

Sep 27 2013

16-Year Old Arrested Over World’s Biggest Cyber Attack

Spamhaus DDoS AttackIn March 2013, a distributed denial of service (DDoS) attack of unprecedented ferocity was launched against the servers of Spamhaus, an international non-profit dedicated to battling spam.

The March Spamhaus attack peaked at 300 gigabits per second, Spamhaus CEO Steve Linford told the BBC at the time – the largest ever recorded, with enough force to cause worldwide disruption of the internet.

In April, one suspect was arrested in Spain.

Now, it’s come to light, another suspect was also secretly arrested in April – this one being a London schoolboy.

The 16-year-old was arrested as part of an international dragnet against a suspected organised crime gang, reports the London Evening Standard.

Detectives from the National Cyber Crime Unit detained the unnamed teenager at his home in southwest London.

The newspaper quotes a briefing document on the British investigation, codenamed Operation Rashlike, about the arrest:

“The suspect was found with his computer systems open and logged on to various virtual systems and forums. The subject has a significant amount of money flowing through his bank account. Financial investigators are in the process of restraining monies”.

Officers seized his computers and mobile devices.

The boy’s arrest, by detectives from the National Cyber Crime Unit, followed an international police operation against those suspected of carrying out the massive cyber attack, which slowed down the internet worldwide.

The briefing document says that the DDoS affected services that included the London Internet Exchange.

The boy has been released on bail until later this year, the London Evening Standard reports.

Feb 27 2013

ARPwner – ARP & DNS Poisoning Attack Tool

ARPwner is a tool to do ARP poisoning and DNS poisoning attacks, with a simple GUI and a plugin system to do filtering of the information gathered, also has a implementation of sslstrip and is coded 100% in python and on Github, so you can modify according to your needs.

arpwner

This tool was released by Nicolas Trippar at BlackHat USA 2012.

For the tool to work you need pypcap, so assuming are using a Debian derivative OS (like all sane people do) – you’ll need to do this first:

“apt-get install python-pypcap”

Download: ARPwner.zip

Read More: ARPwner @ GitHub

Jul 11 2012

How DNSChanger Malware Works

DNSChangerDNSChanger is malicious software (malware) that changes a user’s Domain Name System (DNS) settings, in order to divert traffic to unsolicited and potentially illegal sites.

Beginning in 2007, the cyber ring responsible for DNSChanger operated under the company name “Rove Digital” and used the malware to manipulate users’ Web activity by redirecting unsuspecting users to rogue DNS servers hosted in Estonia, New York, and Chicago. In some cases, the malware had the additional effect of preventing users’ anti-virus software and operating systems from updating, thereby exposing infected machines to even more malicious software.

FBI has since seized the rogue DNS servers and the botnet’s command-and-control (C&C) servers as part of “Operation Ghost Click” and the servers are now under their control. To assist victims affected by the DNSChanger, the FBI obtained a court order authorising the Internet Systems Consortium (ISC) to deploy and maintain temporary legitimate DNS servers, replacing the Rove Digital malicious network. As mentioned earlier, this is by no means a permanent solution and does not remove malware from infected systems; it just provides additional time for victims to clean affected computers and restore their normal DNS settings. According to the court order-which expired on 9 July 2012-the clean DNS servers will be turned off and computers still infected by DNSChanger malware may lose Internet connectivity.

To put this into perspective, DNS is an Internet service that converts user-friendly domain names into the numerical IP addresses that computers use to talk to each other. When you enter a domain name into your Web browser address bar, your computer contacts DNS servers to determine the IP address for the website you are intending to visit. Your computer then uses this IP address to locate and connect to the website. DNS servers are operated by your Internet service provider (ISP) and are included in your computer’s network configuration.

DNS Work DNSChanger Work
How DNS Works How DNSChanger Works

With the ability to change a computer’s DNS settings, malware authors can control what websites a computer connects to on the Internet and can force a compromised computer to connect to a fraudulent website or redirect the computer away from an intended website. To do that, a malware author needs to compromise a computer with malicious code, which in this case is DNSChanger. Once the computer is compromised, the malware modifies the DNS settings from the ISP’s legitimate DNS server’s address to the rogue DNS server’s address, in this case, advertisement websites.

A task force has been created, called the DNSChanger Working Group (DCWG), to help people determine if their computers have been compromised by this threat and to also help them remove the threat.

Jan 25 2012

Attackers Using DNS Poisoning to Hijack Domains, Divert Traffic

DNS PoisoningSeveral “activist hackers” appear to be using DNS poisoning and other attacks against the Domain Name System to divert users away from legitimate sites.

Instead of just launching distributed denial-of-service attacks, cyber-attackers have started hijacking domain names and redirecting traffic from legitimate sites to malicious ones.

The hacker group Anonymous recently managed to hijack the Domain Name System record for CBS.com and redirected all traffic to another Web server that displayed an empty directory structure. It appeared as if the contents of CBS.com had been wiped, but it was actually a different server altogether. CBS.com managed to regain control of its domain after the DNS poisoning attack.

A group of attackers called UGNazi, which may or may not have Anonymous sympathies, was behind a similar attack on the Website of the Ultimate Fighting Championship over the weekend. The UFC had supported the controversial Stop Online Piracy Act and Protect IP Act bills, which are now temporarily shelved in Congress. The same group hijacked two domains belonging to luxury handbag and leather goods retailer Coach and diverted the traffic.

“We arn’t done…not even close,” the attackers wrote on their Website. A short list of “targets” on the site explained the attacks were a result of the organizations’ support of SOPA.

Both Coach and UFC registered their domains through Network Solutions. It was evident the attackers had accessed Network Solutions’ domain management accounts. While it was unclear how they had done so, the cause is usually weak or compromised user passwords or a vulnerability in the registrar’s Website.

SOPA-related attacks continued this week and don’t appear to be abating. Anonymous attacked OnGuardOnline, a government-managed Website devoted to keeping users secure online. Some Anonymous members said the OnGuardOnline attack was in retaliation for SOPA and PIPA, as well as the proposed international agreement on combating online piracy, according to a message posted Jan. 23 on text-sharing site Pastebin,.

“If SOPA/PIPA/ACTA passes we will wage a relentless war against the corporate Internet, destroying dozens upon dozens of government and company Websites,” the message read.

Dec 29 2011

Reaver – WiFi Protected Setup Brute Force Attack Tool

Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases, as described in http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf.

Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.

On average Reaver will recover the target AP’s plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.

While Reaver does not support reconfiguring the AP, this can be accomplished with wpa_supplicant once the WPS pin is known.

Description:
Reaver targets the external registrar functionality mandated by the WiFi Protected Setup specification. Access points will provide authenticated registrars with their current wireless configuration (including the WPA PSK), and also accept a new configuration from the registrar.

In order to authenticate as a registrar, the registrar must prove its knowledge of the AP’s 8-digit pin number. Registrars may authenticate themselves to an AP at any time without any user interaction. Because the WPS protocol is conducted over EAP, the registrar need only be associated with the AP and does not need any prior knowledge of the wireless encryption or configuration.

Reaver performs a brute force attack against the AP, attempting every possible combination in order to guess the AP’s 8 digit pin number. Since the pin numbers are all numeric, there are 10^8 (100,000,000) possible values for any given pin number. However, because the last digit of the pin is a checksum value which can be calculated based on the previous 7 digits, that key space is reduced to 10^7 (10,000,000) possible values.

The key space is reduced even further due to the fact that the WPS authentication protocol cuts the pin in half and validates each half individually. That means that there are 10^4 (10,000) possible values for the first half of the pin and 10^3 (1,000) possible values for the second half of the pin, with the last digit of the pin being a checksum.

Reaver brute forces the first half of the pin and then the second half of the pin, meaning that the entire key space for the WPS pin number can be exhausted in 11,000 attempts. The speed at which Reaver can test pin numbers is entirely limited by the speed at which the AP can process WPS requests. Some APs are fast enough that one pin can be tested every second; others are slower and only allow one pin every ten seconds. Statistically, it will only take half of that time in order to guess the correct pin number.

Installation:
Reaver is only supported on the Linux platform, requires the libpcap and libsqlite3 libraries, and can be built and installed by running:

$ ./configure
$ make
# make install

To remove everything installed/created by Reaver:

# make distclean

Usage:
Usually, the only required arguments to Reaver are the interface name and the BSSID of the target AP:

# reaver -i mon0 -b 00:01:02:03:04:05

Download: reaver-1.3.tar.gz

Reaver Home: http://code.google.com/p/reaver-wps/