Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.

2012-02-12 Thread Rob Fuller
I've tested 6 models of Linksys, all of them appear to disable WPS
completely as soon as a single wireless setting is set. I assume this
would be the reason Cisco/Linksys aren't putting much stock in
'fixing' it further. If anyone has any experience to contradict this
or has a modification to current tools to circumvent what I've
perceived as disabled, I, as I'm sure Craig, would be very interested.

--
Rob Fuller | Mubix
Certified Checkbox Unchecker
Room362.com | Hak5.org



On Sat, Feb 11, 2012 at 4:23 PM,  farthva...@hush.ai wrote:
 _
 Use Tomato-USB OS on them.
 _

 Besides you void warranty...
 list of DD-WRT Supported routers:

  E1000        supported
  E1000 v2     supported
  E1000 v2.1   supported
  E1200 v1     ???
  E1200 v2     ???
  E1500        ???
  E1550        ???
  E2000        supported
  E2100L       supported
  E2500        not supported
  E3000        supported
  E3200        supported
  E4200 v1     not supported yet
  E4200 v2     not supported
  M10          
  M20          
  M20 v2       
  RE1000       
  WAG120N      not supported
  WAG160N      not supported
  WAG160N v2   not supported
  WAG310G      not supported
  WAG320N      not supported
  WAG54G2      not supported
  WAP610N      not supported
  WRT110       not supported
  WRT120N      not supported
  WRT160N v1   supported
  WRT160N v2   not supported
  WRT160N v3   supported
  WRT160NL     supported
  WRT310N v1   supported
  WRT310N v2   not supported yet
  WRT320N      supported
  WRT400N      supported
  WRT54G2 v1   supported
  WRT54G2 v1.3 supported
  WRT54G2 v1.5 not supported
  WRT54GS2 v1  supported
  WRT610N v1   supported
  WRT610N v2   supported
  X2000        not supported
  X2000 v2     not supported
  X3000        not supported.

 _

 Fixing?  Heh.

 Aside from rate limiting WPS, there isn't much of a fix, and you can't turn 
 it off either.
 _

 What about removing WuPS entirely?

 WuPS is a total failure because:

 1. Even if everything is fine, 8 digits long is very weak because once you got 
 the pin after 7 months - 2 years for example, you are completely pwned.

 2. The pin number is fixed; you can't change it to a longer number or maybe a 
 string like omgponnies.

 3. Setting up a WPA2 password manually is a piece of cake (even with keypad 
 only cell phones); if some people are lazy, you don't have to weaken the 
 security of a strong protocol.

 Farth Vader

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/



Re: [Full-disclosure] [VIDEO] Keylogger, RecordMic and Shell

2011-01-25 Thread Rob Fuller
I think you forgot to remove the meterpreter prompt from your video.
Just sayin.. should be an easy fix.

--
Rob Fuller | Mubix
Certified Checkbox Unchecker
Room362.com | Hak5.org



On Mon, Jan 24, 2011 at 3:48 PM, runlvl run...@gmail.com wrote:
 Typo!
 Here is the link: http://www.youtube.com/watch?v=EY7lWQB23ek

 2011/1/24 runlvl run...@gmail.com

 We recorded a new technical video of remote keylogging and recording from
 a remote mic and it is available online on youtube!
 These functionalities are being used through an exploit, and in the video we
 show how to obtain a full remote shell too :-)

 Take a look at: http://www.youtube.com/watch?v=EY7lWQB23ek

 Hope you enjoy!

 Cheers
 Juan Sacco

 --
 _
 Insecurity Research - Security auditing and testing software
 Web: http://www.insecurityresearch.com
 Insect Pro 2.0 was released, stay tuned







Re: [Full-disclosure] PuTTY private key passphrase stealing attack

2010-05-31 Thread Rob Fuller
Couldn't this also be thwarted by having a MOTD? It generally displays
before the bashrc if I'm not mistaken.

--
Rob Fuller | Mubix
Room362.com | Hak5.org



On Mon, May 31, 2010 at 8:47 PM, Jan Schejbal
jan.mailinglis...@googlemail.com wrote:
 PuTTY, an SSH client for Windows, requests the passphrase to the ssh key in
 the console window used for the connection. This could allow a malicious
 server to gain access to a user's passphrase by spoofing that prompt.

 We assume that the user is using key-based ssh auth with ssh and connects
 using PuTTY. PuTTY now asks for the passphrase to the key. The user enters
 the passphrase. If the passphrase is wrong, PuTTY will now request the
 passphrase again after stating that it was wrong. If the passphrase is
 correct, the connection to the server is established.

 A malicious/manipulated server could then display "Wrong passphrase" and ask
 for the passphrase again. If the user enters it again, it is sent to the
 malicious server.

 As far as I can see, there are only two ways the user might detect it:

 1. The real "Wrong passphrase" message is displayed without delay. After
 entering the correct passphrase, a small delay occurs.

 2. The prompt contains the name of the key as stored on the client. Often
 the same name is used in the authorized_keys file on the server, giving it
 to the attacker. Maybe it is also possible for the server to remotely read
 the screen contents or duplicate it using some xterm control sequences, so
 users should not rely on it.

 (See also the attached screenshot, where you can see that there is no
 visible difference.)

 I assume that there are more similar issues like this one using different
 authentication modes etc.

 This can be exploited using a modified .bashrc file. This means that once an
 attacker has gained access to a user account on the server, he can try this
 to gain the passphrase to the key.

 Impact:
 Low.
 As a malicious server is required, the attack probability is not very high.
 Without the keyfile, the passphrase is worthless to the attacker unless it
 is used in multiple places. However, key-based auth is supposed to be secure
 even with untrusted/malicious servers.

 Developer notification:
 The possibility of such spoofing attacks is known:
 http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/gui-auth.html

 Workaround:
 Load the key into the Pageant agent before establishing the connection.

 Other software affected:
 Probably many console-based SSH tools have similar issues.





[Full-disclosure] Non ZDI Post - EOM

2010-04-02 Thread Rob Fuller



Re: [Full-disclosure] [GSEC-TZO-45-2009] iPhone remote code execution

2009-07-23 Thread Rob Fuller
Are there memory protections in 3.x to stop this or is it purely a lack of
time/testing to find the exploit vector?

--
Rob Fuller | Mubix
Room362.com | Hak5.org | TheAcademyPro.com


2009/7/23 Thierry Zoller thie...@zoller.lu


 Fell quite behind on this one, here it is.
 ___

  Phone iPod Touch - Remote arbitrary code execution
 ___


 Reference : [GSEC-TZO-45-2009] - iPhone remote arbitrary code execution
 WWW   : http://www.g-sec.lu/iphone-remote-code-exec.html
 CVE   : CVE-2009-1698
 BID   : 35318
 Credit: http://support.apple.com/kb/HT3639
 Discovered by : Thierry Zoller

 Affected products :
 - iPhone OS 1.x through 2.2.1
 - iPhone OS for iPod touch 1.x through 2.2.1

 I. Background
 Wikipedia quote: Apple Inc. (NASDAQ: AAPL) is an American multinational
 corporation which designs and manufactures consumer electronics and software
 products. The company's best-known hardware products include 

 II. Description
 Calling the CSS attr() attribute with a large number leads to memory
 corruption, heap spraying allows execution of code.

 III. Impact
 Arbitrary remote code execution can be achieved by creating a special
 website and enticing the victim into visiting that site.

 IV. Proof of concept
 None will be released


 VI. About
 G-SEC ltd. is an independent security consultancy group, founded to
 address the growing need for all-round (effective) security consultancy
 in Luxembourg.

 By providing extensive security auditing, rigid policy design, and
 implementation of cutting-edge defensive/offensive systems, G-SEC
 ensures robust, thorough, and uncompromising protection for
 organizations seeking enterprise wide data security.




Re: [Full-disclosure] (no subject)

2009-07-21 Thread Rob Fuller
I'm sorry, long time reader of FD, it's a great mashup of hilarity and vuln
disclosure. But this takes the cake. I can't sit silent for this one:

Are you OUTSIDE your mind? 4chan? and not even 4chan.org, an archive site.
This is the very core of the White Hat being? If this is truly an 'agent
of AntiSec', which I highly doubt, you must be selecting low hanging fruit
and finding any possible way to associate it with those you hate.

I hope those who are in Anti-Sec if there really is such a thing, come and
hunt you down... and that's the way it is... for July 21st, 2009

--
Rob Fuller | Mubix
Room362.com | Hak5.org | TheAcademyPro.com


On Tue, Jul 21, 2009 at 9:39 PM, Ed Carp e...@pobox.com wrote:

 Do not fuck with anti-suck.  LOL!

