Nmap 5.21 Released and Video Tutorial

Filed Under (free software, hacking, networking, security, software, tutorial, video) by chris on 01-27-2010


If you follow this blog, you know that I did an article on the first stable release of Nmap http://www.pccybertek.com/2010/01/nmap-5-20-released yesterday. Now that it has been out for a week, Fyodor has already released another update, Nmap 5.21, which is also a stable release and not a beta. It’s mainly just a bug fix release. So I have updated the download section here with a link to the 5.21 release, which is on the right column about 3/4 of the way down the page. My download link is directly to the file on the insecure.org website or you can go to the Nmap download page yourself.

But I don’t want to just tell you about the update, I’d like to offer you some more since you took the time to stop by here. So here is a link to Iron Geek’s Basic Nmap Tutorial video. And if you already know the basics and would like to move on to some more advanced lessons, here is Iron Geek’s Nmap Video Tutorial 2: Port Scan Boogaloo. Happy port knocking.

Adobe Shockwave Player Security Vulnerabilities

Filed Under (adobe, patch, security) by chris on 01-26-2010


Somehow this one slipped by me because it was published by Adobe on the 19th.

Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.2.602 and earlier versions, on the Windows and Macintosh operating systems. The vulnerabilities could allow an attacker, who successfully exploits the vulnerabilities, to run malicious code on the affected system. Adobe has provided a solution for the reported vulnerabilities. It is recommended that users update their installations to the latest version using the instructions provided above.

This update resolves a buffer overflow vulnerability that could potentially lead to code execution (CVE-2009-4002).

This update resolves multiple integer overflow vulnerabilities that could potentially lead to code execution (CVE-2009-4003).

Download Adobe Shockwave Player version 11.5.6.606 here

You can find out which version you have by going here: Test Adobe Shockwave Player

Nmap 5.20 Released

Filed Under (Mac & PC, free software, networking, security) by chris on 01-26-2010


Fyodor has released Nmap 5.20. This is the first stable release, or non-beta release, of Nmap since July 2009. And like usual, it has a lot of nice improvements and upgrades. If I could only have one security tool, Nmap would be it. It’s the first, and sometimes the only, program I run when I want to do any kind of security audit or if I want an inventory of the LAN and which services are running.

Another Adobe Acrobat Reader 0-Day Exploit

Filed Under (0day, adobe, malware, patch, security) by chris on 01-07-2010


Here we go again. This isn’t news hot off the press, but I decided I should post about it here just in case some of you have missed it. There has been another Adobe Acrobat Reader exploit, CVE-2009-4324. Since it was first disclosed back in the middle of December, it has grown even nastier. The Internet Storm Center over at sans.org has a good analysis of one of the current variants.

There are still a couple of days before Adobe releases a patch, which will finally be released on Jan 12. Adobe suggests you disable Java support until then. This is not the first time this has happened. What I’m suggesting is that even after this is patched, just keep Java disabled. If you open a PDF file that requires Java support, you could always turn it back on. With so many exploits in the wild, and how long it takes for the antivirus vendors to discover them (this one won’t be fixed for almost a month since it was first disclosed publicly), it’s better safe than sorry. Just disable Java support for good. Here’s how to disable Java support in Adobe Acrobat Reader:

Quoted from Adobe.com:

SOLUTION

Customers using Adobe Reader or Acrobat versions 9.2 or 8.1.7 can utilize the JavaScript Blacklist Framework to prevent this vulnerability. Please refer to the TechNote for more information.

Customers who are not able to utilize the JavaScript Blacklist functionality can mitigate the issue by disabling JavaScript in Adobe Reader and Acrobat using the instructions below:
1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the ‘Enable Acrobat JavaScript’ option
5. Click OK

Customers using Microsoft DEP (“Data Execution Prevention”) functionality available in certain versions of Microsoft Windows are at reduced risk in the following configurations:

All versions of Adobe Reader 9 running on Windows Vista SP1 or Windows 7
Acrobat 9.2 running on Windows Vista SP1 or Windows 7
Acrobat and Adobe Reader 9.2 running on Windows XP SP3
Acrobat and Adobe Reader 8.1.7 running on Windows XP SP3, Windows Vista SP1, or Windows 7

With the DEP mitigation in place, the impact of this exploit has been reduced to a Denial of Service during our testing.

Watch your docs and surf safe

Metasploit Framework 3.3 Just Released

Filed Under (Uncategorized, download, free software, hacking, malware, security, software) by chris on 11-20-2009


It’s been about a year since one of the best pen testing tools has seen an upgrade to the framework. Metasploit Framework 3.3 is now available. Not only does it support Linux, Windows, OS X, and many versions of BSD, but now it also supports Windows 7. And according to the website this release has 446 exploits, 216 auxiliary modules, and hundreds of payloads, including an in-memory VNC service and the Meterpreter. However, one of the new features that I’m pleased about is you can now run a full console version in Windows using Cygwin, which is how I like to run nmap when I’m on my Windows computers, and RXVT. To be honest, I haven’t fired up any of my Linux machines in a while. I just boot from a Linux Live CD most of the time, but I digress.
The Windows installer works on all versions of Windows from 2000 to Windows 7 and the Linux installer works on most versions of Linux released in the last five years.
I’d like to point out, this is not a toy. This is the bad boy of penetration testing tools. I love using this because I know that if I can’t get into the system I’m testing with it, I can feel pretty confident that system is pretty secure. I wouldn’t go so far as to say that I’m 100% secure because I’ve been doing this long enough to know there is no such thing. But if you can’t successfully attack one of your computers with this, then chances are neither can the script kiddies.

Fake Adobe Flash Player

Filed Under (0day, adobe, fix, malware, security, virus) by chris on 09-11-2009


There is a fake Adobe Flash Player updater that monitors your Google searches. It looks just like the Adobe Flash installer. I’m not sure where I picked it up, but luckily I found this fake Adobe Flash Player on a computer running Firefox. Good thing I run NOD 32. I have been getting a notice that NOD 32 was blocking an outbound connection.

I found out that I was infected by this Fake Adobe Flash Player

While that website does tell you how to figure out if you have it or not, it doesn’t really tell you how to remove it, unless you buy their program. So I’m currently in the process of removing it. If you do have it, you’ll want to stop it right now! I’ve found that by going into Firefox’s extensions (Tools -> Addons -> extensions) you can disable Adobe Player 0.2 and restart Firefox. After doing this, I no longer got the warning from NOD 32 that it’s blocking the connection to that msjupdate site, which I don’t know why it hasn’t been shut down yet.
I found socks.exe was running and when I looked for that file, I found it in my Windows/system folder with a creation date of 09-09-09, so I stopped socks.exe and renamed it socks.bak. I would have deleted it, but just in case it wasn’t installed by this Trojan, I figure it’s better to rename it. If some legit program I have starts complaining that socks.exe is missing, I can always rename it back to socks.exe.

Once I’ve figured out how to completely remove it, I will update this post. In the meantime, disabling it will work. It’s after 3AM and I should have been in bed hours ago, but this was too important not to immediately warn you about it and give you at least a way of stopping it until I can post removal instructions.

Another Adobe Update

Filed Under (acrobat reader, adobe, patch, security) by chris on 08-10-2009

There has been another Adobe Acrobat Reader update released. Since this was not a planned update, there must be something nasty floating around on the net. I’d suggest you update Acrobat Reader ASAP, if you haven’t already. You probably already know how to do it, since there have been so many updates recently. In case you don’t, just run Adobe Acrobat Reader and go to the Help menu up at the top. Under Help you will want to select Check For Updates and in that window, select Download and install updates. Another window will open and you should see the download begin. If it isn’t downloading, you may need to uncheck the box marked Download when my internet is idle.

I didn’t bother looking up what this patch is for, but not long ago there was a new exploit floating around so I imagine this is what it’s for.

Nmap 5.0 Released!

Filed Under (download, free software, map, networking, security, software) by chris on 07-16-2009



Yes, that’s right. The essential network scanner, nmap, has made it to version 5. If you are unfamiliar with nmap, it’s a must-have tool for anyone who does anything with networks. It’s the greatest port scanner around. And you can get it for just about any OS. But nmap is much more than just a port scanner. It can be used for more than just seeing what ports are open. You can also use it for its OS detection, among other things, and you can even use it to find the conficker virus on remote computers. It’s available as a command line tool and for those who prefer a GUI, it also comes with zenmap, which is a graphical front end for it.

My thanks to Fyodor and the nmap development team for constantly updating this awesome tool and never being satisfied with the status quo. Now let me quote insecure.org:

July 16, 2009 — Insecure.Org is pleased to announce the immediate, free availability of the Nmap Security Scanner version 5.00 from http://nmap.org/. This is the first stable release since 4.76 (last September), and the first major release since the 4.50 release in 2007. Dozens of development releases led up to this.

Considering all the changes, we consider this the most important Nmap release since 1997, and we recommend that all current users upgrade.

You can find a list of the changes here and be sure to download it.

Vulnerability in Microsoft Office Web Components

Filed Under (malware, security, virus) by chris on 07-15-2009


Looks like there is another ActiveX vulnerability. If you are unfamiliar with ActiveX, basically, a web page can do stuff like read and write files when you use Internet Explorer and allow ActiveX options. This is nice for the Microsoft Update site to see which files it needs to update, but that’s about it in my opinion. Sure, there is a pop-up that asks you if you want to allow a website to use ActiveX, but history shows that too many people allow ActiveX when they shouldn’t. There is an unbelievable number of attacks that use ActiveX. That’s one of the main reasons I use Firefox instead of Internet Explorer: it doesn’t have ActiveX, so you don’t have to worry. Google’s Chrome is another web browser that doesn’t have ActiveX.

Our friends over at the Internet Storm Center are keeping an active eye on this new vulnerability. You can read all about it and follow their updates here. So do your Microsoft Updates, several just came out, and if you really want to be safe, stop using Internet Explorer or use it as little as possible and switch to Firefox, Chrome or even Opera. Stay Safe.

Trustworthy Conficker Resources

Filed Under (Windows, blog support, botnets, conficker, cybercrime, fix, free software, patch, security, software, spam, video games, virus) by chris on 03-31-2009


With all the media hype about conficker, I thought you might like a good collection of trustworthy resources. Beware of websites that have recently registered as “conficker help.” In fact, just avoid them altogether. There are also reports of malicious software masquerading as detection and cleaning tools for Conficker-infected computers, as well as spam offering the same.

There’s no need to try and figure out what’s safe or real and what has more sinister plans in mind. The good folks at dshield.org have been keeping an updated list of third party information on conficker. Here you can find plenty of free conficker detection and removal tools, general information and the Microsoft patch. That should help keep you updated, safe and informed.

I’ve also found out about one other real neat way of detecting it, but it’s for more advanced users, so I’m going to make a separate post about it.
