FireMaster 2.1 - A Firefox Master Password Recovery Tool

FireMaster version 2.1 has been released with its new features and new speed.

Firemaster is the Firefox master password recovery tool. If you have forgotten the master password, then using FireMaster you can find out the master password and get back your lost signon information. It uses various methods such as dictionary, hybrid and brute force techniques to recover the master password from the firefox key database file.

 

Since its initial release in Jan 1, 2006 its speed has increased exponentially and currently it is operating at a speed of 50,000 passwords/sec to 100,000 passwords/sec depending upon low end or high end machine.

How it Works?

There is no way to recover the master password as it is not stored at all. Firemaster uses the same technique which has been used by firefox to check if the master password is correct, but in more optimized way. The entire operation goes like this.
Firemaster generates passwords on the fly through various methods.
Then it computes the hash of the password using known algorithm.
Next this password hash is used to decrypt the known encrypted string for which plain text ( i.e. ?password-check? ) is known.
Now if the decrypted string matches with known plain text ( i.e. ?password-check? ) then the generated password is the master password.

 

Firefox stores the details about encrypted string, salt, algorithm and version information in key database file key3.db in the user?s profile directory. So you can just copy this key3.db to different directory and specify the corresponding path to Firemaster. You can also copy this key3.db to any other high end machine for faster recovery operation.

More details are available here:

http://nagmatrix.50webs.com/article_firemaster.html

An interesting interview had been posted on Wired with Gary McKinnon about what he actually found whilst penetrating the US government networks.



After allegedly hacking into NASA websites — where he says he found images of what looked like extraterrestrial spaceships — the 40-year-old Briton faces extradition to the United States from his North London home. If convicted, McKinnon could receive a 70-year prison term and up to $2 million in fines.

Final paperwork in the case is due this week, after which the British home secretary will rule on the extradition request.

McKinnon, whose extensive search through U.S. computer networks was allegedly conducted between February 2001 and March 2002, picked a particularly poor time to expose U.S. national security failings in light of the terror attacks of Sept. 11, 2001.

You can also search the Darknet archives for more news on Gary.

There are a couple of interesting parts, but it all sounds rather X-Files..

WN: Did you find anything in your search for evidence of UFOs?

McKinnon: Certainly did. There is The Disclosure Project. This is a book with 400 testimonials from everyone from air traffic controllers to those responsible for launching nuclear missiles. Very credible witnesses. They talk about reverse-(engineered) technology taken from captured or destroyed alien craft.

Shame he was on 56k aswell, or we might have gotten some good stuff!



WN: What sort of evidence?

McKinnon: A NASA photographic expert said that there was a Building 8 at Johnson Space Center where they regularly airbrushed out images of UFOs from the high-resolution satellite imaging. I logged on to NASA and was able to access this department. They had huge, high-resolution images stored in their picture files. They had filtered and unfiltered, or processed and unprocessed, files.

My dialup 56K connection was very slow trying to download one of these picture files. As this was happening, I had remote control of their desktop, and by adjusting it to 4-bit color and low screen resolution, I was able to briefly see one of these pictures. It was a silvery, cigar-shaped object with geodesic spheres on either side. There were no visible seams or riveting. There was no reference to the size of the object and the picture was taken presumably by a satellite looking down on it. The object didn’t look manmade or anything like what we have created. Because I was using a Java application, I could only get a screenshot of the picture — it did not go into my temporary internet files. At my crowning moment, someone at NASA discovered what I was doing and I was disconnected.

I also got access to Excel spreadsheets. One was titled “Non-Terrestrial Officers.” It contained names and ranks of U.S. Air Force personnel who are not registered anywhere else. It also contained information about ship-to-ship transfers, but I’ve never seen the names of these ships noted anywhere else.

Interesting eh?

Source: Wired

Using standard script kiddy tools a consultant managed to compromise some of the FBI’s computers containing confidential information.

Quite a hack eh?

A government consultant, using computer programs easily found on the Internet, managed to crack the FBI’s classified computer system and gain the passwords of 38,000 employees, including that of FBI Director Robert S. Mueller III.

The break-ins, which occurred four times in 2004, gave the consultant access to records in the Witness Protection Program and details on counterespionage activity, according to documents filed in U.S. District Court in Washington. As a direct result, the bureau said it was forced to temporarily shut down its network and commit thousands of man-hours and millions of dollars to ensure no sensitive information was lost or misused.



The consultant Joseph Thomas Colon was approved (although he does have a somewhat unfortunate surname).

The incident is only the latest in a long string of foul-ups, delays and embarrassments that have plagued the FBI as it tries to update its computer systems to better share tips and information. Its computer technology is frequently identified as one of the key obstacles to the bureau’s attempt to sharpen its focus on intelligence and terrorism.

As usual with the government, no specifics are available..It seems like he got a hold of the SAM file or the shadow file from one of the systems then brute forced the hashes with john the ripper or something similar.

According to Colon’s plea, he entered the system using the identity of an FBI special agent and used two computer hacking programs found on the Internet to get into one of the nation’s most secret databases.

Colon used a program downloaded from the Internet to extract “hashes” — user names, encrypted passwords and other information — from the FBI’s database. Then he used another program to “crack” the passwords by using dictionary-word comparisons, lists of common passwords and character substitutions to figure out the plain-text passwords. Both programs are widely available for free on the Internet.



The new names they are coming up with for this stuff is straight out of the matrix.

The FBI’s Trilogy program cost more than $535 million but failed to produce a usable case-management system for agents because of cost overruns and technical problems, according to the Government Accountability Office.

While Trilogy led to successful hardware upgrades and thousands of new PCs for bureau workers and agents, the final phase — a software system called the Virtual Case File — was abandoned last year. The FBI announced in March that it would spend an additional $425 million in an attempt to finish the job. The new system would be called “Sentinel.”

Hopefully they will do it right this time.

Source: Washington Post

Netscape.com has been hacked via a persistent Cross Site Scripting (XSS) vulnerability in their newly launched Digg-like news service.

It seems the attacker did report the flaw to them repeatedly but they didn’t heed and ignored it, so he performed the XSS all over the site.



eplawless stated the following:

It was me. I did it. C’est moi, etc. This was in response to my having reported the month and a half old vulnerability to Netscape over a week ago. They ignored me. I reported it again, multiple times; they continued to ignore. I posted a few stories on their site, which made it to the front page and were deleted. I made the decision, in response to the recent Rose/Calacanis debacle, to add a benign script to the site that everyone would see and recognize as a compromise of security because this vulnerability is serious and they were not taking it as such. They had this coming; this isn’t a juvenile prank, and is only marginally retaliation against Calacanis for being a twit. This is making sure their users don’t get hacked too.



The guy made use of a fairly simple XSS vulnerability to inject their own javascript code snippets into pages on the website, including the homepage. As of now, it has only been used to display javascript alerts with “comical” messages and to redirect visitors to Digg.com!

Luckily nothing malicious has been done and the users aren’t at risk, as far as we know anyhow..

The antivirus specialists at McAfee have warned of a Trojan that disguises itself as a Firefox extension. The trojan installs itself as a Firefox extension, presenting itself as a legitimate existing extension called numberedlinks.

 

It then begins intercepting passwords and credit card numbers entered into the browser, which it then sends to an external server. The most dangerous part of the issue is that it records itself directly into the Firefox configuration data, avoiding the regular installation and confirmation process.

The file attached to the email consists of an executable Windows program, the AXM downloader. Once launched, it fetches the extension from the Internet and records itself directly into the Firefox configuration data, avoiding the regular installation process. Firefox extensions are normally distributed as XPI files, which ask the user for confirmation after forcing a pause of several seconds.

You should be extremely careful when installing unsigned Firefox extensions from unknown sources.

 

Websites were found to be linking to the FormSpy website hosted at IP address 81.95.xx.xx and installing FormSpy using an old VBS/Psyme exploit targeting Internet Explorer. These websites are believed to have been penetrated and modified by hackers

You can read the McAfee info on Formspy here.

Source: Heise Security

Ah cyberwar, cyber terrorism, efforts are ramping up, more sites are going down.



The war in Lebanon is now showing its consequences in the digital world and a huge number of websites has been attacked and defaced as a protest against the invasion of Lebanon by Israel.

Today two NASA websites were attacked as well. The intrusion was carried out by the Chilean group of crackers known as Byond Hackers Crew through a leak in the SQL Injection they entered the system and subtracted user names, passwords and e-mails from the NASA web server.

Seems like a pretty straight forward attack..but a high profile government site being prone to SQL injection that allow admin escalation?

That’s pretty bad..



After that these information had been stolen, they managed in entering the administrative area by using an administrator user ID and password , and finally they made the defacement replacing the homepage with their message…

This group goes with the others that in last days carried out attacks against governmental and commercial websites both from America and Israel, whereas other blackhat groups attacked Israeli websites provoking a denial of service (DDoS) of that particular webpage.

Let’s hope things don’t boil over to attacking powerstations or anything that will cause collateral damage.

Source: Zone-H

Link & Comment Spamming - A possible solution.

Recently one of the sites I am developing for my self was link spammed. Some unpleasant individual decided that it would be fun to post 160 ?comments? spread over all the blog posts. All the comments contained was URL?s. Even more stupid they used BB tags, but as I wrote the site it doesn?t use them.

Any way, obviously this isn?t some thing I want, so I deleted them all with a quick bit of SQL. No one else has posted a comment to the site because like I said, its still under development.

However, it happened once so there is no reason to think it wont happen again. I thought about the problem for a while, and the only solution is to incorporate some kind of humanity check. Because lets face it, its not like some one sat there and entered them all in. Its was some kind of bot.

Now, I don?t really like the ones that ask you to type the letters from some hard to read image. I can do that, no problem but they look ugly, and if the user was colour blind, or any other sight related issue, then you buggered.

So, I have come up with a different solution. The idea is to ask a random question, some thing that?s so easy any every one will know the answer, but unless you can read, you wont know what the answer is.

While I was busy implementing this solution, and believe me it didn?t take very long, another 20 comments of a very similar nature where posted. How annoying is that?

The solution seems to work for now. There have been no more comments since I completed the changes, but then maybe its only time until the bot gets adjusted, time will tell. But I thought other might benefit from having it so here goes, how to add random questions to your site.

Oh, one thing, I am not going to list my questions here, for a start it took me a shockingly long time to think of 30 really really easy questions, and I also don?t want to give a list of the question text and answers away.

So? on with the show. First off you will need 2 tables, one for the questions and one to keep track of what questions you have asked each user.



The questions table is easy, 3 coloums. Question_id, question and answer. The question id is just a unique number, the question and answer are both varchar.


Then we have the table used to store the asked questions. This is even less complicated. All you need is 2 fields, one for the question that was asked ID, and one to store the users Session ID.


So far, that?s all easy enough. You fill in the question table with as many questions as you can think of, along the lines of ?is the sky blue? with an answer of ?yes? or perhaps ?What is 25 + 30? answer, obviously 55.

Of course you can create the tables and this isn?t going to do a hell of a lot. So, you?ll need a class to deal with it all. This is a copy of the code, though you will notice the use of the functions ?performQuery? and ?fetchRow?, these are from my own DB layer. They replace the standard MySQL commands by using a wrapper. It makes it easy to port code from one RDBMS to the other. I personally like this solution because its light weight and simple. But it?s a bit beyond the scope of this post.

So, the class? Its got 2 methods: getQuestion and getAnswer. They both take the a single parameter of ?sid?. This is the session id, but for compatibility it is passed in to the function so it can basically be any thing.


How do you use it? Well, when your page displays the form you make a call to getQuestion and display it. For a while I thought about putting the question ID into the page, but only for a couple of seconds as I realised any half decent attempt to beat the system would just replace the ID with one with a known answer, infact as I suspect that the form is not used, simple data ?posted? to the page, then it wouldn?t even matter.

That?s why we keep that information in the database.

Any way, once the form is submitted you then ask the class to get the answer for the current session, and compare what the user entered to the correct answer. I?d suggest forcing lower case, or upper case if you want, but basically make the comparison case insensitive.

If the answers don?t match then the person is, well an idiot or a bot. If no answer is available, then some ones messed with the session, or never even used the form. Doesn?t matter which, either way its an error.

I don?t think I will bother to explain the code it self, its really not that complicated. I think maybe the only bit that might seem a bit strange is the sql used to select a question:


This simply selects a random record from the table, because its ordered by ?rand?. This basically means that for each record in the table a random number is generated, and then the records are ordered by the value. Because we only want one question we use the limit to only select the first record, how ever because each time the records are selected they will be in a different order, each time you get a different record? cool ha? 

I hope this proves to work over time. I?ll have to keep any eye on it. Just to see how it goes. If any one can see any thing wrong with it, well, let me know.

Ah another huge hacking resulting in a large loss of confidential information, companies really need to start getting more pro-active about aggresively testing their corporate networks and web based applications.

Information including CREDIT CARD numbers sadly.



AT&T on Tuesday said hackers broke into one of its computer systems and accessed personal data on thousands of customers who used its online store.

The information that was illegally accessed includes credit card numbers, AT&T said in a statement. The cyberattack affects about 19,000 customers who purchased equipment for high-speed DSL Internet connections through AT&T’s Web site, the company said.

“We deeply regret this incident,” Priscilla Hill-Ardoin, chief privacy officer for AT&T, said in the statement. “We will work closely with law enforcement to bring these data thieves to account.”

Companies really need to tighten up and enrole more high quality penetration testers (like me of course!).



The incident is the latest in a long string of data security breaches. Since early last year, more than 90 million personal records have been exposed in dozens of incidents, according to information compiled by the Privacy Rights Clearinghouse.

AT&T is offering to pay for credit monitoring services for customers whose accounts have been impacted because they could be at risk of identity fraud. The company also has made available a toll-free number to affected customers to call for more information.

Let’s hope we don’t see any more huge data leaks in the near future.

Source: News.com

Ah another flaw in Myspace, this time it’s quite dangerous exposing the details of teenagers.

A security hole in the popular MySpace social networking site allowed users to view entries marked “private”, a crucial protection for users aged under 16, according to weekend reports.

Though the site is said to have fixed the problem, it was said by news reports to have been active for months. Nobody at MySpace was immediately available for comment.

The explosion of social networking sites has caused significant worry for parents and politicians over how to protect children from sexual advances over websites. The amount of information that young people reveal about themselves coupled with the opportunities for deception by sexual predators has led to concerns that the sites can be dangerous.

Normal for Myspace, things don’t get fixed for a LONG time.



“In the UK, the vulnerabilities alleged could amount to a breach of the Data Protection Act,” said Struan Robertson, editor of OUT-LAW.COM and a technology lawyer with Pinsent Masons.

The Data Protection Act says “appropriate technical and organisational measures” must be taken to prevent unauthorised access to personal data held by organisations.

“For any site, the technical measures that are appropriate will vary depending on the type of data held and the harm that might result from a security breach,” Robertson said. “There is best practice guidance in the UK for sites used by children and, if the allegations are true, it may be that MySpace fell short of the standard expected.”

This basically means anyone in the UK who got ‘hacked’ in this way is legally able to sue!

Source: The Register

Not sure if any of you heard of this new super secure ultra cool web browser called Browzar?

There was a bit of a backlash as it turned out Browzar was just another custom wrapper for Internet Exploder.

Security experts are crying foul over a new supposedly secure browser application.

Browzar is promoted as an easy way for users to surf the web without leaving traces of sensitive information behind on their PCs. Critics say it fails to do what it says on the tin and, worse still, the software manipulates search results to push ads at users.

Browzar, according to its developers, is designed not to retain information. Browzar automatically deletes internet caches, histories, cookies. It doesn?t use auto-complete forms, a feature that anticipates the search term or web address a user might enter.



Ah wow sounds amazing eh?.but?

Although positioned as a fully fledged browser application, Browzar is a simple ?custom wrapper? and user interface for IE that inherits any problems an installed version of Internet Explorer might have, while adding some all of its own. The software is supposed to get rid of all records of sites surfers may have visited, along with cookies and history files relating to a Browzar session from users? PCs.

But Browzar does not clean up all traces of surfing as promised. Deleted files are not wiped and would be easy to recover - allowing anyone with a basic data recovery tool to access history, cookies or any other media downloaded using Browzar. Furthermore, because Browzar uses IE?s ActiveX control, a list of browsed websites stills appear in the index.dat file. Browzar therefore, according to critics, offers a false sense of privacy protection.



What?s worse than no security? Yes?a false sense of security, the same goes for privacy.

Plus what?s worse?it seems to actually be along the lines of ad-ware spyware..

As if that wasn?t enough reason to be wary of the software, Browzar steers users towards the firm?s own search page which allows the browser?s developers to insert sponsored links intermixed with regular search results. Much of the criticism of Browzar has focused on its skewed search engine and the use of Browzar?s website as the default (unchangeable) home page for surfers.

Echo Mirage - A Generic Network Proxy

Echo Mirage is a generic network proxy. It uses DLL injection and function hooking to redirect network related function calls so that data transmitted and received by local applications can be observed and modified.

Think of it as Odysseus (or Burp, if you prefer) that will proxy (almost) anything?



Windows encryption and OpenSSL functions are also hooked so that the plain text of data being sent and received over an encrypted session is also available.

Echo Mirage tries to be smart with the OpenSSL calls by monitoring ssl_set_fd() and ssl_connect() to determine when SSL is in use on a particular socket. When SSL is in use the encrypted stream is ignored and only the unencrypted data is processed. This doesn?t work for the windows SSL stuff because that functions in an entirely different way?

Traffic can be intercepted in real-time, or manipulated with regular expressions and action scripts.



Changes Since 1.0
Hooked RecvFrom, SendTo, WSAConnect, WSASend, WSASendTo and WSARecvFrom.
Fixed intermittent crash on uninject.
Fixed intermittent crash in thread termination.

You can download Echo Mirage here:

http://www.bindshell.net/tools/echomirage/


Technorati Tags: bindshell, echo mirage, echomirage, network proxy, proxies, proxy, ssl proxy, user proxy

AnonymousInet has relaunched! A nice clean FREE web based proxy service.



http://www.anonymousinet.com/

Works great for me, it?s fast and free!

It also encodes the URL so stupid simple content filters wont stop it.

Technorati Tags: anonymous proxy, anonymousinet, bypass firewall, privacy, surf anonymously

The matrix has you. Those four words?which appeared on the retro computer screen of Keanu Reeves's character, Neo, in the 1999 hit movie The Matrix?have resonated with hackers around the Internet. No wonder, then, that a technology for taking control of a user's computer, more often than not for malicious ends, echoes the reality behind those words. Just as Neo had to come to grips with the fact that the world as he knew it was a well-crafted simulation, computer users today have to watch out for programs, known as rootkits, that attempt to take over a computer that appears normal. Rootkits are all about stealth: In the past, such programs have replaced common commands with their own modified versions. When the user of an infected computer connects to the Internet using Microsoft Windows' network driver, the system might instead route data through a malicious driver that also copies any important data?such as usernames and passwords?to the attacker's servers.

Yahoo opened its corporate headquarters to hordes of hackers, press and others on Friday and Saturday for its open Hack Day. After 24 hours of hacking (with a break for a private Beck concert in the Yahoo courtyard the first evening), 54 projects were demo?d to the crowd of about 400 people. Over 3,000 pictures from the event (tagged ?HackDay06″) are on Flickr here. A handful of teams were awarded prizes in categories ranging from ?Too Useful? and ?Best Schtick? to ?Overall Winner?. The overall winner, determined by a quick huddle of judges after the demos (David Filo, Jeff Weiner, Ash Patel, Bradley Horowitz, Chad Dickerson, David Hornik, Peter Fenton, Gina Trapani, Salim Ishmael and me) was a hardware/software combination device stashed inside a woman?s handbag. The winning project, called Blogging In Motion, combined a camera, a handbag, a pedometer and the Flickr API to create a device that takes a picture after every few steps and then automatically blogs those pictures. The device was created by Diana Eng, Emily and Audrey, pictured to the right along with the device (I?m still tracking down Emily and Audrey?s last names).