Month: September 2011

Categories
Penetration Testing Security Reconnaissance

FBPwn – Facebook Profile Dumper

Β What is FBPwn?

FBPWN is a crossplateform java based Facebook profile dumper developed by Information Security Analyst team from RISST, released under GPL License. This tiny but worth full application is still in beta phase but can do plenty of usefull jobs for you πŸ™‚

How FBPwn works?

FBPwn sends requests to your facebook friends/polls and wait for the acceptance notification. Once your target(victim) accepts friend request, it dumps all info that includes everything(username,email,friends list, etc) it is visible.

What if your victim UnFriend/Delete from friend list you?

This application is super fast and it fetches data rapidly as soon victim access requests. It will dump all victim information including username, email, friend list, photos and other info. So it doesn’t matter if victim figures out it as a fake account because it is too late πŸ˜€

Crawl Facebook Contact list, profiles that contain email addresses and build a
mailing list of million emails contact by writing a small piece of bash script.

How to use FBPwn?

As we said, it is cross platform so it can be run on any operating system that have java installed. In our example, i am using it on BackTrack Linux.

wget http://fbpwn.googlecode.com/files/FBPwn-beta-0.1.4.zip
unzip FBPwn-beta-0.1.3.zip
cd FBPwn-beta-0.1.3
./run.sh

We have shoot FBPwn Video Tutorial. It covers how can you use this application. But due to codecs we could not upload it youtube. that will be posted soon. Stay tune.

Update – 15th Sep, 2011:

Sorry guys we couldn’t convert it, ofcourse we tried few times but failed :-D. So STOP sending Video tutorial REQUESTS emails.

Download FBPwn Video TutorialΒ  directly from
https://rapidshare.com/files/507532677/FBPwn-Video-Tutorial.ogv
Categories
News

Google Bulletin for Iranian Users to change their gmail password

Google suggested all users that access gmail accounts from Iran. Google broadcasted this news on GoogleOnlineSecurity Official blog.

Last month Google updated a similar thread on blog where MITM (Man in the middle attack) was attempted.

Some precautions recommended by Google is as follows

  • Change your Gmail password.
  • Verify your account recovery options. e.g second mail address, phone numbers, and other info that is filled to use in account recovery time.
  • Review websites that is allowed to access your account.
  • Check for suspicious forwarders/remote smtp.
  • Be smart to warnings/popups appears.
Categories
Malware Analysis Penetration Testing

How to Secure your Twitter and Facebook account using BitDefender SafeGo

What is BitDefender Safego?

SafeGo is a FREE online application that helps you to scan and detect dirty profiles that is activiated to flood your twitter accounts with spam. It also take care of your timeline, keeps it filtered against malicious links.

It does same care for your facebook account. It protects you from all online threads e.g malware, spam and data exposure.

For more details, you can visit official page : http://safego.bitdefender.com/

How to activate it on your twitter account?

Go to Twitter App page
http://safego.bitdefender.com/twitter

Click on
Activate Protection Now

Click on
Authorize app

Your Twitter is now secured! πŸ˜›

How to activate it on your Facebook account?

Go to Facebook App page
http://apps.facebook.com/bd-safego/

Click on
Install App

Click on
Allow

Your Facebook account is secured too πŸ˜›

It is good approach from BitDefender to developed application for facebook & twitter accounts protection. In coming days, we are expecting same apps from other competitors.

Categories
Android

How to get Free AVG Mobilation Pro Antivirus for Android phones

Android is a very Free Mobile Operating System from Google. Now a days it comes built-in with all smartphones. Android is a good competitor of IPhone from Apple.

Android growth is too fast but on the other hand cyber criminals are targeting it with equal pace πŸ˜€

AVG Mobilation Pro Antivirus

AVG antivirus provide some great features that includes malware, virus protection and also provide a feature for privacy protection if you lost your phone it provides remote lock feature to disable your phone and also suggest tips to close those applications which slowdown your phone performance.

Download AVG Mobilation Pro Antivirus

Chip.de is offering Free full version copies of AVG Mobilation Pro Antivirus.

You can download it here

Don’t ask us, how to install this App on android phone πŸ˜€

Categories
HowTos Linux Penetration Testing Security Reconnaissance

How to use SlowHTTPTest HTTP DoS Tool

Introduction :
Slow HTTP DoS attacks rely on the fact that the HTTP protocol, by design, requires requests to be completely received by the server before they are processed. SlowHTTPTest is developed by Sergey Shekyan, Who isΒ  Developer Web Application Scanning at Qualys.

This tool is enough capable to acquire resource on server side at application layer.

How to Install SlowHTTPTest?
wget http://slowhttptest.googlecode.com/files/slowhttptest-1.1.tar.gz
gunzip slowhttptest-1.1.tar.gz
tar xf slowhttptest-1.1.tar
cd slowhttptest-1.1

Configure & Compile it. You can use custom –prefix=your-location
./configure
make
make install

How To Use SlowHTTPTest for DoS?
slowhttptest -c 1000 -B -g -o output-file-name -i 100 -r 300 -s 10240 -u http://www.example.com/url/page.html -x 20

Detailed options :

-a start start value of ranges-specifier for range header test
-b bytes limit of range-specifier for range header test
-c number of connections limited to 1024
-H, B, or R specify to slow down in headers section or in message body.
           Β -R enables range test
-g generate statistics in CSV and HTML formats, pattern is slow_xxx.csv/html,
   where xxx is the time and date
-i seconds interval between follow up data in seconds, per connection
-l seconds test duration in seconds
-o file custom output file path and/or name, effective if -g is specified
-r connections per second connection rate
-s bytes value of Content-Length header, if -B specified
-t verb custom verb to use
-u URL target URL, the same format you type in browser, e.g https://host:port/
-v level verbosity level of log 0-4
-x bytes max length of follow up data

Troubleshooting :

configure: error: OpenSSL is missing

Install openssl devel package on backtrack(or any debian based distro)
aptitude install libssl-dev

On CEntOS Linux :
yum install openssl-devel

SlowHTTPTest Video Tutorial :

Categories
General News

Apache released patch for ApacheKiller.pl Range Byte Flaw

Apache have released Patch for the recent range bytes request flaw which we published few days ago. This patch fix the Security flaw and

Change Log :

SECURITY: CVE-2011-3192 (cve.mitre.org) core: Fix handling of byte-range requests
to use less memory, to avoid denial of service. If the sum of all ranges in a
request is larger than the original file, ignore the ranges and send the complete
file. PR 51714.

You can download latest stable release here

If you are running CEntOS, you can update it in this way;

Check update using Yum Utility
yum check-update httpd

Install it
yum update httpd

If don’t want to update it, you can see this post for mitigation techniques.