CVE Feeds

Mar 1, 2015

Tools: Jack - ClickJacking PoC development assistance tool.

Jack is a static HTML and JavaScript web-based tool. To get Jack up and running, serve the index.html file in a manner of your choice and ClickJack away. Be sure to check your browser settings when PoC'ing HTTPS-based targets, as most browsers will not allow HTTPS resources to be embedded in iframes.


Source:: https://github.com/sensepost/Jack
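The defensive counterpart to a clickjacking PoC is checking whether a page can be framed at all. The script below is an added example and is not part of the Jack project or the original post: it parses raw HTTP response headers and reports whether the page sends X-Frame-Options (DENY or SAMEORIGIN) or a Content-Security-Policy with a frame-ancestors directive. The header samples are constructed, not captured from any real site.

```shell
#!/bin/sh
# Added example, not part of Jack or the original post.
# Report whether a page protects itself against framing. A response is treated
# as protected when it carries X-Frame-Options: DENY/SAMEORIGIN or a CSP header
# that contains frame-ancestors (which, when present, takes precedence over XFO).
# ALLOW-FROM is deliberately not counted: modern browsers ignore it.

# Constructed sample headers (not real captures): one protected, one not.
PROTECTED_HEADERS="HTTP/1.1 200 OK
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'"

UNPROTECTED_HEADERS="HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc; HttpOnly"

# frame_protection HEADERS: print each protecting header found and return 0,
# or print "none" and return 1 when the page can be framed from any origin.
frame_protection() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        tolower($0) ~ /^x-frame-options:/ {
            v = tolower($0)
            sub(/^[^:]*:[ \t]*/, "", v)   # keep only the header value
            sub(/[ \t]+$/, "", v)
            if (v == "deny" || v == "sameorigin") { print "X-Frame-Options: " v; ok = 1 }
        }
        tolower($0) ~ /^content-security-policy:/ && tolower($0) ~ /frame-ancestors/ {
            print "CSP frame-ancestors present"
            ok = 1
        }
        END { if (!ok) print "none"; if (ok) exit 0; exit 1 }'
}

# Stand-alone run over the constructed samples.
# Live use against a host you are authorised to test:
#   frame_protection "$(curl -sI https://example.com/)"
for h in "$PROTECTED_HEADERS" "$UNPROTECTED_HEADERS"; do
    frame_protection "$h" || true
done
```

A page that prints "none" here is a candidate for a Jack PoC; the fix on the application side is to add the missing header rather than to rely on browser framing restrictions.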

 

Feb 25, 2015

Howto: Install Google Chrome on Ubuntu 14.04

Google Chrome is distributed through Google's own third-party APT repository, so once that repository and its signing key are added you can install and update Chrome with apt-get.

1. Install Google's repository signing key (apt uses it to verify the packages)
# wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add -

2. Add the Chrome repository
# sudo sh -c 'echo "deb http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list'

3. Install it (the last command pulls in any dependencies that are still missing)
# apt-get update
# apt-get install google-chrome-stable
# apt-get -f install



If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Feb 23, 2015

Howto: Setup NTP Server on Ubuntu 14.04 Server

1. Install ntp
apt-get install ntp

2. Edit /etc/ntp.conf and point the server lines at your nearest NTP servers. (A list of public pools is at http://www.pool.ntp.org/)

3. Add the local clock (127.127.1.0 is ntpd's local clock driver) as a fallback at stratum 8, so clients still get time if the upstream servers are unreachable
server 127.127.1.0
fudge 127.127.1.0 stratum 8

4. Restart the NTP server
/etc/init.d/ntp restart

5. Check that the server is synchronising with its peers
ntpq -p
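Reading `ntpq -p` by eye is fine on one box, but on a fleet you want the check scripted. The script below is an added example, not part of the original post: it parses `ntpq -p` output, reports which peer ntpd has selected (the `*` tally code), and checks a peer's reach register. The sample output is constructed and the hostnames are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): check whether ntpd has selected a
# system peer by parsing `ntpq -p` output. The first character of each peer
# line is the tally code: '*' is the peer ntpd is synchronised to, '+' a
# candidate, ' ' a rejected peer. Column 7 (reach) is an octal shift register
# of the last eight polls; 377 means all eight were answered.

# Constructed sample output (not a real capture); hostnames are placeholders.
SAMPLE_OUTPUT='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp.example.net  203.0.113.5      2 u   41   64  377   12.345   -0.512   0.301
+ntp2.example.net 203.0.113.9      2 u   12   64  377   15.102    0.873   0.410
 LOCAL(0)         .LOCL.           8 l   55   64  377    0.000    0.000   0.001'

# ntp_synced_peer OUTPUT: print the selected system peer; return 1 if none.
ntp_synced_peer() {
    printf '%s\n' "$1" | awk '
        substr($0, 1, 1) == "*" { name = $1; sub(/^./, "", name); print name; found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# ntp_reach_ok OUTPUT PEER: return 0 when PEER's reach register is 377.
ntp_reach_ok() {
    printf '%s\n' "$1" | awk -v peer="$2" '
        NR > 2 {
            name = $1
            # strip the tally code unless it is a space (then $1 is already the name)
            if (substr($0, 1, 1) != " ") sub(/^./, "", name)
            if (name == peer && $7 == "377") ok = 1
        }
        END { if (ok) exit 0; exit 1 }'
}

# Stand-alone run over the sample. On a live host replace "$SAMPLE_OUTPUT"
# with "$(ntpq -p)".
if peer=$(ntp_synced_peer "$SAMPLE_OUTPUT"); then
    echo "synchronised to $peer"
    ntp_reach_ok "$SAMPLE_OUTPUT" "$peer" && echo "reach register for $peer is 377"
else
    echo "not synchronised: no '*' peer (check the server lines and UDP/123 egress)" >&2
fi
```

If the only starred peer is LOCAL(0), the server is handing out its own free-running clock rather than real time, which is exactly the fallback step 3 configures; treat that as an alert, not a success.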





Feb 20, 2015

Howto: Detect Superfish (MITM) with JavaScript

<img style="width:300px;height:300px;" src="https://superfish.xmarks.com/infected.png" onerror="this.src='https://lastpass.com/superfish/safe.png';">
If the client's traffic is being intercepted by Superfish, the page shows https://superfish.xmarks.com/infected.png; otherwise it shows https://lastpass.com/superfish/safe.png. The trick works because superfish.xmarks.com serves a certificate that a clean browser does not trust: the TLS handshake fails, the image cannot load, and the onerror handler swaps in the safe image. On a client where the Superfish root certificate is installed, the interceptor presents a certificate the browser trusts, the image loads normally, onerror never fires, and the infected image is displayed.


PowerShell to find the Superfish certificate (by Carnal0wnage)
powershell -Command Get-ChildItem -Recurse Cert: > certs.txt
powershell -Command Get-ChildItem -Recurse Cert: | findstr -i Superfish

Source:: https://filippo.io/Badfish/
 

Tools: CMSmap is a Python open source CMS (Content Management System) scanner


CMSmap is a Python open source CMS scanner that automates the process of detecting security flaws in the most popular CMSs. The main purpose of CMSmap is to integrate common vulnerabilities for different types of CMSs in a single tool.
At the moment, the CMSs supported by CMSmap are WordPress, Joomla and Drupal.
Please note that this project is in an early state. As such, you might find bugs, flaws or malfunctions. Use it at your own risk!

Source:: https://github.com/dionach/CMSmap


Tools: pemcrack - Cracks SSL PEM files that hold encrypted private keys.

Cracks SSL PEM files that hold encrypted private keys. Brute forces or dictionary cracks. This code is extraordinarily slow, DON'T JUDGE ME!!!

Source:: https://github.com/robertdavidgraham/pemcrack


Feb 19, 2015

Howto: Truncate all tables of a MySQL database in one line

# mysql -Nse 'show tables' DATABASE_NAME | while read table; do mysql -e "truncate table \`$table\`" DATABASE_NAME; done
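The one-liner starts a mysql client per table and breaks on table names that are reserved words or contain odd characters. The script below is an added example, not from the original post: it turns the table list into a single quoted SQL batch that can be reviewed before it is piped into mysql. The table names are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): build the TRUNCATE statements
# from a list of table names instead of running one mysql client per table.
# Identifiers are backtick-quoted (a backtick inside a name is doubled), so
# reserved words such as `order` work, and foreign-key checks are switched off
# for the batch because TRUNCATE TABLE fails on an InnoDB table that is
# referenced by another table's foreign key.

# truncate_sql: read one table name per line on stdin, print the SQL batch.
truncate_sql() {
    printf 'SET FOREIGN_KEY_CHECKS=0;\n'
    while IFS= read -r table; do
        [ -n "$table" ] || continue
        quoted=$(printf '%s' "$table" | sed 's/`/``/g')
        printf 'TRUNCATE TABLE `%s`;\n' "$quoted"
    done
    printf 'SET FOREIGN_KEY_CHECKS=1;\n'
}

# Constructed sample table list standing in for the output of
#   mysql -Nse 'show tables' DATABASE_NAME
SAMPLE_TABLES='users
order
odd`name'

# Dry run: print the batch so it can be reviewed.
# Live use, after reviewing the dry run (this destroys every row in the database):
#   mysql -Nse 'show tables' DATABASE_NAME | truncate_sql | mysql DATABASE_NAME
printf '%s\n' "$SAMPLE_TABLES" | truncate_sql
```

Keeping the batch as text also gives you something to log or diff against a change ticket before it runs, which the original one-liner does not.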




Feb 18, 2015

SSLBL - SSL Blacklist Website

SSL Blacklist (SSLBL) is a project maintained by abuse.ch. The goal is to provide a list of "bad" SSL certificates that abuse.ch has identified as associated with malware or botnet activity. SSLBL relies on SHA1 fingerprints of malicious SSL certificates and offers various blacklists that can be found in the SSL Blacklist section.

 
Source:: https://sslbl.abuse.ch/
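Since SSLBL keys on SHA1 fingerprints, the natural use is to fingerprint the certificate a host presents and look it up in the feed. The script below is an added example, not from abuse.ch or the original post. It assumes the CSV layout "Listingdate,SHA1,Listingreason" with `#` comment lines; adjust the field index if the feed you download differs. The blacklist rows and fingerprints in the script are constructed and are not real indicators.

```shell
#!/bin/sh
# Added example, not from abuse.ch or the original post: look up a certificate's
# SHA1 fingerprint in an SSLBL-style CSV. Assumed CSV layout (verify against the
# feed you download): "Listingdate,SHA1,Listingreason", '#' lines are comments.

# Constructed sample blacklist: these fingerprints are made up, not real IoCs.
SAMPLE_SSLBL='# Listingdate,SHA1,Listingreason
2015-02-18 09:00:00,0123456789abcdef0123456789abcdef01234567,Constructed example C2
2015-02-18 10:30:00,89abcdef0123456789abcdef0123456789abcdef,Constructed example C2'

# normalize_fp FP: lower-case and strip the colons openssl prints (AB:CD:...).
normalize_fp() {
    printf '%s' "$1" | tr -d ':' | tr 'A-Z' 'a-z'
}

# sslbl_lookup FP CSV_TEXT: print "date|reason" and return 0 on a hit, 1 otherwise.
sslbl_lookup() {
    fp=$(normalize_fp "$1")
    printf '%s\n' "$2" | awk -F, -v fp="$fp" '
        /^#/ { next }
        tolower($2) == fp { print $1 "|" $3; hit = 1 }
        END { if (hit) exit 0; exit 1 }'
}

# Live use: fingerprint the leaf certificate a server presents, then look it up
# in the downloaded feed (host is a placeholder):
#   fp=$(openssl s_client -connect host:443 -servername host </dev/null 2>/dev/null \
#        | openssl x509 -noout -fingerprint -sha1 | cut -d= -f2)
#   sslbl_lookup "$fp" "$(cat sslblacklist.csv)"

# Stand-alone run with a constructed fingerprint in openssl's colon format.
if r=$(sslbl_lookup "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67" "$SAMPLE_SSLBL"); then
    echo "BLACKLISTED: $r"
else
    echo "not listed"
fi
```

The same lookup works on fingerprints pulled from proxy or IDS logs, which is where this feed earns its keep: a hit on an outbound connection is a strong C2 indicator regardless of the destination IP.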



Feb 17, 2015

Tools: Example Equation Group malware samples and Yara rules to detect them.

Samples:
https://www.dropbox.com/s/latggdox9s3xv4t/Equation_x86_x64.zip?dl=0
http://contagiodump.blogspot.com/2015/02/equation-samples-from-kaspersky-report.html

Yara Rules: (http://pastebin.com/P0Fb9DPb)
rule Equation_Kaspersky_TripleFantasy_1 {
        meta:
                description = "Equation Group Malware - TripleFantasy http://goo.gl/ivt8EW"
                author = "Florian Roth"
                reference = "http://goo.gl/ivt8EW"
                date = "2015/02/16"
                hash = "b2b2cd9ca6f5864ef2ac6382b7b6374a9fb2cbe9"
        strings:
                $mz = { 4d 5a }
       
                $s0 = "%SystemRoot%\\system32\\hnetcfg.dll" fullword wide
                $s1 = "%WINDIR%\\System32\\ahlhcib.dll" fullword wide
                $s2 = "%WINDIR%\\sjyntmv.dat" fullword wide
                $s3 = "Global\\{8c38e4f3-591f-91cf-06a6-67b84d8a0102}" fullword wide
                $s4 = "%WINDIR%\\System32\\owrwbsdi" fullword wide
                $s5 = "Chrome" fullword wide
                $s6 = "StringIndex" fullword ascii
               
                $x1 = "itemagic.net@443" fullword wide
                $x2 = "team4heat.net@443" fullword wide
                $x5 = "62.216.152.69@443" fullword wide
                $x6 = "84.233.205.37@443" fullword wide
               
                $z1 = "www.microsoft.com@80" fullword wide
                $z2 = "www.google.com@80" fullword wide
                $z3 = "127.0.0.1:3128" fullword wide
        condition:
                ( $mz at 0 ) and filesize < 300000 and
                (
                        ( all of ($s*) and all of ($z*) ) or
                        ( all of ($s*) and 1 of ($x*) )
                )
}
rule Equation_Kaspersky_DoubleFantasy_1 {
        meta:
                description = "Equation Group Malware - DoubleFantasy"
                author = "Florian Roth"
                reference = "http://goo.gl/ivt8EW"
                date = "2015/02/16"
                hash = "d09b4b6d3244ac382049736ca98d7de0c6787fa2"
        strings:
                $mz = { 4d 5a }
               
                $z1 = "msvcp5%d.dll" fullword ascii
               
                $s0 = "actxprxy.GetProxyDllInfo" fullword ascii
                $s3 = "actxprxy.DllGetClassObject" fullword ascii
                $s5 = "actxprxy.DllRegisterServer" fullword ascii
                $s6 = "actxprxy.DllUnregisterServer" fullword ascii
               
                $x1 = "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" ascii
                $x2 = "191H1a1" fullword ascii
                $x3 = "November " fullword ascii
                $x4 = "abababababab" fullword ascii
                $x5 = "January " fullword ascii
                $x6 = "October " fullword ascii
                $x7 = "September " fullword ascii
        condition:
                ( $mz at 0 ) and filesize < 350000 and
                (
                        ( $z1 ) or
                        ( all of ($s*) and 6 of ($x*) )
                )
}
rule Equation_Kaspersky_GROK_Keylogger {
        meta:
                description = "Equation Group Malware - GROK keylogger"
                author = "Florian Roth"
                reference = "http://goo.gl/ivt8EW"
                date = "2015/02/16"
                hash = "50b8f125ed33233a545a1aac3c9d4bb6aa34b48f"
        strings:
                $mz = { 4d 5a }
                $s0 = "c:\\users\\rmgree5\\" ascii
                $s1 = "msrtdv.sys" fullword wide
               
                $x1 = "svrg.pdb" fullword ascii
                $x2 = "W32pServiceTable" fullword ascii
                $x3 = "In forma" fullword ascii
                $x4 = "ReleaseF" fullword ascii
                $x5 = "criptor" fullword ascii
                $x6 = "astMutex" fullword ascii
                $x7 = "ARASATAU" fullword ascii
                $x8 = "R0omp4ar" fullword ascii
               
                $z1 = "H.text" fullword ascii
                $z2 = "\\registry\\machine\\software\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
                $z4 = "\\registry\\machine\\SYSTEM\\ControlSet001\\Control\\Session Manager\\Environment" wide fullword
        condition:
                ( $mz at 0 ) and filesize < 250000 and
                (
                        $s0 or
                        ( $s1 and 6 of ($x*) ) or
                        ( 6 of ($x*) and all of ($z*) )
                )      
}
rule Equation_Kaspersky_GreyFishInstaller {
        meta:
                description = "Equation Group Malware - Grey Fish"
                author = "Florian Roth"
                reference = "http://goo.gl/ivt8EW"
                date = "2015/02/16"
                hash = "58d15d1581f32f36542f3e9fb4b1fc84d2a6ba35"
        strings:
                $s0 = "DOGROUND.exe" fullword wide
                $s1 = "Windows Configuration Services" fullword wide
                $s2 = "GetMappedFilenameW" fullword ascii
        condition:
                all of them
}
rule Equation_Kaspersky_EquationDrugInstaller {
        meta:
                description = "Equation Group Malware - EquationDrug installer LUTEUSOBSTOS"
                author = "Florian Roth"
                reference = "http://goo.gl/ivt8EW"
                date = "2015/02/16"
                hash = "61fab1b8451275c7fd580895d9c68e152ff46417"
        strings:
                $mz = { 4d 5a }
               
                $s0 = "\\system32\\win32k.sys" fullword wide
                $s1 = "ALL_FIREWALLS" fullword ascii
               
                $x1 = "@prkMtx" fullword wide
                $x2 = "STATIC" fullword wide
                $x3 = "windir" fullword wide
                $x4 = "cnFormVoidFBC" fullword wide
                $x5 = "CcnFormSyncExFBC" fullword wide
                $x6 = "WinStaObj" fullword wide
                $x7 = "BINRES" fullword wide
        condition:
                ( $mz at 0 ) and filesize < 500000 and all of ($s*) and 5 of ($x*)
}
rule Equation_Kaspersky_EquationLaserInstaller {
        meta:
                description = "Equation Group Malware - EquationLaser Installer"
                author = "Florian Roth"
                reference = "http://goo.gl/ivt8EW"
                date = "2015/02/16"
                hash = "5e1f56c1e57fbff96d4999db1fd6dd0f7d8221df"
        strings:
                $mz = { 4d 5a }
                $s0 = "Failed to get Windows version" fullword ascii
                $s1 = "lsasrv32.dll and lsass.exe" fullword wide
                $s2 = "\\\\%s\\mailslot\\%s" fullword ascii
                $s3 = "%d-%d-%d %d:%d:%d Z" fullword ascii
                $s4 = "lsasrv32.dll" fullword ascii
                $s5 = "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" fullword ascii
                $s6 = "%s %02x %s" fullword ascii
                $s7 = "VIEWERS" fullword ascii
                $s8 = "5.2.3790.220 (srv03_gdr.040918-1552)" fullword wide
        condition:
                ( $mz at 0 ) and filesize < 250000 and 6 of ($s*)
}
rule Equation_Kaspersky_FannyWorm {
        meta:
                description = "Equation Group Malware - Fanny Worm"
                author = "Florian Roth"
                reference = "http://goo.gl/ivt8EW"
                date = "2015/02/16"
                hash = "1f0ae54ac3f10d533013f74f48849de4e65817a7"
        strings:
                $mz = { 4d 5a }
       
                $s1 = "x:\\fanny.bmp" fullword ascii
                $s2 = "32.exe" fullword ascii  
                $s3 = "d:\\fanny.bmp" fullword ascii
       
                $x1 = "c:\\windows\\system32\\kernel32.dll" fullword ascii
                $x2 = "System\\CurrentControlSet\\Services\\USBSTOR\\Enum" fullword ascii
                $x3 = "System\\CurrentControlSet\\Services\\PartMgr\\Enum" fullword ascii
                $x4 = "\\system32\\win32k.sys" fullword wide
                $x5 = "\\AGENTCPD.DLL" fullword ascii
                $x6 = "agentcpd.dll" fullword ascii
                $x7 = "PADupdate.exe" fullword ascii
                $x8 = "dll_installer.dll" fullword ascii               
                $x9 = "\\restore\\" fullword ascii
                $x10 = "Q:\\__?__.lnk" fullword ascii
                $x11 = "Software\\Microsoft\\MSNetMng" fullword ascii
                $x12 = "\\shelldoc.dll" fullword ascii
                $x13 = "file size = %d bytes" fullword ascii
                $x14 = "\\MSAgent" fullword ascii
                $x15 = "Global\\RPCMutex" fullword ascii
                $x16 = "Global\\DirectMarketing" fullword ascii
        condition:
                ( $mz at 0 ) and filesize < 300000 and
                (
                        ( 2 of ($s*) ) or
                        ( 1 of ($s*) and 6 of ($x*) ) or
                        ( 14 of ($x*) )
                )
}
rule Equation_Kaspersky_HDD_reprogramming_module {
        meta:
                description = "Equation Group Malware - HDD reprogramming module"
                author = "Florian Roth"
                reference = "http://goo.gl/ivt8EW"
                date = "2015/02/16"
                hash = "ff2b50f371eb26f22eb8a2118e9ab0e015081500"
        strings:
                $mz = { 4d 5a }
                $s0 = "nls_933w.dll" fullword ascii
               
                $s1 = "BINARY" fullword wide
                $s2 = "KfAcquireSpinLock" fullword ascii
                $s3 = "HAL.dll" fullword ascii
                $s4 = "READ_REGISTER_UCHAR" fullword ascii
        condition:
                ( $mz at 0 ) and filesize < 300000 and all of ($s*)
}
rule Equation_Kaspersky_EOP_Package {
        meta:
                description = "Equation Group Malware - EoP package and malware launcher"
                author = "Florian Roth"
                reference = "http://goo.gl/ivt8EW"
                date = "2015/02/16"
                hash = "2bd1b1f5b4384ce802d5d32d8c8fd3d1dc04b962"
        strings:
                $mz = { 4d 5a }
                $s0 = "abababababab" fullword ascii
                $s1 = "abcdefghijklmnopq" fullword ascii
                $s2 = "@STATIC" fullword wide
                $s3 = "$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" fullword ascii
                $s4 = "@prkMtx" fullword wide
                $s5 = "prkMtx" fullword wide
                $s6 = "cnFormVoidFBC" fullword wide
        condition:
                ( $mz at 0 ) and filesize < 100000 and all of ($s*)
}
rule Equation_Kaspersky_TripleFantasy_Loader {
        meta:
                description = "Equation Group Malware - TripleFantasy Loader"
                author = "Florian Roth"
                reference = "http://goo.gl/ivt8EW"
                date = "2015/02/16"
                hash = "4ce6e77a11b443cc7cbe439b71bf39a39d3d7fa3"
        strings:
                $mz = { 4d 5a }
               
                $x1 = "Original Innovations, LLC" fullword wide
                $x2 = "Moniter Resource Protocol" fullword wide
                $x3 = "ahlhcib.dll" fullword wide      
       
                $s0 = "hnetcfg.HNetGetSharingServicesPage" fullword ascii
                $s1 = "hnetcfg.IcfGetOperationalMode" fullword ascii
                $s2 = "hnetcfg.IcfGetDynamicFwPorts" fullword ascii
                $s3 = "hnetcfg.HNetFreeFirewallLoggingSettings" fullword ascii
                $s4 = "hnetcfg.HNetGetShareAndBridgeSettings" fullword ascii
                $s5 = "hnetcfg.HNetGetFirewallSettingsPage" fullword ascii
        condition:
                ( $mz at 0 ) and filesize < 50000 and ( all of ($x*) and all of ($s*) )
}

News::
http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/
https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/




Feb 16, 2015

Tools: OSXCollector - Forensic OSX

OSXCollector is a forensic evidence collection & analysis toolkit for OSX.

Forensic Collection

The collection script runs on a potentially infected machine and outputs a JSON file that describes the target machine. OSXCollector gathers information from plists, SQLite databases and the local file system.

Forensic Analysis

Armed with the forensic collection, an analyst can answer questions like:
  • Is this machine infected?
  • How'd that malware get there?
  • How can I prevent and detect further infection?
Yelp automates the analysis of most OSXCollector runs converting OSXCollector output into an easily readable and actionable summary of just the suspicious stuff.

Source:: http://yelp.github.io/osxcollector/

