Jul 23, 2015

Slides: Recon 2015


Jul 22, 2015

Howto: Memory Acquisition for Forensics

Summary from: https://alexandreborgesbrazil.files.wordpress.com/2014/06/memory-acquisition_win_linux1.pdf

Memory Acquisition on Windows
  • DumpIt from MoonSols (http://www.moonsols.com/downloads/7) using DumpIT.exe
  • Memoryze from Mandiant/FireEye (https://www.mandiant.com/library/MemoryzeSetup3.0.msi) using MemoryDD.bat
Initial analysis with Mandiant's Redline (https://www.mandiant.com/library/Redline-1.12.msi)

Memory acquisition on Linux systems
  • https://code.google.com/p/lime-forensics/downloads/list
  • https://github.com/504ensicslabs/lime
    • Compile with make
    • Install the kernel module with the command
      • insmod lime-3.7-trunk-amd64.ko  "path=/media/external_drive/kali_memory_dump.bin   format=lime"
    • The memory dump is written to /media/external_drive/kali_memory_dump.bin
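Added example (not part of the original post or of the LiME project): after loading the module with format=lime, the first thing worth doing with the resulting file is to confirm it is a well-formed capture and record its hash. The parser below walks the 32-byte per-range header LiME writes (magic 0x4C694D45, version 1, inclusive start and end physical addresses, 8 reserved bytes), lists the physical ranges the dump contains, reads bytes at a physical address, and refuses truncated or mislabelled files. The two-range image it runs on when no path is given is constructed in memory, not a real dump.

```python
import hashlib
import struct

# Per-range header written by the LiME module for format=lime (32 bytes,
# little-endian): magic, version, start address, end address, 8 reserved bytes.
LIME_MAGIC = 0x4C694D45            # the bytes b"EMiL" at the start of each range
LIME_HEADER = struct.Struct("<IIQQ8s")


def parse_lime(data):
    """Walk a format=lime dump and return one dict per physical memory range:
    start/end address (end is inclusive), size and the offset of the range's
    payload inside the dump. Raises ValueError on a corrupt or truncated file,
    which is the first check worth doing on a fresh acquisition."""
    ranges, off = [], 0
    while off < len(data):
        if len(data) - off < LIME_HEADER.size:
            raise ValueError("truncated header at offset %d" % off)
        magic, version, s_addr, e_addr, _ = LIME_HEADER.unpack_from(data, off)
        if magic != LIME_MAGIC:
            raise ValueError("bad magic 0x%08x at offset %d" % (magic, off))
        if version != 1:
            raise ValueError("unsupported LiME header version %d" % version)
        size = e_addr - s_addr + 1
        payload = off + LIME_HEADER.size
        if payload + size > len(data):
            raise ValueError("range 0x%x-0x%x runs past end of file" % (s_addr, e_addr))
        ranges.append({"start": s_addr, "end": e_addr, "size": size, "offset": payload})
        off = payload + size
    return ranges


def read_physical(data, ranges, addr, length):
    """Return `length` bytes at physical address `addr`, or None when the address
    falls in a hole between captured ranges (MMIO, reserved memory)."""
    for r in ranges:
        if r["start"] <= addr and addr + length - 1 <= r["end"]:
            o = r["offset"] + (addr - r["start"])
            return data[o:o + length]
    return None


def dump_sha256(data):
    """Hash of the whole image, to record alongside the dump right after acquisition."""
    return hashlib.sha256(data).hexdigest()


def constructed_dump():
    """Two-range dump built in memory for the demo; not a real capture."""
    out = b""
    for start, payload in ((0x1000, b"\xAA" * 4096), (0x100000, b"\x55" * 16)):
        out += LIME_HEADER.pack(LIME_MAGIC, 1, start, start + len(payload) - 1, b"\0" * 8)
        out += payload
    return out


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_dump()
    for r in parse_lime(image):
        print("range 0x%012x-0x%012x  %10d bytes at file offset %d"
              % (r["start"], r["end"], r["size"], r["offset"]))
    print("sha256", dump_sha256(image))
```

Run it as `python lime_check.py /media/external_drive/kali_memory_dump.bin` to list the ranges of a real capture; the gaps between ranges are normal (device and reserved memory are not captured), but a bad magic partway through the file means the acquisition was interrupted or the file was altered.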


Tools: PEframe - PEframe is an open source tool to perform static analysis on (portable executable) malware.

PEframe is an open source tool to perform static analysis on Portable Executable malware.

Source:: https://github.com/guelfoweb/peframe

Tools: hacking-team-windows-kernel-lpe - exploit from the Hacking Team leak, written by Eugene Ching/Qavar.

This is an exploit for CVE-2015-2426 (MS-078), a Windows kernel local privilege escalation 0day from the Hacking Team archive (email here). It was developed by Eugene Ching / Qavar security. Original contents below:

Windows kernel memory corruption exploit leading to privilege escalation.
Tested on Windows 8.1 fully-patched (as of 28 Jan 2015).
Also tested to work against:
  • Google Chrome, up to v40.0.2214.93 (64-bit); and
  • Google Chrome Canary, up to v42.0.2290.6 canary (64-bit)
assuming a suitable RCE in Chrome (simulated via injecting a thread into Chrome)

Source:: https://github.com/vlad902/hacking-team-windows-kernel-lpe

Jul 18, 2015

Tools: MicEnum

In the context of the Microsoft Windows family of operating systems, Mandatory Integrity Control (MIC) is a core security feature introduced in Windows Vista and implemented in subsequent lines of Windows operating systems. It adds Integrity Level (IL)-based isolation to running processes and objects. The IL represents the level of trustworthiness of an object, and it may be set on files, folders, etc. Believe it or not, there is no graphical interface for dealing with MIC in Windows. MicEnum has been created to solve this, and as a tool for forensics.
MicEnum is a simple graphical tool that:
  • Enumerates the Integrity Levels of the objects (files and folders) in the hard disks.
  • Enumerates the Integrity Levels in the registry.
  • Helps to detect anomalies in them by spotting different integrity levels.
  • Allows storing and restoring this information in an XML file so it may be used for forensic purposes.

Source:: https://www.elevenpaths.com/labstools/micenum/index.html
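Added example, not MicEnum's code: the integrity level of a file or folder lives in a mandatory label ACE, written in SDDL as (ML;flags;policy;;;sid) in the S: part of the descriptor, where the SID is S-1-16-<RID> or one of the aliases LW, ME, MP, HI, SI and the policy is NW/NR/NX (no write/read/execute up). An object with no label is treated as Medium. The script below decodes that ACE and reports objects whose level differs from their parent folder's, which is the "spotting different integrity levels" check from the list above. The path-to-SDDL table is constructed for the demo; on a real system the same strings can be exported with `icacls <path> /save <file>`.

```python
import ntpath
import re

# Integrity level SIDs (S-1-16-<RID>) and the SDDL aliases used in mandatory label ACEs.
LEVELS = {
    "S-1-16-0": "Untrusted", "S-1-16-4096": "Low", "S-1-16-8192": "Medium",
    "S-1-16-8448": "MediumPlus", "S-1-16-12288": "High", "S-1-16-16384": "System",
}
ALIASES = {"LW": "S-1-16-4096", "ME": "S-1-16-8192", "MP": "S-1-16-8448",
           "HI": "S-1-16-12288", "SI": "S-1-16-16384"}
# (ML;ace_flags;mandatory_policy;;;sid) inside the S: (SACL) part of the SDDL string.
ML_ACE = re.compile(r"\(ML;[^;]*;([^;]*);;;([^)]+)\)")


def integrity_level(sddl):
    """Return (level name, mandatory policy such as 'NW') from the ML ACE.
    An object with no label is treated as Medium, as Windows does."""
    m = ML_ACE.search(sddl or "")
    if not m:
        return "Medium", ""
    policy, sid = m.groups()
    sid = ALIASES.get(sid, sid)
    return LEVELS.get(sid, sid), policy


def find_anomalies(entries):
    """entries maps object path -> SDDL string. Reports every object whose level
    differs from its parent folder's, the kind of mismatch MicEnum is meant to
    make visible. Returns (path, parent level, object level) tuples."""
    levels = {path: integrity_level(sddl)[0] for path, sddl in entries.items()}
    out = []
    for path, level in sorted(levels.items()):
        parent = ntpath.dirname(path)
        if parent in levels and levels[parent] != level:
            out.append((path, levels[parent], level))
    return out


# Constructed sample, not output from a real system.
SAMPLE = {
    r"C:\Users\alice\Downloads": "D:(A;OICI;FA;;;BA)S:(ML;OICI;NW;;;LW)",
    r"C:\Users\alice\Downloads\setup.exe": "D:(A;;FA;;;BA)S:(ML;;NW;;;LW)",
    r"C:\Users\alice\Downloads\update.exe": "D:(A;;FA;;;BA)S:(ML;;NW;;;HI)",
    r"C:\Windows\System32": "D:(A;OICI;FA;;;SY)S:(ML;OICI;NW;;;HI)",
    r"C:\Windows\System32\calc.exe": "D:(A;;FA;;;SY)",   # no label: implicit Medium
}

if __name__ == "__main__":
    for path, parent_level, level in find_anomalies(SAMPLE):
        print("%s: parent is %s, object is %s" % (path, parent_level, level))
```

The two reported entries are the interesting ones for a forensic pass: a High-labelled executable sitting in a Low folder (something raised its level after download) and an unlabelled file inside a High folder (it no longer inherits what its siblings have). A snapshot of the levels saved before an incident, as MicEnum's XML export does, is what lets these differences be compared over time rather than judged in isolation.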

Howto: Uninstall Global Protect in Mac

1. Go to Global Protect folder
# cd /Applications/GlobalProtect.app/Contents/Resources

2. Run uninstall script
# sudo bash uninstall_gp.sh

Jul 17, 2015

Tools: passgen - an alternative for the random character generator crunch which attempts to solve cracking WPA/WPA2

Passgen is an alternative for the random character generator crunch which attempts to solve cracking WPA/WPA2 keys by randomizing the output as opposed to generating a list like so, (aaaaaaaa, aaaaaaab, aaaaaac, etc).
Example usage with aircrack-ng (python passgen.py -l | sudo aircrack-ng --bssid 00:11:22:33:44:55 -w- WiFi.cap)
The argument switches are as follows:
-l lowercase ascii
-l1 lowercase ascii + digits(0-9)
-U uppercase ascii
-U1 uppercase ascii + digits
-lU lowercase + uppercase ascii
-lU1 lowercase + uppercase ascii + digits
-C [char] [length] custom character set + length
This application will be updated with new features as needed.

Source:: https://github.com/blmvxer/passgen/

Jul 16, 2015

Tools: Evomalware is a simple BASH script to detect malware/viruses/backdoors/... especially in PHP files.

Evomalware is a simple BASH script to detect malware/viruses/backdoors/... especially in PHP files.

EvoMalware is a BASH script which identifies files (PHP only ATM) infected by malware/viruses/backdoors.
The main goal is to be used in a cron job to generate reports, but it can be used in "one shot" mode.
The script uses 3 flat text files as databases:
  • evomalware.filenames, known filenames.
  • evomalware.patterns, known patterns.
  • evomalware.whitelist, files to ignore.
There is also an "aggressive" mode which finds suspect files using the evomalware.suspect DB.
At each run, the script downloads the latest databases.

Source::  https://github.com/evoforge/evomalware

Tools: Inveigh is a Windows PowerShell LLMNR/NBNS spoofer with challenge/response capture over HTTP/SMB

Inveigh is a Windows PowerShell LLMNR/NBNS spoofer designed to assist penetration testers who find themselves limited to a Windows system. This can commonly occur while performing phishing attacks, USB drive attacks, VLAN pivoting, or simply being restricted to a Windows system as part of client-imposed restrictions.

Source:: https://github.com/Kevin-Robertson/Inveigh

Tools: ZeroDay Cyber Research - ZCR Shellcoder - z3r0d4y.com Shellcode Generator

>python shellcoder.py -os linux_x86 -encode xor_random -job chmod('/etc/shadow','777') -o file.txt
>python shellcoder.py -os linux_x86 -encode xor_random -job chmod('/etc/passwd','444') -o file.txt

Note: each time you execute the chmod() job with a random encoder, you will get different output and different shellcode.

>python shellcoder.py -os linux_x86 -encode xor_0x41414141 -job chmod('/etc/shadow','777') -o file.txt
>python shellcoder.py -os linux_x86 -encode xor_0x45872f4d -job chmod('/etc/passwd','444') -o file.txt

Note: your XOR value can be anything; "xor_0x41414141" and "xor_0x45872f4d" are examples.

>python shellcoder.py -os linux_x86 -encode add_random -job chmod('/etc/passwd','444') -o file.txt
>python shellcoder.py -os linux_x86 -encode add_0x41414141 -job chmod('/etc/passwd','777') -o file.txt

>python shellcoder.py -os linux_x86 -encode sub_random -job chmod('/etc/passwd','777') -o file.txt
>python shellcoder.py -os linux_x86 -encode sub_0x41414141 -job chmod('/etc/passwd','444') -o file.txt 

Source:: https://github.com/Ali-Razmjoo/ZCR-Shellcoder