Search

vulnerablelife

Vulnerable Life by Vulneraman | Information Security Blog

Awesome Malware Analysis Lists

A curated list of awesome malware analysis tools and resources. Inspired by awesome-python and awesome-php.


Malware Collection

Anonymizers

Web traffic anonymizers for analysts.

  • Anonymouse.org – A free, web based anonymizer.
  • OpenVPN – VPN software and hosting solutions.
  • Privoxy – An open source proxy server with some privacy features.
  • Tor – The Onion Router, for browsing the web without leaving traces of the client IP.

Honeypots

Trap and collect your own samples.

  • Conpot – ICS/SCADA honeypot.
  • Dionaea – Honeypot designed to trap malware.
  • Glastopf – Web application honeypot.
  • Honeyd – Create a virtual honeynet.
  • HoneyDrive – Honeypot bundle Linux distro.
  • Kippo – Medium interaction SSH honeypot.
  • Mnemosyne – A normalizer for honeypot data; supports Dionaea.
  • Thug – Low interaction honeyclient, for investigating malicious websites.

Malware Corpora

Malware samples collected for analysis.

  • Clean MX – Realtime database of malware and malicious domains.
  • Contagio – A collection of recent malware samples and analyses.
  • Exploit Database – Exploit and shellcode samples.
  • Malshare – Large repository of malware actively scrapped from malicious sites.
  • maltrieve – Retrieve malware samples directly from a number of online sources.
  • MalwareDB – Malware samples repository.
  • theZoo – Live malware samples for analysts.
  • ViruSign – Malware database that detected by many anti malware programs except ClamAV.
  • VirusShare – Malware repository, registration
  • Zeltser’s Sources – A list of malware sample sources put together by Lenny Zeltser.
  • Zeus Source Code – Source for the Zeus trojan leaked in 2011. required.

Open Source Threat Intelligence

Tools

Harvest and analyze IOCs.

  • Combine – Tool to gather Threat Intelligence indicators from publicly available sources.
  • IntelMQ – A tool for CERTs for processing incident data using a message queue.
  • IOC Editor – A free editor for XML IOC files, from Mandiant.
  • ioc_writer – Python library for working with OpenIOC objects, from Mandiant.
  • Massive Octo Spice – Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
  • MISP – Malware Information Sharing Platform curated by The MISP Project.
  • PassiveTotal – Research, connect, tag and share IPs and domains.
  • threataggregator – Aggregates security threats from a number of sources, including some of those listed below in other resources.
  • ThreatCrowd – A search engine for threats, with graphical visualization.
  • TIQ-test – Data visualization and statistical analysis of Threat Intelligence feeds.

Other Resources

Threat intelligence and IOC resources.

Detection and Classification

Antivirus and other malware identification tools

  • AnalyzePE – Wrapper for a variety of tools for reporting on Windows PE files.
  • chkrootkit – Local Linux rootkit detection.
  • ClamAV – Open source antivirus engine.
  • ExifTool – Read, write and edit file metadata.
  • hashdeep – Compute digest hashes with a variety of algorithms.
  • Loki – Host based scanner for IOCs.
  • Malfunction – Catalog and compare malware at a function level.
  • MASTIFF – Static analysis framework.
  • MultiScanner – Modular file scanning/analysis framework
  • nsrllookup – A tool for looking up hashes in NIST’s National Software Reference Library database.
  • packerid – A cross-platform Python alternative to PEiD.
  • PEiD – Packer identifier for Windows binaries.
  • PEV – A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.
  • Rootkit Hunter – Detect Linux rootkits.
  • ssdeep – Compute fuzzy hashes.
  • totalhash.py – Python script for easy searching of the TotalHash.com database.
  • TrID – File identifier.
  • YARA – Pattern matching tool for analysts.
  • Yara rules generator – Generate yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives.

Online Scanners and Sandboxes

Web-based multi-AV scanners, and malware sandboxes for automated analysis.

  • AndroTotal – free online analysis of APKs against multiple mobile antivirus apps.
  • Anubis – Malware Analysis for Unknown Binaries and Site Check.
  • AVCaesar – Malware.lu online scanner and malware repository.
  • Cryptam – Analyze suspicious office documents.
  • Cuckoo Sandbox – Open source, self hosted sandbox and automated analysis system.
  • cuckoo-modified – Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author.
  • DeepViz – Multi-format file analyzer with machine-learning classification.
  • DRAKVUF – Dynamic malware analysis system.
  • Hybrid Analysis – Online malware analysis tool, powered by VxSandbox.
  • IRMA – An asynchronous and customizable analysis platform for suspicious files.
  • Jotti – Free online multi-AV scanner.
  • Malheur – Automatic sandboxed analysis of malware behavior.
  • Malwr – Free analysis with an online Cuckoo Sandbox instance.
  • MASTIFF Online – Online static analysis of malware.
  • Metascan Online – Free file scanning with multiple antivirus engines.
  • Noriben – Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
  • PDF Examiner – Analyse suspicious PDF files.
  • Recomposer – A helper script for safely uploading binaries to sandbox sites.
  • VirusTotal – Free online analysis of malware samples and URLs
  • Zeltser’s List – Free automated sandboxes and services, compiled by Lenny Zeltser.

Domain Analysis

Inspect domains and IP addresses.

  • Desenmascara.me – One click tool to retrieve as much metadata as possible for a website and to assess its good standing.
  • Dig – Free online dig and other network tools.
  • IPinfo – Gather information about an IP or domain by searching online resources.
  • SenderBase – Search for IP, domain or network owner.
  • SpamCop – IP based spam block list.
  • SpamHaus – Block list based on domains and IPs.
  • Sucuri SiteCheck – Free Website Malware and Security Scanner.
  • TekDefense Automator – OSINT tool for gatherig information about URLs, IPs, or hashes.
  • Whois – DomainTools free online whois search.
  • Zeltser’s List – Free online tools for researching malicious websites, compiled by Lenny Zeltser.

Browser Malware

Analyze malicious URLs. See also the domain analysis and documents and shellcode sections.

  • Firebug – Firefox extension for web development.
  • Java Decompiler – Decompile and inspect Java apps.
  • Java IDX Parser – Parses Java IDX cache files.
  • JSDetox – JavaScript malware analysis tool.
  • jsunpack-n – A javascript unpacker that emulates browser functionality.
  • Malzilla – Analyze malicious web pages.
  • RABCDAsm – A “Robust ActionScript Bytecode Disassembler.”
  • swftools – Tools for working with Adobe Flash files.
  • xxxswf – A Python script for analyzing Flash files.

Documents and Shellcode

Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malware section.

  • AnalyzePDF – A tool for analyzing PDFs and attempting to determine whether they are malicious.
  • diStorm – Disassembler for analyzing malicious shellcode.
  • JS Beautifier – JavaScript unpacking and deobfuscation.
  • libemu – Library and tools for x86 shellcode emulation.
  • malpdfobj – Deconstruct malicious PDFs into a JSON representation.
  • OfficeMalScanner – Scan for malicious traces in MS Office documents.
  • olevba – A script for parsing OLE and OpenXML documents and extracting useful information.
  • Origami PDF – A tool for analyzing malicious PDFs, and more.
  • PDF Tools – pdfid, pdf-parser, and more from Didier Stevens.
  • PDF X-Ray Lite – A PDF analysis tool, the backend-free version of PDF X-RAY.
  • peepdf – Python tool for exploring possibly malicious PDFs.
  • Spidermonkey – Mozilla’s JavaScript engine, for debugging malicious JS.

File Carving

For extracting files from inside disk and memory images.

  • bulk_extractor – Fast file carving tool.
  • EVTXtract – Carve Windows Event Log files from raw binary data.
  • Foremost – File carving tool designed by the US Air Force.
  • Hachoir – A collection of Python libraries for dealing with binary files.
  • Scalpel – Another data carving tool.

Deobfuscation

Reverse XOR and other code obfuscation methods.

  • Balbuzard – A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
  • de4dot – .NET deobfuscator and unpacker.
  • ex_pe_xor & iheartxor – Two tools from Alexander Hanel for working with single-byte XOR encoded files.
  • NoMoreXOR – Guess a 256 byte XOR key using frequency analysis.
  • unxor – Guess XOR keys using known-plaintext attacks.
  • XORBruteForcer – A Python script for brute forcing single-byte XOR keys.
  • XORSearch & XORStrings – A couple programs from Didier Stevens for finding XORed data.
  • xortool – Guess XOR key length, as well as the key itself.

Debugging and Reverse Engineering

Disassemblers, debuggers, and other static and dynamic analysis tools.

  • Bokken – GUI for Pyew and Radare.
  • dnSpy – .NET assembly editor, decompiler and debugger.
  • Evan’s Debugger (EDB) – A modular debugger with a Qt GUI.
  • GDB – The GNU debugger.
  • hackers-grep – A utility to search for strings in PE executables including imports, exports, and debug symbols.
  • IDA Pro – Windows disassembler and debugger, with a free evaluation version.
  • Immunity Debugger – Debugger for malware analysis and more, with a Python API.
  • ltrace – Dynamic analysis for Linux executables.
  • objdump – Part of GNU binutils, for static analysis of Linux binaries.
  • OllyDbg – An assembly-level debugger for Windows executables.
  • pestudio – Perform static analysis of Windows executables.
  • Process Monitor – Advanced monitoring tool for Windows programs.
  • Pyew – Python tool for malware analysis.
  • Radare2 – Reverse engineering framework, with debugger support.
  • strace – Dynamic analysis for Linux executables.
  • Udis86 – Disassembler library and tool for x86 and x86_64.
  • Vivisect – Python tool for malware analysis.
  • X64dbg – An open-source x64/x32 debugger for windows.

Network

Analyze network interactions.

  • Bro – Protocol analyzer that operates at incredible scale; both file and network protocols.
  • CapTipper – Malicious HTTP traffic explorer.
  • chopshop – Protocol analysis and decoding framework.
  • Fiddler – Intercepting web proxy designed for “web debugging.”
  • Hale – Botnet C&C monitor.
  • INetSim – Network service emulation, useful when building a malware lab.
  • Malcom – Malware Communications Analyzer.
  • Maltrail – A malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails and featuring an reporting and analysis interface.
  • mitmproxy – Intercept network traffic on the fly.
  • Moloch – IPv4 traffic capturing, indexing and database system.
  • NetworkMiner – Network forensic analysis tool, with a free version.
  • ngrep – Search through network traffic like grep.
  • Tcpdump – Collect network traffic.
  • tcpick – Trach and reassemble TCP streams from network traffic.
  • tcpxtract – Extract files from network traffic.
  • Wireshark – The network traffic analysis tool.

Memory Forensics

Tools for dissecting malware in memory images or running systems.

  • DAMM – Differential Analysis of Malware in Memory, built on Volatility
  • FindAES – Find AES encryption keys in memory.
  • Muninn – A script to automate portions of analysis using Volatility, and create a readable report.
  • Rekall – Memory analysis framework, forked from Volatility in 2013.
  • TotalRecall – Script based on Volatility for automating various malware analysis tasks.
  • VolDiff – Run Volatility on memory images before and after malware execution, and report changes.
  • Volatility – Advanced memory forensics framework.
  • WinDbg – Live memory inspection and kernel debugging for Windows systems.

Windows Artifacts

  • AChoir – A live incident response script for gathering Windows artifacts.
  • python-evt – Python library for parsing Windows Event Logs.
  • python-registry – Python library for parsing registry files.
  • RegRipper (GitHub) – Plugin-based registry analysis tool.

Storage and Workflow

  • Aleph – OpenSource Malware Analysis Pipeline System.
  • CRITs – Collaborative Research Into Threats, a malware and threat repository.
  • Malwarehouse – Store, tag, and search malware.
  • MISP – Malware Information Sharing Platform curated by The MISP Project.
  • Viper – A binary management and analysis framework for analysts and researchers.

Miscellaneous

  • DC3-MWCP – The Defense Cyber Crime Center’s Malware Configuration Parser framework.
  • Pafish – Paranoid Fish, a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.
  • REMnux – Linux distribution and docker images for malware reverse engineering and analysis.
  • Santoku Linux – Linux distribution for mobile forensics, malware analysis, and security.

Resources

Books

Essential malware analysis reading material.

Twitter

Some relevant Twitter accounts.

Other

Related Awesome Lists

Reference :github

Original Post: https://www.linkedin.com/pulse/awesome-malware-analysis-lists-mayur-agnihotri

Anatomy of Paypal Phishing Attack

The phishing email

The email header

 Delivered-To: xxx@gmail.com
Received: by 10.202.71.131 with SMTP id u125csp1210882oia;
 Fri, 29 Jul 2016 04:32:30 -0700 (PDT)
X-Received: by 10.28.45.69 with SMTP id t66mr661693wmt.41.1469791950832;
 Fri, 29 Jul 2016 04:32:30 -0700 (PDT)
Return-Path: <sh198725@atena21.gdn-superhost.pl>
Received: from mailGW-1.gdn-superhost.pl (mailGW-1.gdn-superhost.pl. [178.250.47.101])
 by mx.google.com with ESMTP id v66si3080759wmf.69.2016.07.29.04.32.30
 for <xxx@gmail.com>;
 Fri, 29 Jul 2016 04:32:30 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of sh198725@atena21.gdn-superhost.pl designates 178.250.47.101 as permitted sender) client-ip=178.250.47.101;
Authentication-Results: mx.google.com;
 spf=pass (google.com: best guess record for domain of sh198725@atena21.gdn-superhost.pl designates 178.250.47.101 as permitted sender) smtp.mailfrom=sh198725@atena21.gdn-superhost.pl
Received: by mailGW-1.gdn-superhost.pl (Postfix, from userid 500)
 id 77A34104353; Fri, 29 Jul 2016 13:32:30 +0200 (CEST)
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
 mailGW-1.gdn-superhost.pl
X-Spam-Level: 
X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,HTML_FONT_SIZE_HUGE,
 HTML_MESSAGE,MIME_HTML_ONLY,NO_RELAYS,URIBL_BLOCKED autolearn=no version=3.3.2
X-Spam-Languages: en
Received: by atena21.gdn-superhost.pl (Postfix, from userid 35301)
 id 8681717C0278; Fri, 29 Jul 2016 13:32:23 +0200 (CEST)
To: xxx@gmail.com
Subject: Unusual activity in your account
X-PHP-Script: andrea.lattari.eu/modules/blog/ml.php for 197.3.225.82
From: Security Team <ppl@jacob-broom.dreamhost.com>
MIME-Version: 1.0
Content-Type: text/html
Message-Id: <20160729113223.8681717C0278@atena21.gdn-superhost.pl>
Date: Fri, 29 Jul 2016 13:32:23 +0200 (CEST)

The phishing Paypal site

Without https of course, my firefox shows that hosting in Germary

fake_paypal_02

The phishing IP information

fake_paypal_11

The phishing site registration information

fake_paypal_12

Try to login the phishing site

fake_paypal_03

Login failed. However the “My Paypal” and “Log out” button at right top corner don’t work

fake_paypal_04

After press the Continue button, it will brings you to update credit/debit card

fake_paypal_05

The phisher wants all your information, have to add billing address to next step

fake_paypal_06

The billing address page

fake_paypal_07

The phisher will ask for remaining information of you

fake_paypal_08

Congratulations! You have submitted all necessary information to phisher

fake_paypal_09

Finally, the phisher will bring you back to the real Paypal website.

fake_paypal_10

Final Thought:

The phishing campaign website design and quality is good. Phisher looking for high quality of data, many fields with validation, the data collection flow is nice.

To avoid trap by those kind of phishing email is easy, the website without https, and the domain name is very easy to identify.

Researchers find over 100 spying Tor nodes that attempt to compromise darknet sites

800px-Red_onion_closeup_2

When it comes to accessing public websites, Tor has an intrinsic security problem: though the nodes between your computer and the public internet are unable to see where the traffic is coming from or going to, the final hop in the network (known as an exit node) gets to know what webserver you are connecting to.

If that final hop isn’t protected by an HTTPS connection — if it takes place without encryption — then all the traffic between you and the webserver are an open book to the exit node. It can see what you send and what you receive, and it can tamper with the connection (for example, it can inject malicious code that exploits bugs in your browser to take it over). If your session includes identifying information — your Google cookie, say, or a login and password — then someone running a spying exit node can figure out who you are without having to poison your session. This was much more of a problem when HTTPS connections were more rare, but now, thanks to the Snowden revelations and projects like Let’s Encrypt, much of the web is encrypted by default. That means that a spying exit node will only be able to see which server is being accessed, but not which page, and will not be able to inject code into the session, and will not be able to see the data going to and from the server.

There aren’t many exit nodes out there. Many people fear that running an exit node will put them in police crosshairs if it gets used in the commission of a crime. For the record, Boing Boing runs a very high-capacity exit node, and though we’ve received multiple contacts from US law enforcement, we’ve just explained that this is a Tor node that runs with logging switched off, and thus we have no information that’ll be relevant to any investigations, and the officers involved have thanked us and gone away without further trouble.

The lack of exit nodes means that if you run an exit node and want to spy on people, you can see an appreciable fraction of all the Tor traffic that goes to and from the public internet. Many governments, including the Chinese government, are understood to be running high-availability exit nodes that snoop on and log all the traffic they can see.

One answer to this problem is Tor “hidden services.” These are servers that have no public internet address; rather, they are accessed directly through the Tor network, without traffic ever being routed through an exit node. Because all this traffic takes place in the Tor network, without the intermediate nodes ever getting access to decrypted information, the sessions are considered very secure. Notorious darknet sites like The Silk Road ran as hidden services, and many sites maintain hidden service versions of their public offerings: for example, Facebook can be accessed on the Tor network via https://www.facebookcorewwwi.onion/, which resolves to a machine in one of Facebook’s data centers in Oregon, which is then bridged into the rest of Facebook’s system. By accessing Facebook over a .onion hidden service, you can disguise the fact that you’re visiting Facebook at all, and bypass censoring firewalls, like those used by schools, employers and governments.

However, hidden services are not without their own security issues. A pair of security researchers from Northeastern University have announced a paper(to be delivered at this summer’s Def Con hacker convention in Las Vegas) that reveals over 100 spying Tor nodes that were shown to be targeting hidden services.

These nodes — ordinary nodes, not exit nodes — sorted through all the traffic that passed through them, looking for anything bound for a hidden service, which allowed them to discover hidden services that had not been advertised. These nodes then attacked the hidden services by making connections to them and trying common exploits against the server-software running on them, seeking to compromise and take them over.

The researchers used “honeypot” .onion servers to find the spying computers: these honeypots were .onion sites that the researchers set up in their own lab and then connected to repeatedly over the Tor network, thus seeding many Tor nodes with the information of the honions’ existence. They didn’t advertise the honions’ existence in any other way and there was nothing of interest at these sites, and so when the sites logged new connections, the researchers could infer that they were being contacted by a system that had spied on one of their Tor network circuits.

This attack was already understood as a theoretical problem for the Tor project, which had recently undertaken a rearchitecting of the hidden service system that would prevent it from taking place.

No one knows who is running the spying nodes: they could be run by criminals, governments, private suppliers of “infowar” weapons to governments, independent researchers, or other scholars (though scholarly research would not normally include attempts to hack the servers once they were discovered).

“We create what we call ‘honey onions’ or ‘honions.’ These are onion addresses that we don’t share with anyone,” Noubir said. If someone visits the sites, it’s a good indication that their service has been picked up by a malicious HSDir.

At any one time, the pair ran 4,500 honey onions over 72 days, and found at least 110 HSDirs spying on hidden services. Some of the actors behind these weren’t just passive observers; many came back and then aggressively probed the hidden services.

“They’re looking for vulnerabilities in the web server,” Sanatinia said. Those attackers might look for cross-site scripting attacks, SQL-injection vulnerabilities, or just try to find the server’s status page, which can reveal lots of interesting, and potentially identifying, information about the site.

Most of the dodgy HSDirs the researchers found were hosted in the US, followed by Germany, France, and then other European countries. Of course, that doesn’t necessarily mean their operators are based in the same country; anyone can whip up a remote server from pretty much anywhere in the world. And because over half of the 110 nodes were hosted on cloud infrastructure, it’s not easy to immediately pin down who’s behind them.

Honey Onions: Exposing Snooping Tor HSDir Relays [Guevara Noubir and Amirali Sanatinia/Def Con]

Over 100 Snooping Tor Nodes Have Been Spying on Dark Web Sites[Joseph Cox/Motherboard]

(Image: Red onion closeup , Ogre, Public Domain)

Original Post: https://boingboing.net/2016/07/01/researchers-find-over-100-spyi.html

Process Hallowing

In this article, we will learn what process hallowing is, how is it done, and how we can detect it while performing memory analysis.

Process Hallowing

It is a technique by which malware will replace a legitimate process with a duplicate process but with malicious code. The process helps the malware to hide among other legitimate processes. The new malicious process looks so similar to the original legitimate process that even the image name, path and command lines remain unchanged. Below are the steps usually followed for process hallowing:

  • First, target process is created in a suspended state using CreateProcess with CREATE_SUSPENDED option. After the process is created, its memory space can be altered with the handle provided. This handle will be referenced in all the subsequent function calls. Note that at this point malicious process is loaded but not yet executed because it was created in a suspended state.
  • Next step is to find the Process Environment Block (PEB section) for this malicious process which can be done using ReadRemotePEB helper function. After this is acquired, image base address is read to locate the NT headers.
  • Next step is to hollow the legitimate code from memory in the hosted process. For this NtUnmapViewOfSection is used. Because it is a kernel function, malware usually resolves the function at runtime using GetProcAddress.
  • Next step is to allocate a new block of memory to host malicious code. Malware usually makes the entire block PAGE_EXECUE_READWRITE for simplicity otherwise permissions can be set for each section as well.
  • Since space has been allocated for a new image, WriteProcessMemory is used to write the new image code in place of original image code. In the optional header structure, the base address will be changed to that of the new memory image. If however the image base of the new image does not match up with image base of original image then the image base of the new image need to be rebased.
  • SetThreadContext function is used to set the context of this process.
  • The last step is just to resume the process using ResumeThread.

Detection of Process Hallowing Using Volatility

Using Volatility plugin malfind

As discussed above, if the malware author forgot to fix the RWX protection on his malicious spawned process, then that can be detected by Volatility plugin ‘malfind’. Malfind looks for memory section that has PAGE_EXECUTE_READWRITE privileges and cannot be mapped onto the disk. It also dumps the assembly code at that memory section and final check to look at whether there is an executable code in the dump code is left for the analysts.

We first run the malfind plugin on a sample image and got following output

There is some clear process hallowing happened here. Multiple instances of lsass.exe are running where under normal circumstances only 1 should be running. To compare these with a normal lsass.exe we ran pslist plugin and got following output

Now process 680 has parent 624 and process 868 & 1928 has parent 668. Running a pstree will give us a good indication of parent-child relationship.

From above we can conclude that process 680 looks legitimate since it has a valid parent winlogon.exe and it was not present in malfind output. To further illustrate this, we will look at the dumped memory sections from process 868,1928.

        

Here we can see that both these has MZ header but cannot be mapped to disk (pre-requisite for malfind). However this MZ header can be easily manipulated by malware authors. To overcome this malfind gives you all the possible hallowed/injected section which Redline miss if the memory section does not have a MZ header.

It is worth to note that while performing memory analysis process hallowing and code injection looks very same.

Comparing the size of multiple instances of same process

We can even look at the sizes of all lsass process. First we will dump these lsass process using Volatility’s procdump plugin. Then we do a ls on the directory where we dumped all the 3 lsass processes. We can clearly see a difference in the size of the 680 vs. 1928 & 868.

After dumping these devices, I plugged it into a machine which has antivirus installed on it. McAfee recognized 1928 as a malicious process and as per set up policies as below

For other process i.e. 868 I submit it to virus total and it confirms that the process is malicious (39/54)

Comparing the processes with fuzzy hashing

We can even use fuzzy hashing to see how much of these processes match each other. With hashing like md5 we can only see whether an output matches or not but with fuzzy hashing we can see how different files are close to being the same. We will use tool ssdeep over the dumped processes in volatility.

Below is the ssdeep tool running over the executables dumped from volatility in above step.

Below we can see that process 680 has 0 match with process 868 & 1928.

So in this article we see how process hallowing is done and how we can detect it with volatility plugins and fuzzy hashing.

Original Post: http://resources.infosecinstitute.com/process-hallowing/

pytbull – Intrusion Detection/Prevention System (IDS/IPS) Testing Framework

pytbull is an Intrusion Detection/Prevention System (IDS/IPS) Testing Framework for Snort, Suricata and any IDS/IPS that generates an alert file. It can be used to test the detection and blocking capabilities of an IDS/IPS, to compare IDS/IPS, to compare configuration modifications and to check/validate configurations.

The framework is shipped with about 300 tests grouped in 11 testing modules:
  1. badTraffic: Non RFC compliant packets are sent to the server to test how packets are processed.
  2. bruteForce: tests the ability of the server to track brute force attacks (e.g. FTP). Makes use of custom rules on Snort and Suricata.
  3. clientSideAttacks: this module uses a reverse shell to provide the server with instructions to download remote malicious files. This module tests the ability of the IDS/IPS to protect against client-side attacks.
  4. denialOfService: tests the ability of the IDS/IPS to protect against DoS attempts
  5. evasionTechniques: various evasion techniques are used to check if the IDS/IPS can detect them.
  6. fragmentedPackets: various fragmented payloads are sent to server to test its ability to recompose them and detect the attacks.
  7. ipReputation: tests the ability of the server to detect traffic from/to low reputation servers.
  8. normalUsage: Payloads that correspond to a normal usage.
  9. pcapReplay: enables to replay pcap files
  10. shellCodes: send various shellcodes to the server on port 21/tcp to test the ability of the server to detect/reject shellcodes.
  11. testRules: basic rules testing. These attacks are supposed to be detected by the rules sets shipped with the IDS/IPS.
It is easily configurable and could integrate new modules in the future.
There are basically 5 types of tests:
  1. socket: open a socket on a given port and send the payloads to the remote target on that port.
  2. command: send command to the remote target with the subprocess.call() python function.
  3. scapy: send special crafted payloads based on the Scapy syntax
  4. client side attacks: use a reverse shell on the remote target and send commands to it to make them processed by the server (typically wget commands).
  5. pcap replay: enables to replay traffic based on pcap files

Architecture

Remote mode

In this mode, the IDS is plugged on the span port (or port mirroring) of the core switch and is configured in promiscuous mode. The IDS analyzes all traffic that goes through the core switch. Malicious files can be downloaded either by pytbull or by the server. This mode is called “remote”.

Local mode

In this mode, files are downloaded on the client pytbull is started from.

IDS mode with attacked server in DMZ

In this configuration, a firewall splits the network into 3 parts (lan, wan, dmz). The IDS is plugged in a span port (or port mirroring) of the switch with its interface configured in promiscuous mode. It will analyze every traffic that is sent to the LAN interface of the firewall.

IPS mode

In this configuration, a firewall splits the network into 3 parts (lan, wan, dmz). The IDS is plugged between pytbull and the firewall. To give the IDS a chance to detect the malicious files, pytbull has to download the infected files itself.

IPS mode with attacked server in DMZ

In this configuration, a firewall splits the network into 3 parts (lan, wan, dmz). The IDS is plugged between pytbull and the firewall. Malicious files have to be downloaded by pytbull directly to give the IDS a chance to detect them.

Usage

If you have selected the clientSideAttacks module (see configuration file section for more information), you will need to start the reverse shell on the server. Following command uses port 34567/tcp:

$ ./pytbull-server.py -p 34567

Since the files are downloaded in the current directory, you can create a pdf/ directory and start pytbull from the parent location:

$ mkdir pdf/
$ cd pdf/
$ ../pytbull-server.py -p 34567

Then start pytbull (on the client side). An example to start pytbull tests against 192.168.100.48, running Snort:

$ sudo ./pytbull -t 192.168.100.48

Notice that you will need to adapt (config.cfg) the port used by the reverse shell if you use the optional parameter -p on remote side.

Download pytbull

Original Post: http://www.kitploit.com/2016/06/pytbull-intrusion-detectionprevention.html

UBER HACKING: HOW WE FOUND OUT WHO YOU ARE, WHERE YOU ARE AND WHERE YOU WENT!

“WHAT CAN BE MORE EXCITING THAN BEING AUTHORIZED TO TEST ONE OF THE MOST HYPED COMPANIES IN 2016?”

Here at Integrity we love to be challenged, so whenever there is some free time, there is encouragement to do research or to break some things (http://labs.integrity.pt/advisories/) in addition to play foosball.

We (@r0t1v, @fjreis, @fabiopirespt) decided to use this time to jump into some bug bounties.

What is a bug bounty?

As stated in wikipedia:

A bug bounty program is a deal offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to exploits and vulnerabilities. These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse.

For our luck, Uber decided to open their bug bounty program to the public, and in Portugal, Uber was almost a daily issue in the news because of the taxi drivers, so we dove right into this program.

After a couple of hours, we found out two open redirects that we reported right away. This could be the start of something good (we thought), but both issues were already reported by other researchers.

At first it was a bit disappointing, but not giving up we doubled back and decided to implement some processes/methodologies.

The process / Methodology

In order to implement some kind of methodology, we went back to the Uber bug bounty program to check again their scope, which is far extensive as it can be seen below:

Information Gathering

To gather more information about Uber subdomains we started with a dns brute-force.

Example of subdomains retrieved with sublist3r

With all subdomains enumerated, all that was left to do was to use nmap and check for banners, page titles, page redirects as well as exploit-db and some blogs for known vulnerabilities.

For the mobile apps, jd-gui was used to read the java classes in order to map the mobile endpoints, later we also turned toMobSF.

API endpoints gathered with jd-gui

Now, judging from the information that we gathered, we felt that it was more than enough to start searching for some vulnerabilities.

Vulnerabilities

0×01 – Possibility to brute force promo codes in riders.uber.com

Uber has a feature that allows the usage of promotion codes. This codes can be given by other users or companies. The application riders.uber.com had this feature in the payment page, so after adding a new promotion code we grabbed the request and realised that the application didn’t had any kind of protection against brute-force attacks, which helped us to find many different promotion codes.

Promotions page form – without any promotion code applied

The image below illustrates our brute force attack. As stated before different codes were found and can be distinguished by their response.

Responses length:

  • 1951 – Valid code
  • 1931 – Not valid
  • 1921 – Code Expired

Example of brute-force attack

Uber also gives an option to customize promotion codes, and since all the default codes began with the word “uber”, it was possible to drop the time of the brute force considerably allowing us to find more than 1000 valid codes.

Initially this issue was not considered valid because the promotions codes are supposed to be public and be given by anyone. This was true until finding an $100 ERH (Emergency Ride Home) code which they (uber-sec team) had no knowledge about. This ERH codes work differently from all others since even if a promotion code is already applied this ones can still be added.

Vulnerable form with ERH code applied

DISCLOSURE TIMELINE

March 23, 2016 – Bug reported to Uber
March 23, 2016 – Uber’s team changed status to Informative
March 24, 2016 – We provided new information
March 24, 2016 – Uber’s team changed status to Triaged
April 19, 2016 – Uber’s team changed status to Resolved
May 2, 2016 – Uber rewarded us with a bounty.

0×02 – Possibility to get private email using UUID

As you can see in the picture below, inside Uber riders mobile application there is a “Help” section that allow users to send questions directly to support. Let’s be honest, many of us almost never use the “Help” or even know that it exists, but as pentesters we can’t say no to another form. (later we found that the Partners application had the same forms).

Help feature

After submitting a question, the server would reply with the message: “We’ve received your request and will be in touch as soon as possible via <my-email-address>”. Looking at this message we thought that maybe we could enumerate some user emails.

Request sending uuid instead of token

By looking at the request there are two places (the x-uber-uuid header and the uuid parameter) that  might allow us to get emails from other users if we change them for another valid UUID. We tried to change both, but unfortunately the server returned our email again. Although there is a token parameter also, our first approach was to fuzz a bit into this parameter but in the end we end up by changing it to another user UUID and something magic happened, the webserver returned the email address for that user.

Server replied with email associated to uuid

It’s a bit hard to say why a UUID has been interpreted as a valid token, but it is indeed.

Since the application wasn’t throttling our requests in this endpoint, we grabbed a small amount of UUIDs and with them we were able to get all the emails corresponding to those UUIDs. Now you’re probably asking: “how can you know UUIDs from other users?”, that’s what we will explain later.

DISCLOSURE TIMELINE

March 31, 2016 – Bug reported to Uber
March 31, 2016 – Uber’s team changed status to Triaged
April 11, 2016 – Uber’s team changed status to Resolved
April 13, 2016 – Uber rewarded us with a bounty.

0×03 – Enumerating UserIDs with phone numbers (duplicated)

When looking for vulnerabilities we always try to find all of the application/webapp features, especially those that aren’t easily found or used. With this in mind, we decided to get our phones, computers and called for a Uber and so we did. During our trip we intercepted all the requests and one of those requests caught our attention.

Request inviting to split the fare

This request happens when an user tries to split his fare with others. To invite someone to split the fare, the user needs to add a phone number from his contact list.

The problem here is that the response is leaking too much information such as driver UUID, invitees UUIDs and the invitees picture, even before they accepting the fare split.

You can see the app leaking the information in the pictures below:

Response leaking information about invited user [1/2]Response leaking information about invited user [2/2]

Remember before when we told you that we would explain how we got a list of UUIDs? This is how!

Now, joining this vulnerability with the previous one we could get anyones email address that was associated to the phone number.

Unfortunately, after reporting this issue, it was marked as duplicated.

DISCLOSURE TIMELINE

April 6, 2016 – Bug reported to Uber
April 7, 2016 – Uber’s team changed status to Needs more info
April 7, 2016 – We provided new information
April 7, 2016 – Uber’s team changed status to Duplicate

0×04 – Use Partner/Driver App Without Being Activated (duplicated)

Every user is able to create a driver account but it remains not activated until Uber verify all your driver documents.

After started to test the Partner/Driver app, we realized that you can only enter in the mobile app after the activation process.

“Driver account not activated” response

Looking on the request of the response above, you can see a parameter called allowNotActivated and his value wasfalse.

Request with new value on “allowNotActivated” parameter

By manipulating the login request and changing the parameter allowNotActivated to true, it was possible to obtain a valid session token. So at least, it means that the server create a valid token even when the account was not activated.

New token created

As you can see on the response, there is a field called isActivated setted to false. Changing this to true allowed us to get into the app.

Interface of Partners mobile application

Now we got a couple of new features to test.

DISCLOSURE TIMELINE

March 31, 2016 – Bug reported to Uber
March 31, 2016 – Uber’s team changed status to Needs more info.
March 31, 2016 – We provided new information
April 7, 2016 – Uber’s team changed status to Duplicated

0×05 – Possible to View Driver Waybill via Driver UUID

Using the previous vulnerability we were able to test a new functionality called waybill. By crafting the request that the app sends, we notice that it has a broken access control vulnerability that allowed us to see the last trip from every driver, by only knowing his uuid.

Request for waybill of other driver

To get a driver UUID you can, for example, request a random car, let the driver accept the trip and after this you cancel it. In the meanwhile you are able to capture the driver UUID.

In the response of this request, we were able to get the driver name, license plate, last tripUUID, last passenger name, number of passengers, the origin and destination of the trip.

Detailed response of driver’s waybill

Notice the TRIP # in this response? To get the full path of the trip, we ended up discovering a new functionality that returns the full path of the trip, the driver nameclient name, license plate and even the car model.

This functionatility  could not be detailed in this moment, but as soon as we are authorized, we will talk about it.

Full path of the trip

DISCLOSURE TIMELINE

March 31, 2016 – Bug reported to Uber
April 1, 2016 – Uber’s team changed status to Triaged
April 13, 2016 – Uber’s team changed status to Resolved
April 18, 2016 – Uber rewarded us with a bounty.

0×06 – Information regarding trips from other users

Remember the vulnerability 0×03 where we found out that by changing the token by a UUID we could impersonate another user?

Requesting trips associated to uuid (in the token)

The request above allow an user to view the trips made by himself. Notice that in the request there is any session headers or session cookies. All the **session** details are sent via GET parameters.

By changing the highlighted uuid and maintaining the original token, the server return a 403 unauthorized access. If we change the UUID and the token for the UUID of the user that you want to see the trips, we get a bunch of new information

This was the response when asking for trips by sending the same value in UUID and TOKEN fields.

List of trips associated to the UUID

As it can be seen we were able to get the date of the trip, driver name and picture, the id and cost of the trip and the map of where he have been.

The response above only demonstrate one single trip, but the full response gives us all the trips made by the user.

DISCLOSURE TIMELINE

March 31, 2016 – Bug reported to Uber
March 31, 2016 – Uber’s team changed status to Triaged
April 5, 2016 – Uber’s team changed status to Resolved
April 13, 2016 – Uber rewarded us with a bounty.

What about profits?

DUPLICATED VULNERABILITIES

# Vulnerability Reported at
1 Open Redirect in trip.uber.com 23/03/2016
2 Open Redirect in riders.uber.com 23/03/2016
3 Possibility to enumerate users via getrush.uber.com and bruteforce login via iOS app to get a valid account 26/03/2016
4 Possibility to download beta app as admin (Riders app IOS) 30/03/2016
5 Use Partner/Driver App Without Being Activated 31/03/2016
6 Enumerating userIDs with phone numbers 06/04/2016

TRIAGED/CLOSED VULNERABILITIES

# Vulnerability Reported at Bounty
1 Possibility to brute force invite codes in riders.uber.com 23/03/2016 Paid
2 To be disclosed 24/03/2016 Waiting..
3 To be disclosed 25/03/2016 Waiting..
4 Possible to View Driver Waybill via Driver UUID 31/03/2016 Paid
5 Possibility to get private email using UUID 31/03/2016 Paid
6 Information regarding trips from other users 31/03/2016 Paid
7 To be disclosed 07/04/2016 Waiting..
8 To be disclosed 13/04/2016 Waiting..

Conclusion

This was our first bug bounty program that we really dedicated some time, and we think it had a positive outcome. At the beginning we weren’t too confident with this program because a lot of people had already tested Uber in the private program, but after some time and when we started to find some good vulnerabilities it gave us the drive to continue and see where it could lead us.

For the people who are starting the bug bounty programs, our advice is: never give up or be afraid if it is a big company, just have fun and try to learn as much as possible along the way and in time the profits will come.

As a final note to our article, we want to say that Uber should provide testing accounts to bug hunters. During our tests we did have our accounts being locked due to the nature of our tests and to unlock them, it was a bit of a nightmare. At that moment we tried to talk with Uber support team and they didn’t helped much, so the only thing to do was to try to talk with the security team directly. In this case we have to say that they did help, and much! (A big thank you to all of them).

With this being said, we think that Uber has one of the best bug bounty programs, with great payouts.

From a pentester’s view, the security team takes this program very seriously by trying to resolve all the issues as fast as they can.

Original Post: https://labs.integrity.pt/articles/uber-hacking-how-we-found-out-who-you-are-where-you-are-and-where-you-went/

Faraday v1.0.20 – Pen Test Environment (IPE)

logo_faraday

Faraday v1.0.20 – Pen Test Environment (IPE)

Faraday introduces a new concept (IPE) Integrated Penetration-Test Environment

a multiuser Penetration test IDE. Designed for distribution, indexation and analysis of the generated data during the process of a security audit.

The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way.

Design for simplicity, users should feel no difference between their own terminal application and the one included in Faraday. Developed with a specialized set of functionalities that help users improve their own work. Do you remember yourself programming without an IDE? Well, Faraday does the same an IDE does for you when programming, but from the perspective of a penetration test.

screenshot_faraday

 

A brand new Faraday version is ready! Faraday v1.0.20 is here, bringing more functionality to our GTK interface and other cool new features.
Changelog v1.0.20

  • Fixed bugs in plugins: Acunetix – Nmap – Nikto
  • Removed description from Hosts list in web UI
  • Fixed sort in Hosts list in web UI
  • Fixed ports sorting in Host view in web UI
  • Added search link for OS in Hosts list in web UI
  • Removed description from Services list in web UI
  • Added version to Services list in web UI
  • Modified false values in Hosts list in web UI
  • Added search links in Services list in web UI
  • Added scrollbar in Gtk Terminal
  • Added workspace status in Gtk interface
  • Added conflict resolution support for the Gtk interface
  • Added search entry for workspaces in Gtk
  • Added support for ‘exit’ command inside Faraday’s Gtk terminal
  • Improved handling of uncaught exceptions in Gtk interface
  • Improved text formatting in Gtk’s log console
  • Fixed several small bugs in Faraday GTK
  • Added support for resize workspace bar
  • Added a quote for imported reports in web UI
  • Added support for a new type of report in Qualysguard plugin

Full Changelog: here

How To Find Wi-Fi Password Using CMD Of All Connected Networks

 

wifi-password-in-cmd
It is very easy to find WiFi password using few cmd commands. This command works even when you are offline or you are connected to some other WiFi network. Using this command, we can further optimize our particular WiFi network like turning on some features such as mac randomization, changing the radio type of your WiFi etc.

Whenever we connect to a WiFi network and enter the password to connect to that network, we actually make a WLAN profile of that WiFi network. That profile is stored inside our computer along with the other required details of the WiFi profile.

Instead of using a GUI to find the individual passwords, we can also look for the WiFi password of that particular WiFi network using cmd.These steps work even when you are totally offline or you are not connected to the particular wifi you are looking the password for.

How to know the WiFi password using cmd:

  • Open the command prompt and run it as administrator.

command-prompt-run-as-administrator-300x252@2x.jpg

  • In the next step, we want to know about all the profiles that are stored in our computer. So, type the following command in the cmd:

netsh wlan show profile

This command will list out all the WiFi profiles that you have ever connected to.

netsh-wlan-show-profile-300x176@2x

In the above picture, I have intentionally blurred some of my WiFi networks’ name. As you can see, there are eight WiFi networks that I connect to. So, let’s go and find out the password for the WiFi ‘NETGEAR50’ in this case which I created intentionally for this article.

Want to learn Wi-Fi hacking? Get started here.

  • Type the following command to see the password of any WiFi network:

netsh wlan show profile WiFi-name key=clear

netsh-wlan-show-profile-wifi-name-keyclear-300x186@2x

  • Under the security settings, in the ‘key content’, you see the WiFi password of that particular network.

Besides knowing the password, you can also use this result to further optimize your WiFi. For example, Under the profile information, you can see mac randomization is disabled. You can turn on mac randomization feature to avoid your location tracking based on the device’s MAC address.

Here is how to turn on mac randomization on Windows 10:

  • Go to settings and click on ‘Network & internet’
  • Choose the ‘WiFi’ in the left pane and click on the advanced option.

Advanced-option-wifi-settings-300x192@2x.jpg

  • Turn on the ‘Random Hardware Address’ feature under this settings. If your wireless hardware does not support this feature, the “Random Hardware Addresses” section will not show up at all in the settings app.
  • Once you have turned this on, you are done.

Also, under the connectivity settings, in radio type, you can see the whole list. Channel interference could be another reason for a slow WiFi. So, next time, you might also like to change the radio type settings for a better speed.

As far as radio type is concerned, you can also change that in your router for a better connection or connectivity. For this purpose, we have a dedicated article on to increase WiFi speed by choosing correct WiFi channel.

Original Post: http://fossbytes.com/find-wifi-password-connected-networks-cmd-windows/

ESET releases new decryptor for TeslaCrypt ransomware

decryptor-teslacrypt-623x426

Have you been infected by one of the new variants (v3 or v4) of the notorious ransomware TeslaCrypt? If your encrypted files had the extensions .xxx, .ttt, .micro, .mp3 or were left unchanged, then ESET has good news for you: we have a decryptor for TeslaCrypt.

We have been covering this malware for a few months now, sometimes along with Locky or beingspread by Nemucod. Recently, TeslaCrypt’s operators announced that they are wrapping up their malevolent activities:

teslacrypt_closed-1024x204

On this occasion, one of ESET’s analysts contacted the group anonymously, using the official support channel offered to the ransomware victims by the TeslaCrypt’s operators, and requested the universal master decryption key.

Surprisingly, they made it public.

This allowed ESET to create a free decrypting tool promptly, which is able to unlock files affected by all variants of this ransomware. For instructions on how to use the decryptor, please visit the ESET Knowledgebase website.

TeslaCryptDecryptor

We must stress that ransomware remains one of the most dangerous computer threats at this moment, and prevention is essential to keep users safe. Therefore, they should keep operating systems and software updated, use reliable security solutions with multiple layers of protection, and regularly back up all important and valuable data at an offline location (such as external storage).

We also advise all users to be very careful when clicking on links or files in their email or browsers. This is particularly true when messages are received from unknown sources or otherwise look suspicious.

For more information about how to protect yourself against these and other ransomware threats, please check this: 11 things you can do to protect against ransomware.

Original Post: http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/

Create a free website or blog at WordPress.com.

Up ↑

Follow

Get every new post delivered to your Inbox.