Awesome Malware Analysis

A curated list of awesome malware analysis tools and resources. Inspired by awesome-python and awesome-php.


Malware Collection

Anonymizers

Web traffic anonymizers for analysts.

  • Anonymouse.org – A free, web based anonymizer.
  • OpenVPN – VPN software and hosting solutions.
  • Privoxy – An open source proxy server with some privacy features.
  • Tor – The Onion Router, for browsing the web without leaving traces of the client IP.

Honeypots

Trap and collect your own samples.

  • Conpot – ICS/SCADA honeypot.
  • Dionaea – Honeypot designed to trap malware.
  • Glastopf – Web application honeypot.
  • Honeyd – Create a virtual honeynet.
  • HoneyDrive – Honeypot bundle Linux distro.
  • Kippo – Medium interaction SSH honeypot.
  • Mnemosyne – A normalizer for honeypot data; supports Dionaea.
  • Thug – Low interaction honeyclient, for investigating malicious websites.

Malware Corpora

Malware samples collected for analysis.

  • Clean MX – Realtime database of malware and malicious domains.
  • Contagio – A collection of recent malware samples and analyses.
  • Exploit Database – Exploit and shellcode samples.
  • Malshare – Large repository of malware actively scraped from malicious sites.
  • maltrieve – Retrieve malware samples directly from a number of online sources.
  • MalwareDB – Malware samples repository.
  • theZoo – Live malware samples for analysts.
  • ViruSign – Malware database of samples detected by many anti-malware programs except ClamAV.
  • VirusShare – Malware repository, registration required.
  • Zeltser’s Sources – A list of malware sample sources put together by Lenny Zeltser.
  • Zeus Source Code – Source for the Zeus trojan leaked in 2011.

Open Source Threat Intelligence

Tools

Harvest and analyze IOCs.

  • Combine – Tool to gather Threat Intelligence indicators from publicly available sources.
  • IntelMQ – A tool for CERTs for processing incident data using a message queue.
  • IOC Editor – A free editor for XML IOC files, from Mandiant.
  • ioc_writer – Python library for working with OpenIOC objects, from Mandiant.
  • Massive Octo Spice – Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
  • MISP – Malware Information Sharing Platform curated by The MISP Project.
  • PassiveTotal – Research, connect, tag and share IPs and domains.
  • threataggregator – Aggregates security threats from a number of sources, including some of those listed below in other resources.
  • ThreatCrowd – A search engine for threats, with graphical visualization.
  • TIQ-test – Data visualization and statistical analysis of Threat Intelligence feeds.

Other Resources

Threat intelligence and IOC resources.

Detection and Classification

Antivirus and other malware identification tools

  • AnalyzePE – Wrapper for a variety of tools for reporting on Windows PE files.
  • chkrootkit – Local Linux rootkit detection.
  • ClamAV – Open source antivirus engine.
  • ExifTool – Read, write and edit file metadata.
  • hashdeep – Compute digest hashes with a variety of algorithms.
  • Loki – Host based scanner for IOCs.
  • MASTIFF – Static analysis framework.
  • MultiScanner – Modular file scanning/analysis framework.
  • nsrllookup – A tool for looking up hashes in NIST’s National Software Reference Library database.
  • packerid – A cross-platform Python alternative to PEiD.
  • PEiD – Packer identifier for Windows binaries.
  • PEV – A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.
  • Rootkit Hunter – Detect Linux rootkits.
  • ssdeep – Compute fuzzy hashes.
  • totalhash.py – Python script for easy searching of the TotalHash.com database.
  • TrID – File identifier.
  • YARA – Pattern matching tool for analysts.
  • Yara rules generator – Generate yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives.

Online Scanners and Sandboxes

Web-based multi-AV scanners, and malware sandboxes for automated analysis.

  • Anubis – Malware Analysis for Unknown Binaries and Site Check.
  • AVCaesar – Malware.lu online scanner and malware repository.
  • Cryptam – Analyze suspicious office documents.
  • Cuckoo Sandbox – Open source, self hosted sandbox and automated analysis system.
  • cuckoo-modified – Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author.
  • DRAKVUF – Dynamic malware analysis system.
  • Hybrid Analysis – Online malware analysis tool, powered by VxSandbox.
  • IRMA – An asynchronous and customizable analysis platform for suspicious files.
  • Jotti – Free online multi-AV scanner.
  • Malheur – Automatic sandboxed analysis of malware behavior.
  • Malwr – Free analysis with an online Cuckoo Sandbox instance.
  • MASTIFF Online – Online static analysis of malware.
  • Metascan Online – Free file scanning with multiple antivirus engines.
  • Noriben – Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
  • PDF Examiner – Analyse suspicious PDF files.
  • Recomposer – A helper script for safely uploading binaries to sandbox sites.
  • VirusTotal – Free online analysis of malware samples and URLs.
  • Zeltser’s List – Free automated sandboxes and services, compiled by Lenny Zeltser.

Domain Analysis

Inspect domains and IP addresses.

  • Desenmascara.me – One click tool to retrieve as much metadata as possible for a website and to assess its good standing.
  • Dig – Free online dig and other network tools.
  • IPinfo – Gather information about an IP or domain by searching online resources.
  • SenderBase – Search for IP, domain or network owner.
  • SpamCop – IP based spam block list.
  • SpamHaus – Block list based on domains and IPs.
  • Sucuri SiteCheck – Free Website Malware and Security Scanner.
  • TekDefense Automator – OSINT tool for gathering information about URLs, IPs, or hashes.
  • Whois – DomainTools free online whois search.
  • Zeltser’s List – Free online tools for researching malicious websites, compiled by Lenny Zeltser.

Browser Malware

Analyze malicious URLs. See also the domain analysis and documents and shellcode sections.

  • Firebug – Firefox extension for web development.
  • Java Decompiler – Decompile and inspect Java apps.
  • Java IDX Parser – Parses Java IDX cache files.
  • JSDetox – JavaScript malware analysis tool.
  • jsunpack-n – A javascript unpacker that emulates browser functionality.
  • Malzilla – Analyze malicious web pages.
  • RABCDAsm – A “Robust ActionScript Bytecode Disassembler.”
  • swftools – Tools for working with Adobe Flash files.
  • xxxswf – A Python script for analyzing Flash files.

Documents and Shellcode

Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malware section.

  • AnalyzePDF – A tool for analyzing PDFs and attempting to determine whether they are malicious.
  • diStorm – Disassembler for analyzing malicious shellcode.
  • JS Beautifier – JavaScript unpacking and deobfuscation.
  • libemu – Library and tools for x86 shellcode emulation.
  • malpdfobj – Deconstruct malicious PDFs into a JSON representation.
  • OfficeMalScanner – Scan for malicious traces in MS Office documents.
  • olevba – A script for parsing OLE and OpenXML documents and extracting useful information.
  • Origami PDF – A tool for analyzing malicious PDFs, and more.
  • PDF Tools – pdfid, pdf-parser, and more from Didier Stevens.
  • PDF X-Ray Lite – A PDF analysis tool, the backend-free version of PDF X-RAY.
  • peepdf – Python tool for exploring possibly malicious PDFs.
  • Spidermonkey – Mozilla’s JavaScript engine, for debugging malicious JS.

File Carving

For extracting files from inside disk and memory images.

  • bulk_extractor – Fast file carving tool.
  • EVTXtract – Carve Windows Event Log files from raw binary data.
  • Foremost – File carving tool designed by the US Air Force.
  • Hachoir – A collection of Python libraries for dealing with binary files.
  • Scalpel – Another data carving tool.

Deobfuscation

Reverse XOR and other code obfuscation methods.

  • Balbuzard – A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
  • de4dot – .NET deobfuscator and unpacker.
  • ex_pe_xor & iheartxor – Two tools from Alexander Hanel for working with single-byte XOR encoded files.
  • NoMoreXOR – Guess a 256 byte XOR key using frequency analysis.
  • unxor – Guess XOR keys using known-plaintext attacks.
  • XORBruteForcer – A Python script for brute forcing single-byte XOR keys.
  • XORSearch & XORStrings – A couple of programs from Didier Stevens for finding XORed data.
  • xortool – Guess XOR key length, as well as the key itself.

Debugging and Reverse Engineering

Disassemblers, debuggers, and other static and dynamic analysis tools.

  • Bokken – GUI for Pyew and Radare.
  • dnSpy – .NET assembly editor, decompiler and debugger.
  • Evan’s Debugger (EDB) – A modular debugger with a Qt GUI.
  • GDB – The GNU debugger.
  • hackers-grep – A utility to search for strings in PE executables including imports, exports, and debug symbols.
  • IDA Pro – Windows disassembler and debugger, with a free evaluation version.
  • Immunity Debugger – Debugger for malware analysis and more, with a Python API.
  • ltrace – Dynamic analysis for Linux executables.
  • objdump – Part of GNU binutils, for static analysis of Linux binaries.
  • OllyDbg – An assembly-level debugger for Windows executables.
  • pestudio – Perform static analysis of Windows executables.
  • Process Monitor – Advanced monitoring tool for Windows programs.
  • Pyew – Python tool for malware analysis.
  • Radare2 – Reverse engineering framework, with debugger support.
  • strace – Dynamic analysis for Linux executables.
  • Udis86 – Disassembler library and tool for x86 and x86_64.
  • Vivisect – Python tool for malware analysis.

Network

Analyze network interactions.

  • Bro – Protocol analyzer that operates at incredible scale; both file and network protocols.
  • CapTipper – Malicious HTTP traffic explorer.
  • chopshop – Protocol analysis and decoding framework.
  • Fiddler – Intercepting web proxy designed for “web debugging.”
  • Hale – Botnet C&C monitor.
  • INetSim – Network service emulation, useful when building a malware lab.
  • Malcom – Malware Communications Analyzer.
  • mitmproxy – Intercept network traffic on the fly.
  • Moloch – IPv4 traffic capturing, indexing and database system.
  • NetworkMiner – Network forensic analysis tool, with a free version.
  • ngrep – Search through network traffic like grep.
  • Tcpdump – Collect network traffic.
  • tcpick – Track and reassemble TCP streams from network traffic.
  • tcpxtract – Extract files from network traffic.
  • Wireshark – The network traffic analysis tool.

Memory Forensics

Tools for dissecting malware in memory images or running systems.

  • DAMM – Differential Analysis of Malware in Memory, built on Volatility.
  • FindAES – Find AES encryption keys in memory.
  • Muninn – A script to automate portions of analysis using Volatility, and create a readable report.
  • Rekall – Memory analysis framework, forked from Volatility in 2013.
  • TotalRecall – Script based on Volatility for automating various malware analysis tasks.
  • VolDiff – Run Volatility on memory images before and after malware execution, and report changes.
  • Volatility – Advanced memory forensics framework.
  • WinDbg – Live memory inspection and kernel debugging for Windows systems.

Windows Artifacts

  • AChoir – A live incident response script for gathering Windows artifacts.
  • python-evt – Python library for parsing Windows Event Logs.
  • python-registry – Python library for parsing registry files.
  • RegRipper (GitHub) – Plugin-based registry analysis tool.

Storage and Workflow

  • Aleph – OpenSource Malware Analysis Pipeline System.
  • CRITs – Collaborative Research Into Threats, a malware and threat repository.
  • Malwarehouse – Store, tag, and search malware.
  • MISP – Malware Information Sharing Platform curated by The MISP Project.
  • Viper – A binary management and analysis framework for analysts and researchers.

Miscellaneous

  • DC3-MWCP – The Defense Cyber Crime Center’s Malware Configuration Parser framework.
  • Pafish – Paranoid Fish, a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.
  • REMnux – Linux distribution and docker images for malware reverse engineering and analysis.
  • Santoku Linux – Linux distribution for mobile forensics, malware analysis, and security.

Resources

Books

Essential malware analysis reading material.

Twitter

Some relevant Twitter accounts.

Other

Related Awesome Lists

Contributing

Pull requests and issues with suggestions are welcome!

Thanks

This list was made possible by:

  • Lenny Zeltser and other contributors for developing REMnux, where I found many of the tools in this list;
  • Michael Hale Ligh, Steven Adair, Blake Hartstein, and Matthew Richard for writing the Malware Analyst’s Cookbook, which was a big inspiration for creating the list;
  • And everyone else who has sent pull requests or suggested links to add here!

Thanks!

Original Post: https://github.com/rshipp/awesome-malware-analysis

peinjector – MITM PE File Injector

peinjector is a MITM PE file injector. The tool provides different ways to infect Windows executable files (PE COFF) with custom payloads without changing their original functionality. It creates patches, which are then applied seamlessly during file transfer. It is very performant, lightweight and modular, and can be operated on embedded hardware.

Features

  • Full x86 and x64 PE file support.
  • Open Source
  • Fully working on Windows and Linux, including automated installation scripts.
  • Can be operated on embedded hardware, tested on a Raspberry Pi 2.
  • On Linux, all servers are automatically integrated as a service; no manual configuration required.
  • Plain C, no external libraries required (peinjector).
  • MITM integration is available in C, Python and Java. A sample Python MITM implementation is included.
  • Foolproof, mobile-ready web interface. Anyone who can configure a home router can configure the injector server.
  • Easy to use integrated shellcode factory, including reverse shells, or meterpreter.

How it Works

peinjector contains the following:

  • libpefile – Provides PE file parsing, modification and reassembling capabilities, based on PE COFF specification. Also works with many non-compliant and deliberately malformed files which the Windows Loader accepts.
  • libpetool – Provides more complex modifications (adding/resizing sections). Keeps header values PE COFF compliant.
  • libpeinfect – Provides different infection methods and removes integrity checks, certificates, etc. It can fully infect a file (statically, e.g. from disk) or generate a patch for MITM infection (connectors which work with these patches are available in C, Python and Java). The infected file keeps its original functionality.

Servers

  • peinjector – Provides PE file patching as a service. Just send the raw header of your PE file and you’ll receive a custom-made patch for it. Can be remotely controlled via a command protocol.
  • peinjector-control – Web interface to configure and control a peinjector server. A small shellcode factory with some basic shellcodes, automatic encryption/obfuscation and thread generation is provided – alternatively, custom shellcode can be injected.
  • peinjector-interceptor – Sample MITM integration. Based on Python and libmproxy, supports SSL interception, can act as transparent Proxy, HTTP Proxy, … . Provides seamless PE patching capabilities.
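As an added defender-side example (not part of peinjector or its documentation): the libpeinfect description above says that a patched file has its integrity checks and certificates removed, so a triage script that parses a PE's headers with `struct` alone, recomputes the PE CheckSum and reports whether the Authenticode security directory is present can flag files that arrived over an untrusted channel with those markers stripped. The sample image is a minimal headers-only PE32 constructed inline; the `build_sample_pe` helper and the data-directory values in it are my assumptions.

```python
"""Integrity-marker check for a PE file (added defender-side example, not
part of peinjector).  Parses the headers with struct only, recomputes the
PE CheckSum and reports whether the Authenticode security directory is
present.  build_sample_pe() constructs a minimal headers-only PE32 image
for the demonstration; its directory values are made up."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # index of the certificate table
OPTIONAL_HEADER_CHECKSUM_OFFSET = 0x40      # same for PE32 and PE32+


def pe_checksum(data, checksum_offset):
    """CheckSum as computed by imagehlp MapFileAndCheckSum: a 32-bit sum
    with carry folding, skipping the CheckSum field itself, folded to
    16 bits and added to the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def inspect_pe(data):
    """Return the integrity indicators a MITM patcher is likely to disturb."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    opt = e_lfanew + 4 + 20                     # after IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    pe32plus = magic == 0x20B
    checksum_off = opt + OPTIONAL_HEADER_CHECKSUM_OFFSET
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    dirs = opt + (0x70 if pe32plus else 0x60)   # DataDirectory array
    _, sec_size = struct.unpack_from(
        "<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {
        "checksum_present": stored != 0,
        "checksum_valid": stored == pe_checksum(data, checksum_off),
        "has_security_directory": sec_size != 0,
    }


def build_sample_pe(with_checksum=True, signed=True):
    """Constructed minimal PE32 (headers only, no sections) for testing."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)       # e_lfanew -> NT headers
    # Machine=i386, 0 sections, SizeOfOptionalHeader=224, EXECUTABLE|32BIT
    file_header = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 0x5C, 16)       # NumberOfRvaAndSizes
    if signed:
        # Made-up certificate table entry (offset, size); in a real file it
        # points at a WIN_CERTIFICATE blob appended after the sections.
        struct.pack_into("<II", opt, 0x60 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         0x400, 0x800)
    data = bytes(dos) + b"PE\0\0" + file_header + bytes(opt)
    if with_checksum:
        off = 64 + 24 + OPTIONAL_HEADER_CHECKSUM_OFFSET
        data = data[:off] + struct.pack("<I", pe_checksum(data, off)) + data[off + 4:]
    return data


if __name__ == "__main__":
    print(inspect_pe(build_sample_pe()))
    print(inspect_pe(build_sample_pe(with_checksum=False, signed=False)))
```

A zero or mismatched CheckSum and a missing security directory are common in legitimate unsigned builds too, so treat the result as a triage signal to combine with a hash comparison against a known-good copy.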

You can download peinjector here:

peinjector-1.0.1.zip

Or read more here.

Original Post: http://www.darknet.org.uk/2015/09/peinjector-mitm-pe-file-injector/

“seL4” is an Unhackable Kernel for Keeping All Computers Safe From Cyberattack

Short Bytes: The Australian national research agency Data61 has developed an unhackable kernel named seL4 and proved its unhackable property mathematically. The kernel does this by separating critical systems and data from the kernel.

Today, the threat of cyber attacks isn’t limited to computers and smartphones. With the ever-increasing presence of computers and electronics in our lives, ranging from home automation systems to cars, everything has become a hacker’s target. This could also create problems on the battlefield, where software plays an important role in military and intelligence systems. Recently, in a DARPA drill, hackers were given complete access to the computer of a Boeing Little Bird helicopter, but they were unable to disrupt the helicopter’s critical systems. How did this happen? The computer in the helicopter was running a new operating system, based on an unhackable kernel.

The kernel is the heart of any computer’s operating system, and if hackers can access it, they can do irreparable damage to your system. Here I’m talking about a very dangerous situation where the security of power station systems, heart pacemakers, vehicles, weapons etc. could be compromised. The Australian national research agency Data61 has developed an unhackable kernel named seL4, and proved this mathematically.

Gernot Heiser from Data61 writes, “My hope is that in 10 years’ time, anything that is security critical is running on our system or some other one built on the principles we’ve established.”

The seL4 unhackable kernel has some very secure characteristics. It can only do what it’s designed to do, and its code cannot be altered without permission. Along similar lines, its memory and data can’t be read without permission. Another interesting fact: an earlier version of seL4, known as OKL4, can be found in millions of smartphones.

The seL4 unhackable kernel works by isolating the data and the kernel. It can also be used to run two operating systems simultaneously to stop hacking.

The seL4 unhackable kernel could also be used in multiple situations like medical equipment, manufacturing plants, automobiles, satellites and more.

Watch the video below to know about the basics of a kernel:

With inputs from New Scientist

Original Post: http://fossbytes.com/sel4-is-an-unhackable-kernel-for-keeping-all-computers-safe-from-cyberattack/

Weird Security Term of the Week: “Exfiltration”

The Problem: Your organization is on track for one of the best years in its history, with many of its projects nearing completion, the first of which is scheduled to be announced next week. All of your data is stored on-site and only authorized users are granted access. Suddenly, however, a press release comes out from your main rival organization saying that they just completed their own project, and that the results are identical to what your organization was going to announce. Security has ruled out an externally-sourced breach, so that leaves a source inside the organization.

“Exfiltration” is the act of getting something out. The mirror of ‘infiltration’ (breaking in to a secure location), exfiltration means that you have already gained access to what you want; you just need to be able to leave with it. Exfiltration revolves around using known techniques to get data out of a secure area as if it were anything else, like sneaking financial documents out with the garbage. The more restrictions in place, the more difficult unauthorized use and transmission of this data becomes.

The solution: There are a number of ways to attempt to block exfiltration; the tricky part is balancing hardened security measures against ease of use for regular users.

Solution the First:  Block USB Ports

See Also ‘Disable USB Mass Storage through GP…‘:

When it comes to getting data easily in and out, removable media is at the top of the list for most people. USB drives have made it extremely easy to transfer huge amounts of files quickly and painlessly from system to system. The problem in this case is that the transfer may not be authorized, and in most cases cannot be tracked unless the security on your network has already been set up to do so. While blocking access to thumb drives may cause an uproar among the user base, it is still one of the easiest and most cost-effective measures for stopping data from leaving the facility.

Solution the Second:  Block Non-standard traffic


Image Provided by ‘Any/Any/Deny Security Rule Changes Default Behavior’

If your organization does not use FTP, is there a reason to keep that port open? What about SSH or other protocols? When these ports are not part of day-to-day operations but are left open, they present a hazard through unauthorized use. Therefore, configuring your firewall in a ‘white-list’ mode that allows only what the organization needs to use (and blocks everything else) can greatly improve overall security, and thus prevent data from leaving through unusual channels.

Solution the Third:  Visitor Escorts

In many organizations, once a visitor gets through the front door, they have free rein to go where they please. If they are wearing a suit, holding a clipboard, act like they know where they’re going, or seem to be in a hurry, a lot of the time the perceived attitude is “don’t interrupt me, I don’t have time for this”. The same goes for package deliveries: people may look like they’re trying to find a specific office or desk, but have actually been roaming around freely for half an hour or more. When a visitor has somebody with them, they are far more likely to get where they need to go quickly and exit the building as soon as they are done. They also have fewer chances to get lost or to observe things that the organization may not wish them to see.

Honorable Mention: Digital Loss Prevention (DLP)

Exfiltration is the last step that can be blocked before a full-on breach. It’s far easier to deal with somebody who has been caught with their hand in the cookie jar than with somebody who has already gotten away with the goodies. Blocking exfiltration requires a great deal of proactive measures, but everything required to do so helps other aspects of security as well, making the overall environment that much safer.

Original Post: http://blog.lifars.com/2015/09/18/weird-security-term-of-the-week-exfiltration/

Attacks over DNS

DNS is a naming system used for all devices connected to the Internet or a network. Domain names are easier for users to remember than IP addresses. DNS is the method by which domain names are translated into IP (Internet Protocol) addresses, and it does these conversions transparently in the background. DNS acts as the Internet’s directory service, associating a domain name with each IP address. Information from domain name servers across the Internet is gathered and stored in a central registry. For example, when a user searches for a website with the domain name http://www.examplesite.com, the computer does not yet know whether the domain name exists; the name is converted to the respective IP address and the site at that location is loaded.

DNS is a protocol that sets standards for exchanging information on the Internet and private networks. DNS is a kind of navigation, like GPS for computers. When a new domain name is registered or updated in a DNS server, it takes about 12-36 hours for all DNS servers to be updated and gain access to the information; this time period is referred to as propagation. DNS servers are present in every geographic area through each ISP (Internet service provider); they map domain names for your computer’s requests and forward requests to other servers.

Domain names in DNS are separated by dots. The last word in a domain name is called the top-level domain. The word at the left-most end is known as the host name; it identifies a particular host used for a specific purpose. The words or characters between the dots are known as labels. A domain name must be unique, so registration is controlled by an authority called a registry, which operates under ICANN. The domain name hierarchy is organised as a tree of nodes.

How Does DNS Work?

A DNS server or name server is the management device containing a large database that connects domain names to IP addresses. This process of mapping is called DNS name resolution. DNS servers rely on Internet protocols and on the efficiency of the network. DNS resolution can be explained as a step-by-step process.

  • Name Entry: The domain name of the site is entered in the browser or search engine. A query is then created to access the DNS.
  • Requesting Information: The first place the computer looks is its DNS cache, where recently retrieved information is stored. If the name is not found there, a DNS query is performed.
  • Recursive DNS servers: If the information is not stored locally, the computer queries the ISP’s recursive DNS servers. Since the recursive servers have their own caches, the information is returned to the user’s computer if it is found there.
  • Root Name Servers: After an unsuccessful recursive DNS server cache lookup, the query goes to the root name servers. The root acts like a telephone switchboard for the DNS: it answers questions about domain names and, if it cannot answer the query itself, directs it to another server.
  • TLD Name Servers: The root name servers take the last part of the request and direct the query to the TLD (top-level domain) name servers. Even if the TLD name servers do not have the information we need, they refer us directly to the name servers that contain it.
  • Authoritative DNS servers: The TLD name servers check the next part of the request and direct the query to the name servers responsible for this particular domain. Authoritative name servers are the servers that hold the information about each specific domain. This information is stored in DNS records, and each record type holds a different kind of information.
  • Retrieval of Record: The recursive server retrieves the record from the authoritative name servers and stores it in its local cache. The advantage is that if someone needs the same information again, the whole process does not have to be repeated. Periodically, the recursive server asks for a fresh copy so that its information does not go out of date.

Figure 1: Working of DNS

  • Receiving Answer: The computer receives the record from the recursive server and stores it in its own cache for future reference. The IP address is read and passed to the web browser, which opens a connection to the web server and retrieves the website.

The entire process from start to finish takes only a few milliseconds.
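The step-by-step resolution above, as an added example that is not part of the original article: a small Python simulation in which the root, TLD and authoritative servers are in-memory tables I constructed, the recursive resolver caches answers for their TTL, and the client keeps its own cache in front of it. It performs no network I/O; the zone data, the `trace` attribute and the injectable clock are assumptions made for the demonstration.

```python
"""Simulation of the DNS resolution steps above (added example, not from
the original article).  Every "server" is an in-memory table constructed
for the demonstration; no network traffic is generated."""
import time

# Constructed zone data (assumption).  Root refers "com." to a TLD server,
# the TLD server refers the zone to an authoritative server, and only the
# authoritative server holds the final A record with its TTL in seconds.
ROOT_REFERRALS = {"com.": "tld-com"}
TLD_SERVERS = {"tld-com": {"examplesite.com.": "auth-examplesite"}}
AUTH_SERVERS = {"auth-examplesite": {"www.examplesite.com.": ("198.51.100.7", 300)}}


def _fqdn(name):
    """Normalise to a lower-case, fully qualified name with a trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def _longest_zone(table, name):
    """Pick the longest zone in `table` that `name` falls under, or None."""
    best = None
    for zone in table:
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


class RecursiveResolver:
    """ISP-style recursive server: checks its cache, then walks root -> TLD
    -> authoritative, and caches the answer until its TTL expires."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so TTL expiry can be tested
        self.cache = {}         # fqdn -> (address, expires_at)
        self.trace = []         # servers consulted for the last resolve()

    def resolve(self, name):
        name = _fqdn(name)
        self.trace = []
        hit = self.cache.get(name)
        if hit is not None and hit[1] > self.now():
            self.trace.append("cache")
            return hit[0]
        # Root name server: refers us to the TLD server for the last label.
        self.trace.append("root")
        tld_zone = _longest_zone(ROOT_REFERRALS, name)
        if tld_zone is None:
            return None                                  # NXDOMAIN
        tld_name = ROOT_REFERRALS[tld_zone]
        # TLD name server: refers us to the zone's authoritative server.
        self.trace.append(tld_name)
        auth_zone = _longest_zone(TLD_SERVERS[tld_name], name)
        if auth_zone is None:
            return None
        auth_name = TLD_SERVERS[tld_name][auth_zone]
        # Authoritative server: holds the record itself.
        self.trace.append(auth_name)
        record = AUTH_SERVERS[auth_name].get(name)
        if record is None:
            return None
        address, ttl = record
        self.cache[name] = (address, self.now() + ttl)  # retrieval of record
        return address


class StubClient:
    """The user's computer: its own cache in front of the recursive server.
    Simplified: the local cache here does not expire entries."""

    def __init__(self, resolver):
        self.resolver = resolver
        self.cache = {}

    def lookup(self, name):
        """Return (address, path) where path names the servers consulted."""
        name = _fqdn(name)
        if name in self.cache:
            return self.cache[name], "local cache"
        address = self.resolver.resolve(name)
        if address is not None:
            self.cache[name] = address
        return address, " -> ".join(self.resolver.trace)


if __name__ == "__main__":
    client = StubClient(RecursiveResolver())
    print(client.lookup("www.examplesite.com"))   # full walk
    print(client.lookup("www.examplesite.com"))   # served from local cache
```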

How Are DNS Servers attacked?

Cyber attacks on DNS servers are a significant threat to Internet security. DNS attacks threaten modern communications because DNS is used by many network applications, e.g., email, web browsing, e-commerce, etc. DNS attacks vary and keep changing with the ever-growing IT infrastructure. Some of the common attacks are made directly on DNS and others indirectly. The attacks are:

  • Cache Poisoning Attacks: A DNS cache poisoning attack is also known as DNS spoofing. In DNS spoofing, forged data is introduced into a DNS resolver’s cache, diverting Internet traffic from genuine destinations to fake ones; e.g., the user is sent to a malicious site even after entering the correct name. A single attack on a DNS server affects all users attached to that server. The attacker exploits the DNS software, and may also use DNS ID hacking to find the ID number of the user’s query in order to poison the user’s cache. In effect, a domain name is rerouted to another IP address, which may host the attacker’s phishing page.

Figure 2: Poison attack

  • DNS amplification attack: This is a form of DoS attack, specifically a reflection-based distributed attack. The attacker hides the source of the exploit and designates the target. A small DNS query is turned into a much larger payload. It abuses servers that support open recursive relay. A botnet may be used so that the attacker needs less bandwidth for a large attack. The advantage to the attacker is that the traffic appears to come from valid servers as valid traffic.

Figure 3: Amplification attack

  • Query redirection attack: This happens when a query is intercepted and modified on its path to the DNS server. If the interception occurs on the way to the caching name server, the attack is taking place on the LAN; when it occurs outside the local network, a different mitigation technique is needed.
  • Zone enumeration: Zone enumeration happens when a user runs DNS diagnostic commands to gain information about the network architecture of a site. It provides a path for the attacker: a site can be attacked by knowing its zone information, i.e., what the site advertises.
  • UDP flood attack: In this attack type, a large number of UDP packets are sent to random ports on the server. The flood of packets overwhelms the system, causing it to fail.

Figure 4: Flood Attack

  • TCP SYN flood attacks: This is a type of distributed DoS attack that hangs connections by flooding the DNS server with many TCP connection requests. After a certain point the system fails to manage the excess of requests, resulting in the server’s failure. The server also sends SYN-ACKs to many fake destinations. These attacks exhaust memory, so new connection requests are refused, even from legitimate users.

  • DNS fast flux: In this technique, the attacker rapidly changes the location of a DNS, web, email or other distributed service from one set of Internet-connected computers to another in order to delay and evade detection.
  • Registration change: This is a difficult type of attack, in which the domain’s registration is taken over and the authoritative name servers are changed. An attack like this affects DNS servers that cache the domain globally. Another feature of this attack is that the domain’s data can be changed.
  • Cyber squatting: In this attack, a domain name is registered with the intent of profiting from and undermining a third party. It is used to steal identities and divert traffic.
  • Tunneling: DNS is used as a covert communication channel for bypassing the firewall. It helps to tunnel IP traffic without detection and can act as a full remote control channel. It is also used to bypass captive portals to use Wi-Fi services, and for data exfiltration.

Figure 5: Tunnel Attack

  • DNS hijacking: In this attack, DNS records are modified to point to rogue servers. This method helps the attacker acquire personal details of users such as passwords, credit card information, and user names.

Figure 6: DNS Hijacking

  • Random sub domain attacks: In this attack, infected users or clients create queries for random sub domain strings under the victim’s domain. Because many infected clients send these requests, the attack is hard to detect. It targets the authoritative server.
  • Phantom domain attack: This attack is set up so that the DNS resolver tries to resolve domains that are phantom domains. These domains respond slowly or not at all, which consumes resolver resources while it waits for the responses.
  • NX domain attack: In this attack, the attacker sends many queries to the DNS server to resolve non-existent domain names. The recursive server carries out multiple queries to locate each non-existing domain, causing its cache to be filled with NXDOMAIN results. This creates longer response times for genuine requests and consumes resources in finding a resolution for each query.

Figure 7: NX Domain attack

How to Avoid DNS Attacks?

  • Hosting the authoritative name servers within the organization itself helps protect against registration attacks.
  • Traffic control, together with monitoring and configuration, helps reduce DNS tunneling; this covers both the UDP and the TCP DNS transports.
  • Separate the recursive resolvers from the authoritative name servers, so that external users cannot reach (and attack) the recursive resolver.
  • Use DNSSEC, with validation enabled in the recursive resolver.

    DNSSEC: the most important DNS security extension. It provides clients with origin authentication and data integrity for DNS data by digitally signing records with public key cryptography. A record is validated against a chain of public keys that is anchored in the DNS root zone.

  • New addresses should, at a minimum, be checked against blacklists and the WHOIS registry.
  • Split DNS views: run separate internal and external servers.
  • To prevent spoofing, refuse recursive queries from untrusted clients.
  • IP-based ACLs protect the DNS servers.
  • A solid training program that covers social engineering is also effective.
  • Rate limiting and blocking of open recursive relays, along with tightening the security of the DNS server itself.
  • Only data for the requested domain should be cached; additional records in a response that fall outside the queried domain are discarded.
  • A separate management port, use of a VPN, and encrypted communications help secure the DNS server.
  • Use selective packet discard mechanisms to control traffic.
  • Cryptographic signatures provide authenticity; HTTPS helps validate the server.
  • Restrict the allowed queries and querying hosts to the minimum, and restrict answers to the requested domain.
  • Set up redundancy, with improvements to both security and performance.

Figure 8: DNS attack prevention

  • Keep BIND updated to limit exposure to known bugs and to get the best source port and transaction ID randomization. BIND can also be built with compile-time support for storing zones in a database back end.
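The role separation, ACLs, DNSSEC validation and rate limiting from the list above, expressed as BIND 9 configuration. This is an added example, not from the original article: the network ranges, host addresses and zone name are assumptions, and the three `options` blocks are three separate named.conf files (the weak all-in-one setup, a hardened internal resolver, and a hardened Internet-facing authoritative server), since one named.conf may contain only one `options` statement.

```conf
// ---- File 1: weak all-in-one server (what the list above warns against) ----
// Recursive and authoritative on one host, open to the whole Internet.
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query     { any; };
    allow-recursion { any; };   // open resolver: usable as an amplifier and poisonable
    allow-transfer  { any; };   // anyone can pull the full zone
};
zone "example.com" { type master; file "db.example.com"; };

// ---- File 2: hardened recursive resolver (internal-facing host) ----
acl "trusted" { 10.0.0.0/8; 192.168.1.0/24; localhost; };   // assumed internal ranges
options {
    directory "/var/cache/bind";
    listen-on { 10.0.0.53; };           // assumed internal address only
    recursion yes;
    allow-query       { trusted; };
    allow-recursion   { trusted; };     // IP-based ACL: no recursion for outsiders
    allow-query-cache { trusted; };     // outsiders cannot read (or probe) the cache
    allow-transfer    { none; };
    dnssec-validation auto;             // validate using the built-in root trust anchor
    minimal-responses yes;              // no unrequested additional records
    version "none";                     // do not advertise the software version
    rate-limit { responses-per-second 10; window 5; };
};

// ---- File 3: hardened authoritative server (Internet-facing host) ----
acl "secondaries" { 203.0.113.10; };    // assumed secondary name server
options {
    directory "/var/cache/bind";
    recursion no;                       // never recurse for anyone
    allow-query     { any; };           // authoritative data is public by design
    allow-recursion { none; };
    allow-transfer  { secondaries; };   // zone transfers only to known secondaries
    minimal-responses yes;
    version "none";
    rate-limit { responses-per-second 10; window 5; };   // RRL against amplification
};
zone "example.com" { type master; file "db.example.com.signed"; };   // DNSSEC-signed zone
```

Run `named-checkconf` on each file before reloading; `rate-limit` requires a BIND built with response rate limiting (standard since 9.10), and `dnssec-validation auto` relies on the trust anchor shipped with the BIND release, so keep the package current.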

DNS Traffic

Traffic patterns at the DNS server reveal malicious activity affecting it. Queries arriving from spoofed source addresses indicate infected hosts on the network that are taking part in an attack, for example a UDP/TCP flood or a DDoS. Fast flux, NXDOMAIN and phantom domain attacks cause long delays and heavy load that also hit the recursive servers. Cache poisoning, amplification attacks, covert channels and similar attacks generate traffic towards local networks.

DNS Traffic Monitoring

Traffic can be monitored with security systems and at the name resolvers. Traffic monitoring is a real-time function. Some methods of traffic monitoring are:

Firewall: firewalls primarily help prevent IP spoofing. For protection from DDoS attacks, add a rule that denies queries arriving from outside the allocated address space; without it the name resolver acts as an open reflector. Enable inspection of DNS traffic to check for malicious byte patterns, and block anomalous DNS traffic that targets name server vulnerabilities.

Intrusion detection system: rules report suspicious DNS requests from both unauthorized and authorized clients. The rules are written for detection systems such as Snort and OSSEC. They can also report NXDOMAIN responses, responses containing records with very short TTLs, queries made over TCP, unusually large DNS responses, queries to non-standard ports, and so on. An intrusion prevention system can additionally feed permit/deny decisions to the firewall.

Traffic analyzers: passive traffic analysis is used to identify malicious traffic. The DNS traffic between the name server and its clients is captured and filtered, saved as a PCAP file, and then searched with scripts for signs of malicious activity.

DNS monitoring: it is always best to monitor the DNS traffic of your environment to identify suspicious activity within the organization. This can be done with a SIEM, which can visualize the traffic and identify anomalies in the network. Automated alerts can be configured in the SIEM so that events needing attention raise an alarm for immediate response.
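The "scripts for searching the captured traffic" that the traffic analyzer and DNS monitoring paragraphs describe, applied to the attack types from the list above. This is an added example for this page, not code from the original article: it flags tunneling (long, high-entropy labels), random-subdomain floods against one zone, and NXDOMAIN floods from a single client. The log format "<epoch> <client_ip> <qname> <qtype> <rcode>", the thresholds and the sample lines are constructed for illustration; adapt `parse_dns_log()` to your resolver's query log or to a PCAP you have already reduced to this shape.

```python
"""Passive DNS log triage: tunneling, random-subdomain floods, NXDOMAIN floods.
Added example; log format, thresholds and sample data are assumptions."""
import math
from collections import Counter, defaultdict

# Constructed sample log (not real traffic). 10.0.0.4 is a normal client,
# 10.0.0.5 tunnels data in 24-character labels, 10.0.0.7 floods random
# subdomains of victim.example, and 10.0.0.9 asks for names that do not exist.
SAMPLE_LOG = """
1700000000 10.0.0.4 www.example.com A NOERROR
1700000001 10.0.0.4 mail.example.com MX NOERROR
1700000002 10.0.0.4 cdn.example.com A NOERROR
1700000003 10.0.0.4 wwww.example.com A NXDOMAIN
1700000004 10.0.0.5 q3k7zf9a0mxv2tbh8cj4yd1r.tun.evil-example.net TXT NOERROR
1700000005 10.0.0.5 p8w2nz5s1ldk7qa9fmx4tb0g.tun.evil-example.net TXT NOERROR
1700000006 10.0.0.5 zv6y4cr1ks8mt2dq0hx7wb3n.tun.evil-example.net TXT NOERROR
1700000007 10.0.0.5 m5j2ha8ke1yw6tc3gn0rx9vq.tun.evil-example.net TXT NOERROR
1700000008 10.0.0.7 x1a9.victim.example A NXDOMAIN
1700000009 10.0.0.7 k4pz.victim.example A NXDOMAIN
1700000010 10.0.0.7 q7mw.victim.example A NXDOMAIN
1700000011 10.0.0.7 b2ns.victim.example A NXDOMAIN
1700000012 10.0.0.7 r8dt.victim.example A NXDOMAIN
1700000013 10.0.0.7 v3gh.victim.example A NXDOMAIN
1700000014 10.0.0.9 bankk-example.com A NXDOMAIN
1700000015 10.0.0.9 paypa1-example.net A NXDOMAIN
1700000016 10.0.0.9 amaz0n-example.org A NXDOMAIN
1700000017 10.0.0.9 g00gle-example.com A NXDOMAIN
1700000018 10.0.0.9 faceb00k-example.net A NXDOMAIN
"""


def shannon_entropy(s: str) -> float:
    """Bits per character. Random labels score above 4; real words stay below 3.5."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_dns_log(text: str) -> list:
    """Parse the assumed log format into dicts; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname, qtype, rcode = line.split()
        records.append({"ts": int(ts), "client": client,
                        "qname": qname.lower().rstrip("."),
                        "qtype": qtype.upper(), "rcode": rcode.upper()})
    return records


def base_domain(qname: str) -> str:
    """Assumption: the attacked zone is the last two labels (use the public
    suffix list in production)."""
    return ".".join(qname.split(".")[-2:])


def analyze(records, min_label_len=20, min_entropy=3.5, min_tunnel_queries=3,
            min_random_names=5, min_zone_nx_ratio=0.8,
            min_nx_queries=5, min_client_nx_ratio=0.5) -> dict:
    tunnel_hits = Counter()
    zone_names, zone_total, zone_nx = defaultdict(set), Counter(), Counter()
    client_total, client_nx = Counter(), Counter()
    for r in records:
        label = r["qname"].split(".")[0]          # leftmost label carries tunnel data
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            tunnel_hits[r["client"]] += 1
        zone = base_domain(r["qname"])
        zone_names[zone].add(r["qname"])
        zone_total[zone] += 1
        client_total[r["client"]] += 1
        if r["rcode"] == "NXDOMAIN":
            zone_nx[zone] += 1
            client_nx[r["client"]] += 1

    findings = {"tunneling": {}, "random_subdomain": {}, "nxdomain_flood": {}}
    for client, hits in tunnel_hits.items():        # covert channel per client
        if hits >= min_tunnel_queries:
            findings["tunneling"][client] = hits
    for zone, names in zone_names.items():          # many unique names, all failing
        ratio = zone_nx[zone] / zone_total[zone]
        if len(names) >= min_random_names and ratio >= min_zone_nx_ratio:
            findings["random_subdomain"][zone] = {"distinct_names": len(names),
                                                  "nx_ratio": round(ratio, 2)}
    for client, total in client_total.items():      # client mostly asking for nothing
        ratio = client_nx[client] / total
        if total >= min_nx_queries and ratio >= min_client_nx_ratio:
            findings["nxdomain_flood"][client] = round(ratio, 2)
    return findings


def triage_sample() -> dict:
    return analyze(parse_dns_log(SAMPLE_LOG))
```

Note that 10.0.0.7 is flagged twice, as the source of an NXDOMAIN flood and as a participant in the random-subdomain attack on victim.example; the two findings are distinct because the first names a client to isolate and the second names the zone whose authoritative servers are under load.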

Conclusion

DNS is the globally used method for connecting names to the Internet and to networks. It decouples the names used by humans from the IP addresses used to reach information, and it decouples logical names from machine names; names are not tied to routing. The DNS name servers form a distributed database with a very simple data model that does not lose consistency when records are updated. The namespace is a strict hierarchy, with zones used to delegate responsibility and reduce delay, and replication within a zone gives it high survivability. Caching improves performance. DNS has become a key component of the Internet and of every network, but survivability and security remain its key issues.


Original Post: http://resources.infosecinstitute.com/attacks-over-dns/

The state of Ransomware in 2015

Introduction

Ransomware has been a threat for quite some years, although ransomware as it is known today, encrypting files, has only been around for a few years. The change started with the initial CryptoLocker infections in 2013, authored by "Slavik", the creator of the notorious Zeus banking malware. Since CryptoLocker, many new variants as well as completely new families of ransomware have appeared. Some stayed alive and ran successful operations for a long period, spanning years in some cases, while others disappeared as quickly as they appeared.

Takedowns in the world of ransomware are few and far between. Occasionally a large operation with law enforcement results in a successful takedown, as with the original CryptoLocker takedown, Operation Tovar, in which Fox-IT InTELL played a key role and about which it released the whitepaper "GameOver Zeus: Backgrounds on the Badguys and Backends". Alongside the joint takedown with law enforcement, Fox-IT InTELL was also able to help CryptoLocker victims decrypt and recover their files.

Sadly there is still a lot of ransomware going around. In this article we describe what we consider the top 3 ransomware families currently active. We look at how and what they target for encryption, and at how we at Fox-IT combat them in terms of detection and prevention.

Top 3 Ransomware families

We consider the following three ransomware families to be at the top of the ransomware threats alive right now:

  • CryptoWall
  • CTB-Locker
  • TorrentLocker

All three have been around for quite some time, making many victims along the way. Using a combination of exploit kits and fake emails, posing as postal or financial organizations for example, they have been claiming victims throughout the world.

In the case of TorrentLocker we were, in cooperation with the Dutch NCSC, able to fend them off, which ended in them abandoning their campaigns against the Netherlands. We first documented a new variant being active on October 15, 2014 in a blog article. This did not end their campaigns in other countries, however, which are still ongoing as of this writing.

In the following subsections we give a brief analysis of each ransomware family in the top 3. The structure is the same for all three to keep the analysis standardized, straightforward and easy to compare. Throughout, we refer to the criminals' command and control server, from which they control the ransomware, as the "C&C".

Ransomware analysis: CryptoWall

History

This ransomware has been around since at least November 2013, although the operators were actively developing and using it before it was officially dubbed "CryptoWall".

CryptoWall has gone through a lot of changes in all aspects, including persistence, cryptography and C&C communication. Initially, when it was still called "CryptoDefense", it generated its encryption keys on the local machine, which a news article showed to be flawed; the authors read the article and fixed the "issue". The current version, CryptoWall 3.0, uses AES for file encryption, whereas earlier versions used RSA-2048 directly on the files. Version 3.0 receives a 2048-bit RSA public key from the C&C but does not encrypt files with it directly: an AES key is generated to encrypt a file, and that AES key is then encrypted with the RSA-2048 key obtained from the C&C.

Originally, the first versions of CryptoWall communicated via proxy servers set up by the criminals, which forwarded traffic to the C&C server residing in Tor. A newer version communicated directly over the Tor network; the authors originally treated this as a test version, but it was later also used as their main way of C&C communication. A few days after the Tor-only version it changed back to indirect Tor, followed by a version using the I2P network; a lot of testing was going on. After all these tests the authors settled on a communication setup with two layers of proxies, essentially the original CryptoWall setup with one extra layer. These proxies are set up on hacked websites. Although such servers are cleaned up or taken offline quickly, this works for the CryptoWall authors: the ransomware only needs to get a single connection out in order to obtain a key and encrypt files, and does not need a constant C&C connection as seen with other types of malware.

The spread of CryptoWall has only increased since its start, with constant active campaigns mostly run through exploit kit services. The authors run an affiliate program, which makes it even more interesting and profitable for other criminals to spread CryptoWall in return for a cut of the profit. This affiliate program has greatly increased their income.

Network behavior

As said earlier, CryptoWall communicates via proxy servers with its real command and control server, which is hidden within the Tor network. These proxies are hosted on compromised websites, mainly outdated WordPress and Joomla instances, although Drupal instances are spotted at times. All communication is done via plain HTTP POST requests, with the POST data and the response data encrypted with RC4.

After landing on a victim's PC, CryptoWall starts looking for a working proxy server. When it has found one it sends the C&C server a few things to start off:

  • A unique campaign identifier (basically the source of the infection like spam or an exploit kit)
  • Its IP address (because the C&C runs inside Tor it needs to know the real IP address to be able to geolocate an infection)
  • Its unique identifier (identifier generated for an infected machine to be able to identify it from other infections)

The C&C server responds with:

  • The location of the ransom payment page (where victims can buy the decryption software)
  • The country the victim is originating from
  • An RSA-2048 public key used for file encryption

After receiving this information the client starts encrypting files on the machine. When it has finished, the ransomware reports the number of encrypted files back to the C&C, which responds with the image shown to the user indicating that CryptoWall has encrypted all their files:

CryptoWall ransom note
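The check-in exchange above, as an analyst would reconstruct it from a captured POST body once the RC4 key has been pulled from the sample. This is an added example, not the malware's own code: RC4 over HTTP POST is what the article describes, but the key, the "|"-separated field layout (campaign, IP, client ID going out; payment page, country, RSA public key coming back) and the hex encoding of the body are assumptions made so the exchange can be shown end to end.

```python
"""Encoding and decoding a CryptoWall-style RC4-wrapped C&C check-in.
Added example; key, field layout and hex transport are assumptions."""


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (key scheduling, then the PRGA keystream XORed with data).
    The cipher is symmetric, so the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


ASSUMED_KEY = b"cw3-sample-rc4-key"        # assumption: recovered from the unpacked sample
CHECKIN_FIELDS = ("campaign", "ip", "client_id")                # client -> C&C
REPLY_FIELDS = ("payment_page", "country", "rsa_public_key")    # C&C -> client


def encode_message(fields, values: dict, key: bytes = ASSUMED_KEY) -> str:
    """Serialize the fields as 'a|b|c', RC4-encrypt, hex-encode for the POST body."""
    plaintext = "|".join(values[f] for f in fields).encode("utf-8")
    return rc4(key, plaintext).hex()


def decode_message(fields, body_hex: str, key: bytes = ASSUMED_KEY) -> dict:
    """Reverse of encode_message. A wrong key yields garbage that fails to parse."""
    parts = rc4(key, bytes.fromhex(body_hex)).decode("utf-8").split("|")
    if len(parts) != len(fields):
        raise ValueError("unexpected field count: wrong key or layout?")
    return dict(zip(fields, parts))


def simulate_exchange() -> tuple:
    """Client check-in followed by the C&C reply, both as the analyst sees them
    on the wire (hex) and after decoding."""
    checkin = {"campaign": "crypt1", "ip": "198.51.100.23",
               "client_id": "3f0a9c17e2b4d6a8"}          # constructed values
    post_body = encode_message(CHECKIN_FIELDS, checkin)
    server_view = decode_message(CHECKIN_FIELDS, post_body)

    reply = {"payment_page": "http://paymentpage.example/3f0a9c17e2b4d6a8",
             "country": "NL", "rsa_public_key": "<RSA-2048 public key, PEM>"}
    reply_body = encode_message(REPLY_FIELDS, reply)
    client_view = decode_message(REPLY_FIELDS, reply_body)
    return server_view, client_view
```

Because the same key encrypts every message in both directions and RC4 has no integrity protection, a proxy operator or a network sensor holding the key can both read and forge this traffic; that is why the key is the first thing to extract from a fresh sample.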

File-system behavior

Besides encrypting all the files specified in its target file-types list, CryptoWall also performs the following operations on the file-system of the infected system:

  • Drop the lock screen image
  • Drop a TXT file containing the same instructions as seen on the image

CryptoWall also runs a set of commands to disable volume shadow copies (Windows' automatic volume backups) and the Windows Error Recovery boot screen. It also disables Windows Update and, if enabled, security services such as Windows Defender.

Overview

Distribution source(s) :
  • Exploit kits
  • Email
C&C communication scheme : Traffic is sent through a proxy (usually a hacked website) to a server controlled by the criminals, which proxies the data on to the C&C server hidden within the Tor network.
Cryptography scheme for files : AES (the AES key is itself encrypted with the RSA-2048 key received from the C&C)
Targets network shares : Yes, enumerates all connected drives, networked or not.

Targeted file types

Grouped as in the original table (Documents, Photos/Images, Code, Audio & Video, Backup):

  • Documents: odt, ppt, indd, oab, ods, pptx, pct, nk2, odp, pptm, prf, eml, odm, rtf, des, wb2, odc, msg, iif, pdd, odb, pages, nd, thm, doc, tex, qba, der, docx, txt, tlg, cer, docm, wpd, qbb, crt, wps, pdf, qbm, pem, xls, db, qbr, pfx, xlr, dbf, qbw, p12, xlsx, mdb, qby, p7b, xlsm, mdf, ach, p7c, xlsb, pst, key, xlk, sql, ost, wallet, pps, accdb, pab
  • Photos and images: 3dm, kdc, dxf, 3ds, erf, dxg, max, mef, psd, obj, mrw, dds, ai, nef, pspimage, eps, nrw, tga, ps, orf, yuv, svg, raf, dng, cdr, rwl, arw, rw2, srf, raw, sr2, r3d, bay, ptx, crw, pef, 3fr, srw, cr2, x3f, dcr, dwg, jpe, jpg, jpeg
  • Code: pdb, c, cpp, h, hpp, class, cs, dtd, fla, java, lua, m, pl, py, pas
  • Audio & Video: 3g2, 3gp, asf, asx, avi, flv, m4v, mov, mp4, mpg, rm, srt, swf, vob, vmw, mp3, wav, flac
  • Backup: bak, back

Ransomware analysis: CTB-Locker

History

CTB-Locker was first seen being sold in the underground communities back in the middle of June 2014. Researcher Kafeine wrote an article on this original sale by the author. The name CTB stands for Curve-Tor-Bitcoin, referring to items it utilizes: Curve refers to the elliptic curve encryption scheme used for file encryption, Tor refers to its usage of the Tor network to hide its C&C server and Bitcoin refers to the single ransom payment method available: Bitcoins.

CTB was originally only supporting Russian and English translations for its ransom demand message, but has been supporting more languages as it was being developed. It currently supports Russian, English, Italian, Dutch, German, Spanish, French and Latvian for its ransom message. In the Netherlands we’ve seen several waves of CTB-locker, mostly impersonating a financial institution normally involved with sending out payment forms which CTB fakes as attachments.

CTB's command and control servers reside in the Tor network, but they are not needed for the initial infection. A user's files can be encrypted while the machine has no internet connectivity, because of the way CTB's encryption and payment system works: the file encryption keys are derived with SHA-256 from Curve25519 operations, so no key has to be fetched from the C&C before encrypting. The exact details are explained at length by researcher Massimiliano Felici in his blog article "CTB-Locker encryption/decryption scheme in details".

Just like CryptoWall, CTB-Locker has an affiliate program through which other criminals can spread it in return for a cut of the profits. This affiliate program has been publicly exposed and researched by Kafeine on his blog. It has a website running inside the Tor network, just like the C&C server, on which the author of CTB-Locker also keeps an updated log of additions and extensions to its functionality.

Network behavior

As said earlier, CTB-Locker does not require an internet connection on the infected client. If it does have connectivity, it sends the encryption information to the C&C within Tor. It does this through variants of the Tor2web service, which act as a proxy into the Tor network.

Besides sending this information to the C&C, it also does an online lookup of its external IP address.

File-system behavior

Besides encrypting all the files specified in its target file-types list, CTB-locker also performs the following operations on the file-system of the infected system:

  • Drop the lock screen image and set it as the desktop background (the CTB lock screen is shown in the original post).
  • Pop up an application with instructions similar to those on the background image. The application is stored on the local machine and contains a payment ID, a list of encrypted files, a countdown timer and instructions on how to pay the ransom to recover the encrypted files. Clicking any of the flags at the top of the application changes the language (the original post shows the English version).

Besides these graphical messages, a copy of the text is also placed on the file system as a text file, together with a copy of the background image.

CTB-locker will also run a set of commands to disable volume shadow copies (Windows automatic volume backups).

Overview

Distribution source(s) :
  • Exploit kits
  • Email
C&C communication scheme : Does not need an internet connection to start file encryption; due to its implementation it can encrypt files offline.
Cryptography scheme for files : AES
Targets network shares : Yes, enumerates all connected drives, networked or not.

Targeted file types

Grouped as in the original table (Documents, Photos/Images, Code, Other):

  • Documents: doc, docx, rtf, docm, xls, xlsx, txt, xlk, xlsb, xlsm, mdb, dwg, accdb, odb, odm, odp, ods, odt, odf, wb2, vsd, wpd, wps
  • Photos and images: kdc, nef, raw, 3fr, dds, jpe, jpeg, jpg, cr2, rw2, psd, ai, dd, rwl, dxf, dxg, arw, cdr, crw, eps, dcr, dng, indd, mrw, nrw, srw, ims, rgx
  • Code: cpp, c, php, js, cs, pas, bas, pl, py
  • Other: arp, cer, crt, der, pem, 7z, zip, rar, pwm, kwm, safe, groups, mdf, dbf, sql, md, bay, blend, erf, mef, p12, p12f, dbx, gdb, bsdr, bsdu, bdcr, bdcu, bpdr, bpdu, bsd, bdd, bdp, gsf, gsd, iss, rik, fdb, abu, config

Ransomware analysis: TorrentLocker

History

TorrentLocker was first documented in February 2014, when Turkish victims received emails from "Turkcell", the leading mobile phone operator in Turkey. Users were lured to a fake Turkcell website where they had to download a document. This was the first documented attack by TorrentLocker, which at the time did not have a name yet. It was named TorrentLocker, to distinguish it from other ransomware threats, after the first registry key it used, which contained "Torrent":

HKCU\Software\Bit Torrent Application\

Since then TorrentLocker has evolved in how it shows the ransom demand to the user and in its implementation of cryptography. Their method of spreading, however, hasn't changed a bit: they impersonate local telecom providers or postal services, sending users emails indicating that a document is ready for them to download.

There have also been a few instances where malicious Word documents containing macros were used to infect systems with TorrentLocker.

The way the TorrentLocker group obtains the email addresses it spams is also interesting. They (most likely) started with an initial list of victims to spam, and this list was extended by infecting victims: when TorrentLocker infects a machine it harvests every email address it can find in the Thunderbird, Outlook and Windows Live Mail address books present on the system. We documented this process and their success in the past on our blog, "Update on the TorrentLocker ransomware". In the run we investigated back then, they obtained 2.6 million email addresses with this harvesting technique, a lot more possible victims to send their spam to.

TorrentLocker tries to impersonate CryptoLocker, using that name both in the ransom messages shown to the user and on the ransom payment website. The payment website is hosted within the Tor network, while the C&C used for communication with the malware on an infected machine is a server outside the Tor network.

Network behavior

TorrentLocker communicates with its C&C server directly, speaking a small protocol in which it can send the encryption key, the count of encrypted files, stolen email information and possible (crash) logs. It also obtains the ransom page from the C&C server.

The whole communication protocol is encapsulated in HTTPS.

File-system behavior

Besides encrypting all the files specified in its target file-types list, TorrentLocker also performs the following operations on the file-system of the infected system:

  • Make a copy of itself in a location that ensures it will be present the next time the system starts.
  • Show a ransom instruction screen to the victim with information on how to pay the required ransom (in Bitcoins), where to get Bitcoins and where to send them. This screen does not give information about a payment deadline or the number of affected files:
  • TorrentLocker lock screen

Overview

Distribution source(s) : Email
C&C communication scheme : Contacts a dedicated C&C server directly.
Cryptography scheme for files : AES-256
Targets network shares : Yes, enumerates all connected drives, networked or not.

Targeted file types

Grouped as in the original table (Documents, Photos, Code, Images, Audio & Video, Other):

  • Documents: 3ds, ab4, bgt, ac2, blend, cdf, cfp, csv, dbf, ddd, djvu, doc, docm, docx, dot, dotm, dotx, odb, odf, odg, odm, odp, ods, odt, otg, oth, otp, ots, ott, pdf, pot, potm, potx, ppam, pps, ppsx, ppsm, ppt, pptm, pptx, rtf, sldm, sldx, std, stw, scx, sxg, sxi, sxw, txt, wb2, xla, xlam, xll, xlm, xls, xlsb, xlsm, xlsx, xlt, xltm, xltx, xlw
  • Photos: cib, cmt, craw, crw, dc2, dcr, dng, mos, mrw, nef, orf, pcd, ra2, raf, raw, rw2, rwl, sd0, sd1, sr2, srf, srw, st4, st5, st6, st7, st8, x3f
  • Code: asm, asp, c, cpp, css, h, erbsql, js, hpp, lua, php, pl, py
  • Images: 3fr, 3pr, acr, agd1, ai, ait, arw, cdr, cdr3, cdr4, cdr5, cdr6, cdrw, ce1, ce2, cgm, cr2, csh, dcs, ddoc, ddrw, design, fpx, fxg, jpeg, jpg, psd, sda, sxd
  • Audio & Video: al, bik, cpi, mpg, ycbcra
  • Other: 7z, accdb, accde, accdr, accdt, adb, apj, awg, backup, backupdb, bak, bdb, bgt, bkp, bpw, cdx, cer, cls, crt, csl, dac, db, db-journal, db3, der, dgc, drf, drw, dwg, dxb, erf, exf, fdb, ffd, fff, fh, fhd, gray, grey, gry, hbk, ibank, ibd, ibz, idx, iiq, incpass, kc2, kdbx, kdc, kpdx, mdb, mdc, mef, mfw, mmw, myd, moneywell, ndd, nop, nrw, ns2, ns3, ns4, nsd, nsf, nsg, nsh, nwb, nx1, nx2, nyf, p12, p7b, pat, p7c, pem, pfx, ps, psafe3, ptx, rdb, rwz, s3db, sas7bdat, sav, sdf, sql, sqlite, sqlite3, sqlitedb, stc, sti, stx, sxm, xml, zip

The generic traits of Ransomware

While the different ransomware variants are unique in most of their behavior, the file types they are after and, in some cases, their cryptographic implementations are similar. When defending a client network at different levels, network- and host-based, there are quite a few generic traits seen in all of them.

File-system behavior

Most ransomware places payment instruction files in the directory of the files it is about to encrypt, usually as a text file, an image and/or a URL file. It usually also changes the desktop wallpaper of the infected computer to these instructions and opens a popup window, so the user knows his files are being held ransom and that he can get them back by paying.

Network behavior

Most ransomware families contact a C&C server in some form, either via Tor or via compromised WordPress websites. While the current generation of ransomware does not yet actively look for shares, it does encrypt files on drives that are mapped on the computer, as a side effect. This has a high impact on businesses that do not have proper backup procedures.

Because decryption instruction files are dropped, this can also be detected at the network level when it happens on a network share. Our Network Monitoring service has detection for this.

When you see encrypted files on a network share you can easily check which user was infected with the ransomware and started encrypting the files: just check the creator (owner) of the instruction files on the share. This helps the system administrator disconnect the infected user from the network as quickly as possible to prevent further damage.
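The triage step described above (find the dropped instruction files on a share, read their creator, and use the earliest one to date the start of the infection), as an added example for this page rather than Fox-IT's own monitoring code. The ransom-note name patterns, the share layout and the time stamps are assumptions made so the script runs offline against a constructed directory tree; on a Windows share you would match the note names used by the family you are facing and read the file owner SID instead of the POSIX uid.

```python
"""Ransom-note triage on a file share: which user dropped the notes, and when.
Added example; note-name patterns and the sample share are assumptions."""
import os
import re
import tempfile

try:
    import pwd                  # POSIX owner lookup; falls back to the numeric uid
except ImportError:             # e.g. Windows
    pwd = None

# Assumed note file names (case-insensitive); not taken from the article.
NOTE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^help_decrypt\.(txt|html|png|url)$",
    r"^decrypt_instruction",
    r"^how_to_recover",
)]


def is_ransom_note(name: str) -> bool:
    return any(p.search(name) for p in NOTE_PATTERNS)


def owner_name(st: os.stat_result) -> str:
    if pwd is not None:
        try:
            return pwd.getpwuid(st.st_uid).pw_name
        except KeyError:
            pass
    return str(st.st_uid)


def find_ransom_notes(share_root: str) -> list:
    """Walk the share; return one dict per note (path, owner, mtime), oldest first."""
    notes = []
    for dirpath, _dirs, files in os.walk(share_root):
        for name in files:
            if is_ransom_note(name):
                path = os.path.join(dirpath, name)
                st = os.stat(path)
                notes.append({"path": path, "owner": owner_name(st),
                              "mtime": int(st.st_mtime)})
    return sorted(notes, key=lambda n: n["mtime"])


def summarize(notes: list) -> dict:
    """Per owner: note count and the earliest note, which is where containment
    starts (that user and that time mark the beginning of the encryption run)."""
    per_owner = {}
    for n in notes:                         # sorted, so the first hit is the earliest
        entry = per_owner.setdefault(n["owner"], {"first_seen": n["mtime"],
                                                  "first_path": n["path"], "notes": 0})
        entry["notes"] += 1
    return per_owner


def build_sample_share() -> str:
    """Constructed share: two folders hit at different times, one untouched."""
    root = tempfile.mkdtemp(prefix="share-")
    layout = {
        "finance/HELP_DECRYPT.TXT": 1_700_000_100,
        "finance/HELP_DECRYPT.PNG": 1_700_000_100,
        "hr/DECRYPT_INSTRUCTION.txt": 1_700_000_400,
        "hr/budget.xlsx": 1_700_000_400,      # an encrypted file, not a note
        "it/README.md": 1_699_000_000,        # benign, must not match
    }
    for rel, ts in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.utime(path, (ts, ts))              # pin the modification time
    return root


def triage_sample_share() -> tuple:
    root = build_sample_share()
    notes = find_ransom_notes(root)
    return notes, summarize(notes)
```

On a real share the creator of the note files is the infected user's account, so the summary gives the administrator both the account to disconnect and the time window for restoring from backup.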

Conclusions

Having looked at the ransomware variants described there’s a few things we can conclude in terms of security:

  1. Unlike normal malware, ransomware does not need an extended presence on the system in order to do its thing. Once the key has been sent to the criminals it is over, as the files are in most cases unrecoverable.
  2. On the network side there are, in most cases, quite a lot of indicators to work with in order to detect the presence or the initial infection of these ransomware variants.
  3. As seen with CTB-Locker, ransomware doesn't always need internet connectivity. That is where endpoint protection should be able to identify the ransomware.

Based on our findings in the "generic traits" section, we can also say that in many cases we are quite lucky in terms of detection: many ransomware authors have the same goal and perform the same actions.

Ransomware is (sadly) not something that will pass at some point, as happened with fake antivirus for example. In the past years ransomware threats have only grown in size and number. Where in the past lockers would not affect files but only the user's current session, ransomware has been a very effective threat because users are forced to take action in order to get their personal files back.

The use of the Tor network only makes it harder to stop these threats, and only continued operations in which law enforcement and private industry work together are an effective way of frustrating and/or wearing down these criminals.

Original Post: http://blog.fox-it.com/2015/09/07/the-state-of-ransomware-in-2015/

Analyzing Quantum Insert Attacks

A Quantum Insert (QI) attack is a packet-injection attack carried out from an on-path monitoring position, a close relative of the classic man-in-the-middle attack. It resurfaced in the news through the documents leaked by Edward Snowden: the NSA and Britain's GCHQ intelligence services allegedly used it successfully against OPEC and Belgacom. In short, QUANTUM is the code name for servers placed at strategic points in the network by the NSA and GCHQ that can respond to a request faster than the intended recipient. The attacker needs monitoring capability to see the victim's request in the first place. Once the QUANTUM servers win the race against the original response, the attacker can steal sensitive data such as login credentials, bank account details and credit card numbers, or deliver malware that works in tandem with a botnet C&C server.

Understanding the attack

The attack begins with the attacker gaining monitoring capability on the victim's network path. In a government-sponsored attack this is obtained through Internet service providers; in cyber-espionage cases it comes from a foothold inside a network that the attacker is using to move laterally. This kind of attack is generally not used at large scale: the attacker knows the target well, including the websites it visits most frequently. The Snowden leaks revealed that LinkedIn and Slashdot users were targeted this way. The crux of the attack is winning the race against the legitimate response packets. The schematic diagram here will help you understand better:

Step 1:

Step 2:

Step 3:

In the schematic diagram above, the attacker waits on the network for the target to initiate a connection to a particular website. Each QUANTUM server is configured with a set of conditions; once a request from the target matches them, the attacker is notified and the QUANTUM server shoots a forged response to the victim's original request. Because the forged response arrives first, the victim's TCP stack accepts it: the victim receives the malicious payload and the attacker can gain full control. The original response packets from the website arrive later and are discarded as duplicates.

Simulating the attack

To simulate the Quantum Insert attack, we would require three VMs:

  1. One VM will act as a victim
  2. Second VM will be used to monitor the traffic
  3. Third will be used to shoot a malicious payload to the victim.

The proof-of-concept code for the simulation is available for download here:

Though the details of using the scripts are given on the GitHub page, let me reiterate them here for quick reference.

The attacker knows that the victim frequents mysite.com and configures monitor.py to notify the shooter when certain conditions match. In our case the conditions are:

  1. The victim visits mysite.com.
  2. We see the SYN+ACK from mysite.com (this gives us the sequence and acknowledgement numbers that the forged response must carry).

monitor.py parses tcpdump output to obtain this information and notifies the shooter. The shooter depends on Scapy to craft packets that copy the connection's header details but carry a different payload, and sends them to the victim. The only real challenge is obtaining a privileged position on the Internet backbone in order to win the race.

How real time QI works

I. Foot printing

Agencies like the NSA and GCHQ take hold of choke points in the Internet backbone and try to identify the users belonging to the organization being targeted. The program codenamed TURMOIL captures the network traffic and passes it to traffic analysis tools such as XKeyscore, which automate the packet analysis.

II. Build User Profiles

Tools like XKeyscore can search the captured traffic for patterns that help identify multiple points of attack. The data captured includes web histories, email traffic, chat logs and so on. In the QI attacks on OPEC, this phase reportedly went on for several years.

III. Attack the target

Once the attack points are profiled, the monitor at the choke point of the Internet backbone notifies the shooter whenever a request meets all of the conditions. In the case of the Belgacom hack, GCHQ used a QI attack to route traffic for LinkedIn and Slashdot to malicious servers posing as those sites.

IV. Maintain access and persist

Once the attack is successful, it's the same old mundane post-exploitation work: the attacker tries to escalate privileges and move laterally within the network in stealth mode to get hold of sensitive data and other network resources like mail servers, file servers, etc., which are then exfiltrated to data analysis experts.

Detecting QI attacks

  1. QI attacks work by spoofing the packets sent in response to a request to a particular website. One packet in response to the victim's GET request contains content from the real website, and another packet contains content from the malicious website. Both of these packets are bound to carry the same TCP sequence number but different payloads, which is a giveaway when detecting QI attacks.
  2. Another anomaly to notice is the TTL value of the packet. The spoofed packets show a significant difference in TTL compared with the real packets, because the attacker sits much closer to the victim than the real server does.
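The two detection heuristics above, applied to a constructed set of TCP segments as an added example (not code from the original post or from the linked Snort rules). Segment fields, the sample addresses and the TTL threshold are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """Minimal view of a TCP segment: flow 4-tuple, sequence number, IP TTL, payload."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ttl: int
    payload: bytes


# Hypothetical tuning knob: how many hops of TTL difference count as suspicious.
TTL_DELTA_THRESHOLD = 5


def find_qi_candidates(segments, ttl_delta=TTL_DELTA_THRESHOLD):
    """Flag a later segment that shares flow and seq with an earlier one but carries a different payload.

    An identical payload is an ordinary retransmission and is ignored. Each alert also records
    whether the TTL of the two segments differs by at least ttl_delta (heuristic 2 above).
    """
    first_seen = {}  # (src, sport, dst, dport, seq) -> first Segment observed for that key
    alerts = []
    for seg in segments:
        key = (seg.src, seg.sport, seg.dst, seg.dport, seg.seq)
        earlier = first_seen.setdefault(key, seg)
        if earlier is seg or earlier.payload == seg.payload:
            continue
        alerts.append({
            "flow": key[:4],
            "seq": seg.seq,
            "ttl_first": earlier.ttl,
            "ttl_second": seg.ttl,
            "ttl_anomaly": abs(earlier.ttl - seg.ttl) >= ttl_delta,
        })
    return alerts


REAL = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>real</html>"
INJECTED = b"HTTP/1.1 302 Found\r\nLocation: http://injected.example/\r\n\r\n"

# Constructed sample: server 203.0.113.10:80 -> client 192.0.2.7:51234, same seq number.
SAMPLE_SEGMENTS = [
    Segment("203.0.113.10", 80, "192.0.2.7", 51234, 1001, 49, REAL),      # genuine response
    Segment("203.0.113.10", 80, "192.0.2.7", 51234, 1001, 61, INJECTED),  # spoofed, fewer hops
    Segment("203.0.113.10", 80, "192.0.2.7", 51234, 1001, 49, REAL),      # plain retransmission
]

if __name__ == "__main__":
    for alert in find_qi_candidates(SAMPLE_SEGMENTS):
        print(alert)
```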

Links for QI detection with Snort: GitHub

Links for QI PCAPS: GitHub

References

Deep dive into QUANTUM INSERT

Original Post: http://resources.infosecinstitute.com/analyzing-quantum-insert-attacks

25 Ways to Become the Ultimate Script Kiddie


  1. You do not need to learn C, C++, C#, Python, Perl, PHP, Assembly and other computer programming languages since Kali, Parrot OS, and Backbox Linux have scripts and GUIs for performing penetration testing, wireless cracking, and vulnerability assessment.
  2. Use r57, c100 or c99 shells as your backdoor shells as a proof that you were able to hack their web application and have gained access to the server.
  3. Use the Hail Mary attack in Armitage in a covert penetration test because the GUI is awesome. It is very cool and totally legit. You don’t need to know the exploits being launched.
  4. You don’t need to study exploit development or all that EIP and ESP stuff since you can just download any exploit from Exploit-DB or Packet Storm. The Metasploit Framework has a bunch of exploits too, so no worries. Some forums have exploit kits that are free to download, and you should be all right with those.
  5. Make unbelievable claims that you are the world’s no. 1 hacker and write a book about your hack escapades and adventures.
  6. Trust and use SubSeven, DarkComet RAT or Lost Door Remote Administration Tools (RAT).
  7. Use wifite (automated wireless auditor), Gerix Wifi Cracker, WepAttack and Fern WiFi Cracker without having to know how to use Aircrack-ng Suite.
  8. Always use Burp Suite Professional’s Active scanning when auditing web apps – it’s all about the threads. Also, do not trust the Web Application Hacker’s Handbook – it takes time.
  9. Treat Acunetix, Netsparker, HP Webinspect, Core Impact and IBM Appscan as your ultimate web application hacking tools.
  10. You don’t need to learn about networking, TCP/IP, and IPv6 since there are various GUI tools for automating network penetration testing and network pwnage. You don’t need to be quiet in order to hear better, sometimes you need brute force if it just doesn’t work out well.
  11. Download as many hacking tools as you can. Fill up your hard drive with loads of them. Turn off your antivirus if it detects some of your tools as malicious.
  12. Create your own security blog that rips off other articles from known InfoSec blogs.
  13. If you can’t hack a certain website with your tools, just suppress it by DDoSing their site. Sometimes you just need to annoy them in order to teach them instead of outsmarting them.
  14. Create your own underground group then deface as many websites as you can with your group name on it like “Owned by fs0ciety! Nothing was harmed except your pride” without knowing what attacks you have conducted.
  15. You don’t need to understand the concepts of how an operating system works.
  16. Create your own “Self-Interview” without being asked by a news editor and have it published online. Self-promotion is good so that you can spread how you started hacking and share the tools that you used.
  17. Create an ub3rl33t handle with numbers in it e.g. 4h4ck3r, d1v1d3sbyz3r0, z3r0c00l, 3n1gm4, j3j3m0n, m4st3rsw0rd, k3rn3l 3.0, etc.
  18. Do not resist the urge to use LOIC, WinNuke, Cain and Abel, Back Orifice, ProRat, exploit kits, Trojans, and malware without understanding how they work and the concepts behind them.
  19. UNIX is just too old. You don’t need to study it. You have Windows, anyway.
  20. Do not contribute to open source tools like Metasploit, Nmap Scripts, SQLmap, and wpscan. Just use them anyway!
  21. Do not responsibly disclose the vulnerabilities that you have found or do not submit vulnerability findings and exploits in PacketStorm and Exploit-DB.
  22. Create an army of zombie computers and botnets by using available tools online. You can rip off some known malware in the wild.
  23. Sometimes you don’t need to “Try Harder” as the Offensive Security course always says. The easy way is better.
  24. Threaten that you will hack people if they agitate you.
  25. If you have problems installing penetration-testing distributions, just use Windows and download alternative packages and bundles for hacking.

A Remedy for the Weak of Heart and for Taking the Guide Seriously

As we all know, script kiddie is a derogatory term that refers to malicious attackers who use scripts and programs without understanding how they really work or the main concepts behind them. It is safe to say that they don’t know how to code and simply rip off someone else’s program or script to conduct attacks like website defacement, DDoS (Distributed Denial of Service) or DoS (Denial of Service), or even infect other users by sending them malware in order to build botnets for fun and profit.

Although script kiddie is a derogatory term, script kiddies can still cause real damage, just like any other attacker. We shouldn’t underestimate DDoS / DoS attacks, for example, since they can take your business offline if there is no mitigation or protection.

The purpose of this article is to add some spiced-up humor about how some script kiddies act. As a security professional, do not follow this guide. Alan Wlasuk once said in his article “Help! I Think my Kid is a Script Kiddie” that “no one likes a Script Kiddie except of course a fellow Script Kiddie.”

Following the footsteps of a script kiddie could lead you to jail. Nobody wants to end up in prison.

I think everyone likes to improve their skills and boost their career so yeah keep trying harder. Read, read, and read; and apply what you learn. Study and learn programming, UNIX, Linux, exploit development, information security, and malware analysis. You can also take up good courses like CEH, CCNA, OSCP, etc.

I would also like to add that there is nothing wrong with using Metasploit Framework, Nessus, and penetration testing distributions like Kali Linux and BackBox Linux as long as you understand what you are doing, and you know how it works. Contributing to such good tools is also one of best approaches to helping the community.

If you think that you may be disappointed in what you have become, I would suggest that you read the best reference for starters on how to be a good hacker, entitled “How To Become A Hacker” and written by Eric Steven Raymond (ESR). I would like to quote the paragraphs that explain what a hacker is:

The Jargon File contains a bunch of definitions of the term ‘hacker’, most having to do with technical adeptness and a delight in solving problems and overcoming limits. If you want to know how to become a hacker, though, only two are really relevant.

There is a community, a shared culture, of expert programmers and networking wizards that traces its history back through decades to the first time-sharing minicomputers and the earliest ARPAnet experiments. The members of this culture originated the term ‘hacker’. Hackers built the Internet. Hackers made the UNIX operating system what it is today. Hackers make the World Wide Web work. If you are part of this culture, if you have contributed to it and other people in it know who you are and call you a hacker, you’re a hacker.

The hacker mind-set is not confined to this software-hacker culture. There are people who apply the hacker attitude to other things, like electronics or music — actually, you can find it at the highest levels of any science or art. Software hackers recognize these kindred spirits elsewhere and may call them ‘hackers’ too — and some claim that the hacker nature is really independent of the particular medium the hacker works in. But in the rest of this document we will focus on the skills and attitudes of software hackers, and the traditions of the shared culture that originated the term ‘hacker’.

There is another group of people who loudly call themselves hackers, but aren’t. These are people (mainly adolescent males) who get a kick out of breaking into computers and phreaking the phone system. Real hackers call these people ‘crackers’ and want nothing to do with them. Real hackers mostly think crackers are lazy, irresponsible, and not very bright, and object that being able to break security doesn’t make you a hacker any more than being able to hotwire cars makes you an automotive engineer. Unfortunately, many journalists and writers have been fooled into using the word ‘hacker’ to describe crackers; this irritates real hackers no end.

The basic difference is this: hackers build things, crackers break them.

If you want to be a hacker, keep reading. If you want to be a cracker, go read the alt.2600 newsgroup and get ready to do five to ten in the slammer after finding out you aren’t as smart as you think you are. And that’s all I’m going to say about crackers.

Pretty nice essay from ESR don’t you think? Resist the Script Kiddie side! Use the force to learn the hacker way.

References and Additional Reading:

Original Post: http://resources.infosecinstitute.com/25-ways-to-become-the-ultimate-script-kiddie/
