Jump to content

Leaderboard

Popular Content

Showing content with the highest reputation on 12/04/20 in all areas

  1. Description TinyCheck allows you to easily capture network communications from a smartphone or any device which can be associated to a Wi-Fi access point in order to quickly analyze them. This can be used to check if any suspect or malicious communication is outgoing from a smartphone, by using heuristics or specific Indicators of Compromise (IoCs). In order to make it working, you need a computer with a Debian-like operating system and two Wi-Fi interfaces. The best choice is to use a Raspberry Pi (3+) with a Wi-Fi dongle and a small touch screen. This tiny configuration (for less than $50) allows you to tap any Wi-Fi device, anywhere. History The idea of TinyCheck came to me in a meeting about stalkerware with a French women's shelter. During this meeting we talked about how to easily detect easily stalkerware without installing very technical apps nor doing forensic analysis on them. The initial concept was to develop a tiny kiosk device based on Raspberry Pi which can be used by non-tech people to test their smartphones against malicious communications issued by stalkerware or any spyware. Of course, TinyCheck can also be used to spot any malicious communications from cybercrime or state-sponsored implants. It allows the end-user to push his own extended Indicators of Compromise via a backend in order to detect some ghosts over the wire. Use cases TinyCheck can be used in several ways by individuals and entities: Over a network - TinyCheck is installed on a network and can be accessed from a workstation via a browser. In kiosk mode - TinyCheck can be used as a kiosk to allow visitors to test their own devices. Fully standalone - By using a powerbank, you can tap any device anywhere. Few steps to analyze your smartphone Disable mobile aka. cellular data: Disable the 3G/4G data link in your smartphone configuration. Close all the opened applications: This to prevent some FP. Can be good also to disable background refresh for the messaging/dating/video/music apps. Connect your smartphone to the WiFi network generated by TinyCheck: Once connected to the Wi-Fi network, its advised to wait like 10-20 minutes. Interact with your smartphone: Send an SMS, make a call, take a photo, restart your phone - some implants might react to such events. Stop the capture: Stop the capture by clicking on the button. Analyze the capture: Analyze the captured communication, enjoy (or not). Save the capture: Save the capture on an USB key or by direct download. Architecture TinyCheck is divided in three independent parts: A backend: where the user can add his own extended IOCs, whitelist elements, edit the configuration etc. A frontend: where the user can analyze the communication of his device by creating an ephemeral WiFi AP. An analysis engine: used to analyze the pcap by using Zeek, Suricata, extended IOCs and heuristics. The backend and the frontend are quite similar. Both consist of a VueJS application (sources stored under /app/) and an API endpoint developed in Flask (stored under /server/). The data shared between the backend and the frontend are stored under the config.yaml file for configuration and tinycheck.sqlite3 database for the whitelist/IOCs. It is worthy to note that not all configuration options are editable from the backend (such as default ports, Free certificates issuers etc.). Don't hesitate to take a look at the config.yaml file to tweak some configuration options. Installation Prior the TinyCheck installation, you need to have: A Raspberry Pi with Raspberry Pi OS (or any computer with a Debian-like system) Two working Wi-Fi interfaces (check their number with ifconfig | grep wlan | wc -l). A working internet connection (Adviced) A small touchscreen previously installed for the kiosk mode of TinyCheck. $ cd /tmp/ $ git clone https://github.com/KasperskyLab/TinyCheck $ cd TinyCheck $ sudo bash install.sh By executing install.sh, all the dependencies associated to the project will be installed and it can take several minutes depending of your internet speed. Four services are going to be created: tinycheck-backend executing the backend server & interface; tinycheck-frontend executing the frontend server & interface; tinycheck-kiosk to handle the kiosk version of TinyCheck; tinycheck-watchers to handle the watchers which update automatically IOCs / whitelist from external URLs; Once installed, the operating system is going to reboot. Meet the frontend The frontend - which can be accessed from http://tinycheck.local - is a kind of tunnel which help the user throughout the process of network capture and reporting. It allows the user to setup a Wi-Fi connection to an existing Wi-Fi network, create an ephemeral Wi-Fi network, capture the communications and show a report to the user... in less than one minute, 5 clicks and without any technical knowledge. Meet the backend Once installed, you can connect yourself to the TinyCheck backend by browsing the URL https://tinycheck.local and accepting the SSL self-signed certificate. The default credentials are tinycheck / tinycheck. The backend allows you to edit the configuration of TinyCheck, add extended IOCs and whitelisted elements in order to prevent false positives. Several IOCs are already provided such as few suricata rules, FreeDNS, Name servers, CIDRs known to host malicious servers and so on. In term of extended IOCs, this first version of TinyCheck includes: Suricata rules CIDRs Domains & FQDNs (named generically "Domains") IPv4 / IPv6 Addresses Certificates sha1 Nameservers FreeDNS Fancy TLDs Meet the analysis engine The analysis engine is pretty straightforward. For this first version, the network communications are not analyzed in real time during the capture. The engine executes Zeek and Suricata against the previously saved network capture. Zeek is a well-known network dissector which stores in several logs the captured session. Once saved, these logs are analysed to find extended IOCs (listed above) or to match heuristics rules (which can be deactivated through the backend). The heuristics rules are hardcoded in zeekengine.py, and they are listed below. As only one device is analyzed at a time, there is a low probability to see heuristic alerts leveraged. UDP/ICMP going outside the local network UDP/TCP connection with a destination port >1024 Remote host not resolved by DNS during the session Use of self-signed certificate by the remote host SSL connection done on a non standard port Use of specific SSL certificates issuers by the remote host (such as Let's Encrypt) HTTP requests done during the session HTTP requests done on a non standard port ... On the Suricata part, the network capture is analysed against suricata rules saved as IOCs. Few rules are dynamics such as: Device name exfiltred in clear-text; Access point SSID exfiltred in clear-text; Watchers? In order to keep IOCs and whitelist updated constantly, TinyCheck integrates something called "watchers". It is a very simple service with few lines of Python which grabs new formated IOCs or whitelist elements from public URLs. As of today, TinyCheck integrates two urls, one for the whitelist and one for the IOCs (The formated files are present in the assets folder). If you have seen something very suspicious and/or needs to be investigated/integrated in one of these two lists, don't hesitate to ping us. You can also do you own watcher. Remember, sharing is caring. Q&As Your project seem very cool, does it send data to Kaspersky or any telemetry server? No, at all. You can look to the sources, the only data sent by TinyCheck is an HTTP GET request to a website that you can specify in the config, as well as the watchers URLs. Kaspersky don't - and will not - receive any telemetry from your TinyCheck device. Can you list some hardware which can be used with this project (touch screen, wifi dongle etc.)? Unfortunately, we prefer to not promote any hardware/constructor/website on this page. Do not hesitate to contact us if you want specific references. I'm not very confortable with the concept of "watchers" as the IOCs downloaded are public. Do you plan to develop a server to centralize AMBER/RED IOCs? Yes, if the demand is felt by NGOs (contact us!). Is it possible to develop this kind of thing, allowing you to centralize your IOCs and managing your fleet of TinyCheck instances on a server that you host. The server can also embed better detection rules thanks to the telemetry that it will receive from devices. Possible updates for next releases Centralized server for IOC/whitelist management (aka. Remote Analysis). Implement Ethernet use. Possibility to add watchers from the backend interface. Encryption of ZIPed reports. Better frontend GUI/JS (use of websockets / better animations). More OpSec (TOR integration, Local IP randomization etc.) 3d template for kiosks ? Special thanks Guys who provided some IOCs Cian Heasley for his android stalkerwares IOC repo, available here: https://github.com/diskurse/android-stalkerware Te-k for his stalkerwares awesome IOCs repo, available here: https://github.com/Te-k/stalkerware-indicators Emilien for his Stratum rules, available here: https://github.com/kwouffe/cryptonote-hunt Costin Raiu for his geo-tracker domains, available here: https://github.com/craiu/mobiletrackers/blob/master/list.txt Code review Dan Demeter @_xdanx Maxime Granier Florian Pires @Florian_Pires Ivan Kwiatkowski @JusticeRage Others GReAT colleagues. Tatyana, Kristina, Christina and Arnaud from Kaspersky (Support and IOCs) Zeek and Suricata awesome maintainers. virtual-keyboard.js.org & loading.io guys. Yan Zhu for his awesome Spectre CSS lib (https://picturepan2.github.io/spectre/) Download: TinyCheck-main.zip or git clone https://github.com/KasperskyLab/TinyCheck.git Source
    2 points
  2. Devs have not updated a crucial library inside their apps, leaving users exposed to dangerous attacks. Some of the vulnerable apps include Microsoft's Edge browser, Grindr, OKCupid, and Cisco Teams. Image: Check Point Around 8% of Android apps available on the official Google Play Store are vulnerable to a security flaw in a popular Android library, according to a scan performed this fall by security firm Check Point. The security flaw resides in older versions of Play Core, a Java library provided by Google that developers can embed inside their apps to interact with the official Play Store portal. The Play Core library is very popular as it can be used by app developers to download and install updates hosted on the Play Store, modules, language packs, or even other apps. Earlier this year, security researchers from Oversecured discovered a major vulnerability (CVE-2020-8913) in the Play Core library that a malicious app installed on a user's device could have abused to inject rogue code inside other apps and steal sensitive data — such as passwords, photos, 2FA codes, and more. A demo of such an attack is available below: Google patched the bug in Play Core 1.7.2, released in March, but according to new findings published today by Check Point, not all developers have updated the Play Core library that ships with their apps, leaving their users exposed to easy data pilfering attacks from rogue apps installed on their devices. According to a scan performed by Check Point in September, six months after a Play Core patch was made available, 13% of all the Play Store apps were still using this library, but only 5% were using an updated (safe) version, with the rest leaving users exposed to attacks. Apps that did their duty to users and updated the library included Facebook, Instagram, Snapchat, WhatsApp, and Chrome; however, many other apps did not. Among the apps with the largest userbases that failed to update, Check Point listed the likes of Microsoft Edge, Grindr, OKCupid, Cisco Teams, Viber, and Booking.com. Via zdnet.com
    1 point
  3. Din ce inteleg eu din structura proiectului: payton, greatlte, lilac, etc. sunt builduri pentru diferite deviceuri. aici cred ca sunt toate buildurile https://sourceforge.net/projects/havoc-os/files/ si aici au suport pt useri: https://havoc-os.com/download.html Din pagina lor nu vad un build pentru x86. Doar arm. (doar prebuilds for dev purpose pe x86) Poate stie altcineva cum poti emula arm64 in vm. Sau daca ai un raspberry pi poti incerca sa instalezi build-ul pe el. (Raspberry pi e arm cred)
    1 point
  4. Din ce vad eu din tutoriale de indieni sunt multi connectori curcubeu de scos si pus la loc. Daca ai uitat sa pui unul sau daca at tras de el si s-a crapat se poate sa faca scurp pe un rail sau sa nu intre in post. Unele placi de baza sunt asa proaste ca daca nu gasesc tastatura/touchpad/etc. nu pornesc. Sper sa ai noroc la service. Eu am dat si peste tarani care mi-au futut capul 3 suruburi pe placa de baza si dupa au zis ca nu au avut timp nici sa dechida laptopul, sa merg la alt service, ei nu se ocupa de acest model. 👍 Depinde si de service daca se ocupa de troubleshoot sau daca-ti zic "trebe alta placa de baza, alt ecran" In general daca vrei sa te ocupi de el in primul rand ii faci troubleshoot. 1. Esti sigur ca merge si e doar monitorul? Incearca sa vezi daca-ti trimite ceva pe HDMI, booteaza fara monitor? 2. deconecteaza tastatura si vezi daca booteaza fara tastatura. 3. verifica daca toate cablurile (in special cele care au fost scoase) fac contact. Booteaza daca scoti cablurile 1 cate 1? 3. Verifica din schematici daca toate componentele primesc curent. (cauta schematici si board-view pt modelul tau si verifica cu un multimetru daca tot primeste curent) 4. Ai grija sa nu uiti ceva in laptop. un surub care zboara liber iti face scurt.
    1 point
  5. Nu aveai cum sa atingi altceva cu pistolul de lipit. Cand ai desfacut carcasa sa nu fi bagat ceva si sa fii atins pe placa de baza. Daca esti sigur ca ai pus mufa conectorului video bine in slot atunci noua tastatura este un rahat in scurtcircuit.
    1 point
  6. 1. Posibil sa nu mai faca contact perfect conexiunile de la monitor - le poti misca fara sa iti dai seama de multe ori. 2. Ai topit si altceva pe langa plasticul ala. 3. Daca ai semnal pe hdmi/displayport mai ai o sansa, daca nu sigur e ceva de pe placa de baza dus.
    1 point
  7. Ce thread am ajuns sa citesc pe RST... E drept ca am dormit azi-noapte doar 3 ore si inca nu am baut cafeaua, probabil inca visez.
    1 point
  8. M-am speriat cand youtube mi-a dat primul rezultat ceva documentar, doar al 2-lea corect fratele Salam!!!! Dupa parerea mea de filme SF nu cred ca se ajunge la "razboi mondial". Prea multe tari au arme prea puternice de distrugere in masa. Nu ma refer doar la nucleare ci si la Stuxnet, chei SSL etc. Prea multa infrastructura poate fi distrusa instant, asa ca majoritatea populatiei se va opune. (Nimeni nu vrea sa fie regele unui nuclear wasteland) Posibil sa inceapa razboaie proxy. Asa e in Crimeea, Transnistria, Iraq, Koreea etc. E nasol pentru populatiile din zona si pentru tarile sarace, dar cred ca e foarte putin probabil ca Rusia sa atace direct tari NATO si sa treaca pe "razboi total". Cu IT-ul e probabil sa devina mai important dpdv militar. Nu ca nu ar fi deja.. Restul populatiei intra in criza economic si foamete, cum a fost si in 2008 si cum va fi si dupa covid.
    1 point
  9. Daca incepe razboiul noi avem Bombardieri asa ca stau linistit :))) Ironic fiind... daca incepe razboiul se cam poate sa nu iti mai arda ce se intampla cu it-ul, comunicatiile, facebook & Co. e probabil sa iti cam arda unde bagi capul la cutie sa nu te urmareasca vreo racheta sau tu o sa stai sa o arzi cu like-uri cand pe cer e trafic intens de ghiulele :))). si eventual singurele comunicatii stabile vor fi cele pentru armata nici decum sa ai tu sau eu semnal la telefon ca sa imi verific minutele... posibil si curentul electric sa fie cazut ca strategie din partea dusmanului bombardezi centrale electrice cele de apa potabila comunicatiile pe cat posibil la pamant si multe altele... era o regula nescrisa in razboi biserici scoli si spitale nu se atacau dar in ziua de azi ce mai conteaza ca o racheta a functionat gresit si na a nimerit o scoala sau un spital mare smecherie... cauti cel mai apropiat buncar iei pe cei dragi si stai ca strutu cu capu sub pamant si te rogi sa treaca mai repede sa scapati cu viata... in razboi daca incepe de preferat dusmanului i se ia " Vedera/Auzul/Vorbitul" sper sa intelegi la ce ma refer si cel mai simplu ai nimicit dusmanul.
    1 point
×
×
  • Create New...