
gigiRoman last won the day on June 4

gigiRoman had the most liked content!

Community Reputation

372 Excellent


About gigiRoman

  • Rank
    Registered user
  • Birthday 02/05/1977

Recent Profile Visitors

4926 profile views
  1. I knew about Pavel Yosifovich from references: https://www.pluralsight.com/authors/pavel-yosifovich Cool guy.
  2. Source: https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html?m=1

THURSDAY, MAY 30, 2019

10 years of virtual dynamite: A high-level retrospective of ATM malware

Executive summary

It has been 10 years since the discovery of Skimer, the first malware specifically designed to attack automated teller machines (ATMs). At the time, the learning curve for understanding its functionality was rather steep and analysis required specific knowledge of a manufacturer's ATM API functions and parameters, which were not publicly documented. Before the discovery of Skimer, anti-malware researchers considered ATMs secure machines containing proprietary hardware, running non-standard operating systems, and implementing a number of advanced protection techniques designed to prevent attacks using malicious code.

Researchers eventually discovered that the most popular ATM manufacturers use a standard Windows operating system and add on some auxiliary devices, such as a safe and card reader. Over time, actors behind some of the newer ATM malware families such as GreenDispenser and Tyupkin realized that there is a generic Windows extension for Financial Services API (CEN/XFS) that can be used to make malware that runs independent of the underlying hardware platform, as long as the ATM manufacturer supports the framework. This malware can trick the machines into dispensing cash, regardless of whether the attacker has a legitimate bank card.

ATM malware has evolved to include a number of different families and different actors behind them, ranging from criminal groups to actors affiliated with nation states. The significance of ATM malware stems from the fact that it can bring significant financial benefits to attackers and, as a consequence, cause significant damage to targeted banks, financial institutions and end users.
Now that this type of malware has been around for more than 10 years, we wanted to round up the specific families we've seen during that time and attempt to find out if the different families share any code.

ATM malware overview

SIGNIFICANCE

ATM malware provided criminals with a subtler alternative to physically breaking into the safe built into the ATM. Before the appearance of ATM malware, criminals typically had to employ traditional ways of robbing ATMs, often pulling the physical device out of the ground or blowing it to pieces with dynamite. Obviously, these methods would quickly draw the attention of law enforcement and passersby.

Over the past 10 years, we have seen a steady increase in the number of ATM malware samples discovered. Still, the number of discovered samples is very small compared to almost any other malware category.

[Figure: Number of ATM malware samples discovered year over year, based on the year of first submission to VirusTotal.]

As a digital substitute for dynamite, ATM malware allows criminals to employ money mules and instruct them how to dispense money from targeted ATMs. Typically, it happens by supplying a special authorisation code or card created to authorise the transaction. Before that, criminals had to infect the targeted ATM to install the code, which more often than not meant that they had to physically open the device to access its optical media reading devices or USB ports.

There have been many reported attacks on various banking organizations throughout the world, but they seem to be more prevalent in Latin America and Eastern Europe, where the ATM infrastructure is older and not regularly updated with security software or tamper-proof sensors. The damage caused by ATM malware to banks and individuals is rarely disclosed, but it likely reaches millions of dollars a year.
ATM malware affects banks and other financial institutions, as well as the reputation of ATM manufacturers and individuals and companies whose account details are stolen in ATM malware attacks.

CLASSIFICATION

There are several different ways we can classify ATM malware families. Based on its functionality, we can classify ATM malware into virtual skimmers and cash dispensers. The purpose of skimmers is to steal card and transaction details and individual PINs if the encryption keys used by the PIN pad are successfully retrieved. Cash-dispensing malware uses functions to allow for so-called "jackpotting" of ATMs, where money is dispensed by attackers without authorisation from the bank. But there are malware families that can both steal card details and dispense cash.

As far as the installation process is concerned, we again have two major groups. The first one requires the attacker to physically access the device. The second group assumes that the attacker installs malware indirectly, typically by compromising the internal network of the bank and then targeting ATMs using stolen credentials.

These types of malware will also either target specific models of ATMs, or will be more generic. Recently, ATM malware typically deploys generic functions. The most common framework is the CEN/XFS framework, which allows the developers of ATM applications to compile and run their code regardless of the ATM model or the manufacturer, but there are others, such as the Kalignite framework built on top of XFS. The XFS API contains high-level functions for communicating with the various ATM modules such as the cash dispensing module (CDM), PIN pad (EPP4) or printer. The high-level functions are provided through a generic SDK, while the lower-level functions, supplied through service providers, are developed by ATM manufacturers.
The architecture is quite similar to the Win32 architecture, where the developers use the high-level API to communicate with the OS kernel and various device drivers provided by the manufacturers of the individual hardware components.

[Figure: High-level CEN/XFS architecture.]

Most ATM samples require physical access to the targeted ATM. ATMs are not typically connected to the internet and communicate with the bank's central systems through specialized lines. However, most ATMs are connected to internal networks for their maintenance and administration, so the second, smaller group of ATM malware may be introduced by compromising the internal network first. This technique requires a higher level of sophistication but potentially brings higher returns if successful. Some generic hacking tools, such as Cobalt Strike, have reportedly been used for attacking ATMs and the transaction systems. This method has been more commonly used by more advanced groups such as Carbanak, Cobalt Gang and Lazarus (Group 77), whose Fastcash attack affects the IBM AIX operating system, which is rarely targeted by malware.

NOTABLE ATM MALWARE FAMILIES AND THEIR FUNCTIONALITY

Over the past 10 years, we have seen more than 30 different ATM malware families. In this section, we will briefly describe some of the more notable ones.

[Figure: Number of ATM malware samples per family.]

Ploutus

Ploutus is the malware family with the largest number of discovered samples, the majority of them having been reported in Mexico. Ploutus is a standard ATM-dispensing malware. The attackers need to be able to access physical ports or a CD-ROM drive to be able to boot from it and modify the ATM system image to install the malware. Attackers allegedly used newer Ploutus variants to attack some U.S.-based ATMs. Ploutus.D communicates with the ATM using the multi-vendor KAL Kalignite framework, which allows it to work with ATMs from different vendors with minimal changes to its code base.

[Figure: One of the Ploutus variants' interface.]
Skimer

Skimer is one of the first ATM attacks, and bears all of the features of well-developed malware. Skimer functions as a virtual skimming device that attempts to steal bank card numbers and the account and owner details stored on magnetic stripe tracks 1 and 2. A recent review of its functionality also indicates that it may attempt to steal users' PINs by retrieving the encrypted PIN pad encryption keys from the system. Apart from the virtual skimming function, Skimer acts as a backdoor to the ATM functionality for its operators — money mules employed to collect stolen data and dispense cash.

[Figure: Main code loop for servicing Skimer's operators with cash.]

If the user knows the secret code to activate the backdoor, the malware displays a menu, which allows the operator to empty one of the four cash-dispensing modules (CDMs).

[Figure: The code locking the dispenser module and dispensing cash.]

Most of the other ATM malware families follow a similar principle. The attackers need to be able to physically access the ATM, which requires a key or drilling a hole to access specific ports or devices. Once the malware is deployed, the money mules need a specific code to access the menu and dispense cash.

Tyupkin (Padpin)

The most interesting characteristic of Tyupkin is that it has the ability to limit its operation to specific hours and days of the week. It was reported that some Tyupkin instances can only be used on Sundays and Mondays at night.

[Figure: Tyupkin function for checking the hours of operation.]

Before dispensing cash, Tyupkin disables any network connections, presumably to prevent administrators from shutting down the ATM if suspicious activity is detected. Some members of the Tyupkin family are developed using C# and the .NET framework and some using Microsoft Visual C++. The family uses the XFS API to manage infected ATMs and dispense cash in multiple currencies.
Tyupkin has been active since 2014 and the associated gangs reportedly target Eastern European countries.

Alice

Alice follows a similar pattern to other ATM malware. It is installed by attackers and requires physical access to the system. When the operator launches it, Alice displays a window requiring a PIN.

[Figure: First Alice screen.]

If the code is correct, Alice will access the dispenser module and allow the operator to retrieve cash.

[Figure: Main Alice UI window.]

Cutlet

Cutlet, or Cutlet Maker, has been sold as a do-it-yourself ATM malware kit on some underground markets since 2016. The bundle contains detailed instructions in Russian and English on how to infect systems and how to acquire the codes required to dispense cash.

[Figure: Main Cutlet Maker user interface.]

The Cutlet manual details operational security practices required to avoid being caught by law enforcement officers and shows where to drill holes in the ATM enclosure in order to access USB ports of a specific ATM model. The kit also contains a testing application named "Stimulator" for users to practice before they decide to conduct real attacks. Cutlet follows a similar pattern to the previous ATM malware. The owner of the kit has the ability to generate the per-ATM codes required for its operation.

Fastcash

The significance of the Fastcash malware is its mode of operation and its targeting of the IBM AIX operating system. Fastcash consists of a process injector and shared objects presumably injected into the process space of compromised bank payment authorization systems. The malware monitors ISO8583-based transactions using code from a fairly old open-source library for parsing ISO8583 packets. If an ATM transaction contains the attackers' codes, the data will not be forwarded to the original payment authorisation application and the transaction approval will be sent back to the target ATM system, allowing attackers to dispense cash.
This mode of operation is similar to some rootkits, where malware attempts to hide its presence on the system by modifying the responses sent back from the operating system to the application that attempts to list system objects such as files or processes. The returned list is usually modified to remove the names of processes that belong to the malware.

Fastcash has been attributed to the Lazarus Group and it is an example of a nation-state-related actor targeting financial systems for the attacker's financial benefit. Fastcash shows a level of sophistication and knowledge that is not seen in other, run-of-the-mill ATM malware.

CODE SHARING BETWEEN FAMILIES

Thanks to Xylitol and the ATM Cybercrime tracker, it was easy to retrieve a fairly complete ATM malware data set, with the addition of the few files connected with the Fastcash campaign. The data set contains 121 files and it is well suited for analysis and clustering. Out of the 121 files, there are 114 PE files and those were used for clustering using static analysis techniques. Out of the 114 PE files there were 37 packed files, which may not be suitable for static analysis techniques, and 20 DLLs.

While investigating various methods for clustering, we stumbled upon an interesting book, "Malware Data Science" by Joshua Saxe and Hillary Sanders. This book shows basic and more advanced methods for classifying and clustering malicious files, and we used some of its ideas to cluster our own set. In our case, the clustering was conducted by extracting the following attributes of each sample:

  • Strings extracted from the file
  • Disassembled code from the entry point of the file
  • File entropy and the presence of a known packer
  • Imported or exported functions
  • Embedded resources

After collecting the attributes from each sample, the Jaccard distance is calculated for every pair of files in the set. The Jaccard index is a measure of similarity between two sets. The more similar the two samples are, the higher their Jaccard index will be.
The index is a number between 0 and 1. For example, a Jaccard index of 0.5 indicates 50 percent overlap between the two sets.

[Figure: Clusters with a Jaccard index threshold of 0.7.]

We need to set the threshold required for two samples to be connected as part of a single cluster. The higher the Jaccard threshold we choose, the more related the members of the defined cluster will be. By varying the threshold we come to the optimal value for our purpose. For example, for correct classification of samples we should choose a value higher than 0.7, and for code sharing purposes, higher than 0.3. As expected, the results show that as we lower the thresholds we see more clusters appear and some of the clusters show overlap between distinct ATM malware families.

[Figure: Clusters with a Jaccard index threshold of 0.3.]

The width of the lines in the graph shows how strongly the files in the clusters are related. For example, we see that the members of the individual GreenDispenser, Tyupkin or DispCash clusters are very closely related, while the mixed Ligsterac/Skimer, Tyupkin/Dispcash and ATMtest/Helloworld clusters show weaker connections that likely indicate some overlap in the malware code.

Protection and detection best practices

When considering protection and detection of attacks with ATM malware, it is important to consider the physical security of ATMs, the security of software running on the system and the security of any segment of the organization's network that communicates with ATMs. Here are 15 best practices that organizations should follow when considering protection of ATM networks and successful and timely detection of attacks when they happen.

  • Ensure ATMs and all related systems run up-to-date software and the latest operating system versions with the latest security patches applied.
  • Disable Windows AutoPlay and configure the BIOS to disable the ability to boot software from USB sticks and CD/DVD drives.
  • Set strong BIOS password protection to prevent boot settings from being changed.
  • Disable access to the Windows desktop at the ATM; ensure RDP sessions are secured with multiple authentication factors such as Duo Authentication for Windows Logon and RDP.
  • Remove any unused services and applications from the system to reduce the attack surface.
  • Implement other measures to harden the underlying ATM operating system.
  • Monitor the operation of ATMs, as well as their physical integrity. Look for unusual patterns of resets, communication failures and transaction volume.
  • Implement strong encryption between the ATM and the host.
  • Ensure access to the ATM cabinet is restricted to authorized persons and that such access is electronically logged.
  • Perform a security assessment of ATMs, including their physical locations and any networks connecting to them.
  • Ensure that firewalls and anti-malware protection are correctly configured.
  • Configure whitelisting solutions or operating system features to allow only known, trusted software to run. Make sure that whitelisting cannot be disabled without generating a remote log entry.
  • Prevent unauthorized USB devices from being installed using a device control function.
  • Educate employees about how they can avoid introducing malware into operational systems.
  • Maintain a physically and logically segmented network environment throughout the organization using segmentation technology such as Cisco TrustSec.
  • Ensure visibility over network traffic to ATM systems and payment authorisation servers using technologies that enhance network visibility, such as Cisco Stealthwatch.
  • Monitor threat intelligence feeds to learn about newly detected ATM malware threats.

Conclusion

ATM malware is a niche area of attacks, but it potentially brings significant benefits to actors that successfully manage to deploy it.
Over 10 years since the discovery of the first specialized malicious code targeting the Diebold Agilis line of ATMs, we have seen over 30 other malware families with varying degrees of sophistication, complexity and success. Most of the successful attacks are reported in countries where the ATMs are older, such as some Latin American countries and Eastern Europe. While the majority of actors behind ATM malware seem to be less sophisticated criminal actors, the potential of being able to dispense large amounts of cash also attracts more sophisticated criminal groups such as Carbanak and Cobalt Gang, as well as some state-sponsored actors such as Lazarus.

Although the number of known malware samples for ATMs has been very low, there has been a steady increase in the trendline for the number of discovered samples year over year. Financial organizations and banks have to be particularly vigilant when considering protection against malware for ATMs and payment systems. Enterprises and individuals may also experience financial loss due to the potential of their card details being used for illegal transactions after being skimmed by ATM malware. Best practices should be followed to ensure the highest possible level of protection, and organizations should invest in increasing user awareness about the dangers of ATM malware.

Coverage

Additional ways our customers can detect and block these threats are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors. Below is a screenshot showing how AMP can protect customers from this threat. Try AMP for free here.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.
Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

IOCs

SHA256

Alice
04f25013eb088d5e8a6e55bdb005c464123e6605897bd80ac245ce7ca12a7a70
23c50f1c37b7c55554c282ba1781e9d6279cbbd7bfc5f64772d2e7a8962ebe70
b8063f1323a4ae8846163cc6e84a3b8a80463b25b9ff35d70a1c497509d48539
db1169df116fda46319c4b87607df7b6a5e80b48de5411d47684974ca22dd35a
e3bf733cc85da7421522a0b1ff788d43bcacd02815a88d19426e80de564174b3

ATMii
0ef71569308d44e89bde48096c67caf73ec177c1c970a2fd843fd3a094502d78
5f5d483c1fcd1638b32d11183c5ed5fd36362fb12d62e1d9940b47906733d672
7fac4b739c412b074ee13e181c0900a350b4df9499515febb75008e6955b9674
d74cbd2e39dc0a00dc4c0fb0823c5a86455cdad2be48d32866165c9e5557c3e0

DIAGK
03bb8decefc540bff5b08425adddb404b345452c8adedee0c8af13572891865b

Cutlet
05fae4bef32daf78a8fa42f8c25fdf481f13dfbbbd3048e5b89190822bc470cd
4a340a0a95f2af5ab7f3bfe6f304154e617d0c47ce31ee8426c70b86e195320c
c18b23cc493f89d73a2710ebb177d54beafe0edf0e17cc79e28d9efdfb69a630
d1a0b2a251fa69818784e8937403c18f09b2c37eead80ba61a3edf4ac2b6b7ff
d4a463c135d17239047ad4151ab2f2d084e223970e900904ecedabc0fd916545
fe1634318e27e3af856506d49a54d1d12e1cf650cbc31eeb0c805949edc8fc85

Piolin
5f4215368817570e7a390c9f6e265a7db343c9664d22008d5971dac707751524

Prilex
d10a0e0621a164fad0d7f3690b5d63ecb9561e5ad30a66f353a98395b774384e

WinPot
0720db2469a61d41c1e67a8f32020927a32422a5d58067bb328a2ff407e14e98
3f5ff48aa4dc2c1af3deeb33a9cc576616dad37156ae9182831b1b2a5ae4ae20
a5d0cd1bc33f44d25695ebd6530757180f4fc4d87a1658ee2f0d8fc42d09fb80
c3a5c8e9195163cef8e0e70bd8f3d49c8048e37af7c969341e1753aee63df0ae
d9c6515fd0fb3cd14b4bb4d11ecda78602d17f370780a4b9ee006a9830106213

ATMitch
1065502d7171df7be3776b839410a227c540cd977e5e856bbbcd837b0872bdb6
ea5ebd1e5f98e10b1e7c834dd54707ad06772bccb4179cae7e50c7e6e772a1ab

ATMtest
9f8a7828d833ed7f28f9f5ceaf1c073c6de0645172b8316d86edc16c84b61c4f

ATMWizX
7bd2c97ac5027c360011dc5aa8f2371cd934f73e885e41f7e80152332b3af1db
a4b42f503090cd3cd53963ddaf0be3e4eeedbd81ff02664668e68612816e727f

Ploutus
0106757fac9d10a8e2a22dce5337f404bfa1c44d3cc0c53af3c7539888bc4025
04db39463012add2eece6dfe6f311ad46b76dae55460eea30dec02d3d3f1c00a
0971c166826163093093fb199d883f2544055bdcfc671e7789bd5088992debe5
0e37b8a6711a3118daa1ce2e2f22c09b3f3c6179155b98215a1d96a81c767889
34acc4c0b61b5ce0b37c3589f97d1f23e6d84011a241e6f85683ee517ce786f1
398e335f2d6379771d86d508a43c567b4156104f89161812005a6122e9c899be
62b61f1d3f876300e8768b57d35c260cfc60b768a3e430725bd8d2f919619db2
7fd109532f1e49cf074be541df38e0ce190497847fdb5588767ca35b9620a6c2
aee97881d3e45ba0cae91f471db78aded16bcff1468d9e66edf9d3c0223d238f
c8d57b32ab86a3a97f89ae7f1044a63cca2b58f748bed250a1f9df5c50fc8fbb
d93342bd12ef44d92bf58ed2f0f88443385a0192804a5d0976352484c0d37685
d99339d3dc6891cdd832754c5739640c62cd229c84e04e9e3cad743c6f66b1b9
e75e13d3b7a581014edcc2a397eaffbf91c3e5094d4afd81632d9ad872f935f4

Suceful
c7cb44e0b075cbc90a7c280ef8f1c69e8fe06e7dabce054b61b10c3105eda1c4
d33d69b454efba519bffd3ba63c99ffce058e3105745f8a7ae699f72db1e70eb

Tyupkin
16166533c69f2f04110e8b8e9cc45ed2aeaf7850fa68845c64d92ff907dd44f0
3639e8cc463922b427ea20dce8f237c0c0e82aa51d2502c48662e60fb405f677
639d2d926325275cb023014d0b446d03f1dcc8526bff1aa72373e27d78a6a674
646433de5c56fdbc7e6e934a05e9e99012ef39a0ed6cc4bdb1d984cd4435379e
6c59cd1e12bc1037031af48b934e9398fc85efb2a067d03b6a100dd8423e5d9b
853fb4e85d8b0ad7c156ad6d3fc4b0340c8b29fa0548a3df758e7845ba8b23ae
8bb5c766de0a73dc0eff7c9fce086565b6220465185e258c21c5b9dfb0bef51d
b670fe2d803705f811b5a0c9e69ccfec3a6c3a31cfd42a30d9e8902af7b9ed80

SkimerWC
dff7ee95100ffaec5848a73a7b306eaaee94ae691dfccff9fe6ce0a8f3b82c56
e267fb3044c31256f06dd712c7aeae97ad148fd3157995a7e536e5473c1a2bc0
e78e6155b8dfd206ba5a5e7253409891bfed1b943d217e0fbc416a25fa761580

ATMitch.B
66db5b6b5dc51de7e5380f214f703bdc69ab3c3bec7c3b67179940a06560f126

ATMripper
21f3c0bf3fc05685ec5b7bf3c98103761894d7c6783c2c12afae958eb103598e
22db6a994eb057715b499c5641cc608fb0380aeea25f78180436c35ecd81ce7d
3d8c7fb9e55f96cf3073b321ee5e59ff2189d70b0662bc0b88990971bc8b73d8
4c98d5cd865d7fe2f293862fae42895045e43facfdd2a3495383be4ddbb220dc
64499b2584d239380ffecf07e94167e0414c4bb5438620659fe37d595ef3f361
cc85e8ca86c787a1c031e67242e23f4ef503840739f9cdc7e18a48e4a6773b38
e3a6970d66bc4687b21381353826fabd469007c869efc711fdd0e4711aa77ffc

Ligsterac
1243c478a7145fa08a03200611fcf5fae9bb58039c5069ef93e150d53cf22524
377f85562e9ec16cae8fed87e43b6dd230eaa6e1c8f2732f5096f1ec951f045a
aaeee605cb1850dd81da8990fe4115fe85e5d4eb84ddaf2fa8d0b21afdc2b293
b361963fe11b149afc526a6e0656c08226f943bdba0f2c7c0a7640fba09afce8
e130bc1603893155d87946a430b6d6ad167760cde24aa2834c61dd0eace30e8e

NeoPocket
85652bbd0379d73395102edc299c892f21a4bba3378aa3b0aaea9b1130022bdd

Atmosphere
26b2daa6fbf5ec13599d24e6819202ddb3f770428d732100be15c23be317bd47
5c838658b25d44edab79a4bd2af7c56bef96768b93addbbaaaea36da604fca62
956968e6f4bf611137ea0e747891ba8dc200ca809c252ef249294912fb3dbe3c
a6c33d7275c46397593f53ea136ea8669794f4d787044106594631c07a9ee71d
d60126545fa68b14c36cd4cffa3f81ed487381482582acbba786fa88884f636b
eeb8390e885612e1f0b8f8922baa4ebc9ba420224b30370d08b45f3453949937

ATMSpitter
4035d977202b44666885f9781ac8755c799350a03838ff782eb730c0d7069958
85e5aacbc9113520d93f1d9d73193c3501ebab8032661052d9a66348e204cde6
8770f760af320d30681a4eb4ded331eab2481f54c657aac607df8babe8c11a6b
bf20c674a0533e7c0d825de097629a96cb42ae2d4840b07dd1168993d95163e8
c5b43b02a62d424a4e8a63b23bef8b022c08a889a15a6ad7f5bf1fd4fe73291f
e372631f96face11e803e812d9a77a25d0a81fa41e4ac362dc8aee5c8a021000
f27e27244233f2bb5b02412d4b05315625928adaa340708e91d61ad3bce54bf6

HelloWorld
2de4a510ee303c04c8d7bd59b7987b22c3471c9f4ba69b5f83ba36de88b63a8d
867991ade335186baa19a227e3a044c8321a6cef96c23c98eef21fe6b87edf6a
f6609bb3c3197ace26ebdeb372ba657ac84b05a3e9e265b5211e1ea42da70dbe

Java/Dispcash
0149667c0f8cbfc216ef9d1f3154643cbbf6940e6f24a09c92a82dd7370a5027
ef407db8c79033027858364fd7a04eeb70cf37b7c3a10069a92bae96da88dfaa

Trojan.Skimer
2721a5a6478bfff2c5de0d105623ba5f411401bbd92bd3e2bee4c51c2d12f5a8
4941331c64e0389d5ec966122ef71a99d8f9830f13e9afa758e03275f896c2eb
5ab6358e1886655257c437ebad71b98a6575313b2f9327359661aac5d450c45a
653701d02c5d8d39b3da9b0848d20921cd65ea28e77c8e9254e222601264bcc6
d90257af70401984d5d41dd057114df88566d00329874ced3103a6f8cd1991e5

GreenDispenser
20a1490b666f8c75c47b682cf10a48b7b0278068cb260b14d8d0584ee6c006a5
50db1f5e9692f217f356a592e413e6c9cb31105a94efc70a5ca1c2c73d95d572
5a37be2d298145b766ba54616677d802cfabc62e3b9be2ffb6d4719d3f8143e9
7544e7a798b791cb36caaa1860974f33d30bc4659ceab3063d1ab4fd71c8c7e0
77850f738ba42fd9da299b2282314709ad8dc93623b318b116bfc25c5280c541
b7e61f65e147885ec1fe6a787b62d9ee82d1f34f1c9ba8068d3570adca87c54f

ATM.DispCash.3
622d7489208578eaaaae054a07e16b4b8c91a3fde6e61d082a09aee5a1b1f829
b00cd2ca5247c93e3a40f73006051bbfada3b1bc73c4d44105384824bb60131d
b66615b186bf7067cdb937220f86b1d9411351e0b06ee8d02cf6c5358348e884
9feea4b7a5b438335353bb4eac82f8f2a16232a90b7cddbf77dc73dd451e9a6e
6efedf9bde951ad6c3e240ec498767bb693ecc8fa62040e624c5a7fa21c5bdaa

Trojan.Fastcash
d465637518024262c063f4a82d799a4e40ff3381014972f24ea18bc23c3b27ee
ca9ab48d293cc84092e8db8f0ca99cb155b30c61d32a1da7cd3687de454fe86c
10ac312c8dd02e417dd24d53c99525c29d74dcbc84730351ad7a4e0a4b1a0eba
3a5ba44f140821849de2d82d5a137c3bb5a736130dddb86b296d94e6b421594c

Skimer
34e7060e7a0c0ba24fcb55c641e5b586cef744e10ebd5a9f73ecd2ed2f4e9c1f
b51973c530802ae19df8ac4d9643fc3317952242d9d42f951e094c72d730dd66
359bb8596e4befafdaca706630bec598400694305622c116acdfa59074f1858e
ac8e8216e71e078198ef67d4cb48118767d0696610a02137492814422153d3c6
7888e9a27b27f026f09997414504be5822f35b69ddec826eb2a56f6347e2d147
cde6f7fb2fbdefffe22a012295ab157cffc07cab26ba0e34ced0bae484355187
b39c5992c2cb70c76c82d6fba3cc0b7972c2f9b35227934b766e810f20a5f053

WinPotv3
009b677564b3ebb0831171edf3fb0deb0fa3b0010b74586e01d8df4af965ef3f
1d6508cbe5f7ccaa991572f05aef52bab8a59851ca9a4367605a9637b10ae081
20fb2edfcece271f87d006e263c4a6de48ed518901211a76dc38aac43e1b9d19
6670ccc940cca6983340dbce1a9bbce7b49643ac924e18ca25def8b632b70720
70cc5070ce058682c1d44cef887c0ec8a50dba6b717802c5a8f2c8f2ed377c13
8d7f932d8236671018c5cd02781301134aa6df315253f7a56559350d2616ff8e
b57bc410683aba4c211e407320e6b7746ce25e06d81ddf480711228efd921a6c
e2c87bca353016aced41305ddd66ee7430bf61a20c0f4c8c0f0650f006f05160

POSTED BY VANJA SVAJCER AT 10:19 AM
LABELS: ATM MALWARE, CLUSTERING, RETROSPECTIVE
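The "Code sharing between families" section of the Talos article reposted above reduces each sample to a set of static attributes (strings, entry-point disassembly, imports and exports, resources, packer and entropy), computes the Jaccard index for every pair, and joins pairs that clear a chosen threshold into clusters. The following Python is an added illustration of that clustering step; it is not code from the Talos post or from this forum post. The feature tokens and the five sample names are constructed toy data, not attributes of any real binary, and the two thresholds mirror the article's 0.7 versus 0.3 comparison.

```python
"""Jaccard-index clustering of samples from static-analysis attribute sets.

Added example illustrating the clustering step described in the Talos
retrospective: each sample is a set of feature tokens, the Jaccard index is
computed for every pair, and pairs at or above a threshold are connected
into one cluster. All sample data below is constructed, not real malware.
"""
from itertools import combinations
from typing import Dict, List, Set, Tuple


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Jaccard index |A ∩ B| / |A ∪ B|: 1.0 for identical sets, 0.0 for disjoint."""
    if not a and not b:          # two empty attribute sets carry no evidence either way
        return 1.0
    return len(a & b) / len(a | b)


def pairwise_similarity(samples: Dict[str, Set[str]]) -> Dict[Tuple[str, str], float]:
    """Jaccard index for every unordered pair of samples (the edge weights of the graph)."""
    return {(x, y): jaccard(samples[x], samples[y])
            for x, y in combinations(sorted(samples), 2)}


def cluster(samples: Dict[str, Set[str]], threshold: float) -> List[Set[str]]:
    """Single-linkage clustering: connect every pair whose index >= threshold.

    Uses union-find, so each cluster is one connected component of the
    similarity graph after edges below the threshold are dropped.
    """
    parent = {name: name for name in samples}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps the tree shallow
            x = parent[x]
        return x

    for (x, y), score in pairwise_similarity(samples).items():
        if score >= threshold:
            parent[find(x)] = find(y)

    groups: Dict[str, Set[str]] = {}
    for name in samples:
        groups.setdefault(find(name), set()).add(name)
    return sorted(groups.values(), key=lambda g: sorted(g))


# Constructed feature tokens; the prefix names the attribute kind from the
# article's list (strings, imports, resources, entry-point code, packer/entropy).
# The two made-up families share only generic runtime imports and config strings.
COMMON = {"imp:LoadLibraryA", "imp:GetProcAddress", "imp:GetSystemTime",
          "str:config.ini", "str:log.txt"}
FAMILY_A = {"str:family_a_banner", "imp:CreateMutexA", "res:RT_DIALOG_101",
            "str:cmd_menu", "ep:push ebp; mov ebp, esp"}
FAMILY_B = {"str:family_b_banner", "imp:WriteFile", "res:RT_BITMAP_7",
            "str:status_window", "ep:call sub_401000"}

SAMPLES: Dict[str, Set[str]] = {
    "A_1": COMMON | FAMILY_A,
    # Rebuilt variant with a different entry point: shares 9 of 11 tokens with A_1.
    "A_2": COMMON | (FAMILY_A - {"ep:push ebp; mov ebp, esp"}) | {"ep:sub esp, 0x40"},
    "B_1": COMMON | FAMILY_B,
    "B_2": COMMON | (FAMILY_B - {"ep:call sub_401000"}) | {"ep:jmp loc_402000"},
    # Packed, unrelated sample: no tokens in common with anything else.
    "C_1": {"imp:socket", "imp:connect", "str:update.bin",
            "ep:xor eax, eax", "packer:UPX", "entropy:high"},
}


if __name__ == "__main__":
    for threshold in (0.7, 0.3):
        print(f"threshold {threshold}: {cluster(SAMPLES, threshold)}")
```

At 0.7 the two families stay apart and the packed sample is a singleton; at 0.3 the five shared generic tokens (one third of either family's union) are enough to merge A and B, which is the kind of weak cross-family link the article reads as possible code overlap. The pairwise scores are what the line widths in its cluster graphs encode, and a packed sample that yields few meaningful strings or imports simply stays unconnected, matching the article's remark that packed files are a poor fit for static clustering.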
  3. Source: https://m.habr.com/ru/company/dsec/blog/334832/

Digital Security Company Blog. Information Security. Reverse engineering. dukebarman, August 15, 2017

Favorites: reverse engineering links

Hello! Today we would like to share our list of materials on reverse engineering (RE). This list is very extensive, because our research department is primarily concerned with RE tasks. In our opinion, the selection of materials on the topic is good for a start, and it may remain relevant for a long time. For five years we have been sending this list of links, resources and books to people who would like to get into our research department but do not yet pass on their level of knowledge, or who are just beginning their way in the field of information security. Naturally, this list, like most materials and selections, will need updating from time to time.

Funny fact: we were shown how some companies send out our list of materials as their own, but only in a very old edition. After this publication, they will finally be able to use its updated version with a clear conscience ;)

So, let's go to the list of materials!

Topics
  a. Reverse engineering
  b. Search for vulnerabilities (fuzzing)
  c. Exploiting vulnerabilities
  d. Malware analysis
Tools
  a. IDA Pro
  b. Radare2
  c. WinDBG (OllyDbg / Immunity Debugger / x64dbg)
  d. GDB
  e. DBI
  f. SMT
  g. Python for automation
  h. BAF (Binary Analysis Frameworks)
Architecture
  a. x86-x86_64
  b. ARM
OS
  a. Windows
  b. Linux
  c. Mac OS (OSX) / iOS
  d. Android
File formats
  a. PE
  b. ELF
  c. Mach-O
Programming
  a. C / C++
  b. Assembler
Practice
  a. War games

1. Topics

In this section, we will look at the main areas of RE application. Let's start directly with the reverse engineering process itself, move on to finding vulnerabilities and developing exploits, and, of course, get to malware analysis.
1.a Reverse engineering

  • Chris Kaspersky's "The Art of Disassembling" is not new, but a very good and still up-to-date book from Chris with a good systematization of knowledge and excellent material;
  • "Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation" - a "new" book from several well-known information security specialists covering some new issues and themes that are missing from Chris's book;
  • "Reverse Engineering for Beginners" by Dennis Yurichev is a completely free book, already translated into many languages of the world. Probably the most remarkable thing here is the presence of interesting tasks after each chapter, for several architectures at once;
  • "Practical RE tips" - an excellent webinar in English from Gynvael Coldwind, containing many useful tips and scripts about RE;
  • The resource OPENSECURITYTRAINING.INFO contains good educational lectures and videos on RE in English;
  • "Digging Through the Firmware" is a good series of articles from Practical Reverse Engineering - useful for those who are just about to dive into the world of device firmware reversing;
  • "Training: Security of BIOS/UEFI System Firmware from Attacker and Defender Perspectives" - if you want to dive into the world of firmware security and UEFI BIOS, then you definitely need to familiarize yourself with these slides, which were previously part of paid training at leading security conferences;
  • CRYPTO101 - a little introduction to cryptography, without which you cannot do.

1.b Vulnerability Scan

  • "Fuzzing: Brute Force Vulnerability Discovery" - although not a new book, it's just right for understanding the basics of fuzzing. There is a translation into Russian, but it contains rather funny blunders;
  • "Automatic search for vulnerabilities in programs without source code" - good introductory material in Russian, presented at PHDays 2011;
  • "The Evolving Art of Fuzzing" - an article about the development of fuzzing;
  • "Modern Security Vulnerability Discovery" - a compilation of different techniques for finding vulnerabilities in one document;
  • "(State of) The Art of War: Offensive Techniques in Binary Analysis" - an all-in-one document on all existing vulnerability search techniques;
  • "The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities" is far from a new, but still relevant, book on different approaches to finding vulnerabilities.

1.c Examples of exploiting found vulnerabilities

  • "Exploit Writing Tutorials by Corelan Team" (translation) - a famous series of posts on writing exploits and shellcodes, starting with the basics;
  • "Exploit Development Community" (partial translation) - a series of articles on writing a working exploit for IE 10 and 11;
  • "Modern Binary Exploitation" - materials from the RPISEC team from the training course they conducted at Rensselaer Polytechnic Institute;
  • "Web archive of the Vupen company blog" - a defunct blog with examples of exploiting complex vulnerabilities in VirtualBox, XEN, Firefox, IE10, Windows Kernel, Adobe Flash, Adobe Reader;
  • "Project Zero" - the blog of Google's research team, where their experts often share interesting stories on the exploitation of various cool vulnerabilities;
  • "Browser mitigations against memory corruption vulnerabilities" - protection technologies used in popular browsers:
    "Browsers and app specific security mitigation. Part 1"
    "Browsers and app specific security mitigation. Part 2. Internet Explorer and Edge"
    "Browsers and app specific security mitigation. Part 3. Google Chrome"
  • "SoK: Eternal War in Memory" is an excellent document that shows the attack model and describes various mechanisms to prevent exploitation at different stages for different types of vulnerabilities associated with memory corruption;
  • "Writing Exploits for Win32 Systems from Scratch" - a detailed article on writing an exploit from scratch for a vulnerability in the SLMail program;
  • Phrack - the famous hacker magazine. We recommend reading, first of all, the articles in the category "The Art of Exploitation";
  • "The Shellcoder's Handbook: Discovering and Exploiting Security Holes" is a legendary book on shellcode writing.

1.d Malware Analysis

  • "Practical Malware Labs" - materials for the book "Practical Malware Analysis";
  • "Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code" - we recommend this and the previous book as one set to those interested in this topic;
  • "Malware Analysis Tutorials: a Reverse Engineering Approach" (translation) is a rather long series of articles devoted to setting up an environment and subsequently analyzing malware in it;
  • "Course materials for Malware Analysis by RPISEC" - another course from RPISEC, this time about malware;
  • "Computer viruses and antiviruses. A programmer's view" - even though the book examines malicious programs starting from the DOS times, it will still be useful, because besides analyzing the code of such programs, the author shows examples of writing antiviruses for each specific case.

2. Necessary tools

Below are the popular tools used in RE.

2.a IDA Pro

  • "The IDA Pro Book: The Unofficial Guide to the World's Most Popular Disassembler" is a book that will make your acquaintance with IDA Pro easy and relaxed;
  • "TiGa's Video Tutorial Series on IDA Pro" - a selection of small HOW-TO videos using IDA Pro;
  • "Open Analysis Live" - in contrast to the previous selection on the use of IDA Pro, this one is newer and more up to date. Mostly, malware analysis is considered.

2.b Radare2

  • "The radare2 book" - the main book on the use of the Radare2 framework for reversing;
  • "Radare2 Cheatsheet" - a "cheat sheet" for the main commands;
  • "Radare Today - the blog of radare2" - the framework's blog. There is not only news, but also practical examples.

2.c WinDBG (OllyDbg / Immunity Debugger / x64dbg)

You also cannot do without knowledge of the principles of the debugger and the ability to use it. Below we look at debuggers for Windows OS, and in the next section we will focus on the famous GDB. So, let's go:

  • "Advanced Windows Debugging: Developing and Administering Reliable, Robust, and Secure Software" - first of all, this book is useful for understanding and "catching" errors like heap corruption;
  • "Inside Windows Debugging: A Practical Guide to Debugging and Tracing Strategies in Windows" - this edition will complement the previous book well;
  • "An introduction to cracking from scratch using OllyDbg" - unfortunately, the old wasm.ru resource was closed, but this compilation is easily found because it has been duplicated on many resources. In addition, "forks" began to appear on the net that use x64dbg or IDA instead.

2.d GDB

  • "gdb Debugging Full Example (Tutorial): ncurses" - a guide to using GDB;
  • "GEF - GDB Multi-Architecture Enhanced Features for Exploiters & Reverse-Engineers" - a GDB add-on written in Python that adds many useful new commands, which will be useful for developing exploits;
  • "GEF Tutorials" is a series of screencasts on using GEF.

2.e DBI

Programmable debugging is today an indispensable approach in the arsenal of any reverser, and DBI is one of the tools. More details:

  • "Dynamic Binary Instrumentation in Information Security" - this article has already collected some generalized information about DBI;
  • "Light And Dark Side Of Code Instrumentation" - this presentation will help you navigate the varieties of code instrumentation tools and when and how they can help with the analysis of programs.
2.f SMT What is the SMT solver? In short, an SMT solver is a program that can solve logical formulas. The basic idea of using SMT in the field of software security is to translate a program code or algorithm into a logical formula, and then use a SMT solver to test one or another property of this code. In other words, SMT provides a mathematical tool for semantic code analysis. SMT solvers have been used in our field for quite some time. They are well established for the following tasks: search bugs (static analysis / fuzzing); deobfuscation; "home" cryptanalysis; character execution (as an "engine"); There are also some successes in the field of automatic exploit generation (for example, ROP generation). During this time, SMT lost the aura of mystery, more or less working tools for “ordinary” people appeared. Below are sources that will help to plunge into the topic: " SMT Solvers for Software Security, Sean Heelan, Rolf Rolles " - perhaps the first scientific work in which the application of SMT was proposed for solving software security problems. It gives an idea of where and how SMT can find its place in this area; Z3 is one of the most popular and effective SMT solvers; Z3 wiki - project repository; " Getting Started with Z3: A Guide " - online tutorial, SMT-solver for experiments; Z3Py - binding in Python for Z3; " Experimenting with Z3 - Dead code elimination "; " Experimenting with Z3 - Proving opaque predicates "; " Theorem prover, symbolic execution and practical reverse-engineering " - a good overview presentation, with examples of solving real-world problems and using Z3Py; " Quick introduction into SAT / SMT solvers and symbolic execution " ( Russian version ) is a good book with interesting practical examples. " An introduction to the use of SMT solvers " - review material. 
2.g Python for Automation Today, without basic knowledge of Python, it will be very difficult, because this programming language is considered the most popular means for automating various tasks in the field of information security (and not only). In addition, it is used in various utilities (for example, all the above utilities allow you to complement the functionality with the help of this PL): " Gray Hat Python " ( translation ) is a great book that tells you how useful Python is in reverse; " The Beginner's Guide to IDAPython " - a free book on IDAPython; " Python Arsenal for Reverse Engineering " is a resource dedicated to various utilities and libraries for reverse engineering using Python. 2.h BAF (Binary Analysis Frameworks) For a bit more advanced, we recommend paying attention to whole frameworks, which in their composition use the previously mentioned mechanisms and analysis tools for solving more complex problems. So, here they are: " Overview and Usage of Binary Analysis Frameworks " - a small overview of BAF; Some interesting frameworks / tools: Triton Developer Use Examples " Dynamic Binary Analysis and Obfuscated Codes " How can Triton help virtual machine based software protections Angr Solving kao's toy project with symbolic execution and angr Ponce Binary Analysis Platform . 3. Architecture We will cover only a few popular architectures.At the end of the article in the section with additional materials you will find information on many others (MIPS, PowerPC, etc.). 3.a x86-x86_64 " Intel 64 and IA-32 Architectures Software Developer Developers " - previously, such manuals were sent by mail, but because of the large amount of material in them, printing became expensive. Recommended as a desktop reference. 
3.b ARM Azeria Labs (ARM Assembly Basics & ARM Exploit Development) - a site with articles on the basics of ARM-assembler and the development of exploits for this architecture; The course " Introduction to ARM " - a two-day video course on ARM-development and operation; VisUAL - visualization of the work of ARM-commands. 4. OS Knowledge of the principles of work of popular Operating Systems. 4.a Windows " Windows Internals " - the fundamental book for understanding the work of Windows. The following items, although mainly related to the exploitation of vulnerabilities in this OS, but allow you to learn more about the insides of Windows: " Windows exploits, mostly precompiled " " Exploit Development Environment " " Windows Breakout from Defcon24 " " Part 10: Kernel Exploitation -> Stack Overflow " " Kernel and Driver explotation ". 4.b linux " Linux insides " is an analogue of the book Windows Internals, but only for OS such as Linux. As in the case of Windows, the following topics are related to the development of exploits: " Heap Exploitation into Linux " " A series of tutorial for linux exploit development to newbie " " Linux Kernel Exploitation " " Programming Linux Anti-Reversing Techniques " 4.c Mac OS (OSX) / iOS " Reverse Engineering Resources Mac and iOS " - a selection of materials on this topic. 4.d Android " Android Hacker's Handbook " - probably the most popular book dedicated to the safety of the Android OS; " Android Internals :: Power User's View " - a book that tells about the internal mechanisms of this OS. Due to recent leaks, the material appeared in the public domain, about which the author himself writes on his website and provides an opportunity to download the previous version. 5. Executable file formats This section provides links explaining the details of popular executable file formats. 5.a PE " PE sections "; " PE Title "; " Windows executable file format. PE32 and PE64 "; " Computer viruses inside and out ." 
5.b ELF " Linux x64 Infection for Lamers (by a Lamer)." 5.c mach-o " Parsing mach-o files " The famous researcher corkami makes very useful and interesting "posters" with the scheme of various file formats, including those mentioned above. We recommend using them as a cheat sheet. A utility Kaitai Sctruct will help in the analysis. 6. Programming One of our friends once said that a good reverser is 80% a good programmer. The ability to program and understand what is being done and why simplifies the process of researching someone else's program. Therefore, without programming in the reverse nowhere. And of course, the automation of routine tasks, as you probably already understood, is a very useful thing;) 6.a C / C ++ Modern Memory Safety: C / C ++ Vulnerability Discovery, Exploitation, Hardening is a great course with excellent examples. Just must have stuff for everyone. 6.b ASM " A Crash Course in x86 Assembly for Reverse Engineers " - an "accelerated course" for diving in x86 Assembler, positioned as special for RE; " Assembly Programming Tutorial " - assembly programming manual, with the ability to run examples online as you study; " Assembler. 2nd edition " - it is recommended to use as a reference; " x86 Assembly Guide " - online version. 7. Practice This section provides links to virtual machines and online resources to practice. 7.a War Games SmashTheStack Wargaming Network - this multi-wargame network is maintained by volunteers and is available online. We recommend starting with it; BinTut - local wargame; Reversing Workshop - a master class on solving tasks from the annual competition "The Flare On Challenge" for 2016; Exploit-Challenges - a selection of vulnerable ARM binary files; ARM Reverse Engineering Exercises - the original repository "disappeared", but one of the forks was found on the github expanses; CTF Time - here you can find out the schedule of future CTF-events and read the solutions of the past. 
And finally, a few links with a large number of materials on the above topics:
- A selection generally devoted to the field of information security
- On the exploitation of vulnerabilities
- On reverse engineering: Awesome-reversing, REMath Resource Overview
- On the exploitation of vulnerabilities in Windows
- On fuzzing
- Malware Analysis
And many more different "awesome" collections.
Author: Boris Ryutin (@dukebarman), Security researcher
4. Source: https://m.habr.com/ru/company/dsec/blog/452836/
Digital Security company blog, Information Security, Network technologies. forkyforky, May 28
Web tools, or where does a pentester start?
We continue to talk about useful tools for the pentester. In this new article we will look at tools for analyzing the security of web applications. Our colleague BeLove already did a similar selection about seven years ago. It is interesting to see which tools have retained and strengthened their positions, and which have faded into the background and are now rarely used. Note that the Burp Suite also belongs here, but there will be a separate publication about it and its useful plugins.
Contents: Amass, Altdns, aquatone, MassDNS, nsec3map, Acunetix, Dirsearch, wfuzz, ffuf, gobuster, Arjun, LinkFinder, JSParser, sqlmap, NoSQLMap, oxml_xxe, tplmap, CeWL, Weakpass, AEM_hacker, Joomscan, WPScan

Amass
Amass is a Go tool for searching and enumerating DNS subdomains and mapping an external network. Amass is an OWASP project created to show how organizations on the Internet look to an outsider. Amass gets the names of subdomains in various ways: the tool uses both recursive enumeration of subdomains and searches in open sources. To find connected network segments and autonomous system numbers, Amass uses the IP addresses obtained during operation. All found information is used to build a network map.
Pros:
- Information collection techniques include:
  * DNS: enumeration of subdomains from a dictionary, brute-forcing subdomains, "smart" enumeration using mutations based on the found subdomains, reverse DNS requests and a search for DNS servers on which it is possible to request a zone transfer (AXFR);
  * Search in open sources: Ask, Baidu, Bing, CommonCrawl, DNSDB, DNSDumpster, DNSTable, Dogpile, Exalead, FindSubdomains, Google, IPv4Info, Netcraft, PTRArchive, Riddler, SiteDossier, ThreatCrowd, VirusTotal, Yahoo;
  * Search of TLS certificate databases: Censys, CertDB, CertSpotter, Crtsh, Entrust;
  * Using the APIs of search engines: BinaryEdge, BufferOver, CIRCL, HackerTarget, PassiveTotal, Robtex, SecurityTrails, Shodan, Twitter, Umbrella, URLScan;
  * Search of the web archives of the Internet: ArchiveIt, ArchiveToday, Arquivo, LoCArchive, OpenUKArchive, UKGovArchive, Wayback;
- Integration with Maltego;
- Provides the most complete coverage for the task of finding DNS subdomains.
Cons:
- Be careful with amass.netdomains: it will try to access each IP address in the identified infrastructure and obtain domain names from reverse DNS queries and TLS certificates. This is a "loud" technique; it can reveal your reconnaissance actions to the organization under study.
- High memory consumption: it can consume up to 2 GB of RAM in different settings, which will not allow running this tool in the cloud on a cheap VDS.

Altdns
Altdns is a Python tool for compiling dictionaries for brute-forcing DNS subdomains. It allows you to generate many variants of subdomains using mutations and permutations. To do this, it uses words that are often found in subdomains (for example: test, dev, staging); all mutations and permutations are applied to already known subdomains, which can be submitted as input to Altdns. The output is a list of subdomain variants that may exist, and this list can later be used for DNS brute force.
Pros:
- Works well with large data sets.

aquatone
aquatone was previously better known as another tool for finding subdomains, but the author himself abandoned this in favor of the aforementioned Amass. Now aquatone has been rewritten in Go and is more geared towards preliminary reconnaissance of websites. To do this, aquatone goes through the specified domains and searches for websites on different ports, after which it collects all the information about the site and takes a screenshot. Convenient for quick preliminary exploration of websites, after which you can select priority targets for attacks.
Pros:
- At the output, it creates a group of files and folders that are convenient for further work with other tools:
  * HTML report with the collected screenshots and response headers grouped by similarity;
  * File with all the URLs on which websites were found;
  * File with statistics and page data;
  * Folder with files containing the response headers from the found targets;
  * Folder with files containing the response bodies from the found targets;
  * Screenshots of the found websites;
- Supports working with XML reports from Nmap and Masscan;
- Uses headless Chrome / Chromium for rendering screenshots.
Cons:
- It may attract the attention of intrusion detection systems, and therefore requires tuning.
The screenshot was made for one of the old versions of aquatone (v0.5.0), in which the search for DNS subdomains was implemented. Older versions can be found on the releases page.
Screenshot: aquatone v0.5.0

MassDNS
MassDNS is another tool for finding DNS subdomains. Its main difference is that it makes DNS queries directly to many different DNS resolvers and does so at considerable speed.
Pros:
- Fast: able to resolve more than 350 thousand names per second.
Cons:
- MassDNS can cause a significant load on the DNS resolvers used, which can lead to a ban on these servers or complaints to your provider. In addition, it will cause a large load on the company's DNS servers, if they have them and if they are responsible for the domains you are trying to resolve;
- The list of resolvers is currently outdated, but if you filter out broken DNS resolvers and add new known ones, everything will be fine.

nsec3map
nsec3map is a Python tool for getting a complete list of DNSSEC-protected domains.
Pros:
- Quickly detects hosts in DNS zones with a minimal number of queries if DNSSEC support is enabled in the zone;
- Comes with a plugin for John the Ripper, which can be used to crack the resulting NSEC3 hashes.
Cons:
- Many DNS errors are handled incorrectly;
- There is no automatic parallelization of processing NSEC records; you have to split the namespace manually;
- High memory consumption.

Acunetix
Acunetix is a web vulnerability scanner that automates the process of checking web application security. It tests the application for SQL injection, XSS, XXE, SSRF, and many other web vulnerabilities. However, just like any other scanner for multiple web vulnerabilities, it does not replace the pentester, since complex chains of vulnerabilities or vulnerabilities in logic cannot be found. But it covers a lot of different vulnerabilities, including different CVEs, which the pentester could have forgotten, so it is very convenient for getting rid of routine checks.
Pros:
- Low level of false positives;
- Results can be exported as reports;
- Performs a large number of checks for different vulnerabilities;
- Parallel scanning of multiple hosts.
Cons:
- There is no de-duplication algorithm (Acunetix will consider pages with the same functionality different, because different URLs lead to them), but the developers are working on it;
- Requires installation on a separate web server, which makes it difficult to test client systems over a VPN connection and to use the scanner in an isolated segment of the client's local network;
- It can "rustle" the service under study, for example, send too many attack vectors to the contact form on the site, thereby greatly complicating business processes;
- It is a proprietary and, accordingly, non-free solution.

Dirsearch
Dirsearch is a Python tool for brute-forcing directories and files on websites.
Pros:
- It can distinguish real "200 OK" pages from "200 OK" pages with the text "page not found";
- Comes with a handy dictionary that has a good balance between size and search efficiency. It contains standard paths typical of many CMSs and technology stacks;
- Its own dictionary format, which allows you to achieve good efficiency and flexibility when searching for files and directories;
- Convenient output: plain text, JSON;
- Able to do throttling, a pause between requests, which is vital for any weak service.
Cons:
- Extensions must be passed as a string, which is inconvenient if you need to pass many extensions at once;
- In order to use your own dictionary, it will need to be slightly modified to the format of the Dirsearch dictionaries for maximum efficiency.

wfuzz
wfuzz is a Python fuzzer for web applications, probably one of the most famous web fuzzers. The principle is simple: wfuzz allows fuzzing any place in an HTTP request, which allows fuzzing of GET / POST parameters and HTTP headers, including Cookies and other authentication headers. At the same time, it is convenient for simple brute-forcing of directories and files, for which you need a good dictionary. It also has a flexible filter system, with which you can filter the responses from the website by different parameters, which allows you to achieve effective results.
Pros:
- Multifunctional: modular structure, assembly takes several minutes;
- Convenient filtering and fuzzing mechanism;
- You can fuzz any HTTP method, as well as any place in the HTTP request.
Cons:
- Still in development.

ffuf
ffuf is a web fuzzer in Go, created in a similar fashion to wfuzz; it allows brute-forcing files, directories, URL paths, names and values of GET / POST parameters, and HTTP headers, including the Host header for virtual hosts. It differs from its colleague wfuzz by higher speed and some new features; for example, Dirsearch-format dictionaries are supported.
Pros:
- Filters are similar to wfuzz filters and allow flexible configuration of brute force;
- Allows fuzzing HTTP header values, data from POST requests and various parts of the URL, including the names and values of GET parameters;
- You can specify any HTTP method.
Cons:
- Still in development.

gobuster
gobuster is a Go tool for reconnaissance; it has two modes of operation. The first is used for brute-forcing files and directories on a website, the second for enumerating DNS subdomains. The tool initially does not support recursive enumeration of files and directories, which, of course, saves time, but on the other hand, the brute force of each new endpoint on the website needs to be launched separately.
Pros:
- High speed for both brute-forcing DNS subdomains and brute-forcing files and directories.
Cons:
- The current version does not support setting HTTP headers;
- By default, only some of the HTTP status codes (200, 204, 301, 302, 307) are considered valid.

Arjun
Arjun is a tool for brute-forcing hidden HTTP parameters in GET / POST parameters, as well as in JSON. The built-in dictionary has 25,980 words that Arjun checks in almost 30 seconds. The trick is that Arjun does not check each parameter separately, but checks ~1000 parameters at a time and looks to see whether the response has changed. If the response has changed, it divides these 1000 parameters into two parts and checks which of these parts affects the response. Thus, using a simple binary search, the parameter or several hidden parameters that influenced the response, and therefore may exist, are found.
Pros:
- High speed due to binary search;
- Support for GET / POST parameters, as well as parameters in the form of JSON.
The Burp Suite plugin param-miner works on the same principle and is also very good at finding hidden HTTP parameters. We will tell you more about it in the upcoming article about Burp and its plugins.

LinkFinder
LinkFinder is a Python script for searching for links in JavaScript files. Useful for finding hidden or forgotten endpoints / URLs in a web application.
Pros:
- Fast;
- There is a special plugin for Chrome based on LinkFinder.
Cons:
- Inconvenient final output;
- Does not analyze JavaScript dynamically;
- Quite simple link search logic: if the JavaScript is obfuscated in some way, or the links are initially missing and dynamically generated, you will not be able to find anything.

JSParser
JSParser is a Python script that uses Tornado and JSBeautifier to analyze relative URLs from JavaScript files. Very useful for detecting AJAX requests and compiling a list of API methods with which the application interacts. Works effectively paired with LinkFinder.
Pros:
- Quick parsing of JavaScript files.

sqlmap
sqlmap is probably one of the most well-known tools for analyzing web applications. sqlmap automates the search for and exploitation of SQL injections, works with several SQL dialects, and has in its arsenal a huge number of different techniques, ranging from quotes head-on and ending with complex vectors for time-based SQL injections. In addition, it has many techniques for further exploitation of various DBMSs; therefore, it is useful not only as a scanner for SQL injections, but also as a powerful tool for exploiting already found SQL injections.
Pros:
- A large number of different techniques and vectors;
- Low number of false positives;
- Many possibilities for fine tuning: various techniques, target database, tamper scripts for bypassing WAFs;
- Ability to dump output data;
- Many different exploitation possibilities, for example, for some databases: automatic file upload / download, command execution (RCE) and others;
- Support for direct connection to the database using the data obtained during the attack;
- As input, you can submit a text file with the results of Burp's work; no need to manually compile all the command line arguments.
Cons:
- It is difficult to customize, for example, to write some of your own checks, due to poor documentation on this;
- Without the appropriate settings it conducts an incomplete set of checks, which can be misleading.

NoSQLMap
NoSQLMap is a Python tool for automating the search for and exploitation of NoSQL injection. It is convenient to use not only with NoSQL databases, but also directly when auditing web applications that use NoSQL.
Pros:
- As with sqlmap, it allows you not only to find a potential vulnerability, but also checks the possibility of its exploitation for MongoDB and CouchDB.
Cons:
- Does not support NoSQL for Redis or Cassandra; it is being developed in this direction.

oxml_xxe
oxml_xxe is a tool for embedding XXE XML exploits into various file types that use an XML format in some form.
Pros:
- It supports many common formats, such as DOCX, ODT, SVG, XML.
Cons:
- PDF, JPEG, GIF are not fully supported;
- Creates only one file. To solve this problem, you can use the docem tool, which can create a large number of files with payloads in different places.
The aforementioned utilities do an excellent job with XXE testing when uploading documents containing XML. But also do not forget that XML format handlers can occur in many other cases; for example, XML can be used as a data format instead of JSON. Therefore, we recommend paying attention to the following repository containing a large variety of payloads: PayloadsAllTheThings.

tplmap
tplmap is a Python tool to automatically detect and exploit Server-Side Template Injection vulnerabilities. It has settings and flags similar to sqlmap. It uses several different techniques and vectors, including blind injections, and also has techniques for executing code and uploading / downloading arbitrary files. In addition, it has in its arsenal techniques for a dozen different template engines and some techniques for searching for eval()-like code injections in Python, Ruby, PHP, JavaScript. In case of successful exploitation, it opens an interactive console.
Pros:
- A large number of different techniques and vectors;
- Supports many template rendering engines;
- A lot of exploitation techniques.

CeWL
CeWL is a Ruby dictionary generator, created to extract unique words from a specified website, following links on the website to a specified depth. The compiled dictionary of unique words can be used later for brute-forcing passwords on services or brute-forcing files and directories on the same website, or to attack obtained hashes using hashcat or John the Ripper. Useful for compiling a "targeted" list of potential passwords.
Pros:
- Easy to use.
Cons:
- You need to be careful with the depth of search, so as not to capture an extra domain.

Weakpass
Weakpass is a service containing many dictionaries with unique passwords. It is extremely useful for various tasks related to password cracking, ranging from simple online brute-forcing of accounts on target services to offline brute-forcing of hashes obtained using hashcat or John The Ripper. There are about 8 billion passwords with lengths from 4 to 25 characters.
Pros:
- Contains both specific dictionaries and dictionaries with the most common passwords; you can choose a specific dictionary for your own needs;
- Dictionaries are updated and supplemented with new passwords;
- Dictionaries are sorted by efficiency. You can choose an option for quick online brute force, as well as for a detailed selection of passwords from the extensive dictionary with the latest leaks;
- There is a calculator showing the time for password brute force on your hardware.

In a separate group, we would like to bring together the tools for CMS checks: WPScan, JoomScan and AEM hacker.

AEM_hacker
AEM hacker is a tool for detecting vulnerabilities in Adobe Experience Manager (AEM) applications.
Pros:
- Can detect AEM applications from the list of URLs submitted as input;
- It contains scripts for obtaining RCE by uploading a JSP shell or using SSRF.

Joomscan
JoomScan is a Perl tool to automate the detection of vulnerabilities in Joomla CMS deployments.
Pros:
- Able to find configuration flaws and problems with admin settings;
- Lists Joomla versions and related vulnerabilities, and similarly for individual components;
- Contains more than 1000 exploits for Joomla components;
- Outputs final reports in text and HTML formats.

WPScan
WPScan is a tool for scanning WordPress sites; it has in its arsenal vulnerabilities for the WordPress engine itself, as well as for some plugins.
Pros:
- Able to list not only unsafe WordPress plugins and themes, but also to get a list of users and TimThumb files;
- Can conduct brute force attacks on WordPress sites.
Cons:
- Without the appropriate settings it conducts an incomplete set of checks, which can be misleading.

In general, different people prefer different tools for work: they are all good in their own way, and what one person liked may not suit another. If you think that we have undeservedly bypassed some good utility, write about it in the comments!
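The group-then-bisect strategy the post above attributes to Arjun, written out as an added example that is not Arjun's own code: the "web application" is a constructed in-memory function (hypothetical) that changes its output only when an undocumented parameter is present, so the whole thing runs offline and sends no real requests.

```python
"""Group-testing discovery of hidden HTTP parameters, the approach the post
describes for Arjun. Illustrative re-implementation, not Arjun's own code.
The target is a constructed stand-in for a web application, so this runs
offline and issues no network requests at all."""
from typing import Callable, Dict, List, Optional, Tuple

Params = Dict[str, str]
App = Callable[[Params], str]


def make_demo_app(hidden_names: List[str]) -> App:
    """Constructed stand-in for a web application (hypothetical). It renders a
    search page from the documented parameter 'q' and changes its output only
    when one of the undocumented parameters in hidden_names is present."""
    def app(params: Params) -> str:
        body = "<h1>Search</h1><p>query=%s</p>" % params.get("q", "")
        for name in hidden_names:
            if name in params:
                body += "<!-- %s=%s -->" % (name, params[name])
        return body
    return app


class ParamDiscoverer:
    """Finds parameters that change the response by probing many candidate
    names at once and bisecting any group that caused a change, instead of
    sending one request per candidate name."""

    PROBE_VALUE = "zzz9q3"  # constant value attached to every candidate name

    def __init__(self, app: App, chunk_size: int = 1000) -> None:
        self.app = app
        self.chunk_size = chunk_size
        self.requests = 0  # number of simulated HTTP requests issued

    def _probe(self, params: Params) -> str:
        self.requests += 1
        return self.app(params)

    def find_hidden(self, wordlist: List[str],
                    base: Optional[Params] = None) -> List[str]:
        base = dict(base or {})
        # Names already present in the request are known, not hidden.
        candidates = [w for w in wordlist if w not in base]
        baseline = self._probe(base)  # response with no extra parameters
        found: List[str] = []
        for i in range(0, len(candidates), self.chunk_size):
            self._bisect(candidates[i:i + self.chunk_size], base, baseline, found)
        return found

    def _bisect(self, names: List[str], base: Params, baseline: str,
                found: List[str]) -> None:
        params = dict(base)
        for name in names:
            params[name] = self.PROBE_VALUE
        if self._probe(params) == baseline:
            return  # nothing in this group influences the response
        if len(names) == 1:
            found.append(names[0])  # a single name changed the response
            return
        mid = len(names) // 2
        self._bisect(names[:mid], base, baseline, found)
        self._bisect(names[mid:], base, baseline, found)


# Constructed wordlist: a few common names plus filler, including two names
# ("debug" and "admin") that the demo app treats as hidden parameters.
WORDLIST = sorted({"id", "page", "sort", "lang", "q", "debug", "admin"}
                  | {"param%04d" % i for i in range(2400)})


def demo() -> Tuple[List[str], int]:
    """Runs discovery against the demo app; returns (found names, requests)."""
    app = make_demo_app(["debug", "admin"])
    finder = ParamDiscoverer(app, chunk_size=1000)
    found = finder.find_hidden(WORDLIST, base={"q": "test"})
    return sorted(found), finder.requests


if __name__ == "__main__":
    names, count = demo()
    # Two hidden names out of ~2400 candidates are located in a few dozen
    # requests rather than one request per candidate.
    print("hidden parameters:", names, "found with", count, "requests")
```

On the server side this technique leaves an easily recognised trace: single requests carrying hundreds of unknown parameter names, so logging the parameter count per request is a cheap signal to alert on.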
5. for (int j = n - 1; j > 0; j--) { // blabla }
6. Post the code so it can be copy-pasted. It's easy.
  7. https://trenduri.blogspot.com/2019/05/huawei-si-reduta-americana.html?m=1
8. What if you connect them to a Raspberry? What brand and model are the cameras?
9. It might work on an Android fork. I have a Nexus 5X, which they said was pure Android, and I used it for 3 years. It seemed the worst to me. It was fast only because it was bare. When I filled up the 32 GB it crashed once every two days.
10. Let the Chinese government release some more American paper onto the market and they'll bury them completely.
11. The 2018 version, 5th edition: https://b-ok.cc/book/3586769/2d5561 Thanks @gaddafi for the site.
12. Hi, does anyone have this book: Rootkits and Bootkits | No Starch Press https://nostarch.com › rootkits ? https://www.amazon.com/Rootkits-Bootkits-Reversing-Malware-Generation/dp/1593277164/ref=sr_1_10?crid=PFUD52MLVM7P&keywords=practical+malware+analysis&qid=1557925744&s=gateway&sprefix=practical+malware+ana,aps,244&sr=8-10 Thanks.
13. I'd say it's more worthwhile to learn a little asm than to struggle with the pseudocode. You apply the patch on the asm anyway. It only gets in your way.
  14. https://www.kali.org/kali-linux-nethunter/