Affichage des articles dont le libellé est Information Gathering. Afficher tous les articles
Affichage des articles dont le libellé est Information Gathering. Afficher tous les articles

Sniffly To Sniffing Browser History Using HSTS And CSP


Sniffly Trick For Browser Fingerprinting. Sniffing browser history using HSTS + CSP.

Sniffly is an attack that abuses HTTP Strict Transport Security and Content Security Policy to allow arbitrary websites to sniff a user's browsing history. It has been tested in Firefox and Chrome.

How it works

I recommend reading the inline comments in src/index.js to understand how Sniffly does a timing attack in both FF and Chrome without polluting the local HSTS store. tl;dr version:


  1. User visits Sniffly page
  2. Browser attempts to load images from various HSTS domains over HTTP
  3. Sniffly sets a CSP policy that restricts images to HTTP, so image sources are blocked before they are redirected to HTTPS. This is crucial! If the browser completes a request to the HTTPS site, then it will receive the HSTS pin, and the attack will no longer work when the user visits Sniffly.
  4. When an image gets blocked by CSP, its onerror handler is called. In this case, the onerror handler does some fancy tricks to time how long it took for the image to be redirected from HTTP to HTTPS. If this time is on the order of a millisecond, it was an HSTS redirect (no network request was made), which means the user has visited the image's domain before. If it's on the order of 100 milliseconds, then a network request probably occurred, meaning that the user hasn't visited the image's domain.
Finding HSTS hosts

To scrape an included list of sites (util/strict-transport-security.txt, courtesy Scott Helme) to determine which hosts send HSTS headers, do:

$ cd util
$ ./run.sh > results.log

where 1 batch is 100 sites. You can override util/strict-transport-security.txt with a different list, such as the full Alexa Top 1M, if you want.

To process and sort the results by max-age, excluding ones with max-age less than 1 day and ones that are preloaded:

$ cd util
$ ./process.py > processed.log

Once that's done, you can copy the hosts from processed.log into src/index.js.

Running sploitz

Visiting file:///path/to/sniffly/src/index.html in Chrome should just work. In Firefox, CSP headers using the tag are apparently not supported yet, so you need to set up a local webserver to serve the CSP HTTP response header. My Nginx server block looks something like this:

server {
    listen 8081;
    server_name localhost;
    location / {
        root /path/to/sniffly/src;
        add_header Content-Security-Policy "img-src http://*";
        index index.html;
    }
}

Caveats

Not supported yet in Safari, IE, or Chrome on iOS.
Extensions such as HTTPS Everywhere will mess up results.
Doesn't work reliably in Tor Browser since timings are rounded to the nearest 100-millisecond.
Users with a different HSTS preload list (ex: due to having an older browser) may not see accurate results.

More info available in my ToorCon 2015 slides: https://zyan.scripts.mit.edu/presentations/toorcon2015.pdf.

Demo

Visit http://zyan.scripts.mit.edu/sniffly/ in Firefox/Chrome/Opera with HTTPS Everywhere disabled. If you use an ad blocker, a bunch of advertising domains will probably show up in the "Probably Visited" column (ignore them).

Download
Read more

by Malik korrich ~ lundi 26 octobre 2015 0 commentaires

Wikileaks Released CIA Head Email Accounts Details


Wikileaks Released CIA Head Email Accounts Details

Yesterday Wikileaks Tweeted about to publish the Email account details.


According to Wikileaks,

"Today, 21 October 2015 and over the coming days WikiLeaks is releasing documents from one of CIA chief John Brennan's non-government email accounts. Brennan used the account occasionally for several intelligence related projects.

John Brennan became the Director of the Central Intelligence Agency in March 2013, replacing General David Petraeus who was forced to step down after becoming embroiled in a classified information mishandling scandal. Brennan was made Assistant to the President for Homeland Security and Counterterrorism on the commencement of the Obama presidency in 2009--a position he held until taking up his role as CIA chief.

According to the CIA Brennan previously worked for the agency for a 25 year stretch, from 1980 to 2005.

Brennan went private in 2005-2008, founding an intelligence and analysis firm The Analysis Corp (TAC). In 2008 Brennan became a donor to Obama. The same year TAC, led by Brennan, became a security advisor to the Obama campaign and later that year to the Obama-Biden Transition Project. It is during this period many of the Obama administration's key strategic policies to China, Iran and "Af-Pak" were formulated. When Obama and Biden entered into power, Brennan was lifted up on high, resulting in his subsequent high-level national security appointments."


Wikileaks didn't released Full  documents yet, they said more to come in coming days

Here is the CNN Interview of Hacker who Hacked CIA Director Email Account,

Read more

by Malik korrich ~ jeudi 22 octobre 2015 0 commentaires

Facebook Will Tell You If Any Government Is Spying On Your Account


Facebook Will Tell You If Any Government Is Spying On Your Account.

Facebook CSO Alex Stamos said in statement

The security of people's accounts is paramount at Facebook, which is why we constantly monitor for potentially malicious activity and offer many options to proactively secure your account. Starting today, we will notify you if we believe your account has been targeted or compromised by an attacker suspected of working on behalf of a nation-state. This is what the notification looks like on the desktop version of the Facebook website:


While we have always taken steps to secure accounts that we believe to have been compromised, we decided to show this additional warning if we have a strong suspicion that an attack could be government-sponsored. We do this because these types of attacks tend to be more advanced and dangerous than others, and we strongly encourage affected people to take the actions necessary to secure all of their online accounts.

It's important to understand that this warning is not related to any compromise of Facebook's platform or systems, and that having an account compromised in this manner may indicate that your computer or mobile device has been infected with malware. Ideally, people who see this message should take care to rebuild or replace these systems if possible.

To protect the integrity of our methods and processes, we often won't be able to explain how we attribute certain attacks to suspected attackers. That said, we plan to use this warning only in situations where the evidence strongly supports our conclusion. We hope that these warnings will assist those people in need of protection, and we will continue to improve our ability to prevent and detect attacks of all kinds against people on Facebook.

Alex Stamos is the Chief Security Officer at Facebook.
Read more

by Malik korrich ~ lundi 19 octobre 2015 0 commentaires

Hackers Can Steal Your Information Through EarPhones


Hackers Can Steal Your Information Through EarPhones..

As we are aware about that Google Voice or Siri are tracking us via our mobile devices so that represents a security risks too.

French Information Security ANSSI research have figured out that how to utilize radio waves to silently trigger voice summons on iPhones or Android devices on the off chance that they utilize headphones and have Google Now or Siri empowered.

Security researchers unveiled that hackers can steal your information to make calls, send texts or browse a Malware website without notifying you. its over 16 feet they can use the attack on your smartphone.

According to Wired,
The researcher utilized the earphones' cord as a radio wire and exploited is wire to change over electromagnetic waves into electrical signals that told the smartphone that orders to be sound are originating from the user microphone.

Earlier, IEEE report was published on the same topic,

Research exploit the principle of front-door coupling on smartphones headphone cables with specific electromagnetic waveforms. We present a smart use of intentional electromagnetic interference, resulting in finer impacts on an information system than a classical denial of service effect. As an outcome, we introduce a new silent remote voice command injection technique on modern smartphones.

How Radio Attack dangerous Silently?

  • It can make calls
  • To Send text messages
  • Browsing Phishing or Malware websites
  • Spam Messaging through Social Media Accounts


How this attack works ?
Watch Video:

Read more

by Malik korrich ~ vendredi 16 octobre 2015 0 commentaires

MEMSCAN A Memory Scanning Tool For A Specific Sequence of Bytes



MEMSCAN A Memory Scanning Tool.. 
For A Specific Sequence of Bytes!

A memory scanning tool which uses mach_vm* to either dump memory or look for a specific sequence of bytes.
To build MEMSCAN, you will need to have the OS installed. Well, you don't really need it but it makes life easier.

Once Theos is installed, simply navigate to the MEMSCAN folder in terminal and run:

make package install

Usage

Dumping the memory of a process


  1. Obtain the target process PID, using ps.
  2. Provide the PID to memscan:

./memscan -p -d

Finding objects in memory

Open your target app or process in a disassembler, grab first ~16 bytes (customise this number as you will) of the method you want to hook and these bytes will be your "signature".

Write the signature to a file, make sure to encode the bytes like so:

echo -n -e '\x55\x48\x89\xE5\xB8\x15\x00\x00\x00\x5D' > needle

Run the scanner against the target process. It will locate the signature in memory and print it's address. The signature has to be passed in as bytes, not a literal string so use the scanner as shown:

./memscan -p -s  

e.g:

./memscan -p 1234 -s ./needle

MEMSCAN should then print the address where the needle is located in memory.


Download
Read more

by Malik korrich ~ lundi 5 octobre 2015 0 commentaires

Your Android Phone is Vulnerable To Remote Hacking With StageFright Bugs


Your Android Phone is Vulnerable To Remote Hacking With StageFright Bugs!

Stagefright 2.0, a set of two vulnerabilities that manifest when processing specially crafted MP3 audio or MP4 video files. 

Security Researcher of Zimperium Joshua Drake (Vice President of platform research and exploitation at Zimperium) discovered two more vulnerabilities in the Android. His aimed to researching media processing in Android and focused on remote attacks agains current devices.

What is the vulnerability ? 
Processing specially crafted MP3 or MP4 files can lead to arbitrary code execution. -

The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue. Since the primary attack vector of MMS has been removed in newer versions of Google’s Hangouts and Messenger apps, the likely attack vector would be via the Web browser.

  • An attacker would try to convince an unsuspecting user to visit a URL pointing at an attacker controlled Web site (e.g., mobile spear-phishing or malicious ad campaign)
  • An attacker on the same network could inject the exploit using common traffic interception techniques (MITM) to unencrypted network traffic destined for the browser.
  • 3rd party apps (Media Players, Instant Messengers, etc.) that are using the vulnerable library.

After the execution this Vulnerbaility allow attackers to access to personal data and photos stored on the phone, be able to take photos, record conversations, email and SMS and can download malicious apps remotely.

Google said that new Stagefright bugs will be fixed in next schedule update.

Source: Zimperium
Read more

by Malik korrich ~ jeudi 1 octobre 2015 0 commentaires

Gryffin: A Large Scale Web Security Scanning Platform Project By Yahoo


Gryffin: A Large Scale Web Security Scanning Platform Project By Yahoo!

Gryffin is a large scale web security scanning platform. It is not yet another scanner. It was written to solve two specific problems with existing scanners: coverage and scale.

Better coverage translates to fewer false negatives. Inherent scalability translates to capability of scanning, and supporting a large elastic application infrastructure. Simply put, the ability to scan 1000 applications today to 100,000 applications tomorrow by straightforward horizontal scaling.

Coverage

Coverage has two dimensions - one during crawl and the other during fuzzing. In crawl phase, coverage implies being able to find as much of the application footprint. In scan phase, or while fuzzing, it implies being able to test each part of the application for an applied set of vulnerabilities in a deep.

Crawl Coverage

Today a large number of web applications are template-driven, meaning the same code or path generates millions of URLs. For a security scanner, it just needs one of the millions of URLs generated by the same code or path. Gryffin's crawler does just that.

Page Deduplication

At the heart of Gryffin is a deduplication engine that compares a new page with already seen pages. If the HTML structure of the new page is similar to those already seen, it is classified as a duplicate and not crawled further.

DOM Rendering and Navigation

A large number of applications today are rich applications. They are heavily driven by client-side JavaScript. In order to discover links and code paths in such applications, Gryffin's crawler uses PhantomJS for DOM rendering and navigation.

Scan Coverage

As Gryffin is a scanning platform, not a scanner, it does not have its own fuzzer modules, even for fuzzing common web vulnerabilities like XSS and SQL Injection.

It's not wise to reinvent the wheel where you do not have to. Gryffin at production scale at Yahoo uses open source and custom fuzzers. Some of these custom fuzzers might be open sourced in the future, and might or might not be part of the Gryffin repository.

For demonstration purposes, Gryffin comes integrated with sqlmap and arachni. It does not endorse them or any other scanner in particular.

The philosophy is to improve scan coverage by being able to fuzz for just what you need.

Scale

While Gryffin is available as a standalone package, it's primarily built for scale.

Gryffin is built on the publisher-subscriber model. Each component is either a publisher, or a subscriber, or both. This allows Gryffin to scale horizontally by simply adding more subscriber or publisher nodes.

Operating Gryffin

Pre-requisites

1. Go
2. PhantomJS, v2
3. Sqlmap (for fuzzing SQLi)
4. Arachni (for fuzzing XSS and web vulnerabilities)
5. NSQ

  • running lookupd at port 4160,4161
  • running nsqd at port 4150,4151
  • with --max-msg-size=5000000

6. Kibana and Elastic search, for dashboarding

  • listening to JSON over port 5000
  • Preconfigured docker image available in https://hub.docker.com/r/yukinying/elk/


Installation

go get github.com/yahoo/gryffin/...

Run

TODO

  • Mobile browser user agent
  • Preconfigured docker images
  • Redis for sharing states across machines
  • Instruction to run gryffin (distributed or standalone)
  • Documentation for html-distance
  • Implement a JSON serializable cookiejar.
  • Identify duplicate url patterns based on simhash result.


Download
Read more

by Malik korrich ~ samedi 26 septembre 2015 0 commentaires

How To Detect Potentially Malicious PHP Files


How To Detect Potentially Malicious PHP Files ?

Here is the tool called PHP-malware-finder by nbs-system


What does it detect?

PHP-malware-finder does its very best to detect obfuscated/dodgy code as well as files using PHP functions often used in malwares/webshells.

The following list of encoders/obfuscators/webshells are also detected:

  • Best PHP Obfuscator
  • Carbylamine
  • Cipher Design
  • Cyklodev
  • Joes Web Tools Obfuscator
  • Php Obfuscator Encode
  • SpinObf
  • Weevely3
  • atomiku
  • cobra obfuscator
  • phpencode
  • webtoolsvn

How does it work?

Detection is performed by crawling the filesystem and testing files against a set of YARA rules. Yes, it's that simple!

How to use it?

$ ./phpmalwarefinder -h
Usage phpmalwarefinder [-cfhw] ...
    -c  Optional path to a configuration file
    -f  Fast mode
    -h  Show this help message
    -v  Verbose mode

Or if you prefer to use yara:

$ yara -r ./malwares.yara /var/www

Download
Read more

by Malik korrich ~ jeudi 24 septembre 2015 0 commentaires

MALHEUR - Automatic Analysis of Malware Behavior


MALHEUR - Automatic Analysis of Malware Behavior

Malheur is a tool for the automatic analysis of malware behavior (program behavior recorded from malicious software in a sandbox environment). It has been designed to support the regular analysis of malicious software and the development of detection and defense measures.

Malheur allows for identifying novel classes of malware with similar behavior and assigning unknown malware to discovered classes. It supports four basic actions for analysis which can be applied to reports of recorded behavior:

1. Extraction of prototypes: From a given set of reports, malheur identifies a subset of prototypes representative for the full data set. The prototypes provide a quick overview of recorded behavior and can be used to guide manual inspection.

2. Clustering of behavior: Malheur automatically identifies groups (clusters) of reports containing similar behavior. Clustering allows for discovering novel classes of malware and provides the basis for crafting specific detection and defense mechanisms, such as anti-virus signatures.

3. Classification of behavior: Based on a set of previously clustered reports, malheur is able to assign unknown behavior to known groups of malware. Classification enables identifying novel and unknown variants of malware and can be used to filter program behavior prior to manual inspection.

4. Incremental analysis: Malheur can be applied incrementally for analysis of large data sets. By processing reports in chunks, the run-time as well as memory requirements can be significantly reduced. This renders long-term application of malheur feasible, for example for daily analysis of incoming malware programs.

A detailed description of these techniques as well as technical background on analysis of malicious software is provided in the following articles:

  • "Automatic Analysis of Malware Behavior using Machine Learning." Konrad Rieck, Philipp Trinius, Carsten Willems, and Thorsten Holz Journal of Computer Security (JCS), 19 (4) 639-668, 2011.
  • "A Malware Instruction Set for Behavior-Based Analysis." Philipp Trinius, Carsten Willems, Thorsten Holz, and Konrad Rieck Technical report TR-2009-07, University of Mannheim, 2009

Dependencies
  • libconfig >= 1.4, http://www.hyperrealm.com/libconfig/
  • libarchive >= 2.70, http://libarchive.github.com/

Debian & Ubuntu Linux

The following packages need to be installed for compiling Malheur on Debian and Ubuntu Linux

gcc
libconfig9-dev
libarchive-dev

For bootstrapping Malheur from the GIT repository or manipulating the automake/autoconf configuration, the following additional packages are necessary.

automake
autoconf
libtool
Mac OS X

For compiling Malheur on Mac OS X a working installation of Xcode is required including gcc. Additionally, the following packages need to be installed via Homebrew

libconfig
libarchive (from homebrew-alt)

OpenBSD

For compiling Malheur on OpenBSD the following packages are required. Note that you need to use gmake instead of make for building Malheur.

gmake
libconfig
libarchive

For bootstrapping Malheur from the GIT repository, the following packages need be additionally installed

autoconf
automake
libtool

Compilation & Installation

From GIT repository first run

$ ./bootstrap

From tarball run

$ ./configure [options]
$ make
$ make check
$ make install

Options for configure

--prefix=PATH           Set directory prefix for installation

By default Malheur is installed into /usr/local. If you prefer a different location, use this option to select an installation directory.

License
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed without any warranty. See the GNU General Public License for more details.

Copyright
Copyright (c) 2009-2015 Konrad Rieck (konrad@mlsec.org) University of Goettingen, Berlin Institute of Technology

Download
Read more

by Malik korrich ~ vendredi 4 septembre 2015 0 commentaires

SubBrute - The Ultime Subdomain Bruteforcer


SubBrute - The Ultime Subdomain Bruteforcer

Are you under a Security Pentest and you need to find all the Subdomains of a WebSite Right?...
This updated tool may give a good spin up accelleration to your Security Test!


What's it?
SubBrute is a community driven project with the goal of creating the fastest, and most accurate subdomain enumeration tool.



Options:

SubBrute is now a DNS spider that recursively crawls enumerated DNS records.

This feature boosted *.google.com from 123 to 162 subdomains. (Always enabled)

--type enumerate an arbitrary record type (AAAA, CNAME, SOA, TXT, MX...)

-s can now read subdomains from result files.


How to compile it?

./subbrute.py google.com -o google.names
        ...162 subdomains found...

    ./subbrute.py -s google.names google.com --type TXT
        google.com,"v=spf1 include:_spf.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"
        adwords.google.com,"v=spf1 redirect=google.com"
        ...

    ./subbrute.py -s google.names google.com --type CNAME
        blog.google.com,www.blogger.com,blogger.l.google.com
        groups.google.com,groups.l.google.com
        ...
                         ...or from Windows...

Open the CMD, navigate to your subbrute folder, open the windows directory and paste the following command:

subbrute.exe google.com

Enjoy! ;-)

Download


About the Author :
Christian Galeone is an IT Security Specialist from Italy. He has been Acknowledged by the TOP 5 Companies including Yahoo!, Microsoft, AT&T, Sony etc. He is currently working with HOC as Author of Cyber Security & VA Research Articles.
Read more

by Malik korrich ~ mardi 1 septembre 2015 0 commentaires

Hackers Use iOS Malware "KeyRaider" And Stole 225,000 Apple Account From Jailbroken Devices

Hackers Use iOS Malware "KeyRaider" And Stole 225,000 Apple Account From Jailbroken Devices.

Cyber security research firm Palo Alto Networks found iOS Malware called KeyRaider where its stole 225,000 Apple accounts. 

KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads.

The attack was first discovered by i_82, a student from Yangzhou University and member of WeipTech. WeipTech (Weiphone Tech Team) is an amateur technical group consisting of users from Weiphone – one of the largest Apple fans websites in China. Previously, WeipTech cooperated with us to report on other iOS and OS X malware including AppBuyer and WireLurker.

Paltoalto cooperation with Weiptech and identified 92 Samples of a new iOS Malware called "KeyRaider"

KeyRaider was distributed by Cydia in China, but its effect to other countries as well, like France, Russia, Japan, United Kingdom, United States, Canada, Germany, Australia, Israel, Italy, Spain, Singapore, and South Korea.

Malicious Code Exist
The KeyRaider malicious code exists in Mach-O dynamic libraries that are used as plugins for the MobileSubstrate framework. Through MobileSubstrate APIs, the malware can hook arbitrary APIs in system processes or in other iOS apps.

  • Stealing Apple account (user name and password) and device GUID
  • Stealing certificates and private keys used by Apple Push Notification Service
  • Preventing the infected device being unlocked by passcode or by iCloud service
  • In addition to stealing Apple accounts to buy apps, KeyRaider also has built-in functionality to hold iOS devices for ransom.

How to Protect?
Users can use the following method to determine by themselves whether their iOS devices was infected:

  1. Install openssh server through Cydia
  2. Connect to the device through SSH
  3. Go to /Library/MobileSubstrate/DynamicLibraries/, and grep for these strings to all files under this directory:
  • wushidou
  • gotoip4
  • bamu
  • getHanzi

If any dylib file contains any one of these strings, we urge users to delete it and delete the plist file with the same filename, then reboot the device.

We also suggest all affected users change their Apple account password after removing the malware, and enable two-factor verifications for Apple IDs

Next time if you want to do Jailbreak of your iOS devices then think first. KeyRaider only effects on Jailbroken iOS devices.

Source: PaltoAltoNetworks 

Read more

by Malik korrich ~ lundi 31 août 2015 0 commentaires

Toxy: Hackable HTTP Proxy To Simulate Server Failure Scenarios And Unexpected Network Conditions


Toxy: Hackable HTTP Proxy To Simulate Server Failure Scenarios And Unexpected Network Conditions

toxy is a fully programmatic and hackable HTTP proxy to simulate server failure scenarios and unexpected network conditions, built for node.js/io.js.

It was mainly designed for fuzzing/evil testing purposes, when toxy becomes particularly useful to cover fault tolerance and resiliency capabilities of a system, especially in service-oriented architectures, where toxy may act as intermediate proxy among services.

toxy allows you to plug in poisons, optionally filtered by rules, which essentially can intercept and alter the HTTP flow as you need, performing multiple evil actions in the middle of that process, such as limiting the bandwidth, delaying TCP packets, injecting network jitter latency or replying with a custom error or status code.

toxy can be fluently used programmatically or via HTTP API. It's compatible with connect/express, and it was built on top of rocky, a full-featured middleware-oriented HTTP proxy.

Requires node.js +0.12 or io.js +1.6


Why toxy?

There're some other similar solutions like toxy in the market, but most of them do not provide a proper programmatic control and usually are not easy to hack, configure and/or extend. Additionally, most of the those solutions only operate at TCP level stack instead of providing high-level abstraction to cover common requirements of the specific domain and nature of the HTTP protocol, like toxy does.

toxy provides a powerful hackable and extensible solution with a convenient abstraction, but also a low-level interface and programmatic capabilities exposed as a simple, concise and fluent API, with the implicit power, simplicity and fun of node.js.

Concepts

toxy introduces two core directives that you can plug in the proxy and should knowing before using: poisons and rules.

Poisons are the specific logic to infect an incoming or outgoing HTTP flow (e.g: injecting a latency, replying with an error). HTTP flow can be poisoned by one or multiple poisons, and poisons can be plugged to infect both global or route level incoming traffic.

Rules are a kind of validation filters that can be reused and applied to global incoming HTTP traffic, route level traffic or into a specific poison. Their responsability is to determine, via inspecting each incoming HTTP request, if the registered poisons should be enabled or not, and therefore infecting or not the HTTP traffic (e.g: match headers, query params, method, body...).

How it works

↓   ( Incoming request )  ↓
↓           |||           ↓
↓     ----------------    ↓
↓     |  Toxy Router |    ↓ --> Match the incoming request
↓     ----------------    ↓
↓           |||           ↓
↓     ----------------    ↓
↓     |  Exec Rules  |    ↓ --> Apply configured rules for the request
↓     ----------------    ↓
↓           |||           ↓
↓     ----------------    ↓
↓     | Exec Poisons |    ↓ --> If all rules passed, then poison the HTTP flow
↓     ----------------    ↓
↓        /       \        ↓
↓        \       /        ↓
↓   -------------------   ↓
↓   | HTTP dispatcher |   ↓ --> Proxy the HTTP traffic, either poisoned or not
↓   -------------------   ↓


Installation

npm install toxy


Download
Read more

by Malik korrich ~ vendredi 28 août 2015 0 commentaires

BinNavi A Binary Analysis IDE To Control Disassembled Code


BinNavi: A Binary Analysis IDE To Control Disassembled Code

BinNavi is a binary analysis IDE that allows to inspect, navigate, edit and annotate control flow graphs and call graphs of disassembled code.

BinNavi is a binary analysis IDE - an environment that allows users to inspect, navigate, edit, and annotate control-flow-graphs of disassembled code, do the same for the callgraph of the executable, collect and combine execution traces, and generally keep track of analysis results among a group of analysts.

Complications from a third-party dependency
BinNavi uses a commercial third-party graph visualisation library (yFiles) for displaying and laying out graphs. This library is immensely powerful, and not easily replaceable.

In order to perform direct development using yFiles, you need a developer license for it. At the same time, we want the community to be able to contribute to BinNavi without needing a commercial yFiles license. In order to do this and conform to the yFiles license, all interfaces to yFiles need to be properly obfuscated.

In order to achieve this, we did the following:

1) BinNavi and all the libraries have been split into two: The parts of the project that directly depend on yFiles were split into subpackages called "yfileswrap":

com.google.security.zynamics.binnavi
com.google.security.zynamics.binnavi.yfileswrap
com.google.security.zynamics.zylib
com.google.security.zynamics.zylib.yfileswrap
com.google.security.zynamics.reil
com.google.security.zynamics.reil.yfileswrap

We are distributing a pre-built JAR file with all the code in the "yfileswrap" subpackages - pre-linked and obfuscated against yFiles. If you wish to change or add code in BinNavi and do not have a yFiles license, you can freely do pretty much whatever you want in the non-yfileswrap packages - you can simply put the lib/yfileswrap-obfuscated.jar into your classpath to test and see the results.

If you wish to make changes to the "yfileswrap" subdirectories, please be aware that you will need a valid yFiles license - and any contribution that you make to the BinNavi project has to honor their license agreement. This means that you can't simply expose their inner APIs under different names etc.

We will enforce this - we're very happy to have found a way to open-source BinNavi with the yFiles dependency, and we will make sure that any code we pull in respects the yFiles license.

Building BinNavi from scratch
BinNavi uses Maven for its dependency management, but not for the actual build yet. To build from scratch use these commands:

mvn dependency:copy-dependencies
ant -f src/main/java/com/google/security/zynamics/build.xml \
  build-binnavi-fat-jar

Running BinNavi for the first time
Please be aware that BinNavi makes use of a central PostgreSQL database for storing disassemblies/comments/traces - so you need to have such an instance running somewhere accessible to you. You can build/launch BinNavi as follows:

ant -f src/main/java/com/google/security/zynamics/build.xml \
  build-binnavi-fat-jar
java -jar target/binnavi-all.jar


Loading the project into Eclipse

Loading the code into Eclipse for further development requires a little bit of configuration.

  1. Download the dependencies (as described above) and make sure you have a Java SDK with 1.8 language compliance installed.
  2. Create a new "Java Project From Existing Ant Buildfile" and use the file src/main/java/com/google/security/zynamics/build.xml
  3. Select '"javac" task found in target "build-binnavi-jar"
  4. Open the "Project Properties" dialog.
  5. Edit the source folders to have the following properties:
  6. Linked Folder Location: $SRCDIR/src/main/java
  7. Folder Name: java
  8. Click on "Next"
  9. Add binnavi/yfileswrap, zylib/yfileswrap, and reil/yfileswrap to the list of directories to exclude.
  10. Go to Run->Debug Configurations, select "Java Application" and then search for "CMain".
  11. You should be ready to go from here.

Exporting disassemblies from IDA
As part of this project, we are distributing a binary-only (sorry!) IDA pro plugin that exports disassemblies from IDA into the Postgresql database format that BinNavi requires. When running BinNavi, simply configure the right path for IDA, click on the "install plugin" button if necessary -- you should now be able to import disassemblies.

Using other disassemblers than IDA
Right now, we only have the IDA export plugin - but we are hoping very much that someone will help us build export functionality for other disassemblers in the near future.

website: http://www.zynamics.com/binnavi.html

Download
Read more

by Malik korrich ~ jeudi 20 août 2015 0 commentaires

SniffLab: Setup Your Own MITM, Packet Sniffing WiFi Access Point


Setting up a SNIFFLAB
Scripts to create your own MITM'ing, packet sniffing WiFi access point.

Firewall rules on DD-WRT router to send traffic to MITM proxy box

Make sure the network interface (vlan1 here) is correct.

PROXYIP=your.proxy.ip
iptables -t mangle -A PREROUTING -j ACCEPT -p tcp -m multiport --dports 80,443 -s $PROXYIP
iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp -m multiport --dports 80,443
ip rule add fwmark 3 table 2
ip route add default via $PROXYIP dev vlan1 table 2

PCAP machine scripts

/etc/network/interfaces

auto lo
iface lo inet loopback
iface eth0 inet manual
iface eth1 inet manual
allow-hotplug wlan0
iface wlan0 inet dhcp
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp

auto bond0
iface bond0 inet dhcp
bond-mode 3
bond-miimon 100
slaves eth0 eth1
/etc/wpa_supplicant/wpa_supplicant.conf

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
        ssid=""
        psk=hashofyourpassword
        proto=RSN
        key_mgmt=WPA-PSK
        pairwise=TKIP
        auth_alg=OPEN
}

Getting the network running correctly on boot

/etc/init.d/network.sh

#!/bin/sh
### BEGIN INIT INFO
# Provides:     network.sh
# Short-Description:    Ensure WiFi as well as Ethernet interfaces are up
# Description:
# Default-Start:    2 3 4 5
# Default-Stop:     0 1 6
# Required-Start:   $remote_fs $syslog
# Required-Stop:    $remote_fs $syslog
### END INIT INFO
sudo ifplugd eth0 --kill
sudo ifup wlan0
sudo ifup eth0
sudo ifup eth1
sudo ifconfig eth1 promisc
sudo ifconfig eth0 promisc
exit 0

Start capturing packets on startup -- create a sniffer service

/etc/init/sniffer.conf

#sniffer.conf
start on runlevel [2345]
stop on runlevel [016]

script
    cd /home/pi/snifflab
    exec python sniffer.py -i bond0 -s 100 -t 1200
end script

MITM proxy service

mitm.conf

start on filesystem

script
    sudo iptables -A PREROUTING -t nat -i em1 -p tcp -m multiport --dports 80,443 -j REDIRECT --to-port 4567
    SSLKEYLOGFILE=/var/log/mitmkeys.log
    export SSLKEYLOGFILE
    echo "MITM Keys being logged here: $SSLKEYLOGFILE"
    exec mitmdump -T --host --conf=/etc/mitmproxy/common.conf
end script

Script to backup pcaps to local machine

#!/bin/bash
remote_server=yourservername
pcap_dir=/pcaps
keylogfile=/var/log/mitmkeys.log
local_dir=~/Documents/snifflab

rsync -a "$remote_server":$pcap_dir $local_dir
scp "$remote_server":$keylogfile $local_dir

Download
Read more

by Malik korrich ~ lundi 17 août 2015 0 commentaires

NetRipper - Smart Traffic Sniffing For Penetration Testers


NetRipper - Smart Traffic Sniffing For Penetration Testers

Description
NetRipper is a post exploitation tool targeting Windows systems which uses API hooking in order to intercept network traffic and encryption related functions from a low privileged user, being able to capture both plain-text traffic and encrypted traffic before encryption/after decryption.

NetRipper was released at Defcon 23, Las Vegas, Nevada.

Abstract
The post-exploitation activities in a penetration test can be challenging if the tester has low-privileges on a fully patched, well configured Windows machine. This work presents a technique for helping the tester to find useful information by sniffing network traffic of the applications on the compromised machine, despite his low-privileged rights. Furthermore, the encrypted traffic is also captured before being sent to the encryption layer, thus all traffic (clear-text and encrypted) can be sniffed. The implementation of this technique is a tool called NetRipper which uses API hooking to do the actions mentioned above and which has been especially designed to be used in penetration tests, but the concept can also be used to monitor network traffic of employees or to analyze a malicious application.

Tested applications
NetRipper should be able to capture network traffic from: Putty, WinSCP, SQL Server Management Studio, Lync (Skype for Business), Microsoft Outlook, Google Chrome, Mozilla Firefox. The list is not limited to these applications but other tools may require special support.

Components
NetRipper.exe - Configures and inject the DLL
DLL.dll       - Injected DLL, hook APIs and save data to files
netripper.rb  - Metasploit post-exploitation module

Command line
Injection: NetRipper.exe DLLpath.dll processname.exe  
Example:   NetRipper.exe DLL.dll firefox.exe

Generate DLL:

  -h,  --help          Print this help message
  -w,  --write         Full path for the DLL to write the configuration data
  -l,  --location      Full path where to save data files (default TEMP)

Plugins:

   -p,  --plaintext     Capture only plain-text data. E.g. true  
 -d,  --datalimit     Limit capture size per request. E.g. 4096  
 -s,  --stringfinder  Find specific strings. E.g. user,pass,config  

Example:
NetRipper.exe -w DLL.dll -l TEMP -p true -d 4096 -s user,pass  

Metasploit module

msf > use post/windows/gather/netripper 
msf post(netripper) > show options

Module options (post/windows/gather/netripper):

   Name          Current Setting                  Required  Description
   ----          ---------------                  --------  -----------
   DATALIMIT     4096                             no        The number of bytes to save from requests/responses
   DATAPATH      TEMP                             no        Where to save files. E.g. C:\Windows\Temp or TEMP
   PLAINTEXT     true                             no        True to save only plain-text data
   PROCESSIDS                                     no        Process IDs. E.g. 1244,1256
   PROCESSNAMES                                   no        Process names. E.g. firefox.exe,chrome.exe
   SESSION                                        yes       The session to run this module on.
   STRINGFINDER  user,login,pass,database,config  no        Search for specific strings in captured data

Set PROCESSNAMES and run.

Metasploit installation (Kali)
  • cp netripper.rb /usr/share/metasploit-framework/modules/post/windows/gather/netripper.rb
  • mkdir /usr/share/metasploit-framework/modules/post/windows/gather/netripper
  • g++ -Wall netripper.cpp -o netripper
  • cp netripper /usr/share/metasploit-framework/modules/post/windows/gather/netripper/netripper
  • cd ../Release
  • cp DLL.dll /usr/share/metasploit-framework/modules/post/windows/gather/netripper/DLL.dll
  • Plugins
  • PlainText - Allows to capture only plain-text data
  • DataLimit - Save only first bytes of requests and responses
  • Stringinder - Find specific string in network traffic

To do
  • Support multiple applications
  • Support for x64 processes
  • Thread-safe API hooking
  • Monitor loading of DLLs and new processes

Author
Ionut Popescu, Senior Security Consultant at KPMG Romania

Read more

by Malik korrich ~ vendredi 14 août 2015 0 commentaires

PortDog: Port Scanning Tool In Python


PortDog: Port Scanning Tool In Python

PortDog is a network anomaly detector aimed to detect port scanning techniques. It is entirely written in python and has easy-to-use interface. 

It was tested on Ubuntu 15. Please note that, it is not working on Windows OS due to suffering from capturing RAW packets.I am working on to write this script to work both platforms. In future , I'm thinking about adding firewall options that could block malicious attempts. It is using Raw packets for analysis. For this reason, please ensure that you have run this script from privileged session.


Usage:

sudo python portdog.py -t time_for_sniff_in_minutes

For example, if you want to detect for 5 minutes use:

sudo python portdog.py -t 5

For infinite detection use:

sudo python portdog.py -t 0

If you want to get list of scanned ports , press CTRL+C to get port list at runtime (If scan was happened).


Download
Read more

by Malik korrich ~ 0 commentaires

Snitch: A Tool For Information Gathering Via Dorks


Snitch: A Tool For Information Gathering Via Dorks.

Snitch is a tool which automate information gathering process for specified domain. Using build-in dork categories, this tool helps gather specified information's domain which can be found using web search engines. It can be quite useful in early phases of pentest.


devil@hell:~/snitch$ python snitch.py
                       _ __       __  
           _________  (_) /______/ /_ 
          / ___/ __ \/ / __/ ___/ __ \ 
         (__  ) / / / / /_/ /__/ / / /
        /____/_/ /_/_/\__/\___/_/ /_/ ~0.3   

Usage: snitch.py [options]

Options:

  -h, --help            show this help message and exit
  -U [url], --url=[url]
                        domain(s) or domain extension(s) separated by comma*
  -D [type], --dork=[type]
                        dork type(s) separated by comma*
  -C [dork], --custom=[dork]
                        custom dork*
  -O [file], --output=[file]
                        output file
  -S [ip:port], --socks=[ip:port]
                        socks5 proxy
  -I [seconds], --interval=[seconds]
                        interval between requests, 2s by default
  -P [pages], --pages=[pages]
                        pages to retrieve, 10 by default
  -v                    turn on verbosity


 Dork types:

  •   info   Information leak & Potential web bugs
  •   ext    Sensitive extensions
  •   docs   Documents & Messages
  •   files  Files & Directories
  •   soft   Web software
  •   all    All


Download
Read more

by Malik korrich ~ vendredi 17 juillet 2015 0 commentaires

[Kali Linux] Maltego - Infrastructure Information Gathering








In this tutorial, i'm going to show you how to gather information using Maltego in Kali Linux.

Firstly, open up Maltego.


Applications>Kali Linux>Top 10 Security Tools>Maltego





If this is your first time using it, you need to complete the registration. Once the registration complete. Click on the menu button and select new.




A blank screen will appear. Later, click on pallete. In this tutorial i'm going to show how to gather information from infrastructure. So, click infrastructure, drag and drop "Domain" into your project.




You will see a earth icon with a domain name. Double click on it and change the domain name to your target. In this tutorial, my target is www.papagomo.com




Close that window and let's start gathering information. Right click on the earth icon, choose Run Transform and then All transform , followed by your choice. In this case, i will use  To phone number [using search engine].




If the result was found, it will produce output like this picture.If nothing appear, that mean not result found.




There are 4 phone numbers, but it doesn't mean all of them belongs to the webmaster, but you can make a try. Now i'm going to use the phone number to get more information. So i will use the phone number to transform it into url. 




After i transform it into URL using search engine, i got a Facebook page. Maybe it's belong to the phone number owner and the webmaster.





I think that's all for now. I hope you understand how to use Maltego. 

Read more

by Malik korrich ~ jeudi 24 juillet 2014 0 commentaires

« Articles plus anciens