Friday, August 14, 2015

Dump Clear Text Passwords using The LaZagne Project !!! BlackHatTrick Blog


Dump Clear Text Passwords using The LaZagne Project !!!

Description

The LaZagne project is an open source application used to retrieve lots of passwords stored on a local computer. Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases, etc.). This tool has been developed for the purpose of finding these passwords for the most commonly-used software. At this moment, it supports 22 Programs on Microsoft Windows and 12 on a Linux/Unix-Like OS.





Standalones

Standalones are now available here: https://github.com/AlessandroZ/LaZagne/releases/tag/0.9
Usage

Retrieve version
cmd: laZagne.exe --version

Launch all modules
cmd: laZagne.exe all

Launch only a specific module
cmd: laZagne.exe
example: laZagne.exe browsers
help: laZagne.exe -h

Launch only a specific software script
cmd: laZagne.exe
example: laZagne.exe browsers -f
help: laZagne.exe browsers -h

Write all passwords found into a file (-w options)
cmd: laZagne.exe all -w

Use a file for dictionary attacks (used only when it's necessary: mozilla masterpassword, system hahes, etc.). The file has to be a wordlist in cleartext (no rainbow), it has not been optmized to be fast but could useful for basic passwords.
cmd: laZagne.exe all -path file.txt

Change verbosity mode (2 different levels)
cmd: laZagne.exe all -vv

Note: For wifi passwords \ Windows Secrets, launch it with administrator privileges (UAC Authentication / sudo)
Supported software


(*) used by many tools to store passwords: Chrome, Owncloud, Evolution, KMail, etc.
IE Browser history

Internet Explorer passwords (from IE7 and before Windows 8) can only be decrypted using the URL of the website. This one is used as an argument of the Win32CryptUnprotectData api. Thus, using the browsing history of ie will permit to decrypt many passwords. To do that, I used a dll written in C code (the code is in the "browser_history_dll" directory) and it is directly embedded to the Python code as a Base64 string (c.f. ie.py). Once launched, the dll is written on the disk, a wrapper is used to call dll functions and then the dll file is removed from the disk.
Windows hashes

To dump windows hashes and LSA Secrets, the impacket library has been used:https://github.com/CoreSecurity/impacket
Build your own password recovery script

It's possible to write your own script for the software of your choice. Building your own module has become extremely easy.

To do that, some code standards are to be met:

Create a class using the name of the software containing 2 importants functions:
init: used to define all arguments used to launch the class.
run: will be the main function

Add on the config.manageModules.py file your class name and your import

The output containing all passwords has to be send to the "print_output" function - ex: print_output(software_name, password_list)
password_list has to be an array of dictionnaries.

Optional: you could use the function "print_debug" to print your output
ex: print_debug("ERROR", "Failed to load ...")

Use an existing script to understand what I have said :)

If you want to improve this tool, you can send me your script and it will be added to this project (authors will be, of course, credited on each script ;)).
Requirements

To compile the source code, some external libraries are required.

For Windows
Python 2.7
Colorama (for the Console colors): https://pypi.python.org/pypi/colorama
Python for Windows Extensions: http://sourceforge.net/projects/pywin32/
PyCrypto: pip install pycrypto
Impacket (for Windows hashes + LSA Secrets): https://github.com/CoreSecurity/impacket
Pyasn1 (for ASN1 decoding): https://pypi.python.org/pypi/pyasn1/


For Linux
Python 2.7
Argparse
PyCrypto: https://www.dlitz.net/software/pycrypto/
Dbus (Pidgin)
Python-kde4 (Kwallet)
Pyasn1 (for ASN1 decoding): https://pypi.python.org/pypi/pyasn1/

Reference: 

https://github.com/AlessandroZ/LaZagne
http://www.achillepowergeek.co.vu/2015/07/dump-cleartext-passwords-after-hack.html

Your Good comments Encourages me to keep posting Nice Articles so keep Commenting & Sharing

Friday, July 31, 2015

Windows Important Commands

Windows Important Commands 
what is WMIC ?

 Windows management instrumentation command. The wmic command to me is one of the more powerful commands on windows. 



This command is very useful for the anlyst who is performing analysis on windows OS as well as Forensics.
This commands helpful to gather information without 3rd party tools.
You can do multiple tasks with one command
List of running processes in brief

wmic process list brief
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
kill a process

wmic process where name="wordpad.exe" delete
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Determine open shares

net share
wmic share list brief
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Determine ip address

ipconfig
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Get a new ip address

ipconfig /release
ipconfig /renew
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disk drive information

wmic diskdrive list full
wmic partition list full
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
List all patches

wmic qfe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
List services

wmic service list brief
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
List user accounts

wmic useraccount list brief
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
List number of times a user logged on

wmic netlogin where (name like "%adm%") get numberoflogons
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reboot

shutdown /r /t 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Shutdown

shutdown /s /t 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Spawn a new command prompt

start cmd
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Command line history

F7
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Determine the current user

echo %USERNAME%
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Determine who is apart of the administrators group

net localgroup administrators
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Add a user where rocky is the username and password is redhat

net user rocky redhat /add
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Add user rocky to administrators group

net localgroup administrators rocky /add
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
List user accounts

net user
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
List network connections and the programs that make connection

netstat -an
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Display contents of file text.txt

type text.txt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Edit contents of file text.txt

edit text.txt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Determine PC name

hostname
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Determine whether a system is 32 or 64 bit

wmic cpu get DataWidth /format:list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Startup applications

wmic startup get caption,command


Tuesday, July 21, 2015

How To Set Up vsftpd on Ubuntu 12.04 | BlackHatTrick blog



How To Set Up vsftpd on Ubuntu 12.04 | BlackHatTrick Blog


About vsftpd

Warning: FTP is inherently insecure. If you must use FTP, consider securing your FTP connection with SSL/TLS. Otherwise, it is best to use SFTP, a secure alternative to FTP.

The first two letters of vsftpd stand for "very secure" and the program was built to have strongest protection against possible FTP vulnerabilities.

Step One—Install vsftpd

You can quickly install vsftpd on your virtual private server in the command line:
sudo apt-get install vsftpd


Once the file finishes downloading, the VSFTP will be on your droplet. Generally speaking, it is already configured with a reasonable amount of security. However, it does provide access on your VPS to anonymous users.

Step Two—Configure vsftpd

Once vsftpd is installed, you can adjust the configuration.

Open up the configuration file:
sudo nano /etc/vsftpd.conf


The biggest change you need to make is to switch the Anonymous_enable from YES to NO:
anonymous_enable=NO


Prior to this change, vsftpd allowed anonymous, unidentified users to access the server's files. This is useful if you are seeking to distribute information widely, but may be considered a serious security issue in most other cases.

After that, uncomment the local_enable option, changing it to yes and, additionally, allow the user to write to the directory.local_enable=YES
write_enable=YES


Finish up by uncommenting command to chroot_local_user. When this line is set to Yes, all the local users will be jailed within their chroot and will be denied access to any other part of the server.chroot_local_user=YES


Save and Exit that file.

Because of a recent vsftpd upgrade, vsftpd is "refusing to run with writable root inside chroot". A handy way to address this issue to is to take the following steps:
Create a new directory within the user's home directorymkdir /home/username/files

Change the ownership of that file to rootchown root:
root /home/username

Make all necessary changes within the "files" subdirectory

Then, as always, restart: 
sudo service vsftpd restart


Step Three—Access the FTP server

Once you have installed the FTP server and configured it to your liking, you can now access it.

You can reach an FTP server in the browser by typing the domain name into the address bar and logging in with the appropriate ID. Keep in mind, you will only be able to access the user's home directory.ftp://example.com


Alternatively, you can reach the FTP server on your virtual server through the command line by typing: ftp example.com


Then you can use the word, "exit," to get out of the FTP shell.

Toolbox for Security Analyst | BlackHatTrick Blog

Toolbox for Security Analyst | BlackHatTrick Blog


If you're just getting started in this field, know that half the battle is finding all the tools and understanding what they're best at. Here's my list of the sites I find myself using most and what they're good for:
Website Open Source Intelligence
  • CentralOps Domain Dossier - A nice simple DNS/WhoIs lookup tool.
  • Robtex - Horrible layout, good info for historical and current DNS records, infrastructure and findings all sites on a given IP.
  • DNSDumpster - A newcomer, makes a nice graph of subdomains for a given domain.
  • PassiveTotal - Requires being accepted in, but another great source for passive DNS data.
  • URLQuery - Search for the site in question, will give you a picture and all sorts of other awesome data on the site.
  • Page2Images - Get a picture of what a site looks like without going there.
  • Internet Archive - Actual snapshots of many pages at various points in history, unlike URLQuery, these can still be dangerous if the snapshot is captured at the point an infection was active.
Finding and Researching Malware Samples
  • Malwr - A standard in online dynamic and static analysis, uses the great Cuckoo Sandbox package. Great for submitting samples, even better for using their search terms for OSINT on related samples. Many samples are available for download.
  • Payload Security - A newcomer in online dyanmic/static analysis, but so far I like the analysis of samples even better than malwr.com. Once they get more samples submitted this will likely be a contender for best. Unique feature of searching for viruses by family.
  • VirusTotal - One of the best sources for historical DNS lookups and IP/FQDN/URL reputation. They do basic static analysis and dynamic analysis, HUGE collection of samples.
  • PassiveTotal - Mentioned above, but also great for researching malware domains.
  • URLQuery - Mentioned above, good for testing if a site is infected, much more useful for finding the history of infection on a given website. Snapshots of compromised sites from here can be invaluable to an investigation.
  • VirusShare - A private site that collections LOTS of samples for download, also offers massive bittorrent download of gigs of malware.
  • MalwareViz - A unique site that takes a sample and draws a graph of network and file interactions.
  • KernelMode Malware Forum - A great place to find discussion and samples of most of the malware families.
Software
  • IDA (Free Edition) - Unless you have tons of money, you'll be stuck with the free edition that doesn't support 64 bit code. That's ok, it's plenty good to get started.
  • Hopper Dissassembler - The affordable disassembler. It's gotten dramatically more powerful in a short amount of time and is actually affordable. I think it's great for the price.
  • OllyDbg - The standard debugger for Windows programs. Tons of great plugins, use version 1 or 2 depending on the plugins you want to be able to use. There's also a GREAT tutorial series here, it's focused on binary cracking, but the skills involved in that are very similar to reverse engineering malware. It will teach you Olly very quickly.
  • REMnux - A great linux distro that comes with 95% of the malware analysis tools you'll like want to use ready to go. Lenny Zeltser, the creator of REMnux, also has a awesome tools catalog organized by task so you can find what you need. P.S. Lenny also runs the SANS Malware Reverse Engineering course which is great for getting started in this field, I've taken it and can vouch that it's an awesome way to start.
Virtualization:
  • Type 2 Hypervisors - What you want for running malware in a safe environment.
    • VMWare Workstation/Fusion - The standard, works great, used by many, and can control ESXi if you have it. Windows / OS X
    • VirtualBox - The free virtualization solution, works pretty much just as well as VMWare, but sometimes seems to be not as fast and may have a few less features. Windows / OS X / Linux
    • Hyper-V - Comes free with some versions of Windows 8+, can also be used to control a free Windows Hyper-V Server 2012 box. A great option if you want a headless server for VMs and have an extra, decently powerful computer laying around. Windows only.
    • KVM - Perhaps technically a Type 1 hypervisor, this typically runs along a host OS and can be run locally or headless like with Promox. A great option if you use Linux as your main OS. There's lots of options for GUI management here depending on how you want to manage it.
  • Type 1 Hypervisors - For advanced setups with lots of VMs and multiple networks.
    • VMWare ESXi - A industry stanard, the free version is very limited in advanced features, but is ok for making and using basic VMs. It's good to know for professional development, but the down side is their free management client is windows only. It's also very picky with hardware, most server hardware will work, but if you try to put this on consumer hardware you might run into trouble. If you want this, try one of the next two options.
    • Proxmox - The free, web managed ESXi alternative. I love Proxmox, I've written about previously how I currently use it for running Sophos UTM for my home router/firewall. It will work with mostly anything Linux works with. It's slightly less user-friendly than ESXi due to it's somewhat lacking documentation, but most problems that aren't specifically solved in the wiki are a quick Google to find the answer to.
    • Microsoft Hyper-V Server - Honestly, if you're in an all Windows environment, this is free and the management portion comes built into windows so you should probably try it before anything else. Runs on tons of different hardware since it's Windows. Don't confuse Windows Server with the Hyper-V role installed with the standalone Hyper-V Server, the former is not free, the latter is. Also know that Windows 7 can only control up to Hyper-V Server 2008R2, you must have Windows 8+ to use Hyper-V server 2012+.

Saturday, June 20, 2015

Introduction to Linux ELF DDoS'er Malware & Family

Introduction to Linux ELF DDoS'er Malware & Family

ELF is the Linux Malware which is specifically developed to perform DDOS attacks against the Target.
We will learn more about the ELF malware and its Family, let`s start with some basic Introductions.

About Linux Malware:
Linux malware includes viruses, Trojans, worms and other types of malware that affect the Linux operating system. Linux, UNIX and other Unix-like computer operating systems are generally regarded as very well-protected against, but not immune to, computer viruses.
Here has not yet been a single widespread Linux virus/malware infection of the type that is common on Microsoft Windows; this is attributable generally to the malware's lack of root access and fast updates to most Linux vulnerabilities.

History about Linux Malware:
In Old Days it was common that malware targeting windows  or even OS X, security threat to linux have become both more numerous and more severe in recent years.
There are couple of reason for the same :
The mobile explosion has meant that Android (which is Linux-based) is among the most attractive targets for malicious hackers.
·   The use of Linux as a server OS for and in the data center has also grown
 But Linux malware has been around in some form since well before the turn of the century.

Intro to ELF Malware:

ELF malware developed to infect server, mobile as well as embedded.




Malware of target to Linux system becomes too large to ignore
·         In virustotal statistics approx. 127,385 ELF binaries has submitted during the week of 2015/01/19
·         Approx. 2,722,106 Win32 binaries has submitted in the same week
·         Note:  Not all ELF binaries are malware

From malwaremustdie blog report, the threat is verdicted to be originated from China:
·    The source binary data contains China specific details.
·         Attacker IP address during attempt to infect are mostly (98%) originated from China network.
·    Panels served by ELF malware be downloaded during infection, are located in China network (98%)
·    CNC server used for downloading config or used for remote attack (92%)

Trends in Linux Malware :
ELF malware are not sophisticated yet unlike windows malware
·         Today, antivirus vendor endeavour to raise detection rate of ELF malware
·         “Google's Virustotal puts Linux malware under the spotlight” http://www.zdnet.com/article/googles-virustotal-puts-linux-malwareunder-the-spotlight/ • On the other hand, Several ELF malware has execution portability – It is unique perspective in Linux system

The distributed malware are separated into 3 categories:
1. "Elknot" variants, technical information
2. "AES.DDoS", technical information
3. ".IptabLes|x", technical information
4. "BillGates", technical information
5. (NEW) "GoARM.Bot", technical information
6. "XOR.DDoS", technical information

  Introduction of ELF Malware Family:
1. IptabLes/IptabLex
This infection is observed around 2013~ and a minute report submitted by AKAMAI in 2014.
· The malware infect using vulnerabilities of open source software such as Apache Struts, Tomcat and Elasticsearch.
· Exploiting newest vulnerabilities.
Some malware store itself in /boot with the name “.Iptables” or “.Iptablex”

2.  XOR.DDoS
This infection is observed around 2014~.
The malware contains LKMLinux Kernel Module) rootkits
 –Based on “Suterusu” open source LKM rootkit
The special future of XOR.DDoS ELF malware is, it hiding processes, files and other malware             activity from security services and administrators.

3. AES.DDoS
This infection is observed around 2014~.
An ELF malware is available for several architectures
· EM_386, EM_x86_64, EM_MIPS, EM_ARM, PE x86
· A MIPS architecture often used to router • Targets of this malware are a wide variety of systems such as desktop, mobile, routers and IoT devices.

4. ChinaZ
This infection is observed around 2015~.
This malware is spread all over the world by triggering Shell Shock vulnerability.
The malware analysed was compiled with aiming NIX base routers/servers, with these OS & CPU architectures:
1. Intel x32 (Linux / FreeBSD)
2. Intel x64 (Linux / FreeBSD)
3. AMD x64 (Linux)
4. ARM (Linux)
5. MIPS (Linux)
6. (NEW) PPC (Linux)

Note:
(NEW) The Windows version of the same DDoSer was started to be detected in Mid October 2014.
Samples: [http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3468#p24160]
  [http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3468#p24152]

PoC, Evidence contribution From MalwareMustDie
1. https://www.youtube.com/watch?v=JjtOUto9Sr8
2. https://www.youtube.com/watch?v=z6MdtFck6x4
3. https://www.youtube.com/watch?v=sdKCjbrs5uQ
4. https://www.youtube.com/watch?v=YtxaT1rahY8
5. https://www.youtube.com/watch?v=OcOiuxAtbOk

Illustration of "Volume & Combination" in its distribution
In a panel served with ELF malware, China DDoS'er crooks is distributing quite big amount of downloads (even we are assuming 70% downloads are for infection), as per seen in one panel snapshot picture below:


In a panel we often spotted the China crook is mixing the type of malware, as per seen in the PoC below:

Mixing samples PoC:↓


Recent ELF samples we collected & analyzed for the past one month:
(There are a lot more than these & are still coming)
https://www.virustotal.com/en/file/276b2bb1bb19e7b81e7656a6c411a094952592f77948151d43d460907e9702de/analysis/
https://www.virustotal.com/en/file/cb4aa1bc0a65771b7a23afc99d559a9943ebe06901b6ba37fcf563c64f28a872/analysis/
https://www.virustotal.com/en/file/586c2afdedef5e2ff0298b6bb5d8e11d847d35e86b2be56b437a35227643fb58/analysis/

China ELF DDoS'er download panels list:
h00p://192.169.219.22:280/
h00p://222.186.42.31:7019/
h00p://183.136.214.14:12345/
h00p://183.60.202.58:5147/
h00p://124.173.118.167:41235/
h00p://222.186.58.146:81/
h00p://183.60.202.58:5147/
h00p://222.186.58.146:81/
h00p://118.123.119.14:3543/
h00p://116.255.162.80:3322/
h00p://104.194.25.172/
h00p://218.244.148.150:24/
h00p://104.194.25.176:8080/
h00p://www.qiuwo.net/
h00p://www11359ui.sakura.ne.jp/


Geological Source of ELF Malware wrt IP addresses as below:


Malware & Intrusion Detection In Linux:


Malware Detection:
It is recommended to use ClamAV Anti-Virus, Linux Malware Detection tools to detect the malware.

Intrusion Detection:
It is recommended to use AIDE. It is used to check user-land integrity checker.
Linux IMA (Integrity Measurement Architecture): it is used to measure Kernel-Level Integrity.

Mitigation Techniques
ü  USE SELINUX – Intruder’s activity is limited to an application of attack surface.
ü  Restrict outbound connections at firewall as well as on Proxy – Using C&C blacklist

Conclusions
ü  Linux based platform such as server, mobile and embedded has increased – ELF Malware has increased at the same time.
ü  Several malware intrudes vulnerable host using latest vulnerabilities.
ü  Administrators and developers should have control over all system components and response to new vulnerabilities
– Should be considered anti-malware, intrusion detection and mitigation

Note: Very soon I Will Post Malware analysis & forensics Article on ELF Family Iptables/XOR.DDoS/AES.DDoS & ChinaZ.

Reference:
CREDIT:  #MalwareMustDie
http://blog.malwaremustdie.org/2014/09/tango-down-report-of-op-china-elf-ddoser.html
http://www.ffri.jp/assets/files/monthly_research/MR201501_Latest_Trends_in_Linux_Malware_ENG.pdf












Subscribe to: Posts (Atom)