Tuesday, June 28, 2011

Analyzing Malicious Websites with Wepawet

Found via this video on securitytube.net:

From the explanation on the  website,

WEPAWET stands for Web Engine to Protect from and Analyze Widespread and Emerging Threats. It is a collection of tools that use static and dynamic techniques to analyze web content to identify possible malicious behavior. It currently supports analyzing Adobe Flash, JavaScript and PDF files.

Therefore, this tool is very useful to quickly analyze compromised websites that are performing drive-by download attacks.

 This service is hosted and maintained by  the University of California, Santa Barbara.

More information on the support page

Monday, June 27, 2011

Loading Raw Images on VirtualBox

This post is just a reference in case I have to load a raw image onto VirtualBox to make an analysis or just run the system.

I found this blog post that explains how to load a raw OS X image onto VirtualBox, but it should be fairly similar with other operative systems.

Web Exploitation Framework - wXf

wXf is a new framework focused on web application security and written in Ruby, with the look and feel of Metasploit.


I have read some posts written by carnalOwnage  as well as some videos on Vimeo and I have to say it  looks really interesting :)

I am quite sure that my definition is too simple, but I understand it follows the same principle of Metasploit but oriented to Web Application security, with the advantage of being well integrated with Burp. Of course, this tool can be really helpful to pen-testers that do an extensive use of Burp, because  it will permit to script many tasks with Buby modules  and automate many attacks, saving lots of time.


Doing some searches on Google I also found this video on securitytube.net that corresponds to a talk offered during the APPSEC DC 2010.



wxf: Web Exploitation Framework with Ken Johnson, Fishnet Security and Chris Gates, No Affiliation. from OWASP DC on Vimeo.


Links carnalOwnage's posts:
http://carnal0wnage.attackresearch.com/2011/05/jruby-buby-wxf-fun.html
http://carnal0wnage.attackresearch.com/2011/05/buby-script-basics-part-1.html
http://carnal0wnage.attackresearch.com/2011/05/buby-script-basics-part-2.html
http://carnal0wnage.attackresearch.com/2011/05/buby-script-basics-part-3.html
http://carnal0wnage.attackresearch.com/2011/05/buby-script-basics-part-4.html
http://carnal0wnage.attackresearch.com/2011/05/buby-script-basics-part-5.html
http://carnal0wnage.attackresearch.com/2011/05/buby-script-basics-part-6.html

Wednesday, June 22, 2011

Didier Stevens' Malicious PDF Analysis Screencasts

Didier Stevens has created a web page with all his screencasts on Malicious PDF analysis.

The above mentioned screencasts teach the viewer in the use of  his PDF tools. In a nutshell:

  • pdfid.py informs about the different kind of objects contained in the PDF document tree: Pages,  Stream,  OpenAction, Javascript. etc.. It permits to quickly flag a suspicious file as malicious, but without looking at its content.
  • pdf-parser.py can be used to extract the contents of a chosen object. This can be used to inspect objects of interest and  particularly: OpenAction and Javascript objects.
  • Its is important to notice that the objects can be compressed and encoded by making use of Filters. This technique can be used to obfuscate the contents of the malicious file and hide them from the view of the antivirus. pdf-parser.py permits to revert these filters by using specific flags in the command line.
  • Another interesting feature is the name type normalization, since the PDF standard permits to encode the characters in the Hex equivalent. This trick would also be useful for antivirus evasion when the engine does not understand the PDF language.

I have also found this old post that Didier wrote in 2008 to explain how a PDF file is structured. If I am not wrong, the example used in the first exercice is a simplified version of the one appearing in the blog post.


Monday, June 20, 2011

Browser Exploitation on Rooted 2011

I have found via SecurityByDefault  the presentation that Raul Siles made on RootedCon 2011 [Spanish] .

Raul explains how to perform Browser Explotation with Beef and XSS, giving a nice example that combines Beef and Metasploit. This demo exploits a XSS  in  a web page and a Java vulnerability in the victim's browser to gain full access to the victim's computer.




Raúl Siles - Browser Exploitation for Fun and Profit Revolutions (Rooted CON 2011) from rootedcon on Vimeo.

Analyzing Malware Hollow Processes with Volatility

Reading this post I have learned what is a Hollow Process and how can it be analyzed with Volatility.

What is a Hollow Process?
Process hollowing is a technique used by some malware in which a legitimate process is loaded on the system solely to act as a container for hostile code. At launch, the legitimate code is deallocated and replaced with malicious code. The advantage is that this helps the process hide amongst normal processes better. If you inspect the process and its imports using conventional tools, they all look legit. The PEB is untouched, but the actual code and data of the process have been changed.

A really simple example would be to create a new Notepad process in suspended mode and then replace the code and data segments with our malicious code before we start the execution. This way, we will not find any trace of malicious activity when doing a quick look at the process list (more info. on the post).



Then, how do we analyze a compromised system? The article explains the following techniques:

  • Looking for RWX memory segments. Some memory segments in a legit process should be 'read-only' and perhaps the attacker forgot to fix these permissions. There are some volatility plugins that do so.
  • Dump the process with the procexedump command  and compare it with the original in the file system (or a well known copy).
  • Since finding the exact binary is difficult, we can also do Fuzzy Hashing.  This technique indicates the amount of common content  in two files. The less similar the binaries are,  the more confident we are that the process was Hollowed. They use the tool called ssdeep (by Jesse Kornblum).

Thursday, June 16, 2011

Spreading Malware Through the Android Market

Nice post [Spanish] written by SecurityByDefault, that explains how simple is the process of spreading malware through the Android Market.

It seems that people perceive the market like a safe place and a controlled software repository, but it is far from that. Once we create an account and we pay 20 Euros (Europe) we can upload applications without any control or restriction. Therefore, the only barrier is the user's criteria (weak!). In fact, some people downloaded the tested applications without advertising them!!!

The test consisted in uploading two applications that were fully functional, but with 'extra' functionality. Both pretended to be an inoffensive Fortune program, but it was more than that:


  • Quote It. It leaks the contact list through GET requests with the excuse of downloading the quotes. The mechanism is simple: Encrypt the data and leak it by using the cookies in the above HTTP requests.
  • Quote Slim. It opens a backdoor on port 8080, that permits to execute commands, access files, etc..

Wednesday, June 15, 2011

Examples of Attack Remediation for Small and Large Enterprises

I have found this post that seems to be the resume of a talk  given by an employee of Mandiant at FIRST 2011.

The text explains the steps that need to be taken to remediate  the attack and the possible scenarios that a small and a large enterprise can face. It is not meant to be a cheat-sheet but  rather the experience in the field and tactics that helped them to be successful.

List of Sandbox Services

This post is just a reference in case I have to use these services in the future.

Via sempersecurus.blogspot.com I have found the list of the most common Sandbox services.

Tuesday, June 14, 2011

Sniffing DECT Phones with Dedected and BT5

Nice article in the BackTrack Wiki that explains how to sniff phone calls made with DECT devices.

The text explains how to  install  and run Dedected  on BT5.  I understand they use Audacity to merge all the WAV files generated by Dedected in one single file, but perhaps there are more tools for this purpose.


UPDATE: I have also  found the following video that explains the whole process


Sniffing DECT phones with BackTrack from smtx on Vimeo.

Analyzing OSX Memory Images with Volafox

I have learned via room362's twitter , volatility and computer.forensikblog.de that there is an open-source tool called Volafox that is able to analyze Mac OSX memory images. This tool is written in python and is built on  top of Volatility.

Kyeong-Sik Lee and the Korean Digital Forensic Research Center have released Volafox, a free and open-source tool to analyze Mac OS X memory images. Volafox is based on work by Matthieu Suiche (paper and slides) and the Volatility memory analysis framework.

Emulating Zeus DNS Traffic to Test the Defenses

Via rapid7 I have found a nice post that uses Metasploit to test how our defenses react when a host is infected with the Zeus trojan.

In a nutshell,  the author uses the module  auxiliary/vsploit/dns/dns_beacon  to resolve a list of DNS  domain names listed in the  Abuse.ch's Zeus Tracker. Since these domain names are known to spread malware, our defenses should react and report the incident.

Please, note the difference between resolving the DNS name and connecting to the server to fetch the malware. I might be wrong, but many IDS/IPS systems only flag the connections to the C&C and the dropper, like the Emerging Threats Signatures.

The IDS/IPS should inspect the DNS traffic in order to flag our tests. The other option is to setup a DNS Sinkhole that redirects these requests, in conjunction with an IDS rule that flags this redirection.

Friday, June 10, 2011

Cracking Password-Protected SSH Keys with John the Ripper

I have just found this announcement sent by Solar Designer from the Openwall Project.


It seems that they have added support to crack password-protected SSH private keys:



This community-enhanced release integrates preliminary support for several non-hashes, implemented under Dhiru Kholia's GSoC 2011 project. Specifically, it supports cracking of OpenSSH's passphrase-protected SSH protocol 2 private keys, password-protected PDF files with 40-bit and 128-bit RC4 encryption, and some password-protected RAR archives.

Yes, Dhiru's SSH key cracker includes OpenMP parallelization. There's a limitation, though: this requires OpenSSL 1.0.0 or newer, for thread-safety of the interfaces being used. When building or running with older versions of OpenSSL, OpenMP parallelization in the SSH cracker is automatically disabled. (You can always use MPI instead.)




Encrypting your Dropbox Data with EncFS

I have found this post via Mubix . This a recurrent subject and I have seen many posts in the past.

Since there is a total lack of security in Dropbox, many people have thought it would be a good idea to encrypt its content, so only the legit owner can access the data. The problem comes when many solutions encrypt complete volumes, forcing us to sync the complete volume to dropbox over and over again, which is not handy at all.

The advantage of EncFS is that it encrypts per file, making it really convenient for our purpose.

Wednesday, June 8, 2011

Metasploit Linux Post Exploitation

 Via digininja's Twitter account, I have found this blog post that describes a set of Metasploit Linux Post Exploitation modules.


I think the list of executed commands is more or less complete, but I would also add the following :

# currently logged users and server uptime.
w

# all opened connections (TCP,UDP and Unix sockets) and the respective PID/UID
netstat -pan

# same as before but only TCP and UDP
lsof -nn | egrep "TCP|UDP"

# the mount command only displays the currently mounted devices. We may find a commented line or a device that is not automatically mounted
 /etc/fstab

#  Is the server exporing NFS volumes?
cat /etc/exports

# tree view of all the processes
ps faxu

# last users that logged to the system. The -a flag puts the complete remote hostname on the last column
last -a

# similar to the previous one
lastlog

#  quick view of the log policy in the computer. The default is 4 weeks worth of logs.
ls -lat /var/log

# Are they sending logs to a centralized system?
cat /etc/syslog.conf

Wednesday, June 1, 2011

Htaccess Web Shell

Via Mubix I have found this post that describes a new way to upload a web shell to a server.

This method uploads .htaccess files to change how the server behaves. The nice trick here is that the file itself:

  • Allows the .htaccess files to be displayed
  • Tells Apache that the contents of the .htaccess files must be interpreted by PHP (the file itself will be  executed by the PHP interpreter)
  • The last part of the file contains PHP code that will pass commands to the operative system.

As a side note, the author also comments that this trick can also be applied to jsp and mod_perl installations.

Some information on securing file uploads, from OWASP.