Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

16 January 2016 | 3,099 views

LOKI – Indicators Of Compromise Scanner

Cybertroopers storming your ship?

Loki is a Indicators Of Compromise Scanner, based on 4 main methods (additional checks are available) and will present a report showing GREEN, YELLOW or RED result lines.

LOKI - Indicators Of Compromise Scanner

The compiled scanner may be detected by antivirus engines. This is caused by the fact that the scanner is a compiled python script that implement some file system and process scanning features that are also used in compiled malware code.

If you don’t trust the compiled executable, please compile it yourself.

Detection

Detection is based on four detection methods:

  • File Name IOC – Regex match on full file path/name
  • Yara Rule Check – Yara signature match on file data and process memory
  • Hash Check – Compares known malicious hashes (MD5, SHA1, SHA256)
  • C2 Back Connect Check – Compares process connection endpoints with C2 IOCs

There are also some additional checks available:

  • Regin filesystem check (via –reginfs)
  • Process anomaly check
  • SWF decompressed scan
  • SAM dump check

Included IOCs

Loki currently includes the following IOCs:

  • Equation Group Malware (Hashes, Yara Rules by Kaspersky and 10 custom rules generated by us)
  • Carbanak APT – (Hashes, Filename IOCs – no service detection and Yara rules)
  • Arid Viper APT – (Hashes)
  • Anthem APT Deep Panda Signatures (not officialy confirmed)/li>
  • Regin Malware (GCHQ / NSA / FiveEyes) (incl. Legspin and Hopscotch)
  • Five Eyes QUERTY Malware
  • Skeleton Key Malware (other state-sponsored Malware)
  • WoolenGoldfish – (SHA1 hashes, Yara rules)
  • OpCleaver (Iranian APT campaign)
  • More than 180 hack tool Yara rules
  • More than 600 web shell Yara rules
  • Numerous suspicious file name regex signatures

Usage

The Windows binary is compiled with PyInstaller 2.1 and should run as x86 application on both x86 and x64 based systems.

You can download Loki here:

loki.exe

Or read more here.

Advertisements



14 January 2016 | 3,266 views

Fortinet SSH Backdoor Found In Firewalls

So the Fortinet SSH Backdoor, apparently it’s just a management authentication issue. Sorry, what’s that? It looks like a passphrase based admin level access login via SSH to me personally.

Which is scary.

Fortinet SSH Backdoor Found In Firewalls

They are adamantly shouting from rooftops that it was not planted by a 3rd party (NSA? Like Juniper..) or any kind of malicious activity.

Enterprise security vendor Fortinet has attempted to explain why its FortiOS firewalls were shipped with hardcoded SSH logins.

It appears Fortinet’s engineers implemented their own method of authentication for logging-into FortiOS-powered devices, and the mechanism ultimately uses a secret passphrase. This code was reverse-engineered by persons unknown, and a Python script to exploit the hole emerged on the Full Disclosure mailing list this week.

Anyone who uses this script against vulnerable firewalls will gain administrator-level command-line access to the equipment. After some outcry on Twitter and beyond, Fortinet responded by saying it has already killed off the dodgy login system.

“This issue was resolved and a patch was made available in July 2014 as part of Fortinet’s commitment to ensuring the quality and integrity of our codebase,” a spokeswoman told El Reg.

“This was not a ‘backdoor’ vulnerability issue but rather a management authentication issue. The issue was identified by our product security team as part of their regular review and testing efforts. After careful analysis and investigation, we were able to verify this issue was not due to any malicious activity by any party, internal or external.”

In a security advisory dated today, Fortinet explained that the issue affects FortiOS versions 4.3.0 to 4.3.16 and 5.0.0 to 5.0.7. This covers FortiOS builds from between November 2012 and July 2014, and it’s certainly possible that some slack IT admins haven’t updated the software since then.

It was actually patched by Fortinet in July 2014, but with edge devices like Firewalls – they don’t often get updated as it usually causes network downtime. So I’d guess there are plenty of firewalls out there very vulnerable to this, which basically gives you full admin access.

You can find the ‘exploit’ script in Python here: SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7

It’s also possible that even if they did update in a timely fashion, their devices could have been breached before the fix was issued.

The login method is used by FortiManager, a tool for controlling any number of Fortinet devices from a central system.

If you are running older code and can’t upgrade, the firewall maker suggests a couple of workarounds. Managers can disable admin access via SSH and use the web interface instead, or the console browser applet for command-line access. If you really need SSH access, then version 5.x can restrict access to SSH to a minimal set of authorized IP addresses.

Whether you call it a backdoor or a “management authentication issue,” it’s still a pretty major issue for some sysadmins, and they are unlikely to be happy about the news.

One significant part of Fortinet’s statement was the assertion that this didn’t come from an external party. Ever since the Juniper backdooring security vendors have been at pains to avoid any suggestion that they are allowing intelligence agencies access to their products.

In the meantime, if you are using FortiOS then make sure the fimrware is up to date. The news of this hole will have the malicious hacking community aflutter and many are no doubt already scanning for vulnerable targets.

There are some work arounds, what I’d personally like to see though is more transparency about the process and decisions made that led to this code being on production firewalls. How does this even happen?

And how did they only find it during scheduled review and testing? What kind of testing/QA/CI process do they have?

It all sounds rather fishy to me.

Source: The Register


12 January 2016 | 3,503 views

dnscat2 – DNS Tunnel Tool

This DNS tunnel tool named dnscat2 creates an encrypted tunnel over the DNS protocol primarily as a command-and-control (C&C) channel for penetration testers as outbound DNS is rarely blocked in networks.

dnscat2 - DNS Tunnel Tool

This makes it a very effective tunnel out of almost every network.

Overview

dnscat2 comes in two parts: the client and the server.

The client is designed to be run on a compromised machine. It’s written in C and has the minimum possible dependencies. It should run just about anywhere (if you find a system where it doesn’t compile or run, please file a ticket, particularly if you can help me get access to said system).

When you run the client, you typically specify a domain name. All requests will be sent to the local DNS server, which are then redirected to the authoritative DNS server for that domain (which you, presumably, have control of).

If you don’t have an authoritative DNS server, you can also use direct connections on UDP/53 (or whatever you choose). They’ll be faster, and still look like DNS traffic to the casual viewer, but it’s much more obvious in a packet log (all domains are prefixed with “dnscat.”, unless you hack the source). This mode will frequently be blocked by firewalls.

The server is designed to be run on an authoritative DNS server. It’s in ruby, and depends on several different gems. When you run it, much like the client, you specify which domain(s) it should listen for in addition to listening for messages sent directly to it on UDP/53. When it receives traffic for one of those domains, it attempts to establish a logical connection. If it receives other traffic, it ignores it by default, but can also forward it upstream.

How is it different from…

dnscat2 strives to be different from other DNS tunnelling protocols by being designed for a special purpose: command and control.

This isn’t designed to get you off a hotel network, or to get free Internet on a plane. And it doesn’t just tunnel TCP.

It can tunnel any data, with no protocol attached. Which means it can upload and download files, it can run a shell, and it can do those things well. It can also potentially tunnel TCP, but that’s only going to be added in the context of a pen-testing tool (that is, tunnelling TCP into a network), not as a general purpose tunnelling tool. That’s been done, it’s not interesting (to me).

It’s also encrypted by default. I don’t believe any other public DNS tunnel encrypts all traffic!

You can download dnscat2 here:

Win32 Client – dnscat2-v0.05-client-win32.zip
Linux x86 Client – dnscat2-v0.05-client-x86.tar.bz2
Linux x64 Client – dnscat2-v0.05-client-x64.tar.bz2
Server – dnscat2-v0.05-server.zip

Or read more here.


09 January 2016 | 3,855 views

FastIR Collector – Windows Incident Response Tool

FastIR Collector is Windows incident response tool that offers the possibility to extract classic artefacts such as memory dump, auto-started software, MFT, MBR, Scheduled tasks, Services and records the results in csv files. The tool can also perform smart acquisitions thanks to the filecatcher, certificate filtering or support of Yara rules.

FastIR Collector - Windows Incident Response Tool

The first part of the name “Fast” was chosen because one of the prerequisite before the beginning of the development was to be able to perform forensic collections as quickly as possible. A standard collection (without filecatcher or dump) takes less than 1 minute 30 seconds on a Windows 7 system.

FastIR is designed to counter the growing size of hard drives, traditional forensics tools can take several hours to make a copy of the data and the volume of the data may be too large to make a reasonably speedy analysis.

Features

FastIR looks for various artefacts, including (but not limited to):

  • Drive Identification – Archives all PE files not signed by Microsoft in Windows directories.
  • Persistence Identification – Collects several persistence mechanisms.
  • Named Pipes Identification – Rootkits often use named pipes to communication between components.
  • Virtual File Systems – Collects & analyses Windows Prefetch files.
  • Malware Identification – Using various artefacts and techniques.
  • Process & Injection Identification – Able to identify various RATs, malware and rootkits from these artefacts.

The full documentation can be found here – FastIR_Documentation.pdf

Requirements

If you aren’t using the prebuilt exe:

  • pywin32
  • python WMI
  • python psutil
  • python yaml
  • construct
  • distorm3
  • hexdump
  • pytz

There is also a more extensive paper about the tool here: FastIR-Collector-on-advanced-threats_v1.5.pdf

You can download FastIR Collector here:

FastIR_x64.exe
FastIR_x86.exe

Or read more here


07 January 2016 | 2,023 views

A Look Back At 2015 – Tools & News Highlights

So here we are in 2016, yet still writing 2015 in our chequebooks (yah lolpls like anyone uses cheques any more). Following on from last year and our 2014 summary, here is our 2015 highlights post with interesting happenings over the past 12 months – including tools and news stories.

A Look Back At 2015 – Tools & News Highlights

2015 News Stories

The theme for 2015 seemed to be LARGE SCALE OWNAGE, everything and everyone was getting hacked left right and center. Right at the start of the year we already had the GHOST vulnerability and a Flash zero day in the wild – which left us happy to say goodbye to Flash on Facebook towards the end of the year (After their record breaking patch which contained 78 CVE-classified Vulnerabilities).

One of the big dramas of the year was Hacking Team getting Hacked – oh the irony. Other notable stuff would be the vulnerabilities in Jeep cars, the WhatsApp Web vCard Vulnerability, and the Hilary Clinton e-mail leak.

It was also the year of mega DDoS attacks with Telegram suffering a HUGE 200GBps pounding mid-year, then the prolonged, sustained and rather sophisticated DDoS on the crypto-mail service ProtonMail and to finish the year (and the one that affected me) the multi-day mega DDoS Seige on Linode over xmas and new years (thanks for wrecking many people’s holidays).

Other interesting stuff would be the Dell backdoor root cert fiasco, the TalkTalk hack which they tried to initially downplay and cover up, Logjam (which was a very interesting attack vector based on the the forward secrecy implementation).

2015 Best Hacking Tools

There’s been some pretty neat stuff released this year, the below are tools that’s I’ve personally found interesting but haven’t been super high traffic:

You may have overlooked some of these, so do check them out if you did!

You’ve probably already seen those below in the most viewed list, but well if you haven’t check out the below for the hottest tools in 2015.

Bonus – Top 10 Most Viewed Posts From 2015

  1. Infernal Twin – Automatic Wifi Hacking Tool
  2. EvilFOCA – Network Attack Toolkit
  3. FruityWifi – Wireless Network Auditing Tool
  4. Windows Credentials Editor (WCE) – List, Add & Change Logon Sessions
  5. Hacking Team Hacked – What You Need To Know
  6. Gcat – Python Backdoor Using Gmail For Command & Control
  7. Zarp – Network Attack Tool
  8. ATM Hacked Using Samsung Galaxy S4 & USB Port
  9. Parrot Security OS – Debian Based Security Oriented Operating System
  10. WinRAR Vulnerability Is Complete Bullshit

Enjoy 2016!


05 January 2016 | 2,934 views

Dradis – Reporting Platform For IT Security Professionals

Dradis is an open source reporting platform for IT Security, tailored towards the types of information that need to be shared amongst an information security team during a professional engagement. It provides a centralized repository of information using a web interfaced based client/server architecture.

Dradis - Reporting Platform For IT Security Professionals

It also supports 15+ different tools including Burp, Nessus, Nmap, Qualys (listed below).

The goals of the project are to:

  • Share the information effectively.
  • Easy to use, easy to be adopted.
  • Flexible: with a powerful and simple extensions interface.
  • Small and portable.
    • You should be able to use it while on site (no outside connectivity).
    • It should be OS independent (no two testers use the same OS).

Features

  • Platform independent
  • Markup support for the notes: text styles, code blocks, images, links, etc.
  • Integration with existing systems and tools:
    • Burp Scanner
    • Metasploit
    • Nessus
    • NeXpose
    • Nikto
    • Nmap
    • OpenVAS
    • OSVDB
    • Retina
    • SureCheck
    • VulnDB
    • w3af
    • wXf
    • Zed Attack Proxy

New in v3.0

  • Support for Issue/Evidence separation
  • New HTML/CSS interface
  • Use BCrypt for password storage.
  • Gemified plugins in external repositories
  • Enhanced background workers
  • New plugins:
    • Export: CSV, PDF
    • Upload: Acunetix, Qualys
  • Rails 4.1

You can download Dradis 3.0.0.rc3 here:

Linux – dradis-3.0.0.rc3-linux-x86.tar.gz
Mac – dradis-3.0.0.rc3-osx.tar.gz

Or read more here.


31 December 2015 | 4,378 views

Linode DDoS Attack – Merry Xmas Sysadmins

So the Linode DDoS attack – seems like this xmas has been a terrible time for sys admins, along with what happened to Steam and A Small Orange (100+ hours down).

Linode DDoS Attack - Merry Xmas

A whole lot of work during the most drunken holiday of the year, not fun. And yes it affected me too, work wise everything is hosted on Linode – and this site is also hosted on Linode. So I got spammed with SMS alerts from Dec 26th – Dec 28th (thankfully not on xmas day itself). The above image is actually my own screenshot I sent to the team to update everyone on the situation on boxing day.

And the attacks are still ongoing to some degree as you can see on the Linode status page here: http://status.linode.com/

Virtual server host Linode has been on and offline since Christmas Day as it weathers an ongoing denial-of-service attack. Four days in, its customers are getting grumpy.
Linode

Status page … Linode still suffering days after attacks began

“We are currently aware of a DoS attack that is affecting the Linode Manager/Website and our Dallas datacenter. This post will be updated as soon as we have more information to provide,” the biz said in the wee small hours of Christmas Day.

While billions settled in for the end-of-year festivities, floods of network traffic overwhelmed Linode’s systems in Dallas, Texas, and took parts of its website down. By 3am on the 26th, the waves of packets seemed to be dying down, but then the attackers shifted their sights to the company’s other data centers.

People were getting antsy all over and moving to other hosts like Digital Ocean, RamNode and Vultr.

Can’t blame them really, even if you had a hot fail-over in a different Linode DC – you’d likely still be affected.

Later that day, Linode’s data centers in Atlanta, Georgia, and Newark, New Jersey, took hits – as did the company’s London hosting center. The assailants then started hammering the Dallas data center again, effectively knocking people’s virtual servers offline.

Atlanta, Newark, and London were brought back online a day later, although the two US data centers, plus a third in Fremont, California, were soon floored again. Now it seems only the Dallas site is under attack, causing “degraded performance,” according to Linode.

Punters have been venting about the situation, with the linuxadmin and webdev subreddits getting complaints. With little more than stock statements coming out of Linode, some users are threatening to move to rival services, such as Vultr and DigitalOcean.

A spokesperson for Linode was not available for comment.

It seems like the attack is still being aimed at their biggest DC, which is Dallas and the home of the Linode site and manager. This means the Linode Manager, API and the Dallas DC itself are still suffering degraded performance – but are not totally offline.

The DDoS seems to be quite a broad, powerful attack against the entire Linode infrastructure – targeting various bits which can degrade an entire data centre and moving the attack upstream as it got blocked.

Source: The Register


29 December 2015 | 6,851 views

LaZagne – Password Recovery Tool For Windows & Linux

The LaZagne project is an open source password recovery tool used to retrieve passwords stored on a local computer. Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases and so on). This tool has been developed for the purpose of finding these passwords for the most commonly-used software. At this moment, it supports 22 Programs on Microsoft Windows and 12 on a Linux/Unix-Like operating systems.

LaZagne - Password Recovery Tool For Windows & Linux

It supports a whole bunch of software including things like CoreFTP, Cyberduck, FileZilla, PuttyCM, WinSCP, Chrome, Firefox, IE, Opera, Jitsi, Pidgin, Outlook, Thunderbird, Tortoise, Wifi passwords and more.

Usage

Retrieve version

Launch all modules

Launch only a specific module

Launch only a specific software script

Write all passwords found into a file (-w options)

Use a file for dictionary attacks (used only when it’s necessary: mozilla masterpassword, system hahes, etc.). The file has to be a wordlist in cleartext (no rainbow), it has not been optimized to be fast but could useful for basic passwords.

Change verbosity mode (2 different levels)

You can download laZagne here:

Windows – laZagne-Windows.zip
Source – Source-1.1.zip

Or read more here.


24 December 2015 | 552 views

Facebook Disabled Flash For Video Finally

So Facebook disabled Flash for video finally, sadly it’s still there for games but a large use case for it just went out the window. And really, it’s not surprising after the recent mega patch in Adobe Flash that fixed 78 CVE classified vulnerabilities.

Facebook Disabled Flash For Video Finally

There’s just no good reason for anyone to still be using Flash and browsers, if they don’t block it completely, should at minimum make it click to enable on a site by site basis.

That doesn’t guarantee safety though with Flash vulnerabilities floating around in drive-by malware hiding in Flash based ad units. Just say no to Flash.

Facebook has hammered another nail in to the coffin of Adobe Flash, by switching from the bug-ridden plug-in to HTML5 for all videos on the site.

The Social NetworkTM explained the move by saying “Moving to HTML5 best enables us to continue to innovate quickly and at scale, given Facebook’s large size and complex needs.”

Flash hasn’t been completely banished: Facebook says it is “continuing to work together with Adobe to deliver a reliable and secure Flash experience for games on our platform.”

Facebook’s Daniel Baulig writes that going to HTML5 means the company can “tap into the excellent tooling that exists in browsers, among the open source community, and at Facebook in general. Not having to recompile code and being able to apply changes directly in the browser allow us to move fast.”

“HTML5 made it possible for us to build a player that is fully accessible to screen readers and keyboard input,” Baulig added, going on to explain that the standard will make it easier to develop for people with visual impairments.

Less of the web is becoming reliant on Flash with video being one of the big hold outs, Youtube moved away earlier this year – but most WordPress plugins, private sites players and anyone else playing or streaming video still use Flash based players.

With a big site like Facebook going fully HTML5 for video, it should lead the way and push people in the right direction (hopefully).

But HTML5 is no panacea: Baulig wrote that “we noticed that a lot of the older browsers would simply perform worse using the HTML5 player than they had with the old Flash player.”

“We saw more errors, longer loading times, and a generally worse experience.”

The Social NetworkTM therefore moved to HTML5 for newer browsers some time ago, adding more browsers over time has improved its video player. As of December 19th, however, it’s all HTML5 all the time, no matter the browser with which you venture into The House That Zuck Built.

And The House always wins: Baulig says “People like, comment, and share more on videos after the switch, and users have been reporting fewer bugs. People appear to be spending more time with video because of it.”

As Baulig’s post points out, Facebook operates at unusual scale and therefore has unusual needs. Yet the site’s considerable influence means developers everywhere are likely to be asked to consider this decision before long, not least because YouTube’s also flushed Flash.

It’s one thing I am grateful to Apple for – leading the anti-Flash movement since the very beginning. Can’t blame them really, why implement such an insecure piece of software into your walled garden.

I don’t see the big Facebook games reimplementing in HTML5 any time soon unless Facebook forces their hand, I hope it’s already tabled though and Facebook has given a deadline to totally stop the use of Flash on the platform.

Source: The Register


22 December 2015 | 2,293 views

PowerSploit – A PowerShell Post-Exploitation Framework

PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. Basically PowerSploit is a PowerShell Post-Exploitation Framework that helps you with various tasks like DLL injection, invoking shellcode and setting up script persistence.

PowerSploit - A PowerShell Post-Exploitation Framework

It also includes reflective PE injection and can reflectively load Mimikatz into memory allowing you to dump credentials without writing anything to disk.

Features

PowerSploit has the modules categorised in the following groups:

  • Antivirus Bypass Find bytes of a file which has a matching signature in antivirus.
  • Code Execution Execute code on a target machine.
  • Exfiltration Create logons, get keystrokes, grab passwords, make a volume shadow copy etc.
  • Mayhem Cause general mayhem with PowerShell.
  • Persistence Maintain control to machine by adding persistence to scripts.
  • Privesc Tools to help with escalating privileges on a target.
  • Recon Tools to aid in the reconnaissance phase of a penetration test.
  • Script Modification Modify and/or prepare scripts for execution on a compromised machine..

Usage

Refer to the comment-based help in each individual script for detailed usage information.

To install this module, drop the entire PowerSploit folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.

The default per-user module path is: “$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules” The default computer-level module path is: “$Env:windir\System32\WindowsPowerShell\v1.0\Modules

To use the module, type Import-Module PowerSploit

To see the commands imported, type Get-Command -Module PowerSploit

If you’re running PowerShell v3 and you want to remove the annoying ‘Do you really want to run scripts downloaded from the Internet’ warning, once you’ve placed PowerSploit into your module path, run the following one-liner: $Env:PSModulePath.Split(';') | % { if ( Test-Path (Join-Path $_ PowerSploit) ) {Get-ChildItem $_ -Recurse | Unblock-File} }

For help on each individual command, Get-Help is your friend.

Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.

You can download PowerSploit v3.0.0 here:

PowerSploit-v3.0.0.zip

Or read more here.