BEURK – Linux Userland Preload Rootkit

Keep on Guard!


BEURK is an userland preload rootkit for GNU/Linux, heavily focused around anti-debugging and anti-detection.

BEURK - Linux Userland Preload Rootkit

Being a userland rootkit it gives limited privileges (whatever the user has basically) vs a superuser or root level rootkit.

Features

  • Hide attacker files and directories
  • Realtime log cleanup (on utmp/wtmp)
  • Anti process and login detection
  • Bypass unhide, lsof, ps, ldd, netstat analysis
  • Furtive PTY backdoor client

Usage

Compile

Install

Enjoy !

Dependencies

The following packages are not required in order to build BEURK at the moment:

  • libpcap – to avoid local sniffing
  • libpam – for local PAM backdoor
  • libssl – for encrypted backdoor connection

You can download BEURK here:

beurk-dev.zip

Or read more here.


Tags: , , , , , ,

Posted in: Linux Hacking, Malware | Add a Comment

Shadow Brokers Release Dangerous NSA Hacking Tools

Outsmart Malicious Hackers


It’s not the first time Shadow Brokers has been on the radar with NSA Hacking Tools, in August 2016 they exposed a bunch of 0-day exploits (also from 2013).

Shadow Brokers Release Dangerous NSA Hacking Tools

This cache of tools appears to be from 2013, so was probably snatched during the same intrusion. This is somewhat more dangerous though as it provides what are essentially point-and-click tools for exploiting all types of Microsoft systems.

The Shadow Brokers have leaked more hacking tools stolen from the NSA’s Equation Group – this time four-year-old exploits that attempt to hijack venerable Windows systems, from Windows 2000 up to Server 2012 and Windows 7 and 8.

The toolkit puts into anyone’s hands – from moronic script kiddies to hardened crims – highly classified nation-state-level weaponry that can potentially compromise and commandeer systems around the world. This is the same powerful toolkit Uncle Sam used once upon a time to hack into and secretly snoop on foreign governments, telcos, banks, and other organizations.

The files range from Microsoft Windows exploits to tools for monitoring SWIFT interbank payments. Ongoing analysis of the leaked documents and executables has revealed Cisco firewalls and VPN gateways are also targets.

The Shadow Brokers tried auctioning off the stolen cyber-weapons to the highest bidder, but when that sale flopped with no buyers, the team started releasing the gear online for free anyway.

“The shadow brokers not wanting going there. Is being too bad nobody deciding to be paying the shadow brokers for just to shutup and going away,” the group said in a typically garbled blog post.


Just exploits take a little more skill to use, but these tools allow the most n00b skiddies to carry out some pretty devastating attacks on machines running Win2k all the way to Windows 8 and Windows Server.

It seems like they tried to auction of this kit and got the cold shoulder, which should be expected as those with serious money are not gonna drop it on a bunch of 2013 software.

“The Shadow Brokers rather being getting drunk with McAfee on desert island with hot babes. Maybe if all suviving WWIII the shadow brokers be seeing you next week. Who knows what we having next time?”

For IT managers and normal folks, the Windows-hacking arsenal, which dates to around mid-2013, is the most concerning. It contains exploits for vulnerabilities that can be used to hack into unpatched Windows systems, from Windows 2000 to Windows 8 and Server 2012. In some cases this can be done across the network or internet via SMB, RDP, IMAP, and possibly other protocols.

If you have a vulnerable aging machine with those services running, it is possible they can be hijacked using today’s dumped tools – if not by strangers on the ‘net then potentially by malicious employees or malware already on your network. If you’re running the latest up-to-date gear, such as Windows 10, none of this will directly affect you – but not everyone is so lucky. There are plenty of organizations out there that cannot keep every box up to date, for various reasons.

The leaked archive also contains the NSA’s equivalent of the Metasploit hacking toolkit: FUZZBUNCH.

Matthew Hickey, cofounder of British security shop Hacker House, told The Register FUZZBUNCH is a very well-developed package that allows servers to be penetrated with a few strokes of the keyboard. The toolkit has modules to install a backdoor on invaded boxes to remote control the gear and romp through file systems.

Some part of me is glad to see the NSA software appears to be well written and well architected, at least they are doing well on those fronts. Plus 4 years later I’d imagine the malicious software capabilities they have are much more powerful.

We will have to wait and see if any more comes from this.

Source: The Register


Tags: , , , , , , ,

Posted in: Exploits/Vulnerabilities, Legal Issues | Add a Comment

yarAnalyzer – Yara Rule Analyzer and Statistics Generator

Outsmart Malicious Hackers


yarAnalyzer is a Python-based YARA rule analyzer that can also generate statistics from yara rulesets. It also has an inventory creation feature that can output a CSV file detailing the rules.

yarAnalyzer - Yara Rule Analyzer and Statistics Generator

It creates statistics on a YARA rule set and files in a sample directory. Place some signatures with .yar extension in the “signatures” folder and then run yarAnalyzer on a certain sample directory.

Usage


You can download yarAnalyzer here:

yarAnalyzer-v0.3.4.zip

Or read more here.


Tags: , , , , , ,

Posted in: Malware, Security Software | Add a Comment

Prisoners Hack Prison From Inside Prison

Outsmart Malicious Hackers


Prisoners Hack Prison! Sounds exciting right? This time it’s actually pretty entertaining with the prisoners managing to hack a prison network from INSIDE the prison using scavenged PC parts from a rehabilitation class.

Prisoners Hack Prison From Inside Prison

Some pretty resourceful guys managing to build 2 functional PCs from scrapped parts AND connect to the prison network AND try and hack their way out of the proxy.

We are impressed by prisoners in the US who built two personal computers from parts, hid them behind a plywood board in the ceiling of a closet, and then connected those computers to the Ohio Department of Rehabilitation and Correction’s (ODRC) network to engage in cyber shenanigans.

Compliment are less forthcoming from the State of Ohio’s Office of the Inspector General, which published its 50-page report [PDF] into this incident yesterday, following a lengthy investigation.

The Inspector General was alerted to the issue after ODRC’s IT team migrated the Marion Correctional Institution from Microsoft proxy servers to Websense. Shortly afterwards, on 3 July 2015, a Websense email alert reported to ODRC’s Operation Support Centre (OSC) that a computer operating on the network had exceeded a daily internet usage threshold. Further alerts, seven regarding “hacking” and 59 regarding “proxy avoidance”, reported that the user was committed to network mischief.

From there the search for the miscreant began, and once the log-in credentials used were found to be illicit, the ODRC’s IT employees attempted to find the unauthorised computer by locating the network switch it was connected into.


Judging from the way the scenario is described I’d assume (fairly safely) this is a low-security prison, probably THE lowest security AKA a white-collar prison.

There’s no way these kind of shenanigans could happen in a high-security facility. Plus whoever pulled this off is definitely tech-savvy so most likely a white-collar criminal rather than a violent murderer.

The computers were cobbled together from spare parts which prisoners had collected from Marion Correction Institution’s RET3, a programme that helped to rehabilitate prisoners by getting them to break down old PCs into component parts for recycling.

Forensic analysis of the computers completed by the Ohio Inspector General revealed that the users exploited their access to the ODRC’s systems to issue passes for inmates to gain access to multiple areas within the institution. They also used the Departmental Offender Tracking System to steal the personal information of another inmate and use those details to successfully apply for five credit cards.

Additional forensics by a more technical team reported finding “a large hacker’s toolkit with numerous malicious tools for possible attacks. These malicious tools included password-cracking tools, virtual private network tools (VPN), network enumeration tools, hand-crafted software, numerous proxy tools, and other software used for various types of malicious activity.”

In addition to the above, the forensics team found “self-signed certificates, Pidgin chat accounts, Tor sites, Tor geo exit nodes, ether soft, virtual phone, pornography, videos, VideoLan, and other various software” in addition to evidence that malicious activity had been occurring within the ODRC inmate network.

Some pretty advanced stuff going on there, delving into the darknet with Tor, self-signed SSL certs (probably trying to MiTM the proxy or something else on the network). Sounds like fun!

Apparently the 5 perps have been identified and split up, funs over boys.

Source: The Register


Tags: , , , , , , , , ,

Posted in: General Hacking, Legal Issues | Add a Comment
spectrology - Basic Audio Steganography Tool

spectrology – Basic Audio Steganography Tool

spectrology is a Python-based audio steganography tool that can convert images to audio files with a corresponding spectrogram encoding, this allows you to hide hidden messages via images inside audio files. Using this tool you can select range of frequencies to be used and all popular image codecs are supported. Usage

Example

You […]

Tags: , , , , , ,

Posted in: Cryptography, Hacking Tools, Privacy | Add a Comment
PowerMemory - Exploit Windows Credentials In Memory

PowerMemory – Exploit Windows Credentials In Memory

PowerMemory is a PowerShell based tool to exploit Windows credentials present in files and memory, it levers Microsoft signed binaries to hack Windows. The method is totally new. It proves that it can be extremely easy to get credentials or any other information from Windows memory without needing to code in C-type languages. In addition, […]

Tags: , , , , , , , , ,

Posted in: Exploits/Vulnerabilities, Hacking Tools, Password Cracking, Windows Hacking | Add a Comment
Microsoft Azure Web Application Firewall (WAF) Launched

Microsoft Azure Web Application Firewall (WAF) Launched

Not too long after Amazon launched their cloud protection WAF the Microsoft Azure Web Application Firewall (WAF) has been made generally available in all public Azure DCs. It’s a good move with the majority of websites and services moving into one of the big 3 cloud providers (AWS, Google or Azure) and the vast majority […]

Tags: , , , , , , , ,

Posted in: Countermeasures, Web Hacking | Add a Comment
HashData - A Command-line Hash Identifying Tool

HashData – A Command-line Hash Identifying Tool

HashData is a Ruby-based command-line REPL Hash Identifying Tool with support for a lot of different (most popular) hash types. Installation

Usage Command Line When installed, run hashdata and paste in hashes when prompted. Library Example Script:

The above should output true. The library only matches the start of your second input, this […]

Tags: , , , , , , , , , , ,

Posted in: Cryptography, Hacking Tools, Password Cracking | Add a Comment
European Commission Pushing For Encryption Backdoors

European Commission Pushing For Encryption Backdoors

The debate surrounding encryption backdoors has been raging on for years with governments (that typically don’t really understand the things they are pushing for) requesting all software have government ‘secured’ backdoor keys. This is now getting more serious in Europe with the EC actually forcing the issue (in a passive aggressive kind of way for […]

Tags: , , , , , ,

Posted in: Cryptography, Legal Issues, Privacy | Add a Comment
HashPump - Exploit Hash Length Extension Attack

HashPump – Exploit Hash Length Extension Attack

HashPump is a C++ based command line tool to exploit the Hash Length Extension Attack with various hash types supported, including MD4, MD5, SHA1, SHA256, and SHA512. There’s a good write-up of how to use this in practical terms here: Plaid CTF 2014: mtpox Usage

You can download HashPump here:

Or read more […]

Tags: , , , , , , ,

Posted in: Cryptography, Exploits/Vulnerabilities, Hacking Tools | Add a Comment