Archive | 2014

Sony Digital Certs Being Used To Sign Malware

Keep on Guard!


So at the end of November, Sony got owned, owned REAL bad – we wrote about it here: Sony Pictures Hacked – Employee Details & Movies Leaked. It seems in as a part of the massive haul of documents, the digital certificates used to sign software were also stolen.

Which is bad, as you can imagine. Not SSL certs, but software crypto-certs that verify the executable comes from a trustworthy source (in this case Sony).

Sony Digital Certs Being Used To Sign Malware

It’s something of a malware-ception too, as the software that is thought to have been used in the Sony Pictures compromise is the very software being signed with the Sony cert to boost it’s effectiveness.

Miscreants were quick to capitalize on the theft of Sony’s cryptographic certificates – used to sign software to make it look legit.

An analysis of malware dubbed Destover was published by Kaspersky Lab on Tuesday, and shows the code was signed using a private certificate belonging to Sony to evade malware filters.

These certificate were apparently taken from Sony Pictures servers, which were comprehensively ransacked by hackers at the end of November, and leaked online.

It’s believed the infiltrators used a version of Destover to attack Sony’s network. And it appears the stolen digital certs were used to sign another build of Destover on Friday, which then ended up in the wild over the weekend.

When Windows examines an executable, it looks to see if the program has been signed by a recognized, trusted developer before running the code. As far as the operating system was concerned, the signed Destover was legit.


It’s a pretty nifty trick, but it wouldn’t work for long (the beauty of cert schemes) is that the issuer can also revoke the cert. Which apparently, in this case, happened pretty fast. So if you try and run the Sony signed malware on Windows now – it should reject it.

I’m not exactly sure the message Windows gives and if it’s any different between a revoked cert and and running something with no cert.

“The stolen Sony certificates (which were also leaked by the attackers) can be used to sign other malicious samples,” Kaspersky warned on Tuesday.

“In turn, these can be further used in other attacks. Because the Sony digital certificates are trusted by security solutions, this makes attacks more effective. We’ve seen attackers leverage trusted certificates in the past, as a means of bypassing whitelisting software and default-deny policies.”

Sounds pretty scary, right? But before anyone panics, it’s worth pointing out that malware writers can no longer use the code-signing keys.

The certificates were issued by DigiCert, a US biz that sells security certs. Kaspersky said it warned DigiCert about the issue, so El Reg checked with the crypto-company to find out what the situation was.

“This certificate is already revoked,” a spokeswoman for DigiCert told The Register on Tuesday, meaning Windows systems should reject the Destover build when its cryptographic signature is checked by the operating system.

“We received a report about the malware last week and immediately revoked the certificate,” she added.

I imagine they managed to get the malware deeper into a few places with the signed version, maybe only for a day or two – but a crack team of people with bad intentions could really capitalise on that.

There’s some good info about certs and certificate revokation here: DIGGING INTO CERTIFICATE REVOCATION LISTS

I honestly don’t think this will have caused a massive amount of damage, but it sure is interesting reading. We’ll have to see if any more news about this crops up.

Source: The Register

Posted in: Cryptography, Malware

Topic: Cryptography, Malware


Latest Posts:


Spaghetti Download - Web Application Security Scanner Spaghetti Download – Web Application Security Scanner
Spaghetti is an Open-source Web Application Security Scanner, it is designed to find various default and insecure files, configurations etc.
Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.
VHostScan - Virtual Host Scanner With Alias & Catch-All Detection VHostScan – Virtual Host Scanner With Alias & Catch-All Detection
VHostScan is a Python-based virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.
Equifax Hack Blamed On Single Employee Equifax Hack Blamed On Single Employee
We wrote about the Equifax Hack, Data Breach and Leak last month, which happened due to a flaw in Apache Struts that for some reason hadn't been patched.
LOIC Hivemind - Low Orbit Ion Cannon LOIC Download – Low Orbit Ion Cannon DDoS Booter
LOIC Download below - Low Orbit Ion Cannon is an Open Source Stress Testing and Denial of Service (DoS or DDoS) attack application written in C#.


InsomniaShell – ASP.NET Reverse Shell Or Bind Shell

Keep on Guard!


InsomniaShell is a tool for use during penetration tests, when you have ability to upload or create an arbitrary .aspx page. This .aspx page is an example of using native calls through pinvoke to provide either an ASP.NET reverse shell or a bind shell.

ASP.NET is an open source server-side Web application framework designed for Web development to produce dynamic Web pages. It was developed by Microsoft to allow programmers to build dynamic web sites, web applications and web services.

It was first released in January 2002 with version 1.0 of the .NET Framework, and is the successor to Microsoft’s Active Server Pages (ASP) technology. ASP.NET is built on the Common Language Runtime (CLR), allowing programmers to write ASP.NET code using any supported .NET language.

InsomniaShell - ASP Reverse Shell Or Bind Shell

A bind shell is basically binding the command prompt to a listening port on the compromised machine, a reverse shell is sending a command prompt to a listening port on the attackers machine (used when the hacked server doesn’t have a public IP).

InsomniaShell has the added advantage of searching through all accessible processes looking for a SYSTEM or Administrator token to use for impersonation.

If the provider page is running on a server with a local SQL Server instance, the shell includes functionality for a named pipe impersonation attack. This requires knowledge of the sa password, and results in the theft of the token that the SQL server is executing under.

You can download InsomniaShell here:

InsomniaShell.zip

Posted in: Exploits/Vulnerabilities, Hacking Tools, Web Hacking

Topic: Exploits/Vulnerabilities, Hacking Tools, Web Hacking


Latest Posts:


Spaghetti Download - Web Application Security Scanner Spaghetti Download – Web Application Security Scanner
Spaghetti is an Open-source Web Application Security Scanner, it is designed to find various default and insecure files, configurations etc.
Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.
VHostScan - Virtual Host Scanner With Alias & Catch-All Detection VHostScan – Virtual Host Scanner With Alias & Catch-All Detection
VHostScan is a Python-based virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.
Equifax Hack Blamed On Single Employee Equifax Hack Blamed On Single Employee
We wrote about the Equifax Hack, Data Breach and Leak last month, which happened due to a flaw in Apache Struts that for some reason hadn't been patched.
LOIC Hivemind - Low Orbit Ion Cannon LOIC Download – Low Orbit Ion Cannon DDoS Booter
LOIC Download below - Low Orbit Ion Cannon is an Open Source Stress Testing and Denial of Service (DoS or DDoS) attack application written in C#.


WhatWeb – Identify CMS, Blogging Platform, Stats Packages & More

Keep on Guard!


WhatWeb identifies websites. Its goal is to answer the question, “What is that Website?”. WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1500 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.

WhatWeb - Identify CMS, Blogging Platform, Stats Packages & More

WhatWeb can be stealthy and fast, or thorough but slow. WhatWeb supports an aggression level to control the trade off between speed and reliability. When you visit a website in your browser, the transaction includes many hints of what web technologies are powering that website. Sometimes a single webpage visit contains enough information to identify a website but when it does not, WhatWeb can interrogate the website further. The default level of aggression, called ‘stealthy’, is the fastest and requires only one HTTP request of a website. This is suitable for scanning public websites. More aggressive modes were developed for use in penetration tests.

Most WhatWeb plugins are thorough and recognise a range of cues from subtle to obvious. For example, most WordPress websites can be identified by the meta HTML tag, e.g. meta name="generator" content="WordPress 2.6.5", but a minority of WordPress websites remove this identifying tag but this does not thwart WhatWeb. The WordPress WhatWeb plugin has over 15 tests, which include checking the favicon, default installation files, login pages, and checking for “/wp-content/” within relative links.

We wrote about WhatWeb way back in 2010, and there actually hasn’t been a release since 2011 (v0.4.7). I was glad to find however it still is under active development and there is work being done on what is going to become 0.4.8 at some point, it has many changes (as listed below) but hasn’t yet been released.

But due to the wonders of technology, you can grab the unreleased development version from Github now (link also below).


Features

  • Over 1500 plugins
  • Control the trade off between speed/stealth and reliability
  • Performance tuning. Control how many websites to scan concurrently.
  • Multiple log formats: Brief (greppable), Verbose (human readable), XML, JSON, MagicTree, RubyObject, MongoDB.
  • Proxy support including TOR
  • Custom HTTP headers
  • Basic HTTP authentication
  • Control over webpage redirection
  • Nmap-style IP ranges
  • Fuzzy matching
  • Result certainty awareness
  • Custom plugins defined on the command line

Sample Output

Changes in 0.4.8-dev

  • Added over 700 new plugins
  • Added aggressive version detection using md5 static file matches to several plugins
  • Added support for raw HTTP headers when scanning local files
  • Added –dorks to return google dorks for the selected plugin
  • Added google dorks to more than 500 plugins
  • Added ./addons/hunter
  • Added ./addons/gggooglescan
  • Added ./addons/country-scanner
  • Added SQL logging with --log-sql and --log-sql-create arguments.
  • Added raw header support by monkey patching the net/http library
  • Added context searching for plugin matches[].
  • Added the matches keyword, :search.
  • Added methods for aggressive plugins to send HEAD and POST requests
  • Added –grep, -g option to be easier than –custom-plugin.

You can download the latest ‘stable’ dev version (if such a thing exists) here:

master.zip

Or read more here.

Posted in: Hacking Tools, Web Hacking

Topic: Hacking Tools, Web Hacking


Latest Posts:


Spaghetti Download - Web Application Security Scanner Spaghetti Download – Web Application Security Scanner
Spaghetti is an Open-source Web Application Security Scanner, it is designed to find various default and insecure files, configurations etc.
Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.
VHostScan - Virtual Host Scanner With Alias & Catch-All Detection VHostScan – Virtual Host Scanner With Alias & Catch-All Detection
VHostScan is a Python-based virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.
Equifax Hack Blamed On Single Employee Equifax Hack Blamed On Single Employee
We wrote about the Equifax Hack, Data Breach and Leak last month, which happened due to a flaw in Apache Struts that for some reason hadn't been patched.
LOIC Hivemind - Low Orbit Ion Cannon LOIC Download – Low Orbit Ion Cannon DDoS Booter
LOIC Download below - Low Orbit Ion Cannon is an Open Source Stress Testing and Denial of Service (DoS or DDoS) attack application written in C#.


Sony Pictures Hacked – Employee Details & Movies Leaked

Keep on Guard!


Sony hasn’t always had the best of times when it comes to being hacked, back in 2011 Sony basically had to rebuild the PlayStation Network (PSN) because of a hack which rendered the service off-line for almost a whole week.

Plus the fact the PSN hack could have leaked up to 10 million user accounts which included credit card details. And again in 2011 they lost 25 Million Customer Account Details Through SOE (Sony Online Entertainment).

Sony Pictures Hacked - Employee Details Leaked

The hack was so bad, it basically shut down Sony Pictures – the above picture is a photo of a desktop in the Sony Pictures office and apparently all computers were showing this. Similar images came from various sources in different offices showing that this is indeed a seriously pervasive attack.

If you downloaded the archive from the URLs in the pictures, it contains text files which are basically HUGE lists of filenames, files that have leaked from Sony servers. And there’s some serious stuff in there including Hollywood stars passport scans, ppk files (SSH private keys), password lists and much much more.

There’s some discussion on the contents and analyse on Reddit here: I used to work for Sony Pictures.

The password lists/SSH keys also led to the compromise of many more related services and accounts (many film related Twitter accounts were hacked).

Sony Pictures is investigating a breach that has seen hackers supposedly steal reams of internal data and splash defacements across staff computers. The company is now in lock-down as it wrestles with the problem.

The beleaguered company, writes Variety, has requested staff disconnect their computers and personal devices from the Sony network and shut down virtual private networks.

Cracking group Guardians of Peace claimed responsibility for a defacement appearing on staff machines that it stole internal corporate data. The group says it will leak more details to the public web depending on what Sony ‘decided’ in what appeared to be a reference to demands quietly sent to the company earlier.

Source: The Register

Sony Pictures e-mail servers were still totally off-line the day after the attack and they made a statement saying it could take between 1-3 weeks to rectify the matter.

It seems like the attackers are really leaking the files they stole too as details of Sony employees were leaked including personal details and salaries.

It’s getting worse for Sony: the latest dump from the raid that’s brought the company to an IT standstill include the personal detas of staff.

Documents leaked through BitTorrent show the names, home addresses, salaries (and bonuses), and social security numbers of thousands of staff, including executives.

Sony Pictures Entertainment could not be reached for comment by the time of writing.

Some 17 executives, from programming to advertising, were listed as having salaries over US$1 million. Severance pays also appeared to be listed.

Source: The Register

It’s 8 days since the attack and Sony Pictures is still struggling to recover, it also seems like some unreleased movies might (including Annie) have been leaked during the compromise.


Sony, the studio behind “The Amazing Spider-Man” films and the “Breaking Bad” television series, restarted many of its computer systems on Monday after a Nov. 24 breach by a group calling itself #GOP, for Guardians of Peace. Executives at the entertainment company said they were also making progress in fighting the apparently related Internet pirating of five complete films, including the unreleased “Annie.”

Source: New York Times

The virus was pretty nasty and wiped all the machines + removed the master boot record rendering most of Sony’s Microsoft based desktops useless. There are some suspicions North Korea could be involved due to the malware used.

Back in August Sony was under attack by a massive DDoS attack aimed at PSN, and then just as they recovered – this.

The latest details to pop-up are that the leaked data dump is being seeded by a bunch of Amazon EC2 servers that host Sony PlayStation websites..which is odd, as the Sony Pictures network and the Sony PlayStation network should be totally separate.

Sony PlayStation website servers were used to distribute a 27.78GB archive potentially containing sensitive data swiped from Sony Pictures computers, it’s claimed.

Until early on Tuesday afternoon, San Francisco time, more than 60 systems seeding the archive on the BitTorrent network appeared to be virtual servers in the Amazon EC2 cloud, according to security researcher Dan Tentler.

A number of those fingered server instances – eg, 54.77.62.39 – are also serving websites for Sony Computer Entertainment. The EC2 instances serving up the data were checked by another researcher, who found some had SSL certificates signed by Sony.

Source: The Register

This is quite possibly the worst hack of a major US company ever perpetrated, especially in terms of business disruption and data loss – the financial implications of this could be HUGE. Especially for their biggest Christmas movie Annie.

I’m sure we’re going to see more data dumps dropping in the next week or so, it’s certainly an interesting case and it’s definitely not over yet.

Posted in: Exploits/Vulnerabilities, Privacy

Topic: Exploits/Vulnerabilities, Privacy


Latest Posts:


Spaghetti Download - Web Application Security Scanner Spaghetti Download – Web Application Security Scanner
Spaghetti is an Open-source Web Application Security Scanner, it is designed to find various default and insecure files, configurations etc.
Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.
VHostScan - Virtual Host Scanner With Alias & Catch-All Detection VHostScan – Virtual Host Scanner With Alias & Catch-All Detection
VHostScan is a Python-based virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.
Equifax Hack Blamed On Single Employee Equifax Hack Blamed On Single Employee
We wrote about the Equifax Hack, Data Breach and Leak last month, which happened due to a flaw in Apache Struts that for some reason hadn't been patched.
LOIC Hivemind - Low Orbit Ion Cannon LOIC Download – Low Orbit Ion Cannon DDoS Booter
LOIC Download below - Low Orbit Ion Cannon is an Open Source Stress Testing and Denial of Service (DoS or DDoS) attack application written in C#.


Gruyere – Learn Web Application Exploits & Defenses

Outsmart Malicious Hackers


This codelab is built around Gruyere – a small, cheesy web application that allows its users to publish snippets of text and store assorted files. “Unfortunately,” Gruyere has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution. The goal of this codelab is to guide you through discovering some of these bugs and learning ways to fix them both in Gruyere and in general, it’s a great way to learn web application exploits & defenses.

Gruyere - Learn Web Application Exploits & Defenses

The codelab is organized by types of vulnerabilities. In each section, you’ll find a brief description of a vulnerability and a task to find an instance of that vulnerability in Gruyere. Your job is to play the role of a malicious hacker and find and exploit the security bugs. In this codelab, you’ll use both black-box hacking and white-box hacking. In black box hacking, you try to find security bugs by experimenting with the application and manipulating input fields and URL parameters, trying to cause application errors, and looking at the HTTP requests and responses to guess server behavior. You do not have access to the source code, although understanding how to view source and being able to view http headers (as you can in Chrome or LiveHTTPHeaders for Firefox) is valuable.

Using a web proxy like Burp or WebScarab may be helpful in creating or modifying requests. In white-box hacking, you have access to the source code and can use automated or manual analysis to identify bugs. You can treat Gruyere as if it’s open source: you can read through the source code to try to find bugs.

Gruyere is written in Python, so some familiarity with Python can be helpful. However, the security vulnerabilities covered are not Python-specific and you can do most of the lab without even looking at the code. You can run a local instance of Gruyere to assist in your hacking: for example, you can create an administrator account on your local instance to learn how administrative features work and then apply that knowledge to the instance you want to hack. Security researchers use both hacking techniques, often in combination, in real life.

If you want to find more similar apps, you can do so here: Vulnerable Web Applications.

Exploits Available

There is a good variety of stuff to learn in Gruyere including:

  • Cross-Site Scripting (XSS)
  • Client-state Manipulation
  • Cross-Site Request Forgery (XSRF)
  • Cross Site Script Inclusion (XSSI)
  • Path Traversal
  • Denial of Service (DoS)
  • Code Execution
  • Configuration Vulnerabilities
  • AJAX Vulnerabilites

It doesn’t cover SQL Injection as it doesn’t use SQL.

Or you can download Gruyere here:

gruyere-code.zip

Or read more here.

Was previously known as Jarlsberg.

Posted in: Exploits/Vulnerabilities, Web Hacking

Topic: Exploits/Vulnerabilities, Web Hacking


Latest Posts:


Spaghetti Download - Web Application Security Scanner Spaghetti Download – Web Application Security Scanner
Spaghetti is an Open-source Web Application Security Scanner, it is designed to find various default and insecure files, configurations etc.
Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.
VHostScan - Virtual Host Scanner With Alias & Catch-All Detection VHostScan – Virtual Host Scanner With Alias & Catch-All Detection
VHostScan is a Python-based virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.
Equifax Hack Blamed On Single Employee Equifax Hack Blamed On Single Employee
We wrote about the Equifax Hack, Data Breach and Leak last month, which happened due to a flaw in Apache Struts that for some reason hadn't been patched.
LOIC Hivemind - Low Orbit Ion Cannon LOIC Download – Low Orbit Ion Cannon DDoS Booter
LOIC Download below - Low Orbit Ion Cannon is an Open Source Stress Testing and Denial of Service (DoS or DDoS) attack application written in C#.


isowall – Completely Isolate A Device From The Local Network

Keep on Guard!


Isowall is a mini-firewall that allows you to completely isolate a device from the local network. This is for allowing infected machines Internet access, but without endangering the local network.

isowall - Completely Isolate A Device From The Local Network

Building

This project depends upon libpcap, and of course a C compiler.

On Debian, the following should work:

This will put the binary isowall in the local isowall/bin directory.

This should also work on Windows, Mac OS X, xBSD, and pretty much any operating system that supports libpcap.

Running

First, setup a machine with three network interfaces.

The first network interface (like eth0) will be configured as normal, with a TCP/IP stack, so that you can SSH to it.

The other two network interfaces should have no TCP/IP stack, no IP address, no anything. This is the most important configuration step, and the most common thing you’ll get wrong. For example, the DHCP software on the box may be configured to automatically send out DHCP requests on these additional interfaces. You have to go fix that so nothing is bound to these interfaces.

To run, simply type:

Configuration

The following shows a typical configuration file

You can download isowall here:

master.zip

Or read more here – the author can be found on Twitter here @erratarob.

Posted in: Countermeasures, Forensics

Topic: Countermeasures, Forensics


Latest Posts:


Spaghetti Download - Web Application Security Scanner Spaghetti Download – Web Application Security Scanner
Spaghetti is an Open-source Web Application Security Scanner, it is designed to find various default and insecure files, configurations etc.
Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.
VHostScan - Virtual Host Scanner With Alias & Catch-All Detection VHostScan – Virtual Host Scanner With Alias & Catch-All Detection
VHostScan is a Python-based virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.
Equifax Hack Blamed On Single Employee Equifax Hack Blamed On Single Employee
We wrote about the Equifax Hack, Data Breach and Leak last month, which happened due to a flaw in Apache Struts that for some reason hadn't been patched.
LOIC Hivemind - Low Orbit Ion Cannon LOIC Download – Low Orbit Ion Cannon DDoS Booter
LOIC Download below - Low Orbit Ion Cannon is an Open Source Stress Testing and Denial of Service (DoS or DDoS) attack application written in C#.