Archive | June, 2016

OpenIOC – Sharing Threat Intelligence

The New Acunetix V12 Engine


OpenIOC is an open framework for sharing threat intelligence, sophisticated threats require sophisticated indicators. In the current threat environment, rapid communication of pertinent threat information is the key to quickly detecting, responding and containing targeted attacks.

OpenIOC is designed to fill a void that currently exists for organizations that want to share threat information both internally and externally in a machine-digestible format. OpenIOC is an extensible XML schema that enables you to describe the technical characteristics that identify a known threat, an attacker’s methodology, or other evidence of compromise.

OpenIOC - Sharing Threat Intelligence

Why OpenIOC

  • Sophisticated Indicators – Traditional methods of identifying security breaches no longer work. Simple signatures are too easy for an intruder to circumvent. Organizations need to be able to communicate how to find attackers on their networks and hosts using a machine digestible format that removes human delay from intelligence sharing.
  • Advanced Threat Detection – By using the OpenIOC framework, you will have the most advanced threat detection capability available. By joining the OpenIOC community, your organization can benefit from the network effect of threat intelligence from organizations within your industry, as well as global Fortune 1000 companies.
  • Extendable & Customizable – By allowing for extensions and customization, OpenIOC offers your organization the option of using MANDIANT’s field tested Indicators of Compromise, as well as creating your own custom sets of indicators, and any combination thereof that you need to complete your mission.

The Framework Schema

  • It’s Really Simple – The base OpenIOC schema is a simple framework that is written in XML to document and categorize forensic artifacts of an intrusion that can be identified on a host or network. You can easily extend the base schema to include additional indicators from a variety of sources.
  • Mandiant Indicators – OpenIOC ships with a base set of indicators provided by MANDIANT. These indicators describe over 500 facets of environments that can be used to track down advanced attackers, which have been vetted through years of MANDIANT’s experience responding to some of the world’s largest and most sophisticated computer attacks.
  • Extendable – Every environment is different, and you may find custom needs that your environment, market sector, or industry has that are not included in the base set of IOC terms. You are free to create and add your own sets of indicators and extend OpenIOC as you see fit.

You can download the IOC Editor here:

sdl-ioc-editor.zip

Or read more here.

Posted in: Countermeasures, Security Software

Topic: Countermeasures, Security Software


Latest Posts:


Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.


Up1 – Client Side Encrypted Image Host

The New Acunetix V12 Engine


Up1 is a client side encrypted image host that that can also encrypt text, and other data, and then store them, with the server knowing nothing about the contents. It has the ability to view images, text with syntax highlighting, short videos, and arbitrary binaries as downloadables.

Up1 - Client Side Encrypted Image Host

How it Works

Before an image is uploaded, a “seed” is generated. This seed can be of any length (because really, the server will never be able to tell), but has a length of 25 characters by default. The seed is then run through SHA512, giving the AES key in bytes 0-256, the CCM IV in bytes 256-384, and the server’s file identifier in bytes 384-512. Using this output, the image data is then encrypted using said AES key and IV using SJCL’s AES-CCM methods, and sent to the server with an identifier. Within the encryption, there is also a prepended JSON object that contains metadata (currently just the filename and mime-type). The (decrypted) blob format starts with 2 bytes denoting the JSON character length, the JSON data itself, and then the file data at the end.

Image deletion functionality is also available. When an image is uploaded, a delete token is returned. Sending this delete token back to the server will delete the image. On the server side, HMAC-SHA256(static_delete_key, identifier) is used, where the key is a secret on the server.

Technologies

The browser-side is written in plain Javascript using SJCL for the AES-CCM encryption, with entropy obtained using the WebCrypto APIs and encryption performed within a Web Worker. The video and audio players just use the HTML5 players hopefully built into the browser. The paste viewer uses highlight.js for the syntax highlighting and line numbers.

The server-side is written in Node, although we also have a Go server which uses no dependencies outside of the standard library. The only cryptography it uses is for generating deletion keys, using HMAC and SHA256 in the built-in crypto/hmac and crypto/sha256 packages, respectively.

Client Utilities

  • ShareX, a popular screenshot and image uploader, now merged with Up1 support
  • upclient, a command-line tool for uploading to Up1 servers

You can download Up1 here:

Up1-v1.0.zip

Or read more here.

Posted in: Cryptography, Privacy

Topic: Cryptography, Privacy


Latest Posts:


Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.


Criminal Rings Hijacking Unused IPv4 Address Spaces

Use Netsparker


So apparently this Hijacking Unused IPv addresses has been going on for a while, but with quite a lot number of attempts recently it’s ramped up a LOT since the September announcement by ARIN about IPv4 depletion. There was only only 50 hijacking attempts between 2005 and 2015.

Criminal Rings Hijacking Unused IPv4 Address Spaces

Since September, ARIN has already seen 25 such attacks though – which is basically 5 years worth.

IPv4 addresses are now so valuable that criminals are setting up shell companies so they can apply for addresses, then resell them to users desperate to grow their networks.

Criminals are doing so because there are no more IPv4 addresses left: the American Registry for Internet Numbers (ARIN) ran out in September 2015.

ARIN maintains a waiting list for address buyers and also oversees a market for used IPv4 addresses. While it is conceivable that some users will hand back addresses they no longer require, the IPv4 transfer market is short of stock.

Hence criminals’ interest in ways to land themselves IP addresses, some of which were detailed this week by ARIN’s senior director of global registry knowledge, Leslie Nobile, at the North American Network Operators Group’s NANOG 67 conference.

Nobile explained that criminals look for dormant ARIN records and try to establish themselves as the rightful administrator. ARIN has 30,556 legacy network records, she said, but a validated point of contact for only 54 per cent of those networks. The remaining ~14,000 networks are ripe for targeting by hijackers who Nobile said are only interested in establishing legitimacy with ARIN so they can find a buyer for un-used IPv4 addresses possessed by dormant legacy networks.


So if you’re a company that owns a dormant IPv4 address space, give it back or sell it – because people need it! And secondly, it might get stolen anyway.

From the figures it seems there’s about 15,000 dormant network records without a validated point of contact.

Criminals do so by finding dormant ARIN records and Whois data to see if there is a valid contact, then ascertaining if IPv4 allocations are currently routed. If the assigned addresses are dark and no active administrator exists, hijackers can revive dormant domain names or even re-register the names of defunct companies in order to establish a position as legitimate administrators of an address space. If all goes well, the hijackers end up with addresses to sell.

This activity is not rampant, but is rising fast: Nobile said ARIN detected about 50 such hijacking attempts between 2005 and 2015. Since announcing IPv4 depletion in September 2015 the organisation has detected about 25.

Nobile said ARIN has also found “fraud rings … people who set up shell companies in order to hoard IPv4 address spaces.”

These fraudsters came into existence just before the depletion of the IPv4 address space. One entity created 30 shell companies with the sole intention of securing addresses for later re-sale.

“They were good,” Nobile admitted. “They got by us.”

ARIN’s tightened its checks of late to stop hijackers and fraudsters. Nobile suggested you do likewise by keeping Whois records up to date and responding to ARIN’s annual point of contact validation request.

Keep your WHOIS records up to date, especially contact details for your network blocks, even if they are in use – it will go a long way towards not getting jacked.

Same goes for domains.

Source: The Register

Posted in: Legal Issues, Networking Hacking

Topic: Legal Issues, Networking Hacking


Latest Posts:


Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.


shadow – Firefox Heap Exploitation Tool (jemalloc)

The New Acunetix V12 Engine


shadow is a new, extended (and renamed version) of a Firefox heap exploitation tool, which is quite a swiss army knife for Firefox/jemalloc heap exploitation.

shadow - Firefox Heap Exploitation Tool (jemalloc)

If you want to dive in really deep to this tool, and the technicalities behind it check this out – OR’LYEH? The Shadow over Firefox [PDF]

Support

shadow has been tested with the following:

  • Windows 8.1 x86-64
  • Windows 7 SP1 x86 and x86-64
  • WinDBG 6.3.9600.17200 x86 (since Firefox stable is x86-only currently)
  • pykd version 0.3.0.36
  • Many different Firefox releases, but extensively with: 31.7.0-esr, 35.0.1, 36.0.1, 38.0.5, 39.0, 40.0, 43.0. 44.0.

Usage

When you issue a jemalloc-specific command for the first time, shadow parses all jemalloc metadata it knows about and saves them to a Python pickle file. Subsequent commands use this pickle file instead of parsing the metadata from memory again in order to be faster.

When you know that the state of jemalloc metadata has changed (for example when you have made some allocations or have triggered a garbage collection), use the jeparse command to re-parse the
metadata and re-create the pickle file.

Symbol Support

The symbol command allows you to search for SpiderMonkey and DOM classes (and structures) of specific sizes. This is useful when you’re trying to exploit use-after-free bugs, or when you want to position interesting victim objects to overwrite/corrupt.

In the “auxiliary” directory you can find a small PDB parsing utility named symhex. Run it on “xul.pdb” to generate the Python pickle file that shadow expects in the “pdb” directory (as “pdb/xul-VERSION.pdb.pkl”). Before running symhex make sure you have registered “msdia90.dll”.

You can download shadow here:

shadow-master.zip

Or read more here.

Posted in: Exploits/Vulnerabilities, Hacking Tools, Secure Coding

Topic: Exploits/Vulnerabilities, Hacking Tools, Secure Coding


Latest Posts:


Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.


Cuckoo Sandbox – Automated Malware Analysis System

The New Acunetix V12 Engine


Cuckoo Sandbox is Open Source software for automating analysis of suspicious files. To do so it makes use of custom components that monitor the behaviour of the malicious processes while running in an isolated environment.

In other words, you can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.

Cuckoo Sandbox - Automated Malware Analysis System

Malware is the swiss-army knife of cybercriminals and any other adversary to your corporation or organization.

In these evolving times, detecting and removing malware artifacts is not enough: it’s vitally important to understand how they operate in order to understand the context, the motivations and the goals of a breach, for better protecting in the future.

Features

So what can it do? Cuckoo Sandbox is an advanced, extremely modular, and 100% open malware analysis system with infinite application opportunities.

By default it is able to:

  • Analyze many different malicious files (executables, document expoits, Java applets) as well as malicious websites, in Windows, OS X, Linux, and Android virtualized environments.
  • Trace API calls and general behavior of the file.
  • Dump and analyze network traffic, even when encrypted.
  • Perform advanced memory analysis of the infected virtualized system with integrated support for Volatility.

Even more interestingly, thanks to Cuckoo’s extensive modular design, you are able to customize both the processing and the reporting stages. Cuckoo provides you all the requirements to easily integrate the sandbox into your existing frameworks and storages with the data you want, in the way you want, with the format you want.

Use Cases

Use Cases
Cuckoo is designed to be used both as a standalone application as well as to be integrated in larger frameworks, thanks to its extremely modular design.

It can be used to analyze:

  • Generic Windows executables
  • DLL files
  • PDF documents
  • Microsoft Office documents
  • URLs and HTML files
  • PHP scripts
  • CPL files
  • Visual Basic (VB) scripts
  • ZIP files
  • Java JAR
  • Python files
  • Almost anything else

Thanks to its modularity and powerful scripting capabilities, there’s no limit to what you can achieve with Cuckoo.

You can download Cuckoo straight from Github:

Or read more here.

Posted in: Countermeasures, Forensics, Malware, Security Software

Topic: Countermeasures, Forensics, Malware, Security Software


Latest Posts:


Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.


Intel Hidden Management Engine – x86 Security Risk?

The New Acunetix V12 Engine


So it seems the latest generation of Intel x86 CPUs have implemented a Intel hidden management engine that cannot be audited or examined. We can also assume at some point it will be compromised and security researchers are labelling this as a Ring -3 level vulnerability.

Intel Hidden Management Engine – x86 Security Risk?

This isn’t a new issue though, people have been talking about this since last December and similar issues for a while with BMC (Baseboard Management Controller) and other out-of-band system management hardware add-ons.

There’s a question on Quora about it too, with no real answer – Should I be worried about security backdoors in Intel’s Management Engine and Active Management Technology features?

Recent Intel x86 processors implement a secret, powerful control mechanism that runs on a separate chip that no one is allowed to audit or examine. When these are eventually compromised, they’ll expose all affected systems to nearly unkillable, undetectable rootkit attacks. I’ve made it my mission to open up this system and make free, open replacements, before it’s too late.

The Intel Management Engine (ME) is a subsystem composed of a special 32-bit ARC microprocessor that’s physically located inside the chipset. It is an extra general purpose computer running a firmware blob that is sold as a management system for big enterprise deployments.

When you purchase your system with a mainboard and Intel x86 CPU, you are also buying this hardware add-on: an extra computer that controls the main CPU. This extra computer runs completely out-of-band with the main x86 CPU meaning that it can function totally independently even when your main CPU is in a low power state like S3 (suspend).

On some chipsets, the firmware running on the ME implements a system called Intel’s Active Management Technology (AMT). This is entirely transparent to the operating system, which means that this extra computer can do its job regardless of which operating system is installed and running on the main CPU.


The slightly worrying part is the Intel ME chip can access any memory location without the host Operating System knowing anything about it, and can also run a TCP/IP server on your network interface and bypass any firewall running.

So if it DID get compromised, it’d be the perfect conduit to steal information without being detected. Obviously on a corporate network with a centralised proxy, firewall or NAT device you’d have a better chance of catching the packets.

But it still seems extremely risky.

The purpose of AMT is to provide a way to manage computers remotely (this is similar to an older system called “Intelligent Platform Management Interface” or IPMI, but more powerful). To achieve this task, the ME is capable of accessing any memory region without the main x86 CPU knowing about the existence of these accesses. It also runs a TCP/IP server on your network interface and packets entering and leaving your machine on certain ports bypass any firewall running on your system.

While AMT can be a great value-add, it has several troubling disadvantages. ME is classified by security researchers as “Ring -3”. Rings of security can be defined as layers of security that affect particular parts of a system, with a smaller ring number corresponding to an area closer to the hardware. For example, Ring 3 threats are defined as security threats that manifest in “userspace” mode. Ring 0 threats occur in “kernel” level, Ring -1 threats occur in a “hypervisor” level, one level lower than the kernel, while Ring -2 threats occur in a special CPU mode called “SMM” mode. SMM stands for System-Management-Mode, a special mode that Intel CPUs can be put into that runs a separately defined chunk of code. If attackers can modify the SMM code and trigger the mode, they can get arbitrary execution of code on a CPU.

Although the ME firmware is cryptographically protected with RSA 2048, researchers have been able to exploit weaknesses in the ME firmware and take partial control of the ME on early models. This makes ME a huge security loophole, and it has been called a very powerful rootkit mechanism. Once a system is compromised by a rootkit, attackers can gain administration access and undetectably attack the computer.

So what we have here is basically a hardware based, Intel built, Ring -3 rootkit which we just have to hope and pray doesn’t get hacked.

And on newer systems, ME cannot be disabled.

As it operates completely out-of-band, the OS can’t even scan ME to see if it’s been compromised and can’t ‘heal’ a hacked ME chip.

Source: Boing Boing

Posted in: Exploits/Vulnerabilities, Hardware Hacking

Topic: Exploits/Vulnerabilities, Hardware Hacking


Latest Posts:


Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.