Latest Security News

Nmap 7 Released

Nmap 7.00 comes after more than three years of development, and it's the biggest release of the open-source network discovery and security auditing software appreciated by hundreds of thousands of system administrators and security professionals around the globe. The latest release includes a great number of new features and fixes numerous issues reported by users since Nmap 6.00.
"It is the product of three and a half years of work, nearly 3200 code commits, and more than a dozen point releases since the big Nmap 6 release in May 2012. Nmap turned 18 years old in September this year and celebrates its birthday with 171 new NSE scripts, expanded IPv6 support, world-class SSL/TLS analysis, and more user-requested features than ever," reads the announcement.
Highlights of Nmap 7.00 include excellent SSL (Secure Sockets Layer) and TLS (Transport Layer Security) analysis, the addition of over 170 new NSE (Nmap Scripting Engine) scripts, better support for the next-generation IPv6 network protocol, faster synchronous network scanning, Ncat enhancements, and support for the Windows 10 and Mac OS X 10.11 El Capitan operating systems.
Download Nmap 7.00 for GNU/Linux, Mac OS X, and Microsoft Windows operating systems right now from Softpedia. New to network security? Don't hesitate to check out the project's official website for tutorials and other information regarding the Nmap software.

Wireshark 2.0 released

After being in development for a few months, Wireshark 2.0, the world's most popular open-source network protocol analyzer software, has been released today for all supported operating systems, including GNU/Linux, Mac OS X, and Microsoft Windows.
Prominent features of Wireshark 2.0 include a revamped graphical user interface (GUI) that has been rewritten in Qt 5 and designed from the ground up to provide users with a smoother and much faster network protocol analyzing experience. The new user interface also offers a faster workflow for multiple operations.
"The Windows installer provides the option of installing either the new interface ('Wireshark') or the old interface ('Wireshark Legacy'). Both are installed by default. Note that the legacy interface will be removed in Wireshark 2.2. The OS X installer only provides the new interface. If you need the old interface you can install it via Homebrew or MacPorts," reads the announcement.
Among other new features implemented in Wireshark 2.0, we can mention the addition of multiple dialogs, such as MTP3 statistics and summary, WAP-WSP statistics, UDP multicast statistics, WLAN statistics, display filter macros, as well as capture file properties. There are also numerous bugfixes and improvements in Wireshark 2.0.

Still the world's most popular network protocol analyzer

Wireshark 2.0 is a massive release with hundreds of changes, so it is recommended that you read the official release notes if you're interested in every little thing that has been implemented in the application, which remains the world's most popular network protocol analyzer.

Defcon 22 (2015) YouTube Video Channel

Windows images for sandbox or other use

Use this quick link to get a Windows ISO file for your sandbox or virtual machine installation.


Exploit kit roundup - early June 2015

Taken from the SANS Internet Storm Center:

Introduction
Security Operation Center (SOC) analysts investigate alerts on suspicious network activity.  However, these analysts might not run across exploit kit (EK) traffic that often.  An organization's web gateway can stop a great deal of bad traffic before you see a full infection chain.  Investigating other types of suspicious activity will likely take up the majority of an analyst's workday.
Some of us are lucky enough to review EK traffic on a routine basis.  With that in mind, I want to share examples of the most common exploit kits I've noticed so far this year.
In order, the EK traffic I've seen most often in 2015 has been:
  • Angler
  • Fiesta
  • Nuclear
  • Neutrino
  • Magnitude
  • Rig
This isn't a comprehensive list.  Other exploit kits are out there, but these are the most common that I've seen this year.  I don't have any hard numbers, and the last four (Nuclear, Neutrino, Magnitude, and Rig) are more of an educated guess for the ranking.  The EK scene can evolve fairly quickly.  The list will likely change within a few months, and my observations are only one person's view.
Angler EK
Angler is the most common exploit kit I run across.  It's also the most advanced.  Angler changes URL patterns frequently, and these changes have recently happened on a near-daily basis.  Angler started using "fileless" infection techniques in 2014 [1], and it now sends its payload in a fairly sophisticated encrypted manner (meaning it doesn't use a straight-forward ASCII string to XOR the payload when it's sent over HTTP).  In recent months, I've had a hard time obtaining the payload from Angler EK.  In the example for this diary, I wasn't able to obtain or decrypt the payload.
Previously, I've seen Angler sending some form of ransomware like the TeslaCrypt/Alpha Crypt variants [2] or CryptoWall 3.0 [3].  In the past few days, I've mainly seen Bedep and related payloads sent by Angler.
  • An example of Angler EK traffic on 2015-06-03: click here for the pcap file.

Shown above: Angler EK traffic and post-infection activity on Wednesday 2015-06-03.
Fiesta EK
Fiesta is probably the next-most common exploit kit I've run across, most of it related to the BizCN actor that I described in a previous diary [4].  Other actors certainly use this exploit kit.  Like Angler EK, Fiesta also uses a more sophisticated type of encryption when sending the malware payload.  Fortunately, I can usually grab a copy of the payload from an infected host in my lab or decrypt the payload when necessary.
  • Example 1 of Fiesta EK traffic on 2015-06-03: click here for the pcap file.
  • Example 2 of Fiesta EK traffic on 2015-06-03: click here for the pcap file.

Shown above: Fiesta EK traffic on Wednesday 2015-06-03.
Magnitude EK
Magnitude EK often sends several payloads, sometimes 6 or more.  It's a very noisy exploit kit.  I'll often see CryptoWall 3.0 as one of the payloads.  In the example for this diary, Magnitude only sent one payload, and that was CryptoWall 3.0.  I've usually seen Magnitude EK send the malware payloads unencrypted, at least when using IE 8 as a web browser in the vulnerable host.  I don't see Magnitude now as much as I did last year.
  • An example of Magnitude EK traffic on 2015-06-03: click here for the pcap file.

Shown above: Magnitude EK traffic and post-infection activity on Wednesday 2015-06-03.
Neutrino EK
In 2014, this exploit kit disappeared for about six months then came back in a much different form [5].  Traffic patterns have remained relatively unchanged since it reappeared in late 2014.  Neutrino EK uses a more sophisticated style of encryption when sending the malware payload (not merely a straight-forward XOR using an ASCII string).
Neutrino's current URL patterns remind people of Sweet Orange EK; however, Sweet Orange seems to have disappeared from the scene back in February of 2015.  I haven't found any Sweet Orange after February, but I've seen plenty of Neutrino since then.  If you see recent traffic you think is Sweet Orange, double check it.  It's probably Neutrino EK.
Neutrino has been relatively consistent over the past few months.  I haven't seen a lot of it, but it's never gone away.
  • An example of Neutrino EK traffic on 2015-06-03: click here for the pcap file.

Shown above: Neutrino EK traffic on Wednesday 2015-06-03.
Nuclear EK
Last year, this exploit kit seemed much more common than it is today.  Operation Windigo still uses Nuclear EK [6], but in recent weeks, I've rarely seen Nuclear outside of that.  Nuclear EK obfuscates its payload by XOR-ing it with an ASCII string.
  • An example of Nuclear EK traffic on 2015-06-03: click here for the pcap file.

Shown above: Nuclear EK traffic and post-infection activity associated with Operation Windigo on Wednesday 2015-06-03.
Rig EK
When Rig first appeared in 2014, it looked remarkably similar to Infinity EK [7] (which was first identified as Goon EK).  Rig EK apparently borrowed a great deal from Infinity.  While I haven't seen Infinity this year, I've definitely run across Rig every once in a while.
In April 2015, Rig EK changed the encryption it uses for sending the malware payload.  Now, it uses the same method as Nuclear EK, obfuscating its payload by XOR-ing it with an ASCII string [8].
  • An example of Rig EK traffic on 2015-06-03: click here for the pcap file.

Shown above: Rig EK traffic on Wednesday 2015-06-03.
Final words
As mentioned earlier, this is merely one person's view into the current state of exploit kits.  It's not comprehensive, and there are other exploit kits I don't have visibility on.  Here's a list of pcap files from the previous paragraphs:
I've also collected the exploits and malware payloads where I could.  A zip file with this collection is available at:
The zip file is password-protected with the standard password.  If you don't know it, email admin@malware-traffic-analysis.net and ask.
---
Brad Duncan
ISC Handler and Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic
References:
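The diary notes that Nuclear and Rig obfuscate their payload by XOR-ing it with an ASCII string. As an added example (not code from the diary or from ISC), the script below shows how an analyst can recover such a key from a blob carved out of a pcap: nearly every Windows executable starts with "MZ" and carries the DOS-stub text "This program cannot be run in DOS mode." at offset 0x4E, and that known plaintext leaks the key. The sample image, the key "s3cret" and the stub offset are constructed assumptions of this example.

```python
from typing import Optional

# Known plaintext present in nearly every Windows executable: the DOS-stub
# message that follows the 14-byte stub code starting at offset 0x40.
DOS_STUB_TEXT = b"This program cannot be run in DOS mode."
DOS_STUB_OFFSET = 0x4E
MAX_KEY_LEN = len(DOS_STUB_TEXT)  # 39 consecutive known bytes fix any key up to 39 long

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def _looks_like_pe(plain: bytes) -> bool:
    """Check the MZ signature and the PE signature at e_lfanew (offset 0x3C)."""
    if plain[:2] != b"MZ" or len(plain) < 0x40:
        return False
    e_lfanew = int.from_bytes(plain[0x3C:0x40], "little")
    return plain[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def recover_key(blob: bytes) -> Optional[bytes]:
    """Return the shortest printable-ASCII repeating key that maps the bytes at
    DOS_STUB_OFFSET onto DOS_STUB_TEXT and turns the blob into a PE image."""
    if len(blob) < DOS_STUB_OFFSET + len(DOS_STUB_TEXT):
        return None
    for key_len in range(1, MAX_KEY_LEN + 1):
        key = [None] * key_len
        for i, p in enumerate(DOS_STUB_TEXT):
            pos = DOS_STUB_OFFSET + i
            k = blob[pos] ^ p
            if key[pos % key_len] is None:
                key[pos % key_len] = k
            elif key[pos % key_len] != k:   # contradiction: wrong key length
                break
        else:
            candidate = bytes(key)
            if all(0x20 <= c <= 0x7E for c in candidate) and _looks_like_pe(xor_bytes(blob, candidate)):
                return candidate
    return None

def decode_payload(blob: bytes) -> Optional[bytes]:
    """Decode a captured XOR-obfuscated payload, or None if no key is found."""
    key = recover_key(blob)
    return xor_bytes(blob, key) if key else None

def build_sample_pe() -> bytes:
    """Constructed stand-in for a tiny PE image (header fields only, not runnable)."""
    img = bytearray(0x100)
    img[0:2] = b"MZ"
    img[0x3C:0x40] = (0x80).to_bytes(4, "little")                    # e_lfanew -> PE header
    img[0x40:0x4E] = bytes.fromhex("0e1fba0e00b409cd21b8014ccd21")   # classic stub code
    img[0x4E:0x4E + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    img[0x80:0x84] = b"PE\x00\x00"
    return bytes(img)

if __name__ == "__main__":
    captured = xor_bytes(build_sample_pe(), b"s3cret")  # stands in for a pcap-extracted blob
    print("recovered key:", recover_key(captured))
```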

Nmap 6.49BETA1 released



Fyodor has announced the release of Nmap 6.49BETA1. This version includes hundreds of improvements, including:

  •  Integrated all of the latest OS detection and version/service detection submissions (including IPv6)
  •  Infrastructure improvements: an official bug tracker
  •  Added options --data and --data-string to send custom payloads in scan packet data.
  •  25 new NSE scripts (total is now 494):
      o   bacnet-info gets device information from SCADA/ICS devices via BACnet (Building Automation and Control Networks)
      o   docker-version detects and fingerprints Docker
      o   enip-info gets device information from SCADA/ICS devices via EtherNet/IP
      o   fcrdns performs a Forward-confirmed Reverse DNS lookup and reports anomalous results
      o   http-avaya-ipoffice-users enumerates users in Avaya IP Office 7.x systems.
      o   http-cisco-anyconnect gets version and tunnel information from Cisco SSL VPNs
      o   http-crossdomainxml detects overly permissive crossdomain policies and finds trusted domain names available for purchase
      o   http-shellshock detects web applications vulnerable to Shellshock (CVE-2014-6271).
      o   http-vuln-cve2006-3392 exploits a file disclosure vulnerability in Webmin.
      o   http-vuln-cve2014-2126, http-vuln-cve2014-2127, http-vuln-cve2014-2128 and http-vuln-cve2014-2129 detect specific vulnerabilities in Cisco AnyConnect SSL VPNs
      o   http-vuln-cve2015-1427 detects Elasticsearch servers vulnerable to remote code execution.
      o   http-vuln-cve2015-1635 detects Microsoft Windows systems vulnerable to MS15-034
      o   http-vuln-misfortune-cookie detects the "Misfortune Cookie" vulnerability in Allegro RomPager 4.07, commonly used in SOHO routers for TR-069 access.
      o   http-wordpress-plugins was renamed http-wordpress-enum and extended to enumerate both plugins and themes of Wordpress installations and their versions. http-wordpress-enum is now http-wordpress-users.
      o   mikrotik-routeros-brute performs password auditing attacks against Mikrotik's RouterOS API.
      o   omron-info gets device information from Omron PLCs via the FINS service.
      o   s7-info gets device information from Siemens PLCs via the S7 service, tunneled over ISO-TSAP on TCP port 102.
      o   snmp-info gets the enterprise number and other information from the snmpEngineID in an SNMPv3 response packet.
      o   ssl-ccs-injection detects whether a server is vulnerable to the SSL/TLS CCS Injection vulnerability (CVE-2014-0224)
      o   ssl-poodle detects the POODLE bug in SSLv3 (CVE-2014-3566)
      o   supermicro-ipmi-conf exploits Supermicro IPMI/BMC controllers.
      o   targets-ipv6-map4to6 generates target IPv6 addresses which correspond to IPv4 addresses mapped within a particular IPv6 subnet.
      o   targets-ipv6-wordlist generates target IPv6 addresses from a wordlist made of hexadecimal characters

Microsoft Plans to Add Secure Shell (SSH) to Windows

Until now, Unix and Linux system administrators have had to install third-party SSH client software such as PuTTY on their Windows machines to manage their servers remotely over the Secure Shell (SSH) protocol.

This has always been an awkward gap in the Windows platform, which lacks both a native SSH client for connecting to Linux machines and an SSH server to accept inbound connections from them. But…

Believe it or not:

You no longer need to deal with a third-party SSH client, as Microsoft is working on supporting OpenSSH.
Source: http://thehackernews.com/2015/06/windows-secure-shell.html

Yes, Microsoft has finally decided to bring the OpenSSH client and server to Windows.

The PowerShell team at Microsoft has announced that the company will support and contribute to the OpenSSH community in an effort to deliver better SSH support in PowerShell and the Windows SSH software stack.

So the upcoming version of Windows PowerShell, the command-line shell and scripting language, will let users manage Windows and Linux computers over SSH.

For those who are unaware, SSH is designed to secure remote access to another computer: it encrypts the remote session and provides strong authentication, along with features such as secure file transfer and network port forwarding.

This is not the first time Microsoft has planned to adopt SSH for Windows; the company has tried twice before to bring the Secure Shell protocol to Windows but was unable to implement it.

However, developers eager to use this new functionality in PowerShell will still have to wait, as the project is in the early planning phase. So far there is no definite release date.

The PowerShell team says it will share more information shortly on when users can expect SSH support.

Ransomware Response Kit


A security researcher has made a ransomware removal kit available online with the hope that it will help security professionals and system administrators alike in responding to instances of ransomware infection.
Researcher Jada Cyrus has published the kit on Atlassian Bitbucket. The kit itself consists of removal tools for common ransomware variants, as well as guides on how to perform the necessary removal tasks.

Download it here.


Critical SSL Vulnerability Leaves 25,000 iOS Apps Vulnerable


A critical vulnerability in AFNetworking could allow an attacker to cripple the HTTPS protection of 25,000 iOS apps available in Apple's App Store via man-in-the-middle (MITM) attacks.
AFNetworking is a popular open-source code library that lets developers drop networking capabilities into their iOS and OS X products. But it fails to check the domain name for which the SSL certificate has been issued.
Any Apple iOS application that uses an AFNetworking version prior to the latest, 2.5.3, may be vulnerable to the flaw, which could allow attackers to steal or tamper with data even when the app is protected by the SSL (Secure Sockets Layer) protocol.

SourceDNA, a code-scanning start-up, offers an online tool for checking whether an app is affected.

MS15-034 - Vulnerability in HTTP.sys Could Allow Remote Code Execution Nmap script check

http://seclists.org/nmap-dev/2015/q2/37



Save the text below as a .nse file in Nmap's scripts folder; usage examples are included in the script header.

local shortport = require "shortport"
local http = require "http"
local stdnse = require "stdnse"
local string = require "string"
local vulns = require "vulns"

description = [[
Checks for a remote code execution vulnerability (MS15-034) in Microsoft Windows systems (CVE-2015-1635).

The script sends a specially crafted HTTP request with no impact on the system to detect this vulnerability. 
The affected versions are Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, 
and Windows Server 2012 R2.

References:
* https://technet.microsoft.com/library/security/MS15-034
]]

---
-- @usage nmap -sV --script vuln <target>
-- @usage nmap -p80 --script http-vuln-cve2015-1635.nse <target>
-- @usage nmap -sV --script http-vuln-cve2015-1635 --script-args uri='/anotheruri/' <target>
-- @output
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-vuln-cve2015-1635: 
-- |   VULNERABLE:
-- |   Remote Code Execution in HTTP.sys (MS15-034)
-- |     State: VULNERABLE (Exploitable)
-- |     IDs:  CVE:CVE-2015-1635
-- |       A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is 
-- |       caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who 
-- |       successfully exploited this vulnerability could execute arbitrary code in the context of the System account.
-- |           
-- |     Disclosure date: 2015-04-14
-- |     References:
-- |       https://technet.microsoft.com/en-us/library/security/ms15-034.aspx
-- |_      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1635
-- @args http-vuln-cve2015-1635.uri URI to use in request. Default: /
---

author = {"Kl0nEz", "Paulino <calderon()websec.mx>"}
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"vuln", "safe"}

portrule = shortport.http

action = function(host, port)
  local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or "/"
  local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
  local vuln = {
    title = 'Remote Code Execution in HTTP.sys (MS15-034)',
    state = vulns.STATE.NOT_VULN, 
    description = [[
A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is 
caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who 
successfully exploited this vulnerability could execute arbitrary code in the context of the System account.
    ]],
    IDS = {CVE = 'CVE-2015-1635'},
    references = {
      'https://technet.microsoft.com/en-us/library/security/ms15-034.aspx'
    },
    dates = {
      disclosure = {year = '2015', month = '04', day = '14'},
    }
  }
  -- Probe: a random Host header plus a Range whose upper bound is UINT64_MAX
  -- (18446744073709551615). A vulnerable HTTP.sys answers 416 with the
  -- "Requested Range Not Satisfiable" title instead of rejecting the header.
  local options = {header={}}
  options['header']['Host'] = stdnse.generate_random_string(8)
  options['header']['Range'] = "bytes=0-18446744073709551615"

  local response = http.get(host, port, uri, options)
  if response.body then
    local title = string.match(response.body, "<[Tt][Ii][Tt][Ll][Ee][^>]*>([^<]*)</[Tt][Ii][Tt][Ll][Ee]>")

    if title == "Requested Range Not Satisfiable" then
      vuln.state = vulns.STATE.EXPLOIT
    end
  end
  return vuln_report:make_output(vuln)
end
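A SOC-side complement to the script above, added here as an example (it is not part of the NSE script or the seclists post): it parses the Range header the probe relies on and flags requests carrying it in web-server logs, together with the status the server answered. The log line format, the sample lines and the UINT64_MAX threshold are assumptions of this example, not a vendor signature.

```python
import re
from typing import List, Optional, Tuple

# The probe in the script above asks for bytes 0-18446744073709551615: a
# last-byte position of UINT64_MAX, which a vulnerable HTTP.sys mishandles.
UINT64_MAX = (1 << 64) - 1

# Constructed log lines (assumed format: Apache-style fields with the Range
# request header appended in quotes); not taken from a real server.
LOG_LINES = [
    '203.0.113.5 - - [15/Apr/2015:10:01:02 +0000] "GET / HTTP/1.1" 200 1270 "-"',
    '203.0.113.5 - - [15/Apr/2015:10:01:03 +0000] "GET /iisstart.htm HTTP/1.1" 416 0 "bytes=0-18446744073709551615"',
    '198.51.100.7 - - [15/Apr/2015:10:02:10 +0000] "GET /video.mp4 HTTP/1.1" 206 65536 "bytes=0-65535"',
    '203.0.113.5 - - [15/Apr/2015:10:03:04 +0000] "GET /iisstart.htm HTTP/1.1" 400 0 "bytes=18-18446744073709551615"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<range>[^"]*)"$'
)

def parse_range(header: str) -> List[Tuple[Optional[int], Optional[int]]]:
    """Split a Range header into (first, last) byte positions; absent bounds are None."""
    m = re.fullmatch(r"\s*bytes\s*=\s*(.+?)\s*", header, re.IGNORECASE)
    if not m:
        return []
    specs = []
    for part in m.group(1).split(","):
        first, sep, last = part.strip().partition("-")
        if not sep:
            continue
        specs.append((int(first) if first.strip().isdigit() else None,
                      int(last) if last.strip().isdigit() else None))
    return specs

def is_ms15_034_probe(header: str) -> bool:
    """Heuristic (this example's assumption, not a vendor signature): a last-byte
    position of UINT64_MAX or more overflows 64-bit arithmetic and is never
    requested by a legitimate client."""
    return any(last is not None and last >= UINT64_MAX for _, last in parse_range(header))

def scan_log(lines) -> List[Tuple[str, str, int]]:
    """Return (client, path, status) for each request carrying the probe pattern.
    The status tells the responder how the server answered; the script above
    keys on the 416 "Requested Range Not Satisfiable" page."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_ms15_034_probe(m["range"]):
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits

if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print("MS15-034 probe from %s against %s (server answered %d)" % hit)
```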

More security links and tools

Some "nice to add" tools for incident investigation:

  1. Malwr - free online sandbox check - https://malwr.com/analysis/
  2. Free online URL malware scan for websites - https://urlquery.net/index.php
  3. OST file reader for extracting Outlook OST files without a username or password, for mailbox investigation - http://www.freeviewer.org/ost/