Course Review: Ethical Hacking from Scratch to Advanced Technique

Course Name:  Ethical Hacking from Scratch to Advanced Technique
Course Instructor: Mohamed Atef
Overall Verdict: Good For Beginners

Pros: Extra material to help learn the material

Cons:
Review: There are some items that I would disagree with the instructor on, but not too many, and they are opinion based only. The instructor speaks slowly and patiently works through the material, IMO. The added material for each section is a bonus, and while much of it was review, there were a couple of handouts that were pretty useful to me.

wget mirror

wget \
  --directory-prefix=/root/Desktop/ \
  --header="Accept: text/html" \
  --user-agent="Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6" \
  --domains <domain>.com \
  -e robots=off \
  --recursive \
  --no-clobber \
  --page-requisites \
  --html-extension \
  --convert-links \
  -R gif,jpg,png,css,pdf,mp3,wmv \
  http://<domain>.com

new in sunset series


sunset:dawn
https://www.vulnhub.com/entry/sunset_dawn,341/
Beginner level difficulty

Whole series here

series: WestWild


Medium:
https://www.vulnhub.com/entry/westwild_11,338/

Difficulty unknown, but maybe hard, judging by the description
https://www.vulnhub.com/entry/westwild_2,351/


The whole series so far, which came out while I was on vacation.
https://www.vulnhub.com/series/westwild,224/

New CTF images

Still catching up on things after taking a vacation with the family.

One of these things is the latest additions to vulnhub.
Quite a few of these to post today.
Let's get started.

Tr0ll: 3
https://www.vulnhub.com/entry/tr0ll_3,340/
beginner++ it says in the description

The whole series can be seen here now:
https://www.vulnhub.com/series/tr0ll,49/

failed installation

QxSearch hijacker fakes failed installs

Malwarebytes Labs
https://blog.malwarebytes.com/pups/2019/08/qxsearch-hijacker-fakes-failed-installs/

Course Review - Intensive Ethical Hacking Series

Course Name:  Intensive Ethical Hacking Series
Course Instructor: Zeal Vora
Overall Verdict: Stay Away

Pros:
Cons:
Review: It seems the goal of this course is to start you at the very beginning, and then take you through the process all the way to more advanced topics in penetration testing. To be honest, there is a lot of introductory IT stuff in this course. For example the discussion on DNS should not be in this course IMO. This is something you should already know, before you start learning about Ethical Hacking. (BTW, I would strongly debate the instructor on how many types of DNS records there are, and Question and Answer are not 2 of them.)

Very tool focused, like the CEH. No discussion of programming, scripting, social engineering, etc. For the whole section on protocols and networking, we only opened Wireshark in the last lesson. Just saying.


Some favorite quotes:

"Hacking is not just about attacking the server. It is a 2 way process. One is breaking into the server, and the other is coming out of the server safely." --> no mention of trying to get data out. My assumption was this is what the instructor meant, but a beginner will not know this.


"Ethical hacking is not just about the point-and-click and the tool will hack into the network. It is about you trying to understand what exactly the tool does from the bottom up." --> in reality this just makes you an advanced script kiddie, IMO. Nothing about learning the network and infrastructure around you. Nothing about how to find the data that "you" the Ethical Hacker want to see, or how to get it out of the organization.


a bit of humor

How a 'NULL' License Plate Landed One Hacker in Ticket Hell
https://www.wired.com/story/null-license-plate-landed-one-hacker-ticket-hell

Buffer Overflow Practice

https://github.com/stephenbradshaw/vulnserver/blob/master/readme.md

someone recently shared this with me, so I wanted to pass it along.

some links from the author:
http://www.thegreycorner.com/2010/01/beginning-stack-based-buffer-overflow.html

http://www.thegreycorner.com/2010/01/seh-stack-based-windows-buffer-overflow.html

http://www.thegreycorner.com/2010/01/windows-buffer-overflow-tutorial.html

http://www.thegreycorner.com/2010/01/heap-spray-exploit-tutorial-internet.html

http://www.thegreycorner.com/2010/02/windows-buffer-overflow-tutorial.html

http://www.thegreycorner.com/2010/03/difference-between-heap-overflow-and.html

and on and on......
I found at least 20 posts that it is worth spending some time with, so hats off to the author.


file under oops

Election Systems Are Even More Vulnerable Than We Thought

https://www.wired.com/story/security-news-election-systems-more-vulnerable

https://www.vice.com/en_us/article/3kxzk9/exclusive-critical-us-election-systems-have-been-left-exposed-online-despite-official-denials

“If they did everything correctly [with the ES&S systems] as they say they do, there is no danger,” Robert Graham, CEO of Errata Security, told Motherboard. “These are all secure technologies that if [configured] correctly work just fine. It’s just that we have no faith that they are done correctly. And the fact that [election officials are] saying they aren’t on the internet and yet they are on the internet shows us that we have every reason to distrust them.”

rising prices of business

https://www.bloomberg.com/news/articles/2019-08-07/cybersecurity-pros-name-their-price-as-hacker-attacks-multiply

In the 12 months ended August 2018, there were more than 300,000 unfilled cybersecurity jobs in the U.S., according to CyberSeek, a project supported by the National Initiative for Cybersecurity Education. Globally, the shortage is estimated to exceed 1 million in coming years, studies have shown.

Flying Vulnerabilities

A Boeing Code Leak Exposes Security Flaws Deep in a 787's Guts
https://www.wired.com/story/boeing-787-code-leak-security-flaws

The Boeing press release makes me think that they're hiding something, or that they weren't able to fully test the vulnerabilities found.

Lies and Damn Lies: Getting Past the Hype of Endpoint Security Solutions

Some good things in here for anyone to use in their own evaluation. 

I especially liked the business centrist view of the talk, as nothing gets done unless you can prove to the bean counters the benefits to the bottom line.


Mr. Wang trail deepens

More breadcrumbs..........

In summary, Zeng Xiaoyong, a well-known Chinese hacker using the handles ‘envymask’ and ‘EMM’ worked for RealSOI. RealSOI was closely associated with the MSS front companies identified in previous articles and Zeng knew Wang Qingwei, having worked as an InfoSec trainer with him. 
#youknowwherethisleads

APT trends report Q2 2019

https://securelist.com/apt-trends-report-q2-2019/91897/

In April, we published our report on TajMahal, a previously unknown APT framework that has been active for the last five years. This is a highly sophisticated spyware framework that includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents, and cryptography key stealers; and even its own file indexer for the victim’s computer. We discovered up to 80 malicious modules stored in its encrypted Virtual File System – one of the highest numbers of plugins we have ever seen in an APT toolset. The malware features its own indexer, emergency C2s, the ability to steal specific files from external drives when they become available again, and much more. There are two different packages, self-named ‘Tokyo’ and ‘Yokohama’ and the targeted computers we found include both packages. We think the attackers used Tokyo as the first stage infection, deploying the fully functional Yokohama package on interesting victims, and then leaving Tokyo in place for backup purposes. So far, our telemetry has revealed just a single victim, a diplomatic body from a country in Central Asia. This begs the question, why go to all that trouble for just one victim? We think there may be other victims that we haven’t found yet. This theory is supported by the fact that we couldn’t see how one of the files in the VFS was used by the malware, opening the door to the possibility of additional versions of the malware that have yet to be detected.

WMI Commands


  • Get-WmiObject -Class Win32_Product
    • Gets a listing of all the installed software on a machine.
  • Get-WmiObject -Class Win32_Account
    • Gets a listing of all the user accounts.
  • Get-WmiObject -Class Win32_BIOS
    • Many times used by malware to determine if the host is a virtual machine or not.
  • Set up a remote Windows command (the output path contains spaces, so it is quoted for cmd.exe):
    • $command = 'ipconfig /all >> "c:\users\all users\desktop\results.txt"'
    • $cmd = "cmd.exe /c $command"
    • Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList $cmd -ComputerName Desktopname
  • wmic /node:172.16.27.38 process call create "cmd.exe /c net user dude /add"
    • Uses WMIC to add a user on a remote machine.




Powershell Fun

  • Two ways to create a process through WMI, the older WMI cmdlet and the newer CIM cmdlet:
    • Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList cmd.exe
    • Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine="notepad.exe"}

 



One Attack Example

  1. From a PowerShell command prompt, the attacker launches WMIC with the intent of creating a process on the remote machine and adding a user to that remote machine.
    1. wmic /node:172.16.27.38 process call create "cmd.exe /c net user dude /add"
  2. On the remote machine wmiprvse.exe gets the call and runs the commands. To find this attack in Carbon Black, check out this search:
    1. process_name:cmd.exe AND parent_name:wmiprvse.exe AND childproc_name:net.exe AND cmdline:user
    2. Event IDs on the remote machine are:
      1. 4720; 4722; 4738; 4732
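For shops without Carbon Black, here is the same hunt written against Sysmon and the Security log. This is an added example and not part of the original post; it assumes Sysmon process-creation logging (Event ID 1) is on, that "Audit User Account Management" and "Audit Security Group Management" are enabled, and that it runs elevated on the host that received the WMI call.

```powershell
# Added example (not from the original post): hunt for the WMI user-add pattern above.
# Assumes Sysmon Event ID 1 logging and Security auditing for 4720/4722/4738/4732.
param([int]$LookbackHours = 24)

$since = (Get-Date).AddHours(-$LookbackHours)

# Step 1: Sysmon process creations whose parent is WmiPrvSE.exe. The remote
# "process call create" lands as WmiPrvSE.exe -> cmd.exe -> net.exe, and the
# full command line travels with the cmd.exe event.
$wmiSpawned = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $data = @{}
    foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    if ($data.ParentImage -match '\\WmiPrvSE\.exe$' -and $data.Image -match '\\cmd\.exe$') {
        [pscustomobject]@{ Time = $_.TimeCreated; CommandLine = $data.CommandLine }
    }
}

# Step 2: account-management events in the same window.
#   4720 user account created      4722 user account enabled
#   4738 user account changed      4732 member added to a security-enabled local group
$acctEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4720, 4722, 4738, 4732; StartTime = $since
} -ErrorAction SilentlyContinue

# Step 3: a WMI-spawned "net user <name> /add" followed within two minutes by a
# 4720 is the signal; anything else WmiPrvSE spawned is still listed for triage.
$wmiSpawned | ForEach-Object {
    $p = $_
    $window = $acctEvents | Where-Object {
        $_.TimeCreated -ge $p.Time -and $_.TimeCreated -le $p.Time.AddMinutes(2)
    }
    [pscustomobject]@{
        Time          = $p.Time
        CommandLine   = $p.CommandLine
        UserAddCmd    = [bool]($p.CommandLine -match 'net1?(\.exe)?\s+user\s+\S+\s+.*?/add')
        UserCreated   = [bool]($window | Where-Object Id -eq 4720)
        RelatedEvents = (($window | ForEach-Object Id | Sort-Object -Unique) -join ',')
    }
} | Sort-Object Time | Format-Table -AutoSize
```

A row with UserAddCmd and UserCreated both True is the attack as described; a row with only UserAddCmd True is worth checking for a failed attempt or missing audit policy.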
       

Some Articles from my Bookmarks

https://www.secureworks.com/blog/malware-lingers-with-bits

https://azeria-labs.com/advanced-persistent-threat/

https://digitalguardian.com/blog/seek-evil-and-ye-shall-find-guide-cyber-threat-hunting-operations

https://www.rsaconference.com/writable/presentations/file_upload/hta-w05-tracking_hackers_on_your_network_with_sysinternals_sysmon.pdf

http://security-research.dyndns.org/pub/slides/BotConf/2016/Botconf-2016_Tom-Ueltschi_Sysmon_notes.pdf

https://www.endgame.com/blog/technical-blog/detecting-spectre-and-meltdown-using-hardware-performance-counters

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
--> NOTE: this was a really good article!

http://techgenix.com/Dissecting-Pass-Hash-Attack/

Passive Reconnaissance

Some Manual Searching:

You can find some really good stuff sometimes at a site like Data.com.  It is worth it to spend some time here, and search around. Besides, accounts are free.

Tools to Consider:

Discover scripts by Lee Baird
Recon-NG

Online Searches

Shodan
Google
Bing
Have I been pwned
Hunter.io

Authenticated WMI Exec Via Powershell

https://packetstormsecurity.com/files/139762/Authenticated-WMI-Exec-Via-Powershell.html

This Metasploit module uses WMI execution to launch a payload instance on a remote machine. In order to avoid AV detection, all execution is performed in memory via psh-net encoded payload. Persistence option can be set to keep the payload looping while a handler is present to receive it. By default the module runs as the current process owner. The module can be configured with credentials for the remote host with which to launch the process.

3 new VMs to test with

https://www.vulnhub.com/entry/readme_1,336/

https://www.vulnhub.com/entry/jigsaw_2,337/

https://www.vulnhub.com/entry/sunset_1,339/


Exploit kits review

https://blog.malwarebytes.com/threat-analysis/2019/07/exploit-kits-summer-2019-review/

Threat actors continue to buy traffic from ad networks and use malvertising as their primary delivery method. Leveraging user profiling (their browser type and version, country of origin, etc.) from ad platforms, criminals are able to maintain decent load rates (successful infection per drive-by attempts).


fierce

Basic running of the program:
./fierce.pl -dns <domain>

Search all class C ranges found for PTR records that match the domain:
./fierce.pl -wide -dns <company>

Some reverse DNS lookups against a specific server and range:
./fierce.pl -dnsserver <target_dns> -range <ipNet_range>


Some other flags:
-search <list> -- search list. When fierce attempts to traverse up and down IP space it may encounter other servers within other domains that may belong to the same company. If you supply a comma-delimited list to fierce it will report anything found.

-threads <number> -- The number of threads to use when running the scan.

-wordlist <list.txt> -- Use an alternate word list instead of the application's default one.

-file <filename.out> -- Write the results of the scan to the file specified on the command line.

-delay <number> -- Specifies a delay, in seconds, to wait between queries.

Will the real Mr. Wang please stand up

I have started looking at this blog in the past few months, and am really enjoying it more and more these days.



In summary, Wang Qingwei, an IT security expert, advertised jobs at Jinan Fanglang using two online profiles and was also listed as the company’s official representative. He is directly linked to likely MSS Officer Guo Lin, travelling with him on multiple occasions.
#theyknowwherethisleads

Capital One has a breach

Capital One data breach hits about 6 million people in Canada, 100 million in U.S.
http://flip.it/ly1lyr

update: 2019-07-30
Wired
NPR

new logwatch

Logwatch 7.5.2
https://packetstormsecurity.com/files/153783/logwatch-7.5.2.tar.gz

look at yer logs........

A Collection of Fun WMI Things

Playing with MOF files on Windows, for fun & profit
http://poppopret.blogspot.com/2011/09/playing-with-mof-files-on-windows-for.html
"""
What is really interesting with WMI is that it permits executing some code when the notification of an event occurs. The event might be a program start, a user authentication, ... or any other Windows event. A MOF file needs to be registered into the CIM/WMI repository in order to be taken into account by WMI. When registering a MOF file, the CIM class(es) it describes are indeed added into the repository.
"""
MOF files are compiled into the WMI repository using mofcomp.exe. Moreover, a MOF file that is put in the %SystemRoot%\System32\wbem\mof\ directory is automatically compiled and registered into the WMI repository. It is defined in the registry key HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\.
"""
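What a registered MOF file of that kind leaves behind is a permanent event subscription in root\subscription: an __EventFilter (the WQL trigger), an __EventConsumer (what runs) and a __FilterToConsumerBinding tying them together. The following is an added example, not code from the posts linked here, that lists every binding on a host and shows what each consumer would execute; it assumes an elevated PowerShell session and no other parameters.

```powershell
# Added example (not from the linked posts): list permanent WMI event subscriptions
# in root\subscription and show what each one would execute. Run elevated.
$ns = 'root\subscription'

$filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
$consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer
$bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

# A binding refers to its filter and consumer by WMI object path, e.g.
#   __EventFilter.Name="SomeFilter"; pull the Name out and look each one up.
function Get-NameFromPath([string]$Path) { ($Path -split '"')[1] }

$bindings | ForEach-Object {
    $f = $filters   | Where-Object Name -eq (Get-NameFromPath $_.Filter)
    $c = $consumers | Where-Object Name -eq (Get-NameFromPath $_.Consumer)

    # The two consumer classes that run code: CommandLineEventConsumer executes
    # CommandLineTemplate, ActiveScriptEventConsumer runs ScriptText (VBScript/JScript).
    $payload = switch ($c.__CLASS) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $c.ScriptText }
        default                     { '(no code: ' + $c.__CLASS + ')' }
    }

    [pscustomobject]@{
        Filter       = $f.Name
        Trigger      = $f.Query        # the WQL event query that fires the consumer
        Consumer     = $c.Name
        ConsumerType = $c.__CLASS
        Payload      = $payload
    }
} | Format-List
```

A stock Windows install normally shows only the built-in SCM Event Log binding (an NTEventLogEventConsumer); any CommandLineEventConsumer or ActiveScriptEventConsumer is the thing to read closely.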

https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor.pdf

https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf

https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf

https://files.sans.org/summit/Digital_Forensics_and_Incident_Response_Summit_2015/PDFs/TheresSomethingAboutWMIDevonKerr.pdf

https://www.youtube.com/watch?v=Ldzr0bfGtHc


A Quick Red Team note

Golden Tickets
Silver Tickets
Kerberoasting
Pykek attacks
User hunting
Forest Enumeration
Cross Forest Attacks
SID attacks
ACL Abuses
GPO Abuses

Today's Look For:

Any instance of this User-Agent:
- Microsoft BITS/7.5

And this rundll32 command line:
rundll32.exe shell32.dll,OpenAs_RunDLL

Jenkins can be an easy attack surface

Jenkins Admins: Relying on Default Settings Could Put Master at Risk of Remote Code Execution Attacks
https://blog.trendmicro.com/trendlabs-security-intelligence/jenkins-admins-relying-on-default-settings-could-put-master-at-risk-of-remote-code-execution-attacks/

KPOT v2.0 stealer silently steals credentials

New KPOT v2.0 stealer
https://www.nytimes.com/2019/05/06/us/politics/china-hacking-cyber.html
https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit


Windows zero day was exploited by Buckeye alongside Equation Group tools during 2016 attacks. Exploit and tools continued to be used after Buckeye's apparent disappearance in 2017.

Key Findings

  • The Buckeye attack group was using Equation Group tools to gain persistent access to target organizations at least a year prior to the Shadow Brokers leak.
  • Variants of Equation Group tools used by Buckeye appear to be different from those released by Shadow Brokers, potentially indicating that they didn't originate from that leak.
  • Buckeye's use of Equation Group tools also involved the exploit of a previously unknown Windows zero-day vulnerability. This zero day was reported by Symantec to Microsoft in September 2018 and patched in March 2019.
  • While Buckeye appeared to cease operations in mid-2017, the Equation Group tools it used continued to be used in attacks until late 2018. It is unknown who continued to use the tools. They may have been passed to another group or Buckeye may have continued operating longer than supposed.

Iran has its turn in limelight

A Mystery Agent Is Doxing Iran's Hackers and Dumping Their Code
https://www.wired.com/story/iran-hackers-oilrig-read-my-lips