I've used Nessus for years. I only recently heard of NeXpose after Rapid7 started funding Metasploit and promised to integrate their scanner with Metasploit. I decided to give NeXpose a whirl. The learning curve wasn't steep when using the scanner.
Scanned the same target machine with Nessus.
The 2 scanners produce the same result but I always believe in the need to use multiple tools to assess vulnerabilities in infrastructures, networks, systems and applications to uncover the full state of insecurity.
ThreatExpert
Found out about this resource from attending a Symantec security seminar today. ThreatExpert provides a list of free services including a "Memory Scanner". This tool scans your memory for malware. Users can submit suspicious files for analysis to discover the file's behaviour without having to execute it.
Code injection via English text?
Session video recording vs keystroke logging
Visually, it is easier to comprehend what is occurring during a session when reviewing a recording as compared to keystrokes. However, recordings consume a lot of storage and cannot be indexed for easy searching unlike keylogging. Session video recording is more secure as it does not record the privilege password. It is also less intrusive because no software or tweaking is required on the endpoint system.
The jury is still out on session video recording. It is a good concept but its disadvantages currently outweigh its benefits.
Network forensics puzzle #2
My answer to the new digital forensics puzzle. I ran "ngrep" in Ubuntu to search for lines containing the "@" symbol. Ann's email address is "sneakyg33k@aol.com". Her secret lover's email address is "mistersecretx@aol.com". She requests him to bring his fake passport and bathing suit.
Searching for strings matching "aol.com" reveals "AUTH=LOGIN". I locate the login sequence in Wireshark.
I figure that the string "VXNlcm5hbWU6" is encoded and has significance. Googling this string reveals that it is "Username:" encoded in Base64. I use the "Encode/Hash" tool in Paros (Windows) to confirm this fact. Lo and behold! I start to decode the other encoded strings to reveal the password "558r00lz".
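The decoding step above, automated as an added example (not part of the original write-up): a routine that walks an SMTP stream dump, pairs each 334 challenge with the client's Base64 reply and decodes both, which is also the check a monitoring rule for cleartext SMTP authentication would perform. The transcript below is constructed (hostname and EHLO name are made up); the Base64 tokens are the puzzle's own values re-encoded for the sample.

```python
import base64
import re

# Constructed SMTP AUTH LOGIN transcript in the style of an ngrep or
# Wireshark "Follow TCP Stream" dump ("S:" server, "C:" client). The Base64
# tokens are the puzzle's own values re-encoded for this sample.
SAMPLE_STREAM = """\
S: 220 smtp.aol.com ESMTP ready
C: EHLO annlaptop
S: 250 AUTH LOGIN PLAIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: c25lYWt5ZzMza0Bhb2wuY29t
S: 334 UGFzc3dvcmQ6
C: NTU4cjAwbHo=
S: 235 Authentication successful
"""

def b64_text(token):
    """Decode one Base64 token to text, or return None if it is not Base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None

def extract_auth_login(stream):
    """Recover AUTH LOGIN challenge/response pairs from an SMTP stream.

    Returns {decoded server prompt: decoded client reply}, for example
    {"Username:": ..., "Password:": ...}; empty if no AUTH LOGIN occurred.
    A non-empty result for a session without STARTTLS means credentials
    crossed the wire in the clear, which is what a detection should alert on.
    """
    creds = {}
    pending_prompt = None
    for line in stream.splitlines():
        m = re.match(r"^(S|C):\s*(.*)$", line)
        if not m:
            continue
        side, payload = m.group(1), m.group(2).strip()
        if side == "S" and payload.startswith("334 "):
            pending_prompt = b64_text(payload[4:])   # 334 <base64 challenge>
        elif side == "C" and pending_prompt is not None:
            reply = b64_text(payload)
            if reply is not None:
                creds[pending_prompt] = reply
            pending_prompt = None
    return creds
```

Feeding the real stream (for instance the text from Wireshark's "Follow TCP Stream") to `extract_auth_login` yields the same two prompts and their decoded answers.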
To locate the attachment that Ann sent, I search for the string "Content-Type:". The name of the attachment is "secretrendezvous.docx". I usually like to challenge myself by manually carving out file transfers but in this specific case, I was unsuccessful. Using file carvers like "tcpxtract" and "Foremost" also resulted in failure. I resorted to using NetMiner (Windows) to acquire this file.
I do not have Office 2007 installed on my laptop. I decided to be creative and viewed the file in Google Docs to reveal their secret meeting place. The MD5 hash of this file is "9e423e11db88f01bbff81172839e1923". To access the embedded image, I rename the extension ".docx" to ".zip". I am able to access the image from the "/word/media/" folder. The MD5 hash of this image is "aadeace50997b1ba24b09ac2ef1940b7".
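The same inspection done programmatically, as an added example that is not from the original post: a .docx is a ZIP package, so the embedded image under word/media/ can be listed and hashed without renaming the file or opening it in Office. The package built here is a constructed stand-in for the attachment, and its "image" is only the bytes b"abc" so that the MD5 is a known test vector.

```python
import hashlib
import io
import zipfile

def build_sample_docx():
    """Construct a minimal OOXML-style package in memory (sample data, not the
    puzzle's real attachment). A .docx is an ordinary ZIP archive, so the
    embedded image lives at word/media/ inside it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/media/image1.png", b"abc")  # placeholder image bytes
    return buf.getvalue()

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def inspect_docx(package_bytes):
    """Hash the package and every file under word/media/ without rendering the
    document. Returns (package_md5, {member_name: member_md5}). Reading the
    ZIP directly also avoids any macro or external-link behaviour that opening
    the document in an office suite could trigger."""
    media = {}
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
        for info in z.infolist():
            if info.filename.startswith("word/media/") and not info.is_dir():
                media[info.filename] = md5_hex(z.read(info))
    return md5_hex(package_bytes), media

if __name__ == "__main__":
    pkg_md5, media_hashes = inspect_docx(build_sample_docx())
    print("package:", pkg_md5)
    for name, digest in media_hashes.items():
        print(name, digest)
```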
My new article
Password length
Interesting statistics, but I wonder how reliable the source is. The difference in benefit between passwords of length 12 and those of length 11 is fascinating.
Client-side validation
One of the rules of application security is to never implement client-side validation but rely on server-side validation.
I came across an e-card greeting on the "Uniquely Singapore" website and decided to try it out. Hmmmm... the form doesn't allow me to submit an e-card with the recipient and sender emails being the same. Did they implement client-side validation? I decided to disable JavaScript in Firefox. I reload the webpage and resubmit. Voila!!! Email sent and received.
This confirms that JavaScript is used to validate submissions on the client's machine. The secure way would be to validate on the server so that the client cannot manipulate requests to successfully bypass validation.
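The server-side rule the post finds missing, as an added example (not the site's code): the sender/recipient check applied to the raw POST body, so it holds whether or not the browser ran any JavaScript. The field names sender and recipient, and the form encoding, are assumptions.

```python
import re
from urllib.parse import parse_qs

# Loose address check, enough to reject obviously malformed input (constructed
# rule; a real deployment would add stricter parsing and rate limiting).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def validate_ecard(fields):
    """Return a list of validation errors for a submitted e-card form.

    This is the rule the page observed being enforced only in the browser:
    sender and recipient must be valid addresses and must differ. Running it
    on the server means disabling JavaScript or replaying a crafted POST no
    longer bypasses it.
    """
    errors = []
    sender = fields.get("sender", "").strip()
    recipient = fields.get("recipient", "").strip()
    for label, value in (("sender", sender), ("recipient", recipient)):
        if not EMAIL_RE.match(value):
            errors.append(f"{label}: invalid e-mail address")
    if sender and recipient and sender.lower() == recipient.lower():
        errors.append("sender and recipient must be different addresses")
    return errors

def handle_submit(raw_body):
    """Server-side handling of a raw application/x-www-form-urlencoded body.

    Returns (http_status, message). The body is exactly what the client sent,
    so whatever the browser did or did not check is irrelevant here: the
    server re-validates before anything is handed to the mailer.
    """
    fields = {k: v[0] for k, v in parse_qs(raw_body, keep_blank_values=True).items()}
    errors = validate_ecard(fields)
    if errors:
        return 400, "; ".join(errors)
    return 200, "e-card queued"  # hand off to the mailer only after validation

if __name__ == "__main__":
    # In effect what the Firefox-without-JavaScript experiment submitted.
    print(handle_submit("sender=me%40example.com&recipient=me%40example.com"))
    print(handle_submit("sender=me%40example.com&recipient=friend%40example.com"))
```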
Zbot
Downloaded a sample of "Zbot" from Offensive Computing's site. I'm no reverse engineering guru but decided to give it a go at analysing this nasty piece of malware. Fired up "Regshot" to detect modifications made to my virtual machine.
The following registry keys were added.
HKLM\SOFTWARE\Classes\.exe 
HKLM\SOFTWARE\Classes\.exe \PersistentHandler
HKLM\SOFTWARE\Microsoft\DownloadManager
HKLM\SOFTWARE\XTB
Corresponding values that were added.
HKLM\SOFTWARE\Classes\.exe \PersistentHandler\: "{098f2470-bae0-11cd-b579-08002b30bfeb}"
HKLM\SOFTWARE\Classes\.exe \: "exefile"
HKLM\SOFTWARE\Classes\.exe \Content Type: "application/x-msdownload"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows: "C:\WINDOWS\explorer.exe "
HKLM\SOFTWARE\XTB\httpaddr: "http://server.xyz/drss,jpg"
HKLM\SOFTWARE\XTB\xintr: "1440"
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe : "C:\WINDOWS\explorer.exe :*:Enabled:explorer"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe : "C:\WINDOWS\explorer.exe :*:Enabled:explorer"
HKU\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\explorer.exe : "explorer"
HKU\S-1-5-21-299502267-448539723-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable: 0x00000000
HKU\S-1-5-21-299502267-448539723-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings: 3C 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 10 8A 55 3E 84 54 CA 01 01 00 00 00 C0 A8 DC 89 00 00 00 00 00 00 00 00
HKU\S-1-5-21-299502267-448539723-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 02 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-299502267-448539723-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\tester\Desktop\malware.exe: "malware"
HKU\S-1-5-21-299502267-448539723-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\explorer.exe : "explorer"
HKU\S-1-5-18\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\explorer.exe : "explorer"
The following files were added.
C:\WINDOWS\Prefetch\EXPLORER.EXE -2F6C44D8.pf
C:\WINDOWS\Prefetch\MALWARE.EXE-17DA0AE5.pf
C:\WINDOWS\Prefetch\RUNDLL32.EXE-4912BB30.pf
C:\WINDOWS\system32\wbem\Logs\wmiprov.log
C:\WINDOWS\explorer.exe
Files were modified.
C:\Documents and Settings\tester\Cookies\index.dat
C:\Documents and Settings\tester\Local Settings\History\History.IE5\index.dat
C:\Documents and Settings\tester\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\tester\ntuser.dat.LOG
C:\WINDOWS\system32\config\default.LOG
C:\WINDOWS\system32\config\software
C:\WINDOWS\system32\config\software.LOG
C:\WINDOWS\system32\config\system.LOG
As seen from the registry values added, the malware creates a backdoor into the victim's system. A pop-up was triggered by the malware and, by clicking on "Unblock", the user adds a permit rule in "Windows Firewall" that gives the hacker access to the system. The malware creates a file "explorer.exe " in "C:\Windows". Note that the fake Explorer does not replace the authentic one native to Windows because the hacker adds a space behind the extension. 2 Explorer processes are seen in "Task Manager" and one of them is the backdoor. "Active Ports" and "netstat" (with the -nab switch) confirm that the backdoor listens on TCP port 113 and UDP port 1025.
The malware requests a fake resource, drss,jpg, from a server presumably controlled by the hacker. This is not a typo, as the hacker intentionally uses a comma instead of a full stop. I hypothesize that the hacker uses this fake request to capture the victim's IP address so that he knows which IP address to connect to.
Besides "0wning" bots, I believe that the hacker is after the victim's surfing history and logs based on the files modified.
Launched "Capture BAT" to verify the findings from "Regshot". "Capture BAT" confirms that the same registry keys and values were added. It also confirms the spawning of the fake Explorer process. The packet capture by "Capture BAT" also confirms the HTTP request to "server.xyz".
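A triage pass over Regshot-style "key: value" lines, added here as an example and not part of the original analysis: it flags the indicators the post relies on, namely the Run key entry, the firewall whitelist addition, the URL stored under HKLM\SOFTWARE\XTB and the trailing-space trick in "explorer.exe ". The excerpt is constructed from the entries listed above, and the rule set is my own rather than a Regshot feature.

```python
import re

# Constructed excerpt in Regshot's "key: value" listing format, reproducing
# entries from the post (server.xyz is the post's own placeholder hostname).
SAMPLE_REGSHOT = r"""
HKLM\SOFTWARE\Classes\.exe \: "exefile"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows: "C:\WINDOWS\explorer.exe "
HKLM\SOFTWARE\XTB\httpaddr: "http://server.xyz/drss,jpg"
HKLM\SOFTWARE\XTB\xintr: "1440"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe : "C:\WINDOWS\explorer.exe :*:Enabled:explorer"
HKU\S-1-5-21-299502267-448539723-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable: 0x00000000
"""

# ".exe" followed by whitespace and then a quote, backslash, colon or the end
# of the string: "explorer.exe " sits beside the real explorer.exe, looks the
# same in Task Manager, and gets its own ".exe " file class registered.
PADDED_EXE = re.compile(r'\.exe\s+(?:["\\:]|$)', re.I)

RULES = [
    ("persistence: Run key entry",
     lambda key, value: "\\CurrentVersion\\Run\\" in key),
    ("firewall: application whitelisted",
     lambda key, value: "\\FirewallPolicy\\" in key and "\\AuthorizedApplications\\List\\" in key),
    ("masquerade: executable name padded with whitespace",
     lambda key, value: any(PADDED_EXE.search(s) for s in (key, value))),
    ("network: URL stored in registry (possible C2 address)",
     lambda key, value: value.strip('"').lower().startswith(("http://", "https://"))),
]

def triage_regshot(report):
    """Return (rule_name, key) for every Regshot line that matches a rule.

    Lines are 'key: value'; the split is on the first ': ' because the key
    itself can contain 'C:\\' and a trailing space before the separator.
    """
    findings = []
    for line in report.splitlines():
        if ": " not in line:
            continue
        key, value = line.split(": ", 1)
        for name, matches in RULES:
            if matches(key, value):
                findings.append((name, key))
    return findings

if __name__ == "__main__":
    for name, key in triage_regshot(SAMPLE_REGSHOT):
        print(f"{name:55} {key}")
```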
Google warning
Google now warns its users of sites with malicious content. Google displayed a warning when I searched for the URL of my toy supplier. It also blocked my access to the suspect site.
Microsoft Security Essentials
M$ released a free AV called "Security Essentials" for home consumers. I gave it a test drive and found it intuitive to manage as well as use.
I tested it against the malicious MP3 file that I analysed previously and "Security Essentials" effortlessly detected the malware instantaneously. Avast! on the other hand needed me to manually trigger a scan before it warned me of the presence of malware. 27 AV engines hosted on VirusTotal missed it.