Kali Linux with intel OpenCL

Are you also receiving the following error when running hashcat on Kali with your Intel CPU -> clGetDeviceIDs(): CL_DEVICE_NOT_FOUND?

Then follow these steps ->

$ mkdir intel-opencl
$ tar -C intel-opencl -Jxf intel-opencl-r3.1-BUILD_ID.x86_64.tar.xz
$ tar -C intel-opencl -Jxf intel-opencl-devel-r3.1-BUILD_ID.x86_64.tar.xz
$ tar -C intel-opencl -Jxf intel-opencl-cpu-r3.1-BUILD_ID.x86_64.tar.xz
$ sudo cp -R intel-opencl/* /
$ sudo ldconfig

Substitute the version you downloaded for r3.1-BUILD_ID in the filenames above; at the time of writing that is 4.x.

DEF CON 23 – Marquis-Boire, Marschalek, Guarnieri – F the attribution, show us your .idb

Over the past few years state-sponsored hacking has received attention that would make a rockstar jealous. Discussion of malware has shifted in focus from ‘cyber crime’ to ‘cyber weapons’, there have been intense public debates on attribution of various high profile attacks, and heated policy discussion surrounding regulation of offensive tools. We’ve also seen the sale of ‘lawful intercept’ malware become a global trade.

While a substantial focus has revolved around the activities of China, Russia, and Iran, recent discoveries have revealed the capabilities of Western nations such as WARRIORPRIDE aka. Regin (FVEY) and SNOWGLOBE aka. Babar (France). Many have argued that digital operations are a logical, even desirable part of modern statecraft. The step from digital espionage to political persecution is, however, a small one. Commercially written, offensive software from companies like FinFisher and Hacking Team has been sold to repressive regimes under the guise of ‘governmental intrusion’ software.

Nation state hacking operations are frequently well-funded, difficult to attribute, and rarely prosecuted even if substantive evidence can be discovered. While efforts have been made to counter this problem, proof is hard to find and even more difficult to correctly interpret. This creates a perfect storm of conditions for lies, vendor lies, and flimsy attribution.

In this talk we will unveil the mess happening backstage when uncovering nation state malware, lead the audience on the track of actor attribution, and cover what happens when you find other players on the hunt. We will present a novel approach to binary stylometry, which helps matching binaries of equal authorship and allows credible linking of binaries into the bigger picture of an attack. After this session the audience will have a better understanding of what happened behind the scenes when the next big APT report surfaces.

Speaker Bios:
Morgan Marquis-Boire is a Senior Researcher at the Citizen Lab, University of Toronto. He is the Director of Security for First Look Media and a contributing writer for The Intercept. Prior to this, he worked on the security team at Google. He is a Special Advisor to the Electronic Frontier Foundation in San Francisco and an Advisor to the United Nations Inter-regional Crime and Justice Research Institute. In addition to this, he serves as a member of the Freedom of the Press Foundation advisory board and as an advisor to Amnesty International.

Marion is a malware reverse engineer on duty for Cyphort Inc., focussing on the analysis of emerging threats and exploring novel methods of threat detection. She teaches malware analysis at University of Applied Sciences St. Pölten and frequently appears as a speaker at international conferences. Two years ago Marion won Halvar Flake’s reverse engineering challenge for females; since then she has set out to threaten cyber criminals. She practices martial arts and has a vivid passion for taking things apart. Preferably, other people’s things.

Claudio is a security researcher mostly specialized in the analysis of malware, botnets and computer attacks in general. He’s a core member of The Honeynet Project, created the open source malware analysis software Cuckoo Sandbox and Viper, and runs the free Malwr service. Claudio has published abundant research on botnets and targeted attacks and presented at conferences such as Hack In The Box, Black Hat, Chaos Communication Congress and many more. In recent years he has devoted his attention especially to issues of privacy and surveillance and has published numerous articles on surveillance vendors such as FinFisher and Hacking Team with the Citizen Lab, as well as on NSA/GCHQ and Five Eyes surveillance capabilities with The Intercept and Der Spiegel. Claudio also contributes to Global Voices Advocacy. He continuously researches and writes on government surveillance and threats to journalists and dissidents worldwide and supports human rights organisations with operational security and emergency response.

T-Pot HoneyPot

Yesterday I came across a really great Honeypot. Since I don’t have much time I just repost their main page -> source

T-Pot is based on Ubuntu Server 14.04.4 LTS. The honeypot daemons as well as other support components being used have been paravirtualized using docker. This allowed us to run multiple honeypot daemons on the same network interface without problems, making the entire system very low maintenance.
The encapsulation of the honeypot daemons in docker provides a good isolation of the runtime environments and easy update mechanisms.

In T-Pot we combine the dockerized honeypots conpot, cowrie, dionaea, elasticpot, emobility, glastopf and honeytrap with suricata a Network Security Monitoring engine and the ELK stack to beautifully visualize all the events captured by T-Pot. Events will be correlated by our own data submission tool ewsposter which also supports Honeynet project hpfeeds honeypot data sharing.

All data in docker is volatile. Once a docker container crashes, all data produced within its environment is gone and a fresh instance is restarted. Hence, for some data that needs to be persistent, i.e. config files, we have a persistent storage /data/ on the host in order to make it available and persistent across container or system restarts.
Important log data is now also stored outside the container in /data/<container-name>, allowing easy access to logs from within the host. The upstart scripts have been adjusted to support storing data on the host either volatile (default) or persistent (/data/persistence.on).

Read more @ http://dtag-dev-sec.github.io/mediator/feature/2016/03/11/t-pot-16.03.html

IMF Walkthrough (Vulnhub)

Geckom uploaded his first vulnerable machine to vulnhub.com.

As posted before, you can find a lot of (mostly) VirtualBox images which are vulnerable in several ways. Usually there is one goal: find a number of flags, with the last flag only available once you have rooted the system. The vulnerabilities range from insecure web applications to insecure and/or old or self-made services, the need to use port knocking, stuff hidden in images, reverse engineering (buffer overflows), cryptography and many more.

The information given @vulnhub about IMF does not tell you how many flags there are ->

There are walkthroughs available in case you get stuck. No walkthrough is posted for the IMF challenge but I did see some tweets from people having solved IMF.

Welcome to “IMF”, my first Boot2Root virtual machine. IMF is an intelligence agency that you must hack to get all flags and ultimately root. The flags start off easy and get harder as you progress. Each flag contains a hint to the next flag. I hope you enjoy this VM and learn something.

Difficulty: Beginner/Moderate

Can contact me at: geckom at redteamr dot com or on Twitter: @g3ck0m

So let’s see what IMF is about:

PORT   STATE SERVICE REASON  VERSION
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: IMF – Homepage

OS details: Linux 3.2 – 4.4, Linux 4.4
TCP/IP fingerprint:
OS:SCAN(V=7.31%E=4%D=11/2%OT=80%CT=%CU=%PV=Y%DS=1%DC=D%G=N%M=080027%TM=5819
OS:934A%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=104%TI=Z%TS=8)OPS(O1=M5B
OS:4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%O6
OS:=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF
OS:=Y%TG=40%W=7210%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=
OS:0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)U1(R=N)I
OS:E(R=N)

Going to the webpage will show the page below:

IMF Vulnhub

I always download images from websites to see if there is something hidden in them: binaries, strings or other useful artifacts. I use binwalk and ExifTool to get some more information. The IMF logo above has no usable information in it.

The image on the project page (brain.jpg) seems to hold some usable information in the IPTC Digest.

Current IPTC Digest : d41d8cd98f00b204e9800998ecf8427e
IPTC Digest : d41d8cd98f00b204e9800998ecf8427e

Trying to crack the MD5 hash, I found it to be the hash of empty input, as generated by: md5sum /dev/null

I’m not sure if the above hash is something we need to use later on. It’s certainly no flag, because after viewing the source of every page I found flag 1 (YWxsdGhlZmlsZXM= -> decoded -> allthefiles):


<section id="service">
<div class="container">
    <!-- flag1{YWxsdGhlZmlsZXM=} -->
<div class="service-wrapper">
<div class="row">
<div class="col-md-4 col-sm-6">
<div class="block wow fadeInRight" data-wow-delay="1s">
<div class="icon">
    <i class="fa fa-desktop"></i>
</div>
<h3>Roger S. Michaels</h3>
rmichaels@imf.local
Director
</div>


What I also noticed, after a while I must say, is that 3 filenames are parts of a base64-encoded string: flag2{aW1mYWRtaW5pc3RyYXRvcg==} -> decoded -> imfadministrator
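A small check for the two artifacts above, as an added example that is not part of the walkthrough: it verifies that the IPTC digest is the MD5 of empty input, pulls flagN{...} markers out of page source and decodes them, and joins base64 fragments split across filenames. The HTML excerpt and the three filename fragments are constructed for the example; the walkthrough does not name the files.

```python
"""Checks for the IMF artifacts above (added example, not part of the walkthrough)."""
import base64
import hashlib
import re

# IPTC digest quoted from brain.jpg in the walkthrough.
IPTC_DIGEST = "d41d8cd98f00b204e9800998ecf8427e"

# Constructed excerpt modelled on the page source shown above.
SAMPLE_HTML = """
<section id="service">
<div class="container">
            <!-- flag1{YWxsdGhlZmlsZXM=} -->
<div class="service-wrapper">
<h3>Roger S. Michaels</h3>
rmichaels@imf.local
"""

# Constructed: the walkthrough says three filenames carry pieces of the flag 2
# string but does not name them, so these fragments stand in for the filenames.
FILENAME_PARTS = ["aW1mYWRt", "aW5pc3Ry", "YXRvcg=="]

FLAG_RE = re.compile(r"flag(\d+)\{([A-Za-z0-9+/=]+)\}")


def digest_is_empty_md5(digest):
    """True when the digest is MD5 of empty input, i.e. the metadata field was empty."""
    return digest.lower() == hashlib.md5(b"").hexdigest()


def decode_flag(token):
    """Base64-decode a flag payload, tolerating missing '=' padding."""
    token += "=" * (-len(token) % 4)
    return base64.b64decode(token).decode("ascii")


def find_flags(html):
    """Map flag number to decoded text for every flagN{...} marker in the source."""
    return {int(num): decode_flag(payload) for num, payload in FLAG_RE.findall(html)}


def join_filename_parts(parts):
    """Concatenate base64 fragments split across filenames and decode the result."""
    return decode_flag("".join(parts))


if __name__ == "__main__":
    print("IPTC digest is md5 of empty input:", digest_is_empty_md5(IPTC_DIGEST))
    print("flags in source:", find_flags(SAMPLE_HTML))
    print("flag 2 from filenames:", join_filename_parts(FILENAME_PARTS))
```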


I often find myself puzzling around long enough to forget the previous hint 😉 (allthefiles). I first combined the filenames in the order found in the Burp target window, not in the head section of index.php, contact.php or project.php.

In the background dirbuster is running. So far, after an hour, I have only found a directory on the webserver called /less, which gives me a forbidden message. There are no other open ports, so I go back to scrolling through the files on the webserver.

Since there is no login page and no input fields other than the contact form, I decided to just try “imfadministrator” as a directory. This gives me a login screen.

I have stopped dirbuster because I’m just impatient. In previous CTFs I found the results to be there quickly. If it takes long, the probability of getting results with this method is not that big; usually this indicates a dead end. Let’s keep the “less” directory in the back of the mind.

Viewing the source of this page gives us a clue on how to proceed: <!-- I couldn’t get the SQL working, so I hard-coded the password. It’s still mad secure through. - Roger -->

So let’s see. Username Roger, password madsecure: fail. Same for imfadministrator: fail. What I notice is that the error message is very specific, namely “invalid username”. Let’s try the 3 names shown on the contact page. rmichaels@imf.local: fail, invalid username; now without the @imf.local: invalid password. So rmichaels is a valid username. Let’s check the other 2: estone and akeith are both invalid. So the hammering needs to be done using the rmichaels account.

While hydra is brute forcing the login page with rmichaels as the username, I also found some other pages: http://192.168.1.68/imfadministrator/cms.php (using dirbuster, files only, pure brute force, no list) and http://192.168.1.68/imfadministrator/uploads/ (403).

After hours of brute force and guessing I decided to check the walkthrough made by g0blin. I was totally stuck. flag3{Y29udGludWVUT2Ntcw==} -> continueTOcms can be obtained by editing the name of the password field using Inspect Element. So much for the hammering 🙁

We take the hint and continue to the CMS which gives the screen below:

IMF Vulnhub

Throwing some garbage at http://192.168.1.68/imfadministrator/cms.php?pagename=/../../..%27%27/etc/passwd%27%27%27 broke the SQL query, so probably we have an SQL injection point here.

Warning: mysqli_fetch_row() expects parameter 1 to be mysqli_result, boolean given in /var/www/html/imfadministrator/cms.php on line 29

The easiest way to continue is to capture a valid request such as http://192.168.1.68/imfadministrator/cms.php?pagename=home in Burp, save the request to a file and start sqlmap using: sqlmap -r "path to saved file"

IMF Vulnhub

And oops, there it is. We have an SQL injection which we can exploit. Let’s poke around in the database!

Making a dump of the admin database, I quickly managed to find flag 4 in a QR code in an image (flag4{dXBsb2Fkcjk0Mi5waHA=} -> decoded -> uploadr942.php).

The QR code is on the following page -> http://192.168.1.68/imfadministrator/cms.php?pagename=tutorials-incomplete

sqlmap command: sqlmap -r "path to saved file" -D admin --dump-all

Using the decoded previous flag brings us to the following page:

http://192.168.1.68/imfadministrator/uploadr942.php

Let’s see if we can upload some simple shells that come with Kali. Picking a simple backdoor PHP file throws an error telling me that the filetype is invalid. Let’s try to upload a renamed PHP file (.jpg). It seems that only image uploads are allowed.

Trying to append a .jpg extension to a PHP file gives me: Error: CrappyWAF detected malware. Signature: system php function detected.

I’ll continue with the IMF walkthrough on Friday/Saturday, so flags 5 and 6 are pending. I spent a lot of time trying to get something out of the Intelligence Upload Form, but so far not much progress. Better to take some distance and have another try in a few days.

Nemucod, the dropped files

Yesterday I posted a blog about Cuckoo & Nemucod. It looked like the Nemucod sample downloaded 2 files successfully, but after reading the Kahu Security write-up of the same sample, stating that there were no successful downloads, I immediately had a look this morning at what was in the files. Both dropped files just contain an error message: one is a 403 error and the other something to do with a DB not being allowed.

I assumed (bad, bad, bad) that something was in both files, since I saw this sample download files with interesting content last week. After a closer look, the download sites seem to be either down or to have removed the downloadable content. Luckily malwr.com holds the submitted sample with the dropped files.

Be aware that this Nemucod downloader has a certain job ID. The same file is in the wild with different JobIDs and different payloads to be downloaded. The JobID for this sample is uDvjhoi. ThreatMiner gives 191 results related to this sample; probably there is not much difference between the samples other than the JobID.

So what do we have?

XhrqpFwuqG2, 334 bytes, HTML document, ASCII text -> no matches on VirusTotal/YARA

b25e30c420aee02c187f2cc3ff1f17b3a911a0bdfc2368ebeb0a7a5a82f8b319

This file contains an error message:

You don’t have permission to access /g7fb6v

g7fb6v[1].htm, 511 bytes, ASCII text -> no matches on VirusTotal/YARA

9497256e044110c051052b2fc31b3d16ed14e8233fa2f60e8ce83127b95b9ed2

This file contains an error:

require(/home/lkadz/public_html/naturesagro.com/wp-includes/functions.php): failed to open stream: No such file or directory in <b>/home/lkadz/public_html/naturesagro.com/wp-settings.php</b> on line <b>65</b><br

XhrqpFwuqG4, HTML document, ASCII text, with very long lines, with CRLF, LF line terminators -> no matches on VirusTotal/YARA

73831709d228ae752c6d41016fff10a7caa984da7bb8edab38cfff2df5c1f4fc

Having a closer look (binwalk, Atom), this is nothing more than an HTML document with some JavaScript in it. Nothing special though.

So no payloads 🙁 I searched the web, but it seems this sample was not very successful, probably because it was already end of life and well detected by most AV products.

Analyse Malware & Ransomware with Cuckoo

Last week I started manually debugging a file which I received from Advissa Ludvinka, a non-existing person. Since the beginning of this year I have picked up my old passion for debugging malware & viruses, looking into buffer overflows, playing capture the flags online (root-me.org, ctf365) and offline (vulnhub, Mutillidae, OWASP Juice Shop, DVWA), (application) penetration testing and other general (information) security subjects. Some 20+ years ago I used to sit behind multiple screens for days in a row figuring out (reverse engineering) the way viruses (with their encryption and stealth abilities), games (to give me more “lives”), worms and other software worked. At that time it was very hard to learn this by yourself, because the only sources of information were the bulletin board systems of that time: no YouTube, not much documentation, no communities and no advanced/mature tools. I remember sitting behind the screen for days in a row with a load of assembly language on the screen and a big boring book in my hands, trying to figure out what all that asm was about. I’ll refrain from calling these the good old days.

Nowadays there are a lot of online tutorials, online/offline and active communities, well-written books (not only very hardcore technical ones) and, last but not least, a lot of very active open-source communities building highly advanced and mature tools. The advanced tools are a double-edged sword in multiple ways. Having such advanced tools freely available (sqlmap, OWASP ZAP, OpenVAS/Nessus, Metasploit, SET, basically the whole Kali distro) lowers the level of knowledge needed to perform advanced “attacks”. This basically means that everybody with some basic knowledge about computers and networks can use the tools, and use them “effectively”. It doesn’t require deep SQL or application infrastructure knowledge to Google-dork a site, try the well-known “ ‘ ”, capture a request with Burp, feed it to sqlmap and dump a database from a website vulnerable to SQL injection. On the other side, the same tools are enablers for more secure corporate environments. They are of tremendous help in the daily work of professional penetration testers, both for applications and infrastructure, of security analysts and of other people in infosec jobs. People in those jobs need to be constantly aware of the knowledge trap inherent in using these tools: the risk of becoming dependent on tools instead of on acquired knowledge. Using tools only has the potential of ending up with a nice report without knowing, really knowing, what is in the report. Running an OpenVAS or Nessus scan and handing over a 100+ page report to your customer will not be of much value to that customer.

What is Cuckoo?

OK, that’s enough of a disclaimer about using advanced tools made by the open-source infosec community. One such tool, or more precisely one such system, is Cuckoo.

What is it? In three words, Cuckoo Sandbox is a malware analysis system.

In other words, you can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.

Malware is the swiss-army knife of cybercriminals and any other adversary to your corporation or organization.

In these evolving times, detecting and removing malware artifacts is not enough: it’s vitally important to understand how they operate in order to understand the context, the motivations and the goals of a breach, for better protecting in the future.

Cuckoo Sandbox is free software that automates the task of analyzing any malicious file under Windows, OS X, Linux, and Android.

Source: https://cuckoosandbox.org/

General Cuckoo setup

I’m not going to give an extensive overview of how Cuckoo works. If you want a more detailed overview a good start would be the main Cuckoo page.

The basic setup I use consists of Ubuntu 16.0.4.1 LTS with all Cuckoo requirements installed, including MongoDB, Python 2.7 and VirtualBox. MongoDB is needed if you want to run the Django-based web interface, and VirtualBox is of course needed to have a virtual environment in which to run the sandboxed clients. A good start to get your setup going: http://docs.cuckoosandbox.org/en/latest/installation/host/requirements/

I have a Windows 7 image running (64-bit) on VirtualBox, network in host-only mode, with Python 2.7 (completely) installed, the Cuckoo agent in the startup folder and the Python Imaging Library (1.1.7) for Windows installed. The latter is needed for the screenshots which are made during a malware run on the client. What I also installed (on the host) are Tesseract and Suricata: the first for the screenshots (in combination with the Python Imaging Library on the client), the latter a free and open source, mature, fast and robust network threat detection engine. Cuckoo sends the captured network traffic (pcap) to the Suricata engine for analysis against the available rules.

iptables is adjusted to route traffic from the host-only network to the internet and back. I do not use NAT or bridged mode.

So basically I’m running all components on one host. I did not dive into the scaling options, but I’m sure you can split the components (reporting, core, db) the way you want depending on your needs. Different kinds of virtualization software are supported as well.

The Nemucod sample

In figuring out the exact workings of the Nemucod sample in my spam, I struggled with the obfuscation used by the author to make the sample very difficult to read. Probably the more samples you see, the easier it gets to immediately see the structure and the methods used. There are no easy-to-read strings, so you cannot see which websites the sample contacts or what exactly is going on. The author of this sample calls it the Maze (Maze.shuffle). Some parts of the sample are also base64 encoded.

I have mailed Kahu Security about the sample and probably he is going to have a more detailed blog post about the sample.

So aside from throwing the Nemucod sample into the Cuckoo black box, I also have a printed version to learn from. A good book making this task easier is “Practical Malware Analysis” by Michael Sikorski and Andrew Honig.

Some sample code:

var efioppocsonny5jjik = "QURPREIuU3RyZWFt".efioppocAIRJORDAN(); 
 
var efioppocsonny5VARDOCF ="JVRFTRUCHIDOVAlRUCHIDO".efioppocAIRJORDAN(); 
String.prototype.efioppocsonny5center2 = function () { 
 var efioppoc44_H11_L22 = { 
 efioppocSUyaWON: this 
 }; 
 efioppoc44_H11_L22.efioppocsonny5VARDOCE = efioppoc44_H11_L22.efioppocSUyaWON["c3VRUCHIDOic3RyRUCHIDOaW5RUCHIDOn".efioppocAIRJORDAN()](efioppocsonny5DRUZA, efioppocsonny5chosen); 
 return efioppoc44_H11_L22.efioppocsonny5VARDOCE; 
}; 
var efioppocsonny5sirdallos ="RUCHIDORXhwYW5RUCHIDOkRW52aXRUCHIDOJvbm1lbnRTdHJRUCHIDOpbmdz".efioppocAIRJORDAN(); 
var efioppocsonny5Native = function(options){
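A helper to undo the string encoding seen in the snippet above, as an added example and not code from the sample. The post does not show the body of efioppocAIRJORDAN; the helper assumes it strips the filler token RUCHIDO and base64-decodes the remainder, which is what turns the four literals above into readable API names.

```python
"""Undo the string encoding of the Nemucod sample (added example, not the sample's code)."""
import base64
import re

# The sample calls .efioppocAIRJORDAN() on every string literal. The post does not
# show that function's body; the assumption here is that it strips the filler
# token "RUCHIDO" and base64-decodes what is left.
FILLER = "RUCHIDO"

# Constructed excerpt of the lines quoted in the post.
SAMPLE = '''
var efioppocsonny5jjik = "QURPREIuU3RyZWFt".efioppocAIRJORDAN();
var efioppocsonny5VARDOCF ="JVRFTRUCHIDOVAlRUCHIDO".efioppocAIRJORDAN();
efioppoc44_H11_L22.efioppocsonny5VARDOCE = efioppoc44_H11_L22.efioppocSUyaWON["c3VRUCHIDOic3RyRUCHIDOaW5RUCHIDOn".efioppocAIRJORDAN()](efioppocsonny5DRUZA, efioppocsonny5chosen);
var efioppocsonny5sirdallos ="RUCHIDORXhwYW5RUCHIDOkRW52aXRUCHIDOJvbm1lbnRTdHJRUCHIDOpbmdz".efioppocAIRJORDAN();
'''

# A quoted literal immediately followed by the decoder call.
LITERAL_RE = re.compile(r'"([A-Za-z0-9+/=]+)"\.efioppocAIRJORDAN\(\)')


def decode_literal(literal, filler=FILLER):
    """Strip the filler, repair base64 padding and decode one literal."""
    cleaned = literal.replace(filler, "")
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned).decode("utf-8", errors="replace")


def decode_script(source):
    """Return (encoded, decoded) pairs for every literal the script decodes at runtime."""
    return [(lit, decode_literal(lit)) for lit in LITERAL_RE.findall(source)]


def rewrite_script(source):
    """Replace each encoded call with a plain string so the script reads like ordinary JScript."""
    return LITERAL_RE.sub(lambda m: '"' + decode_literal(m.group(1)) + '"', source)


if __name__ == "__main__":
    for encoded, plain in decode_script(SAMPLE):
        print(f"{encoded} -> {plain}")
```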

I have submitted the sample using the submit option on the local website (runs by default on http://127.0.0.1:8000/). Cuckoo automatically restores a predefined snapshot, starts the client (Windows 7 machine), uploads the sample to the client and subsequently runs it using the configured settings. Data from the analysis (screenshots, network captures and much more) is sent to the host and the client is shut down again. One important setting is whether to make use of the so-called “dirty line”, i.e. the internet connection. You can run a sample without it being able to reach the outside world. In my case I want to enable the sample to reach out to the internet, because I want to know what kind of data is fetched and from which locations. Be careful with this: you don’t want to end up looking at a web page with a timer and some instructions on how to pay in bitcoins to decrypt your files again.

Cuckoo output of Nemucod sample

In the screenshot below you see part of the summary page generated by the reporting server. There is just too much information in there to cover everything in a short blog post, and I did not even enable all possible reports or auxiliary options.

Cuckoo Analysis

  1. Behavioural Analysis -> here you find, what’s in the name, a detailed analysis of the behaviour of the sample when run on the client machine (in my case Windows 7 64-bit)
  2. Network Analysis -> here you find information about contacted hosts, DNS queries made, TCP packets sent, UDP packets sent, HTTP/HTTPS requests made, ICMP traffic, IRC traffic, Suricata analysis and, if you use Snort, some output from Snort.
  3. Dropped files -> this shows the files which were downloaded by the sample.
  4. Process memory -> you can disable this if you want. It will give a lot of information found in memory. The default list worries me a bit 🙂 Just take a look at it after submitting a benign file such as notepad.exe to Cuckoo.

About Nemucod

In the previous screenshot (5) you see the hashes calculated for this sample:

SHA256: 2d188dc6d2890ec1f33bb806382b377190a73492daea4ac1d643f949d878ad8c and others.

You can use the hash to check whether this sample was already analyzed by somebody else and which anti-virus vendors recognize it. The best site to go to is VirusTotal.

This sample, with this specific hash, has a detection ratio of 24/54. From the results you can see that the sample is a branch of other malware. This specific sample has a JobID named “uDvjhoi”. Probably the JobID is linked to a specific payload with specific actions, so the sample acts as an agent, much like an SCCM agent, waiting for jobs to execute.

In the second part of the summary you can quickly see which websites are approached by the sample. You see 4 requests, of which only 1, drsearscoach.com, was successful. 3 of the sites have been notified and took countermeasures.

The keygame.com website gives the following error upon receiving the GET request ->

buffer: <!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don’t have permission to access /g7fb6v on this server.<br /> </p> <p>Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.</p> </body></html>
request_handle: 0x0000000000cc0014

The naturesagro.com website gives the following error upon receiving the GET request:

<b>Important note for site admins: </b>If you are the administrator of this website note that your access has been limited because you broke one of the Wordfence firewall rules. The reason your access was limited is: <b>”Access from your area has been temporarily limited for security reasons”</b>. <br /><br /> If this is a false positive, meaning that your access to your own site has been limited incorrectly, then you will need to regain access to your site, go to the Wordfence “options” pa

The kv6j.net website gives the following error upon receiving the GET request:
00000000: 4854 5450 2f31 2e31 2034 3033 2046 6f72 HTTP/1.1.403.For
00000010: 6269 6464 656e 0d0a 4461 7465 3a20 5765 bidden..Date:.We
00000020: 642c 2031 3920 4f63 7420 3230 3136 2031 d,.19.Oct.2016.1
00000030: 383a 3330 3a35 3820 474d 540d 0a53 6572 8:30:58.GMT..Ser
00000040: 7665 723a 2041 7061 6368 650d 0a43 6f6e ver:.Apache..Con

In the screenshot below you see that more DNS queries have been made. veddanagor.net, stenokeud.org & oofyming.com have been taken offline, so no response is seen. msftncsi.com is used by Windows 7 to do some network checks.

Cuckoo DNS
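The same view pulled out of a Cuckoo report.json without the web UI, as an added example (not Cuckoo’s own code). It assumes the report’s network section carries dns entries with request/answers keys and http entries with host/uri keys; the fragment below is constructed from the domains named above, with placeholder values for the msftncsi answer and the drsearscoach path.

```python
"""Summarise the network section of a Cuckoo report.json (added example, not Cuckoo code)."""
import json

# Constructed fragment shaped like the "network" section of a Cuckoo report.json.
# Assumed layout: "dns" entries carry request/type/answers, "http" entries carry
# host/uri/method. Domains and addresses are those named in the post; the msftncsi
# answer and the drsearscoach path are placeholders.
SAMPLE_REPORT = json.dumps({
    "network": {
        "dns": [
            {"request": "keygamepc.com", "type": "A",
             "answers": [{"type": "A", "data": "103.7.41.178"}]},
            {"request": "naturesagro.com", "type": "A",
             "answers": [{"type": "A", "data": "184.154.142.202"}]},
            {"request": "drsearscoach.com", "type": "A",
             "answers": [{"type": "A", "data": "23.235.217.84"}]},
            {"request": "veddanagor.net", "type": "A", "answers": []},
            {"request": "stenokeud.org", "type": "A", "answers": []},
            {"request": "oofyming.com", "type": "A", "answers": []},
            {"request": "www.msftncsi.com", "type": "A",
             "answers": [{"type": "A", "data": "192.0.2.10"}]},
        ],
        "http": [
            {"host": "keygamepc.com", "method": "GET",
             "uri": "http://keygamepc.com/g7fb6v"},
            {"host": "drsearscoach.com", "method": "GET",
             "uri": "http://drsearscoach.com/placeholder-path"},
            {"host": "www.msftncsi.com", "method": "GET",
             "uri": "http://www.msftncsi.com/ncsi.txt"},
        ],
    }
})

# Domains the Windows 7 guest contacts on its own (connectivity checks); hide
# them so only the sample's traffic is left.
BENIGN_SUFFIXES = ("msftncsi.com",)


def is_benign(domain):
    return any(domain == s or domain.endswith("." + s) for s in BENIGN_SUFFIXES)


def summarise_network(report_text):
    """Split DNS names into resolved and unresolved (offline or sinkholed) and list requested URIs."""
    net = json.loads(report_text).get("network", {})
    resolved, unresolved = {}, []
    for query in net.get("dns", []):
        name = query.get("request", "")
        if not name or is_benign(name):
            continue
        addrs = [a["data"] for a in query.get("answers", []) if a.get("type") == "A"]
        if addrs:
            resolved[name] = addrs
        else:
            unresolved.append(name)
    uris = [h["uri"] for h in net.get("http", []) if not is_benign(h.get("host", ""))]
    return {"resolved": resolved, "unresolved": sorted(unresolved), "uris": uris}


def blocklist_candidates(summary):
    """Indicators worth adding to a DNS/proxy blocklist: resolved domains plus their addresses."""
    items = set(summary["resolved"])
    for addrs in summary["resolved"].values():
        items.update(addrs)
    return sorted(items)


if __name__ == "__main__":
    result = summarise_network(SAMPLE_REPORT)
    print("unresolved:", ", ".join(result["unresolved"]))
    print("blocklist:", ", ".join(blocklist_candidates(result)))
```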

Below you see some information about the two files downloaded by the sample. One thing I need to find out is whether it’s possible with Cuckoo to also run these files, or to give the downloader the opportunity to process the downloaded files. Both files will be processed to become executable files. Malware tries to trick IDS/IPS systems by downloading normal-looking data instead of data which triggers those systems and blocks the download (such as .exe files). Once downloaded, the data is processed, resulting in a file that can be run in Windows (in this sample).

Cuckoo Malware

The screenshots for this sample are not that interesting. They show just a boring windows 7 desktop. No action going on.

There is really much, much more to say about Cuckoo and this sample. Cuckoo is a perfect framework or system for analyzing malware. It’s a good first step to see what happened during a security incident: you take the sample, feed it to Cuckoo, and see what actions were performed by that specific sample. Did it spread to other servers? What was downloaded? Who is in control of the malware? Which actions were performed on the local server? It will give you a lot of information which you can use to adjust your security policy (on paper and in practice) and to respond to a security incident (block traffic/IPs/websites, blacklist certain files from running with policies, ...).

Needless to say, setting up a Cuckoo Sandbox in a corporate environment needs to be done very carefully, and not on a Monday morning. One can always go to malwr.com and use the online version of Cuckoo. It has the disadvantage that it does not resemble the corporate setup, but of course the advantage of 0 risk of infecting yourself. (The site seems to have had some difficulties the last 24 hours.)

Please leave some comments if you have questions. The above was not meant to be a complete overview of Cuckoo nor an in depth, annotated analysis of Nemucod.

Advissa Ludvinka sends me Nemucod

-> Will update along the way while debugging. The JavaScript is heavily scrambled, so not that easy to read.

Out of curiosity I decided to have a better look at an attachment that came with a spam message this week. The message has no written content and the subject “Receipt 7068-586205”.

Apparently the mail was sent from a mail server in Saudi Arabia. With a total spam score of 130 the message apparently did not make it to my inbox.

From – Sat Oct 08 16:11:10 2016
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: <alissa.ludvinka@gmail.com>
Delivered-To: bart@bartdecker.nl
Received: from xxxxxx.nl
by xxxxxx.nl (Dovecot) with LMTP id WD6tC6pA9le+cQAAEaLD6Q
for <bart@bartdecker.nl>; Thu, 06 Oct 2016 14:23:59 +0200
Return-path: <alissa.ludvinka@gmail.com>
Envelope-to: bart@bartdecker.nl
Delivery-date: Thu, 06 Oct 2016 14:23:59 +0200
Received: from [172.80.212.249] (port=18241)
by xxxxxxxxx with esmtp (Exim 4.87)
(envelope-from <alissa.ludvinka@gmail.com>)
id 1bs7iQ-0003wp-JI
for bart@bartdecker.nl; Thu, 06 Oct 2016 14:23:59 +0200
Message-ID: <2987b8b6.3ab41d91.19cce.d9ef@mx.google.com>
Date: Thu, 06 Oct 2016 15:53:51 +0430
X-Google-Original-Date: Thu, 06 Oct 2016 15:53:51 +0430
MIME-Version: 1.0
From: alissa.ludvinka@gmail.com
To: bart@bartdecker.nl
Subject: Receipt 7068-586205
Content-Type: multipart/mixed;
boundary=–boundary_117_28089751-6289-1a9f-c770-0c20fb9c6442
X-Original-To: bart@bartdecker.nl
SPFCheck: Soft Fail, 30 Spam score
ReverseDNS: No reverse DNS for mailserver at 172.80.212.249, +100 Spam score
SpamTally: Final spam score: 130

Now the attachment. Uploading it to VirusTotal gives me 31/54 detections, with results ranging from JS:Trojan.JS.Nemucod.DA to HEUR/Suspar.gen. In general, most detections refer to a trojan called Nemucod. Probably no coincidence that I found a blog post on WeLiveSecurity with the title “Nemucod is back and serving an ad-clicking backdoor instead of ransomware”.

From reading I learn that Nemucod is the downloader for the actual trojan, called Win32/Kovter. In the comments at WeLiveSecurity I read that aside from downloading Win32/Kovter, it still encrypts files.

So let’s have a closer look in a lab environment. The “Receipt” attachment is a ZIP file which contains a Windows Script File (WSF) named 6562871224.wsf.

You can check binary files using a tool called binwalk.


So let’s extract the zip file and move the extracted file over to an isolated Windows 7 machine.

Will add to this when analysis progresses ->

TW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgNi4wOyBXaW5kb3dzIE5UIDUuMCk=

which base64-decodes to the User-Agent string:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Pages that seem to hold files to download ->


Some functions

global:
Maze, abbida, efioppocsonny5achievment, efioppocsonny5lololosh, efioppocsonnyEmptyVara, efioppocsonnyREPONAFT, unpack

dirs()

shuffle(array)
parameter: array
variable: counter

random(array)
parameter: array
variables: element, i

Zhido(a1a, b2b)
parameters: a1a, b2b

unpack(xs)
parameter: xs

efioppocsonny5achievment(efioppocsonny5bidttt)
parameter: efioppocsonny5bidttt

Using SQLMap for SQL injection in SOAP Service

I spent way too much time behind the terminal lately. Since setting up my test lab with Kali, Metasploitable2 and Mutillidae (2.6.40) it’s all terminal and no gardening. As posted before, Mutillidae is “a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiasts.” You can find the whole feature list at the Mutillidae site. Today I’m going to show you how to use SQLMAP to exploit a vulnerability in one of Mutillidae’s web services, namely “Lookup User”.


SOAP/WSDL

The first thing you need is a tool that lets you play around with the SOAP message; SoapUI serves this purpose. It lets you load the WSDL, which describes the services offered by the Mutillidae web service.

Wiki:

WSDL (Web Services Description Language) is an XML-based interface definition language that is used for describing the functionality offered by a web service.

The Mutillidae web service supports several operations, as you can see from the WSDL below: getUser, createUser, updateUser and deleteUser.

We’ll use the createUser operation in the example.

<?xml version="1.0" encoding="ISO-8859-1"?>
<definitions xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="urn:ws-user-account" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns="http://schemas.xmlsoap.org/wsdl/" targetNamespace="urn:ws-user-account">
<types>
<xsd:schema targetNamespace="urn:ws-user-account">
 <xsd:import namespace="http://schemas.xmlsoap.org/soap/encoding/" />
 <xsd:import namespace="http://schemas.xmlsoap.org/wsdl/" />
</xsd:schema>
</types>
<message name="getUserRequest">
  <part name="username" type="xsd:string" /></message>
<message name="getUserResponse">
  <part name="return" type="xsd:xml" /></message>
<message name="createUserRequest">
  <part name="username" type="xsd:string" />
  <part name="password" type="xsd:string" />
  <part name="signature" type="xsd:string" /></message>
<message name="createUserResponse">
  <part name="return" type="xsd:xml" /></message>
<message name="updateUserRequest">
  <part name="username" type="xsd:string" />
  <part name="password" type="xsd:string" />
  <part name="signature" type="xsd:string" /></message>
<message name="updateUserResponse">
  <part name="return" type="xsd:xml" /></message>
<message name="deleteUserRequest">
  <part name="username" type="xsd:string" />
  <part name="password" type="xsd:string" /></message>
<message name="deleteUserResponse">
  <part name="return" type="xsd:xml" /></message>
<portType name="ws-user-accountPortType">
  <operation name="getUser">
    <documentation>Fetches user information is user exists else returns error message
        &lt;br/&gt;
        &lt;br/&gt;Sample Request (Copy and paste into Burp Repeater)
        &lt;br/&gt;
        &lt;br/&gt;POST /mutillidae/webservices/soap/ws-user-account.php HTTP/1.1
        &lt;br/&gt;Accept-Encoding: gzip,deflate
        &lt;br/&gt;Content-Type: text/xml;charset=UTF-8
        &lt;br/&gt;Content-Length: 458
        &lt;br/&gt;Host: localhost
        &lt;br/&gt;Connection: Keep-Alive
        &lt;br/&gt;User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
        &lt;br/&gt;
        &lt;br/&gt;&amp;lt;soapenv:Envelope xmlns:xsi=&amp;quot;http://www.w3.org/2001/XMLSchema-instance&amp;quot; xmlns:xsd=&amp;quot;http://www.w3.org/2001/XMLSchema&amp;quot; xmlns:soapenv=&amp;quot;http://schemas.xmlsoap.org/soap/envelope/&amp;quot; xmlns:urn=&amp;quot;urn:ws-user-account&amp;quot;&amp;gt;
        &lt;br/&gt;   &amp;lt;soapenv:Header/&amp;gt;
        &lt;br/&gt;   &amp;lt;soapenv:Body&amp;gt;
        &lt;br/&gt;      &amp;lt;urn:getUser soapenv:encodingStyle=&amp;quot;http://schemas.xmlsoap.org/soap/encoding/&amp;quot;&amp;gt;
        &lt;br/&gt;         &amp;lt;username xsi:type=&amp;quot;xsd:string&amp;quot;&amp;gt;Jeremy&amp;lt;/username&amp;gt;
        &lt;br/&gt;      &amp;lt;/urn:getUser&amp;gt;
        &lt;br/&gt;   &amp;lt;/soapenv:Body&amp;gt;
        &lt;br/&gt;&amp;lt;/soapenv:Envelope&amp;gt;</documentation>
    <input message="tns:getUserRequest"/>
    <output message="tns:getUserResponse"/>
  </operation>
  <operation name="createUser">
    <documentation>Creates new user account
            &lt;br/&gt;
            &lt;br/&gt;Sample Request (Copy and paste into Burp Repeater)
            &lt;br/&gt;
            &lt;br /&gt;POST /mutillidae/webservices/soap/ws-user-account.php HTTP/1.1
            &lt;br /&gt;Accept-Encoding: gzip,deflate
            &lt;br /&gt;Content-Type: text/xml;charset=UTF-8
            &lt;br /&gt;Content-Length: 587
            &lt;br /&gt;Host: localhost
            &lt;br /&gt;Connection: Keep-Alive
            &lt;br /&gt;User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
            &lt;br /&gt;
            &lt;br /&gt;&amp;lt;soapenv:Envelope xmlns:xsi=&amp;quot;http://www.w3.org/2001/XMLSchema-instance&amp;quot; xmlns:xsd=&amp;quot;http://www.w3.org/2001/XMLSchema&amp;quot; xmlns:soapenv=&amp;quot;http://schemas.xmlsoap.org/soap/envelope/&amp;quot; xmlns:urn=&amp;quot;urn:ws-user-account&amp;quot;&amp;gt;
            &lt;br /&gt;   &amp;lt;soapenv:Header/&amp;gt;
            &lt;br /&gt;   &amp;lt;soapenv:Body&amp;gt;
            &lt;br /&gt;      &amp;lt;urn:createUser soapenv:encodingStyle=&amp;quot;http://schemas.xmlsoap.org/soap/encoding/&amp;quot;&amp;gt;
            &lt;br /&gt;         &amp;lt;username xsi:type=&amp;quot;xsd:string&amp;quot;&amp;gt;Joe2&amp;lt;/username&amp;gt;
            &lt;br /&gt;         &amp;lt;password xsi:type=&amp;quot;xsd:string&amp;quot;&amp;gt;Holly&amp;lt;/password&amp;gt;
            &lt;br /&gt;         &amp;lt;signature xsi:type=&amp;quot;xsd:string&amp;quot;&amp;gt;Try Harder&amp;lt;/signature&amp;gt;
            &lt;br /&gt;      &amp;lt;/urn:createUser&amp;gt;
            &lt;br /&gt;   &amp;lt;/soapenv:Body&amp;gt;
            &lt;br /&gt;&amp;lt;/soapenv:Envelope&amp;gt;</documentation>
    <input message="tns:createUserRequest"/>
    <output message="tns:createUserResponse"/>
  </operation>
  <operation name="updateUser">
    <documentation>If account exists, updates existing user account else creates new user account
            &lt;br/&gt;
            &lt;br/&gt;Sample Request (Copy and paste into Burp Repeater)
            &lt;br/&gt;
            &lt;br /&gt;POST /mutillidae/webservices/soap/ws-user-account.php HTTP/1.1
            &lt;br /&gt;Accept-Encoding: gzip,deflate
            &lt;br /&gt;Content-Type: text/xml;charset=UTF-8
            &lt;br /&gt;Content-Length: 587
            &lt;br /&gt;Host: localhost
            &lt;br /&gt;Connection: Keep-Alive
            &lt;br /&gt;User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
            &lt;br /&gt;
            &lt;br /&gt;&amp;lt;soapenv:Envelope xmlns:xsi=&amp;quot;http://www.w3.org/2001/XMLSchema-instance&amp;quot; xmlns:xsd=&amp;quot;http://www.w3.org/2001/XMLSchema&amp;quot; xmlns:soapenv=&amp;quot;http://schemas.xmlsoap.org/soap/envelope/&amp;quot; xmlns:urn=&amp;quot;urn:ws-user-account&amp;quot;&amp;gt;
            &lt;br /&gt;   &amp;lt;soapenv:Header/&amp;gt;
            &lt;br /&gt;   &amp;lt;soapenv:Body&amp;gt;
            &lt;br /&gt;      &amp;lt;urn:updateUser soapenv:encodingStyle=&amp;quot;http://schemas.xmlsoap.org/soap/encoding/&amp;quot;&amp;gt;
            &lt;br /&gt;         &amp;lt;username xsi:type=&amp;quot;xsd:string&amp;quot;&amp;gt;Joe2&amp;lt;/username&amp;gt;
            &lt;br /&gt;         &amp;lt;password xsi:type=&amp;quot;xsd:string&amp;quot;&amp;gt;Holly&amp;lt;/password&amp;gt;
            &lt;br /&gt;         &amp;lt;signature xsi:type=&amp;quot;xsd:string&amp;quot;&amp;gt;Try Harder&amp;lt;/signature&amp;gt;
            &lt;br /&gt;      &amp;lt;/urn:updateUser&amp;gt;
            &lt;br /&gt;   &amp;lt;/soapenv:Body&amp;gt;
            &lt;br /&gt;&amp;lt;/soapenv:Envelope&amp;gt;</documentation>
    <input message="tns:updateUserRequest"/>
    <output message="tns:updateUserResponse"/>
  </operation>
  <operation name="deleteUser">
    <documentation>If account exists, deletes user account
            &lt;br/&gt;
            &lt;br/&gt;Sample Request (Copy and paste into Burp Repeater)
            &lt;br/&gt;
            &lt;br/&gt;POST /mutillidae/webservices/soap/ws-user-account.php HTTP/1.1
            &lt;br/&gt;Accept-Encoding: gzip,deflate
            &lt;br/&gt;Content-Type: text/xml;charset=UTF-8
            &lt;br/&gt;Content-Length: 587
            &lt;br/&gt;Host: localhost
            &lt;br/&gt;Connection: Keep-Alive
            &lt;br/&gt;User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
            &lt;br/&gt;
            &lt;br/&gt;&amp;lt;soapenv:Envelope xmlns:xsi=&amp;quot;http://www.w3.org/2001/XMLSchema-instance&amp;quot; xmlns:xsd=&amp;quot;http://www.w3.org/2001/XMLSchema&amp;quot; xmlns:soapenv=&amp;quot;http://schemas.xmlsoap.org/soap/envelope/&amp;quot; xmlns:urn=&amp;quot;urn:ws-user-account&amp;quot;&amp;gt;
            &lt;br/&gt;   &amp;lt;soapenv:Header/&amp;gt;
            &lt;br/&gt;   &amp;lt;soapenv:Body&amp;gt;
            &lt;br/&gt;      &amp;lt;urn:deleteUser soapenv:encodingStyle=&amp;quot;http://schemas.xmlsoap.org/soap/encoding/&amp;quot;&amp;gt;
            &lt;br/&gt;         &amp;lt;username xsi:type=&amp;quot;xsd:string&amp;quot;&amp;gt;Joe&amp;lt;/username&amp;gt;
            &lt;br/&gt;         &amp;lt;password xsi:type=&amp;quot;xsd:string&amp;quot;&amp;gt;Holly&amp;lt;/password&amp;gt;
            &lt;br/&gt;      &amp;lt;/urn:deleteUser&amp;gt;
            &lt;br/&gt;   &amp;lt;/soapenv:Body&amp;gt;
            &lt;br/&gt;&amp;lt;/soapenv:Envelope&amp;gt;
            </documentation>
    <input message="tns:deleteUserRequest"/>
    <output message="tns:deleteUserResponse"/>
  </operation>
</portType>
<binding name="ws-user-accountBinding" type="tns:ws-user-accountPortType">
  <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
  <operation name="getUser">
    <soap:operation soapAction="urn:ws-user-account#getUser" style="rpc"/>
    <input><soap:body use="encoded" namespace="urn:ws-user-account" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/></input>
    <output><soap:body use="encoded" namespace="urn:ws-user-account" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/></output>
  </operation>
  <operation name="createUser">
    <soap:operation soapAction="urn:ws-user-account#createUser" style="rpc"/>
    <input><soap:body use="encoded" namespace="urn:ws-user-account" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/></input>
    <output><soap:body use="encoded" namespace="urn:ws-user-account" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/></output>
  </operation>
  <operation name="updateUser">
    <soap:operation soapAction="urn:ws-user-account#updateUser" style="rpc"/>
    <input><soap:body use="encoded" namespace="urn:ws-user-account" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/></input>
    <output><soap:body use="encoded" namespace="urn:ws-user-account" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/></output>
  </operation>
  <operation name="deleteUser">
    <soap:operation soapAction="urn:ws-user-account#deleteUser" style="rpc"/>
    <input><soap:body use="encoded" namespace="urn:ws-user-account" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/></input>
    <output><soap:body use="encoded" namespace="urn:ws-user-account" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/></output>
  </operation>
</binding>
<service name="ws-user-account">
  <port name="ws-user-accountPort" binding="tns:ws-user-accountBinding">
    <soap:address location="http://xxx.xx.1.1x/mutillidae/webservices/soap/ws-user-account.php"/>
  </port>
</service>
</definitions>

Download the WSDL by saving the web page as XML. Load the saved XML into SoapUI or your tool of preference.

As you can see in the image below, the WSDL is loaded and shows all operations/services provided by the Mutillidae web service, as well as the SOAP message for creating a user. Just hit the play button to see what happens. In the left window you’ll see the response of the web service. In my case user ? already exists, simply because I have hit the play button too often already.


BurpSuite

What we want now is to capture the SOAP request going to the web service with Burp Suite. We can then feed the captured request to SQLMAP to check whether SQL injection is possible in one of the parameters used in the request (username, password or signature).

In SoapUI go to File -> Preferences -> Proxy Settings and point the proxy at the one Burp Suite listens on (in Burp Suite this is set under Proxy -> Options, the last tab). Make sure “Intercept Client Requests” and “Intercept Server Responses” are configured as you want them: I have unchecked everything for both client and server, added the rule “URL is in target scope” and moved it to the top. In the “Target” tab, add the IP/URL you use for Mutillidae to the scope.

Check that the listener is up and running with netstat -l | grep "port number you use for the proxy". Once you have confirmed the listener is running, go back to SoapUI and hit the play button again to send the SOAP message to the web service. This time Burp Suite intercepts the request. What you see in Burp Suite is the SOAP message with the HTTP POST headers added to it.


SQLMAP

Save the whole request to a file (right click, “copy to file”). This file is the input for sqlmap's -r parameter.

Start a terminal window and use the following command to start of sqlmap ->

sqlmap -r /pathtoyoursavedfile/savedfile.txt --technique B -p username --current-user


This command replays the saved request against the web service to test whether the parameter given with -p (username) is injectable. The technique selected with --technique B is boolean-based blind. The --current-user switch tells SQLMAP to try to retrieve the database user the application connects as, which in our case is root@localhost. You can play around with the command line with some help from the SQLMAP parameter page.

SQLMAP is an easy-to-use tool to check for SQL injection points. Once you know how to assemble the request package or what target to hit, SQLMAP does the rest, which saves a lot of time. The downside of such a tool is that you don’t need much knowledge to use it: the above is more of a trick that taught you nothing about what SQL injection is really about.
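To show what the boolean-based blind technique sqlmap used above relies on, and why a parameterised query removes it, here is an added Python example that is not code from the original post or from Mutillidae. It feeds the getUser sample request from the WSDL above into a lookup written the vulnerable way and the safe way; the in-memory accounts table, its rows and all function names are constructed for the demo.

```python
"""Added example, not code from the original post or from Mutillidae: why a
boolean-based blind injection (sqlmap --technique B) works against a SOAP
parameter, and why a parameterised query removes the oracle.  The request is
the getUser sample from the WSDL above; the accounts table, its two rows and
all function names are constructed for this demo."""
import re
import sqlite3
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Raw request as Burp Suite captures it from SoapUI (constructed, headers trimmed).
RAW_REQUEST = """POST /mutillidae/webservices/soap/ws-user-account.php HTTP/1.1
Content-Type: text/xml;charset=UTF-8
Host: localhost

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:ws-user-account">
   <soapenv:Header/>
   <soapenv:Body>
      <urn:getUser soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <username xsi:type="xsd:string">Jeremy</username>
      </urn:getUser>
   </soapenv:Body>
</soapenv:Envelope>"""


def soap_params(raw_request):
    """Split the captured request at the blank line, as sqlmap -r does, and
    return (operation, {parameter: value}) from the SOAP body."""
    _headers, _, body = raw_request.partition("\n\n")
    envelope = ET.fromstring(body)
    operation = envelope.find(f"{{{SOAP_NS}}}Body")[0]
    name = operation.tag.split("}")[-1]          # drop the urn: namespace
    return name, {child.tag: (child.text or "") for child in operation}


def with_username(raw_request, username):
    """Replace the username parameter, which is what -p username makes
    sqlmap do for every probe it sends."""
    return re.sub(r"(<username[^>]*>)[^<]*(</username>)",
                  lambda m: m.group(1) + username + m.group(2), raw_request)


def make_db():
    """In-memory stand-in for the accounts table (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, signature TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("Jeremy", "Try Harder"), ("Joe", "Holly")])
    return db


def lookup_user_vulnerable(db, username):
    """String-built query: the SOAP parameter becomes part of the SQL text."""
    sql = f"SELECT username, signature FROM accounts WHERE username = '{username}'"
    return db.execute(sql).fetchall()


def lookup_user_safe(db, username):
    """Parameterised query: the value is bound, never parsed as SQL."""
    sql = "SELECT username, signature FROM accounts WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()


def blind_oracle(lookup, db, raw_request, condition):
    """Boolean-based blind probe: send a known-good username with an extra
    AND condition and report whether the row still comes back.  Against the
    vulnerable lookup the answer equals the truth of `condition`; against
    the safe lookup it is always False because no such username exists."""
    probe = with_username(raw_request, f"Jeremy' AND {condition} AND '1'='1")
    _operation, params = soap_params(probe)
    return len(lookup(db, params["username"])) > 0


if __name__ == "__main__":
    db = make_db()
    for label, lookup in (("vulnerable", lookup_user_vulnerable),
                          ("safe", lookup_user_safe)):
        answers = [blind_oracle(lookup, db, RAW_REQUEST, c) for c in ("1=1", "1=2")]
        print(label, answers)   # vulnerable [True, False]; safe [False, False]
```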

Some recommended sources to go through to get a deeper understanding of SQL injection:

  1. Testing for SQL Injection @ OWASP.org
  2. Watch the whole web pen testing workshop given by Jeremy Druin & Conrad Reynolds.
  3. Vulnerable by Design -> great source for vulnerable VM images

How to change screen resolution for Kali on Hyper-v

Changing the screen resolution for Kali Linux running on Hyper-V is very simple ->

  1. Open a terminal
  2. Type: sudo vi /etc/default/grub (or use nano or another editor)
  3. Find the line starting with GRUB_CMDLINE_LINUX_DEFAULT and add video=hyperv_fb:[the resolution you want]. The resolution I want is 1280x720, so my line ends up looking like this: GRUB_CMDLINE_LINUX_DEFAULT="quiet splash video=hyperv_fb:1280x720"
  4. sudo update-grub
  5. Reboot your system and you are finished.