Sunday, Dec 16 2012

TekTip ep17 - Web scanning with WhatWeb

Description: WhatWeb is a flexible web scanning utility that fingerprints the technologies behind a site and allows for varying degrees of aggression in scanning.
*Version 0.4.8 by Andrew Horton aka urbanadventurer from Security-Assessment.com
Usage:  
Options include target selection, aggression level, HTTP options, proxy, plugins, logging, and performance.
./whatweb -l                          # list the available plugins
./whatweb tekdefense.com              # default (passive, level 1) scan
./whatweb -v tekdefense.com           # verbose output
./whatweb -v -a 4 securitytube.net    # aggression level 4 (heavy): many more requests per target
-FIN
Sunday, Dec 09 2012

TekTip ep16 - Collect Malware with MWCrawler

Description: mwcrawler is a simple python script that parses malicious url lists from well known websites (i.e. MDL, Malc0de) in order to automatically download the malicious code. It can be used to populate malware repositories or zoos.
Sources the script pulls from:
Installation: 
wget https://raw.github.com/ricardo-dias/mwcrawler/master/mwcrawler.py
chmod +x mwcrawler.py
*Requires BeautifulSoup 3.0.8 or greater
Usage:
./mwcrawler.py       # pull the lists and download the samples
./mwcrawler.py -t    # hand each URL to Thug instead of downloading directly
*Thug is a Python low-interaction honeyclient aimed at mimicking the behavior of a web browser in order to detect and emulate malicious
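The core of a crawler like this is a list parser plus a storage scheme that does not trust anything coming from the feed. The following is an added example and not mwcrawler's own code: it parses a constructed list laid out like a Malware Domain List CSV export (the hosts, paths and ASNs are made up), adds the missing scheme, deduplicates, and files each sample under its SHA-256 so the attacker-chosen filename never reaches the filesystem. The fetch step is a stand-in callable so the example runs offline; in a real run you would pass a urllib-based fetcher.

```python
import csv
import hashlib
import io
import os
import re
from urllib.parse import urlsplit

# Constructed sample in the layout of a Malware Domain List CSV export:
# date, url, ip, reverse lookup, description, registrant, ASN.
# Every host, path and ASN here is made up for this example.
SAMPLE_MDL_CSV = '''"2012/12/09_10:15","badhost.example/dl/setup.exe","192.0.2.10","-","Trojan dropper","-","64496"
"2012/12/09_10:20","badhost.example/dl/setup.exe","192.0.2.10","-","Trojan dropper","-","64496"
"2012/12/09_11:02","http://other.example/x/1.php?id=7","198.51.100.7","-","exploit kit","-","64497"
"2012/12/09_11:30","-","203.0.113.5","-","compromised host","-","64498"
'''


def parse_mdl_csv(text):
    """Return the unique download URLs from an MDL-style CSV export.

    MDL lists URLs without a scheme; "-" means the entry has no URL.
    """
    urls, seen = [], set()
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or row[1].strip() == "-":
            continue
        url = row[1].strip()
        if not re.match(r"^[a-z][a-z0-9+.-]*://", url, re.I):
            url = "http://" + url
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def sample_path(zoo_dir, content):
    """Path for a sample: keyed by SHA-256 so duplicates collapse and the
    attacker-controlled filename is never used on disk."""
    digest = hashlib.sha256(content).hexdigest()
    return os.path.join(zoo_dir, digest[:2], digest)


def crawl(text, fetch, zoo_dir="zoo"):
    """Fetch every URL in the list with fetch(url) -> bytes and return
    {url: zoo path}. A URL whose fetch raises or returns nothing is skipped,
    so one dead host does not stop the run."""
    stored = {}
    for url in parse_mdl_csv(text):
        try:
            body = fetch(url)
        except Exception:
            continue
        if body:
            stored[url] = sample_path(zoo_dir, body)
    return stored


def fake_fetch(url):
    """Offline stand-in for a urllib fetch (constructed for this example):
    one host 'serves' a file, the other refuses the connection."""
    host = urlsplit(url).hostname
    if host == "other.example":
        raise IOError("connection refused")
    return b"MZ" + host.encode()


if __name__ == "__main__":
    for url, path in crawl(SAMPLE_MDL_CSV, fake_fetch).items():
        print(url, "->", path)
```

Fetching live malware should of course be done from an isolated box: the samples are real executables, and the hosting servers see your source IP.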
Tuesday, Dec 04 2012

Are you feeling lucky?

Today something happened that I thought was nearly impossible.  Gmail spam filters failed me, letting a culprit slip through to my inbox.  Not only did Gmail let this spam through but it had the audacity to mark it as an important message. What is this world coming to?
In all seriousness, as good as Google and the other mail providers are, no technology is perfect. At this point you are probably reading this and thinking I should be a nominee for Defcon's Captain Obvious award.  I assure you, while not unique, this is at least a hipster class attack. What I thought was interesting in this one was the link, but before getting into that, here are the details of the email for those who are interested.
*changed addresses to protect the innocent*
Delivered-To: mygmailaccount@gmail.com
Received: by 10.58.230.3 with SMTP id su3csp41229vec;
        Tue, 4 Dec 2012 11:17:34 -0800 (PST)
Received: by 10.58.172.103 with SMTP id bb7mr12819169vec.41.1354648653873;
        Tue, 04 Dec 2012 11:17:33 -0800 (PST)
Return-Path: <somerandomdude@nc.rr.com>
Received: from cdptpa-omtalb.mail.rr.com (cdptpa-omtalb.mail.rr.com. [75.180.132.120])
        by mx.google.com with ESMTP id jd5si1502108vcb.68.2012.12.04.11.17.33;
        Tue, 04 Dec 2012 11:17:33 -0800 (PST)
Received-SPF: pass (google.com: domain of somerandomdude@nc.rr.com designates 75.180.132.120 as permitted sender) client-ip=75.180.132.120;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of somerandomdude@nc.rr.com designates 75.180.132.120 as permitted sender) smtp.mail=somerandomdude@nc.rr.com
Return-Path: <somerandomdude@nc.rr.com>
Authentication-Results:  cdptpa-omtalb.mail.rr.com smtp.user=somerandomdude@nc.rr.com; auth=pass (LOGIN)
X-Authority-Analysis: v=2.0 cv=b+UwE66x c=1 sm=0 a=05ChyHeVI94A:10 a=IkcTkHD0fZMA:10 a=ayC55rCoAAAA:8 a=1XWaLZrsAAAA:8 a=wzPgKpAVP4n484FzqIcA:9 a=QEXdDO2ut3YA:10 a=u6pmmePcEMEA:10 a=0EOytqNtNh4q28ximZfgKQ==:117
X-Cloudmark-Score: 0
X-Authenticated-User: somerandomdude@nc.rr.com
Received: from [10.127.132.168] ([10.127.132.168:34037] helo=cdptpa-web17-z02)
by cdptpa-oedge02.mail.rr.com (envelope-from <somerandomdude@nc.rr.com>)
(ecelerity 2.2.3.46 r()) with ESMTPA
id 4C/96-00778-B4C4EB05; Tue, 04 Dec 2012 19:17:31 +0000
Message-ID: <20121204191731.ZJV9L.107832.root@cdptpa-web17-z02>
Date: Tue, 4 Dec 2012 14:17:31 -0500
From:  <somerandomdude@nc.rr.com>
To: showings.thebremnergroup@gmail.com
Subject: hey
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
Sensitivity: Normal
X-Originating-IP: 
Okay, now that you have that out of your system, back to what I think is somewhat unique. I should preface this by saying that this is probably not the first time this technique has been used, but it is the first time I have seen it.
As you savvy readers have probably already noticed the link is:
google.com/search?btnI=I%27m+Feeling+Lucky&q=bigmacsandwhich+40yr&sourceid=navclient
So, like every phishing email, this one wants us to click the link to view malicious content. This is usually done by:
1. hiding the real link behind HTML anchor text
<a href="malicioussiteisbad.com">TotallyLegitSite.com</a>
2. using a URL shortener
bit.ly/1amn0tbad
3. or using a URL that looks legitimate-ish
mail.tekdefense.com.co.uk.ws.tk
This attacker instead did something a little more clever. Using a particular query string in the Google URI, the attacker uses the "I'm Feeling Lucky" feature to produce a link that appears to go to Google but is in fact a redirect to a malicious site. For those who aren't aware, "I'm Feeling Lucky" is a Google search option that takes the user directly to the first result for a given query, so whoever holds the top result for that query controls where the google.com link lands.
In the case of the email I received, the query is for "bigmacsandwhich" and "40yr". The first result for this is a page set to redirect through a few other sites until you reach the final destination where the bad stuff is set to happen.
The final landing site is http://cnbc-20news(.)net/blamom23.htm.  This is of course a fake version of a CNBC site with a somewhat legitimate looking URL promoting a work from home program.
I checked the URL with VirusTotal, which showed clean. Looking at the source I saw that almost every link went to a specific URL (http://cnbc-20news(.)net/article2592au2b.php). This link of course redirects us again, leading to http://www.leadinghomeincome(.)com/?aid=44&sid=&sid2=&sid3=&. This is your typical "let's make a deal now on this exciting offer" site. Good thing I had NoScript running, or leaving would have been a nightmare with all the popups and "are you sure you want to leave?" messages. I wish this got more exciting with perhaps a drive-by malware attempt, but nope. All seems to end there. To make sure, I ran the URLs through my Cuckoo instance to see if anything out of the normal occurred. Seems all of this was for click fraud and a work from home scam.
How sustainable is this technique, though? I am referring specifically to the Google "I'm Feeling Lucky" trick. For it to work an attacker needs to get his or her site, or a site that was compromised, to rank first in Google for some query. I'm not an SEO expert, so it's hard for me to say how easy that is. And even if it isn't too bad to set up, is it worth the extra time versus the normal methods?
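The four link styles above are all checkable from the mail body without following anything. The following is an added example, not something from the original post: it pulls the anchors out of a constructed HTML body, flags the "I'm Feeling Lucky" redirector by its btnI parameter (the google.com URL is the one quoted from the phishing mail; every other host is made up), and applies the three classic heuristics alongside it. The shortener list and the protected brand name are assumptions chosen for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample body with one link of each style discussed above.
# Only the google.com URL comes from the real mail; other hosts are invented.
SAMPLE_BODY = """
<a href="http://malicioussiteisbad.example">TotallyLegitSite.com</a>
<a href="http://bit.ly/1amn0tbad">http://bit.ly/1amn0tbad</a>
<a href="http://mail.tekdefense.com.co.uk.ws.tk/login">mail.tekdefense.com.co.uk.ws.tk</a>
<a href="http://google.com/search?btnI=I%27m+Feeling+Lucky&q=bigmacsandwhich+40yr&sourceid=navclient">google.com</a>
<a href="https://www.google.com/search?q=whatweb">google search</a>
"""

SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com"}   # assumed list
TRUSTED_BRAND = "tekdefense.com"                            # assumed brand to protect


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_feeling_lucky(url):
    """True for a Google search URL carrying the I'm Feeling Lucky button
    parameter, which turns google.com into a redirector to the top hit."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if not (host == "google.com" or host.endswith(".google.com")):
        return False
    if u.path != "/search":
        return False
    return "btnI" in parse_qs(u.query, keep_blank_values=True)


def hostname_in_text(text):
    """Hostname if the anchor text itself looks like a URL or domain, else None."""
    m = re.match(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", text.strip(), re.I)
    return m.group(1).lower() if m else None


def classify_link(href, text):
    host = (urlsplit(href).hostname or "").lower()
    if is_feeling_lucky(href):
        return "feeling-lucky-redirect"
    if host in SHORTENERS:
        return "shortener"
    text_host = hostname_in_text(text)
    if text_host and text_host != host:
        return "text-href-mismatch"      # displayed domain differs from the real one
    if TRUSTED_BRAND in host and not (host == TRUSTED_BRAND or host.endswith("." + TRUSTED_BRAND)):
        return "lookalike-domain"        # brand appears, but not as the registered domain
    return "ok"


def scan_links(html):
    p = LinkExtractor()
    p.feed(html)
    return [(href, classify_link(href, text)) for href, text in p.links]


if __name__ == "__main__":
    for href, verdict in scan_links(SAMPLE_BODY):
        print(f"{verdict:24} {href}")
```

The host check deliberately matches only google.com and its subdomains, so a google.com.evil.example lookalike does not get the "it's Google" treatment either.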
What do you guys and gals think?  Let me know.
Sunday, Nov 25 2012

Automater 1.0 - Passive IP and URL Analysis

Update: Automater gets its own project page http://www.tekdefense.com/automater/

Description:
Automater is an IP and URL analysis tool that I created to help analysts pull data quickly, passively and in bulk. This is the first stable release of the tool.
Features:
IPVoid: Pulls blacklist, ISP, and Geo Location
Robtex: Pulls DNS information. *A records only.
Fortiguard: Pulls URL Categorization
Unshorten.me: Determines whether the URL is shortened. If it is, it displays the final destination.
URLVoid - Pulls IP Address, blacklist, ISP, Geo Location, Domain creation date.
Installation:
 1. Download from github: 
wget https://github.com/1aN0rmus/TekDefense/archive/master.tar.gz
 2. Unzip the file:
tar -xvzf master.tar.gz
 3. Make executable:
cd TekDefense-master
chmod +x *
 4. Now you are ready to run!
*Required libraries: httplib2 (third-party), plus re, sys, argparse, urllib and urllib2 from the standard library
Examples:
Display help information
./Automater.py -h
./Automater.py -t 188.95.52.162
./Automater.py -t securitytube.net
./Automater.py -e bit.ly/XDlV1q
./Automater.py -f hostsss
./Automater.py -f hostsss -o host.out
Video Demo:
Known Bugs:
  • If the IP or URL has not been previously scanned at IPVoid or URLVoid, the script is supposed to submit the IP or URL and then pull results. This works most of the time, but on occasion it does not wait long enough to pull the appropriate result. Running the command a second time will work, though.
  • The -e and -f switches cannot be used together.
  • URLs with http:// cannot be scanned. Remove the http:// for it to work.
  • Please submit any other bugs to 1aN0rmus@tekdefense.com
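The http:// bug above is an input normalization problem, and it is worth handling once up front rather than in every lookup module. The following is an added example, not Automater's own code: it turns each line of a hosts file into an (ip | url) pair, stripping any scheme so the scanned value is identical whether or not the user typed http://, and drops comments, blanks and duplicates. The hosts file content is constructed for the example.

```python
import ipaddress
import re

# One DNS label per piece, no leading/trailing hyphen, at least one dot.
_HOSTNAME_RE = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+", re.I)


def normalize_target(raw):
    """Return (kind, value) for one target line.

    kind is "ip", "url" or "invalid". A leading scheme is removed so that
    http://securitytube.net and securitytube.net are the same target
    (the known-bug case above). Paths are kept, since shortener URLs
    such as bit.ly/XDlV1q need them; a port is ignored for classification.
    """
    t = raw.strip()
    if not t or t.startswith("#"):
        return ("invalid", t)
    if "://" in t:
        t = t.split("://", 1)[1]
    t = t.rstrip("/")
    host = t.split("/", 1)[0].split(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return ("ip", host)
    except ValueError:
        pass
    if _HOSTNAME_RE.fullmatch(host):
        return ("url", t)
    return ("invalid", raw.strip())


def load_targets(lines):
    """Deduplicate a hosts file in input order, skipping blanks, comments
    and anything that is neither an IP nor a hostname."""
    out, seen = [], set()
    for line in lines:
        kind, value = normalize_target(line)
        if kind == "invalid" or value in seen:
            continue
        seen.add(value)
        out.append((kind, value))
    return out


# Constructed hosts file covering the cases Automater 1.0 trips on.
SAMPLE_HOSTS = """188.95.52.162
securitytube.net
http://securitytube.net
https://bit.ly/XDlV1q
# a comment line
not a host
"""

if __name__ == "__main__":
    for kind, value in load_targets(SAMPLE_HOSTS.splitlines()):
        print(kind, value)
```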

Upcoming Features:
  • For those who would like to be able to just query a specific engine or source such as robtex, we will be creating an option to do so.
  • Check IP and/or URL against Malwaredomainlist
  • Check IP and/or URL against malware sandboxes such as ThreatExpert.
  • Summary report that will give statistics on the targets highlighting the known bad information such as blacklists and malicious URL categories.
  • Please submit feature requests to 1aN0rmus@tekdefense.com

Sunday, Nov 18 2012

Connectusers Adobe Leak - 223 passwords in 2 seconds

As most of you already know there is word of a leak involving Adobe's Connectusers forum.  You can read more about this at The HNN.  The important things to know in relation to this post is that 642 hashes have been released so far and the attacker claims to have 150,000 more to share.  The attacker also released other information with these hashes such as name, title, phone, email, company, and username.

What I did with the release was first strip out the data I don't want, leaving me with just the hashes.

grep Password adobe-leaks.txt | cut -d: -f2 > adobehashes

Now that I have a file with just the hashes, I ran hashcat against the hashes using a few wordlists.

root@bt:./hashcat-cli32.bin --output-file /root/leakedpasswords/ah3.out /root/leakedpasswords/adobehashes /pentest/passwords/wordlists/rockyou.txt /pentest/passwords/wordlists/darkc0de.lst /root/leakedpasswords/yahoopassesonly.txt

In less than 2 seconds, using only those three wordlists, I was able to recover 223 of the 642 passwords. I mention this because people who do not use these tools may not appreciate how fast and easy it is against unsalted MD5.

Here is a small sampling of the hashes and passes:

a66edf0fea452ada254f5b9df1e06a37:3622125
db3b81e16cc975d2edcc1c4acf36e895:357008
49858a41a0d7d1d2e38b61513046403d:Daniel81
b23e8ea5a3a6ba0bd3ba22630ee3f153:8biggtoes
17120d69065bd6a1b6393c6e2db4174e:CDE#4rfv
c21435496168ad21cc9ba0a8e5542ec8:C0nn3ct
a4f2a54552dc5f7e1fecb1a3e9c94a59:2more2go
e20d81b83905638dbda34442b4703b4e:2925208
34e2d1989a1dbf75cd631596133ee5ee:Video
d4a6f575e71a416ff8894c6baae0ccd9:48jjfan
14dec073747d945943aaddc07a0d965e:Soccer_14
91381b03056102fcfe5538f87721e144:@WSX4rfv
6a4de56cfde1980ea9667ef3bfb77d54:9982d26
9508cbf2647fd5a5cb23fe3a524c8cc3:Heidi123
cbbd41ba72c93d17f17f2a484295b221:404526
55d7443eeb55ed7786fa89a2cc1bf446:Pass123Word
d4af0320ac68d2b8ad0f8e5faa5a1977:mdnite
11a7a5d55a91adb201e113967eff93fe:collaboration
826805d5bdaa87a3b9c7ead9027a3067:aftereffects
71f698950c9cdadc3d19bb7411177a78:Adobe
952f9dc3ad0b4c8f94de8ec75f8daeb3:trek930
d05a718ceb3cc5c368cc166729c7c7cb:Tanner07
f896dcdeb0ca7d797b439624b0e04ffe:inciner8

The full list can be downloaded here.

So, since I just did a TekTip episode on Pipal, I figured I should run the output through it as well.

cut -d: -f2 ah.out > ahpassesonly

./pipal.rb ~/leakedpasswords/ahpassesonly -o ahanalysis.txt
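Both steps above, the dictionary attack and the pipal statistics, are simple enough to show in a few dozen lines, which is the point the post is making about how cheap this is. The following is an added example, not the author's hashcat or pipal runs: the "leak" is constructed by MD5-hashing some of the plaintexts shown above (plus one hash no wordlist will hit), the wordlist is constructed too, and the analysis reproduces the pipal fields quoted below (length distribution, trailing digits, hashcat masks).

```python
import hashlib
from collections import Counter

# Constructed "leak": MD5 of plaintexts taken from the cracked sample above.
KNOWN_PLAINTEXTS = ["Daniel81", "CDE#4rfv", "C0nn3ct", "Video", "Soccer_14",
                    "Heidi123", "Pass123Word", "Adobe", "collaboration", "letmein"]
LEAKED_HASHES = [hashlib.md5(p.encode()).hexdigest() for p in KNOWN_PLAINTEXTS]
LEAKED_HASHES.append("0" * 32)   # a hash nothing in the wordlist will match

# Constructed wordlist: most of the leak is in it, two entries are not.
WORDLIST = ["password", "letmein", "Adobe", "Video", "Heidi123", "Daniel81",
            "collaboration", "Soccer_14", "C0nn3ct"]


def dictionary_attack(hashes, words):
    """Unsalted MD5: one hash per candidate and a set lookup per result.
    That is why hundreds of hashes fall in seconds even on a CPU."""
    targets = set(h.lower() for h in hashes)
    cracked = {}
    for w in words:
        h = hashlib.md5(w.encode()).hexdigest()
        if h in targets:
            cracked[h] = w
    return cracked


def hashcat_mask(pw):
    """pipal-style hashcat mask: ?l lower, ?u upper, ?d digit, ?s other."""
    out = []
    for c in pw:
        if c.islower():
            out.append("?l")
        elif c.isupper():
            out.append("?u")
        elif c.isdigit():
            out.append("?d")
        else:
            out.append("?s")
    return "".join(out)


def analyse(passwords):
    """Subset of pipal's report over a list of recovered passwords."""
    lengths = Counter(len(p) for p in passwords)
    masks = Counter(hashcat_mask(p) for p in passwords)
    return {
        "total": len(passwords),
        "lengths": dict(sorted(lengths.items())),
        "at_most_8": sum(1 for p in passwords if len(p) <= 8),
        "only_lower": sum(1 for p in passwords if p.isalpha() and p.islower()),
        "ends_with_digit": sum(1 for p in passwords if p and p[-1].isdigit()),
        "top_masks": masks.most_common(3),
    }


if __name__ == "__main__":
    cracked = dictionary_attack(LEAKED_HASHES, WORDLIST)
    print(f"cracked {len(cracked)} of {len(LEAKED_HASHES)}")
    for k, v in analyse(list(cracked.values())).items():
        print(k, v)
```

The masks are the actionable part of pipal's output: the top masks in the report below tell you which brute-force masks to queue next for the hashes the wordlists missed.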

Here are the pipal results
Total entries = 538
Total unique entries = 223
Top 10 passwords
letmein = 3 (0.56%)
lighthouse = 3 (0.56%)
fisher = 3 (0.56%)
popper = 3 (0.56%)
carefree = 3 (0.56%)
stanley = 3 (0.56%)
Video = 3 (0.56%)
Winston = 3 (0.56%)
louie = 3 (0.56%)
manish = 3 (0.56%)
Top 10 base words
buster = 6 (1.12%)
adobe = 6 (1.12%)
marina = 5 (0.93%)
soccer = 5 (0.93%)
connect = 5 (0.93%)
jonathan = 3 (0.56%)
video = 3 (0.56%)
winston = 3 (0.56%)
louie = 3 (0.56%)
manish = 3 (0.56%)
Password length (length ordered)
5 = 29 (5.39%)
6 = 174 (32.34%)
7 = 130 (24.16%)
8 = 128 (23.79%)
9 = 45 (8.36%)
10 = 21 (3.9%)
11 = 5 (0.93%)
12 = 3 (0.56%)
13 = 3 (0.56%)
Password length (count ordered)
6 = 174 (32.34%)
7 = 130 (24.16%)
8 = 128 (23.79%)
9 = 45 (8.36%)
5 = 29 (5.39%)
10 = 21 (3.9%)
11 = 5 (0.93%)
12 = 3 (0.56%)
13 = 3 (0.56%)
      |                                                                 
      |                                                                 
      |                                                                 
      |                                                                 
      |||                                                               
      |||                                                               
      |||                                                               
      |||                                                               
      |||                                                               
      |||                                                               
      |||                                                               
      ||||                                                              
      ||||                                                              
     |||||                                                              
     ||||||                                                             
|||||||||||||||                                                         
000000000011111
012345678901234
One to six characters = 203 (37.73%)
One to eight characters = 461 (85.69%)
More than eight characters = 77 (14.31%)
Only lowercase alpha = 302 (56.13%)
Only uppercase alpha = 3 (0.56%)
Only alpha = 305 (56.69%)
Only numeric = 29 (5.39%)
First capital last symbol = 2 (0.37%)
First capital last number = 19 (3.53%)
Months
june = 2 (0.37%)
november = 2 (0.37%)
Days
None found
Months (Abreviated)
mar = 12 (2.23%)
jun = 2 (0.37%)
nov = 2 (0.37%)
Days (Abreviated)
mon = 5 (0.93%)
sat = 2 (0.37%)
sun = 2 (0.37%)
Includes years
1979 = 2 (0.37%)
1989 = 2 (0.37%)
2002 = 4 (0.74%)
2007 = 2 (0.37%)
Years (Top 10)
2002 = 4 (0.74%)
1979 = 2 (0.37%)
1989 = 2 (0.37%)
2007 = 2 (0.37%)
Colours
orange = 2 (0.37%)
red = 8 (1.49%)
white = 3 (0.56%)
Single digit on the end = 52 (9.67%)
Two digits on the end = 57 (10.59%)
Three digits on the end = 19 (3.53%)
Last number
0 = 11 (2.04%)
1 = 45 (8.36%)
2 = 16 (2.97%)
3 = 24 (4.46%)
4 = 6 (1.12%)
5 = 14 (2.6%)
6 = 13 (2.42%)
7 = 11 (2.04%)
8 = 13 (2.42%)
9 = 14 (2.6%)
 |                                                                      
 |                                                                      
 |                                                                      
 |                                                                      
 |                                                                      
 |                                                                      
 |                                                                      
 | |                                                                    
 | |                                                                    
 | |                                                                    
 |||                                                                    
 ||| || ||                                                              
|||| |||||                                                              
||||||||||                                                              
||||||||||                                                              
||||||||||                                                              
0123456789
Last digit
1 = 45 (8.36%)
3 = 24 (4.46%)
2 = 16 (2.97%)
5 = 14 (2.6%)
9 = 14 (2.6%)
6 = 13 (2.42%)
8 = 13 (2.42%)
0 = 11 (2.04%)
7 = 11 (2.04%)
4 = 6 (1.12%)
Last 2 digits (Top 10)
23 = 16 (2.97%)
99 = 6 (1.12%)
12 = 6 (1.12%)
08 = 6 (1.12%)
25 = 6 (1.12%)
56 = 5 (0.93%)
13 = 4 (0.74%)
14 = 4 (0.74%)
66 = 4 (0.74%)
02 = 4 (0.74%)
Last 3 digits (Top 10)
123 = 14 (2.6%)
002 = 4 (0.74%)
456 = 3 (0.56%)
388 = 2 (0.37%)
085 = 2 (0.37%)
989 = 2 (0.37%)
900 = 2 (0.37%)
110 = 2 (0.37%)
966 = 2 (0.37%)
325 = 2 (0.37%)
Last 4 digits (Top 10)
2002 = 4 (0.74%)
3456 = 3 (0.56%)
2898 = 2 (0.37%)
1085 = 2 (0.37%)
1989 = 2 (0.37%)
6900 = 2 (0.37%)
6966 = 2 (0.37%)
2325 = 2 (0.37%)
3388 = 2 (0.37%)
2007 = 2 (0.37%)
Last 5 digits (Top 10)
23456 = 3 (0.56%)
12898 = 2 (0.37%)
61085 = 2 (0.37%)
26900 = 2 (0.37%)
16966 = 2 (0.37%)
52325 = 2 (0.37%)
13388 = 2 (0.37%)
52963 = 2 (0.37%)
55225 = 2 (0.37%)
11979 = 2 (0.37%)
US Area Codes
456 = Inbound International (--)
989 = Upper central Michigan: Mt Pleasant, Saginaw (MI)
900 = US toll calls -- prices vary with the number called (--)
325 = Central Texas: Abilene, Sweetwater, Snyder, San Angelo (TX)
Character sets
loweralpha: 302 (56.13%)
loweralphanum: 149 (27.7%)
numeric: 29 (5.39%)
mixedalphanum: 23 (4.28%)
mixedalpha: 18 (3.35%)
mixedalphaspecialnum: 12 (2.23%)
upperalpha: 3 (0.56%)
mixedalphaspecial: 2 (0.37%)
Character set ordering
allstring: 323 (60.04%)
stringdigit: 132 (24.54%)
alldigit: 29 (5.39%)
stringdigitstring: 24 (4.46%)
othermask: 18 (3.35%)
digitstring: 6 (1.12%)
stringspecial: 2 (0.37%)
digitstringdigit: 2 (0.37%)
stringspecialdigit: 2 (0.37%)
Hashcat masks (Top 10)
?l?l?l?l?l?l: 120 (22.3%)
?l?l?l?l?l?l?l: 71 (13.2%)
?l?l?l?l?l?l?l?l: 56 (10.41%)
?l?l?l?l?l?l?d?d: 22 (4.09%)
?l?l?l?l?l: 18 (3.35%)
?l?l?l?l?l?l?l?l?l: 17 (3.16%)
?d?d?d?d?d?d: 17 (3.16%)
?l?l?l?l?l?l?l?d: 15 (2.79%)
?l?l?l?l?l?d?d: 12 (2.23%)
?l?l?l?l?l?l?l?l?l?l: 11 (2.04%)