Monday, 30 November 2015

Li-Fi, 100 times faster than Wi-Fi: download a 3-hour film in 1 second

India, which currently lives on 3G and Wi-Fi, now stands at the door of 4G. But did you know that internet 100 times faster than the Wi-Fi and 4G you consider the fastest is also available? Scientists have now achieved an internet speed of 224 GB per second.
This speed is equivalent to downloading 18 films in the blink of an eye. An experiment that until now stayed in the lab has reached real life and is currently being installed in a hospital in France. The technology works along the lines of the light from a bulb or torch: as soon as the bulb is switched on, its light is converted into binary code.
This is Li-Fi
It was invented in 2011 by scientist Harald Haas of the University of Edinburgh, Scotland. It is based on visible light communication, in which light is transmitted as binary code. Recently Li-Fi was tried outside the lab, and the trial was quite successful.
This is how it works
In Li-Fi technology the internet is accessed through an LED bulb, for which a microchip is fitted inside the bulb. It is more secure than Wi-Fi because light cannot pass through walls. As soon as the bulb is switched on, the light it emits is converted into binary code and reaches the user.

Millions of IoT Devices Using Same Hard-Coded CRYPTO Keys

Millions of embedded devices, including home routers, modems, IP cameras and VoIP phones, are sharing the same hard-coded SSH (Secure Shell) cryptographic keys or HTTPS (HTTP Secure) server certificates, which exposes them to various types of malicious attacks.
A new analysis by IT security consultancy SEC Consult shows that lazy manufacturers of Internet of Things (IoT) devices and home routers are reusing the same set of hard-coded cryptographic keys, leaving the devices open to hijacking.
In simple words, this means that if you are able to access one device remotely, you can possibly log into hundreds of thousands of other devices – including the devices from different manufacturers.

Re-Using Same Encryption Keys

In its survey of IoT devices, the company studied 4,000 embedded devices from 70 different hardware vendors, ranging from simple home routers to Internet gateway servers, and discovered that…
…over 580 unique private cryptographic keys for SSH and HTTPS are re-shared between multiple devices from the same vendor and even from the different vendors.
The most common uses of these static keys are:
  • SSH host keys
  • X.509 HTTPS certificates
SSH host keys verify the identity of a device that runs an SSH server using a public-private key pair. If an attacker steals the device’s SSH host private key, he/she can impersonate the device and trick the victim’s computer to talk to his computer instead.
The same happens in the case of the device's web-based management interface: its HTTPS certificate has a private key that is used to protect the traffic between users and that interface.
An attacker who obtains that HTTPS private key can decrypt the traffic and extract usernames, passwords and other sensitive data.

Millions of Devices Open to Attacks

When the researchers scanned the Internet for those 580 keys, they found that at least 230 of them are actively being used by more than 4 million IoT devices.
Moreover, the researchers recovered around 150 HTTPS server certificates that are used by 3.2 Million devices, along with 80 SSH host keys that are used by at least 900,000 devices.
The remaining crypto keys might be used by various other devices that are not connected to the Internet, but could still be vulnerable to man-in-the-middle (MITM) attacks within their respective local area networks.
As a result, potentially millions of Internet-connected devices can be logged into by attackers, or their HTTPS web server connections silently decrypted by MITM attackers, using these crypto keys and certificates once they have been extracted from the firmware.
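The check a defender would run over their own device inventory, as an added example that is not part of SEC Consult's study or tooling: group hosts by SSH host key fingerprint so that any key appearing on more than one device stands out. The `ssh-keyscan`-style input and all key blobs below are constructed.

```python
"""Find SSH host keys shared by more than one device.

Added example (not SEC Consult's tooling). It reads lines in `ssh-keyscan`
output format ("host key-type base64-blob"), computes the SHA256 fingerprint
OpenSSH prints for each key, and groups hosts by fingerprint: any fingerprint
seen on two or more hosts is a reused key of the kind described above.
The sample below is constructed; its key blobs are filler, not real keys.
"""
import base64
import binascii
import hashlib
import struct
from collections import defaultdict


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_keyscan(text: str):
    """Yield (host, key_type, blob) for each key line; skip comments and junk.

    The blob's first field is the key type as a length-prefixed string, so a
    mismatch with the declared type marks a corrupted or tampered line.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        host, key_type, b64 = parts[0], parts[1], parts[2]
        try:
            blob = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            continue
        if len(blob) < 4:
            continue
        (type_len,) = struct.unpack_from(">I", blob, 0)
        if blob[4:4 + type_len] != key_type.encode("ascii"):
            continue
        yield host, key_type, blob


def shared_keys(text: str, min_hosts: int = 2) -> dict:
    """Map fingerprint -> (key_type, sorted hosts) for keys seen on >= min_hosts hosts."""
    hosts_by_fp = defaultdict(set)
    type_by_fp = {}
    for host, key_type, blob in parse_keyscan(text):
        fp = fingerprint(blob)
        hosts_by_fp[fp].add(host)
        type_by_fp[fp] = key_type
    return {fp: (type_by_fp[fp], sorted(hosts))
            for fp, hosts in hosts_by_fp.items() if len(hosts) >= min_hosts}


def _fake_blob(tag: bytes) -> str:
    """Constructed stand-in for an ssh-rsa key blob: correct type prefix, filler body."""
    body = struct.pack(">I", 7) + b"ssh-rsa" + tag * 16
    return base64.b64encode(body).decode("ascii")


# Constructed inventory of six devices: three share key "A", two share key "C".
_DEVICES = [("192.168.10.1", b"A"), ("192.168.10.2", b"B"), ("192.168.10.3", b"A"),
            ("192.168.10.4", b"C"), ("192.168.10.5", b"A"), ("192.168.10.6", b"C")]
KEYSCAN_SAMPLE = "# constructed sample, not a real scan\n" + "\n".join(
    f"{host} ssh-rsa {_fake_blob(tag)}" for host, tag in _DEVICES)

if __name__ == "__main__":
    for fp, (key_type, hosts) in shared_keys(KEYSCAN_SAMPLE).items():
        print(f"{fp} ({key_type}) shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Feeding it real `ssh-keyscan` output from your own network reports exactly the condition the researchers scanned for: one fingerprint, many hosts.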

Where Does the actual Problem Reside?

The issue lies in the way vendors build and deploy their products. Typically, vendors build their device's firmware on top of software development kits (SDKs) received from chipmakers…
…without even bothering to change the source code or even the keys or certificates that are already present in those SDKs.
There are many reasons why such a large number of devices are reachable from the Internet via HTTPS and SSH. These include:
  • Insecure default configurations by vendors
  • Automatic port forwarding via UPnP
  • Provisioning by ISPs that configure their subscribers’ devices for remote management
“The source of the keys is an interesting aspect. Some keys are only found in one product or several products in the same product line. In other cases we found the same keys in products from various vendors,” SEC Consult wrote in its blog post.

List of Vendors that are Re-Using Encryption Keys

Although SEC Consult identified more than 900 vulnerable products from roughly 50 manufacturers, the actual number could be even higher considering that its study only targeted firmware the company had access to.
According to SEC Consult, these are the companies that were found reusing encryption keys:
ADB, AMX, Actiontec, Adtran, Alcatel-Lucent, Alpha Networks, Aruba Networks, Aztech, Bewan, Busch-Jaeger, CTC Union, Cisco, Clear, Comtrend, D-Link, Deutsche Telekom, DrayTek, Edimax, General Electric (GE), Green Packet, Huawei, Infomark, Innatech, Linksys, Motorola, Moxa, NETGEAR, NetComm Wireless, ONT, Observa Telecom, Opengear, Pace, Philips, Pirelli, Robustel, Sagemcom, Seagate, Seowon Intech, Sierra Wireless, Smart RG, TP-LINK, TRENDnet, Technicolor, Tenda, Totolink, unify, UPVEL, Ubee Interactive, Ubiquiti Networks, Vodafone, Western Digital, ZTE, Zhone and ZyXEL.

Most Affected Countries

Here’s the list of the top 10 countries affected by SSH/HTTPS encryption key reuse:
  • United States
  • Mexico
  • Brazil
  • Spain
  • Colombia
  • Canada
  • China
  • Russian Federation
  • Taiwan
  • United Kingdom
SEC Consult has “worked together with CERT/CC to address this issue since early August 2015,” and it recommends that vendors use securely random cryptographic keys for each IoT-capable device.
Moreover, ISPs are advised to make sure that there is no way to remotely access CPE (customer premises equipment) devices via the WAN port. Where they need access for remote support purposes, “setting up a dedicated management VLAN with strict ACLs is recommended.”

Swedish Court — ‘We Can’t Ban The Pirate Bay’

The controversial file-sharing website The Pirate Bay will keep running in Sweden, as the District Court of Stockholm ruled on Friday that it cannot force internet service providers (ISPs) to block the website.
The Pirate Bay is an infamous Swedish search engine predominantly used worldwide for pirating material, such as software, movies, music files and TV shows, entirely free of charge.
Numerous ISPs around Europe block the Pirate Bay, but the notorious site will not be inaccessible in its home country Sweden, at least for now, according to the local media.
Last year, a lawsuit was filed by Warner Music, Sony Music, Universal Music, Nordisk Film and the Swedish Film Industry to force Swedish broadband companies to block The Pirate Bay, holding them liable for the infringements of their customers.
However, the Broadband companies refused to comply, stating that their only role is to provide their clients with access to the Internet while facilitating the free flow of information.

Sweden – We can’t Ban The Pirate Bay

Now, a Stockholm District Court has handed down its decision in favor of ISPs, ruling that Sweden can not make them block the access to the Pirate Bay website, as those broadband companies are not responsible for what their customers do.
“A unanimous district court considers, therefore, that it is not in a position to authorize such a ban as the rights holders want, and, therefore, rejects their requests,” presiding Chief Magistrate Anders Dereborg said.
In other words, the ISP networks are not participating in any crimes, according to the court ruling, as they are just the delivery medium.
While it is possible that the group representing the copyright holders could appeal to a higher court, in the meantime the group will have to pay the ISPs' legal costs so far, which amount to more than $150,000.
So, before the group appeals to a higher authority, this is something it might want to reconsider.
A few months back, The Pirate Bay co-founders Gottfrid Svartholm, Fredrik Neij, Peter Sunde and Carl Lundström were cleared of all charges alleging criminal copyright infringement and abuse of electronic communications in a Belgian court.

Sunday, 29 November 2015

ZARP A Network Attacking Tool

 
Zarp is a network attack tool centered around the exploitation of local networks.

This does not include system exploitation, but rather abusing networking protocols and stacks to take over, infiltrate, and knock out. Sessions can be managed to quickly poison and sniff multiple systems at once, dumping sensitive information automatically or to the attacker directly. Various sniffers are included to automatically parse usernames and passwords from various protocols, as well as view HTTP traffic and more. DoS attacks are included to knock out various systems and applications. These tools open up the possibility for very complex attack scenarios on live networks quickly, cleanly, and quietly.

The long-term goal of zarp is to become the master command center of a network; to provide a modular, well-defined framework that provides a powerful overview and in-depth analysis of an entire network. This will come to light with the future inclusion of a web application front-end, which acts as the television screen, whereas the CLI interface will be the remote. This will provide network topology reports, host relationships, and more. zarp aims to be your window into the potential exploitability of a network and its hosts, not an exploitation platform itself; it is the manipulation of relationships and trust felt within local intranets. Look for zeb, the web-app frontend to zarp, sometime in the future.

Current version: 1.5 Current dev version: 1.6

Installation

zarp is intended to be as dependency-free as possible. When available, zarp has opted to use pure or native Python implementations over requiring or importing huge libraries. Even as such, zarp requires the following to run:
  • Linux
  • Python 2.7.x
  • Scapy (packaged with zarp)

It is also recommended that users have the following installed for access to specific modules:
  • airmon-ng suite (for all your wireless cracking needs)
  • tcpdump
  • libmproxy (packaged with zarp)
  • paramiko (SSH service)
  • nfqueue-bindings (packet modifier)

The recommended installation process is to run:

git clone git://github.com/hatRiot/zarp.git

pip install -r requirements.txt

You can then run:

sudo python zarp.py --update

to update zarp. The update flag will not work if you download the tarball from the Git page.

Scapy comes packaged with Zarp and no installation is required. Wifite is used for wireless AP cracking; a specific version (ballast-dev branch) is required. This comes packaged with zarp. There are some dependencies required for Scapy, but most should be pretty easy to install or already be installed.


Tool Overview

Broad categories are (see wiki for more information on these):
  • Poisoners
  • Denial of Service
  • Sniffers
  • Scanners
  • Services
  • Parameter
  • Attacks

CLI Usage and Shortcuts

> help

  zarp options:
    help            - This menu
    opts            - Dump zarp current settings
    exit            - Exit immediately
    bg          - Put zarp to background
    set [key] [value]   - Set key to value

  zarp module options:
    [int] [value]       - Set option [int] to value [value]
    [int] o         - View options for setting
    run (r)         - Run the selected module
    info            - Display module information

Modules can be navigated to by nesting entries:

bryan@debdev:~/tools/zarp$ sudo ./zarp.py
[!] Loaded 34 modules.
     ____   __   ____  ____
    (__  ) / _\ (  _ \(  _ '
     / _/ /    \ )   / ) __/
    (____)\_/\_/(__\_)(__)  [Version: 0.1.5]

    [1] Poisoners       [5] Parameter
    [2] DoS Attacks     [6] Services
    [3] Sniffers        [7] Attacks 
    [4] Scanners        [8] Sessions

0) Back
> 6 2
    +-----+----------------+----------------------------+------+----------+-
    |     | Option         | Value                      | Type | Required | 
    +-----+----------------+----------------------------+------+----------+-
    | [1] | Displayed MOTD | b4ll4stS3c FTP Server v1.4 | str  | False    | 
    +-----+----------------+----------------------------+------+----------+-
    | [2] | Listen port    | 21                         | int  | False    | 
    +-----+----------------+----------------------------+------+----------+-



0) Back
FTP Server > 

Nested entries go as far as modules will. Note that right now it's 'dumb' in that, if you enter in a ton of numbers, it's going to continue dumping that out as module selection!

Usage Examples

List of modules accessible from the command line:


bryan@debdev:~/tools/zarp$ sudo ./zarp.py --help
[!] Loaded 34 modules.
     ____   __   ____  ____
    (__  ) / _\ (  _ \(  _ '
     / _/ /    \ )   / ) __/
    (____)\_/\_/(__\_)(__)  [Version: 0.1.5]

usage: zarp.py [-h] [-q FILTER] [--update] [--wap] [--ftp] [--http] [--smb]
               [--ssh] [--telnet] [-w] [-s] [--service-scan]

optional arguments:
  -h, --help      show this help message and exit
  -q FILTER       Generic network sniff
  --update        Update Zarp

Services:
  --wap           Wireless access point
  --ftp           FTP server
  --http          HTTP Server
  --smb           SMB Service
  --ssh           SSH Server
  --telnet        Telnet server

Scanners:
  -w              Wireless AP Scan
  -s              Network scanner
  --service-scan  Service scanner
bryan@debdev:~/tools/zarp$

Main menu when launched with the command line GUI:

bryan@devbox:~/zarp$ sudo ./zarp.py
[!] Loaded 33 modules.
     ____   __   ____  ____
    (__  ) / _\ (  _ \(  _ '
     / _/ /    \ )   / ) __/
    (____)\_/\_/(__\_)(__)
        [Version 0.1.4]        
    [1] Poisoners       [5] Parameter
    [2] DoS Attacks     [6] Services
    [3] Sniffers        [7] Attacks 
    [4] Scanners        [8] Sessions

0) Back
>

Navigating a module is pretty simple, and there are really only a few commands to know. When in the context of a module, the command 'info' can be used to dump a help or informational string:

ARP Spoof > info
---------------------------------------------------------
The heart and soul of zarp.  This module exploits the ARP
protocol to redirect all traffic through the attacker's
chosen system.

http://en.wikipedia.org/wiki/ARP_poison
    +-----+------------------------------------+-------+------+----------+-
    |     | Option                             | Value | Type | Required |
    +-----+------------------------------------+-------+------+----------+-
    | [1] | Interval to send respoofed packets | 2     | int  | False    |
    +-----+------------------------------------+-------+------+----------+-
    | [2] | Address to spoof from target       | None  | ip   | True     |
    +-----+------------------------------------+-------+------+----------+-
    | [3] | Target to poison                   | None  | ip   | True     |
    +-----+------------------------------------+-------+------+----------+-
0) Back
ARP Spoof >

To set an option, give it the option number followed by the value:


ARP Spoof > 2 192.168.1.219

If an option supports a choice list, give it the option number followed by the lowercase letter o:

HTTP Sniffer > 2 o
[!] Options: ['Site Only', 'Request String', 'Request and Payload', 'Session IDs', 'Custom Regex']
    +-----+-----------------------------+--------------+-------+----------+-
    |     | Option                      | Value        | Type  | Required |
    +-----+-----------------------------+--------------+-------+----------+-
    | [1] | Regex for level 5 verbosity | None         | regex | False    |
    +-----+-----------------------------+--------------+-------+----------+-
    | [2] | Output verbosity            | 1            | int   | False    |
    +-----+-----------------------------+--------------+-------+----------+-
    | [3] | Address to sniff from       | 192.168.1.97 | ip    | False    |
    +-----+-----------------------------+--------------+-------+----------+-
0) Back
HTTP Sniffer >

Modules, once all required options are set, can be run by specifying a lowercase 'r'.
Note: all information is for educational purposes only; don't try it on a real host, otherwise you will be caught by the police. I am not responsible for any misuse.

New touchscreen material will end the hassle of charging your smartphone every day

British scientists have discovered a new kind of touchscreen material which remains highly visible in direct sunlight and needs very little power to run.
To gauge the potential of the new material, the team is still in talks with some big players in consumer electronics about whether it could replace today's LCD touchscreens within the next few years. Developed by Bodle Technologies, the new technology could free consumers from the daily chore of charging their smartphones.
One of the researchers, Peiman Hosseini, said: ‘We can create a new market. You have to charge a smartwatch every night, but now you will have a smartwatch or smart glasses that do not need much power; you would charge it once a week.’
The researchers say their ultra-thin display material shows better colour, at very good resolution, even in direct sunlight.

Basic Malware Analysis Tools

In the upcoming posts we will be talking about basic malware analysis, and we will start by discussing the many different basic malware analysis tools which are available. A malware analyst is someone highly skilled in reverse engineering malware to get a deep understanding of what a certain piece of malware does and how it does it. To become a malware analyst it is important to have a good understanding of operating systems, software, networking, programming in general, malware in general and assembly language. Assembly language is the low-level programming code between the high-level programming code and the machine instructions. In other words, it translates the high-level language into machine instructions which will be processed by your computer's hardware.
In this tutorial we will be looking at simple but popular tools for basic static malware analysis: PEiD to detect packers, Dependency Walker to view dynamically linked functions, Resource Hacker to view the malware’s resources, and PEview and FileAlyzer to examine the PE file headers and sections. These tools are used for basic static malware analysis to try to determine the kind of malware and its function without actually running the malware. Running and analysing the malware will be covered in later tutorials. After this we will be looking at the tools available for advanced static analysis and advanced dynamic malware analysis in the next article: Dynamic Malware Analysis Tools. Note that we will be discussing the tools in general first and get into detailed tutorials later. In the upcoming tutorials we will be using them on sample malware in detailed step-by-step hacking tutorials.

As promised, we’ll be looking at the following basic malware analysis tools: PEiD, Dependency Walker, Resource Hacker, PEview and FileAlyzer. For your convenience we will supply a download link for the tools as well, so you can get your malware analysis toolbox ready for the upcoming tutorials. Be sure to subscribe to our newsletter, as we will be updating this list and our toolbox along with the upcoming tutorials.

PEiD

PEiD is a small application used to detect common packers, cryptors and compilers. Malware writers often attempt to pack or obfuscate their malware to make it harder to detect and to analyse. The current version of PEiD can detect over 470 different signatures in PE files, which are loaded from a text file called userdb.txt. The official PEiD website is not active anymore, but you can download PEiD-0.95-20081103 from Hacking Tutorials using the following download link: PEiD-0.95-20081103.zip
You need to replace the userdb.txt file with the following file to add the signatures: PEiD Userdb

Dependency Walker

Another great basic malware analysis tool is Dependency Walker. Dependency Walker is a free application which can be used to scan 32- and 64-bit Windows modules (.exe, .dll, .ocx, etc.) and lists all the imported and exported functions of a module. Dependency Walker also displays the dependencies of the file, which results in a minimum set of required files. Dependency Walker also displays detailed information about those files, including the file path, version number, machine type, debug information and so on.
Dependency Walker can be downloaded here.

Resource Hacker

Resource Hacker, sometimes called ResHacker, is a free application used to extract resources from Windows binaries. Resource Hacker can extract, add and modify most resources, such as strings, images, menus, dialogs, VersionInfo and Manifest resources. The latest version of Resource Hacker, version 4.2.4, was released in July 2015.
Resource Hacker can be downloaded using the following link: Resource Hacker

PEview

PEview is a free and easy to use application to browse through the information stored in Portable Executable (PE) file headers and the different sections of the file. In the following tutorials we will be learning how to read those headers when we’re examining real malware.
PEview can be downloaded using the following link: PEview.

FileAlyzer

FileAlyzer is also a free tool to read the information stored in PE file headers and sections, but it offers slightly more features and functionality than PEview. Nice features are the VirusTotal tab, which can be used to submit malware to VirusTotal for analysis, and the ability to unpack UPX- and PECompact-packed files. And yes, FileAlyzer is a typo, but the developer decided to stick with the name, which is kinda cool in our opinion.
FileAlyzer can be downloaded using the following link: FileAlyzer.
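As an added example (not code from the post or from any of the tools above), the structural part of what these tools expose: a walk of the PE section table as PEview shows it, with an entropy measure and a few packer indicators layered on top. PEiD itself matches byte signatures from userdb.txt; the heuristics here complement that, and both sample PE images are constructed inside the code.

```python
"""Walk a PE file's section table and flag packer indicators.

Added example, not code from the post or from PEiD/PEview. PEiD matches byte
signatures from its userdb; this block instead applies the structural
heuristics an analyst checks by hand in PEview/FileAlyzer: packer-style
section names, near-random (high-entropy) section bodies, writable and
executable sections, and sections with no raw data but a large virtual size.
"""
import hashlib
import math
import struct

COFF_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000
# Section names used by common packers (UPX, ASPack, Petite, MPRESS, VMProtect).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", ".aspack", ".adata", ".petite",
                        ".MPRESS1", ".MPRESS2", ".vmp0", ".vmp1"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for constant data, near 8 for compressed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Return one dict per section, located via e_lfanew -> 'PE\\0\\0' -> COFF header."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _chars = struct.unpack_from(COFF_FMT, pe, coff)
    table = coff + 20 + opt_size        # section table follows the optional header
    sections = []
    for i in range(nsections):
        (name, vsize, _vaddr, rawsize, rawptr,
         _, _, _, _, scn_chars) = struct.unpack_from(SECTION_FMT, pe, table + 40 * i)
        body = pe[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize,
                         "entropy": shannon_entropy(body),
                         "rwx": bool(scn_chars & SCN_MEM_EXECUTE and scn_chars & SCN_MEM_WRITE)})
    return sections


def packer_hints(pe: bytes) -> list:
    """Human-readable indicators; an empty list means nothing structural stood out."""
    hints = []
    for s in parse_sections(pe):
        if s["name"] in PACKER_SECTION_NAMES:
            hints.append(f"{s['name']}: packer section name")
        if s["entropy"] > 7.0:
            hints.append(f"{s['name']}: high entropy {s['entropy']:.2f}")
        if s["rwx"]:
            hints.append(f"{s['name']}: writable and executable")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hints.append(f"{s['name']}: no raw data but {s['virtual_size']} bytes virtual")
    return hints


def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE image (not runnable): DOS header, PE signature,
    COFF header with an empty optional header, section table, section bodies."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    rawptr = 64 + 4 + 20 + 40 * len(sections)
    table, bodies = b"", b""
    for name, vsize, body, chars in sections:
        table += struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"), vsize, 0x1000,
                             len(body), rawptr, 0, 0, 0, 0, chars)
        bodies += body
        rawptr += len(body)
    return bytes(dos) + b"PE\0\0" + coff + table + bodies


# Constructed samples: a plain binary and one laid out like a UPX-packed binary.
PLAIN_PE = build_sample_pe([(".text", 512, b"\x90\xc3" * 256, 0x60000020)])
PSEUDO_RANDOM = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
PACKED_PE = build_sample_pe([
    ("UPX0", 0x8000, b"", 0xE0000080),           # empty on disk, large in memory
    ("UPX1", 0x400, PSEUDO_RANDOM, 0xE0000040),  # stand-in for compressed payload, RWX
])

if __name__ == "__main__":
    for label, pe in (("plain", PLAIN_PE), ("packed", PACKED_PE)):
        print(label, packer_hints(pe) or ["no packer indicators"])
```

Running `packer_hints` on a real sample reproduces the section view PEview gives you, with the indicators PEiD's signatures would usually confirm.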

Dynamic Malware Analysis Tools

In this tutorial we will be covering Dynamic Malware Analysis Tools, which are used to analyse activity after the execution of malware in virtual machines. We will be looking at tools like Procmon, Process Explorer, Regshot, ApateDNS, Netcat, Wireshark and INetSim to analyse the malware. Dynamic Malware Analysis is typically performed after static malware analysis has reached a dead end. You will reach a dead end quickly when malware is packed or obfuscated, for example. Dynamic Malware Analysis is also a great way to identify the type of malware quickly: if you are facing ransomware you will notice the encrypted files and forced payment methods soon after executing the malware.
Dynamic Malware Analysis Risks

Please be aware of the fact that Dynamic Malware Analysis can put your system and network at risk, since you will be executing real malware to analyse its behaviour. We advise you to only execute malware on virtual machines or dedicated systems in isolated networks which are not connected to the internet. We do not need an internet connection on our malware analysis machine since there are several tools available for simulating an internet connection. We will be covering a few of these tools in this article. Even though we’re executing the malware in virtual machines, it is not guaranteed that the host or your network is perfectly safe, because malware developers always find surprising new ways to infect systems and make malware analysis harder to perform.

Dynamic Malware Analysis Tools

As already mentioned we’ll be looking at the following tools for dynamic malware analysis: Procmon, Process Explorer, Regshot, ApateDNS, Netcat, Wireshark and INetSim. For your convenience we will supply a download link for the tools. We will be updating this list along the way so be sure to subscribe to our newsletter.

Procmon

Procmon, or Process Monitor, is a free tool developed by Windows Sysinternals and is used to monitor Windows file system, registry and process activity in real time. The tool is a combination of two legacy tools, FileMon and RegMon. Procmon adds some great features on top of FileMon and RegMon, like non-destructive filtering of data and boot-time logging. Non-destructive filtering means that all data is captured but only the filtered data is displayed to the user.
The latest version of Process Monitor is version 3.2 which can be downloaded here.

Process Explorer

Process Explorer is also a free tool from Microsoft which should be running when performing Dynamic Malware Analysis. Process Explorer monitors the running processes and shows you which handles and DLLs are open and loaded for each process.
The latest version of Process Explorer can be downloaded here.

Regshot

Regshot is a great open source utility to monitor your registry for changes by taking a snapshot which can be compared to the current state of your registry. This allows you to see the changes made to your registry after the malware has been executed on your system.
The latest version of Regshot is available for download here.

ApateDNS

Another great tool for performing Dynamic Malware Analysis is ApateDNS. ApateDNS is a tool for controlling DNS responses and acts as a DNS server on your local system. ApateDNS will spoof DNS responses to DNS requests generated by the malware to a specified IP address on UDP port 53. The IP address or hostname is often retrieved from the malware by performing static malware analysis, for example by examining the resources sections, or by using sandboxes. ApateDNS is also capable of recovering multiple domains using the NXDOMAIN parameter since malware often tries multiple hosts to connect to.
ApateDNS is available from FireEye and can be downloaded using the following link: ApateDNS.

Netcat

Netcat, ncat or just simply nc is a tool used to read and write to network connections using TCP and UDP. Netcat is also called the Swiss Army Knife because of the many features it offers like: port scanning, port forwarding, tunneling, proxying and a lot more. Netcat is a great tool to perform Dynamic Malware Analysis because it can make almost any network connection a malware analyst might ever need. Netcat can be used to make inbound and outbound connections on any port and can be used in client mode for connecting and in server mode for listening.
A lot of malware communicates over port 80 (HTTP) and 443 (HTTPS) because on most systems these ports are not blocked by a firewall. When performing Dynamic Malware Analysis we could use ApateDNS to redirect a DNS request made by the malware to a host which is running Netcat in server mode, listening on the specified IP address and port. This way we can monitor the requests made by malware, using ApateDNS to redirect the requests and Netcat to observe them. In the Dynamic Malware Analysis tutorials we will be covering the use of ApateDNS and Netcat in more detail.
Netcat can be downloaded from the Nmap website here and is also included in Kali Linux.
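The ApateDNS-plus-Netcat setup described above, as an added example that is not ApateDNS or INetSim code: a minimal DNS responder that points every A query at the analyst's listener and returns NXDOMAIN after a configurable number of answers per name, so a sample working through a host list moves on to its next host. The sinkhole address, domain names and query IDs below are constructed.

```python
"""Minimal DNS sinkhole for an isolated malware-analysis lab, in the style of ApateDNS.

Added example, not ApateDNS or INetSim code. Sinkhole.respond() takes a raw DNS
query and returns a response whose A record points at the analyst's listener
(the host running Netcat); after max_hits answers for one name it returns
NXDOMAIN so a sample that walks a list of hosts tries the next one. The
sinkhole IP, names and query IDs used here are constructed.
"""
import socket
import struct

HEADER = ">HHHHHH"   # id, flags, qdcount, ancount, nscount, arcount
FLAG_QR, FLAG_RD, FLAG_RA, RCODE_NXDOMAIN = 0x8000, 0x0100, 0x0080, 3


def read_name(msg: bytes, offset: int):
    """Decode an uncompressed QNAME; returns (dotted name, offset just after it)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name: str, qid: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode a standard recursive query (used here to construct test input)."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\0"
    return struct.pack(HEADER, qid, FLAG_RD, 1, 0, 0, 0) + qname + struct.pack(">HH", qtype, 1)


class Sinkhole:
    def __init__(self, sinkhole_ip: str, max_hits=None, ttl: int = 60):
        self.rdata = socket.inet_aton(sinkhole_ip)
        self.max_hits, self.ttl = max_hits, ttl
        self.hits = {}      # name -> how many times it has been answered
        self.log = []       # every name the sample asked for, in order

    def respond(self, query: bytes) -> bytes:
        qid, flags, qdcount, _, _, _ = struct.unpack_from(HEADER, query, 0)
        if qdcount != 1:
            raise ValueError("expected exactly one question")
        name, end = read_name(query, 12)
        qtype, _qclass = struct.unpack_from(">HH", query, end)
        question = query[12:end + 4]
        self.log.append(name)
        self.hits[name] = self.hits.get(name, 0) + 1
        rflags = FLAG_QR | (flags & FLAG_RD) | FLAG_RA
        if self.max_hits is not None and self.hits[name] > self.max_hits:
            return struct.pack(HEADER, qid, rflags | RCODE_NXDOMAIN, 1, 0, 0, 0) + question
        if qtype != 1:   # only A queries get a forged address; others get an empty answer
            return struct.pack(HEADER, qid, rflags, 1, 0, 0, 0) + question
        # Answer: pointer to the question name (0xC00C), type A, class IN, TTL, 4-byte RDATA.
        answer = struct.pack(">HHHIH", 0xC00C, 1, 1, self.ttl, 4) + self.rdata
        return struct.pack(HEADER, qid, rflags, 1, 1, 0, 0) + question + answer


def answer_ip(response: bytes):
    """Return (rcode, dotted IP or None) from a response built by respond()."""
    _, flags, _, ancount, _, _ = struct.unpack_from(HEADER, response, 0)
    if ancount == 0:
        return flags & 0xF, None
    _, end = read_name(response, 12)
    rr = end + 4                                    # first resource record
    _, _, _, _, rdlen = struct.unpack_from(">HHHIH", response, rr)
    return flags & 0xF, socket.inet_ntoa(response[rr + 12:rr + 12 + rdlen])


def serve(sinkhole: Sinkhole, bind: str = "0.0.0.0", port: int = 53) -> None:
    """Blocking UDP loop for the isolated lab network (port 53 needs privileges)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, peer = sock.recvfrom(512)
            try:
                sock.sendto(sinkhole.respond(data), peer)
            except (ValueError, IndexError):
                pass                                 # malformed packet: ignore it


if __name__ == "__main__":
    # Offline demonstration with constructed queries instead of serve().
    sink = Sinkhole("10.0.0.5", max_hits=2)
    for _ in range(3):
        print(answer_ip(sink.respond(build_query("c2.example.test"))))
```

Point the analysis VM's DNS at the host running `serve()` and a Netcat listener on the sinkhole address, and `sink.log` becomes the list of hostnames the sample tried to reach.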

Wireshark

Wireshark is one of the best network protocol analysers available, if not the best. If you didn’t know Wireshark you probably wouldn’t be reading this article about Dynamic Malware Analysis. Wireshark is used to analyse a network in the greatest detail, to see what is currently happening and to capture packets to files. Wireshark supports live packet capture, deep inspection of hundreds of protocols, and browsing and filtering of packets, and it is multiplatform. When performing Dynamic Malware Analysis, Wireshark can be used to inspect packets and log network traffic to files.
Wireshark is included with Kali Linux but also available for Windows and Mac. Wireshark can be downloaded here.

INetSim

INetSim is a Linux-based tool built for malware analysis to simulate the most common internet services, like HTTP, HTTPS, DNS, FTP and many more. When performing Dynamic Malware Analysis on a Windows machine you can use a virtual machine in the same network as your malware analysis machine to run INetSim. INetSim fakes the common internet services which malware might use and answers the requests made accordingly. For example, when malware requests a file, INetSim will return a file. When malware scans a web server, INetSim will return a Microsoft IIS web server banner in order to keep the malware running. INetSim will also log all incoming connections so you can analyse which services the malware is using and what requests it makes. INetSim is also highly configurable: when malware uses a non-standard port for a service, you can change the listener port of that service in INetSim.
INetSim 1.2.5 is the current version which is included with Kali Linux 2.0 and can be downloaded here.

Malware Types Explained

In this article we will be looking at the different kinds of malware and what they do. When performing static or dynamic malware analysis it is crucial to have a good understanding of the different malware types, so you are able to recognize them and focus your investigation. During static malware analysis the imported DLLs and functions often tell us a lot about the malware’s intentions and behaviour. For example, when malware imports networking functions together with functions to edit the Windows registry and compression functions, we could be dealing with spyware, a downloader or a Trojan which executes itself or other malware at start-up. In the simplest case of statically imported DLLs you can use an application like Dependency Walker to find out which functions the malware uses. Further inspection of the DLLs, functions, PE headers and resources should narrow down the possible kinds of malware a lot. Let’s continue to look at the different kinds of malware and what exactly they do.

Adware

Adware as malware is malicious software which presents unwanted advertising to the user. This kind of malware often uses pop-up windows which cannot be closed by the user. Adware is often included with free software and browser toolbars. Malware which is also collecting user data, activity and other information for targeted advertising is called spyware.

Backdoor

A backdoor is a piece of malicious code which allows an attacker to connect to the infected target and take control of the target machine. In most cases no authentication is required to log in to the remote machine other than whatever authentication the malware itself demands. A backdoor is often planted by a Trojan, which goes unnoticed if the host has no effective detection mechanisms. Backdoors can use a lot of methods to communicate home. Port 80 over the HTTP protocol is commonly used by malware because this port is open on most machines connected to the internet. We will discuss two kinds of backdoors: the reverse shell and the Remote Access/Administration Tool (RAT).

Reverse Shell

A reverse shell is a connection initiated from the infected host to the attacker which provides the attacker with shell access to the host. The reverse shell is often created by a Trojan and functions as a backdoor on the infected host. After the reverse shell has been set up the attacker is able to execute commands as if they were executed locally. There are a couple of ways for malware developers to set up a reverse shell. Commonly used methods are Netcat and the Windows cmd.exe packaged inside the malware. A simple method used by malware to set up a reverse shell with the Windows CMD is to create a socket, establish a connection to the attacker and then tie the socket to the standard streams (standard input, output and error) of cmd.exe. cmd.exe is then run with a suppressed window to hide it from the victim’s view and can then be used to execute commands on the infected host.
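Seen from the defender’s side, the cmd.exe reverse shell just described leaves a recognisable trace: a process that is not a normal shell host opens an outbound connection and then spawns cmd.exe, which inherits the socket. The following added detection example (not code from the article) correlates constructed process-creation and network-connection events; the field names are loosely modelled on Sysmon Event ID 1 and 3 and are an assumption, as are the trusted-parent list and the sample telemetry.

```python
# Added example, not code from the article: correlate constructed process-creation
# and network-connection events (field names loosely modelled on Sysmon Event ID 1
# and 3, an assumption) to flag a cmd.exe child of an untrusted process that already
# holds an outbound connection, the shape of the cmd.exe reverse shell described above.
import ipaddress

# Processes that legitimately spawn cmd.exe; everything else is treated as suspect.
TRUSTED_PARENTS = {"explorer.exe", "powershell.exe", "conhost.exe", "services.exe"}

# Address ranges that never count as an external destination (RFC 1918, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_external(ip):
    """True when ip lies outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_reverse_shell_candidates(events):
    """Return (parent_name, parent_pid, cmd_pid) for each cmd.exe whose untrusted parent
    initiated an outbound connection to an external address before spawning it."""
    outbound = {}   # parent pid -> external destinations seen so far
    hits = []
    for ev in events:   # events are assumed to be in chronological order
        if ev["EventId"] == 3 and ev["Initiated"] and is_external(ev["DestinationIp"]):
            outbound.setdefault(ev["ProcessId"], set()).add(ev["DestinationIp"])
        elif ev["EventId"] == 1 and ev["Image"].lower().endswith("\\cmd.exe"):
            parent = ev["ParentImage"].split("\\")[-1].lower()
            if parent not in TRUSTED_PARENTS and ev["ParentProcessId"] in outbound:
                hits.append((parent, ev["ParentProcessId"], ev["ProcessId"]))
    return hits

# Constructed sample telemetry (not real logs); 203.0.113.7 is a documentation address.
SAMPLE_EVENTS = [
    {"EventId": 3, "ProcessId": 4120, "Initiated": True, "DestinationIp": "203.0.113.7"},
    {"EventId": 1, "ProcessId": 4188, "ParentProcessId": 4120,
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe"},
    {"EventId": 3, "ProcessId": 900, "Initiated": True, "DestinationIp": "192.168.1.10"},
    {"EventId": 1, "ProcessId": 950, "ParentProcessId": 900,
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for hit in find_reverse_shell_candidates(SAMPLE_EVENTS):
        print("suspicious cmd.exe spawned by a process with an outbound connection:", hit)
```

The connection is attributed to the parent rather than to cmd.exe because the malware creates the socket and the shell only inherits it, which is why the correlation keys on the parent PID.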

RAT – Remote Access Trojan

A Remote Access Trojan (RAT), sometimes also called a Remote Administration Tool or Remote Access Tool, is software which allows an attacker to take control of the infected host by the use of a backdoor. We’ll call it a Remote Access Trojan in this article to emphasize the maliciousness of this kind of RAT. We are talking about the malicious RATs and not the ones used by system administrators or software vendors for remote support and troubleshooting. Remote Access Trojans are often bundled with free software or sent as an attachment by e-mail.

Botnet

A botnet is a network of remotely controlled private computers with backdoors which are controlled by a command and control server. All infected hosts in the botnet are controlled as a group and receive the same instructions from the server, which is controlled by the attacker. Botnets are often used to send spam, to perform distributed denial-of-service (DDoS) attacks or to distribute malware.

Browser Hijacker

A browser hijacker is a piece of malicious code developed to take control of your browser settings, such as the homepage or the default search provider. Browser hijackers are often bundled with free software and browser toolbars and may also contain adware and spyware. Some browser hijackers also change your browser’s proxy settings, which compromises your online privacy and safety.

Downloader Malware

Downloader malware is malicious software which downloads other malicious software. Attackers often infect a machine with downloader malware once they have gained initial access to the system. The downloader malware then silently infects the target machine with other malware.

Information Stealing Malware

Information stealing malware is a collection of malware types developed to steal information such as credit card numbers, bank account details, account credentials and other personal information. The collected information is usually sent to the attacker, who often uses it to gain access to your personal accounts or puts it up for sale on the deep web. Information stealing malware often comes in the form of keyloggers, password (hash) grabbers and sniffers. The stolen information is often sent to a command and control server for further processing.

Keyloggers

Keylogger malware is a malicious piece of software (or hardware) which records your keystrokes in order to retrieve passwords, conversations and other personal details. The recorded keystrokes are then sent to the attacker. A keylogger is a very effective way for attackers to steal passwords because there is no need to crack hashes, decrypt information or sniff secured connections for passwords.

Launcher malware

A launcher is a piece of malicious software which is used to launch other malware. This piece of malicious software is often combined with downloader malware. The launcher malware often uses stealthy and unconventional methods to launch other malicious code to avoid detection.

Ransomware

Technically speaking, all malware which prevents a user from accessing the computer or files and demands money in exchange for access is called ransomware. Ransomware often encrypts your hard drive or files and demands money in exchange for the decryption key. This kind of ransomware is also called a crypto locker. After infection the ransomware presents the user with payment methods which can be used to unlock the computer or decrypt the files. Whether the ransomware or crypto locker will actually unlock your hard drive or files is not guaranteed: the decryption keys and the payment are often controlled by a command and control server.
Ransomware has become increasingly popular over time because it is highly profitable for malware developers. Especially ransomware in combination with anonymous payment methods like bitcoin makes this kind of malware very profitable and lowers the risk of getting caught. Well-known ransomware families are Cryptolocker, Cryptowall and Tox, the latter known as the first ransomware-as-a-service available to everybody through the Tor network.

Rootkit

A rootkit is malicious software designed to conceal the existence of other malware. The concealed malware is often a backdoor providing full access to the attacker, or information stealing malware. Rootkits can be hard to detect and remove depending on where the rootkit resides. Rootkits at firmware level, for example, may require hardware replacement, and rootkits at kernel level may require a fresh installation of the operating system.

Bootkit

Another dangerous rootkit which is almost impossible to detect is the bootkit. A bootkit is a rootkit hidden in the boot sector that infects the Master Boot Record (MBR). This kind of rootkit is able to bypass drive encryption, for example, because the MBR is not encrypted: the MBR contains the decryption software which decrypts the drive. A bootloader is a piece of code which runs before the operating system does.

Scareware

Scareware is malicious software which forces the victim into purchasing something by frightening him or her. You might call it blackmailing malware too, since it often involves embarrassing viruses or files. The most common scareware looks like a virus scanner which has detected some viruses that will be removed once the victim has purchased the virus scanner. In reality only the scareware will be removed (hopefully). Scareware often uses scare tactics which embarrass the victim, so that the victim does not escalate the problem to a system administrator at work or call in professional help for virus removal, for example. Because of these tactics a lot of victims will pay for the software to have the virus or other embarrassing material removed silently. Scareware or blackmailing malware is, just like ransomware, very profitable for malware developers.

Spam Sending Malware

Spam sending malware is malicious software which uses the infected machine to send spam. The spam sending malware might be part of a botnet controlled by a command and control server, functioning as a distributed spam sending network. Because of the distributed approach there is no single point of failure: if ¼ of the infected machines are cleaned, the other ¾ will keep sending spam mails. Big botnets can send billions of spam messages per week, and very often new malware is spread together with the spam messages. Spam sending malware can get you into trouble because ISPs may cut off your internet connection or your e-mail address may be blacklisted, so be sure to remove this kind of malware as soon as possible. This type of malware is profitable for malware developers because they can sell the spam sending services.

Trojan

A Trojan or Trojan horse as malware is a malicious program functioning as a backdoor. Just like the ancient Greek story of the wooden horse with Greek troops inside which was used to invade the city of Troy, a Trojan in computing tends to appear like a regular application, media or any other file but contains a malicious payload. Trojans are often spread through social engineering, where the victim is fooled into executing the file or application containing the Trojan. Most Trojans contain backdoors which can be used by the attacker to steal information, spread other malware or use the infected machine’s resources in a botnet. Literally anything is possible when infected with a Trojan which was installed or run with elevated privileges. Trojans in computing have been around for a long time; a few old and popular Trojans are Netbus, SubSeven (Sub7) and Back Orifice (BO for short).

Virus

A virus is a malicious program which replicates itself into other applications, files or even the boot sector. A virus can then do anything it is programmed to do, such as stealing information, logging keystrokes or even rendering a computer useless. The defining characteristic of a virus lies in the self-replication and insertion of malicious code into other programs without user consent. Just like most other malware, a virus is designed to seek profit.

Worm

A worm is a piece of malware that replicates itself in order to spread and infect other systems. Computer worms use the network, links, P2P networks, e-mail and exploited vulnerabilities to spread themselves. Often more than one way is used to spread the worm. The difference with a virus is that a virus inserts code into other programs, whereas a worm does not and replicates only itself. Worms do not necessarily contain a payload, although most worms do; some are designed only to spread.

How to Root Windows Phone and Unlock the Bootloader to Install Custom ROMs

Yes, it is now possible to unlock a Windows Lumia phone for root access and run custom ROMs.
Both Microsoft and Nokia have made Windows Lumia smartphones difficult to break into at a low level by locking down their bootloaders, but a software hacker who goes by the name HeathCliff has just proven that it is not impossible.
HeathCliff has released an excellent tool called “Windows Phone Internals” that allows Windows Phone owners to unlock their smartphone’s bootloader, gain root access and even create and run custom ROMs.
What’s more interesting is that the tool supports “most versions of Windows Phone 8.1 and Windows 10 Mobile”.
HeathCliff is a very well-known XDA developer and one of the Windows Phone legends. In the Windows Phone community, HeathCliff is loved mostly for the WP7 Root Tools.
Windows Phone Internals, or WP Internals, is completely free to download, though HeathCliff welcomes donations from those who have found the tool useful.

Here’s the List of Things Windows Phone Internals can Do

  • You can unlock the bootloader of the specific Lumia Windows Phone models, and then enable Root Access
  • You can load your custom apps with higher privileges and without sandboxing in Windows Phone OS.
  • You can create Backup images of your phone and can also access the file-system in Mass Storage Mode.
  • You can even install your custom ROMs.
You can also watch the video provided by HeathCliff, showing what the tool is capable of doing.

Models Supported by Windows Phone Internals Tool

Here’s the list of Lumia Phones Supported by the tool right now:
  • Lumia 520, 521 and 525
  • Lumia 620, 625
  • Lumia 720
  • Lumia 820
  • Lumia 920
  • Lumia 1020
  • Lumia 1320
How to Get Started?
Here’s the introduction video for you to get started with Windows Phone Internals:
So, if you are ready to tinker with your Windows Phone then Download Windows Phone Internals for Free from here.

Should You Root Your Phone?

However, I would caution against using this tool to root a Windows Phone if you do not understand the underlying architecture of Windows Phone and Windows 10 Mobile.
Rooting your phone gives you complete control over the OS, but that power can also be misused if you’re not careful.
HeathCliff also states that after a tweak is completed, you should unroot your device to reduce the chance of malware or other bad stuff making its way onto it.

Critical ‘Port Fail’ Vulnerability Reveals Real IP Addresses of VPN Users

A newly discovered flaw affecting all VPN protocols and operating systems has the capability to reveal the real IP addresses of users’ computers, including those of BitTorrent users, with relative ease.
The vulnerability, dubbed Port Fail by VPN provider Perfect Privacy (PP), who discovered the issue, is a simple port forwarding trick and affects those services that:
  • Allow port forwarding
  • Have no protection against this specific attack
The port forwarding trick means that if an attacker uses the same VPN (Virtual Private Network) as the victim, the real IP address of the victim can be exposed by forwarding Internet traffic to a specific port.
“The crucial issue here is that a VPN user connecting to his own VPN server will use his default route with his real IP address, as this is required for the VPN connection to work,” Perfect Privacy wrote in a blog post on Thursday.
Port Fail affects all VPN protocols including…
  • OpenVPN
  • IPSec
…as well as applies to all operating systems, posing a huge privacy risk.

How Does ‘Port Fail’ Work?

A successful IP address leak attack requires an attacker to be on the same VPN network as the victim and to know the victim’s VPN exit IP address, which could be discovered by tricking the victim into visiting a website controlled by the attacker.
For example, an attacker with port forwarding enabled can see the request coming from the victim’s actual IP address by tricking the victim into opening an image file.
The same attack is possible against BitTorrent users, but in this case there is no need for the attacker to redirect the victim to their page.
Here an attacker who has merely activated port forwarding for the default BitTorrent port can expose the real IP address of a VPN user on the same network.

Affected VPN Providers

The flaw affected various large VPN providers. Perfect Privacy tested nine VPN providers out of which five were found to be vulnerable to this flaw and were alerted last week.
VPN providers including Private Internet Access (PIA), Ovpn.to and nVPN fixed the issue before publication.
However, the company warned, “other VPN providers may be vulnerable to this attack as we could not possibly test all.”
A VPN aims to ensure that your real identity remains anonymous on the Internet so that nobody can trace the origin of your connection back to you, but this newly discovered flaw shows that it is quite easy to bypass this protection with some VPN providers.