WMkick - MITM MS-RPC, WMI, WinRM to Capture NetNTLMv2 Hashes | 2021-08-21 20:24 |
We have observed various enterprise software that continues to rely on Microsoft's Windows Management Instrumentation (WMI) for remote authentication, which can be leveraged by attackers, even passively, to steal hashes that can be converted to credentials. There are WMI client programs that initiate the NTLMSSP authentication flow over the WMI access port (tcp/135), which can be redirected in order to gather all the pieces needed to obtain a valid NetNTLMv2 hash. A valid NetNTLMv2 hash can be cracked into plaintext credentials to gain further access into the network. The accounts used in these applications are often privileged accounts, as WMI remote authentication is often used to perform administrative tasks such as running remote commands, asset inventory management, and scanning.
WMkick is a TCP protocol redirector/MITM tool that targets the Windows NTLM authentication message flow. Anyone with access to an internal network can leverage WMkick to capture administrative hashes if WMI is being used to remotely administer within the network and mitigations have not been enforced, such as disabling NTLM authentication.
We think the security community should give MS-RPC more attention, and others are starting to do so. Eventually we hope to build/add enough of an MS-RPC implementation and impersonation into WMkick that redirecting is no longer needed.
0 comments | Posted by Houston Hunt at: 20:24 permalink |
WePresent... vulnerabilities! | 2021-01-05 20:21 |
This blog post describes an exploit chain to go from a completely unauthenticated attacker to a root shell on a WePresent WiPG-1600. The device was running firmware version 2.5.1.8, which was the latest version available at the time this research was performed. Several vulnerabilities were found, and CVEs and fixes for each have since been published.
CVE-2020-28329 - Default API credentials
The first vulnerability is the existence of default, hardcoded credentials that can be used to access an API service listening on port 4001/tcp. The password exists as clear text in /etc/lighthttp/admin and in a hashed form in etc/lighttpd/lighttpd.user. This information was obtained by downloading and unpacking the firmware from WePresent's site. The URL for the firmware is https://www.barco.com/en/support/wepresent-wipg-1600w/drivers. Binwalk, with recursive scanning of extracted files, does partially unpack the firmware. A simpler, more elegant approach will be discussed later in this blog post.
0 comments | Posted by Jim Becher at: 20:21 permalink |
Cellebrite Good Times, Come On: Reverse-Engineering Phone Forensics Tools | 2020-06-29 17:18 |
How can vulnerabilities in technologies used by our judicial system affect the outcome of cases brought to the courts?
The Universal Forensic Extraction Device (UFED) device from Cellebrite is used by law enforcement agencies throughout the world. The popularity of their offerings has been well documented by journalists, which is what initially caught my attention. Today I will talk about the process I used to establish a debugging environment and locate issues in their UFED product, which I believe pose a significant concern. This concern demonstrates a need for additional scrutiny of any tool that is designed to acquire digital forensic evidence for use in any court of law. Along the way, we generated multiple advisories and CVEs, which the vendor has addressed, and a bonus "WONTFIX" in Android.
0 comments | Posted by Matt Bergin at: 17:18 permalink |
FTimes, KLEL, and File Hooks | 2019-11-08 10:00 |
This is another blog post in the FTimes series showcasing various aspects and controls that can be utilized within the FTimes framework. This blog post will focus on using file hooks, a feature that offers the ability to run external programs or scripts on matching files during dig, map, or mad stages.
0 comments | Posted by Jay and Klayton at: 10:00 permalink |
Building FTimes With Lua | 2019-09-05 15:40 |
This is the next part in a series of blog posts focusing on the open-source tool FTimes. This blog post will demonstrate building FTimes with XMagic and an embedded Lua interpreter. In so doing, FTimes will be able to perform more complex searches by utilizing file hooks.
For this exercise, we will be using Kali Linux as our build environment.
0 comments | Posted by Jay at: 15:40 permalink |
FTimes 3.13.0 Released | 2019-09-04 17:30 |
0 comments | Posted by Klayton at: 17:30 permalink |
Unpatched Fringe Infrastructure Bits | 2019-08-19 11:00 |
Typically during internal network penetration tests, pentesters come across many different types of devices. Much of the focus is likely on the Windows/UNIX-like systems and critical infrastructure devices (e.g., storage, DNS servers, routers, switches, etc.). There are, however, a number of other network-connected devices that oftentimes get passed over due to factors such as function, purpose, placement, or lack of sensitive data contained within.
A pentester may take a second look at a given device because telnet or FTP is enabled, but after a cursory glance at the HTTP listener and concluding that it is a UPS, they will likely skip over it in favor of the Linux system running Apache, MySQL, and SSH.
Welcome to the land of forgotten and misfit toys ... this is not exciting, cutting-edge, sexy stuff. These are devices organizations typically plug in, configure minimally (just enough to "do the job"), and forget about. In this post, I discuss a particular vulnerability of a TrippLite Power Distribution Unit (PDU).
0 comments | Posted by Jim Becher at: 11:00 permalink |
Password Audits – Focus on the Admins | 2019-05-09 17:00 |
Have you considered adding periodic password audits to your corporate security plan? Compared to the cost of a security breach or standard pentest, periodic password audits are relatively inexpensive (e.g., on the order of $7K/quarter for a single medium-sized domain), yet they shed light on an important aspect of security that management has little ability to control: the passwords that administrators and end users choose.
In this article, I discuss the impact of weekly audits on chosen admin passwords over a 4-year period.
0 comments | Posted by Klayton at: 17:00 permalink |
Building FTimes With Python3 | 2019-04-25 11:10 |
This is the next part in a series of blog posts focusing on the open-source tool FTimes. This blog post will demonstrate building FTimes with XMagic and an embedded Python interpreter. In so doing, FTimes will be able to perform more complex searches by utilizing file hooks.
For this exercise, we will be using Devuan Linux as our build environment.
0 comments | Posted by Jay at: 11:10 permalink |
Building FTimes With Perl | 2019-04-11 00:00 |
This is a first in a series of blog posts focusing on the open-source tool FTimes. This blog post will demonstrate building FTimes with XMagic and an embedded Perl interpreter. In so doing, FTimes will be able to perform more complex searches by utilizing file hooks.
For this exercise, we will be using Ubuntu Linux as our build environment.
0 comments | Posted by Jay at: 00:00 permalink |
FTimes 3.12.0 Released | 2019-03-15 17:00 |
0 comments | Posted by Klayton at: 17:00 permalink |
New LibPathWell Release, and an Updated Talk | 2017-05-12 23:30 |
A couple of weeks ago we released a PathWell update, version 0.7.0, available here. I had the pleasure of giving a talk about it at RMISC yesterday that highlighted the new features; the slides are here. [PDF warning]
The primary user-visible change in this release is an administrator-configurable hinting engine, to provide different levels of feedback to users whose new password choice is rejected.
0 comments | Posted by Hank at: 23:30 permalink |
Virtual Appliance Spelunking | 2016-10-10 15:35 |
Hello again and welcome back. Today I want to talk about a Sunday I spent reversing the Cisco Firepower Management Console virtual appliance that resulted in multiple CVEs being issued. The tricks I will show have worked on four or five other virtual appliances from other vendors. Results from those are either pending disclosure or have already been reported by other researchers. Either way, this should be something you can easily recreate to find vulnerabilities.
0 comments | Posted by Matt at: 15:35 permalink |
Nothing To See Here, Move Along | 2016-08-08 13:45 |
Vendors often have interesting ways to facilitate support for their appliances. Today, I'll discuss a few ways we have seen it implemented: one that is vulnerable to exploitation and others that aren't so bad.
When we find vulnerabilities doing independent research, we work with the vendors through our disclosure program to attempt to get the issues fixed, and we are free to publish whether or not the vendor addresses the problems. Occasionally while on an engagement for a client, we come across one or more vulnerabilities in third-party platforms. When this happens, we work with our client to inform their vendor in an effort to get the vulnerabilities corrected, and coordinate disclosure.
Usually, vendors are responsive, and our client and other customers of that vendor get the fix. However, it does not always work that way.
0 comments | Posted by Matt at: 13:45 permalink |
Cracking Grid – Essential Attributes | 2016-05-25 11:30 |
Here at KoreLogic, we are constantly cracking passwords – it's just one of the things we do. While we haven't made a concerted effort to track it, I'd venture to say that cracking for us is pretty close to a 24/7/365 operation. Between paid cracking engagements and penetration tests, our resident cracking expert, Rick, almost always has something cooking on our Distributed Cracking Grid ("Grid"). This week, it happens to be LinkedIn hashes. This level of uptime is made possible by the WebJob framework, the foundation upon which our Grid was built (check out this paper for a brief overview of the technology). WebJob's queuing system allows us to maintain a number of concurrent work orders at any given time. Today, for instance, we have 22 active work orders consisting of 151,995 jobs (or attacks) spread out over 35 queues. At any time, a single attack can be in one of several states (e.g., waiting, working, complete), and resources (i.e., GPU and CPU cores) can be shifted from queue to queue as needs dictate. Additionally, attacks within any given queue can be prioritized. All of this allows us to keep work orders active for days, weeks, or even months at a time, and that's pretty darn cool.
As the Grid's chief architect and primary developer, it's my job to keep the Grid running and add new features/capabilities over time. In this article, I'd like to share with you our aspirations and reasons for creating a cracking grid that is secure, distributed, scalable, and extensible.
0 comments | Posted by Klayton at: 11:30 permalink |
LinkedIn Revisited – Full 2012 Hash Dump Analysis | 2016-05-19 15:00 |
As you may know, a "full" dump of email addresses and password hashes for the Linkedin.com attack that occurred in 2012 has become available. Here at KoreLogic, we got our hands on the list of emails and the separate list of passwords (but nothing linking the two together, which we don't want or need). We started to gather some statistics on them using our Password Recovery Service (PRS). The following analysis assumes the lists are real; due to the valid email addresses and confirming some of our own accounts' data from back then, we believe that the dump is real.
What we know so far:
0 comments | Posted by Rick Redman / Minga / @CrackMeIfYouCan at: 15:00 permalink |
Update on Crack Me If You Can – DEFCON 2016 | 2016-03-28 12:12 |
The @CrackMeIfYouCan team at KoreLogic has had a lot of questions about this year's DEFCON Crack Me If You Can (CMIYC) contest ...
The short answer is, we are not doing a CMIYC this year at DEFCON. That does not mean that 2015 was our last year, it just means we aren't doing one in 2016. It's been a very busy year for us so far, and CMIYC is a huge commitment on our schedules. We just cannot make it happen this year.
On a more personal note, I dreamed up CMIYC in 2010 with multiple goals in mind:
0 comments | Posted by Rick Redman / Minga / @CrackMeIfYouCan at: 12:12 permalink |
Hacking an Arris Cablemodem | 2016-02-12 15:00 |
Welcome to part four in our four-part series on firmware and embedded devices. In our final part, we will discuss a remote root vulnerability in a popular cable modem. A while ago, we were shown the administrator portal for a particular cable modem vendor. Old school, right? Still, what an interesting attack vector, we thought. We realize ISPs need some degree of access in order to properly provision modems, but how much should you trust your ISP (and who they partner with) to make security decisions for you? Personally, we only believe in what can be measured, and this meant our hands needed to get dirty... Don't worry root, we're coming for you!
4 comments | Posted by Matt & Hank at: 15:00 permalink |
The importance of access to firmware files | 2015-12-18 16:25 |
Welcome to the third part of our series! Today I hope to spark a conversation amongst the readers about an important topic in a world filled with IoT: access to device firmware. And not just (at best) encrypted opaque blobs provided for device updates, but usable images that can be deconstructed, evaluated, and reconstructed.
There are a few categories of devices for which firmware access would apply. These are consumer, enterprise, medical, and military. My coworkers and I have dealt with all of these to varying degrees. You might think military procurement would always include full firmware/source code access; I mean, they'll want to make sure the device is not designed in a way that is counter to their interests in the same way that I want to ensure the same thing when I (and most other people for that matter) also purchase a device. Mumble mumble...
What about consumer or enterprise grade devices? Most vendors have some support level (i.e. price point) at which they'll give an enterprise customer access to firmware. But for smaller organizations, or one-off purchases, they are often told what I am as a consumer a majority of the time: "no". In the last two parts of our series, I'll go into deeper thought on firmware access using current and upcoming examples from our vulnerability disclosure program.
1 comments | Posted by Matt at: 16:25 permalink |
Unplugging An IoT Device From The Cloud | 2015-12-11 17:45 |
Hello again and welcome back. This is part two in our four-part series on firmware and embedded devices. Today, I will be discussing home automation and the Internet of Things (IoT). More specifically, I'll be talking about Blossom. Blossom is a cloud-based smart lawn watering system that will 'automatically' water your lawn. Normally, our goal is to break into the target device so I may inspect running processes and resident binaries to ensure they are not designed to work in ways that are counter to our interests. Today, I won't be doing that. Instead, I am going to observe the functionality of the device and how it interacts with the manufacturer's cloud-based API. Then, I'll force network traffic redirection from the device to a server I control. Finally, I will recreate a bare-minimum copy of the manufacturer's API available internally so that the device will no longer require internet access for somewhat normal operation.
What does this mean? I am going to write an application to water my lawn, when I want my lawn watered. Why? Because I like the functionality of smart-enabled devices, but I do not like adding potential network pivot points anywhere on my networks. My hope is that this part in our series serves as a soft introduction to the thought process I typically use when removing an unwanted third party from my networks or even attempting to attack the underlying software of a target device.
0 comments | Posted by Matt at: 17:45 permalink |
Q: Can I have your password? A: Yes you can. | 2015-12-04 16:45 |
Hello folks, welcome to the first of a four-part blog mini-series on firmware and embedded devices. My name is Matt Bergin and I'll be guiding you through the series. We plan to release each part of the series on the Friday of each week in December. The release of the final part in our series is dependent on our responsible disclosure timeline holding for a finding, but we're pretty confident.
We're going to start slowly and with something simple. Today's tale is about a little access point that tried and tried but just couldn't keep its mouth shut. If it has an IP it'll talk, and what it says you might not like. Though we tried to make it stop (see the timeline in the advisory), it didn't seem to matter to the manufacturer. So here we are: an 0day to help start your holiday season.
Sincerely,
KoreLogic
Onward and upward!
You can purchase the vulnerable device and download the corresponding firmware here: http://www.linksys.com/us/support-product?pid=01t80000003cVuwAAE
3 comments | Posted by Matt at: 16:45 permalink |
LibPathWell 0.6.3 Released | 2015-10-01 15:45 |
I am pleased to announce that a new release of the Password Topology Histogram Wear-Leveling (PathWell) library and PAM module for dynamic password-strength enforcement is now available for download here.
Version 0.6.3 is an update release of PathWell. Generally, code was cleaned up and refined as necessary. The API remains unchanged, but the library did get a revision bump -- the new version is 1:1:0. The primary goals of this release were to work out the build issues previously encountered for some flavors of Linux and to extend configure/build support to MinGW/MSYS build environments. And while the library along with the associated command line utilities compile cleanly and pass all their unit tests under Windows, setting up that build environment and getting the various dependencies (e.g., GMP, PCRE, SQLite, etc.) to compile involves a number of steps, a few hurdles, and a fair amount of determination, so be prepared if you decide to venture down that road. Perhaps that will be the topic of a future blog post. Who knows? ...
Anyway, this will likely be our last release for the 0.6.0 branch as our attention has shifted to the 0.7.0 release, which includes new features and tools. More on that to follow in the coming days, so stay tuned ...
0 comments | Posted by Klayton at: 15:45 permalink |
MASTIFF Output Plug-ins | 2015-09-25 17:00 |
MASTIFF is a living project whose continuous goal is to provide an automated means for static analysis of files. To meet this end, the project has multiple short and long term goals in place. Recently we silently released an update that hit one of the major goals we have been working towards since inception of the project: output plug-ins.
0 comments | Posted by Tyler at: 17:00 permalink |
How I Solved (Most Of) the Yara CTF Puzzles: Puzzle #9 – #11 | 2015-08-21 11:20 |
So far I've discussed how puzzles #1-#4 and puzzles #5-#8 in the Yara CTF for Black Hat 2015 contest were solved. In this post, I'll go over the final three puzzles.
As noted before, the puzzles are still accessible at the CTF page, so there are spoilers if you plan to go through them.
0 comments | Posted by Tyler at: 11:20 permalink |
How I Solved (Most Of) the Yara CTF Puzzles: Puzzle #5 – #8 | 2015-08-19 17:00 |
Previously, I posted how I solved puzzles #1-#4 of the Yara CTF for Black Hat 2015, sponsored by phishme.com. In this post, I'll go into how I solved puzzles #5-#8.
As noted before, the puzzles are still accessible at the CTF page, so there are spoilers if you plan to go through them.
0 comments | Posted by Tyler at: 17:00 permalink |
How I Solved (Most Of) the Yara CTF Puzzles: Puzzle #1 – #4 | 2015-08-17 08:00 |
During Black Hat, Ron Tokazowski of phishme.com put together a Yara Capture The Flag (CTF) contest for Black Hat 2015. This CTF consisted of 11 logic and Yara-based puzzles that participants had to solve for a chance to win a DJI Quadcopter. The best part is you could participate in the CTF if you weren't at Black Hat!
I participated in the CTF and won!!! I got through 10 out of 11 puzzles; the 11th and my lack of doing it is explained later. This post, as well as two more, describe how I went through each puzzle and solved them. The puzzles are still accessible at the CTF page, so be warned that spoilers are below!
0 comments | Posted by Tyler at: 08:00 permalink |
LibPathWell 0.6.1 Released | 2015-07-31 16:35 |
I am thrilled to announce the first public release of the Password Topology Histogram Wear-Leveling (PathWell) library and PAM module for dynamic password-strength enforcement. Version 0.6.1 is available for download here.
We have blogged and written and presented about PathWell several times, but now we've finally dropped the code. The LibPathWell release is a PAM module and supporting library to implement password topology complexity enforcement. There is a static component called blacklisting that allows you to seed the PathWell database with the most popular password topologies, so instead of an attacker cracking 25%+ in their first few mask attacks, they get zero. And then there are dynamic components ensuring that enterprise users, as they change their passwords, are forced to choose new passwords that are substantially different from one another.
tl;dr: PathWell makes enterprise user passwords 5-6 orders of magnitude harder to guess!
0 comments | Posted by Hank at: 16:35 permalink |
Hacking Team Documents Claim BIOS-based Persistence | 2015-07-09 16:15 |
A search through the online mirror of the information stolen from Hacking Team shows indications that a BIOS-based infection capability was developed as part of the Remote Control System software. This may be the first time a commercial spyware product claims this type of capability.
0 comments | Posted by Don at: 16:15 permalink |
Giles at Black Hat and in the ISSA Journal | 2015-06-23 18:20 |
The Giles production rule system compiler (which we described here) has gotten some good press lately!
An article describing Giles and its use has been published in the June 2015 issue of The ISSA Journal, which can be seen by subscribers here. The ISSA Journal is the official journal of the Information Systems Security Association, and we're very proud to have an opportunity to discuss Giles on its pages. The article describes what Giles is, how to use it, and how to use the engines it creates. It also talks a little bit about how it works under the hood.
Also of note, I will be presenting a talk about Giles at this year's Black Hat USA in Las Vegas on August 1-6th. This talk will describe the reasons behind the creation of Giles, how it works, and how it can help you build efficient, simple event correlation engines and expert systems. Let us know if you're going to be at Black Hat this summer; we hope to see you there!
And remember, Giles is open source, so be sure to check it out (both in the look-at-it sense and in the grab-a-copy-of-its-code sense) at https://korelogic.com/tools.html.
0 comments | Posted by Rob at: 18:20 permalink |
MASTIFF Online Updated to Add pyOLEScanner | 2015-06-19 16:08 |
- Enabled the pyOLEScanner version 1.2 tool as part of processing samples. pyOLEScanner is a Python-based script written by Giuseppe 'Evilcry' Bonfa and inspired by OfficeMalScanner. It scans Office documents in order to assess whether they could be malicious. Within MASTIFF Online the plugin is only executed for Office document file types (a.k.a., "Office"), and the results of the plugin can be seen by clicking on the "office-analysis" record in the detail pane for those file types.
- Added an "x" icon next to the GUI search box which clears the search box text and refreshes the list when clicked.
0 comments | Posted by Andy at: 16:08 permalink |
The WebJob Framework: An Endpoint Security Solution | 2015-06-10 17:30 |
The WebJob framework is a next generation endpoint security solution that, from a centralized management location, can execute virtually any program on an arbitrary number of end systems at any time. This framework has been deployed in a number of production environments including the Federal government and Fortune 500 businesses to perform various activities such as evidence collection, enterprise searches, incident response, live forensics, system management and monitoring, and grid computing.
The WebJob framework is an open source client-server solution that acts as a force multiplier for anyone who needs to automate various tasks or work on an enterprise scale. It does this by enabling engineers to run arbitrary programs and/or scripts on a wide array of operating systems (e.g., UNIX®, Linux®, Mac OS®, Windows®, Android®, etc.). The results, if any, can be aggregated and collated on the WebJob server where they can be operated on in bulk. With the flexibility that the framework provides, administrators who are inclined to write their own scripts can achieve a high level of automation and efficiencies of scale. With the WebJob framework, you can effectively do more with less.
Please click the link below to read more about how the framework could be the next generation endpoint security solution for you.
The WebJob Framework: A Generic, Extensible, and Scalable Endpoint Security Solution
0 comments | Posted by Andy at: 17:30 permalink |
One Month of MASTIFF Online! | 2015-05-27 11:30 |
It has been exactly one month since MASTIFF Online was opened, and to celebrate, we have released the next stable version of MASTIFF! Version 0.7.1 includes a large number of bug fixes, as well as some new analysis plug-ins to get more information out of the files you are analyzing. The new version can be found at https://korelogic.com/tools.html.
0 comments | Posted by Tyler at: 11:30 permalink |
What Did CCleaner Wipe? | 2015-05-18 15:35 |
The use of CCleaner is encountered at times during forensic investigations of computer systems. It has been labeled an "anti-forensics" tool as it has a secure deletion mode where it can overwrite data, filenames, and free space.
Overwriting files and filenames removes the chance to recover the data and subject it to further analyses; hence, the anti-forensics label. There may be some remnants and data left for analysis and comparison; but, at best you can infer what had been wiped. What you are faced with is a case of "You don't know what you don't know".
That is, until now. CCleaner will actually tell you what files it wiped. You just have to work for it.
0 comments | Posted by Don at: 15:35 permalink |
MASTIFF Online Free 1.0.0 Released | 2015-04-27 13:15 |
KoreLogic is pleased to announce the release of MASTIFF Online, a web interface into the open source MASTIFF static analysis framework. With this free online tool, anyone can upload files to be examined by MASTIFF, returning the results within minutes. MASTIFF Online can be accessed at https://mastiff-online.korelogic.com.
0 comments | Posted by Andy at: 13:15 permalink |
SSD Storage - Ignorance of Technology is No Excuse | 2015-03-24 09:15 |
Digital evidence storage for legal matters is a common practice. As the use of Solid State Drives (SSD) in consumer and enterprise computers has increased, so too has the number of SSDs in storage increased. When most, if not all, of the drives in storage were mechanical, there was little chance of silent data corruption as long as the environment in the storage enclosure maintained reasonable thresholds. The same is not true for SSDs.
A stored SSD, without power, can start to lose data in as little as a single week on the shelf.
0 comments | Posted by Don at: 09:15 permalink |
Windows 2003 Privilege Escalation via tcpip.sys | 2015-01-28 22:00 |
In my post for today, I will be discussing a vulnerability that I found within the TCP/IP driver as implemented by Microsoft within their Windows 2003 Operating System with Service Pack 2 installed (advisory here). If an attacker has obtained unprivileged access into the operating system, this vulnerability may be used to elevate their privilege to that of SYSTEM. This is accomplished by abusing a null near pointer dereference within code that runs during the processing of a specific unprivileged IOCTL call.
This vulnerability was issued identifiers: KL-001-2015-001, MS14-070, and CVE-2014-4076.
In order to avoid duplicating content from the advisory issued for this vulnerability, I will only provide a brief tl;dr before diving into the exploit.
0 comments | Posted by Matt at: 22:00 permalink |
Giles 3.0.0 Released | 2015-01-22 17:55 |
The Giles production rule system compiler has just been released! It is available for download here.
Production rule systems (or "engines" in Giles parlance) are tools that are commonly used to efficiently find patterns in streams of data where any number of data items (or "facts") can be added or removed over time. They're very commonly used to perform complex behavior detection (i.e., event correlation), like fraud detection for credit cards via transaction history or multi-part attacks against servers via combined analysis of firewall and server logs. They can also be used to provide some form of artificial intelligence, forming the core of many expert systems and automated planners.
All that sounds great, but what is Giles?
0 comments | Posted by Rob at: 17:55 permalink |
Brain Bleeding JavaScript Obfuscation | 2015-01-12 16:00 |
JavaScript is often used to facilitate web-based attacks. To make analysis more difficult and hide from signature-based systems, attackers will often obfuscate their JavaScript. Fortunately, there are many ways to deobfuscate JavaScript, or at least determine what it is doing. Sometimes, however, you come across obfuscated JavaScript that just makes your brain bleed.
UPDATE: Some have requested the actual JS used in this analysis, so here it is:
- https://blog.korelogic.com/2015/01/12/javascript_deobfuscation/malJS.zip (MD5: 8ad201d4dba1e19295ea1162308f3c0b, pass: infected)
9 comments | Posted by Tyler at: 16:00 permalink |
Using Windows Resource Language Codes for Attribution | 2014-12-23 20:25 |
Since news of the Sony hack broke, a number of reports have been pointing to North Korea as the source of the compromise. Part of the reasoning that North Korea is to blame is undoubtedly because the malware recovered from the compromise, and subsequently made available on a number of malware analysis websites, had internal resources that had the Korean language. While the languages associated with Windows resources on executables can be used for attribution, this post will show that they should not be singularly relied upon.
Disclosure: KoreLogic is not involved with this investigation, nor do we have any inside knowledge. This post is based on the public information available and our experience and expertise.
0 comments | Posted by Tyler at: 20:25 permalink |
VMware: "It's not a vulnerability, mmkkkayyy" | 2014-11-18 16:15 |
During a recent review of the VMware Workstation application, I discovered a method that allows any member of the __vmware__ group to extract arbitrary sections of kernel memory. When you consider the fact that members of this group are not required to already have administrative privileges, this suddenly becomes a significant vulnerability in the sense that it implies that otherwise unprivileged users now have the means to extract and subsequently use/abuse sensitive data like process-level tokens, encryption keys, etc. Needless to say, this poses a significant security risk to any organization that allows unprivileged users to operate virtual machines by way of the __vmware__ group.
To date, VMware has declined to mitigate this vulnerability despite the detailed evidence we have provided and our repeated attempts to convince them that there is an underlying design flaw here that needs to be addressed. Also note that this vulnerability, officially documented here, has not been assigned a CVE identifier because MITRE declined to do so.
0 comments | Posted by Matt at: 16:15 permalink |
im in ur scm, bein a ninja | 2014-11-05 12:45 |
The other day I presented a much deeper dive at BSides DC, with examples of multiple ways to manipulate CVS, Git, and Subversion repositories, and some thoughts on how companies and code-hosting sites could/should harden their infrastructures.
Watch the presentation, or download the slides. (PDF warning)
Watch for future blog posts that extract and expand upon some of those examples.
Thanks to the BSidesDC folks for a great conference, and to ComputeCycle for the recordings!
0 comments | Posted by Hank at: 12:45 permalink |
Password Security Research Featured in the Huffington Post | 2014-10-17 12:00 |
0 comments | Posted by Klayton at: 12:00 permalink |
Vuln Analysis: Classic write-what-where in XP's BthPan | 2014-10-07 18:00 |
Recently, we came across the BthPan.sys driver while researching Microsoft's Bluetooth implementation within 32-bit Windows XP (SP3), and after conducting a number of fuzzing tests, we discovered that this driver has a vulnerability known as a write-what-where condition. It should be noted that the BthPan.sys driver is not enabled or even installed by default. Thus, the attack described below will only function if the end user or operating system administrator has installed the driver, such as via 'Add/Remove Programs' within the Control Panel, or installing some hardware driver that implicitly enables it.
0 comments | Posted by Matt at: 18:00 permalink |
CISO's Corner: Password Cracking Best Practices and Myths | 2014-10-02 16:00 |
2 comments | Posted by Bob at: 16:00 permalink |
FTimes 3.11.0 Released | 2014-07-30 16:00 |
0 comments | Posted by Klayton at: 16:00 permalink |
KLogTail 1.2.0 Released | 2014-07-22 14:00 |
0 comments | Posted by Klayton at: 14:00 permalink |
Repository Tampering: What You Don't Know Can Hurt You | 2014-06-26 18:05 |
This scenario may seem far-fetched, but think about all of the breaches of software vendors you've read about: Adobe, the victims of Aurora, APT1, etc. Who says they only had their code read?
0 comments | Posted by Hank at: 18:05 permalink |
Callback Functions in Malware | 2014-05-27 15:18 |
0 comments | Posted by Tyler at: 15:18 permalink |
MASTIFF Updates and Git SSL Issue | 2014-04-17 01:50 |
The updates are described below.
0 comments | Posted by Tyler at: 01:50 permalink |
Mini-Crack Me If You Can for ISSW 2014 | 2014-04-07 11:45 |
We made the challenge pretty simple, with 1-2 hashes that were a little bit harder.
The winner was Scot Perkins. Congratulations to the winner! Here are the hashes we posted if you want to play along after the fact:
0 comments | Posted by Rick at: 11:45 permalink |
PathWell Topologies | 2014-04-04 20:55 |
Watch a presentation on PathWell, or download the slides here.
The PathWell software is not yet public, but people have frequently asked us to publish the list of the most popular topologies within enterprises that we compiled during that research. So, that is what we are doing today.
1 comment | Posted by Rick at: 20:55 permalink |
MASTIFF in KoreLogic Git Repository | 2014-03-25 16:03 |
git clone https://github.com/KoreLogicSecurity/mastiff
0 comments | Posted by Tyler at: 16:03 permalink |
ShmooCon Epilogue Prologue: PathWell | 2014-01-09 15:14 |
Over the past couple of years, we - mostly my coworker Rick Redman (Minga) - have given many talks about how enterprise password strength enforcement rules, as currently implemented, are broken and harmful. They make enterprise passwords easy to crack. The only thing worse than having them is not having them.
PathWell ("Password Topology Histogram Wear-Leveling") introduces a new dimension for measuring and enforcing enterprise password strength that attempts to take away from the attacker the advantages that they currently have when cracking (or even just flat-out guessing blindly) an enterprise's passwords.
0 comments | Posted by Hank at: 15:14 permalink |
Converting IDA PAT to Yara Signatures | 2013-11-15 13:15 |
0 comments | Posted by Tyler at: 13:15 permalink |
MASTIFF on Mac OS X | 2013-10-30 17:22 |
This week MASTIFF was finally tested and proven to work on Mac OS X. Mac OS X 10.8.5 (Mountain Lion) was used during testing, although other versions of OS X will likely work as well.
The instructions to install MASTIFF on Mac OS X are below. In these instructions we used Homebrew to install a number of packages. There are many ways to install packages on OS X; this is the one that was chosen this time.
0 comments | Posted by Tyler at: 17:22 permalink |
CMIYC 2013 Encrypted Challenge Files, Password Creation, and Hints | 2013-09-04 23:59 |
Encrypted File Types
Each encrypted file type had an Easy, Medium, and Hard file, with increasingly complex passphrases.
2 comments | Posted by Hank at: 23:59 permalink |
Mini-Password Cracking Challenge for LOLBitCoin Party | 2013-08-12 12:12 |
I supplied the following NTLM hashes:
0 comments | Posted by Rick at: 12:12 permalink |
CMIYC 2013 Post-game | 2013-08-08 15:15 |
In this post I'll talk a little about the structural changes we made in this year's DEFCON contest, what we think worked well, and what did not. We'd love feedback that we can use when planning future contests.
Structure
1 comment | Posted by Hank at: 15:15 permalink |
Submerging a GPU Cluster in Mineral Oil | 2013-06-05 20:55 |
Although this idea isn't really all that new (Cray did it in 1985!), our use of it is relatively rare. We dipped a GPU-powered password cracking system in the oil. Thanks to Midas Green Tech's help, it was really easy to do. Our hardware wasn't new or even custom, but it's running, right now, in mineral oil.
So, why did we do it?
2 comments | Posted by Rick at: 20:55 permalink |
Crack Me If You Can 2013 Is On! | 2013-05-09 21:15 |
We've been planning what to do for this year's contest, combining all our lessons learned. We'll get the 2013 site up and start announcing structure and rules soon.
0 comments | Posted by Hank at: 21:15 permalink |
MASTIFF 0.6.0 Released | 2013-04-19 09:50 |
The official changelog is located here, but the major improvements are described below.
Upgrading MASTIFF to the latest version is easy. You can follow this process:
- Download and install pydeep.
- Download MASTIFF 0.6.0 and untar it.
- Run "make test" to ensure you are not missing any dependencies.
- Run "sudo make install" to install the latest version.
- Copy the analysis plug-ins (the plugins directory in the tarball) to your location of choice and ensure the config file is pointing to that directory.
- Add any new options to your MASTIFF config file. The easiest way may be to use sdiff.
0 comments | Posted by Tyler at: 09:50 permalink |
FTimes 3.10.0 Released | 2013-04-01 18:15 |
0 comments | Posted by Klayton at: 18:15 permalink |
KLEL 1.1.0 Released | 2013-02-15 17:36 |
The latest version of KLEL, 1.1.0, has just been released! It's available for download at its SourceForge site.
This release brings a much cleaner and faster parser, and a more consistent API for developers. The KLEL standard library has been extended with a family of "abort" functions to trigger runtime errors in expressions.
0 comments | Posted by Rob at: 17:36 permalink |