There has been a lot of changes lately with CyDefe Labs. We are currently partnered with Cybrary and are providing assessments for their courses. If you are interested in trying out our challenges visit the Cybrary market place to try out our content.
It's been a crazy past month for CyDefe Labs. We have almost 600 players now, tons of new challenges, and some awesome partnerships we are working on. Partnerships such as working with the Midwest Cyber Center as well as Dragos Inc. We also have great content on the way for all of our players and we cant wait to show it off. If you like the content we have produced so far you are going to really enjoy what is coming down the pipeline.
What do we have in store for our amazing players? We have more reverse engineering challenges, brand new ICS related challenges, and a live environment with network traffic to analyze and windows boxes to exploit. The live environment will be hosted by the Midwest Cyber Center, and the ICS related content will be provided by Dragos Inc. A big thank you to both of those partners for their contributions to our platform.
We will also be pumping out more tool usage tutorial on our CyDefe blog so keep and eye for them as well. A few of those tutorials just may help you solve a handful of our challenges, and some of them will be general good to know tools. Either way you will learn something new.
If you are interested in submitting content we would love to have it. Players can submit blog posts, or challenges for our players. If you do submit content you will be listed as a content creator and we will highlight your awesome contributions to our free infosec training platform.
As always a big thank you to all our players, keep checking back every week for our new content., and happy hacking everyone.
The hacker methodology is comprised of a few different phases. They are recon (both active and passive), gaining access (aka exploitation), Escalation of privilege, maintaining access, and covering tracks. Over the next few weeks I will be covering basics for each of these phases and a few tools for accomplishing these phases.
The recon phase of an assessment can be broken down into two parts. The passive recon phase (often called OSINT[Open Source Intel]) and the active recon phase (often called scanning and enumeration). For this article I will be discussing the passive recon, it’s benefits, and some techniques for performing passive recon.
The biggest benefit that can be gained from passive recon is gaining a better understanding of the environment that you will be assessing. For that a few tools that can be used are nslookup, dig, whois, dnsdumpster, and google dorks. These tools will help you paint a picture of the environment, users in that environment, and potential targets for your assessment. These are only a few of the tools that can be used. There are many many more available and I will be writing more guides over the coming weeks.
Some of the first tools I would use to gain information are nslookup and dig, which are two command line based tools that can be found in linux nativley. You can utilize both nslookup and dig in windows as well however you will have to install dig. These tools allow you to check records for a domain like A, MX, TXT, PTR and other advanced DNS records. An example of how these tools would be used is
$ dig google.com
; <<>> DiG 9.10.3 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4373
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 81 IN A 184.108.40.206
;; Query time: 12 msec
;; SERVER: 220.127.116.11#53(18.104.22.168)
;; WHEN: Fri Feb 02 09:00:36 CST 2018
;; MSG SIZE rcvd: 55
$ nslookup google.com
As you can see from this we gain important IP information about our target. This gives us a starting point for further information gathering in the passive phase and targets for our active phase.
The next tool I would utilize is whois. Whois is a web based tool, however there is a cmd line version you can use as well. This tool will give you information such as the domain name, what registrar was used to register the domain, when it was registered, when the registration expires, who registered it, and contact info. This information can tell us a few different things. We know how far back to look with the waybackmachine to identify any kind of sensitive information that may have been on the companies website as well as any web functionality(such as admin pages) they may now be hiding.Read More
Below is a quick guide for dumping and analyzing windows and linux memory. If you wish to utilize the volitility framework it can be found at volatilityfoundation.org. This guide will help you with some of the challenges available on CyDefe Labs. Check those out at Labs.CyDefe.com
Check back frequently for more guides, tips, and trick with DFIR, pentesting, reverse engineering and much much more. Many of the guides and tips we will be post will help you in real world environments and with our platform. Happy hacking everyone.
a. C:\> winpmem_<version>.exe -o F:\mem.aff4
b. C:\> winpmem_<version>.exe F:\mem.aff4 -e PhysicalMemory -o mem.raw
a. ./linpmem_<version>.post4 -o F:\mem.aff4
b. ./linpmem_<version>.post4 F:\mem.aff4 -e PhysicalMemory -o mem.raw
3. Linux Alt
a. sudo dd if=/dev/fmem of=/tmp/memory.raw bs=1MB
Example usage: ./volatility_<version>_lin64_standalone --profile=<profile name> <command> -f <memory file name>
LISTING AVAILABLE PROFILES
1. info - Displays a list of profiles
a. ./volatility_<version>_lin64_standalone --info
ROGUE PROCESS IDENTIFICATION
1. pslist - High level view of running processes
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> pslist -f <memory file name>
2. psscan - Scan memory for EPROCESS blocks
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> psscan -f <memory file name>
3. pstree - Display parent-process relationships
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> pstree -f <memory file name>
1. psxview - Find hidden processes using cross-view
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> psxview -f <memory file name>
2. modscan - Scan memory for loaded, unloaded, and
a. unlinked drivers
i. # ./volatility_<version>_lin64_standalone --profile=<profile name> modscan -f <memory file name>
3. apihooks - Find API/DLL function hooks
a. -p Operate only on specific PIDs
b. -Q Only scan critical processes and DLLS
i. # ./volatility_<version>_lin64_standalone --profile=<profile name> apihooks -f <memory file name>
4. ssdt - Hooks in System Service Descriptor Table
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> ssdt | egrep –v ‘(ntoskrnl|win32k)’ -f <memory file name>
5. driverirp - Identify I/O Request Packet (IRP) hooks
a. -r Analyze drivers matching REGEX name pattern
i. # ./volatility_<version>_lin64_standalone --profile=<profile name> driverirp –r tcpip -f <memory file name>
6. idt - Display Interrupt Descriptor Table
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> idt -f <memory file name>
1. Connections - List of open TCP connections
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> connections -f <memory file name>
2. connscan - ID TCP connections, including closed
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> connscan -f <memory file name>
3. sockets - Print listening sockets (any protocol)
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> sockets -f <memory file name>
4. sockscan - ID sockets, including closed/unlinked
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> sockscan -f <memory file name>
5. netscan - Scan for connections and sockets
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> netscan -f <memory file name>Read More
We are back after a very long break due to work. In this episode we have brand new intro music, discuss the yahoo hack and a apache tomcat vulnerability, and record in the same room for the first time in 2.5 years.
Have I been pwned?: https://haveibeenpwned.com/
Apache misconfiguration: Below are examples of misconfigurtions in the web.xml file.
<init-param> <param-name>readonly</param-name> <param-value>false</param-value> </init-param>
Is this context "read only", so HTTP commands like PUT and DELETE are rejected? [true]
New intro music provided by GIANT MONSTERS ON THE HORIZON:
http://giantmonstersonthehorizon.com/ https://www.facebook.com/giantmonstersonthehorizon/ https://open.spotify.com/artist/4HmglWNfF7jAYQxbEjv9Xt
On this episode we discuss malware being discovered pre-installed on android devices. We also discuss Confide and how it isn't as secure as we thought it was.
list of infected smartphones:
Galaxy Note 2
Galaxy Note 4
Galaxy Note 5
Xiaomi Mi 4i
Galaxy Note 3
Galaxy Note Edge
Galaxy Tab S2
Galaxy Tab 2
Vivo X6 plus
Asus Zenfone 2
What is TOR?
Tor allows users to browse the Web anonymously and is run by volunteers worldwide. This Software is a browser and is developed by the Tor Project. The software goes by the alternative names "The Onion Router", and TOR browser. By using this software TOR allows individuals to access "the deep web" which is the not indexed portion of the internet
Why is this software called "The Onion Router"? TOR uses uses a technique called onion routing to conceal the users activity. How does this work? The Tor Browser connects to several different relays, wiping its tracks each step of the way, making it difficult to figure out where, and who, you really are.
How to get started
First you need to download the TOR browser. This software is a modified version of firefox. The software is available for Windows, Linux, and Mac OS. If your looking for a mobile version you can download the android app as well. The mobile app can be found in the google play store a second option is the apk which can be found here.
How to install
tar xzf tor-0.2.9.9.tar.gz cd tor-0.2.9.9 ./configure && make make install
then simply type tor into your terminal to launch the TOR browser
Run the .exe install file.
Once install browse to the folder called Tor Browser and inside you'll see "Start Tor Browser.exe". After you click Start Tor Browser.exe you will recieve a prompt with the option to connect.
After you select connect the TOR browser will launch.
On this episode we talk about the return of carbanak and an individual facing jail time for creating keyloggers.
If you want to watch a recording of our podcast check out the video below.
On this episode we talk about Microsoft's new privacy dashboard, and a lot of ransom happening in the cyber world.
This months puzzle is a programming puzzle.
You have to create code for a computer which uses a language from the 90s. There are only a couple characters it takes and for some reason it is really sensitive to more than 50 characters of input. You need to get it to print out 1000 Xs and it's memory will overload and shutdown.
Wikipedia List of Programming Languages
On this episode mike and i wrap up 2016. Giving some insight into this past years news stories and giving some suggestions for this upcoming year.
On this episode we talk about the mirai botnet and get a bit off topic.
On this episode we discuss a USB killing device, Krebs on security getting DDoSed by an IOT bot, and another data breach.
Check out syncurity at https://www.syncurity.net/ and on twitter @syncurity
On this episode we discuss password leaks from Last.FM and Opera browser.
On this episode Micheal and i talk about CVE-2016-5696 better known as the off path attack.
in /etc/sysctl.conf set the following value
net.ipv4.tcp_challenge_ack_limit = 999999999
Then load the configuration with
# sysctl -p
On this weeks episode we are joined by Ben0xA who works for https://www.trustedsec.com you can follow him on twitter @Ben0xA. This week we discuss Macs and iPhones have a Stagefright-style bug, Android banking malware blocks victims’ outgoing calls to customer service, Hidden 'backdoor' in Dell security software gives hackers full access, and Companies failing to plan for many cyber dangers.
Remember to follow us on twitter @CyDefe and please support us on patreaon patreon https://www.patreon.com/cydefe
Dell back door security advisory - https://www.digitaldefense.com/ddi-six-discoveries/
This is the third minicast. Dont worry we will soon be going back to our full podcasts.
In this episode we discuss the HummingBad Android malware being distributed by yingmob.
This is the second episode of the CyDefe minicast. On this episode we are joined by Dave Kennedy and Ben Miller
On this episode we discuss Facebook being sued over privacy concerns, Facebook tracking non-users, and audio fingerprinting being used to track web users.
This is the first episode of the CyDefe minicast. We will be doing a lot of minicasts in-between our main podcast to keep delivering awesome content to our listeners.
On this episode we discuss the LinkedIn breach and its impact today.
From the show
krebs on security list