Episode 25 The One With Frank McGovern

On this episode we discuss Drovorub, Blue Team Con, a Snapdragon chip flaw, and some more conspiracy theories.

Show Notes:

  1. Guidance for running Volatility, probing for file hiding behavior, Snort rules, and Yara rules.

    1. https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF

  2. Blue team con info

    1. Dates: 28-29 August 2021

    2. Website: https://blueteamcon.com/

    3. Twitter: @BlueTeamCon

New Lab Alert!

Hashing has become a critical part of the information security landscape, from adding an extra layer of security when you store data to verifying the integrity of files. This lab will test your ability to both generate and decode hashes. The hashing algorithms used in these labs are utilized every day in corporate environments. By knowing how to generate hashes, users can ensure and verify data integrity. Being able to crack hashes gives an auditor the ability to validate the strength of passwords generated by their users.

You can find this awesome CyDefe Labs assessment through Cybrary. Check it out at https://www.cybrary.it/catalog/assessment/hashing-assessment/


CyDefe Labs and Cybrary

Want to check out all of the amazing content we have to offer on CyDefe labs? Go to https://www.cybrary.it/catalog/ and search for CyDefe. Once you choose one of our sets of challenges you will be redirected into our platform.

What categories do our challenges cover?

SOC (Junior)
SOC (Entry)
SOC (Senior)
CTF
Pentest
Attacks 101
ATT&CK Matrix
Basic Network Devices
Basic Network Protocols
Cable basics
Cryptography
Encryption basics
Incident Response
Linux Basics
Linux System Admin Basics
Memory Analysis Basics
Network Types
OSI Model
OSINT
Packet Analysis
Packet Analysis Basics
Password Hashes
Recon
Registry Analysis
Reverse Engineering
Steganography
TCP/IP basics
Vulnerability Scan
Windows Basics
ICS Packet Analysis


Labs update

There have been a lot of changes lately with CyDefe Labs. We are currently partnered with Cybrary and are providing assessments for their courses. If you are interested in trying out our challenges, visit the Cybrary marketplace.

CyDefe Labs quick update

It's been a crazy past month for CyDefe Labs. We have almost 600 players now, tons of new challenges, and some awesome partnerships we are working on, such as working with the Midwest Cyber Center as well as Dragos Inc. We also have great content on the way for all of our players and we can't wait to show it off. If you like the content we have produced so far you are going to really enjoy what is coming down the pipeline.

What do we have in store for our amazing players? We have more reverse engineering challenges, brand new ICS related challenges, and a live environment with network traffic to analyze and Windows boxes to exploit. The live environment will be hosted by the Midwest Cyber Center, and the ICS related content will be provided by Dragos Inc. A big thank you to both of those partners for their contributions to our platform.

We will also be pumping out more tool usage tutorials on our CyDefe blog, so keep an eye out for them as well. A few of those tutorials just may help you solve a handful of our challenges, and some of them will cover generally good-to-know tools. Either way you will learn something new.

If you are interested in submitting content we would love to have it. Players can submit blog posts, or challenges for our players. If you do submit content you will be listed as a content creator and we will highlight your awesome contributions to our free infosec training platform.

If you want to help keep CyDefe labs running please either donate to our Patreon at https://www.patreon.com/CyDefe or buy some swag at https://www.cafepress.com/cydefe 

As always a big thank you to all our players. Keep checking back every week for our new content, and happy hacking everyone.

Hacker methodology 101: recon basics

The hacker methodology is made up of a few phases: recon (both active and passive), gaining access (also known as exploitation), privilege escalation, maintaining access, and covering tracks. Over the next few weeks I will cover the basics of each of these phases and a few tools for accomplishing them.

The recon phase of an assessment can be broken down into two parts: passive recon (often called OSINT, open source intelligence) and active recon (often called scanning and enumeration). In this article I will discuss passive recon, its benefits, and some techniques for performing it.

The biggest benefit of passive recon is a better understanding of the environment you will be assessing. A few tools that help with this are nslookup, dig, whois, dnsdumpster, and Google dorks. They help you paint a picture of the environment, the users in it, and potential targets for your assessment. These are only a few of the tools that can be used; there are many more available, and I will be writing more guides over the coming weeks.

Some of the first tools I would use to gain information are nslookup and dig, two command line tools that are available natively on Linux. Both can be used on Windows as well, although dig has to be installed. These tools let you query a domain's records, such as A, MX, TXT, PTR and other DNS record types. An example of how these tools are used:

$ dig google.com

; <<>> DiG 9.10.3 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4373
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 81 IN A 172.217.9.14

;; Query time: 12 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Feb 02 09:00:36 CST 2018
;; MSG SIZE rcvd: 55

and

$ nslookup google.com
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: google.com
Address: 172.217.14.174

As you can see from this we gain important IP information about our target. This gives us a starting point for further information gathering in the passive phase and targets for our active phase.
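The answer section of a dig reply is the same data a defender reviews when auditing the organisation's own external DNS footprint, and it is more useful in structured form than as raw text. The parser below is an added example, not part of the original guide; it reads a constructed dig transcript shaped like the one above (with an MX line under the reserved .invalid TLD added so more than one record type is exercised) and returns the response status plus the parsed records.

```python
import re
from collections import namedtuple

# Constructed sample shaped like the dig transcript shown above, with an extra
# MX record (placeholder host under the reserved .invalid TLD) added.
SAMPLE_DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4373
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;google.com.\t\t\tIN\tA

;; ANSWER SECTION:
google.com.\t\t81\tIN\tA\t172.217.9.14
google.com.\t\t300\tIN\tMX\t10 mail.example.invalid.

;; Query time: 12 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
"""

Record = namedtuple("Record", "name ttl rclass rtype rdata")

def parse_dig(text):
    """Return (status, [Record, ...]) parsed from dig's default output.
    Only the ANSWER SECTION is read; a blank line closes a section."""
    status, records, in_answer = None, [], False
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            status = m.group(1) if m else None
        elif line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif not line.strip():
            in_answer = False
        elif in_answer and not line.startswith(";"):
            parts = line.split(None, 4)  # name ttl class type rdata
            if len(parts) == 5 and parts[1].isdigit():
                records.append(Record(parts[0], int(parts[1]), parts[2], parts[3], parts[4]))
    return status, records

def records_by_type(records):
    """Group rdata strings by record type, e.g. {'A': [...], 'MX': [...]}."""
    grouped = {}
    for r in records:
        grouped.setdefault(r.rtype, []).append(r.rdata)
    return grouped
```

Run the same parser over the output of dig for each record type (A, MX, TXT, PTR) to build an inventory of what the domain exposes publicly.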

The next tool I would utilize is whois. Whois is a web based tool, but there is a command line version you can use as well. It gives you information such as the domain name, the registrar used to register the domain, when it was registered, when the registration expires, who registered it, and contact info. This tells us a few different things. We know how far back to look with the Wayback Machine to identify any sensitive information that may have been on the company's website, as well as any web functionality (such as admin pages) they may now be hiding.

Tools 101: Volatility Usage

Below is a quick guide for dumping and analyzing Windows and Linux memory. If you wish to use the Volatility framework it can be found at volatilityfoundation.org. This guide will help you with some of the challenges available on CyDefe Labs. Check those out at Labs.CyDefe.com

Check back frequently for more guides, tips, and tricks for DFIR, pentesting, reverse engineering and much more. Many of the guides and tips we will be posting will help you in real world environments and with our platform. Happy hacking everyone.

MEMORY ACQUISITION

WINPMEM/LINPMEM

1.  Windows

  a.       C:\> winpmem_<version>.exe -o F:\mem.aff4

  b.       C:\> winpmem_<version>.exe F:\mem.aff4 -e PhysicalMemory -o mem.raw

2.  Linux

  a.       ./linpmem_<version>.post4 -o /tmp/mem.aff4

  b.       ./linpmem_<version>.post4 /tmp/mem.aff4 -e PhysicalMemory -o mem.raw

3. Linux Alt

  a. sudo dd if=/dev/fmem of=/tmp/memory.raw bs=1MB

VOLATILITY USAGE

      Example usage: ./volatility_<version>_lin64_standalone --profile=<profile name> <command> -f <memory file name>

LISTING AVAILABLE PROFILES

1.  info - Displays a list of profiles

  a.  ./volatility_<version>_lin64_standalone --info

ROGUE PROCESS IDENTIFICATION

1.  pslist - High level view of running processes

  a.  # ./volatility_<version>_lin64_standalone --profile=<profile name> pslist -f <memory file name>

2.  psscan - Scan memory for EPROCESS blocks

  a.  # ./volatility_<version>_lin64_standalone --profile=<profile name> psscan -f <memory file name>

3.  pstree - Display parent-process relationships

  a.  # ./volatility_<version>_lin64_standalone --profile=<profile name> pstree -f <memory file name>

ROOTKIT IDENTIFICATION

1.  psxview - Find hidden processes using cross-view

  a.  # ./volatility_<version>_lin64_standalone --profile=<profile name> psxview -f <memory file name>

2.  modscan - Scan memory for loaded, unloaded, and unlinked drivers

  a.  # ./volatility_<version>_lin64_standalone --profile=<profile name> modscan -f <memory file name>

3.  apihooks - Find API/DLL function hooks

  a.  -p Operate only on specific PIDs

  b.  -Q Only scan critical processes and DLLS

     i.   # ./volatility_<version>_lin64_standalone --profile=<profile name> apihooks -f <memory file name>

4.  ssdt - Hooks in System Service Descriptor Table

  a.  # ./volatility_<version>_lin64_standalone --profile=<profile name> ssdt -f <memory file name> | egrep -v '(ntoskrnl|win32k)'

5.  driverirp - Identify I/O Request Packet (IRP) hooks

  a.  -r Analyze drivers matching REGEX name pattern

     i.   # ./volatility_<version>_lin64_standalone --profile=<profile name> driverirp -r tcpip -f <memory file name>

6.  idt - Display Interrupt Descriptor Table

  a.  # ./volatility_<version>_lin64_standalone --profile=<profile name> idt -f <memory file name>

NETWORK ARTIFACTS

1.  connections - List of open TCP connections

  a.  # ./volatility_<version>_lin64_standalone --profile=<profile name> connections -f <memory file name>

2.  connscan - ID TCP connections, including closed

  a.  # ./volatility_<version>_lin64_standalone --profile=<profile name> connscan -f <memory file name>

3.  sockets - Print listening sockets (any protocol)

  a.  # ./volatility_<version>_lin64_standalone --profile=<profile name> sockets -f <memory file name>

4.  sockscan - ID sockets, including closed/unlinked

  a.  # ./volatility_<version>_lin64_standalone --profile=<profile name> sockscan -f <memory file name>

5.  netscan - Scan for connections and sockets

  a.  # ./volatility_<version>_lin64_standalone --profile=<profile name> netscan -f <memory file name>
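The cross-view idea behind psxview, reduced to the pslist/psscan pair, as an added example that is not code from the Volatility project or the original guide. It runs on constructed tables shaped like Volatility 2 pslist and psscan output (invented offsets and PIDs, a placeholder updater.exe) and reports processes the pool scanner finds but the linked process list does not, separating live entries from ones that merely exited.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "offset name pid ppid exited")
TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")

# Constructed samples shaped like Volatility 2 pslist/psscan output.
# PID 1337 is only in psscan and still running: the cross-view hit.
# PID 2020 is only in psscan but has an exit time: ordinary pool residue.
PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     58      379 ------      0
0x82146da8 smss.exe                544      4      3       21 ------      0 2012-07-22 02:42:31 UTC+0000
0x821a2da0 csrss.exe               608    544      9      326      0      0 2012-07-22 02:42:32 UTC+0000
0x81f2c020 svchost.exe            1004    668     64     1118      0      0 2012-07-22 02:42:33 UTC+0000
"""
PSSCAN_OUTPUT = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x00000000023c89c8 System                4      0 0x00319000
0x0000000002146da8 smss.exe            544      4 0x00ba0080 2012-07-22 02:42:31 UTC+0000
0x00000000021a2da0 csrss.exe           608    544 0x03a3f000 2012-07-22 02:42:32 UTC+0000
0x0000000001f2c020 svchost.exe        1004    668 0x06cc0360 2012-07-22 02:42:33 UTC+0000
0x0000000001e0b9d8 updater.exe        1337    668 0x07d10040 2012-07-22 03:10:05 UTC+0000
0x0000000001d57a10 notepad.exe        2020    608 0x08aa0120 2012-07-22 02:50:00 UTC+0000 2012-07-22 02:51:12 UTC+0000
"""

def parse_process_table(text):
    """Parse a pslist or psscan table into {pid: Proc}; data rows start with 0x."""
    procs = {}
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue  # header, separator or blank line
        f = line.split()
        exited = len(TIMESTAMP.findall(line)) == 2  # both create and exit stamps present
        procs[int(f[2])] = Proc(f[0], f[1], int(f[2]), int(f[3]), exited)
    return procs

def cross_view(pslist_text, psscan_text):
    """psxview's core idea for one pair of views: a process that psscan finds in
    pool memory but pslist's linked list lacks, and that has not exited, is a
    candidate for DKOM-style hiding and deserves a closer look."""
    listed = parse_process_table(pslist_text)
    scanned = parse_process_table(psscan_text)
    only_scanned = [p for pid, p in scanned.items() if pid not in listed]
    return {"hidden": [p for p in only_scanned if not p.exited],
            "terminated": [p for p in only_scanned if p.exited]}
```

The real psxview adds further views (thread scans, PspCid table, csrss handles, sessions) and a process must be absent from the list views but present in the scans before it is worth escalating.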

Minicast #12 The one where we record in the same room again.

We are back after a very long break due to work. In this episode we have brand new intro music, discuss the Yahoo hack and an Apache Tomcat vulnerability, and record in the same room for the first time in 2.5 years.

Show Notes:

Have I been pwned?: https://haveibeenpwned.com/

Apache misconfiguration: below are examples of misconfigurations in the web.xml file.

<init-param>
<param-name>readonly</param-name>
<param-value>false</param-value>
</init-param>

or

Is this context "read only", so HTTP commands like PUT and DELETE are rejected? [true]
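An added check, not from the show notes or from Tomcat itself, that a config reviewer can run against a conf/web.xml: it parses a constructed web.xml fragment carrying the readonly=false setting shown above, reports the DefaultServlet's effective readonly value (Tomcat's default is true when the parameter is absent, and only the literal string "true" counts), and keeps the corrected fragment beside the weak one.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment in the shape of Tomcat's conf/web.xml, carrying
# the weak setting from the show notes: readonly=false on the DefaultServlet.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""
# The corrected configuration: the same file with the value flipped to true.
HARDENED_WEB_XML = WEAK_WEB_XML.replace("<param-value>false<", "<param-value>true<")

def local(tag):
    """Drop the XML namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]

def default_servlet_readonly(xml_text):
    """Effective 'readonly' of the DefaultServlet: True/False, or None if no
    DefaultServlet is declared. A missing init-param means Tomcat's default
    (true); like Tomcat's Boolean parsing, only the string "true" is true."""
    root = ET.fromstring(xml_text)
    for servlet in root.iter():
        if local(servlet.tag) != "servlet":
            continue
        cls = next((c.text or "" for c in servlet if local(c.tag) == "servlet-class"), "")
        if not cls.strip().endswith("DefaultServlet"):
            continue
        for param in (c for c in servlet if local(c.tag) == "init-param"):
            kv = {local(e.tag): (e.text or "").strip() for e in param}
            if kv.get("param-name") == "readonly":
                return kv.get("param-value", "").lower() == "true"
        return True
    return None

def audit(xml_text):
    """One-line finding for a config review."""
    ro = default_servlet_readonly(xml_text)
    if ro is None:
        return "INFO: no DefaultServlet declared"
    return ("OK: readonly=true, PUT/DELETE rejected" if ro
            else "WEAK: readonly=false, PUT/DELETE accepted on this context")
```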

New intro music provided by GIANT MONSTERS ON THE HORIZON:

http://giantmonstersonthehorizon.com/

https://www.facebook.com/giantmonstersonthehorizon/

https://open.spotify.com/artist/4HmglWNfF7jAYQxbEjv9Xt

Minicast #11 The one about Confide

On this episode we discuss malware being discovered pre-installed on Android devices. We also discuss Confide and how it isn't as secure as we thought it was.

Show Notes:

Contest: http://www.cydefe.com/root9b/

List of infected smartphones:

  • Galaxy Note 2

  • LG G4

  • Galaxy S7

  • Galaxy S4

  • Galaxy Note 4

  • Galaxy Note 5

  • Xiaomi Mi 4i

  • Galaxy A5

  • ZTE x500

  • Galaxy Note 3

  • Galaxy Note Edge

  • Galaxy Tab S2

  • Galaxy Tab 2

  • Oppo N3

  • Vivo X6 plus

  • Nexus 5

  • Nexus 5X

  • Asus Zenfone 2

  • Lenovo S90

  • Oppo R7 plus

  • Xiaomi Redmi

  • Lenovo A850

Beginners guide for TOR

What is TOR?

Tor allows users to browse the web anonymously and is run by volunteers worldwide. The software is a browser developed by the Tor Project, and it also goes by the names "The Onion Router" and Tor Browser. Tor allows individuals to access "the deep web", the portion of the internet that is not indexed.

Why is this software called "The Onion Router"? Tor uses a technique called onion routing to conceal the user's activity. How does this work? The Tor Browser connects to several different relays, wiping its tracks at each step of the way, making it difficult to figure out where, and who, you really are.

How to get started

First you need to download the Tor Browser, a modified version of Firefox. The software is available for Windows, Linux, and Mac OS. If you're looking for a mobile version you can download the Android app as well; it can be found in the Google Play Store, and a second option is the APK, which can be found here.

How to install

Linux

tar xzf tor-0.2.9.9.tar.gz
cd tor-0.2.9.9
./configure && make
make install

Then simply type tor into your terminal to launch the TOR browser.

Windows

Run the .exe install file.

Once installed, browse to the folder called Tor Browser and inside you'll see "Start Tor Browser.exe". After you click Start Tor Browser.exe you will receive a prompt with the option to connect.

After you select connect the TOR browser will launch.


Monthly puzzle #4

This month's puzzle is a programming puzzle.

You have to create code for a computer that uses a language from the 90s. There are only a couple of characters it takes, and for some reason it is really sensitive to more than 50 characters of input. You need to get it to print out 1000 Xs, and its memory will overload and shut down.

Hint:

Wikipedia List of Programming Languages