Saturday 20 December 2014

Malware Analysis of very basic EXE file


Hi,

Going one step further, we will analyze a simple EXE file and figure out what it is all about.


For a very basic understanding of compiling and linking, you can refer to the diagram below:



















1. Source code written in a programming language [C, C++] is kept in a source code file, which we save as .c or .cpp.
2. The compiler's job is to take this file as input and create an object code file.
3. The linker's job is to add references to the external library files included in the code and create the executable.


Library files are created to reduce the programmer's work of writing code for basic functionality.

Ex. You would not want to rewrite code in C for creating a process, creating a file, creating a service, etc. Microsoft has already created DLL files containing functions which a programmer can import and use to perform these tasks.


Every executable contains multiple function calls and library imports, and we will shortly analyse those in order to conclude that the file is performing some malicious activity.


Let's start with a sample .exe file, "mfc7sys.exe", which I think is a suspicious file by looking at Task Manager.















By looking at Process Explorer we get the file path and registry locations:
















Let's go ahead and check what is at the registry location and directory path:

















Looking at the above screenshots, it's clear that this program's entry is present in the registry "RUN" key, which means this program will start at boot.

There are 2 files, an EXE and a DLL. It seems the EXE is using the "mfc7sys.dll" file for XYZ functionality which is yet to be explored.
















Now it's clear that the program is trying to receive keyboard input using "SetWindowsHookEx", which is the most popular method used by keyloggers and spyware.
































Looking at the above screenshots, you will see the program is using create file, copy file and write file calls, and the purpose of this program now seems clear: it's a type of keylogger.


Taking a closer look at Process Monitor, you will observe a txt file created with the same name as the process:
"mfc7sys.txt"
















Captured keystrokes are stored in this text file:

















We can also perform a simple string analysis of "mfc7sys.dll", and the result is the same:
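The string analysis described above can be scripted. This is an added example, not code from the original post: it pulls printable ASCII and UTF-16LE strings out of a binary and groups the API names the post observed. The sample bytes are constructed for the demo and are not the real mfc7sys.dll; the meaning labels and the file-name pattern are assumptions of this example.

```python
import re

# API names the post saw in the sample; the meaning labels are this example's own.
SUSPICIOUS_APIS = {
    "SetWindowsHookEx": "input hooking",
    "CreateFile": "file creation",
    "WriteFile": "file write",
    "CopyFile": "file copy",
}
# Assumed pattern for data files a logger might write to.
FILE_NAME = re.compile(r"[\w.-]+\.(?:txt|log|dat)$", re.IGNORECASE)

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII and UTF-16LE runs, as a strings utility would report them."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    out = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    out += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return out

def triage(data: bytes) -> dict:
    """Group extracted strings into API indicators and referenced file names."""
    report = {"apis": {}, "files": set()}
    for s in extract_strings(data):
        for api, meaning in SUSPICIOUS_APIS.items():
            if api in s:  # substring match also catches the A/W import variants
                report["apis"].setdefault(meaning, set()).add(s)
        if FILE_NAME.search(s):
            report["files"].add(s)
    return report

# Constructed sample: NOT the real mfc7sys.dll, just bytes shaped like an
# import name table followed by one wide-character string.
SAMPLE = (
    b"\x00\x01\x02\xffUSER32.dll\x00\x8f\x02SetWindowsHookExA\x00"
    b"\x00\x00KERNEL32.dll\x00\x10\x03WriteFile\x00\x9c\x00CreateFileA\x00\x00"
    + "mfc7sys.txt".encode("utf-16le") + b"\x00\x00\x90\x90"
)

if __name__ == "__main__":
    result = triage(SAMPLE)
    for meaning, names in sorted(result["apis"].items()):
        print(f"{meaning}: {', '.join(sorted(names))}")
    print("files:", ", ".join(sorted(result["files"])))
```

A hooking API next to file-write APIs and a plain-text output file is the same combination the screenshots led to; any one of these strings alone is common in benign software.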

















Hope this article is helpful.

Regards,
eXpl0i13r






Detecting Simple UPX Packed EXEs with PEiD


Hi,

Packed programs are obfuscated programs containing a malicious program compressed inside them.
There are a lot of programs out there, but let's start with the basics: how we can pack a program, and how we can go about detecting such packers with very basic tools.
















So I have simply packed the string.exe program with the UPX packer, which is very famous and freely available, and on the right side we can detect with PEiD that the program is packed, which is helpful in malware analysis.
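A scripted version of the same check, as an added example that is not part of the original post. PEiD matches byte signatures; this example swaps in a simpler heuristic, reading the PE section table and looking for UPX's default section names (UPX0, UPX1) and an empty first section. The two test images are constructed header-only files, not real programs.

```python
import struct

def pe_sections(data: bytes) -> list:
    """Return (name, virtual_size, raw_size) for every section header in a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # 20-byte COFF file header
    (count,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size              # section table follows optional header
    sections = []
    for i in range(count):
        off = table + i * 40                  # each section header is 40 bytes
        name = data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace")
        vsize, _vaddr, raw_size = struct.unpack_from("<III", data, off + 8)
        sections.append((name, vsize, raw_size))
    return sections

def upx_indicators(data: bytes) -> list:
    """Heuristic reasons to suspect UPX; an empty list means none were found."""
    reasons = []
    secs = pe_sections(data)
    named = [n for n, _, _ in secs if n.startswith("UPX")]
    if named:
        reasons.append("UPX section names: " + ", ".join(named))
    if secs and secs[0][1] > 0 and secs[0][2] == 0:
        reasons.append("first section has no raw data (filled at run time)")
    return reasons

def build_pe(sections) -> bytes:
    """Constructed header-only image for the demo; it is not a loadable program."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    out = bytes(dos) + b"PE\x00\x00"
    out += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    for name, vsize, raw in sections:
        out += name.ljust(8, b"\x00") + struct.pack("<IIIIIIHHI", vsize, 0, raw, 0, 0, 0, 0, 0, 0)
    return out

PACKED = build_pe([(b"UPX0", 0x8000, 0), (b"UPX1", 0x4000, 0x3E00), (b".rsrc", 0x1000, 0x400)])
PLAIN = build_pe([(b".text", 0x2000, 0x2000), (b".data", 0x1000, 0x200)])

if __name__ == "__main__":
    print("packed:", upx_indicators(PACKED))
    print("plain: ", upx_indicators(PLAIN))
```

Section names are trivially renamed after packing, so an empty result does not prove a file is unpacked.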

Regards,
eXpl0i13r

Sunday 23 November 2014

CM Security App Lock Bypass on Samsung Galaxy Grand Prime


Hi,

On the Samsung Galaxy Grand Prime there is a setting called "Ultra Power Saving Mode",
which saves battery by running a minimum set of applications on your Android phone.

This option is specific to Samsung's new smartphones.

If you have installed CM Security App Lock to lock your WhatsApp/Facebook messages, you are at risk!


1. A Samsung phone with Ultra Power Saving Mode.
2. CM Security App Lock must be installed on the Android device.
3. Open Ultra Power Saving Mode from Settings and enable it.
4. As soon as you enable it, the Android device will only start selected applications, e.g. Browser/Call/SMS.
5. There is an option to add the WhatsApp/Facebook app. Add WhatsApp and that's it! You can access private messages locked with CM Security App Lock.

This is because when you put your Android device in Ultra Power Saving Mode, all processes apart from the selected ones are closed, and the CM Security App Lock process is one of them :)




Access to Whats App Messages































Regards,
eXpl0i13r

Saturday 30 August 2014

From XSS to Domain Admin


Hi,

I recently attended an elearning security webinar. It was quite interesting; the researcher demonstrated a way to get to Domain Admin from a simple stored XSS attack.

Inspired by that, I thought I would create my own scenario, and ended up creating this video of around 41 min 15 seconds!

My Setup :

Active Directory - Windows 2008 Server
Domain Machine - XP Machine [ With limited User Access ]
Web Server - Apache hosted with vulnerable application [ Ruubikcms ]
Pentester's Machine - Kali Linux


It was fun to create this scenario, setting up Active Directory, Web server and much more!

For reference I have created small PPT which depicts overall scenario.

Download It Here



From XSS to Domain Admin :

1. Stored XSS Malicious script injection.
2. Get access to Victim Computer [ Shell Access ]
3. Privilege Escalation
4. Domain Access


From XSS to Domain Admin - Part 1






From XSS to Domain Admin - Part 2







From XSS to Domain Admin - Part 3








Hope this will be helpful....

I would really appreciate it if you could comment on this video; it will help me work on those areas.


Regards,
eXpl0i13r








Thursday 21 August 2014

Android Meterpreter Shell Hack


It is fun to hack Android phones. It's not new, but it is still interesting, so I thought I would put it here...
The Metasploit Framework has different Android payloads, mentioned below:




















I have my HTC One V phone and it's rooted. The first thing we are going to do is create an Evil.apk file which will be deployed on the Android phone; once it is installed and executed by the user, we get a reverse shell!!

Creating the "evil.apk" file and uploading it to the HTTP root directory:





















evil.apk downloaded in my android phone :


























evil.apk download location :






















Installing Malicious APK containing reverse shell ;)




























It's interesting that my CM Security real-time protection is not detecting any malicious activity!



























After executing the "MainActivity" application, here is our reverse shell:






















Interesting commands from the Android Meterpreter shell:






















Capturing screenshot through meterpreter shell :





















Regards,
eXpl0i13r




Sunday 10 August 2014

Wlan Password through Metasploit post exploitation module


In scenario-based hacking, if we get a meterpreter session on the victim, we can quickly enumerate WLAN profiles and their passwords through the Metasploit modules present under: "post/windows/wlan/"


Wlan modules available inside Metasploit framework :
























Sunday 3 August 2014

Password Hash Dump Tools Comprehensive List


I came across a website: http://www.whatsmypass.com/
which lists Windows password hash dump tools. This may be handy while doing pen testing, so I thought to post it here.

Nice work Guys Keep it up!






Saturday 26 July 2014

Wifi Password using Command Line Windows


Imagine a scenario where you get access to a remote machine's command prompt, and you want to retrieve the WiFi password so that you can connect to the WiFi network and carry on with your penetration testing...

Yes, you can enumerate WiFi profiles and retrieve their passwords in clear text through Windows commands.

   Command : "netsh wlan show profiles"


   Command : "netsh wlan show profile name="samsung" key=clear"

 

These are very small things, but really powerful when you are working on penetration testing assignments. Of course this is all scenario-based hacking; hope this is helpful.

Regards,
eXpl0i13r


Friday 25 July 2014

Sniffing RDP Session Keystrokes with Cain & Abel


Cain & Abel is a very easy to use tool for ARP poisoning attacks, and at the same time it is powerful.

It has the ability to do man-in-the-middle against RDP ("Remote Desktop Protocol"), with which an attacker can actually sniff keystrokes being typed in an RDP session, and believe me, this can be used in most real environments while doing penetration testing.

Although ARP generates a lot of traffic, it is worth it if you can get hold of credentials ;) in some cases.


The screenshot below shows the option where you will find ARP RDP session details.



Once you have captured an RDP session, you can look for "Key released"; in the screenshot below you can see that the "cd \" command was executed in the RDP session.


Imagine if someone is trying to log in to another machine from RDP using SMB....or SSH ;)

Hope this helps.



Saturday 31 May 2014

Setting up Freeradius Server on Kali Linux

Hi,

The FreeRADIUS Server is a daemon for Unix and Unix-like operating systems which allows one to set up a RADIUS protocol server, which can be used for authentication and accounting for various types of network access. To use the server, you also need a correctly set up client which will talk to it, such as terminal servers, Ethernet switches, wireless access points, or a PC with appropriate software which emulates one.

For more information visit: http://wiki.freeradius.org/guide/faq

Installing the FreeRADIUS server was easy using:
apt-get install freeradius*


FreeRadius Server Version Information :










Navigate to /etc/freeradius/radiusd.conf and edit the parameters mentioned below to specify the IP address at 2 locations:






Specify the clients' IP range, in my case (192.168.4.0/24), with secret = password, which will be used by the access point to authenticate with the RADIUS server.



















Now we need to add credentials for our clients in the users file as mentioned below:
(In my case I have created a user with the name eXpl0i13r, which will be used by client laptops to authenticate with the RADIUS server.)

















Configure the EAP type to PEAP in /etc/freeradius/eap.conf as mentioned below:
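A quick check of the three settings from the steps above before starting the server. This is an added example, not part of the original post: the config text is constructed in FreeRADIUS 2.x syntax, and the shortname, the user's password placeholder and the 16-character minimum for the shared secret are assumptions of this example, since the post's values were only shown in screenshots.

```python
import re

# Constructed config text following the post's steps (FreeRADIUS 2.x syntax).
# shortname and the user's password are placeholders, not values from the post.
CLIENTS_CONF = """
client 192.168.4.0/24 {
    secret    = password
    shortname = lab-ap
}
"""
USERS = 'eXpl0i13r  Cleartext-Password := "CHANGE-ME-placeholder"\n'
EAP_CONF = """
eap {
    default_eap_type = peap
}
"""

def parse_clients(text: str) -> dict:
    """Map each client block's address or range to its key = value settings."""
    clients = {}
    for m in re.finditer(r"client\s+(\S+)\s*\{([^}]*)\}", text):
        pairs = re.findall(r"^\s*(\w+)\s*=\s*(\S+)", m.group(2), re.MULTILINE)
        clients[m.group(1)] = dict(pairs)
    return clients

def check_setup(clients_text, users_text, eap_text, min_secret_len=16):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    clients = parse_clients(clients_text)
    if not clients:
        findings.append("clients: no client block found")
    for net, cfg in clients.items():
        secret = cfg.get("secret", "")
        # Assumed policy: the AP-to-server shared secret should be long and random.
        if len(secret) < min_secret_len:
            findings.append(f"client {net}: shared secret is only {len(secret)} chars")
    if not re.search(r"^\S+\s+Cleartext-Password\s*:=", users_text, re.MULTILINE):
        findings.append("users: no Cleartext-Password entry found")
    m = re.search(r"^\s*default_eap_type\s*=\s*(\w+)", eap_text, re.MULTILINE)
    if not m or m.group(1) != "peap":
        findings.append("eap: default_eap_type is not peap")
    return findings

if __name__ == "__main__":
    for finding in check_setup(CLIENTS_CONF, USERS, EAP_CONF) or ["all checks passed"]:
        print(finding)
```

With the post's values the only finding is the 8-character shared secret, which is fine for a lab but should be replaced with a long random string on a real network.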


















Now it is time to start our RADIUS server with the command: freeradius -X



















The RADIUS server started successfully on the ports mentioned below:


















Configure Access Point to connect with Radius Server :















Access Points Connected to our Radius Server :














Configuring PEAP on client Machine :





















Configuring Advanced Settings as mentioned below :























It will ask for the credentials configured in the users file.



















The eXpl0i13r user has connected to our RADIUS server and we can see details about it:


















That's it.. You are now connected to the access point!...
I hope this will help with setting up a RADIUS server.

Regards,
eXpl0i13r