Monday, November 16, 2020

A Sad Story: Don't Invest, Just Prodigalize

Last week, a friend called me with some bad news about a company. The company was looking for help because it had become a victim of Egregor ransomware and wanted to know what to do about the attacker, who had taken all of their data, encrypted it and given them three days to pay 500k dollars. The attacker threatened to publish their data publicly in three days. Meanwhile, the problem was not only that all the data would be published publicly, but also that they had lost all their private data. But how could that happen?

Ransomware has been the biggest problem of the cyber world for some years. We have heard about it, worked on it and seen far too many bitcoins paid in these years. There are tens (or maybe hundreds) of webinars, talks and articles about it, trying to help with staying safe against ransomware. As long as the weakest link is human, it is possible to be exposed to ransomware, but it is not too difficult to confine it to a small area.

The company I described above was a chemical company and of course has a lot of private data, like formulas. When I say they lost all their data, I mean they also lost their backups. Since they did not isolate their backup network, their backups were also encrypted. They did have some backup tapes, but could not use them because they had never tested whether the backup tapes worked, and of course they did not work when the company needed them.

There are some basic prevention steps against ransomware. Briefly: user awareness, regular phishing tests, not only an anti-spam product but also a sandbox or another technology against malicious emails, EDR to respond faster to malicious behavior, NDR to spot anomalies in the network, backing up data and testing these backups regularly, isolating the backup network so infiltrated attackers cannot harm the backups, isolating private data and applying need-to-know, limiting users' internet access, and more. The list seems long, but most of the items do not require much expenditure. But if you do not invest in professionals and in any technology, then you just prodigalize your money. And you can never count lost reputation, or lost secret formulas and data.

All these measures can cost a lot. I can understand if a company cannot invest in all of them. But as I said above, this company's backup network was not isolated and could be accessed from all other networks. And, as I learned, they only use antivirus software, and it is not up to date; I am sure they do not track whether all PCs and servers have this antivirus. Measures like these are not expensive. To have at least these measures, every company needs to invest in talented security professionals, which saves money. I think none of these measures costs more than 500k$ + reputation + publicly published private data. Investing in security is not wasting money. It is directly saving money. Everyone needs to understand this without living through it.

Saturday, November 7, 2020

TOR As A SOCKS Proxy

Almost all applications and web sites try to learn who we are and what we are looking for on the internet. This information is used for many different reasons, like advertising and detecting malicious attempts. Again, for many reasons, it is very important to surf the internet anonymously. Tor is used for anonymous surfing all over the world. It is free to install and use on Windows, Linux and OS X.

It is very easy to install Tor and use it as a browser on these operating systems, but using it only as a browser will not be enough, especially if you want to use other applications anonymously. To use other applications and command line tools anonymously, the Tor SOCKS proxy needs to be installed.

For installation, we need to add the related software repository, so we edit the sources.list file;

        # vim /etc/apt/sources.list

Then we add the line below to the bottom of the sources.list file.

        deb http://deb.torproject.org/torproject.org wheezy main


We need to introduce the software repository's key (gpg key) to the system;

        # gpg --keyserver keys.gnupg.net --recv 886DDD89
        # gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

Now, start Tor and check whether the service is running;

        # /etc/init.d/tor start
        # service tor status


If the Tor service is running successfully, you should see output like the above. We need to enter one more command so that the Tor service starts automatically after rebooting the machine.

        # update-rc.d tor enable

After you enter this command, you can test it by rebooting the system. After the reboot, check the status of the service;

        # service tor status

Now we can use Tor for all applications that support a SOCKS proxy. To test it, you can use Firefox: change the proxy settings to SOCKS host localhost, port 9050, and check your IP address. Tor uses 9050 as its default SOCKS port.
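The SOCKS5 exchange that Firefox (or any SOCKS-aware tool) performs against port 9050 can also be driven directly from code. The following Python client is an added example written for this post, not part of the original and not Tor's own code; it assumes Tor is listening on 127.0.0.1:9050 as installed above, and it hands hostnames to Tor unresolved so that DNS lookups do not leak outside Tor.

```python
import socket
import struct

TOR_SOCKS = ("127.0.0.1", 9050)  # Tor's default SOCKS port (from the post); host is assumed
REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable", 5: "connection refused"}

def socks5_greeting() -> bytes:
    # VER=5, one offered method, METHOD 0x00 = no authentication (RFC 1928)
    return b"\x05\x01\x00"

def socks5_connect_request(host: str, port: int) -> bytes:
    # CMD=1 CONNECT with ATYP=3 (domain name): the hostname is handed to Tor
    # unresolved so the DNS lookup happens inside Tor; resolving locally and
    # sending an IP (ATYP=1) would leak the destination to your own resolver.
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname must be 1..255 bytes")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)

def parse_socks5_reply(data: bytes) -> tuple:
    # Returns (REP code, "bound-address:port"); Tor normally reports 0.0.0.0:0
    if len(data) < 4 or data[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == 1:
        addr, end = socket.inet_ntoa(data[4:8]), 8
    elif atyp == 3:
        addr, end = data[5:5 + data[4]].decode("ascii"), 5 + data[4]
    elif atyp == 4:
        addr, end = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    else:
        raise ValueError("unknown address type %d" % atyp)
    port = struct.unpack("!H", data[end:end + 2])[0]
    return rep, "%s:%d" % (addr, port)

def tor_connect(host: str, port: int, proxy=TOR_SOCKS, timeout=60) -> socket.socket:
    # Open a TCP connection to host:port through the local Tor SOCKS proxy.
    sock = socket.create_connection(proxy, timeout=timeout)
    sock.sendall(socks5_greeting())
    if sock.recv(2) != b"\x05\x00":
        sock.close()
        raise ConnectionError("Tor refused the no-auth method")
    sock.sendall(socks5_connect_request(host, port))
    rep, bound = parse_socks5_reply(sock.recv(262))
    if rep != 0:
        sock.close()
        raise ConnectionError("CONNECT failed: " + REPLY_TEXT.get(rep, "code %d" % rep))
    return sock
```

With Tor running, tor_connect("check.torproject.org", 443) returns a connected socket that you can wrap with the ssl module for HTTPS. Tools that only support socks5 rather than socks5h resolve names locally and leak DNS queries even though the TCP traffic itself goes through Tor.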





Monday, October 26, 2020

How to Install Metasploit on Ubuntu


If you are familiar with infosec, you already know what Metasploit is, so I will not explain it here again. Metasploit is preinstalled in Kali, but if you use Ubuntu like me, it is better to install Metasploit on it than to switch to Kali just to use it. It is very easy to install Metasploit on Ubuntu (all versions).

First, update the system;

    $ sudo apt update
    $ sudo apt dist-upgrade


When your Ubuntu is updated, get the installer for Metasploit;

    $ cd /tmp
    $ curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall

After getting the installer, use these commands to make it executable and run it;

    $ chmod +x msfinstall
    $ sudo ./msfinstall

After installation, run the command below to enable and start the local database (you must run this command as a non-root user);

    $ msfdb init

$ msfdb init
Creating database at /home/attacker/.msf4/db
Starting database at /home/attacker/.msf4/db...success
Creating database users
Writing client authentication configuration file /home/attacker/.msf4/db/pg_hba.conf
Stopping database at /home/attacker/.msf4/db
Starting database at /home/attacker/.msf4/db...success
Creating initial database schema
[?] Initial MSF web service account username? [attacker]:
[?] Initial MSF web service account password? (Leave blank for random password):
Generating SSL key and certificate for MSF web service
Attempting to start MSF web service...success
MSF web service started and online
Creating MSF web service user attacker

    ############################################################
    ##              MSF Web Service Credentials               ##
    ##                                                        ##
    ##        Please store these credentials securely.        ##
    ##    You will need them to connect to the webservice.    ##
    ############################################################

MSF web service username: attacker
MSF web service password: WDq33xRU6lVpVy+7bvdISdg9KusbHy7rfXSguE7GoQs=
MSF web service user API token: 8d4e7374d90b19f1a20a99da46cc2bc07684244e5b30b1061990be11fc31fbf5ccc761011a98c241


MSF web service configuration complete
The web service has been configured as your default data service in msfconsole with the name "local-https-data-service"

If needed, manually reconnect to the data service in msfconsole using the command:
db_connect --token 8d4e7374d90b19f1a20a99da46cc2bc07684244e5b30b1061990be11fc31fbf5ccc761011a98c241 --cert /home/attacker/.msf4/msf-ws-cert.pem --skip-verify https://localhost:5443

The username and password are credentials for the API account:
https://localhost:5443/api/v1/auth/account


If you see the text above, it means Metasploit is ready to use;

    $ msfconsole

 

$ msfconsole
                                                  


       =[ metasploit v6.0.13-dev-                         ]
+ -- --=[ 2072 exploits - 1120 auxiliary - 352 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: View advanced module options with advanced

msf6 >

 


Sunday, October 11, 2020

C&C with Empire - A Mitre Att&ck T1071 and T1086 Demo

".. a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework. It premiered at BSidesLV in 2015."

ReadMe file of Empire


Empire is a publicly available post-exploitation framework used by nation state threat actors and red teams. This demo is about gaining C&C, and is associated with MITRE ATT&CK (r) Tactic: Command and Control and Techniques T1086 and T1071.

It is important to install Empire with this command in order to use all of its functions;

        git clone https://github.com/BC-SECURITY/Empire

After installing Empire, we create a listener on port 80. I am using Ubuntu for this demo.



After enabling the listener, we must use a stager. Here, we are using a batch stager;


By executing the commands above, a malicious batch file is created in the /tmp/ folder. When the victim executes this file on his/her machine, we get a session. With the "agents" command, we can see the active sessions, as below. Then, with the "interact <agent id>" command, we get the C&C connection to the victim.



Empire is a good and fast framework for C&C. But if we do not use obfuscation, it is very possible for defense teams to detect these processes. In Event Viewer, we can find logs of the malicious behaviors;


For defense, it is important to use an EDR solution on endpoint machines. You can find my EDR Choosing Guide post here.

Saturday, October 10, 2020

Credential Dumping - Attack and Defense Techniques (MITRE ATT&CK T1003)

Credential Dumping

As MITRE says on its website, adversaries dump credentials to obtain login credentials for lateral movement once they have access to a computer. Several tools and techniques may be used to dump the credentials of a computer. Here, I will try to show two different credential dumping techniques and how to prevent them using FireEye's Endpoint Security product, as a quick demo.

lsass

Before the demo, I want to give a short brief about lsass. LSA (Local Security Authority) is the component that authenticates users to the computer. It checks the SAM (Security Accounts Manager) database to validate user information. LSASS.exe (Local Security Authority Subsystem Service) is the process responsible for enforcing the local security policy on the system. If someone can dump lsass on the computer and get this dump file, the users' credentials are stolen, because lsass keeps the credentials in memory, in clear text or as password hashes depending on the OS.

FireEye HX Process Guard

HX is FireEye's Endpoint Security product, as you already know. I will not explain what it is and what it does here, but typically it is an EDR solution with AV and some other prevention modules. I wanted to try its Process Guard module, which basically blocks attackers from dumping the lsass process.

"The Process Guard Module for FireEye Endpoint Security prevents attackers from obtaining access to credential data or key material stored within the lsass.exe process, thus protecting endpoints against common credential theft attacks" says FireEye about Process Guard. 

Here, I will try to show some techniques to dump lsass and how Process Guard prevents them. These techniques are associated with MITRE ATT&CK (r) Tactic: Credential Access and Technique: T1003.


Credential Dumping with comsvcs.dll

comsvcs.dll is a part of the Windows OS. It is a hidden system file found in \Windows\System32. Its MiniDump function can be called with rundll32.exe, so it can be used to dump credentials from the lsass.exe process.

First, the process ID of the lsass.exe process must be identified;


Then, the command below will dump lsass;


A file of about 48MB is created by this process;

Now it is time to use Mimikatz and get the passwords in clear text, or the hashes of the passwords (depending on the OS);


As you can see, it is very easy to get the credentials of the user of a compromised computer if you do not protect the lsass.exe process against malicious behaviours. Now, I will try to prevent it using FireEye HX's Process Guard module. For this, I enable the Process Guard module in my computer's policy;


The lsass dump command again;


After that, when I check the created dump file, I can see that a 0MB sized file has been created;


When I check the Process Guard module in HX's console, I can see that HX has detected this behavior, done by PowerShell;




Credential Dump with ProcDump


ProcDump is a Sysinternals tool used to generate memory dumps of applications. After disabling the Process Guard module on HX again, I try to dump lsass using ProcDump;


A 48MB sized file has been created;


Again, Mimikatz, to get the passwords or hashes (depending on the OS);


Then, let's try again after enabling Process Guard. I run ProcDump again, but this time Process Guard is enabled;


It got an error while creating the file and could not create any dump file.

NOTE 1: These tests were done while HX's Antivirus was disabled. Otherwise, AV would block Mimikatz and delete or quarantine it. This is the alarm for this behavior;



NOTE 2: Even if you do not enable Process Guard and Antivirus at the same time, HX generates an IOC alert for these attacks. The IOC tells us that the "-ma" option is being used with "lsass.exe" on cmd. This attack and IOC are associated with MITRE ATT&CK (r) Tactic: Credential Access and Technique: T1003.
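As an added example for the two LSASS dump commands shown in this post, and for the hidden, encoded PowerShell launcher that the batch stager in the Empire post above starts, here is a small Python command-line detector; it is not HX's detection logic and not code from either post. The process-creation events are constructed sample data, the PID, file paths and base64 placeholder are assumptions, and the launcher form (-noP -sta -w 1 -enc) is modelled on Empire's standard PowerShell launcher.

```python
import re

# Constructed process-creation events modelled on Sysmon Event 1 / Security 4688
# fields; they are sample data for this example, not logs from the posts above.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -noP -sta -w 1 -enc " + "A" * 40},  # launcher; payload is a placeholder
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\temp\lsass.dmp full"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\tools\procdump64.exe",
     "cmdline": r"procdump64.exe -accepteula -ma lsass.exe C:\temp\lsass.dmp"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},  # benign admin script
]

# Each rule: (label, regexes that must ALL match the command line). Name-based rules miss
# a renamed ProcDump, so pair them with Sysmon Event 10 (ProcessAccess) on lsass.exe.
RULES = [
    ("T1003 LSASS dump via comsvcs.dll MiniDump",
     [re.compile(r"comsvcs\.dll\s*,\s*MiniDump\b", re.I)]),
    ("T1003 LSASS dump via ProcDump -ma (the IOC HX raised in NOTE 2)",
     [re.compile(r"\bprocdump", re.I), re.compile(r"\s-ma\b", re.I), re.compile(r"\blsass(\.exe)?\b", re.I)]),
    ("T1086 hidden, encoded PowerShell launcher",
     [re.compile(r"\bpowershell", re.I),
      re.compile(r"\s-w(indowstyle)?\s+(1|h(idden)?)\b", re.I),   # -w 1 / -WindowStyle Hidden
      re.compile(r"\s-e[a-z]*\s+[A-Za-z0-9+/=]{20,}", re.I)]),     # -e/-enc/-EncodedCommand <base64>
]

def classify(event):
    """Return the labels of every rule whose patterns all match this event's command line."""
    cmd = event["cmdline"]
    return [label for label, pats in RULES if all(p.search(cmd) for p in pats)]

def scan(events):
    """Return (label, image, cmdline) for each suspicious event; benign events are dropped."""
    hits = []
    for ev in events:
        for label in classify(ev):
            hits.append((label, ev["image"], ev["cmdline"]))
    return hits

if __name__ == "__main__":
    for label, image, cmd in scan(SAMPLE_EVENTS):
        print("[ALERT] %s\n        %s\n        %s" % (label, image, cmd))
```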


