Monthly Archives: March 2018


Pagodo: Automate Google Hacking Database scraping

Category : Blog

Pagodo (Passive Google Dork)

The goal of this project was to develop a passive Google dork script to collect potentially vulnerable web pages and applications on the Internet. There are two parts: ghdb_scraper.py, which retrieves the Google dorks, and pagodo.py, which leverages the information gathered by ghdb_scraper.py.

What are Google Dorks?

The awesome folks at Offensive Security maintain the Google Hacking Database (GHDB) found here: https://www.exploit-db.com/google-hacking-database. It is a collection of Google searches, called dorks, that can be used to find potentially vulnerable boxes or other juicy info that is picked up by Google’s search bots.


Usage:

To start off, pagodo.py needs a list of all the current Google dorks. Unfortunately, the entire database cannot be easily downloaded. A couple of older projects did this, but the code was slightly stale and it wasn’t multi-threaded, so collecting ~3800 Google dorks would take a long time. ghdb_scraper.py is the resulting Python script.

The flow of execution is pretty simple:

  • Fill a queue with Google dork numbers to retrieve, based on a range
  • Worker threads take a dork number from the queue, retrieve the page using urllib2, then process the page to extract the Google dork using the BeautifulSoup HTML parsing library
  • Print the results to the screen and optionally save them to a file (to be used by pagodo.py, for example)

pagodo.py:

Now that a file with the most recent Google dorks exists, it can be fed into pagodo.py using the -g switch to start collecting potentially vulnerable public applications. pagodo.py leverages the google python library to search Google for sites with the Google dork.


Performing ~3800 search requests to Google as fast as possible will simply not work. Google will rightfully detect it as a bot and block your IP for a set period of time. In order to make the search queries appear more human, a couple of enhancements have been made. A pull request was made and accepted by the maintainer of the Python google module to allow for User-Agent randomization in the Google search queries. This feature is available in 1.9.3 (https://pypi.python.org/pypi/google) and allows you to randomize the different user agents used for each search. This emulates the different browsers used in a large corporate environment.


Future Work:

Future work includes grabbing the Google dork description to provide some context around the dork and why it is in the Google Hacking Database.


Most Popular Training Courses at Indian Cyber Security Solutions:

 

Summer Training for CSE, IT, BCA & MCA Students 

Network Penetration Tester Training

Ethical Hacking  training

Python Programming training

 RHCE  training

CEH V9  training

Diploma in Network Security Training

Secure Coding in Java

Diploma in Web Application Security 

Certified Web Application Penetration Tester 

Certified Android Penetration Tester 

Certified Python Programming 

Advanced Python Training 

Reverse Engineering Training  

Amazon Web Services Training  

VMware Training 

Digital marketing

CCNA training

Android Training

 

Cybersecurity services that can protect your company:

 

Web Security | Web Penetration Testing

Network Penetration Testing – NPT

Android App Penetration Testing

Source Web Development

Source Code Review

Android App Development

Digital Marketing Consultancy

Data Recovery



WifiGod: Python script to test network security

Category : Blog

WifiGod

WifiGod is a tool coded and developed by Blackhole. It is written in the Python programming language and is used to test network security.

Need to know about WifiGod:

  • Monitor interface is created for you: when you enter your network interface in the options, always use one that is not already in monitor mode, i.e. your main wireless interface (e.g. wlan0). This is because WifiGod creates its own wireless interface named ‘wifigod’. Once that interface has been added (after the first time you enter your main network interface), type ‘wifigod’ wherever the program asks for a network interface; the wifigod interface is a prerequisite for the program, which will not work without it.

  • Turn off the main network interface for Network Jam and DeAuthentication: it is recommended that you turn off your wireless interface (e.g. wlan0) when using these options (DO NOT turn off Wifi). To temporarily disable the interface, type ‘ifconfig wlan0 down’, replacing ‘wlan0’ with your network interface. The reason for doing this is that when the program sends the arbitrary packets to the network, it WILL prevent anyone on the network that YOU ARE CONNECTED TO from having an external wireless connection while the program runs. You are able to run these options fine without Wifi. HOWEVER, you must turn your Wifi off AFTER you have executed the option, because the program needs a working external connection to resolve device types for the DeAuthentication and ‘Scan a Network for Devices’ options.

  • An external connection must be present for ‘Scan a Network for Devices’: when scanning a remote network for devices, it is imperative that you are able to connect to the Internet. This is because the program looks up the found MAC addresses in a MAC address vendor database.

  • DNS traffic interception will only work when the target device is being impersonated with option 5.



GyoiThon: growing penetration test tool using Machine Learning

Category : Blog

GyoiThon

GyoiThon is a growing penetration test tool using Deep Learning. Deep Learning improves classification accuracy in proportion to the amount of learning data, so GyoiThon takes in new learning data during every scan. Since GyoiThon uses various features of the software included in the HTTP response as learning data, the more you scan, the more the accuracy of software detection improves. For this reason, GyoiThon is called a growing penetration test tool.

GyoiThon identifies the software installed on the web server (OS, middleware, framework, CMS, etc.) based on the learning data. After that, GyoiThon executes valid exploits for the identified software and generates reports of the scan results. GyoiThon performs all of the above processing automatically.

GyoiThon consists of three engines:

  • Software analysis engine – identifies software based on the HTTP response obtained by normal access to the web server, using both a Deep Learning-based and a signature-based approach.
  • Vulnerability determination engine – collects vulnerability information corresponding to the software identified by the software analysis engine, executes an exploit corresponding to each vulnerability, and checks whether the software is affected by it.
  • Report generation engine – generates a report that summarizes the risks of the vulnerabilities and the countermeasures.

Processing flow:

Step 1. Gather HTTP responses.

Gathers several HTTP responses from the target website while crawling.

Step 2. Identify product name.

It identifies the product names installed on the web server using the following two methods.

1. Based on Machine Learning.

By using Machine Learning (Naive Bayes), it identifies software based on a combination of slightly different features (ETag value, cookie value, specific HTML tags, etc.) for each piece of software. Naive Bayes is trained using training data (see the project’s Training data example). Unlike the signature-based method, Naive Bayes identifies software probabilistically from the various features included in the HTTP response when no single feature is enough to identify the software.
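
As an added illustration of the Naive Bayes method described above (this is example code written for this page, not GyoiThon’s own code or training data), the following Python block trains a Bernoulli Naive Bayes classifier on a constructed set of HTTP-response features and then classifies a response in which no single feature is decisive. The feature names, the HTML markers, the training rows and the header-to-feature mapping are all assumptions made here for the example.

```python
import math
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed training rows: (software label, set of features seen in one response).
# Illustrative assumptions for this example, not GyoiThon's training data.
TRAINING: List[Tuple[str, Set[str]]] = [
    ("WordPress", {"cookie:wordpress_test_cookie", "html:wp-content",
                   "header:x-powered-by:php", "html:meta-generator-wordpress"}),
    ("WordPress", {"html:wp-content", "html:wp-json",
                   "header:x-powered-by:php", "cookie:PHPSESSID"}),
    ("Drupal", {"header:x-generator:drupal", "html:drupal.settings",
                "cookie:SESS", "header:x-powered-by:php"}),
    ("Drupal", {"html:sites/default/files", "header:x-generator:drupal", "cookie:SESS"}),
    ("Django", {"cookie:csrftoken", "cookie:sessionid",
                "header:x-frame-options", "html:csrfmiddlewaretoken"}),
    ("Django", {"cookie:csrftoken", "html:csrfmiddlewaretoken", "header:server:gunicorn"}),
]

# Body substrings that become "html:<marker>" features (assumed markers).
HTML_MARKERS = ("wp-content", "wp-json", "drupal.settings",
                "sites/default/files", "csrfmiddlewaretoken")


def extract_features(headers: Iterable[Tuple[str, str]], body: str) -> Set[str]:
    """Turn one HTTP response (header pairs plus body) into a set of feature strings."""
    feats: Set[str] = set()
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            # Drupal appends a hash to its session cookie name; keep only the prefix.
            cookie = re.sub(r"^(S?SESS)[0-9a-f]+$", r"\1", cookie)
            feats.add("cookie:" + cookie)
        elif lname in ("server", "x-powered-by", "x-generator"):
            # Keep the product token and drop the version ("PHP/7.2" -> "php").
            feats.add(f"header:{lname}:{value.split('/')[0].strip().lower()}")
        elif lname == "x-frame-options":
            feats.add("header:x-frame-options")
    for marker in HTML_MARKERS:
        if marker in body:
            feats.add("html:" + marker)
    if 'name="generator" content="WordPress' in body:
        feats.add("html:meta-generator-wordpress")
    return feats


class NaiveBayesFingerprinter:
    """Bernoulli Naive Bayes over feature presence/absence with Laplace smoothing."""

    def __init__(self, alpha: float = 1.0) -> None:
        self.alpha = alpha
        self.doc_count: Counter = Counter()                        # label -> training responses
        self.feat_count: Dict[str, Counter] = defaultdict(Counter)  # label -> feature -> count
        self.vocab: Set[str] = set()

    def fit(self, rows: Iterable[Tuple[str, Set[str]]]) -> "NaiveBayesFingerprinter":
        for label, feats in rows:
            self.doc_count[label] += 1
            self.feat_count[label].update(feats)
            self.vocab.update(feats)
        return self

    def _log_likelihood(self, label: str, feats: Set[str]) -> float:
        n = self.doc_count[label]
        logp = math.log(n / sum(self.doc_count.values()))          # class prior
        for f in self.vocab:
            # P(feature present | label), smoothed so unseen combinations never hit zero
            p = (self.feat_count[label][f] + self.alpha) / (n + 2 * self.alpha)
            logp += math.log(p if f in feats else 1.0 - p)
        return logp

    def predict_proba(self, feats: Set[str]) -> Dict[str, float]:
        logs = {label: self._log_likelihood(label, feats) for label in self.doc_count}
        top = max(logs.values())                                   # log-sum-exp normalisation
        z = sum(math.exp(v - top) for v in logs.values())
        return {label: math.exp(v - top) / z for label, v in logs.items()}

    def predict(self, feats: Set[str]) -> str:
        probs = self.predict_proba(feats)
        return max(probs, key=probs.get)


MODEL = NaiveBayesFingerprinter().fit(TRAINING)

if __name__ == "__main__":
    # A response where every feature is shared between classes: PHP and PHPSESSID
    # occur for WordPress and Drupal, and the files path is only weak Drupal evidence.
    ambiguous = extract_features([("X-Powered-By", "PHP/7.2"),
                                  ("Set-Cookie", "PHPSESSID=1; Path=/")],
                                 "<img src='/sites/default/files/a.png'>")
    for label, p in sorted(MODEL.predict_proba(ambiguous).items(), key=lambda kv: -kv[1]):
        print(f"{label:10s} {p:.3f}")
```

The combination decides the outcome: with the constructed rows above the ambiguous response is scored as WordPress because two of its three features are more frequent there, while a response carrying only the PHP header and a normalised SESS cookie is scored as Drupal. A larger, real training set replaces the toy rows; the scoring logic stays the same.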


2. Based on String matching.

It can identify the Drupal CMS by simple string matching. It is very easy.

Step 3. Exploit using Metasploit.

Executes the exploit corresponding to the identified software using Metasploit and checks whether the software is affected by the vulnerability.

Step 4. Generate scan report.

Generates a report that summarizes the vulnerabilities. The report is produced as HTML.



FakeDns: Python MITM DNS server with support for DNS Rebinding attacks

Category : Blog

FakeDns

FakeDns is a regular-expression based Python MITM DNS server with correct DNS request passthrough and “Not Found” responses.

Now with round-robin & improved options. A Python regular-expression based DNS server.

How to use the hosts file to fake DNS:

The hosts file is stored on a computer or device to provide local entries for DNS lookup. Normally, when you try to resolve a hostname or domain, your computer will consult your specified DNS server to discover the IP address that it points to. This requires that there is an existing DNS server out there with the record that you require; with the hosts file you can fake DNS entries that will resolve only on the local machine.

It’s great for testing or troubleshooting, or if anyone wants to use a specific hostname that no DNS record exists for, though ideally you should create DNS records where possible as they can be centrally managed. It can also help to get around DNS propagation issues: for example, if a DNS record has been updated but had a TTL of 24 hours, you may have to wait up to this long (assuming the cache cannot be cleared) before the record resolves to the new IP address. By adding a temporary hosts file entry you can resolve to the new IP address straight away, as the hosts file takes precedence over external DNS.

Round-Robin:

Round-robin rules are implemented. Every time a client requests a matching rule, FakeDNS will serve out the next IP in the list of IPs provided in the rule. The list of IPs is comma-separated.

DNS Rebinding:

FakeDNS supports rebinding rules, which means that the server answers a certain number of requests from a client for a domain, up to a threshold (default 1 request), and then changes the IP address to a different one.
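
The defensive counterpart to a rebinding rule is a resolver or proxy that refuses to let an external name flip to an internal address. As an added example written for this page (not part of FakeDns), the following Python block replays a constructed log of DNS answers per client and name, tolerates round-robin across public addresses, and flags the two cases a rebinding filter cares about: a name that first answered with a public address and then with a private one, and an external name that answers with a private or loopback address at all. The log format and the list of trusted internal zones are assumptions.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Sequence, Tuple

# Address ranges a resolver should never accept for an untrusted external zone.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 counterparts
)]

# Zones that legitimately resolve to internal addresses (assumed for the example).
TRUSTED_INTERNAL_ZONES = (".corp.local",)

# Constructed answer log, in arrival order: (client, queried name, answer IP).
ANSWER_LOG = [
    ("10.0.0.5", "cdn.example.com", "203.0.113.10"),
    ("10.0.0.5", "cdn.example.com", "203.0.113.11"),    # round-robin between public IPs: fine
    ("10.0.0.5", "evil.example.net", "198.51.100.7"),   # first answer public ...
    ("10.0.0.5", "evil.example.net", "192.168.1.1"),    # ... then flips to RFC 1918: rebinding
    ("10.0.0.9", "intranet.corp.local", "10.1.2.3"),    # internal zone, private answer: fine
    ("10.0.0.5", "other.example.org", "127.0.0.1"),     # external name answering loopback: blocked
]

Alert = Tuple[str, str, str, str]   # (client, name, ip, reason)


def is_internal(ip: str) -> bool:
    """True if the address lies in a private, loopback or link-local range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)   # version mismatch simply yields False


def audit_answers(log: Sequence[Tuple[str, str, str]],
                  trusted_zones: Sequence[str] = TRUSTED_INTERNAL_ZONES) -> List[Alert]:
    """Replay a DNS answer log the way a rebinding-aware resolver would see it.

    Returns one alert per answer that must not be handed to the client:
      "rebind"          - the (client, name) pair already received a public address
                          and is now being told an internal one
      "private-answer"  - an external name answers with an internal address
                          (the rule of refusing such upstream answers outright)
    """
    seen_public: Dict[Tuple[str, str], bool] = defaultdict(bool)
    alerts: List[Alert] = []
    for client, qname, ip in log:
        key = (client, qname)
        if qname.endswith(tuple(trusted_zones)):
            continue                                 # an internal zone may answer internally
        if is_internal(ip):
            reason = "rebind" if seen_public[key] else "private-answer"
            alerts.append((client, qname, ip, reason))
            continue
        seen_public[key] = True                      # remember that this name was public
    return alerts


if __name__ == "__main__":
    for client, qname, ip, reason in audit_answers(ANSWER_LOG):
        print(f"DROP {qname:22s} -> {ip:14s} for {client}: {reason}")
```

A resolver enforcing this would keep serving the pinned public address for the name rather than the flipped one, which is exactly what defeats the threshold trick: the browser never learns the second IP. Keying on the client as well as the name matters because a rebinding server, like the rule above, changes its answer per client.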


NetRipper: Smart traffic sniffing for penetration testers

Category : Blog

NetRipper

NetRipper is a fairly recent post-exploitation tool for Windows that uses a number of non-standard approaches to extract sensitive data. It uses API hooking in order to intercept network traffic and encryption-related functions from a low-privileged user, being able to capture both plain-text traffic and encrypted traffic before encryption/after decryption. This tool was first demonstrated at DEF CON 23 in Las Vegas.

How does NetRipper work:

It has two main components:

  1. dll – A DLL that will be injected in various processes (the main component)
  2. The DLL configurator and injector

The DLL configurator and injector comes in three flavours:

  1. exe – Command line version
  2. rb – Metasploit post-exploitation module
  3. Invoke-NetRipper.ps1 – PowerShell version created by @HarmJ0y

So, after you have access to a system, you use your preferred DLL configurator and injector and inject the DLL into processes like Chrome, Firefox, Putty or WinSCP. You can go and grab a coffee, read the news or just scroll Facebook and come back to the system. You will find text files with plain-text traffic from that system. This may include usernames and passwords from different servers or applications so you are able to access them.


API hooking

  • Basic network sniffing
  • DLL Injection and API hooking

While basic network sniffing may work, it will only capture unencrypted traffic. Alternatively, it is possible to install our own Root CA (Certificate Authority) in order to capture encrypted traffic, but this method would require Administrator privileges.

Because the applications encrypt and decrypt the data at the application level, the easiest way to reach our goal was to create a DLL that hooks network traffic and encryption API functions in order to get plain-text information.


NetRipper main goals:

As network or system administrators use multiple tools to access different systems, NetRipper had to work on multiple applications from the beginning.

It should capture plain-text traffic from any application, from Chrome or Firefox to FileZilla or SQL Management Studio. By hooking the Windows API functions responsible for plain-text network traffic – send/recv and WSASend/WSARecv – it should just work.

But network or system administrators are professionals who do not use unencrypted channels to do their job, so NetRipper must be able to handle as many applications as possible. Some applications use Windows API functions and it is easy to intercept them, but other applications such as WinSCP or Putty require special work.

A partial list of the supported applications is the following: Google Chrome, Mozilla Firefox, Internet Explorer, FileZilla, Skype for Business, SQL Server Management Studio, Microsoft Outlook, Putty, WinSCP, Yahoo! Messenger.


TrickBot (WebRoot) ship a new module, “screenlocker”

Category : Blog

TrickBot

The recent version of the TrickBot banking trojan now includes a screenlocker component, suggesting the malware’s operators might soon start holding victims for ransom if infected targets don’t appear to be e-banking users.

The good news is that the screenlocker mechanism is not fully functional just yet, and appears to still be under development.

Nonetheless, security researchers have spotted the new module dropped on victims’ computers, suggesting development is advanced enough to have reached field trials.


Trickbot Component:

The good news is that TrickBot’s lock-screen function is not yet fully functional and seems to be still in development. However, this new component has indeed been found installed on victims’ computers, indicating that the attackers have at least been able to implant it on infected computers.

WebRoot said that since the beginning of 2016 the TrickBot banking Trojan has been constantly updated and changed, trying to stay permanently ahead of defenders. TrickBot initially appeared to the public as a banking Trojan, but in recent years it has evolved into a malware downloader.

The component is the “ScreenLocker_x86.dll” file; its details are as follows:

  • dll – attempts to propagate to other computers on the same network via the SMB protocol, through the combined use of the “EternalRomance” vulnerability from the NSA hacking arsenal and other attacks that are patched by the MS17-010 security update;
  • exe – traverses the configuration files in the registry and adds a link to the copied binary to the boot path of each, to establish a persistence mechanism on the infected computer;
  • dll – the screen locker used to lock the infected computer; this is not currently functional.

Screenlocker module developed for enterprise networks:

The thing that stands out is the fact that TrickBot already had an SMB self-spreading worm component since the summer of 2017, dropped as a file named wormDll32.dll.

All three files dropped via this newly discovered module appear to be designed to work together, one after the other, ignoring the original worm component, with the screenlocker triggered after spreading laterally through a network.

This has led security researchers to believe that this module was developed as a one-click method to monetize infections in corporate networks where users are less likely to use e-banking services, independently from the original SMB worm.

“If the TrickBot developers are attempting to complete this locking functionality, this generates interesting speculation around the group’s business model,” says Jason Davison, Advanced Threat Research Analyst for security firm Webroot.


SafeSQL: Static analysis tool for Go that protects against SQL injections

Category : Blog

SafeSQL

SafeSQL is a static analysis tool for Go that protects against SQL injections.

SQL injection is one of the vulnerabilities in OWASP’s Top Ten list for web application exploitation. These attacks take place against dynamic web applications, as they interact with databases for their various operations.

How does SafeSQL work:

SafeSQL uses the static analysis utilities in go/tools to search for all call sites of each of the query functions in the packages database/sql, github.com/jinzhu/gorm and github.com/jmoiron/sqlx (i.e., functions which accept a parameter named query or sql). It then makes sure that every such call site uses a query that is a compile-time constant.

The principle behind SafeSQL’s safety guarantees is that queries that are compile-time constants cannot be subverted by user-supplied data: they must either incorporate no user-controlled values, or incorporate them using the package’s safe placeholder mechanism. In particular, call sites which build up SQL statements via fmt.Sprintf or string concatenation or other mechanisms will not be allowed.


False positives:

If SafeSQL passes, your application is free from SQL injections (modulo bugs in the tool); however, there are a great many safe programs which SafeSQL will declare potentially unsafe. These false positives fall roughly into two buckets:

First, SafeSQL does not currently trace functions recursively through the call graph.

If you wrap a query function in a helper such as MyQuery and only call MyQuery with compile-time constants, your program is safe; however, SafeSQL will report that (*database/sql.DB).Query is called with a non-constant parameter (namely the parameter to MyQuery). This is by no means a fundamental limitation: SafeSQL could recursively trace the query argument through every intervening helper function to ensure that its argument is always constant, but this code has yet to be written.
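
SafeSQL’s own analysis runs on Go code via go/tools. To make the constant-query rule and the helper-function false positive concrete, here is an added Python analogue written for this page (not SafeSQL’s code). It uses the standard ast module, treats DB-API execute/executemany calls as the query sinks (an assumption standing in for SafeSQL’s query/sql parameter rule), and accepts a query only if it is a string literal, a module-level name bound exactly once to a string literal, or a concatenation of those. Everything else is reported, including the wrapper run_query, which plays the role of MyQuery above; the sample module it scans is constructed for the example.

```python
import ast
from typing import List, Set, Tuple

# DB-API methods treated as SQL sinks (assumption made for this example).
QUERY_METHODS = {"execute", "executemany"}

# Constructed sample module: two safe call sites, three injectable ones, and a
# helper that is flagged even though its callers might only ever pass constants.
SAMPLE = '''
import sqlite3

FIND_USER = "SELECT id FROM users WHERE name = ?"

def ok(conn, name):
    conn.execute(FIND_USER, (name,))                      # module constant + placeholder
    conn.execute("SELECT 1 FROM t WHERE a = ?", (name,))  # literal + placeholder

def bad(conn, name):
    conn.execute("SELECT id FROM users WHERE name = '%s'" % name)
    conn.execute(f"SELECT id FROM users WHERE name = '{name}'")
    conn.execute("SELECT id FROM users WHERE name = '" + name + "'")

def run_query(conn, query, params=()):
    # wrapper in the role of MyQuery: reported because `query` is a parameter
    return conn.execute(query, params)
'''


def _module_string_constants(tree: ast.Module) -> Set[str]:
    """Module-level names bound exactly once, and to a string literal."""
    bindings = {}      # name -> number of module-level (re)bindings
    is_literal = {}    # name -> whether the binding was a string literal
    for node in tree.body:
        targets, literal = [], False
        if isinstance(node, ast.Assign):
            targets = node.targets
            literal = isinstance(node.value, ast.Constant) and isinstance(node.value.value, str)
        elif isinstance(node, ast.AnnAssign):
            targets = [node.target]
            literal = isinstance(node.value, ast.Constant) and isinstance(node.value.value, str)
        elif isinstance(node, ast.AugAssign):
            targets = [node.target]        # "Q += x" rebinds the name to a non-constant
        for tgt in targets:
            if isinstance(tgt, ast.Name):
                bindings[tgt.id] = bindings.get(tgt.id, 0) + 1
                is_literal[tgt.id] = literal
    return {n for n, c in bindings.items() if c == 1 and is_literal[n]}


def _is_constant_query(expr: ast.expr, consts: Set[str]) -> bool:
    """Compile-time constant: literal, constant name, or '+' of constants."""
    if isinstance(expr, ast.Constant):
        return isinstance(expr.value, str)
    if isinstance(expr, ast.Name):
        return expr.id in consts
    if isinstance(expr, ast.BinOp) and isinstance(expr.op, ast.Add):
        return _is_constant_query(expr.left, consts) and _is_constant_query(expr.right, consts)
    return False       # f-strings, %-formatting, .format(), parameters, locals ...


def find_unsafe_queries(source: str) -> List[Tuple[int, str]]:
    """Return (line, query expression) for every sink call whose query is not constant."""
    tree = ast.parse(source)
    consts = _module_string_constants(tree)
    findings = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in QUERY_METHODS and node.args):
            query = node.args[0]
            if not _is_constant_query(query, consts):
                findings.append((query.lineno, ast.unparse(query)))
    return sorted(findings)


if __name__ == "__main__":
    for line, expr in find_unsafe_queries(SAMPLE):
        print(f"line {line}: non-constant query {expr}")
```

Run against the sample, the checker accepts the two calls in ok (constant text plus a bound parameter) and reports the three string-building calls in bad together with the execute inside run_query. That last report is the false positive the text describes: the helper is only as safe as its callers, and without tracing the call graph the checker cannot know what they pass.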


The second sort of false positive is based on a limitation in the sort of analysis SafeSQL performs: there are many safe SQL statements which are not feasible (or not possible) to represent as compile-time constants. More advanced static analysis techniques (such as taint analysis) or user-provided safety annotations would be able to reduce the number of false positives, but this is expected to be a significant undertaking.



Trape: People tracker on the Internet

Category : Blog

Trape

Trape is a recognition tool that allows you to track people; the information you can get is very detailed. Through this we want to teach the world how large Internet companies could monitor you, obtaining information beyond your IP.

This tool has been published for educational purposes in order to teach people how bad guys could track them, monitor them or obtain information from their credentials; we are not responsible for the use or the scope that people may give this project.

Trape – Some benefits


  • One of its most enticing functions is the remote recognition of sessions. You can know where a person has logged in, remotely. This occurs through a bypass of the Same Origin Policy (SOP).
  • Currently, you can try everything from a web interface (the console becomes a preview of the logs and actions).
  • Registration of victims, requests and other data are obtained in real time.
  • If you get more information from a person behind a computer, you can generate a more direct and sophisticated attack. Trape was used at some point to track down criminals and learn their behavior.
  • You can do real-time phishing attacks
  • Simple hooking attacks
  • Mapping
  • Important details of the objective
  • Capturing credentials
  • Open Source Intelligence (OSINT)

Recognizes the sessions of the following services:

  • Facebook
  • Twitter
  • VK
  • Reddit
  • Gmail
  • tumblr
  • Instagram
  • Github
  • Bitbucket
  • Dropbox
  • Spotify
  • PayPal
  • Amazon
  • Foursquare (new)
  • Airbnb (new)
  • Hackernews (new)
  • Slack (new)


Example of execution:


  • In the --url option you put the lure; it can be a news page, an article, or anything that serves as a presentation page.
  • In the --port option you put the port where you want it to run.
  • Do you like to monitor your people? Everything is possible with Trape.
  • Do you want to perform phishing attacks? Everything is possible with Trape.
  • In the Files directory, located at the path /static/files, you add the files with .exe extension or other download files sent to the victim.


Chrome Zero: Chrome extension

Category : Blog

Chrome Zero

Chrome Zero is a Google Chrome extension to protect users from microarchitectural and side-channel attacks.

Chrome Zero implements JavaScript Zero, a fine-grained policy-based system which allows changing the behavior of standard JavaScript interfaces and functions. Using so-called policies, Chrome Zero enforces certain restrictions on a website to protect users from malicious JavaScript. The policies allow the permission system to be quickly adapted to protect against any newly discovered attack.

Chrome Zero is a proof-of-concept implementation that defends against these attacks. It installs as a Chrome extension and protects functions, properties, and objects that can be exploited to construct attacks. The basic idea is very simple: functions are wrapped with replacement versions that allow injection of a policy. This idea of wrapping functions (and properties with accessor properties, and certain objects with proxy objects) goes by the fancy name of virtual machine layering.

Chrome Zero: Extension blocks 11 JavaScript-based side-channel attacks:


Experts say that currently there are eleven state-of-the-art side-channel attacks that can be performed via JavaScript code running in a browser.

Each attack needs access to various local details, for which it uses JavaScript code to leak, recover, and gather the needed information before mounting the actual side-channel attack.

After looking at each of the eleven attacks, researchers say they’ve identified five main categories of data/features that JavaScript side-channel attacks attempt to exploit: JS-recoverable memory addresses, accurate timing (time difference) information, the browser’s multithreading (web workers) support, data shared among JS code threads, and data from device sensors.


Chrome Zero has a minimum performance impact:

Experts said that despite the extension’s intrusive behavior, tests showed a minimal performance impact of only 1.54% on resource usage, and an indiscernible page-loading latency ranging from 0.01064s to 0.08908s, depending on the number of protection policies active at runtime.

The extension may well be able to thwart even future and unknown Chrome zero-days, mainly because of its habit of rewriting dangerous functions to safer versions.


List of 29 Different Types of USB Attacks

Category : Blog

USB Attacks

USB attacks are a family of driver-related attacks in which an attacker plugs in a compromised malicious USB device that causes the host to download a specific malicious driver, crafted in such a way as to execute malicious code on the host.

Researchers from the Ben-Gurion University of the Negev in Israel have identified 29 ways in which attackers could use USB devices to compromise users’ computers.

These 29 exploitation methods fall into four different categories, depending on the way the attack is carried out.

A) By reprogramming the USB device’s internal microcontroller. The device looks like a particular USB device (e.g. a charger), but carries out the operations of another (e.g. a keyboard that injects keystrokes).

B) By reprogramming the USB device’s firmware to execute malicious actions (such as malware downloading, data exfiltration, etc.).

C) By not reprogramming USB device firmware, but leveraging flaws in how operating systems normally interact with USB protocols/standards.

D) USB-based electrical attacks.


Reprogrammable microcontroller USB attacks:

  1. Rubber Ducky – a commercial keystroke injection attack platform released in 2010. Once connected to a host computer, the Rubber Ducky poses as a keyboard and injects a preloaded keystroke sequence.
  2. PHUKD/URFUKED attack platforms – similar to Rubber Ducky, but allows an attacker to select the time when it injects the malicious keystrokes.
  3. USB driveby – provides quick covert installation of backdoors and overriding of DNS settings on an unlocked OS X host via USB in a matter of seconds by emulating a USB keyboard and mouse.
  4. Evilduino – similar to PHUKD/URFUKED, but uses Arduino microcontrollers instead of Teensy. Also works by emulating a keyboard/mouse and can send keystrokes/mouse cursor movements to the host according to a preloaded script.
  5. Unintended USB channel – a proof of concept (POC) USB hardware trojan that exfiltrates data based on unintended USB channels (such as using USB speakers to exfiltrate data).
  6. TURNIPSCHOOL (COTTONMOUTH-1) – a hardware implant concealed within a USB cable. Developed by the NSA.
  7. RIT attack via USB mass storage – attack described in a research paper. It relies on changing the content of files while the USB mass storage device is connected to a victim’s computer.
  8. Attacks on wireless USB dongles – a category of attacks first explored with the release of the KeySweeper attack platform by Samy Kamkar, a tool that covertly logs and decrypts keystrokes from many Microsoft RF wireless keyboards.
  9. Default Gateway Override – an attack that uses a microcontroller to spoof a USB Ethernet adapter to override DHCP settings and hijack local traffic.
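Every keystroke-injection platform in the list above (Rubber Ducky, PHUKD/URFUKED, USB driveby, Evilduino) shares one tell: a "keyboard" that suddenly types a long sequence at a machine-constant rate far faster than any person. The Python below is an added example, not code from the original article or from any of those projects; it flags such bursts in a stream of (timestamp, key) events. The event stream, the 30 ms human-speed threshold and the 12-key minimum burst length are constructed and assumed values.

```python
"""Added example: detect Rubber-Ducky-style keystroke injection from a stream of
key events by inter-keystroke timing. The event stream below is constructed for
the example; in a deployment it would come from the OS input layer (evdev, a
keyboard hook, ETW)."""
from statistics import mean

HUMAN_MIN_GAP_S = 0.030   # sustained gaps under ~30 ms exceed human typing speed (assumed threshold)
MIN_BURST_KEYS = 12       # consecutive fast keys needed before we call it injection (assumed)


def injection_bursts(events, min_keys=MIN_BURST_KEYS, max_gap=HUMAN_MIN_GAP_S):
    """events: list of (timestamp_s, key) in time order.

    Returns one tuple per burst: (start_index, end_index, injected_text, mean_gap_s).
    A burst is a run of keys in which every consecutive gap is below max_gap and the
    run is at least min_keys long; a single human-length pause breaks the run."""
    bursts, i, n = [], 0, len(events)
    while i < n:
        j = i
        while j + 1 < n and events[j + 1][0] - events[j][0] < max_gap:
            j += 1
        if j - i + 1 >= min_keys:
            gaps = [events[k + 1][0] - events[k][0] for k in range(i, j)]
            bursts.append((i, j, "".join(key for _, key in events[i:j + 1]), mean(gaps)))
        i = j + 1
    return bursts


# --- constructed sample stream ---
def _typed(keys, start, gaps):
    """Turn a key sequence into (timestamp, key) events using the given inter-key gaps."""
    t, out = start, []
    for key, gap in zip(keys, gaps):
        t += gap
        out.append((t, key))
    return out


def _human_gaps(n):
    # 100-220 ms per key, varying but never below the injection threshold
    return [0.10 + 0.02 * (k % 7) for k in range(n)]


HUMAN_1 = _typed("hello world\n", 0.0, _human_gaps(12))
# Ducky-style payload: open the Run dialog and start a program, at 4 ms per key
INJECTED = _typed(["<GUI-r>"] + list("notepad.exe\n"), HUMAN_1[-1][0] + 2.0, [0.004] * 13)
HUMAN_2 = _typed("ok\n", INJECTED[-1][0] + 3.0, _human_gaps(3))
SAMPLE_EVENTS = HUMAN_1 + INJECTED + HUMAN_2

if __name__ == "__main__":
    for start, end, text, gap in injection_bursts(SAMPLE_EVENTS):
        print(f"injection suspected: events {start}-{end}, {gap * 1000:.1f} ms/key, text={text!r}")
```

Timing alone produces false positives (key autorepeat, clipboard paste through a virtual keyboard, barcode scanners, macro tools), so treat a burst as a signal to correlate with a "new HID device enumerated" event rather than as proof on its own. Attack platforms can also add jitter to defeat a fixed threshold, which is why the enumeration-time check remains the stronger control.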


 

Maliciously reprogrammed USB peripheral firmware attacks:

  1. Smartphone-based HID attacks – first described in a research paper in which the researchers wrote custom Android gadget drivers to override how Android handled USB connections. The malicious driver used the Android USB gadget API to present the phone as a USB keyboard and mouse.
  2. DNS Override by Modified USB Firmware – researchers modified the firmware of a USB flash drive so that it emulated a USB Ethernet adapter, which allowed them to hijack local traffic.
  3. Keyboard Emulation by Modified USB Firmware – several researchers showed that by modifying the firmware of a USB flash drive an attacker can make it inject keystrokes.
  4. Hidden Partition Patch – researchers demonstrated how a USB flash drive can be reprogrammed to act like a normal drive while also creating a hidden partition that cannot be formatted, allowing covert data exfiltration.
  5. Password Protection Bypass Patch – a small modification to a USB flash drive's firmware allows attackers to bypass password-protected USB flash drives.
  6. Virtual Machine Break-Out – researchers used modified USB firmware to break out of a virtual machine.
  7. Boot Sector Virus – researchers used a USB flash drive to infect the computer before the operating system boots.
  8. iSeeYou – a PoC program that reprograms the firmware of a class of Apple internal iSight webcams so that an attacker can covertly capture video without the LED indicator lighting up.


 

Attacks based on unprogrammed USB devices:

  1. CVE-2010-2568 – the Windows .LNK shortcut vulnerability exploited by the Stuxnet and Fanny malware.
  2. USB Backdoor into Air-Gapped Hosts – used by the Fanny malware, developed by the Equation Group (a threat actor widely linked to the NSA). The attack stores preset commands in a hidden storage area of the USB flash drive; the commands map the computers of an air-gapped network, and the collected information is written back to the same hidden storage.
  3. Data Hiding on USB Mass Storage Devices – a large collection of tricks for hiding malware or stolen data on a USB flash drive (e.g. storing data outside the normal partitions, or hiding a file in an invisible folder by making the folder's icon and name transparent).
  4. AutoRun Exploits – depending on how the host was configured, some PCs would automatically execute predetermined files from a USB device's storage. An entire malware category, autorun malware, is dedicated to this.
  5. Cold Boot Attacks – aka the RAM dump attack. Attackers put a memory dumper on a USB flash drive, boot the target from it and extract left-over data from RAM.
  6. Buffer Overflow based Attacks – several attacks that exploit buffer overflows in the operating system when a USB device is inserted. They work because the OS enumerates every new device, parsing its descriptors and running the matching driver code, before the user has any say.
  7. Driver Update – a very complex attack that relies on obtaining a VeriSign Class 3 Organizational Certificate and submitting drivers to Microsoft that are then automatically delivered and installed on user PCs when a certain USB device is inserted. Possible, but very hard to pull off in the real world.
  8. Device Firmware Upgrade (DFU) – attackers can use DFU, a legitimate process supported by the USB standard, to replace a device's legitimate firmware with a malicious version.
  9. USB Thief – USB flash drive based data-stealing malware discovered by ESET in 2016.
  10. Attacks on Smartphones via the USB Port – attackers can hide and deliver malware through malicious USB phone chargers.
  11. USBee attack – makes a USB connector's data bus emit electromagnetic emissions that can be used to exfiltrate data.


 

Electrical attacks:

  1. USB Killer – permanently destroys a device by plugging in a USB stick that discharges a high-voltage electrical surge into the port.


 

Most Popular Training Courses at Indian Cyber Security Solutions:

 

Summer Training for CSE, IT, BCA & MCA Students 

Network Penetration Tester Training

Ethical Hacking  training

Python Programming training

 RHCE  training

CEH V9  training

Diploma in Network Security Training

Secure Coding in Java

Diploma in Web Application Security 

Certified Web Application Penetration Tester 

Certified Android Penetration Tester 

Certified Python Programming 

Advanced Python Training 

Reverse Engineering Training  

Amazon Web Services Training  

VMware Training 

Digital marketing

CCNA training

Android Training

 
