
Monthly Archives: April 2018

DAMP: Persistence Through Host-based Security Descriptor Modification

Category : Blog

This project contains several files that implement host-based security descriptor “backdoors” that facilitate the abuse of various remotely accessible services for arbitrary trustees/security principals.

tl;dr – this grants users/groups (local, domain, or ‘well-known’ like ‘Everyone’) of an attacker’s choosing the ability to perform specific administrative actions on a modified host without needing membership in the local administrators group.

Note: to implement these backdoors, you need the right to change the security descriptor information for the targeted service, which in stock configurations nearly always means membership in the local administrators group.

Remote Hash Extraction On Demand Via Host Security Descriptor Modification

This is the long overdue follow-up to the “An ACE in the Hole: Stealthy Host Persistence via Security Descriptors” presentation (slides and video) that @tifkin_, @enigma0x3, and I gave at DerbyCon last year. This past weekend we gave a talk at @Sp4rkCon titled “The Unintended Risks of Trusting Active Directory” that explored combining our host-based security descriptor research with the work that @_wald0 and I detailed at Black Hat and DEF CON last year on Active Directory security descriptor backdooring. One of the more interesting case studies at both DerbyCon and Sp4rkCon involved a host-based security descriptor modification primitive that allows indefinite remote retrieval of a machine’s account hash. This post will dive deeply into this approach, the newly released weaponized code that implements it, and the extension allowing for the extraction of local account hashes and domain cached credentials.

Security Descriptor Operations

The Windows API provides functions for getting and setting the components of the security descriptor associated with a securable object. Use the GetSecurityInfo and GetNamedSecurityInfo functions to retrieve a pointer to an object’s security descriptor. These functions can also retrieve pointers to the individual components of the security descriptor: DACL, SACL, owner SID, and primary group SID. Use the SetSecurityInfo and SetNamedSecurityInfo functions to set the components of an object’s security descriptor.

The Windows API provides additional functions for manipulating the components of a security descriptor. For information about working with access control lists (DACLs or SACLs), see Getting Information from an ACL and Creating or Modifying an ACL. For information about SIDs, see Security Identifiers (SIDs).

 

Remote Registry:

Add-RemoteRegBackdoor.ps1

  • Add-RemoteRegBackdoor: Implements a new remote registry backdoor that allows for the remote retrieval of a system’s machine and local account hashes, as well as its domain cached credentials.

RemoteHashRetrieval.ps1

  • Get-RemoteMachineAccountHash: Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the local machine account hash for the specified machine.
  • Get-RemoteLocalAccountHash: Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the local SAM account hashes for the specified machine.
  • Get-RemoteCachedCredential: Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the domain cached credentials for the specified machine.
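As an added defensive check, not part of the DAMP project, the following PowerShell audits the DACL and owner of the registry keys a remote-registry backdoor of this kind depends on: the winreg key that gates Remote Registry access, and the SAM and SECURITY hives that hold the hashes and cached credentials. It reports any Allow ACE whose trustee is outside an expected baseline. The key paths are the stock Windows locations; the baseline trustee list is an assumption to be tuned per environment.

```powershell
# Added audit script (not from DAMP). Assumptions: stock key locations below, and a
# baseline trustee list that matches a default install; adjust both for your estate.
$KeysToAudit = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityPipeServers\winreg',  # gates Remote Registry access
    'HKLM:\SAM',       # local account hashes
    'HKLM:\SECURITY'   # LSA secrets and domain cached credentials
)

# Trustees expected on these keys in a stock configuration (assumption; tune per environment).
$BaselineTrustees = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Backup Operators',
    'NT AUTHORITY\LOCAL SERVICE',
    'CREATOR OWNER'
)

function Get-UnexpectedRegistryAce {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [Parameter(Mandatory)] [string[]] $Baseline
    )
    foreach ($p in $Path) {
        # Reading a DACL needs READ_CONTROL, which local administrators hold on these keys
        # by default; a failure here is itself worth seeing, so it is reported, not hidden.
        try { $acl = Get-Acl -Path $p -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL for ${p}: $($_.Exception.Message)"; continue }

        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and $Baseline -notcontains $id) {
                [pscustomobject]@{
                    Key       = $p
                    Trustee   = $id
                    Rights    = $ace.RegistryRights
                    Inherited = $ace.IsInherited
                }
            }
        }
        # A changed owner is another tell: an owner can always re-grant itself access.
        if ($Baseline -notcontains $acl.Owner) {
            [pscustomobject]@{ Key = $p; Trustee = $acl.Owner; Rights = 'OWNER'; Inherited = $false }
        }
    }
}

$findings = Get-UnexpectedRegistryAce -Path $KeysToAudit -Baseline $BaselineTrustees
if ($findings) { $findings | Format-Table -AutoSize } else { 'No unexpected trustees found.' }
```

Run it elevated on the host being checked; an ACE for a low-privileged user or group on the winreg key, or a non-default owner on SAM or SECURITY, is the kind of modification this post describes.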

 

Highest Selling Technical Courses of Indian Cyber Security Solutions:

Certified Ethical Hacker Training in Bhubaneswar

Certified Ethical Hacker Training in Bangalore

Ethical Hacking Training in Bangalore

Certified Ethical Hacker Training in Hyderabad

Ethical Hacking Training in Hyderabad

Python Training in Bangalore

Python Training in Hyderabad

Certified Ethical Hacker Certification – C | EH v10

Summer Training for CSE, IT, BCA & MCA Students 

Network Penetration Testing training

Ethical Hacking  training

Python Programming training

Diploma in Network Security Training

Android Development  training

Secured Coding in Java

Certified Network Penetration Tester 

Diploma in Web Application Security 

Certified Web Application Penetration Tester 

Certified Android Penetration Tester 

Certified Python Programming 

Advance Python Training 

Reverse Engineering Training  

Amazon Web Services Training  

VMware Training 

 

Cybersecurity services that can protect your company:

Web Security | Web Penetration Testing

Network Penetration Testing – NPT

Android App Penetration Testing

Source Web Development

Source Code Review

Android App Development

Digital Marketing Consultancy

Data Recovery

 

Other Location for Online Courses:

Bhubaneswar

Bangalore

Hyderabad


Top 6 best Linux Distribution for new Linux users

Category : Blog

Linux Distribution

Linux distributions are “easy to use”. Some users may dispute this view, but in fact, when it comes to Linux, most people who are not engaged in IT or software development work will be attracted by the easiest user experience.

 

Ubuntu

Ubuntu is an open source operating system first released on October 20, 2004. It is built upon the code base of Debian Linux. It is named after Ubuntu, a South African philosophy which embodies the belief in the bond of sharing which connects all of humanity.

Website: https://www.ubuntu.com/

 

Linux Mint

Mint Linux, also known as Linux Mint, is a Linux distribution for desktop computers. Its design focuses on prioritizing open-source software components, with exceptions for proprietary multimedia software such as the Adobe Flash plugin. Known as one of the more user-friendly variants, it comes with many popular free software packages such as LibreOffice, Pidgin, and GIMP, and its default web browser is Firefox.

It is designed to strike a balance between simplicity and elegance. Updates are numbered so that the user can more clearly understand which updates have the greatest impact on the system. Another benefit of its update tool is that it can detect mirror and apt problems, and it offers options for selecting local mirrors.

Website: https://linuxmint.com/

 

Fedora

Fedora Linux, also known as Fedora, is a Linux variant created by a community of developers known as the Fedora Project. It is owned by the company Red Hat. It was first released in 2003, shortly after Red Hat discontinued its official Linux distribution, Red Hat Linux.

The design focus of Fedora is security and innovation. It has a reputation for integrating the newest changes to operating system technologies as early as possible. Fedora is also noted for implementing SELinux, which enforces mandatory access controls on all files.

Website: https://getfedora.org

 

PCLinuxOS

First released in 2003, PCLinuxOS (also known as PCLOS) is a variant for desktop and laptop computers. There are several special versions available for download, which come packaged with various desktop environments, including MATE, KDE, and LXDE.

PCLinuxOS’s implementation of the KDE control center is very easy to use.

Website: http://www.pclinuxos.com/

 

Arch Linux

First released in 2002, Arch Linux is a Linux distribution for i686 and x86-64 computer architectures. Its design focuses on simplicity, security, and efficiency. Unlike other operating systems that use discrete versions, it updates on a rolling release model, offering continuous, incremental upgrades to keep the system up to date.

Website: https://www.archlinux.org/

 

Manjaro

Manjaro is a user-friendly distribution based on the independently developed Arch operating system. Developed in Austria, France, and Germany, Manjaro provides all the benefits of the Arch operating system combined with a focus on user-friendliness and accessibility. Available in both 32- and 64-bit versions, Manjaro is suitable for newcomers as well as experienced users.

Website: https://manjaro.org/

 

Geoip attack map: Cyber security geoip attack map

Category : Blog

Geoip attack map Visualization

The Geoip attack map visualizer was developed to display network attacks on your organization in real time. The data server follows a syslog file and parses out source IP, destination IP, source port, and destination port. Protocols are determined via common ports, and the visualizations vary in color based on protocol type.

This project would not be possible if it weren’t for Sam Cappella, who created a cyber defense competition network traffic visualizer for the 2015 Palmetto Cyber Defense Competition.

Importance of Geoip attack map log parsing

This program relies entirely on syslog, and because all appliances format logs differently, you will need to customize the log parsing function(s). If your organization uses a security information and event management system (SIEM), it can probably normalize logs to save you a ton of time writing regex.

  1. Send all syslog to the SIEM.
  2. Use the SIEM to normalize logs.
  3. Send the normalized logs to the box running this software (any Linux machine running syslog-ng will work) so the data server can parse them.

Configuration:

  1. Make sure in /etc/redis/redis.conf to change bind 127.0.0.1 to bind 0.0.0.0 if you plan on running the DataServer on a different machine than the AttackMapServer.
  2. Make sure that the WebSocket address in /AttackMapServer/index.html points back to the IP address of the AttackMapServer so the browser knows the address of the WebSocket.
  3. Download the MaxMind GeoLite2 database, and change the db_path variable in DataServer.py to wherever you store the database.
  4. ./db-dl.sh
  5. Add headquarters latitude/longitude to hqLatLng variable in index.html
  6. Use syslog-gen.py, or syslog-gen.sh to simulate dummy traffic “out of the box.”
  7. IMPORTANT: Remember, this code will only run correctly in a production environment after personalizing the parsing functions. The default parsing function is only written to parse ./syslog-gen.sh traffic.
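As an added example, not code from the project, here is a parsing function of the kind step 7 asks you to customize: it extracts the four fields the data server needs from constructed, netfilter-style syslog lines, validates the addresses and ports, and derives the protocol label from the destination port. The line format, the sample lines and the port-to-protocol table are assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample lines in netfilter/iptables LOG style (assumption: a real appliance
# formats differently, which is exactly why the data server's parser must be customized).
SAMPLE_SYSLOG = """\
Apr 12 10:01:22 fw01 kernel: [12345.67] DROP IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=51234 DPT=22
Apr 12 10:01:23 fw01 kernel: [12346.01] DROP IN=eth0 OUT= SRC=203.0.113.46 DST=198.51.100.10 PROTO=TCP SPT=40000 DPT=443
Apr 12 10:01:24 fw01 kernel: [12346.55] DROP IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.12 PROTO=UDP SPT=5353 DPT=53
Apr 12 10:01:25 fw01 kernel: [12347.00] DROP IN=eth0 OUT= SRC=203.0.113.999 DST=198.51.100.10 PROTO=TCP SPT=1 DPT=80
Apr 12 10:01:26 fw01 sshd[812]: Accepted publickey for ops from 198.51.100.3 port 55001 ssh2
"""

# Destination port -> protocol label that drives the visualization colour (assumed table).
PORT_TO_PROTOCOL: Dict[int, str] = {
    21: "FTP", 22: "SSH", 23: "TELNET", 25: "SMTP", 53: "DNS", 80: "HTTP",
    110: "POP3", 143: "IMAP", 443: "HTTPS", 445: "SMB", 3389: "RDP",
}

# Only the four fields the data server keeps; everything else in the line is ignored.
LINE_RE = re.compile(
    r"SRC=(?P<src_ip>[0-9.]+)\s+DST=(?P<dst_ip>[0-9.]+)\s+"
    r"(?:PROTO=\S+\s+)?SPT=(?P<src_port>\d+)\s+DPT=(?P<dst_port>\d+)"
)


def protocol_from_port(port: int) -> str:
    """Map a destination port to a protocol label, as the post says the map does."""
    return PORT_TO_PROTOCOL.get(port, "OTHER")


def parse_syslog_line(line: str) -> Optional[dict]:
    """Return {src_ip, dst_ip, src_port, dst_port, protocol}, or None for lines that
    are not connection events or that carry malformed addresses or ports."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    try:
        src_ip = str(ipaddress.ip_address(m.group("src_ip")))
        dst_ip = str(ipaddress.ip_address(m.group("dst_ip")))
    except ValueError:  # e.g. an octet above 255: drop it rather than plot garbage
        return None
    src_port, dst_port = int(m.group("src_port")), int(m.group("dst_port"))
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        return None
    return {
        "src_ip": src_ip, "dst_ip": dst_ip,
        "src_port": src_port, "dst_port": dst_port,
        "protocol": protocol_from_port(dst_port),
    }


def parse_syslog(text: str) -> List[dict]:
    """Parse a block of syslog text, keeping only well-formed connection events."""
    events = []
    for line in text.splitlines():
        event = parse_syslog_line(line)
        if event is not None:
            events.append(event)
    return events


if __name__ == "__main__":
    for ev in parse_syslog(SAMPLE_SYSLOG):
        print(f'{ev["src_ip"]}:{ev["src_port"]} -> {ev["dst_ip"]}:{ev["dst_port"]} [{ev["protocol"]}]')
```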

 

VMware Escapes: A bunch of Red Pills

Category : Blog

VMware is one of the leaders in virtualization nowadays. They offer VMware ESXi for the cloud, and VMware Workstation and Fusion for desktops (Windows, Linux, macOS).
The technology is very well known to the public: it allows users to run unmodified guest “virtual machines”.
Often those virtual machines are not trusted, and they must be isolated.
VMware goes to great lengths to offer this isolation, especially on the ESXi product, where virtual machines belonging to different actors can potentially run on the same hardware. So strong isolation is of paramount importance.

How VMware works:

In a nutshell, it often uses (though they are not strictly required) CPU and memory hardware virtualization technologies, so a guest virtual machine can run code at native speed most of the time.

But a modern system is not just a CPU and memory; it also requires a lot of other hardware to work properly and be useful.

This point is very important because it constitutes one of the biggest attack surfaces of VMware: the virtualized hardware.

Virtualizing a hardware device is not a trivial task, as is easily realized by reading any datasheet describing the hardware/software interface of a PC device.

Although a lot of VMware blog posts and presentations were released recently, we felt the need to write our own for the following reasons:

  • First, no one has ever talked correctly about our Pwn2Own bugs, so we want to shed light on them.
  • Second, some of those published resources lack either details or code.

Overall architecture:

A complex product like VMware consists of several components; we will just highlight the most important ones, since the VMware architecture design has already been discussed extensively elsewhere.

  • VMM: this piece of software runs at the highest possible privilege level on the physical machine. It makes the VMs tick and run, and also handles all the tasks which are impossible to perform from host ring 3, for example.
  • vmnat: vmnat is responsible for network packet handling, since VMware offers advanced functionalities such as NAT and virtual networks.
  • vmware-vmx: every virtual machine started on the system has its own vmware-vmx process running on the host. This process handles a lot of tasks which are relevant for this blog post, including much of the device emulation and backdoor request handling. Exploiting the chains we will present results in code execution on the host in the context of vmware-vmx.

Backdoor:

The so-called backdoor is not actually a “backdoor”; it is simply a mechanism implemented in VMware for guest-to-host and host-to-guest communication.

A useful resource for understanding this interface is the open-vm-tools repository, published by VMware itself.

Basically, at the lowest level, the backdoor consists of two I/O ports, 0x5658 and 0x5659: the first for “traditional” communication, the other for “high bandwidth” transfers.

The guest issues in/out instructions on those ports, following a register convention, and is thereby able to communicate with the vmware-vmx process running on the host.
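As an added example (not code from the original post or from VMware), the following C issues the same harmless GETVERSION request that VMware Tools uses, to make the register convention on port 0x5658 concrete: the magic value 0x564D5868 in EAX, the command number in ECX, the port in DX, and the magic echoed back in EBX when the hypervisor handled the call. The magic and command number are the ones used by open-vm-tools; the SIGSEGV guard is there because outside a VMware guest a ring-3 IN instruction simply faults, which is also why the call reaches vmware-vmx from unprivileged guest code.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>

#define BDOOR_PORT            0x5658       /* "traditional" backdoor I/O port named in the post   */
#define BDOOR_MAGIC           0x564D5868u  /* 'VMXh': the magic open-vm-tools loads into EAX      */
#define BDOOR_CMD_GETVERSION  10           /* harmless request: "which backdoor version is this?" */

static sigjmp_buf fault_env;

/* On bare metal or under another hypervisor, a ring-3 IN on this port raises #GP,
 * delivered to a Linux process as SIGSEGV; jump back instead of dying. */
static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Reply convention: the hypervisor echoes the magic in EBX if it handled the call. */
int bdoor_reply_is_valid(uint32_t ebx_out)
{
    return ebx_out == BDOOR_MAGIC;
}

/* Issue one GETVERSION request. Returns 1 and fills version/product if the
 * backdoor answered, 0 if the instruction faulted or nothing echoed the magic. */
int vmware_backdoor_getversion(uint32_t *version, uint32_t *product)
{
#if defined(__x86_64__) || defined(__i386__)
    uint32_t eax = BDOOR_MAGIC;            /* EAX: magic                      */
    uint32_t ebx = 0;                      /* EBX: argument (unused here)     */
    uint32_t ecx = BDOOR_CMD_GETVERSION;   /* ECX: command number             */
    uint32_t edx = BDOOR_PORT;             /* DX : I/O port                   */
    struct sigaction sa, old_segv, old_bus;
    volatile int answered = 0;

    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    if (sigsetjmp(fault_env, 1) == 0) {
        __asm__ __volatile__("inl %%dx, %%eax"
                             : "+a"(eax), "+b"(ebx), "+c"(ecx)
                             : "d"(edx)
                             : "memory");
        if (bdoor_reply_is_valid(ebx)) {
            if (version) *version = eax;   /* EAX: backdoor protocol version  */
            if (product) *product = ecx;   /* ECX: product type code          */
            answered = 1;
        }
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return answered;
#else
    (void)version;
    (void)product;
    return 0;   /* the backdoor is an x86 port-I/O interface; nothing to probe */
#endif
}

int main(void)
{
    uint32_t ver = 0, prod = 0;
    if (vmware_backdoor_getversion(&ver, &prod))
        printf("backdoor answered on port 0x%X: version=%u product=%u\n", BDOOR_PORT, ver, prod);
    else
        printf("no backdoor on port 0x%X (faulted or no magic echoed)\n", BDOOR_PORT);
    return 0;
}
```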

Jackhammer: Security vulnerability assessment/management tool

Category : Blog

Jackhammer is a collaboration tool built with the aim of bridging the gap between the security team and the development and QA teams, and of helping TPMs understand and track the quality of the code going into production. It can perform static code analysis and dynamic analysis, with built-in vulnerability management capability. It finds security vulnerabilities in the target applications and helps security teams manage the chaos of this new age of continuous integration and continuous/multiple deployments.

It is built entirely around RBAC (Role Based Access Control). There are dashboards for individual scans and team scans, giving ample flexibility to collaborate with different teams. It is built on a fully pluggable architecture which can be integrated with any open source or commercial tool.

Jackhammer uses the OWASP pipeline project to run multiple open source and commercial tools against your code, web app, mobile app, cms (wordpress), network.

 

Features of Jackhammer:

  • Provides a unified interface to collaborate on findings
  • Scanning (code / web-app / mobile-app / wordpress / network) can be done for all code management repositories and URLs
  • Scheduling of scans at 3 intervals: daily, weekly, monthly
  • Advanced false positive filtering
  • Integrate other open source, commercial or custom scanners with Jackhammer within a few minutes
  • Real-time notification for scans
  • Publish vulnerabilities to bug tracking systems
  • Keep a tab on statistics and vulnerability trends in your applications
  • Integrates with the majority of open source and commercial scanning tools
  • User and role management giving greater control
  • Configurable severity levels on the list of findings across applications
  • Built-in vulnerability status progression
  • Additional support to upload results from other scanners (14 scanners already supported) and manage the vulnerabilities in Jackhammer
  • Intelligent filtering of vulnerabilities on different criteria to see what is actually needed

 

Static Code Analysis

Built-in scanning tools support the majority of popular languages such as Java, Ruby, Python, and Node.js. In addition to security vulnerabilities, it also finds vulnerabilities in deprecated libraries and the applicable publicly available CVEs.

For static analysis, this open source tool integrates with Brakeman, Bundler-Audit, Checkmarx, Dawnscanner, FindSecurityBugs, Xanitizer, NodeSecurityProject, PMD and Retire.js. If you are looking to find hard-coded secrets/tokens/credentials, Jackhammer uses Trufflehog. The base of all scans is an Nmap scan. For web application scanning, it uses Arachni and WPScan. Mobile scanning is also supported with Androbugs and Androguard. You can also add new scanners within a few minutes; the project’s user guide tells you how to do it. Finally, you can import results from other scanners such as Nmap, Burp Suite, ZAP, Nessus, QualysGuard, OpenVAS, Metasploit, Nexpose, Arachni, IBMApp, Fortify, SkipFish, W3af and Acunetix.

 

Dynamic Analysis

It can scan web applications, mobile applications, networks and content management systems, with and without authentication, and has a unique way of managing sessions for better identification of vulnerabilities.

 

Noriben: Portable, Simple, Malware Analysis Sandbox

Category : Uncategorized

Noriben is a Python-based script that works in conjunction with Sysinternals Procmon to automatically collect, analyze, and report on runtime indicators of malware. In a nutshell, it allows you to run your malware, hit a keypress, and get a simple text report of the sample’s activities.

Noriben allows you not only to run malware in a sandbox-like fashion, but also to log system-wide events while you manually run the malware in whatever particular way is needed to make it execute. For example, it can listen as you run malware that requires varying command line options or user interaction, or watch the system as you step through malware in a debugger.

Noriben requires only Sysinternals procmon.exe (or procmon64.exe) to function. It requires no pre-filtering (although it can help tremendously) because it includes a large number of whitelist items to reduce unwanted noise from system activity.

Cool Features of Noriben:

If you have a folder of YARA signature files, you can specify it with the --yara option. Every newly created file will be scanned against these signatures, with the results shown in the output.

If you have a VirusTotal API key, place it in a file named “virustotal.api” (or embed it directly in the script) to auto-submit MD5 file hashes to VT and get the number of antivirus detections.

You can add lists of MD5s to auto-ignore (such as all of your system files). Use md5deep and put them into a text file, then use --hash to read them.

You can automate the script for sandbox usage. Using -t to set the execution time and --cmd “path\exe” to specify a malware file, you can automatically run malware, copy the results off, and then revert to run a new sample.
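As an added example (not Noriben’s own code), the following shows the core of what Noriben does with Procmon output: read a CSV export, drop events from whitelisted processes and paths, keep only successful file writes, registry writes and network connections, and group them into a short report. The Procmon column names, the sample rows, the whitelist entries and the operation sets are constructed assumptions.

```python
import csv
import io
import re
from typing import Dict, List, Optional, Tuple

# Constructed Procmon-style CSV export (assumption: Procmon's default column names).
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.100","sample.exe","1234","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\svc_update.exe","SUCCESS","Desired Access: Generic Write"
"10:00:01.200","sample.exe","1234","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc_update","SUCCESS","Type: REG_SZ, Data: C:\\Users\\lab\\AppData\\Roaming\\svc_update.exe"
"10:00:01.300","sample.exe","1234","CreateFile","C:\\Windows\\Prefetch\\SAMPLE.EXE-1A2B3C4D.pf","SUCCESS","Desired Access: Generic Read"
"10:00:01.400","svchost.exe","880","RegQueryValue","HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters","SUCCESS",""
"10:00:01.500","sample.exe","1234","TCP Connect","10.0.0.5:49800 -> 203.0.113.7:443","SUCCESS",""
"10:00:01.600","sample.exe","1234","CreateFile","C:\\Users\\lab\\AppData\\Local\\Temp\\~DF1234.tmp","NAME NOT FOUND","Desired Access: Generic Read"
"""

# Whitelists (constructed examples of the kind Noriben ships with): known-noise paths and processes.
WHITELIST_PATHS = [
    r"^C:\\Windows\\Prefetch\\",                  # prefetch files are created by the OS, not the sample
    r"\\AppData\\Local\\Temp\\~DF[0-9A-F]+\.tmp$",  # transient Office/Explorer scratch files
]
WHITELIST_PROCS = {"svchost.exe", "explorer.exe", "procmon.exe", "procmon64.exe"}

# Operation names grouped by report section (assumed subset of Procmon's operation names).
FILE_WRITE_OPS = {"CreateFile", "WriteFile", "SetRenameInformationFile"}
REG_WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey"}
NETWORK_OPS = {"TCP Connect", "TCP Send", "UDP Send"}


def classify(row: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Decide which report section an event belongs to, or None if it is not an indicator."""
    if row["Result"] != "SUCCESS":
        return None
    op, path, detail = row["Operation"], row["Path"], row["Detail"]
    if op in FILE_WRITE_OPS:
        # Procmon logs opens and creates alike under CreateFile; only write access counts.
        if op != "CreateFile" or "Write" in detail:
            return ("files", path)
        return None
    if op in REG_WRITE_OPS:
        return ("registry", f"{path} = {detail}" if detail else path)
    if op in NETWORK_OPS:
        return ("network", path)
    return None


def build_report(csv_text: str, whitelist_paths: List[str], whitelist_procs) -> Dict[str, List[str]]:
    """Filter a Procmon CSV export through the whitelists and bucket what remains."""
    compiled = [re.compile(p, re.IGNORECASE) for p in whitelist_paths]
    report: Dict[str, List[str]] = {"files": [], "registry": [], "network": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() in whitelist_procs:
            continue
        if any(rx.search(row["Path"]) for rx in compiled):
            continue
        hit = classify(row)
        if hit is not None:
            section, summary = hit
            report[section].append(f"[{row['Process Name']}:{row['PID']}] {summary}")
    return report


def render_report(report: Dict[str, List[str]]) -> str:
    """Produce the simple text report an analyst reads after the run."""
    lines = []
    for section, title in (("files", "Files Written"), ("registry", "Registry Modified"),
                           ("network", "Network Traffic")):
        lines.append(f"== {title} ({len(report[section])}) ==")
        lines.extend(report[section])
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(build_report(SAMPLE_PROCMON_CSV, WHITELIST_PATHS, WHITELIST_PROCS)))
```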

Bypassing Anti-Sandboxing

One common use of Noriben is with malware that is VM- and sandbox-aware. Throwing the sample into any existing sandbox will most likely result in a report with no artifacts, as the malware didn’t run. Some applications look for manual user activity, such as mouse movement and clicking. Other malware may infect the WinHTTP stack and only trigger when a web browser is used. By just launching Noriben in the background, all of the system behavior is logged as the analyst manually controls the system to give the impression of a normal user. Once the file has been detonated, the results can be reviewed as a standard sandbox report.

Command Line-Based Applications

 

In rarer cases, malware samples require command line options in order to run. Launching these executables within a sandbox would immediately fail, as the malware does not have the arguments it needs to operate. However, an analyst manually controlling the malware while Noriben is running can quickly gather all system artifacts across the various command line options.

General Attack Artifacts

Even more interesting, Noriben has been used by pentesters to determine what system artifacts exist when launching an attack against a system or service. By monitoring files created or registry entries modified, a security analyst can determine all artifacts that result from running an attack, a PowerShell command, or a JavaScript-based web page.

Perfect for Malware Analysis on the Road

It is a common scenario for an analyst to have a proper sandbox environment in a home lab but only a laptop on the road. In working with various sales engineers and support staff from security companies, there were many times when they needed an immediate malware answer from their hotel room. Noriben was designed to be used with little effort, little setup, and little maintenance. Even if you don’t have a dedicated malware VM, any Windows VM will do! Even (a snapshot copy of) your corporate environment!

Pharos – Automated static analysis tools for binary programs

Category : Blog

Pharos is an open source static binary analysis framework that uses the ROSE compiler infrastructure, developed by Lawrence Livermore National Laboratory, for disassembly, control flow analysis, and instruction semantics. These features help you automate common reverse engineering tasks with a focus on malicious code analysis. The Pharos framework is made up of the following static binary analysis tools.

 

Pharos Static Binary Analysis Framework

The Pharos framework is a research project, and the code is undergoing active development. No warranties of fitness for any purpose are provided. While this release provides build instructions, unit tests, and some documentation, much work remains to be done. We’ve tested a few select build configurations, but have not actively tested the portability of the source code. See the installation instructions for more details.

Pharos Static Binary Analysis Tools

APIAnalyzer: APIAnalyzer is a signature-driven tool for finding sequences of API calls with the specified data and control relationships. This capability is intended to detect common operating system interaction patterns such as opening a file, writing to it, and then closing it.

OOAnalyzer: OOAnalyzer is a tool for the analysis and recovery of object oriented constructs. It helps you identify object members and methods by tracking object pointers between functions in the program. This tool was previously named “Objdigger” and is being redesigned to use XSB Prolog rules to recover the object attributes. Earlier, ObjDigger used definition-use analysis to identify object pointers, known as this pointers. It accumulates context-free facts that are exported to Prolog for higher-level semantic analysis. When a line of reasoning doesn’t work out, Prolog backtracks and searches for a different solution.

CallAnalyzer: Callanalyzer is a tool for reporting the static parameters to API calls in a binary program. It is largely a demonstration of our current calling convention, parameter analysis, and type detection capabilities, although it also provides useful analysis of the code in a program.

FN2Yara: FN2Yara is a tool to generate YARA signatures for matching functions in an executable program. Programs that share significant numbers of functions are likely to have behavior in common.

FN2Hash: FN2Hash is a tool for generating a variety of hashes and other descriptive properties for functions in an executable program. Like FN2Yara, it can be used to support binary similarity analysis, or to provide features for machine learning algorithms.

DumpMASM: DumpMASM is a tool for dumping disassembly listings from an executable using the Pharos framework in the same style as the other tools. It has not been actively maintained, and you should consider using ROSE’s standard recursiveDisassemble instead.

PyObjDigger: PyObjDigger is included as a plugin for the IDA Pro disassembler (located at tools/objdigger/ida) to allow you to ingest, view, and modify ObjDigger results directly in IDA Pro. One of the most useful PyObjDigger features is its ability to annotate virtual function calls with clickable labels.

Danger of Using Public WiFi | What You Need to Know – ICSS

Category : Blog

Danger of Using Public WiFi

WiFi users are at risk from hackers, but fortunately there are safeguards against them. The recent explosion of free, public WiFi has been an enormous boon for working professionals. Since these free access points are available at restaurants, hotels, airports, bookstores, and even random retail outlets, you are rarely more than a short trip away from access to your network, and your work. This freedom comes at a price, though, and few truly understand the public WiFi risks associated with these connections.

Along with convenience for the public, public WiFi hotspots can also provide an easy way for identity thieves and cybercriminals to monitor what you’re doing online and to steal your passwords, your personal information, or both. Never assume that a public WiFi network is safe or secure. Remember, these passwords are shared, so anyone nearby can easily hop onto the network and see what you’re doing.

Tips & Advice:

Risks of Using Public WiFi:

Today many, if not most, people carry some form of Internet-enabled device with them, whether it is a phone, laptop, tablet or some other technology. To get online without paying for a cellular connection, they turn to public Wi-Fi. However, there are many potential risks involved in using public Wi-Fi. Users are often not aware of exactly whose network they are joining, what data they are sharing or how they may be subject to a cyber attack.

Whose network you are joining?

Anyone can set up a wireless hotspot and name it as they wish. By setting their own network name (Service Set Identifier or SSID) to a common or commercially used SSID, someone running a rogue hotspot can attract connections from users who think they are joining a legitimate network. Some devices will automatically join networks with familiar SSIDs.

Which networks are safe

It is safest to assume that no public WiFi is secure. Airports are particularly risky locations due to the high concentration of targets who may not have access to a domestic cellular network and may have an urgent need to get online. Need often outweighs any perceived risk.

What are you agreeing to?

If you are asked to accept terms and conditions, ensure you read exactly what you are agreeing to. You may be agreeing to share more with your WiFi supplier than you think.

What data are you sharing?

Any unencrypted data sent over a WiFi network can be monitored and collected by anyone within radio range. You may be giving away information such as passwords, email content and web searches without realizing it.

Risk & Attacks:

Rogue WiFi Networks:

An attacker sets up a honeypot in the form of a free WiFi hotspot in order to harvest valuable data. The attacker's hotspot becomes the conduit for all data exchanged over the network, so every unencrypted request and response passes through hardware the attacker controls.
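Spotting a look-alike access point is mostly a matter of comparing what the scanner sees for one SSID. The script below is an added example for this section and for the "Whose network you are joining?" question above; it is not part of the original post. It runs over a hand-constructed list of beacons (a real scan would come from `iw dev wlan0 scan` or airodump-ng), and the heuristics it applies, the list of remembered SSIDs and the sample MAC addresses are assumptions for illustration.

```python
"""Triage a Wi-Fi scan for look-alike ("evil twin") access points.

Added example, not part of the original post.  The beacon records and the
remembered-SSID list are constructed for the demonstration; on a real system
they would come from a scanner such as `iw dev wlan0 scan` or airodump-ng.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str        # access point MAC address
    channel: int
    security: str     # "open", "wpa2" or "wpa3"
    signal_dbm: int


# Constructed sample scan: a shop network plus look-alikes.
SAMPLE_SCAN = [
    Beacon("CoffeeShop_Guest", "a4:2b:8c:01:02:03", 6, "wpa2", -55),
    # Same SSID, no encryption, much stronger signal, different vendor OUI.
    Beacon("CoffeeShop_Guest", "de:ad:be:ef:00:01", 11, "open", -40),
    Beacon("Airport_Free_WiFi", "00:11:22:33:44:55", 1, "open", -60),
    Beacon("Airport_Free_WiFi", "00:11:22:33:44:56", 1, "open", -62),
    # Locally administered MAC (bit 0x02 of the first octet set): software-defined.
    Beacon("xfinitywifi", "02:00:00:aa:bb:cc", 6, "open", -35),
]

# SSIDs this device has joined before and might auto-join (assumption).
KNOWN_SSIDS = {"CoffeeShop_Guest", "Airport_Free_WiFi"}


def is_locally_administered(bssid):
    """True when the MAC was assigned by software rather than burned in by the vendor."""
    return bool(int(bssid.split(":")[0], 16) & 0x02)


def oui(bssid):
    """First three octets: the vendor (OUI) part of the MAC address."""
    return bssid.lower()[:8]


def find_suspicious(beacons, known_ssids):
    """Return {bssid: [reasons]} for beacons that deserve a second look."""
    by_ssid = defaultdict(list)
    for b in beacons:
        by_ssid[b.ssid].append(b)

    findings = defaultdict(list)
    for ssid, group in by_ssid.items():
        securities = {b.security for b in group}
        ouis = {oui(b.bssid) for b in group}
        for b in group:
            # The classic evil twin: an open AP advertising the same SSID as a protected one.
            if len(securities) > 1 and b.security == "open":
                findings[b.bssid].append("open AP shares SSID with a protected AP")
            # Real multi-AP deployments usually use one vendor; mixed OUIs are odd.
            if len(ouis) > 1:
                findings[b.bssid].append("SSID served by APs with different vendor OUIs")
            if is_locally_administered(b.bssid):
                findings[b.bssid].append("locally administered BSSID (software-defined MAC)")
            # A remembered SSID that is open is exactly what auto-join will connect to.
            if ssid in known_ssids and b.security == "open":
                findings[b.bssid].append("open network with a remembered SSID; device may auto-join")
    return dict(findings)


if __name__ == "__main__":
    for bssid, reasons in find_suspicious(SAMPLE_SCAN, KNOWN_SSIDS).items():
        print(bssid, "->", "; ".join(reasons))
```

The check that one SSID is advertised both open and WPA2-protected is the strongest signal here. A careful attacker can also clone the legitimate BSSID, in which case only channel and signal strength differ, so treat the output as triage rather than proof.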

Man-In-The-Middle (MITM) Attacks:

An attacker compromises a WiFi hotspot in order to insert himself into the communications between the victim and the hotspot, to intercept and modify the data in transit.

Packet Sniffing:

An attacker monitors and intercepts unencrypted data as it travels across an unprotected network.
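To make the risk concrete, this added example (not from the original post) parses one constructed cleartext HTTP request the way a passive sniffer on an open network would see it and pulls out the credential material it carries. The request bytes, host name, cookie and form field names are made up for the demonstration.

```python
"""Show what a passive sniffer on an open network can lift from cleartext HTTP.

Added example, not part of the original post.  CAPTURED_REQUEST is a
constructed login request; real input would come from a packet capture
(e.g. a followed TCP stream in Wireshark), not from a literal in the script.
"""
import base64
from urllib.parse import parse_qs

# Constructed capture: form login with an HTTP Basic header and a session cookie.
CAPTURED_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    b"Cookie: session=3f9a1c; remember=1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 34\r\n"
    b"\r\n"
    b"username=alice&password=hunter2%21"
)

# Form field names that commonly hold secrets (assumption for this example).
SECRET_FIELDS = {"password", "passwd", "pass", "pwd", "token", "otp"}


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return lines[0], headers, body[:length]


def extract_credentials(raw):
    """Return everything an eavesdropper could use from one cleartext request."""
    request_line, headers, body = parse_http_request(raw)
    found = {"request": request_line, "host": headers.get("host")}

    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":
        # Basic auth is only base64, not encryption: user:password is readable.
        user, _, password = base64.b64decode(token).decode("utf-8", "replace").partition(":")
        found["basic_auth"] = (user, password)

    if "cookie" in headers:
        # A session cookie is as good as the password until it expires.
        found["cookies"] = dict(
            c.strip().split("=", 1) for c in headers["cookie"].split(";") if "=" in c
        )

    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body.decode("utf-8", "replace"))
        found["form_fields"] = sorted(form)
        found["form_secrets"] = {k: v[0] for k, v in form.items() if k.lower() in SECRET_FIELDS}
    return found


if __name__ == "__main__":
    for key, value in extract_credentials(CAPTURED_REQUEST).items():
        print(f"{key}: {value}")
```

The same request sent over HTTPS would arrive inside TLS records: the eavesdropper would still see the destination host name in the TLS handshake and the sizes and timing of the messages, but none of the headers, cookies or form fields that this script recovers.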

Anyone Can be an Attacker:

The tools required to carry out such an attack can often be easily obtained, therefore an attacker requires little technical experience or skill to carry out his criminal activities.

Data is a Valuable Commodity:

Attackers can monetise many types of stolen data, and therefore they seek information such as online banking credentials, Bitcoin wallets and other sensitive data that can be used in identity fraud.

Safety Considerations:

 

DO's

  • Use a virtual private network (VPN) to keep your data encrypted in transit. A VPN tunnels all of your traffic to a provider you trust, so the hotspot operator and anyone sniffing the air see only encrypted packets.
  • Enable your firewall.
  • Look out for HTTPS in your browser bar. It indicates that TLS encryption is active between your browser and the site, so your communication is far harder to read or tamper with on the local network. Do not click through certificate warnings on a public network; a warning is exactly what a man-in-the-middle attack looks like from the browser's side.
  • Turn off the automatic connection feature within the Wi-Fi settings to prevent your device from connecting to public or open Wi-Fi networks without your consent.
  • Keep your software patched and updated.
  • Use anti-virus software and ensure it is up to date.
DONT's

  • Assume that a Wi-Fi network with a trustworthy SSID is genuine.
  • Share sensitive or personal data over a public Wi-Fi network unless you are sure the connection is secure, i.e. encrypted via HTTPS or a VPN.

Deep-pwning | Metasploit for machine learning

Category : Blog

Deep-pwning

Deep-pwning is a lightweight framework for experimenting with machine learning models with the goal of evaluating their robustness against a motivated adversary.

Note that deep-pwning in its current state is nowhere close to maturity or completion. It is meant to be experimented with, expanded upon, and extended by you. Only then can we help it truly become the goto penetration testing toolkit for statistical machine learning models.

Structure:

Researchers have found that it is surprisingly trivial to trick a machine learning model (classifier, clusterer, regressor etc.) into making an objectively wrong decision. This field of research is called Adversarial Machine Learning. It is not hyperbole to claim that any motivated attacker can bypass any machine learning system, given enough information and time. However, this issue is often overlooked when architects and engineers design and build machine learning systems. The consequences are worrying when these systems are put into use in critical scenarios, such as in the medical, transportation, financial, or security-related fields.

Hence, when one is evaluating the efficacy of applications using machine learning, their malleability in an adversarial setting should be measured alongside the system’s precision and recall.

This framework is built on top of Tensorflow, and many of the included examples in this repository are modified Tensorflow examples obtained from the Tensorflow GitHub repository.

All of the included examples and code implement deep neural networks, but they can be used to generate adversarial images for similarly tasked classifiers that are not implemented with deep neural networks. This is because of the phenomenon of 'transferability' in machine learning, which Papernot et al. expound upon in this paper. It means that adversarial samples crafted with a DNN model A may be able to fool another, distinctly structured DNN model B, as well as some other SVM model C.
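The reasoning in the two paragraphs above can be shown end to end with a very small model. The code below is an added example and not code from the deep-pwning repository, which targets TensorFlow networks; to keep it runnable without any ML library it uses a two-feature logistic-regression "model A" and a nearest-centroid "model B", both trained on a small constructed dataset, and crafts an adversarial point with the fast gradient sign method (FGSM, Goodfellow et al.) using model A's gradients only. The data, the epsilon and the choice of the second model are assumptions for illustration.

```python
"""Toy adversarial-example demo: FGSM against one model, transfer to another.

Added example, not code from the deep-pwning repository (which targets
TensorFlow networks).  Model A is a two-feature logistic regression, model B
a nearest-centroid classifier; the training points are constructed.
"""
import math

# Constructed, linearly separable two-class data (features in arbitrary units).
CLASS0 = [(1.0, 1.2), (0.8, 1.0), (1.3, 0.9), (1.1, 1.4), (0.7, 1.3), (1.2, 1.1)]
CLASS1 = [(3.0, 2.8), (3.2, 3.1), (2.9, 3.3), (3.4, 2.9), (3.1, 3.0), (2.8, 3.2)]
DATA = [(x, 0) for x in CLASS0] + [(x, 1) for x in CLASS1]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


class LogisticModel:
    """Model A: logistic regression trained by full-batch gradient descent."""

    def __init__(self):
        self.w = [0.0, 0.0]
        self.b = 0.0

    def prob(self, x):
        return sigmoid(self.w[0] * x[0] + self.w[1] * x[1] + self.b)

    def predict(self, x):
        return int(self.prob(x) >= 0.5)

    def fit(self, data, lr=0.1, epochs=2000):
        n = len(data)
        for _ in range(epochs):
            gw0 = gw1 = gb = 0.0
            for x, y in data:
                err = self.prob(x) - y          # d(cross-entropy)/d(logit)
                gw0 += err * x[0] / n
                gw1 += err * x[1] / n
                gb += err / n
            self.w = [self.w[0] - lr * gw0, self.w[1] - lr * gw1]
            self.b -= lr * gb
        return self

    def input_gradient(self, x, y):
        """Gradient of the cross-entropy loss with respect to the input, not the weights."""
        err = self.prob(x) - y
        return [err * self.w[0], err * self.w[1]]


class CentroidModel:
    """Model B: nearest-centroid classifier, structurally unlike model A."""

    def fit(self, data):
        self.centroids = {}
        for label in (0, 1):
            pts = [x for x, y in data if y == label]
            self.centroids[label] = tuple(sum(c) / len(pts) for c in zip(*pts))
        return self

    def predict(self, x):
        return min(self.centroids, key=lambda k: math.dist(x, self.centroids[k]))


def fgsm(model, x, y, eps):
    """Fast gradient sign method: move each feature eps in the direction that raises the loss."""
    grad = model.input_gradient(x, y)
    return tuple(xi + eps * (1 if gi > 0 else -1 if gi < 0 else 0) for xi, gi in zip(x, grad))


def accuracy(model, data):
    return sum(model.predict(x) == y for x, y in data) / len(data)


def transfer_demo(eps=1.5):
    """Craft an adversarial point using model A only; report whether model B is fooled too."""
    model_a = LogisticModel().fit(DATA)
    model_b = CentroidModel().fit(DATA)
    x_clean, y = (1.1, 1.4), 0            # a genuine class-0 point
    x_adv = fgsm(model_a, x_clean, y, eps)
    return {
        "clean_acc_a": accuracy(model_a, DATA),
        "clean_acc_b": accuracy(model_b, DATA),
        "a_fooled": model_a.predict(x_adv) != y,
        "b_fooled": model_b.predict(x_adv) != y,   # transferability
        "x_adv": x_adv,
    }


if __name__ == "__main__":
    print(transfer_demo())
```

The perturbation is coarse because the toy has only two features; in a high-dimensional image model the same sign-of-gradient step is spread over thousands of pixels and each one moves only slightly. The part that matters for the argument above is that the adversarial input was computed from model A's gradients alone and still flips model B, which shares nothing with A except the training data.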

Components:

Deep-pwning is modularized into several components to minimize code repetition. Because of the vastly different nature of potential classification tasks, the current iteration of the code is optimized for classifying images and phrases (using word vectors).

These are the code modules that make up the current iteration of Deep-pwning:

  1. Drivers: the drivers are the main execution point of the code. This is where you tie the different modules and components together, and where you can inject more customizations into the adversarial generation process.
  2. Models: where the actual machine learning model implementations are located. For example, the provided lenet5 model definition is located in the model() function within lenet5.py.


Malware

Malware | Trojans & Keyloggers | ICSS Student |Gopal Roy

Category : Blog

Malware

Malware means malicious software. In fact, it has been a problem for ages. It is basically a program designed to infect a computer without the owner's knowledge.

Type of Malware

Malware exists in many forms. Some common types of malware that one needs to keep track of are:

  1. Trojan Horse: A Trojan horse is a common type of malware that disguises itself as legitimate software. It is mostly used to control the victimized computer rather than to infect or destroy files on it. Once installed on the victim's system, a Trojan can give the attacker complete access to the victim's computer, which makes Trojans one of the most dangerous forms of malware.

2. Computer Virus: A computer virus is a malicious program that infects a computer and then replicates itself. A virus needs a host file or program to attach itself to in order to spread.

3. Worms: Worms are similar to computer viruses. The key difference is that a worm does not require a host file to attach to; it spreads on its own, typically across the network. Once a worm infects a computer, it replicates itself and seeks out other reachable machines. Computer worms are major threats to large networks.

4. Keyloggers: A keylogger is a hardware device or a piece of software that records every keystroke typed on a computer, and often screenshots, chats, etc. as well. A software keylogger does not require physical access to the user's computer. Anyone with basic computer knowledge can use a keylogger.

5. Adware: Adware stands for advertisement-supported software. Adware is commonly designed to display advertisements on a computer. However, some adware bundles harmful viruses and spying programs, which can harm the computer system.

After understanding malware, its types and their functions, let us look at keyloggers in detail.

Keyloggers:

Keyloggers are of two types:

  • Hardware keylogger
  • Software keylogger

A hardware keylogger is a physical device used to record keystrokes. It is plugged in between the keyboard's plug and the USB or PS/2 port on the computer, and it works with both PS/2 and USB keyboards. It looks similar to a normal USB drive or any other computer peripheral, so victims rarely realize that it is a keylogger. A hardware keylogger has built-in memory, which stores the captured keystrokes.

Figures: 1. Hardware keylogger; 2. PS/2 keylogger; 3. USB keylogger.

Keygrabber – Best Hardware Keylogger

Keygrabber is one of the best-known and most popular hardware keyloggers across the globe, primarily because of its large storage capacity. The Keygrabber keystroke recorder comes in a standard version with 4 MB of memory (about 2,000,000 keystrokes, over 1,000 pages of text) and a Venom version that holds 2 billion keystrokes (over 1 million pages of text), organized in an advanced flash FAT file system. It is compatible with all three major operating systems, i.e., Windows, Linux and Mac OS.

Features of hardware keylogger:

*Observes web, e-mail and chat usage by children and employees

*Monitors employee productivity

*Protects children from online hazards and predators

*Saves a copy of the typed text

*Records all keystrokes, even Facebook passwords

*Huge memory capacity, organized as an advanced flash FAT file system

Software Keyloggers:

A hardware keylogger is useful only if you have physical access to the victim's computer, and if the victim happens to notice the device, your intention is exposed. When physical access is not available, software keyloggers come into the picture.

Software keyloggers can also be classified into two types:

*Local keylogger

*Remote keylogger

Local keylogger: These are used to monitor a local computer (even your own PC). They are easy to install and hard to detect. Once installed on the computer, they become really difficult to find, because the keylogger hides itself from the Task Manager, the Windows Registry, etc.

Whenever you want to see the logs, screenshots, etc., you press a hotkey (for example, Shift+Ctrl+F10).

There are hundreds of keyloggers available nowadays. However, only some of them are user-friendly and actually capable of hiding themselves once they are installed.

Some popular local keyloggers are:

  • Spy Agent
  • Refog Keylogger

Spy Agent:

Spy Agent is an award-winning software package used to monitor both local and remote computers. It invisibly monitors all computer usage and Internet activity. SpyAgent's logging capabilities are extensive: it can log anything from what the users type to the files they print and the programs they run, all time-stamped by date for easy viewing. All logs are easily saved and exported for later use. SpyAgent can be configured to log all users on your computer with ease, and it monitors and logs both sides of all chat conversations made on chat clients (supported clients include the latest versions of AOL, AOL Instant Messenger, MSN Messenger, ICQ Pro and ICQ Lite).

Features of Spy Agent keylogger:

It records:

*Keystrokes

*Internet connections

*Internet conversations

*Website activity

*E-mail sent and received

*Files/documents accessed and printed

*Window activity

*Application usage

*Screenshots

*Clipboard contents

*Events

*Activity logs

Refog Keylogger:

Refog is extremely powerful and has a very low antivirus detection rate. It is one of the leading remote password-capturing programs, combining remote install and remote viewing features. Once it is installed on the remote PC(s), the user only needs to log in to his or her personal Refog account to view the activity logs of the remote PC. This means that the user can view logs of the remote PC from anywhere in the world, as long as he or she has Internet access.

Features of Refog Keylogger are as follows:

  1. Keystroke recording: Once installed and running, Refog registers all keys pressed by the user, thus acting as a keylogger. This function captures all data entered using the keyboard, including chats, usernames, passwords, e-mail, search queries and other content. In addition to key logging, Refog can also log clipboard text.
  2. Web history logging: Even if users delete their browser history, the information is retained in Refog's log database and is always available via the reports function. All relevant information can be collected, including URLs visited, page titles, etc.
  3. Application monitoring: Since Refog can record all programs executed on a PC, it is possible to establish whether a child is playing a game instead of doing homework or an employee is wasting time.

Remote Keylogger:

Remote keyloggers are used for the purpose of monitoring a remote PC. Once a remote keylogger is installed on your computer, the attacker can get your keystrokes, your webcam shots, chat logs, etc., from any part of the world.

You can find tons of remote keyloggers on the web, but many of them are either not capable of properly recording keystrokes or have a high antivirus detection rate. One keylogger worth the price is WinSpy.

WinSpy Keylogger:

WinSpy is a stealth monitoring package that monitors both a local PC and a remote PC. It includes remote install and a real-time remote PC viewer. WinSpy captures anything the user sees on screen or types on the keyboard.

Features:

*Remote screen capture

*Remote monitoring

*Remote PC browser

*Notifies when the user is online

*Remote sound listening/recording

*Remote camera view/recording

*Remote file launch

*Dual-side chat recording

*Remote shutdown

*Remote FTP

*Webcam motion detection

*Web access to the remote PC

*SMS intruder alert

*Works behind firewalls

RAT (TROJANS):

A RAT, or 'Remote Administration Tool', is one of the most dangerous types of malware. It is very similar to a Trojan and is usually delivered as one. Once a RAT is installed on a computer, the attacker can do almost anything on the remote computer, such as installing a keylogger, shutting down the computer, infecting files, uploading and downloading files, etc. If the Trojan manages to elevate its privileges, it can go about installing other malicious code. If the user has administrative access to the operating system, the Trojan can do anything that an administrator can.

A compromise of any system on a network may have consequences for other systems on the network. Particularly vulnerable are systems that transmit authentication material, such as passwords, over shared networks in clear text or in a trivially encrypted form, which is very common. If a system on such a network is compromised via a Trojan (or another method), the intruder may be able to record usernames and passwords or other sensitive information as it travels across the network.

Some common types of RATs are:

*ProRat

*Lost Door
Function:

Trojans work on the client-server model. A Trojan comes in two parts, a client and a server. The attacker uses the client to connect to the server, which runs on the remote machine once the remote user (unknowingly) executes the Trojan. The typical protocol used by most Trojans is TCP/IP; however, some functions of a Trojan may make use of UDP as well.

When the server is activated on the remote computer, it tries to remain in stealth mode, or simply stay hidden. This is configurable; for example, in the Back Orifice Trojan the server can be configured to remain in stealth mode and hide its processes. Once activated, the server starts to listen on default or configured ports for incoming connections from the attacker. It is usual for a Trojan to also modify the registry and/or use some other auto-starting method.

Most Trojans use auto-starting methods so that the server is restarted every time the remote machine reboots, which in turn also notifies the attacker. As these features are countered, new auto-starting methods keep evolving. The start-up methods range from associating the Trojan with common executable files such as explorer.exe to the well-known methods of modifying system files or the Windows Registry. Some of the popular system files and locations targeted by Trojans are the Startup folder, win.ini, system.ini, wininit.ini, winstart.bat, autoexec.bat and config.sys.
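A defender reading the list above will want to check those locations rather than learn to abuse them, so the following added example (not from the original post) audits the legacy win.ini and system.ini start-up keys and the Run key from a `.reg` export for anything that departs from a stock baseline. The file contents, the export, the baseline and the trusted-path list are constructed for this example; on a live host they would come from the real files, from `reg export`, or from a tool such as Autoruns.

```python
"""Audit legacy Windows auto-start locations for entries that differ from a stock baseline.

Added example, not part of the original post.  WIN_INI, SYSTEM_INI and
REG_EXPORT are constructed inputs; on a live host read C:\\Windows\\win.ini,
C:\\Windows\\system.ini and the output of
`reg export "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" run.reg`.
The baseline and trusted-path list are assumptions for illustration.
"""
import configparser
import re

WIN_INI = """[windows]
load=
run=C:\\Users\\Public\\svchost.exe
NullPort=None
[fonts]
"""

SYSTEM_INI = """[boot]
shell=explorer.exe C:\\ProgramData\\update.exe
[drivers]
wave=mmdrv.dll
"""

REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="\"C:\\Users\\Public\\svchost.exe\" -silent"
"""

# Stock values for the legacy keys (assumption: a clean install has these).
EXPECTED = {
    ("win.ini", "load"): "",
    ("win.ini", "run"): "",
    ("system.ini", "shell"): "explorer.exe",
}
# Run-key commands are tolerated only when they start from these paths (assumption).
TRUSTED_RUN_PREFIXES = ("%windir%\\", "c:\\windows\\", "c:\\program files")


def ini_values(text, section, keys):
    """Read selected keys of one section of an .ini file; missing keys read as empty."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {k: cp.get(section, k, fallback="").strip() for k in keys}


def run_key_values(reg_text):
    """Parse "Name"="command" lines under a ...\\CurrentVersion\\Run key in a .reg export."""
    entries, in_run = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_run = line.rstrip("]").lower().endswith("\\currentversion\\run")
            continue
        m = re.match(r'^"(.+?)"="(.*)"$', line)
        if in_run and m:
            # .reg files escape quotes and backslashes inside string values; undo that.
            entries[m.group(1)] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return entries


def audit(win_ini=WIN_INI, system_ini=SYSTEM_INI, reg_export=REG_EXPORT):
    """Return (location, key, value) for every auto-start entry that departs from the baseline."""
    findings = []
    for name, text, section, keys in (
        ("win.ini", win_ini, "windows", ("load", "run")),
        ("system.ini", system_ini, "boot", ("shell",)),
    ):
        for key, value in ini_values(text, section, keys).items():
            if value.lower() != EXPECTED[(name, key)]:
                findings.append((name, key, value))

    for name, command in run_key_values(reg_export).items():
        # The executable is the quoted part, or the text up to the first space.
        exe = command[1:].split('"', 1)[0] if command.startswith('"') else command.split(" ", 1)[0]
        if not exe.lower().startswith(TRUSTED_RUN_PREFIXES):
            findings.append(("Run key", name, command))
    return findings


if __name__ == "__main__":
    for location, key, value in audit():
        print(f"{location:10} {key:<15} {value}")
```

The three findings on the constructed input are the `run=` line in win.ini, a `shell=` value that launches something besides explorer.exe, and a Run entry pointing into a user-writable directory; the entry under %windir% is left alone. A path-based allow-list is only a first filter, since malware can also drop files into trusted directories, so confirm flagged binaries by hash or signature before acting.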

Now, having a clear idea of RATs (Trojans), let us see how a Trojan can be used to compromise a system.

ProRat:

ProRat is a powerful remote administration tool (RAT) built on a backdoor Trojan. It opens a port on the infected system, which allows the client to perform various operations on the infected computer. ProRat cannot connect to targets over WANs (Wide Area Networks); it can connect only over LANs (Local Area Networks). However, once ProRat is installed, it is almost impossible to remove without up-to-date antivirus software.

The following procedure is usually followed by a hacker to take control of the victim's computer using ProRat. It also discusses some of the functions that can be performed with the help of this Trojan. Here the author uses the term 'you' to refer to the hacker.
