Monthly Archives: April 2018


Noriben: Portable, Simple, Malware Analysis Sandbox

Category : Uncategorized


Noriben is a Python-based script that works in conjunction with Sysinternals Procmon to automatically collect, analyze, and report on runtime indicators of malware. In a nutshell, it allows you to run your malware, hit a keypress, and get a simple text report of the sample’s activities.

Noriben allows you not only to run malware as a sandbox would, but also to log system-wide events while you manually run the malware in whatever way is needed to make it execute. For example, it can listen as you run malware that requires varying command-line options or user interaction, or watch the system as you step through malware in a debugger.

Noriben only requires Sysinternals procmon.exe (or procmon64.exe) to function. It requires no pre-filtering (although it might tremendously assist) because it incorporates quite a few whitelist items to reduce unwanted noise from system activity.


Cool Features of Noriben:

If you have a folder of YARA signature files, you can specify it with the --yara option. Every newly created file will be scanned against these signatures, with the results displayed in the output report.

If you have a VirusTotal API key, place it in a file named “virustotal.api” (or embed it directly in the script) to auto-submit MD5 file hashes to VT and get the number of detections.

You can add lists of MD5s to auto-ignore (such as all of your system files). Use md5deep, put the hashes in a text file, and use --hash to read them.

You can automate the script for sandbox usage. Using -t to set the execution time and --cmd “path\exe” to specify a malware file, you can automatically run malware, copy the results off, and then revert to run a new sample.
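The noise-reduction and hash-ignore ideas above, as an added example written for this page (not Noriben’s own source): the Procmon CSV lines, the whitelist patterns and the path-to-MD5 table are all constructed, and the filter functions are simplified stand-ins for what Noriben does over a real Procmon export.

```python
"""Minimal Procmon-CSV triage in the spirit of Noriben (added example, not Noriben code)."""
import csv
import io
import re

# Constructed Procmon CSV export; the header matches Procmon's default columns.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:02:03.1000000 PM","malware.exe","4120","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 4188, Command line: cmd.exe /c ipconfig /all"
"1:02:03.2000000 PM","malware.exe","4120","CreateFile","C:\Users\analyst\AppData\Roaming\update.exe","SUCCESS","Desired Access: Generic Write"
"1:02:03.3000000 PM","malware.exe","4120","CreateFile","C:\Windows\Prefetch\MALWARE.EXE-1A2B3C4D.pf","SUCCESS","Desired Access: Generic Write"
"1:02:03.4000000 PM","malware.exe","4120","CreateFile","C:\Users\analyst\AppData\Local\Temp\known.dll","SUCCESS","Desired Access: Generic Write"
"1:02:03.5000000 PM","malware.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 84, Data: C:\Users\analyst\AppData\Roaming\update.exe"
"1:02:03.6000000 PM","svchost.exe","812","RegQueryValue","HKLM\System\CurrentControlSet\Services\Schedule\Start","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"1:02:03.7000000 PM","malware.exe","4120","TCP Connect","10.0.0.5:49152 -> 203.0.113.10:443","SUCCESS","Length: 0"
'''

# Constructed whitelists in the same spirit as Noriben's built-in noise filters.
WHITELIST_PROCESSES = [re.compile(p, re.I) for p in
                       (r'^svchost\.exe$', r'^explorer\.exe$', r'^procmon(64)?\.exe$')]
WHITELIST_PATHS = [re.compile(p, re.I) for p in
                   (r'^C:\\Windows\\Prefetch\\', r'^C:\\Windows\\Temp\\~')]

# Constructed stand-in for hashing each created file on disk (Noriben runs MD5 itself).
FILE_MD5 = {
    r'C:\Users\analyst\AppData\Roaming\update.exe': 'constructed-md5-aaaa',
    r'C:\Users\analyst\AppData\Local\Temp\known.dll': 'constructed-md5-bbbb',
}
# Hashes to auto-ignore, e.g. the md5deep output for a clean system image.
IGNORED_MD5 = {'constructed-md5-bbbb'}


def parse_procmon_csv(text):
    """Return one dict per Procmon event, keyed by the CSV header names."""
    return list(csv.DictReader(io.StringIO(text)))


def is_noise(ev):
    """True when the event comes from a whitelisted process or touches a whitelisted path."""
    if any(p.search(ev['Process Name']) for p in WHITELIST_PROCESSES):
        return True
    return any(p.search(ev['Path']) for p in WHITELIST_PATHS)


def build_report(text, ignored_md5=IGNORED_MD5):
    """Group successful, non-noise events into the sections a Noriben report has."""
    report = {'processes': [], 'files': [], 'registry': [], 'network': []}
    for ev in parse_procmon_csv(text):
        if ev['Result'] != 'SUCCESS' or is_noise(ev):
            continue
        who = f"{ev['Process Name']}:{ev['PID']}"
        op, path, detail = ev['Operation'], ev['Path'], ev['Detail']
        if op == 'Process Create':
            m = re.search(r'Command line: (.*)', detail)
            report['processes'].append(f"[CreateProcess] {who} > {m.group(1) if m else path}")
        elif op == 'CreateFile' and 'Generic Write' in detail:
            md5 = FILE_MD5.get(path, 'unknown')
            if md5 in ignored_md5:          # known-good file: drop it from the report
                continue
            report['files'].append(f"[CreateFile] {who} > {path}\t[MD5: {md5}]")
        elif op == 'RegSetValue':
            m = re.search(r'Data: (.*)', detail)
            report['registry'].append(f"[RegSetValue] {who} > {path} = {m.group(1) if m else ''}")
        elif op in ('TCP Connect', 'TCP Send', 'UDP Send'):
            report['network'].append(f"[{op}] {who} > {path}")
    return report


def render(report):
    """Plain-text rendering, one section per event category."""
    lines = []
    for section, entries in report.items():
        lines.append(f"== {section.capitalize()} ==")
        lines.extend(entries or ['(none)'])
    return '\n'.join(lines)


if __name__ == '__main__':
    print(render(build_report(SAMPLE_CSV)))
```

With the constructed input, the report keeps the cmd.exe launch, the dropped update.exe, the Run-key persistence entry and the outbound connection, while the svchost.exe, Prefetch and known-hash events are filtered out.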


Bypassing Anti-Sandboxing

One common use case for Noriben is malware that is VM- and sandbox-aware. Throwing the sample into any existing sandbox will most likely result in a report with no artifacts, as the malware didn’t run. Some samples look for manual user activity, such as mouse movement and clicking. Other malware may infect the WinHTTP stack and only trigger when a web browser is used. By simply launching Noriben in the background, all of the system behavior is logged while the analyst manually controls the system to give the impression of a normal user. Once the file has been detonated, the results can be reviewed as a standard sandbox report.


Command Line-Based Applications

 

Rarer cases are malware samples that require command-line options in order to run. Launching these executables within a sandbox would immediately fail, as the malware does not have the arguments it needs to operate. However, an analyst manually controlling the malware while Noriben is running can quickly gather all system artifacts across the various command-line options.


General Attack Artifacts

Even more interesting, Noriben has been used by pentesters to determine what system artifacts exist when launching an attack against a system or service. By monitoring files created or registry entries modified, a security analyst can determine all artifacts that result from running an attack, a PowerShell command, or a JavaScript-based web page.


Perfect for Malware Analysis on the Road

It is a common scenario that an analyst has a proper sandbox environment in a home lab but, on the road, has only a laptop. In working with various Sales Engineers and Support individuals from security companies, there were many times when they needed an immediate malware answer from their hotel room. Noriben was designed to be used with little effort, little setup, and little maintenance. Even if you don’t have a dedicated malware VM, any Windows VM will do! Even <a snapshot copy of> your corporate environment!


Highest Selling Technical Courses of Indian Cyber Security Solutions:

Certified Ethical Hacker Training in Bhubaneswar

Certified Ethical Hacker Training in Bangalore

Ethical Hacking Training in Bangalore

Ethical Hacking Training in Hyderabad

Certified Ethical Hacker Certification – C | EH v10

Summer Training for CSE, IT, BCA & MCA Students 

Network Penetration Testing training

Ethical Hacking  training

Python Programming training

Diploma in Network Security Training

Secured Coding in Java

Certified Network Penetration Tester 

Certified Web Application Penetration Tester 

Certified Android Penetration Tester 

Certified Python Programming 

Advance Python Training 

Reverse Engineering Training  

Amazon Web Services Training  

VMware Training 

 

Cybersecurity services that can protect your company:

Web Security | Web Penetration Testing

Network Penetration Testing – NPT

Android App Penetration Testing

Source Web Development

Source Code Review

Android App Development

Digital Marketing Consultancy

Data Recovery

 

Other Location for Online Courses:

Bhubaneswar

Bangalore

Hyderabad

 



Pharos – Automated static analysis tools for binary programs

Category : Blog


Pharos is an open-source static binary analysis framework that uses the ROSE compiler infrastructure, developed by Lawrence Livermore National Laboratory, for disassembly, control flow analysis, and instruction semantics. These features help you automate common reverse engineering tasks with a focus on malicious code analysis. The Pharos framework is made up of the following static binary analysis tools.

 


Pharos Static Binary Analysis Framework

The Pharos framework is a research project, and the code is undergoing active development. No warranties of fitness for any purpose are provided. While this release provides build instructions, unit tests, and some documentation, much work remains to be done. We’ve tested a few select build configurations, but have not actively tested the portability of the source code. See the installation instructions for more details.


Pharos Static Binary Analysis Tools

APIAnalyzer: The APIAnalyzer is a signature-driven tool for finding sequences of API calls with the specified data and control relationships. This capability is intended to be used to detect common operating system interaction patterns such as opening a file, writing to it, and then closing it.


OOAnalyzer: OOAnalyzer is a tool for the analysis and recovery of object-oriented constructs. It helps you identify object members and methods by tracking object pointers between functions in the program. This tool was previously named “ObjDigger” and is being redesigned to use XSB Prolog rules to recover the object attributes. Earlier, ObjDigger used definition-use analysis to identify object pointers, known as this-pointers. It accumulates context-free facts that are exported to Prolog for higher-level semantic analysis. When a line of reasoning doesn’t work out, Prolog backtracks and searches for a different solution.


CallAnalyzer: CallAnalyzer is a tool for reporting the static parameters to API calls in a binary program. It is largely a demonstration of our current calling convention, parameter analysis, and type detection capabilities, although it also provides useful analysis of the code in a program.


FN2Yara: FN2Yara is a tool to generate YARA signatures for matching functions in an executable program. Programs that share significant numbers of functions are likely to have behavior in common.


FN2Hash: FN2Hash is a tool for generating a variety of hashes and other descriptive properties for functions in an executable program. Like FN2Yara, it can be used to support binary similarity analysis or to provide features for machine learning algorithms.


DumpMASM: DumpMASM is a tool for dumping disassembly listings from an executable using the Pharos framework in the same style as the other tools. It has not been actively maintained, and you should consider using ROSE’s standard recursiveDisassemble instead.


PyObjDigger: PyObjDigger is included as a plugin for the IDA Pro disassembler (located at tools/objdigger/ida) to allow you to ingest, view, and modify ObjDigger results directly in IDA Pro. One of the most useful PyObjDigger features is its ability to annotate virtual function calls with clickable labels.



Danger of Using Public WiFi | What You Need to Know – ICSS

Category : Blog


WiFi users are at risk from hackers, but fortunately there are safeguards against them. The recent explosion of free, public WiFi has been an enormous boon for working professionals. Since these free access points are available at restaurants, hotels, airports, bookstores, and even random retail outlets, you are rarely more than a short trip away from access to your network, and your work. This freedom comes at a price, though, and few truly understand the public WiFi risks associated with these connections.

Along with convenience, public WiFi hotspots can also provide an easy way for identity thieves and cybercriminals to monitor what you’re doing online and to steal your passwords, your personal information, or both. Never assume that a public WiFi network is safe or secure. Remember, these passwords are shared, so anyone nearby can easily hop onto the network and see what you’re doing.


Tips & Advice:

Risks of Using Public WiFi:

Today many, if not most, people carry some form of Internet-enabled device with them, whether it is a phone, laptop, tablet or some other technology. To get online and avoid the extra expense of a cellular connection, many of them use public Wi-Fi. However, there are many potential risks involved in using public Wi-Fi. Users are often not aware of exactly whose network they are joining, what data they are sharing or how they may be subject to a cyber attack.


Whose network are you joining?

Anyone can set up a wireless hotspot and name it as they wish. By setting their own network name (Service Set Identifier or SSID) to a common or commercially used SSID, someone running a rogue hotspot can attract connections from users who think they are joining a legitimate network. Some devices will automatically join networks with familiar SSIDs.


Which networks are safe?

It is safest to assume that no public WiFi is secure. Airports are particularly risky locations due to the high concentration of targets that may not have access to a domestic cellular network and may have an urgent need to get online. Need often outweighs any perceived risk.


What are you agreeing to?

If you are asked to accept terms and conditions, ensure you read exactly what you are agreeing to. You may be agreeing to share more with your WiFi supplier than you think.


What data are you sharing?

Any unencrypted data sent through a WiFi network can be monitored and collected. You may be potentially giving away information such as passwords, email content and web searches.


Risk & Attacks:

Rogue WiFi Networks:

An attacker sets up a honeypot in the form of a free WiFi hotspot in order to harvest valuable data. The attacker’s hotspot becomes the conduit for all data exchanged over the network.


Man-In-The-Middle (MITM) Attacks:

An attacker compromises a WiFi hotspot in order to insert himself into the communications between the victim and the hotspot, to intercept and modify the data in transit.


Packet Sniffing:

An attacker monitors and intercepts unencrypted data as it travels across an unprotected network.


Anyone Can be an Attacker:

The tools required to carry out such an attack can often be easily obtained, therefore an attacker requires little technical experience or skill to carry out his criminal activities.


Data is a Valuable Commodity:

Attackers can monetise many types of stolen data and therefore seek information such as online banking credentials, Bitcoin wallets and other sensitive data that can be used in identity fraud.


Safety Considerations:

 


DOs

 

  • Use a virtual private network (VPN) to keep your data encrypted in transit. VPNs are quick and easy to use while providing you with privacy and safety.
  • Enable your firewall.
  • Look out for HTTPS in your browser bar: this indicates that SSL encryption is active and your communication is more likely to be secure.
  • Turn off the automatic connection feature within the Wi-Fi settings to prevent your device from connecting to public or open Wi-Fi networks without your consent.
  • Keep your software patched and updated.
  • Use anti-virus software and ensure it is up to date.

 


DON’Ts

 

  • Assume that a Wi-Fi network with a trustworthy SSID is genuine.
  • Share sensitive or personal data over a public Wi-Fi network unless you are sure the connection is secure, i.e. encrypted via HTTPS or a VPN.

 



Deep-pwning | Metasploit for machine learning

Category : Blog


Deep-pwning is a lightweight framework for experimenting with machine learning models with the goal of evaluating their robustness against a motivated adversary.

Note that deep-pwning in its current state is nowhere close to maturity or completion. It is meant to be experimented with, expanded upon, and extended by you. Only then can we help it truly become the go-to penetration testing toolkit for statistical machine learning models.


Structure:

Researchers have found that it is surprisingly trivial to trick a machine learning model (classifier, clusterer, regressor, etc.) into making an objectively wrong decision. This field of research is called Adversarial Machine Learning. It is not hyperbole to claim that any motivated attacker can bypass any machine learning system, given enough information and time. However, this issue is often overlooked when architects and engineers design and build machine learning systems. The consequences are worrying when these systems are put into use in critical scenarios, such as in the medical, transportation, financial, or security-related fields.

Hence, when one is evaluating the efficacy of applications using machine learning, their malleability in an adversarial setting should be measured alongside the system’s precision and recall.


This framework is built on top of Tensorflow, and many of the included examples in this repository are modified Tensorflow examples obtained from the Tensorflow GitHub repository.

All of the included examples and code implement deep neural networks, but they can be used to generate adversarial images for similarly tasked classifiers that are not implemented with deep neural networks. This is because of the phenomenon of ‘transferability’ in machine learning, which Papernot et al. expounded upon expertly in this paper. It means that adversarial samples crafted with a DNN model A may be able to fool another distinctly structured DNN model B, as well as some other SVM model C.


Components:

Deep-pwning is modularized into several components to minimize code repetition. Because of the vastly different nature of potential classification tasks, the current iteration of the code is optimized for classifying images and phrases (using word vectors).

These are the code modules that make up the current iteration of Deep-pwning:

  1. Drivers: The drivers are the main execution point of the code. This is where you tie the different modules and components together, and where you can inject more customizations into the adversarial generation process.
  2. Models: This is where the actual machine learning model implementations are located. For example, the provided lenet5 model definition is located in the model() function within lenet5.py.



Malware | Trojans & Keyloggers | ICSS Student |Gopal Roy

Category : Blog


Malware means malicious software. In fact, it has been a problem for ages. It is basically a program designed to infect a computer without the owner’s knowledge.


Types of Malware

Malware exists in many forms. Some common types of malware that one needs to keep track of are:

  1. Trojan Horse: A Trojan virus or Trojan horse is a common type of malware. It is mostly used to control the victimized computer rather than infect or destroy files on it. A Trojan horse, once installed on the victim’s system, can give the hacker complete access to the victim’s computer. Trojans are among the most dangerous forms of malware.


2. Computer Virus: A computer virus is a malicious program, which is mostly developed to infect a computer. Once it infects a computer, it replicates itself. A virus needs another host to which it can attach in order to infect a computer.


3. Worms: Worms are very similar to computer viruses. The only difference is that a worm does not require another host to attach to in order to infect a computer. Once a worm infects a computer, it replicates itself. Computer worms are major threats to large networks.


4. Keyloggers: A keylogger is a hardware or software device which monitors every keystroke typed on a computer, along with screenshots, chats, etc. A keylogger program does not require physical access to the user’s computer. Any person with basic knowledge of computers can use a keylogger.


5. Adware: Adware stands for Advertisement-supported Software. Adware is commonly designed to display advertisements on a computer. However, some adware may contain harmful viruses and spying programs, which can harm the computer system.


After understanding malware, its types and its functions, let us learn about keyloggers in detail.

Keyloggers:

Keyloggers are of two Types:

  • Hardware keylogger
  • Software keylogger

A hardware keylogger is used for keystroke logging. It is plugged between the keyboard plug and the USB or PS/2 port socket, and it works with both PS/2 and USB keyboards. It looks similar to a normal USB drive or any other computer peripheral, so the victim never suspects that it is a keylogger. A hardware keylogger has inbuilt memory, which stores the typed keystrokes.

Figures: 1. Hardware keyloggers; 2. PS/2 keylogger; 3. USB keylogger.


Keygrabber – Best Hardware Keylogger

Keygrabber is one of the best and most popular hardware keyloggers across the globe. This is primarily because of its large storage capacity. The Keygrabber keystroke recorder comes in a standard version (4 MB memory capacity, 2,000,000 keystrokes, over 1,000 pages of text) and a Venom version (2 billion keystrokes, over 1 million pages of text), organized into an advanced flash FAT file system. It is compatible with all three operating systems, i.e., Windows, Linux and Mac OS.


Features of hardware keylogger:

  • Observes WWW, e-mail and chat usage by children and employees
  • Monitors employee productivity
  • Protects children from online hazards and predators
  • Saves a copy of the typed text
  • Records all keystrokes, even Facebook passwords
  • Huge memory capacity, organized as an advanced flash FAT system


Software Keyloggers:

The hardware keylogger is useful only if you have physical access to the victim’s computer. However, if you don’t, or if by any chance the victim notices it and learns about your intention, it is then that the software keylogger comes into the picture.


Software keylogger can also be classified into two types:

  • Local keylogger
  • Remote keylogger

Local keylogger: Local keyloggers are used to monitor a local computer (even your own PC). They are easy to install and are completely undetectable. However, once installed on the computer, they become really difficult to find. This is because the keylogger hides itself from the Task Manager, the Windows Registry, etc.

Whenever you want to see the logs, screenshots, etc., press a shortcut key (for example, Shift+Ctrl+F10).

There are hundreds of keyloggers available nowadays. However, only some of them are user-friendly and actually capable of hiding themselves once they are installed.


Some popular local keyloggers are:

  • Spy Agent
  • Refog Keylogger

Spy Agent:

Spy Agent is an award-winning software which is used to monitor both local and remote computers. It invisibly monitors all computer usage and Internet activities. SpyAgent’s logging capabilities are unmatched. Spy Agent can log anything from what the users type, to the files they print and the programs they run, all time-stamped by date for easy viewing. All logs are easily saved and exported for later use. SpyAgent can be configured to log all users on your computer with ease. SpyAgent monitors and logs both sides of all chat conversations made on chat clients (supported clients include the latest versions of AOL, AOL Instant Messenger, MSN Messenger, ICQ Pro and ICQ Lite).


Features of the Spy Agent keylogger. It records:

  • Keystroke monitoring
  • Internet connections
  • Internet conversations
  • Website activity
  • E-mails sent and received
  • Files/documents accessed and printed
  • Windows activity
  • Application usage
  • Screenshot capturing
  • Clipboard logging
  • Events logging
  • Activity logging

Refog is extremely powerful and has a very low antivirus detection rate. It is one of the leading remote password-hacking software packages, combined with Remote Install and Remote Viewing features. Once installed on the remote PC(s), the user only needs to log in to his/her personal Refog account to view activity logs of the remote PC. This means that the user can view logs of the remote PC from anywhere in the world, as long as he/she has Internet access.


Features of Refog Keylogger are as follows:

  1. Keystroke recording: Once installed and running, Refog registers all keys pressed by the user, thus acting as a keylogger. This function captures all data that has been entered using the keyboard, including chats, usernames, passwords, e-mail, search queries and other content. In addition to key logging, Refog is also able to log clipboard text.
  2. Web history logging: Even if users delete their browser history, the information is retained in Refog’s log database and is always available via the reports function. All relevant information can be collected, including URLs visited, page titles, etc.
  3. Application monitoring: Since Refog can record all programs executed on a PC, it is possible to establish whether a child is playing games instead of doing homework or an employee is wasting time, from anywhere in the world.


Remote Keylogger:

Remote keyloggers are used for the purpose of monitoring a remote PC. Once a remote keylogger is installed on your computer, the attacker can get your keystrokes, webcam shots, chat logs, etc., sitting in any part of the world.

You can find tons of remote keyloggers on the web, but lots of them are either not capable of properly recording keystrokes or have a high antivirus detection rate. One keylogger worth the price is Win Spy.


Winspy Keylogger:

WinSpy Software is a complete stealth monitoring software that monitors both your local PC and a remote PC. It includes remote install and a real-time remote PC viewer. Win Spy software will capture anything the user sees or types on the keyboard.


Features:

  • Remote screen capture
  • Remote monitoring
  • Remote PC browser
  • Notifies when the user is online
  • Remote sound listening/recording
  • Remote camera view/recording
  • Remote file launch
  • Dual-side chat recording
  • Remote shutdown
  • Remote FTP
  • Webcam motion detection
  • Web access to the remote PC
  • SMS intruder alert
  • Works behind a firewall


RAT (TROJANS):

RAT or ‘Remote Administration Tool’ is one of the most dangerous types of malware. It is very similar to a Trojan. Once a RAT is installed on a computer, the attacker can do almost anything on the remote computer, such as installing a keylogger, shutting down the computer, infecting files, uploading and downloading files, etc. If this is successful, the Trojan can operate with increased privileges and go about installing other malicious code. If the user has administrative access to the operating system, the Trojan can do anything that an administrator can.

A compromise of any system on a network may have consequences for other systems on the network. Particularly vulnerable are systems that transmit authentication material, such as passwords, over shared networks in clear text or in a trivially encrypted form, which is very common. If a system on such a network is compromised via a Trojan (or another method), the intruder may be able to record usernames and passwords or other sensitive information as it navigates through the network.

Some common types of RATs are:

  • ProRat
  • Lost Door

 


FUNCTION:

Trojans work similarly to the client-server model. A Trojan comes in two parts, a client part and a server part. The attacker deploys the client to connect to the server, which runs on the remote machine once the remote user (unknowingly) executes the Trojan on that machine. The typical protocol used by most Trojans is TCP/IP; however, some functions of the Trojans may make use of the UDP protocol as well.

When the server is activated on the remote computer, it will try to remain in stealth mode or simply stay hidden. This is configurable; for example, in the Back Orifice Trojan, the server can be configured to remain in stealth mode and hide its processes. Once activated, the server starts to listen on default or configured ports for incoming connections from the attacker. It is usual for Trojans to also modify the registry and/or use some other auto-starting method.


Most Trojans use auto-starting methods so that the server is restarted every time the remote machine reboots/starts, which in turn also notifies the attacker. As these features are being countered, new auto-starting methods are evolving. The startup methods range from associating the Trojan with certain common executable files such as explorer.exe to the known methods of modifying the system files or the Windows Registry. Some of the popular system files targeted by Trojans are the Autostart folder, Win.ini, System.ini, Wininit.ini, Winstart.bat, Autoexec.bat and Config.sys.

Now, after getting a clear idea about RATs (Trojans), let us see how a Trojan can even be used to hack into a system.


ProRat:

ProRat is a powerful remote administration tool (RAT) based on a backdoor Trojan. It opens a port on the infected system, which allows the client to perform various operations on the infected computer. ProRat cannot connect to users over WANs (Wide Area Networks). It can connect only over LANs (Local Area Networks). However, once ProRat is installed, it is almost impossible to remove it without up-to-date antivirus software.

The following procedure is usually followed by a hacker to take control of the victim’s computer using ProRat. It also discusses some of the functions which can be performed with the help of this Trojan. Here the author uses the term ‘you’ for the hacker.



Pentmenu: a bash script for recon and DOS attacks

Category : Blog


Pentmenu is a bash script inspired by pentbox. It is designed to be a simple way to implement various network pentesting functions, including network attacks, using, wherever possible, readily available software commonly installed on most Linux distributions, without having to resort to multiple specialist tools.

Requirements for Pentmenu:

  • bash
  • sudo
  • curl
  • netcat (must support ‘-k’ option, openbsd variant recommended)
  • hping3 (or nping can be used as a substitute for flood attacks)
  • openssl
  • stunnel
  • nmap
  • whois (not essential but preferred)
  • nslookup (or ‘host’)
  • ike-scan

Module detail:

Recon Modules:

Show IP – uses curl to perform a lookup of your external IP. Runs ip a or ifconfig (as appropriate) to show local interface IPs.

DNS Recon – passive recon, performs a DNS lookup (forward or reverse, as appropriate for the target input) and a whois lookup of the target. If whois is not available it will perform a lookup against ipinfo.io (only works for IPs, not hostnames).

DoS Modules:

  • ICMP Echo Flood – uses hping3 to launch a traditional ICMP Echo flood against the target. On a modern system you are unlikely to achieve much, but it is useful to test against firewalls to observe their behaviour. Use 'Ctrl C' to end the flood. The source address of flood packets is configurable.
  • ICMP Blacknurse Flood – uses hping to launch an ICMP flood against the target. ICMP packets are of type “Destination Unreachable, Port Unreachable”. This attack can cause high CPU usage on many systems. Use ‘Ctrl C’ to end the attack. See http://blacknurse.dk/ for more information. The source address of flood packets is configurable.
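Both flood modules are meant for observing how a firewall you operate reacts; the matching defensive half is spotting such floods in your own telemetry. The following is an added example, not part of Pentmenu, that rates ICMP packets per source, type and code in one-second windows and raises an alert when a window exceeds a threshold. The packet tuples are constructed sample metadata (the shape a capture parser would hand you, not real traffic), and the thresholds are assumptions for the demo.

```python
"""Rate-based ICMP flood detector over constructed packet metadata (added example)."""
from collections import defaultdict

# Constructed sample: (timestamp_s, src_ip, icmp_type, icmp_code).
# 500 type 3/code 3 (Destination Unreachable, Port Unreachable) packets in
# half a second from one source, plus a slow, benign trickle of echo requests.
PACKETS = [(i * 0.001, "203.0.113.7", 3, 3) for i in range(500)] + \
          [(i * 0.5, "198.51.100.2", 8, 0) for i in range(10)]

WINDOW_S = 1.0
# Assumed per-window thresholds; tune to the link and host being protected.
THRESHOLDS = {
    (8, 0): 200,   # echo request: classic ICMP echo flood
    (3, 3): 100,   # dest-unreachable/port-unreachable: Blacknurse-style flood
}


def icmp_rates(packets, window=WINDOW_S):
    """Count ICMP packets per (src, type, code) in each fixed time window."""
    counts = defaultdict(int)
    for ts, src, icmp_type, icmp_code in packets:
        counts[(src, icmp_type, icmp_code, int(ts // window))] += 1
    return counts


def flood_alerts(packets, thresholds=THRESHOLDS, window=WINDOW_S):
    """Return one alert dict per (source, type, code, window) above its threshold."""
    alerts = []
    for (src, icmp_type, icmp_code, bucket), n in sorted(icmp_rates(packets, window).items()):
        limit = thresholds.get((icmp_type, icmp_code))
        if limit is not None and n > limit:
            kind = "blacknurse-style" if (icmp_type, icmp_code) == (3, 3) else "echo-flood"
            alerts.append({"src": src, "type": icmp_type, "code": icmp_code,
                           "window": bucket, "pps": n, "kind": kind})
    return alerts


if __name__ == "__main__":
    for alert in flood_alerts(PACKETS):
        print(f"{alert['kind']}: {alert['pps']} pkt/s from {alert['src']} "
              f"(type {alert['type']}, code {alert['code']}, window {alert['window']})")
```

Because the source address of Pentmenu's flood packets is configurable, a per-source count alone can be evaded by spoofing; in production, add a second counter keyed on (type, code) only, so a flood spread across many forged sources still trips the threshold.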

Extraction Modules:

Send File – this module uses netcat to send data over TCP or UDP. It can be extremely useful for extracting data. MD5 and SHA-512 checksums are calculated and displayed prior to sending the file. The file can be sent to a server of your choice; the Listener module is designed to receive these files.

Listener – uses netcat to open a listener on a configurable TCP or UDP port. This can be useful for testing syslog connectivity, receiving files or checking for active scanning on the network.

AWS S3 Security Scanning Tool | AWSBucketDump

Category : Blog

AWS launched in 2006 from the internal infrastructure that Amazon.com built to handle its online retail operations. AWS was one of the first companies to introduce a pay-as-you-go cloud computing model that scales to provide users with compute, storage or throughput as needed.

Amazon Web Services provides services from dozens of data centers spread across availability zones (AZs) in regions across the world. An AZ represents a location that typically contains multiple physical data centers, while a region is a collection of AZs in geographic proximity connected by low-latency network links. An AWS customer can spin up virtual machines (VMs) and replicate data in different AZs to achieve a highly reliable infrastructure that is resistant to failures of individual servers or an entire data center.

AWSBucketDump

AWSBucketDump is an AWS S3 Security Tool, which allows you to quickly enumerate AWS S3 buckets to look for interesting or confidential files. It’s similar to a subdomain brute-forcing tool but is made specifically for S3 buckets and also has some extra features that allow you to grep for delicious files as well as download interesting files if you’re not afraid to quickly fill up your hard drive.

This is a tool that enumerates Amazon S3 buckets and looks for interesting files.

How To Fix AWS

AWS Simple Storage Service (often shortened to S3) is used by companies that don't want to build and maintain their own storage repositories. By using Amazon Simple Storage Service, they can store objects and files on a virtual server instead of on physical racks; in simple terms, the service is basically "a Dropbox for IT and tech teams". After the user has created their bucket, they can start storing their source code, certificates, passwords, content, databases and other data. While AWS promises safely stored data and secure uploads and downloads, the security community has for a long time pointed out severe misconfigurations.
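The misconfiguration that makes a bucket enumerable by a tool like AWSBucketDump is usually a grant to the predefined AllUsers or AuthenticatedUsers group in the bucket ACL. The following is an added example, not part of AWSBucketDump or any AWS SDK, that parses the XML an S3 GetBucketAcl response carries and reports such grants with a severity. The ACL document is a constructed sample (the owner ID is a placeholder); the namespace and group URIs are the ones S3 actually uses, and the severity mapping is an assumption of mine.

```python
"""Audit an S3 bucket ACL for public grants (added example; stdlib only)."""
import xml.etree.ElementTree as ET

# Namespace used in S3 GetBucketAcl responses.
S3_NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}

# Predefined S3 groups whose presence in a grant makes the bucket public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

# Constructed sample ACL: the owner keeps FULL_CONTROL, and a second grant
# gives READ (object listing) to everyone on the internet.
SAMPLE_ACL = """<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Owner><ID>OWNER-ID-PLACEHOLDER</ID><DisplayName>owner</DisplayName></Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>OWNER-ID-PLACEHOLDER</ID>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
        <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
      </Grantee>
      <Permission>READ</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>"""


def public_grants(acl_xml):
    """Return (group_name, permission) for every grant made to a public S3 group."""
    root = ET.fromstring(acl_xml)
    found = []
    for grant in root.findall(".//s3:Grant", S3_NS):
        uri = grant.findtext("s3:Grantee/s3:URI", default="", namespaces=S3_NS)
        perm = grant.findtext("s3:Permission", default="", namespaces=S3_NS)
        if uri in PUBLIC_GROUPS:
            found.append((PUBLIC_GROUPS[uri], perm))
    return found


def acl_findings(acl_xml):
    """Rate each public grant: write-class permissions critical, read-class high."""
    findings = []
    for group, perm in public_grants(acl_xml):
        if perm in ("WRITE", "WRITE_ACP", "FULL_CONTROL"):
            severity = "critical"
        elif perm in ("READ", "READ_ACP"):
            severity = "high"
        else:
            severity = "info"
        findings.append({"group": group, "permission": perm, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in acl_findings(SAMPLE_ACL):
        print(f"{finding['severity'].upper()}: {finding['group']} "
              f"has {finding['permission']} on the bucket")
```

In practice the input is the body of a GetBucketAcl call made with your own credentials; a READ grant to AllUsers is exactly what lets an anonymous client list the bucket, so the fix is to remove that grant and, for the whole account, turn on S3 Block Public Access so it cannot be reintroduced.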

AWSBucketDump S3 Security Tool Requirements:

Non-Standard Python Libraries (created with Python 3.6):

  • xmltodict
  • requests
  • argparse

Usage:

usage: AWSBucketDump.py [-h] [-D] [-t THREADS] -l HOSTLIST [-g GREPWORDS] [-m MAXSIZE]

optional arguments:
  -h, --help    show this help message and exit
  -D            Download files. This requires significant disk space
  -d            If set to 1 or True, create directories for each host w/ results
  -t THREADS    number of threads
  -l HOSTLIST
  -g GREPWORDS  Provide a wordlist to grep for
  -m MAXSIZE    Maximum file size to download.

Example invocation:

python AWSBucketDump.py -l BucketNames.txt -g interesting_Keywords.txt -D -m 500000 -d 1

Sandiflux: Another botnet using Fast Flux technology has emerged

Category : Blog

SandiFlux is a newly identified Fast Flux infrastructure. Attackers have started using Fast Flux infrastructure in the wild to hide malicious activities such as malware distribution and phishing campaigns.

Fast Flux is a technique in which many IP addresses are assigned to the same domain name and are rotated rapidly through frequent DNS record changes.

Security researchers from Proofpoint identified a new Fast Flux infrastructure, dubbed SandiFlux, that is used to distribute malware and acts as a proxy for GandCrab ransomware.

Starting in December, the researchers observed new Fast Flux domain nodes and decided to monitor them separately, alongside some events from DarkCloud. Threat actors have also moved from DarkCloud to SandiFlux.
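What makes Fast Flux visible to a defender is the pattern in its DNS answers: many distinct addresses for one name, spread across unrelated networks, each with a short TTL. The following is an added example, not Proofpoint's method, that scores passive-DNS-style observations on those three indicators. The observations are constructed from documentation address ranges (not data from the report), /24 prefixes stand in for ASN diversity because no routing data is embedded, and the thresholds are assumptions chosen for the demo.

```python
"""Heuristic fast-flux scoring over passive-DNS-style answers (added example)."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed observations: (domain, answer_ip, ttl_seconds). Documentation
# ranges only; not data from the Proofpoint report.
OBSERVATIONS = [
    ("flux.example", "192.0.2.5", 180),
    ("flux.example", "192.0.2.77", 180),
    ("flux.example", "198.51.100.10", 180),
    ("flux.example", "198.51.100.200", 180),
    ("flux.example", "203.0.113.22", 180),
    ("flux.example", "203.0.113.99", 180),
    ("static.example", "192.0.2.1", 3600),
    ("static.example", "192.0.2.1", 3600),
]

# Assumed thresholds for this demo: many distinct answers, spread across
# several networks, each with a TTL short enough to rotate quickly.
MIN_IPS = 5
MIN_NETS = 3
MAX_TTL = 300


def summarize(observations):
    """Collect distinct answers, distinct /24 networks and minimum TTL per domain."""
    per_domain = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None})
    for domain, ip, ttl in observations:
        entry = per_domain[domain]
        entry["ips"].add(ip)
        entry["nets"].add(str(ip_network(f"{ip}/24", strict=False)))
        entry["min_ttl"] = ttl if entry["min_ttl"] is None else min(entry["min_ttl"], ttl)
    return per_domain


def flux_score(entry):
    """0..3: one point per fast-flux indicator present in the summary."""
    score = 0
    if len(entry["ips"]) >= MIN_IPS:
        score += 1
    if len(entry["nets"]) >= MIN_NETS:
        score += 1
    if entry["min_ttl"] is not None and entry["min_ttl"] <= MAX_TTL:
        score += 1
    return score


def classify(observations, threshold=3):
    """Map each domain to 'fast-flux' or 'stable' using the score threshold."""
    return {
        domain: ("fast-flux" if flux_score(entry) >= threshold else "stable")
        for domain, entry in summarize(observations).items()
    }


if __name__ == "__main__":
    summary = summarize(OBSERVATIONS)
    for domain, verdict in classify(OBSERVATIONS).items():
        print(f"{domain}: {verdict} (score {flux_score(summary[domain])})")
```

Large CDNs also answer with many addresses and short TTLs, so a score of 3 is a triage signal rather than a verdict; replacing the /24 check with ASN lookups and adding a known-CDN allowlist are the usual next steps.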

Proofpoint said that their findings come from long-term observations of the DarkCloud botnet. DarkCloud has been using Fast Flux technology since 2014. Most of the infected computers that make up DarkCloud are concentrated in Ukraine and Russia (77.4% and 14.5%, respectively).

Unlike DarkCloud, SandiFlux nodes are concentrated in Romania and Bulgaria (46.4% and 21.3%, respectively), with smaller numbers elsewhere in Europe, Africa, the Middle East and southern Asia.

Similar services as SandiFlux:

Similar services are offered by the operators of Dark Cloud, also known as Fluxxy, a multi-purpose botnet whose activity Proofpoint has monitored since 2014. This infrastructure allows its customers to quickly and automatically change IP addresses, domains and even DNS servers to extend the life of fraudulent sites, malicious sites and C&C servers.

Dark Cloud is widely used by carders, exploit kit operators, authors of malvertising campaigns, spammers, phishers, botnet herders and malware operators, for example those behind the Furtim downloader, also known as SFG.

Now, according to Proofpoint, some of these intruders have begun to migrate to SandiFlux. In February the new infrastructure was tested by the distributor of zloader, the malicious-campaign operator the researchers conventionally call TA547. In November, according to observations, this attacker had used the Dark Cloud infrastructure.

Conclusion:

Fast Flux DNS has proved to be a powerful tool for threat actors looking to hide dark web sites, malicious infrastructure, and other web-based operations from researchers and law enforcement. While DarkCloud/Fluxxy is the best documented, a new Fast Flux botnet has emerged with nodes of compromised hosts distributed much more widely. It is likely that both DarkCloud and SandiFlux are operated by the same actor, who rents capabilities to other actors. GandCrab ransomware in particular now has its command and control proxied behind SandiFlux, although a number of other actors we track are making use of the infrastructure to mask their operations. While direct effects on compromised hosts include performance and bandwidth degradation, the more significant global impact is increased capacity for providing Fast Flux DNS to threat actors.

Streamalert: Serverless, Realtime Data Analysis Framework

Category : Blog

StreamAlert is a serverless, real-time data analysis and alerting framework which empowers you to ingest, analyze, and alert on data from any environment, using data sources and alerting logic you define.

Airbnb needed a product that empowered both engineers and administrators to ingest, analyze, and alert on data in real-time from their respective environments.

Features of Streamalert:

  • Deployment is automated: simple, safe and repeatable for any AWS account
  • Easily scalable from megabytes to terabytes per day
  • Infrastructure maintenance is minimal, no devops expertise required
  • Infrastructure security is a default, no security expertise required
  • Supports data from different environments (ex: IT, PCI, Engineering)
  • Supports data from different environment types (ex: Cloud, Datacenter, Office)
  • Supports different types of data (ex: JSON, CSV, Key-Value, or Syslog)
  • Supports different use-cases like security, infrastructure, compliance and more

Benefits:

As partially outlined above, StreamAlert has some unique benefits:

  • Serverless — StreamAlert utilizes AWS Lambda, which means you don’t have to manage, patch or harden any new servers
  • Scalable — StreamAlert utilizes AWS Kinesis Streams, which will “scale from megabytes to terabytes per hour and from thousands to millions of PUT records per second”
  • Automated — StreamAlert utilizes Terraform, which means infrastructure and supporting services are represented as code and deployed via automation
  • Secure — StreamAlert uses secure transport (TLS), performs data analysis in a container/sandbox, segments data per your defined environments, and uses role-based access control (RBAC)
  • Open Source — Anyone can use or contribute to StreamAlert

StreamAlert utilizes the following services:

  • AWS Kinesis Streams — Datastream; AWS Lambda polls this stream (stream-based model)
  • AWS Kinesis Firehose — Loads streaming data into S3 long-term data storage
  • AWS Lambda (Python) — Data analysis and alerting
  • AWS SNS — Alert queue
  • AWS S3 — Optional datasources, long-term data storage, & long-term alert storage
  • AWS Cloudwatch — Infrastructure metrics
  • AWS KMS — Encryption and decryption of application secrets
  • AWS IAM — Role-based Access Control (RBAC)

If you’re not an AWS customer, StreamAlert can support data such as:

  • Host Logs (e.g. Syslog, osquery, auditd)
  • Network Logs (e.g. Palo Alto Networks, Cisco)
  • Web Application Logs (e.g. Apache, nginx)
  • SaaS providers (e.g. Box, OneLogin)

It should be noted that StreamAlert is not intended for analytics, metrics or time series use-cases. There are many great open source and commercial offerings in this space, including but not limited to Prometheus, DataDog and NewRelic.

Concluding Thoughts:

Open source has allowed us, as a community, to share, collaborate, and iterate on common needs and goals. Now, with the ability to represent infrastructure as code, this goal can be further realized with reduced costs for both development and deployment.

We hope StreamAlert serves as an example of this, making deployment simple, repeatable and safe so that anyone can use it easily.

GScript: Scriptable dynamic runtime execution of malware

Category : Blog

GScript (Genesis Scripting Engine)

Genesis Scripting (gscript for short) is a technology I’ve developed to enable more intelligent malware stagers. Typically, stagers are pretty dumb. Most stagers are unique to the malware they deploy and do not allow for “bundling” of multiple payloads. Sophisticated attackers do in fact bundle their payloads, which makes runtime uncertainty even more assured.

GScript changes that. GScript allows for dynamic execution logic per payload. This is achieved by a modified JavaScript runtime that is statically embedded in the final stager binary. This runtime/virtual machine runs "hook" functions that you've defined in your script, checking to ensure the script wishes to proceed after each hook.

GScript has significant benefits over traditional tactics:

Scripts are far more "sandboxed" from each other. If you're bundling 10 payloads and 1 of them has a syntax error in its script, with gscript only that script's VM dies, not the entire program.

GScript’s VM, while sandboxed, has native hooks injected into it. This allows the VM to interact with things outside of the VM (filesystem, network, registry, etc.).

These functions are, by and large, completely cross-platform. This allows someone to learn only GScript to write scripts, without having to learn a different programming language.

Execution is also parallelized using the very effective goroutine paradigm, resulting in much faster execution of stagers with multiple payloads.

This development process is incredibly efficient with our gscript CLI utility.

Compiler

The compiler is what translates your gscripts and their assets into a finalized binary. Some features of the compiler:

  • Support native binary compilation for all major operating systems: Windows, Linux, OS X
  • Can support large numbers of scripts and assets into a single executable.
  • Built-in lossless compression and obfuscation of both scripts and embedded assets.
  • VERY FAST. Compilation times generally less than 5 seconds.
  • Post compilation obfuscation to remove references to the library.
  • Defaults to a null logger for the final binary (no output ever!), but can be overridden to inject a development logger into the final binary for testing.

VM Engine

The final binary contains the gscript engine with all scripts and their imported assets. It will initialize VMs, one for each script, and execute them generally in parallel (there are priority overrides, but more on that below!).

The VMs cannot interact with one another and errors in one VM will be gracefully handled by the engine. This prohibits one VM from causing instability or fatal errors preventing other scripts from executing.

The Engine has been designed to be lean and free from bloated imports. It’s come a long way, but there will be more improvements here in the future as well.
