EvilZone
General discussion - posted by blindfuzzy, November 29, 2015, 11:48:03 PM
-
I have set up a channel in IRC, #security, in the hopes to promote discussion on security related topics: application security, web security, etc. Various discussion topics can be covered. I am making this a weekly thing. A day and a time have not been set yet, so I am open to any suggestions regarding this (i.e. the best fit for everyone's schedule).
Possible topics include:
Tool Discussion- New tools are being made all the time. I do my best to stay up on them and how they can be used in various security related testing/exploitation.
Security Testing Methodology
Advanced Persistent Threats
Discussion on various security white papers
Security exam discussion
Lessons learned
Skills desired/Career related information
Digital forensic topics
The list can go on but you guys get the point. I just want to promote an environment where we can discuss this on a weekly basis.
Ez.Sec.Meet Streaming:
Meeting #2 - Appuse
https://www.youtube.com/watch?v=49v06n9bZKs
Meeting #4 - Intro Malware
https://www.youtube.com/watch?v=xjE-ppTojhA
Meeting #6 or 7? lol - Tools are tools and I don't mean that in a good way.
https://www.youtube.com/watch?v=kPFTv5NvZb0
Meeting #7- Fucking up Dridex
https://youtu.be/pkRpWjMAYN4
(Thanks to Abyss for recording this session)
Meeting #8 02.17.2016
Topic: Apple vs FBI
https://www.youtube.com/watch?v=u-36WSkzlp4
-
I have set up a channel in IRC, #security, in the hopes to promote discussion on security related topics: application security, web security, etc. Various discussion topics can be covered. I am making this a weekly thing. A day and a time have not been set yet, so I am open to any suggestions regarding this (i.e. the best fit for everyone's schedule).
Possible topics include:
Tool Discussion- New tools are being made all the time. I do my best to stay up on them and how they can be used in various security related testing/exploitation.
Security Testing Methodology
Advanced Persistent Threats
Discussion on various security white papers
Security exam discussion
Lessons learned
Skills desired/Career related information
The list can go on but you guys get the point. I just want to promote an environment where we can discuss this on a weekly basis.
That's interesting, do you feel dissatisfied with the discussion in #Evilzone? xD lol
On a more serious note, that's pretty cool. I actually just looked around and realized that there isn't really any other channel for actual security-related talk. (Well, anyone could talk about security, but they just don't.) Anyhow, thanks for that, I guess I'll hang around the channel in hopes of learning something from all you smart folk : P
-
Yea just need some more folks to chime in on a good day and time to get it going. I am not opposed to holding it twice a week to fit into everyone's schedule.
-
pretty neat idea
-
That's a great idea, I was surprised when I saw a coding channel but not a dedicated security one. That solves that, you'll see me in there :)
-
What's everyone's take on a day/time? I was leaning toward Wednesdays @1700 UTC
-
I would like to be a fly on the wall and learn and contribute if i can. But very limited on knowledge at this point
-
What's everyone's take on a day/time? I was leaning toward Wednesdays @1700 UTC
Sounds fine to me, I'll be in the channel whenever I'm on IRC,
so if it happens when I'm there, "yeppie"!
-
I can be available Wednesday at 1700 UTC, albeit at work I'm usually on IRC anyways
-
Very interested, great idea to have just a security IRC. I'll be there!
-
Wednesday @ 1700 UTC
Topic: Mobile Application Testing Methodology
*I will use this thread to post topic updates, which will be posted every Monday. Any schedule changes will also be noted as sometimes I have to work at a client(s) site.*
-
I can't get my IRC client to work on my phone :/ would love to join. Bummed out
Sent from my iPhone using Tapatalk
-
I can't get my IRC client to work on my phone :/ would love to join. Bummed out
Sent from my iPhone using Tapatalk
Use colloquy like a real iPhone user
-
Next Week's Agenda: Watch and follow along as I exploit the Android Application
Screenshare/conference call will be set up. Everyone will be able to talk and I can talk my way through as I'm doing the app testing.
If you are going to follow along I recommend getting the AppUse vm. I will be using that during the testing and exploitation along with drozer, which is open-source and can be found here: https://github.com/mwrlabs/drozer
-
What's everyone's take on a day/time? I was leaning toward Wednesdays @1700 UTC
Sounds neat man.... My preference would be something around 0300-0900 UTC... Or anytime on the weekends.
-
Sounds neat man.... My preference would be something around 0300-0900 UTC... Or anytime on the weekends.
We spoke on this in irc but I just want to let everyone know that Sunday will most likely be the day for the weekend. Haven't figured out a time. Ummm this will most likely NOT start this Sunday as I have my kid.
-
Next Week's Agenda: Watch and follow along as I exploit the Android Application
Screenshare/conference call will be set up. Everyone will be able to talk and I can talk my way through as I'm doing the app testing.
If you are going to follow along I recommend getting the AppUse vm. I will be using that during the testing and exploitation along with drozer, which is open-source and can be found here: https://github.com/mwrlabs/drozer
Just getting this here on page 2 for everyone to see. Sundays will start next week.
-
So, this week's meeting all but failed. I didn't really get to exploit the app but I did cover AppUse and various other subjects. I've been short on time this week.
What we established from this "live" run:
- We will be using Google Hangouts to run screenshare
- I need to get everything in one spot
I have data all over the place. My fault as I ran out of time to get everything set up. A blog is going to be set up also for videos and chat logs of the weekly meetings. This one just sucked and I want to apologize to everyone that was there for that.
-
So, this week's meeting all but failed. I didn't really get to exploit the app but I did cover AppUse and various other subjects. I've been short on time this week.
What we established from this "live" run:
- We will be using Google Hangouts to run screenshare
- I need to get everything in one spot
I have data all over the place. My fault as I ran out of time to get everything set up. A blog is going to be set up also for videos and chat logs of the weekly meetings. This one just sucked and I want to apologize to everyone that was there for that.
Here is the screen recording, please ignore any hangout messages and the grey boxes covering them. Next meeting I hope to have a dedicated machine for recording so I won't need to spend time editing out shit.
Security Meeting 2 - Appuse.mp4 (http://upload.evilzone.org?page=download&file=Y0wd8dDsCnWNPZz7SL3bdvykyrckBTY9NHhBK1DuT8x2hbW0uj)
BTW - sorry about that, was trying to record sound but also not trying to have people at work hear the voice in the box, I kinda screwed myself by reducing the vol. My bad.
VLC - Volume raise 150%
Ez.Sec.Meet Streaming:
Meeting #2 - Appuse
https://www.youtube.com/watch?v=49v06n9bZKs
Meeting #4 - Intro Malware
https://www.youtube.com/watch?v=xjE-ppTojhA
-
Thanks OE for being the go to video guy. I appreciate you getting that setup and squared away. 8)
-
This is awesome, I would join the upcoming meeting
-
This is awesome, I would join the upcoming meeting
The more people the better. I like growth. ;D
-
With the holidays upon us I have decided not to have a discussion on any topic this week. Everyone enjoy the holidays!
(If you guys wanna hangout in the channel and talk about things a good topic is the Juniper backdoor)
-
Wednesdays @1700 UTC #security
This week's topic: Threat Intel and a Career Q&A. Hope to see everyone there!
-
This week's topic: Threat Intel and a Career Q&A. Hope to see everyone there!
What day and time ?
-
What day and time ?
Wednesdays @1700 UTC
-
I am currently on nights but I would love to join this weekly meeting. I go to days in about 5 weeks so I will mark this in my calendar for then and look forward to being a part of the meeting.
-V
-
This week's topic: Malware: Intro
Wednesday @ 1700 UTC in #security
I am currently on nights but I would love to join this weekly meeting. I go to days in about 5 weeks so I will mark this in my calendar for then and look forward to being a part of the meeting.
-V
See you there!
This has been bumped an hour! #security @ 1800 UTC
-
For all those who missed meeting #4 - Intro Malware:
https://www.youtube.com/watch?v=xjE-ppTojhA
-
For all those who missed meeting #4 - Intro Malware:
https://www.youtube.com/watch?v=xjE-ppTojhA
Awesome job man! Thank you!
IRC:
<Anorak> ARE WE GONNA START OR WHAT?
<blindfuzzy> sorry I forgot you weren't in there lmfao
<blindfuzzy> Macro Malware: Introduced back in the 1990’s, macro malware has been practically extinct until a recent resurgence. Malware authors are revisiting macro malware because of its sheer simplicity not only in coding it, but also in how it is distributed – the most popular way being phishing emails.
<blindfuzzy> Macro malware targets Microsoft Office applications (Word, Excel, etc.). Malicious VBA macros are used to infect anyone who opens the file, mostly with Trojan downloaders. Any application that supports the uploading/downloading of Microsoft Office documents is at risk.
<blindfuzzy> VBA is Visual Basic for Applications, a macro programming environment of the Microsoft Office Suite. It is the modern version of the BASIC programming language. It is typically used to set up macros for specific document formats that are commonly used to format text in documents. Essentially a macro is just a shortcut to a task you would otherwise have to do repeatedly.
<blindfuzzy> Starting in Office 2007, Microsoft Office has VBA macros disabled by default. This is good for security, yet macro malware is still alive and well because malware authors are using social engineering to trick users into enabling macros in malicious documents. Some enterprises also re-enable macros because their document workflows require them to run unimpeded.
<blindfuzzy> The problem lies in how simple it is to code this “macro malware”. It is no longer necessary to learn VBA as there are ready-made VBA malware templates all over the internet, which streamlines the creation of malicious documents. There are hundreds of new malware variants based on these templates since early 2015.
<blindfuzzy> Macro malware decreased in prevalence after Microsoft patched their Office Suite, and began warning users about macros included in the files they received. This functionality was implemented in Office 2007 and has been effective at preventing a significant amount of macro malware. However, a resurgence began in late 2014, when researchers at CYREN observed an outbreak of over 3.02 billion emails containing new macro malware.
<blindfuzzy> Subsequent outbreaks in December consisted of as many as 1.2 billion emails a day. The chart above only shows a small number of the newly formed macro malware in quarter one of 2015, but it gives a picture of recent macro malware growth.
<blindfuzzy> VBA malware is hardly ever self-contained, but instead acts as a “downloader”. The VBA will connect to the internet, specifically to a server that hosts a malicious .EXE, download the malicious executable and run it, all without a single prompt for a user decision.
<blindfuzzy> Now, the attackers have an executable with full malicious capabilities that will keep running in the background not only after you exit the Word document, but potentially even when their victims log out and reboot. This attack vector is becoming increasingly difficult to detect as newer VBA malware code has been seen making calls to lesser known system functions. These calls frequently turn out to be longer time-wasting loops in an attempt to avoid detection. This is achieved by slowing down the malware execution time making it hard for antivirus to detect it as malicious. Most AV's have a time period of scanning per file scanned so the AV will usually drop a file if it is taking too long to scan.
<blindfuzzy> Malware authors know that VBA is blocked within Microsoft Office by default, and overcome this obstacle by deploying social engineering tricks. They prepare the content of the documents in such a way that it would lure the recipient into enabling the execution of macros, and thus open the door for infection.
<blindfuzzy> VBA can be implemented that will actually blur out the entire contents of the document until the user enables macros, which in turn will execute the embedded macro virus.
<blindfuzzy> The user is left with no other option but to “enable macros” to view the document. A company that uploads and downloads documents or a user that unknowingly opens a file received from the all too common phishing emails becomes at risk for these types of attacks. More information on obfuscation techniques used by VBA malware authors will be covered in part two of this series.
<oe800> I don't want to redirect your lesson, but are .scr malware vba?
<Anorak> no oe800 but it can be converted and run as vba
<oe800> thnx
<blindfuzzy> In Microsoft Word, these events are tied to starting the Word application (the event could be captured with a macro procedure named AutoExec), exiting Word (AutoExit), opening a document (AutoOpen), closing a document (AutoClose), or creating a new document (AutoNew).
<blindfuzzy> Microsoft Excel has a wider selection of automatic macros, but includes similar functions, such as starting Excel (Auto_Open), exiting Excel (Auto_Close), opening a workbook (Workbook_Open), and closing a workbook (Workbook_Close). The structure of the Trojan's macro code ensures that the code is executed whenever the document is opened. Even though the code itself is not cross-application, Workbook_Open and Auto_Open could make it work in Excel.
<blindfuzzy> Most VBA malware calls the UrlDownloadToFile Windows API function to download the final payload from a hard-coded URL. The file is then saved either to the %TEMP% folder or the %APPDATA% folder, and executed using the ShellExecute function. The dropped executable was usually registered for automatic execution during system start-up in one of the registry autorun locations, such as HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
We talked a lot about SIFT workstation. You need an account with SANS to download it for free. This is the alternative: https://www.dropbox.com/s/qqbt5i6cmupl4fz/SIFT%20Workstation%203%20-%20Virtual%20Machine%20Distro%20Version.zip?dl=0
Unfortunately, I am unable to upload this through ez due to file size restrictions; it is 2.36 GB zipped.
-
I will download vm and convert to liveiso for people who would rather boot from USB or install to hdd.
Might even optimize it by removing unity and using lxde or xfce. Thanks blindfuzzy for your time and proactive approach to educate this community.
-
The front page will now include links to the recordings so you guys don't have to sift through a million posts to find them.
-
Today's Discussion:
<blindfuzzy> Let's get started with Rekall
<blindfuzzy> What is Rekall? It's an advanced memory analysis solution. Historically a fork of the Volatility memory analysis framework; most code re-written/updated. Fully open source and GPL - all commits are public. Focus on: code quality - public code reviews, performance, ease of use as a library - integrated into other tools.
* Synfer googles around
<blindfuzzy> aka it's awesome...and more specifically it's awesome for live memory analysis
<blindfuzzy> http://www.rekall-forensic.com/
<blindfuzzy> ^Synfer
<Synfer> Was on it yep
<blindfuzzy> If you weren't here last week we talked about a SANS VM SIFT Workstation
<blindfuzzy> Rekall is one of the many tools included in that VM
<Synfer> Hmhm
<blindfuzzy> Typically the process for acquiring a memory image goes like this: winpmem on malicious computer > mount memory image from winpmem into SIFT > start up Rekall and analyze
<blindfuzzy> Rekall is different from all the other memory analysis tools because it doesn't rely on guessing global values and instead focuses on exact symbol information on the analyzed system.
<blindfuzzy> Rekall holds over 200 different kernel profiles
<Synfer> :O
<blindfuzzy> Which takes guessing global values out the equation
<blindfuzzy> In turn making Rekall faster, more reliable and more accurate
<blindfuzzy> It works similar to a kernel debugger just without debugger blocking which malware can easily overwrite
<blindfuzzy> It also supports tools like Winpmem, OSXpmem, Linux pmem + LAMP tool
<blindfuzzy> Rekall has 3 user interfaces: Command line (my fav), Interactive, and a Web GUI
<blindfuzzy> Using the command line interface allows us to interactively examine data and script complex analysis
<blindfuzzy> The Web GUI is awesome too! It allows the user to annotate notes, create a "mini" report, and persistent file storage in the form of Zip files errr based on Zip files if I remember
<blindfuzzy> The output of Rekall plugins is in JSON format. Which we know is machine readable and can be exported
<blindfuzzy> I was actually able to siphon the data to a Splunk instance and analyze data further
<Synfer> Looks great, although I didn't really get interested in forensics I might have a look at it
<blindfuzzy> Getting into image formats with Rekall
<blindfuzzy> Traditionally acquisition tools (like dd) simply wrote out a RAW format image. This is by far the simplest image file format. In this format, the physical address space is written byte for byte directly into the image file.
<blindfuzzy> The nice thing about a raw image is that you don’t need any special tools to read it - every byte in the file corresponds to the same address in physical memory. Some of the earliest memory analysis tools therefore only worked on RAW images.
<blindfuzzy> There are some issues with raw images
<blindfuzzy> No ability to store sparse regions - all reserved regions must be padded in the image with zeros giving a larger image size. For example if you have 4GB of RAM, there will be about 1GB PCI hole reserved for DMA (e.g. video cards), so the RAW image is actually 5GB in size.
<blindfuzzy> No support for compression, encryption etc. This is a problem because sometimes using a fast compressor can actually produce higher throughput by minimizing IO.
<blindfuzzy> No support for additional metadata. This is required for the acquisition tool to tell us these critical constants we need for analysis...
<blindfuzzy> No support for embedding additional files, such as the pagefile, kernel image etc.
<blindfuzzy> There are some others used but none of them have the features we need
<blindfuzzy> The Microsoft Crashdump file, for example, is commonly used with windows images - however this is a proprietary, undocumented file format with no support for compression or embedding (although it supports some windows specific metadata) it is also non-extensible. I do not recommend acquiring with this format directly - if you need to analyze the image with the windows debugger I recommend using the Rekall "raw2dmp" plugin to create a dump file later.
<blindfuzzy> AFF4 format is built on top of the standard ZIP format. Which means we can use a regular zip program to check out an AFF4 volume
<blindfuzzy> AFF4 is pretty standard although raw files come in all the time for analysis
<blindfuzzy> so the winpmem command would look like this: winpmem_2.0.1.exe -o test.aff4
<blindfuzzy> Loading it into Rekall looks like this: "c:\Program Files\Rekall\rekal.exe" -f test.aff4
<blindfuzzy> More info here: http://forensicswiki.org/wiki/Rekall
<blindfuzzy> http://www.rekall-forensic.com/docs/References/Presentations/AntiForensic.html <---great presentation
<blindfuzzy> The biggest difference between Rekall and Volatility is Rekall is more modular and supports a great deal more
<blindfuzzy> The guys I know that work on Volatility would kill me for saying that but it's true
<blindfuzzy> Rekall can be a pain though
<blindfuzzy> It's a 'newish" concept. So there are bumps and bruises it has.
<blindfuzzy> Like with anything
<blindfuzzy> So I don't want to get into all of Rekall's plugins because I will be covering those "live" next week, where I will walk through the process of memory acquisition and sending the image to Rekall and conducting initial analysis on the image using Rekall's plugins
<blindfuzzy> We'll examine a keylogger I wrote for SANS in the live show next week and get into more about using Rekall. This talk was meant to be something that got everyone's "feet wet" per se
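The discussion above lists three shortcomings of RAW images (reserved regions padded with zeros, no compression, no room for metadata such as the constants analysis needs). The following added Python example, which is not Rekall's code and whose container layout is invented for illustration rather than being AFF4, builds a constructed 64 KiB physical address space with a reserved hole, writes it both as a RAW image and as a run-based compressed container with a JSON header, and shows how each format answers a read by physical address. The address layout, the run table format and the metadata keys are all assumptions.

```python
"""Toy comparison of a RAW memory image with a run-based container, to show
the three points made about RAW images in the log: padded reserved regions,
no compression, no metadata. Added example with a constructed address space;
the container layout is invented for illustration and is not AFF4."""
import json
import struct
import zlib

TOTAL = 0x10000                               # constructed 64 KiB physical address space
RUNS = [(0x0000, 0x6000), (0x8000, TOTAL)]    # populated RAM; [0x6000, 0x8000) is a reserved hole
MAGIC = b"TOYM"                               # invented container signature


def fake_ram(start: int, end: int) -> bytes:
    """Constructed RAM contents for [start, end): each 16-byte line holds its line index."""
    return bytes((addr >> 4) & 0xFF for addr in range(start, end))


def write_raw(runs, total: int) -> bytes:
    """RAW image: byte-for-byte copy of the address space, holes padded with zeros."""
    img = bytearray(total)
    for start, end in runs:
        img[start:end] = fake_ram(start, end)
    return bytes(img)


def write_runs(runs, metadata: dict) -> bytes:
    """Run-based container: JSON header (run table + acquisition metadata)
    followed by the zlib-compressed concatenation of the populated runs only."""
    table, payload = [], bytearray()
    for start, end in runs:
        table.append({"start": start, "length": end - start, "offset": len(payload)})
        payload += fake_ram(start, end)
    header = json.dumps({"runs": table, **metadata}).encode()
    return MAGIC + struct.pack("<I", len(header)) + header + zlib.compress(bytes(payload))


def parse_container(blob: bytes):
    """Split a container back into (header dict, decompressed payload)."""
    if blob[:4] != MAGIC:
        raise ValueError("not a toy container")
    (hlen,) = struct.unpack("<I", blob[4:8])
    header = json.loads(blob[8:8 + hlen])
    return header, zlib.decompress(blob[8 + hlen:])


def read_phys_raw(img: bytes, addr: int, length: int) -> bytes:
    """Every file offset is a physical address, so a read is a plain slice;
    a hole reads back as zeros, indistinguishable from zeroed RAM."""
    return img[addr:addr + length]


def read_phys_runs(blob: bytes, addr: int, length: int):
    """Translate a physical address through the run table (reads are assumed
    not to cross a run boundary). Returns None for addresses never acquired."""
    header, payload = parse_container(blob)
    for run in header["runs"]:
        if run["start"] <= addr < run["start"] + run["length"]:
            off = run["offset"] + (addr - run["start"])
            return payload[off:off + length]
    return None


def compare() -> dict:
    """Sizes of both images plus the metadata only the container can carry."""
    meta = {"tool": "toy-acquirer", "page_size": 0x1000}   # placeholder metadata
    raw = write_raw(RUNS, TOTAL)
    cont = write_runs(RUNS, meta)
    header, _ = parse_container(cont)
    return {"raw_size": len(raw), "container_size": len(cont),
            "metadata": {k: v for k, v in header.items() if k != "runs"}}


if __name__ == "__main__":
    print(compare())
```

The RAW image is always exactly the size of the address space including the hole, and a read inside the hole returns zeros with no way to tell acquired-and-zero from never-acquired; the container stores only the two runs, compresses them, records the run table so the reader can tell the two cases apart, and has a place for the acquisition constants the talk says analysis needs.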
-
I'm getting lazy but this week's topic was on: Tools are tools...and I don't mean that in a good way.
I pretty much bitched about how new people are coming into the industry and relying heavily on tools and scanners and not having much manual testing skills. A big epidemic in the industry these days in my opinion.
STAY TUNED FOR THE LINK TO THE DISCUSSION!
-
Meeting #6 (maybe it's 7?)
1.27.2016
Tools are for tools:
https://www.youtube.com/watch?v=kPFTv5NvZb0
-
Meeting #6 (maybe it's 7?)
1.27.2016
Tools are for tools:
https://www.youtube.com/watch?v=kPFTv5NvZb0
Thank you sir! Front page has been updated with the link.
-
This week's topic will be on Dridex the banking trojan.
Quick resource here to spin you up on what exactly Dridex is and does...etc: https://www.us-cert.gov/ncas/alerts/TA15-286A
-
Front page has been updated with Meeting #7 video.
-
Tomorrow's meeting has been cancelled. Can pm me for further details.
-
This week's topic is: You can no haz mai dataz FBI
-
@Sec_Meet
Meeting #8 02.17.2016
Apple vs FBI
https://www.youtube.com/watch?v=u-36WSkzlp4