UCL / Raytheon

On July 19th 2017, WikiLeaks published documents from the CIA contractor Raytheon Blackbird Technologies for the "UMBRAGE Component Library" (UCL) project. The documents were submitted to the CIA between November 21st, 2014 (only two weeks after Raytheon acquired Blackbird Technologies to build a Cyber Powerhouse) and September 11th, 2015. They mostly contain Proof-of-Concept ideas and assessments for malware attack vectors, largely based on public documents from security researchers and private companies in the computer security field.

Raytheon Blackbird Technologies acted as a kind of "technology scout" for the Remote Development Branch (RDB) of the CIA by analysing malware attacks in the wild and giving recommendations to the CIA development teams for further investigation and PoC development for their own malware projects.

Click Here For Files

Highrise

On July 13th 2017, WikiLeaks published documents from the Highrise project of the CIA. HighRise is an Android application designed for mobile devices running Android 4.0 to 4.3. It provides a redirector function for SMS messaging that could be used by a number of IOC tools that use SMS messages for communication between implants and listening posts. HighRise acts as an SMS proxy that provides greater separation between devices in the field ("targets") and the listening post (LP) by proxying "incoming" and "outgoing" SMS messages to an internet LP. Highrise provides a communications channel between the HighRise field operator and the LP over a TLS/SSL-secured internet connection.

For Files click here

SQL Injection Part 1

In SQL Injection – Intro we learned what SQLi is and what its types are. In this article we will set up a lab for SQLi and test web applications for SQL injection vulnerabilities.

I have used the Pentester Lab VM image; you can download it from here.

VMware Workstation – Download

Lab Setup

First download the ISO file and VMware Workstation (you can use another VM product too) from the links above.

  • Install VMware, open it and click on *Create a New Virtual Machine*. Then choose the ISO file you downloaded and click Next.
    VM screenshot: choose ISO
  • Now customize the hardware as in the following screenshot and click Finish.
    Settings screenshot: hardware settings
  • Now go to your VM and click on *Play virtual machine*.
  • Once the image boots up, type ifconfig and note down the IPv4 address (in my case it is 192.168.234.129).
  • Now open a browser and type the IP in the address bar (my IP differs from the one above for some reason; in your case use the same IP as shown in your VM).

It's done! Your vulnerable image is now ready for testing.

Testing Web Applications to Find SQL Injection Vulnerabilities

Now the question is how you can find vulnerabilities in the web application. You can use the following characters to check for vulnerabilities, or you can use spidering. Watch the following video to learn more about spidering, or read the spidering article here.

Character        Function
'                String indicator ('string')
"                String indicator ("string")
+                Arithmetic operation, or concatenate (combine) for MS SQL Server and DB2
||               Concatenate (combine) for Oracle, PostgreSQL
concat("","")    Concatenate (combine) for MySQL
*                Wildcard ("All") used to indicate all columns in a table
%                Wildcard ("Like") used for strings:
'%abc'             (ending in abc)
'%abc%'            (containing abc)
;                Statement terminator
()               Group of data or statements
--               Comment (single line)
#                Comment (single line)
/*comment*/      Multiline comment
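The same character table is useful from the defender's side: the metacharacters a tester sends also show up in the web server's access logs. As an added example (not part of the original article), the Python script below scans constructed Apache-style log lines and flags query parameters that carry those characters or a UNION ... SELECT, so probes against an application can be found after the fact. The log lines, IP addresses and paths are constructed samples.

```python
"""Flag web requests whose query parameters carry SQL metacharacters.

Added example for this page, not code from the original article. A hit
only means a probe character was sent; it says nothing about whether the
application was actually vulnerable to it.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Indicators taken from the character table above plus the UNION operator
# described in the intro article. '#' cannot appear in a URL query (it
# starts the fragment) but is kept for parity with the table.
INDICATORS = [
    ("single quote", re.compile(r"'")),
    ("double quote", re.compile(r'"')),
    ("line comment --", re.compile(r"--")),
    ("line comment #", re.compile(r"#")),
    ("block comment", re.compile(r"/\*.*?\*/", re.S)),
    ("statement terminator", re.compile(r";")),
    ("oracle concat", re.compile(r"\|\|")),
    ("union select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
]

# Minimal Apache "combined" log pattern: client IP, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) '
)


def scan_line(line):
    """Return (ip, status, param, indicator, value) tuples for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    # parse_qsl percent-decodes, so an encoded %27 is seen as a real quote
    params = parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True)
    hits = []
    for name, value in params:
        for label, pattern in INDICATORS:
            if pattern.search(value):
                hits.append((m.group("ip"), int(m.group("status")), name, label, value))
    return hits


def scan_log(lines):
    """Scan an iterable of log lines and collect all hits in order."""
    hits = []
    for line in lines:
        hits.extend(scan_line(line))
    return hits


# Constructed sample log: a normal request, a single-quote probe that drew
# a 500 (a database error reached the client), a URL-encoded UNION probe,
# and an unrelated POST that must not be flagged.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jul/2017:10:00:01 +0000] "GET /cat.php?id=18 HTTP/1.1" 200 4120',
    '192.0.2.77 - - [01/Jul/2017:10:00:05 +0000] "GET /cat.php?id=18%27 HTTP/1.1" 500 612',
    '192.0.2.77 - - [01/Jul/2017:10:00:09 +0000] "GET /cat.php?id=18%20UNION%20SELECT%201,2,3--%20 HTTP/1.1" 200 4300',
    '192.0.2.11 - - [01/Jul/2017:10:01:00 +0000] "POST /login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, status, param, label, value in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} param={param!r} indicator={label}: {value!r}")
```

A probe followed by a 500 response, as in the second sample line, is the log-side view of the error check described in the next section.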

Example of using the above characters to check for a vulnerability

  • First find a URL with 'id=' in it, e.g. "example.com?id=".
  • In the following screenshot the URL is *http://192.168.234.136/cat.php?id=18*
  • Now put the first character from the table above at the end of the URL to check for a vulnerability. If the page gives an SQL error, the web application is vulnerable to SQLi. An SQL error looks like the following screenshot.
Vulnerability check screenshot


SQL Injection – Intro

SQL Injection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.

Types of SQL Injection (SQLi)
  • Classic SQLi (In-band SQLi)
  • Blind SQLi (Inferential SQLi)
  • Out-of-band SQL Injection

Classic SQLi (In-band SQLi)

In-band SQL Injection is the most common and easy-to-exploit of SQL Injection attacks. In-band SQL Injection occurs when an attacker is able to use the same communication channel to both launch the attack and gather results.

The two most common types of in-band SQL Injection are Error-based SQLi and Union-based SQLi.

Error-based SQLi

Error-based SQLi is an in-band SQL Injection technique that relies on error messages thrown by the database server to obtain information about the structure of the database. In some cases, error-based SQL injection alone is enough for an attacker to enumerate an entire database. While errors are very useful during the development phase of a web application, they should be disabled on a live site, or logged to a file with restricted access instead.

Union-based SQLi

Union-based SQLi is an in-band SQL injection technique that leverages the UNION SQL operator to combine the results of two or more SELECT statements into a single result which is then returned as part of the HTTP response.

Blind SQLI (Inferential SQLi)

Inferential SQL Injection, unlike in-band SQLi, may take longer for an attacker to exploit, however, it is just as dangerous as any other form of SQL Injection. In an inferential SQLi attack, no data is actually transferred via the web application and the attacker would not be able to see the result of an attack in-band (which is why such attacks are commonly referred to as “blind SQL Injection attacks”). Instead, an attacker is able to reconstruct the database structure by sending payloads, observing the web application’s response and the resulting behavior of the database server.

The two types of inferential SQL Injection are Blind-boolean-based SQLi and Blind-time-based SQLi.

Boolean-based (content-based) Blind SQLi

Boolean-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result.

Depending on the result, the content within the HTTP response will change, or remain the same. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned. This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database, character by character.

Time-based Blind SQLi

Time-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE.

Depending on the result, an HTTP response will be returned with a delay, or returned immediately. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned. This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database character by character.


Out-of-band SQLi

Out-of-band SQL Injection is not very common, mostly because it depends on features being enabled on the database server being used by the web application. Out-of-band SQL Injection occurs when an attacker is unable to use the same channel to launch the attack and gather results.

Out-of-band techniques offer an attacker an alternative to inferential time-based techniques, especially if the server responses are not very stable (making an inferential time-based attack unreliable).

Out-of-band SQLi techniques rely on the database server's ability to make DNS or HTTP requests to deliver data to an attacker. Such is the case with Microsoft SQL Server's xp_dirtree command, which can be used to make DNS requests to a server an attacker controls, as well as Oracle Database's UTL_HTTP package, which can be used to send HTTP requests from SQL and PL/SQL to a server an attacker controls.
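Error-based SQLi, and the single-quote check from the lab article, both work because the application builds SQL from the URL parameter and passes the database's error text back to the client. As an added example (not the article's code, and not the lab VM's cat.php), here is a small sqlite3 stand-in for a cat.php?id= lookup written twice: the vulnerable concatenation, and the fixed version that binds the parameter, type-checks the id and logs database errors server-side instead of returning them. The table and its rows are constructed.

```python
"""Vulnerable versus hardened id lookup, added example for this page.

The schema, rows and handler shapes are constructed stand-ins for the
lab application; nothing here is taken from Pentester Lab's code.
"""
import logging
import sqlite3

log = logging.getLogger("app")


def make_db():
    """Constructed sample table standing in for the lab's categories."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO categories VALUES (?, ?)",
                     [(18, "ruxcon"), (19, "blackhat")])
    return conn


def lookup_vulnerable(conn, raw_id):
    """The 'before' version: the id from the URL is pasted into the SQL text.

    A trailing quote breaks the statement, and the driver's error message
    is handed straight back to the caller. That leaked message is the
    signal the article's single-quote check looks for.
    """
    try:
        row = conn.execute(
            "SELECT name FROM categories WHERE id = '" + raw_id + "'"
        ).fetchone()
        return {"status": 200, "body": row[0] if row else "not found"}
    except sqlite3.Error as exc:
        return {"status": 500, "body": "SQL error: " + str(exc)}


def lookup_hardened(conn, raw_id):
    """The fixed version.

    The id is validated as an integer before it goes near the database,
    the value is bound as a parameter so it can never change the statement
    structure, and any database error is logged with restricted access
    server-side while the client only sees a generic message.
    """
    if not raw_id.isdigit():
        return {"status": 400, "body": "bad request"}
    try:
        row = conn.execute(
            "SELECT name FROM categories WHERE id = ?", (int(raw_id),)
        ).fetchone()
        return {"status": 200, "body": row[0] if row else "not found"}
    except sqlite3.Error:
        log.exception("database error for id=%r", raw_id)
        return {"status": 500, "body": "internal error"}


def leaks_db_error(handler, conn, raw_id):
    """The article's check: does appending a quote make a DB error reach the client?"""
    resp = handler(conn, raw_id + "'")
    return resp["status"] == 500 and "SQL" in resp["body"]


if __name__ == "__main__":
    db = make_db()
    for name, handler in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        print(name, handler(db, "18"), "leaks error:", leaks_db_error(handler, db, "18"))
```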

BothanSpy

On July 6th 2017

WikiLeaks published documents from the BothanSpy and Gyrfalcon projects of the CIA. The implants described in both projects are designed to intercept and exfiltrate SSH credentials but work on different operating systems with different attack vectors.

BothanSpy is an implant that targets the SSH client program Xshell on the Microsoft Windows platform and steals user credentials for all active SSH sessions. These credentials are either username and password, in the case of password-authenticated SSH sessions, or username, filename of the private SSH key and key password if public key authentication is used. BothanSpy can exfiltrate the stolen credentials to a CIA-controlled server (so the implant never touches the disk on the target system) or save them in an encrypted file for later exfiltration by other means. BothanSpy is installed as a Shellterm 3.x extension on the target machine.

Gyrfalcon is an implant that targets the OpenSSH client on Linux platforms (centos, debian, rhel, suse, ubuntu). The implant can not only steal user credentials of active SSH sessions, but is also capable of collecting full or partial OpenSSH session traffic. All collected information is stored in an encrypted file for later exfiltration. It is installed and configured by using a CIA-developed rootkit (JQC/KitV) on the target machine.

Download Documents :- https://wikileaks.org/vault7/#BothanSpy

OutlawCountry

On June 30th 2017

WikiLeaks published documents from the OutlawCountry project of the CIA, which targets computers running the Linux operating system. OutlawCountry allows for the redirection of all outbound network traffic on the target computer to CIA-controlled machines for exfiltration and infiltration purposes. The malware consists of a kernel module that creates a hidden netfilter table on a Linux target; with knowledge of the table name, an operator can create rules that take precedence over existing netfilter/iptables rules and are concealed from a user or even the system administrator.

The installation and persistence method of the malware is not described in detail in the document; an operator would have to rely on the available CIA exploits and backdoors to inject the kernel module into a target operating system. OutlawCountry v1.0 contains one kernel module for 64-bit CentOS/RHEL 6.x; this module will only work with default kernels. Also, OutlawCountry v1.0 only supports adding covert DNAT rules to the PREROUTING chain.

Download documents :- https://wikileaks.org/vault7/#BothanSpy

Elsa – CIA Malware to Track Geo-Location of Target

Today, June 28th 2017, WikiLeaks published documents from the ELSA project of the CIA. ELSA is a geo-location malware for WiFi-enabled devices like laptops running the Microsoft Windows operating system. Once persistently installed on a target machine using separate CIA exploits, the malware scans visible WiFi access points and records the ESS identifier, MAC address and signal strength at regular intervals. To perform the data collection the target machine does not have to be online or connected to an access point; it only needs to be running with an enabled WiFi device. If it is connected to the internet, the malware automatically tries to use public geo-location databases from Google or Microsoft to resolve the position of the device and stores the longitude and latitude data along with the timestamp. The collected access point/geo-location information is stored in encrypted form on the device for later exfiltration. The malware itself does not beacon this data to a CIA back-end; instead the operator must actively retrieve the log file from the device, again using separate CIA exploits and backdoors.

The ELSA project allows the customization of the implant to match the target environment and operational objectives like sampling interval, maximum size of the logfile and invocation/persistence method. Additional back-end software (again using public geo-location databases from Google and Microsoft) converts unprocessed access point information from exfiltrated logfiles to geo-location data to create a tracking profile of the target device.

Download the Elsa user manual here

Petya – Everything You Need to Know

It has been reported that variants of the Petya ransomware with worm-like capabilities are spreading. The ransomware leverages the EternalBlue exploit and genuine PsExec or WMIC with appropriate credentials for a quick spread.

These mechanisms are used to attempt installation and execution of the dropped file "C:\Windows\perfc.dat" on other devices to spread laterally. If the dropped file manages to obtain Administrator privileges, it encrypts the Master File Table (MFT) of NTFS partitions and overwrites the Master Boot Record (MBR) with a custom bootloader, making the system unusable. The malware further creates a scheduled task via schtasks /at to reboot the system one hour after infection. After the system reboots, the malware loads its code from the MBR and encrypts data on the hard drive.

If it fails to obtain the privileges needed to rewrite the MBR, the files are encrypted without a system reboot. The list of file types that are encrypted:
3ds, 7z, accdb, ai, asp, aspx, avhd, back, bak, c, cfg, conf, cpp, cs, ctl, dbf, disk, djvu, doc, docx, dwg, eml, fdb, gz, h, hdd, kdbx, mail, mdb, msg, nrg, ora, ost, ova, ovf, pdf, php, pmf, ppt, pptx, pst, pvi, py, pyc, rar, rtf, sln, sql, tar, vbox, vbs, vcb, vdi, vfd, vmc, vmdk, vmsd, vmx, vsdx, vsv, work, xls, xlsx, xvd, zip.

The spreading mechanisms observed thus far are:

  • EternalBlue – the same exploit used by WannaCry.
  • PsExec – a legitimate Windows administration tool.
    C:\WINDOWS\dllhost.dat \\w.x.y.z -accepteula -s -d C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1 [dllhost.dat is psexec.exe]
  • WMI – Windows Management Instrumentation, a legitimate Windows component.
    Wbem\wmic.exe /node:"w.x.y.z" /user:"username" /password:"password" "process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1" [there are unconfirmed reports about the use of mimikatz /lsadump to obtain the system credentials]

There are open-source reports about the use of the Microsoft Office HTA handler vulnerability [CVE-2017-0199] as one of the infection vectors.

Petya example screenshot

The malware clears the system logs with the following command to make further analysis more difficult:
"wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:"

Potential Indicators of Compromise


Recommendations

  • In order to prevent infection, users and organizations are advised to apply patches to Windows systems as mentioned in Microsoft Security Bulletin MS17-010.
    https://technet.microsoft.com/library/security/MS17-010
  • Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
  • Block SMB ports on Enterprise Edge/perimeter network devices [UDP 137, 138 and TCP 139, 445] or Disable SMBv1.
    https://support.microsoft.com/en-us/help/2696547
  • Use AppLocker policies to block execution of files named perfc.dat as well as the psexec.exe utility from Sysinternals.
  • A quick fix is to create the files perfc, perfc.dll and perfc.dat under C:\Windows with read-only permissions so that they already exist on the machine. A brief description is here:
    https://www.bleepingcomputer.com/news/security/vaccine-not-killswitch-found-for-petya-notpetya-ransomware-outbreak/
  • Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. If the URL looks genuine, close the e-mail and go to the organization's website directly through the browser.
  • Restrict execution of PowerShell, WScript, PsExec and WMIC in the enterprise environment. Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging, script block logging and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
  • Establish Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC) and DomainKeys Identified Mail (DKIM) for your domain. These e-mail validation mechanisms detect spoofed e-mail, which is how most ransomware samples reach corporate mailboxes.
  • Application whitelisting / strict implementation of Software Restriction Policies (SRP) to block binaries running from the %APPDATA%, %PROGRAMDATA% and %TEMP% paths, since ransomware samples generally drop and execute from these locations. Enforce application whitelisting on all endpoint workstations.
  • Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
  • Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running.
  • Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
  • Maintain updated Antivirus software on all systems.
  • Consider installing Enhanced Mitigation Experience Toolkit, or similar host-level anti-exploitation tools.
  • Block the attachments of file types,
    exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
  • Regularly check the contents of database backup files for unauthorized encrypted data records or external elements (backdoors / malicious scripts).
  • Keep the operating system and third-party applications (MS Office, browsers, browser plugins) up to date with the latest patches.
  • Follow safe practices when browsing the web. Ensure web browsers are secured with appropriate content controls.
  • Network segmentation and segregation into security zones help protect sensitive information and critical services. Separate the administrative network from business processes with physical controls and Virtual Local Area Networks.
  • Disable Remote Desktop connections and employ least-privileged accounts.
  • Ensure the integrity of the code/scripts used in database, authentication and sensitive systems, and check regularly for the integrity of the information stored in the databases.
  • Restrict users’ abilities (permissions) to install and run unwanted software applications.
  • Employ data-at-rest and data-in-transit encryption.

Source :- http://www.cyberswachhtakendra.gov.in

All about “Intel X Series” processors

Intel’s X series

Recently Intel, a multinational company and the largest manufacturer of processors, launched its brand new X-series processors with extensive overclocking capacity up to 4.30 GHz, a base speed of 3.30 GHz and 13.73 MB of extreme cache memory. It comes with support for Intel Turbo Boost 3.0.

About newly launched Core i9

The dawn of a new breed of extreme desktop processors is here, elevating everything you do to new heights. Powered by a massive 18 cores and 36 threads, this processor enables extreme single-threaded performance with the updated Intel® Turbo Boost Max Technology 3.0. This technology now identifies the two best performing cores to provide increased single- and dual-core performance. The new Extreme Edition boasts 44 PCIe lanes and support for multiple discrete graphics cards, Thunderbolt™ technology, and high-speed storage like Intel® Optane™ technology. And of course, it is fully unlocked for extreme performance. It costs a whopping 2k dollars (approx.).

Intel® Core™ X-Series Processor Family

Something for every enthusiast! The new Intel® Core™ X-series processor family is designed to scale to your performance needs by delivering options from 4 to 18 cores for extreme performance, the latest technological advancements and headroom for the future. This platform comes ready to install Intel® Optane™ memory and Intel® Optane™ SSDs for amazing system responsiveness. Support for immersive 4K visuals, four-channel DDR4 2666 memory, Thunderbolt™ 3 delivering a 40Gb/s bi-directional port for almost any peripheral you want to connect, and up to 8 SATA ports for a RAID storage array make this the ultimate desktop platform.

WikiLeaks – Brutal Kangaroo

Today, June 22nd 2017, WikiLeaks published documents from the Brutal Kangaroo project of the CIA. Brutal Kangaroo is a tool suite for Microsoft Windows that targets closed networks by air-gap jumping using thumbdrives. Brutal Kangaroo components create a custom covert network within the target closed network and provide functionality for executing surveys, directory listings, and arbitrary executables.

The documents describe how a CIA operation can infiltrate a closed network (or a single air-gapped computer) within an organization or enterprise without direct access. It first infects an Internet-connected computer within the organization (referred to as the "primary host") and installs the BrutalKangaroo malware on it. When a user is using the primary host and inserts a USB stick into it, the thumbdrive itself is infected with a separate malware. If this thumbdrive is used to copy data between the closed network and the LAN/WAN, the user will sooner or later plug the USB disk into a computer on the closed network. By browsing the USB drive with Windows Explorer on such a protected computer, it also gets infected with exfiltration/survey malware. If multiple computers on the closed network are under CIA control, they form a covert network to coordinate tasks and data exchange. Although not explicitly stated in the documents, this method of compromising closed networks is very similar to how Stuxnet worked.

The Brutal Kangaroo project consists of the following components: Drifting Deadline is the thumbdrive infection tool, Shattered Assurance is a server tool that handles automated infection of thumbdrives (as the primary mode of propagation for the Brutal Kangaroo suite), Broken Promise is the Brutal Kangaroo postprocessor (to evaluate collected information) and Shadow is the primary persistence mechanism (a stage 2 tool that is distributed across a closed network and acts as a covert command-and-control network; once multiple Shadow instances are installed and share drives, tasking and payloads can be sent back and forth).

The primary execution vector used by infected thumbdrives is a vulnerability in the Microsoft Windows operating system that can be exploited by hand-crafted link files that load and execute programs (DLLs) without user interaction. Older versions of the tool suite used a mechanism called EZCheese that was a 0-day exploit until March 2015; newer versions seem to use a similar, but yet unknown, link file vulnerability (Lachesis/RiverJack) related to the library-ms functionality of the operating system.

Click here for the Brutal Kangaroo tools

Some of Past Leaks :-