On July 19th 2017, WikiLeaks publishes documents from the CIA contractor Raytheon Blackbird Technologies for the “UMBRAGE Component Library” (UCL) project. The documents were submitted to the CIA between November 21st, 2014 (just two weeks after Raytheon acquired Blackbird Technologies to build a Cyber Powerhouse) and September 11th, 2015. They mostly contain Proof-of-Concept ideas and assessments for malware attack vectors – partly based on public documents from security researchers and private enterprises in the computer security field.
Raytheon Blackbird Technologies acted as a kind of “technology scout” for the Remote Development Branch (RDB) of the CIA by analysing malware attacks in the wild and giving recommendations to the CIA development teams for further investigation and PoC development for their own malware projects.
On July 13th 2017, WikiLeaks publishes documents from the Highrise project of the CIA. HighRise is an Android application designed for mobile devices running Android 4.0 to 4.3. It provides a redirector function for SMS messaging that could be used by a number of IOC tools that use SMS messages for communication between implants and listening posts. HighRise acts as an SMS proxy that provides greater separation between devices in the field (“targets”) and the listening post (LP) by proxying “incoming” and “outgoing” SMS messages to an internet LP. Highrise provides a communications channel between the HighRise field operator and the LP over a TLS/SSL secured internet connection.
First download the ISO file and VMware Workstation (you can use another VM product too) from the link above.
Install VMware, open it and click on *Create a New Virtual Machine*. Then choose the ISO file you downloaded and click on Next.
Now in this step customize the hardware as in the following screenshot and click on Finish.
Now go to your VM and click on *Play virtual machine*.
Once the image boots up, type ifconfig and note down the IPv4 address (in my case it's 192.168.234.129).
Now open a browser and type the IP in the address bar (my IP differs from the one above for some reasons; in your case use the same IP as shown in your VM).
That's it! Your vulnerable image is now ready for testing and attacks.
Testing Web Applications to Find SQL Injection Vulnerabilities
Now the question is how you can find vulnerabilities in the web application. You can use the following characters to check for vulnerabilities, or you can use spidering. Watch the following video to learn more about spidering, or read the spidering article here.
| Character | Meaning |
|---|---|
| `'` | String indicator (`'string'`) |
| `"` | String indicator (`"string"`) |
| `+` | Arithmetic operation, or concatenate (combine) for MS SQL Server and DB2 |
| `\|\|` | Concatenate (combine) for Oracle, PostgreSQL |
| `concat("","")` | Concatenate (combine) for MySQL |
| `*` | Wildcard ("All") used to indicate all columns in a table |
| `%` | Wildcard ("Like") used for strings: `'%abc'` (ending in abc), `'%abc%'` (containing abc) |
| `;` | Statement terminator |
| `()` | Group of data or statements |
| `--` | Comment (single line); MySQL requires a space after `--` |
| `#` | Comment (single line, MySQL) |
| `/*comment*/` | Multiline comment |
Example of using the above characters to check for a vulnerability
First find a URL with `id=`, e.g. `example.com?id=`.
In the following screenshot the URL is *http://192.168.234.136/cat.php?id=18*
Now append the first character from the table above to the end of the URL to check for the vulnerability. If the page returns a SQL error, the web application is vulnerable to SQLi. The SQL error looks like the following screenshot.
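As an added illustration of the check above (not code from the original article), the following Python snippet uses an in-memory SQLite database standing in for whatever sits behind cat.php?id=; the table, its rows and the two handler functions are constructed assumptions about how such a page might be written. It shows why appending a lone quote produces the database error the tutorial tells you to look for, and why a parameterized query does not react to the same input.

```python
import sqlite3

# Constructed sample data standing in for the products behind cat.php?id= (assumption).
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
INSERT INTO products VALUES (18, 'Widget', 9.5), (19, 'Gadget', 24.5);
"""


def make_db():
    """Return a fresh in-memory SQLite database loaded with the sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def lookup_vulnerable(db, raw_id):
    """Hypothetical handler that splices the raw id parameter straight into SQL.

    Appending a lone quote yields  SELECT ... WHERE id = 18'  which the SQL
    parser rejects; that database error is the signal the tutorial describes.
    """
    sql = "SELECT id, name, price FROM products WHERE id = " + raw_id
    return db.execute(sql).fetchall()


def lookup_safe(db, raw_id):
    """Same lookup with a bound parameter: raw_id is only ever treated as a value."""
    sql = "SELECT id, name, price FROM products WHERE id = ?"
    return db.execute(sql, (raw_id,)).fetchall()


def probe(handler, db, raw_id):
    """Run a handler and report ('ok', rows) or ('error', message)."""
    try:
        return ("ok", handler(db, raw_id))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for raw in ("18", "18'", "18 OR 1=1"):
        print(repr(raw), "vulnerable:", probe(lookup_vulnerable, db, raw))
        print(repr(raw), "safe:      ", probe(lookup_safe, db, raw))
```

With the quote appended, the concatenating handler raises an "unrecognized token" error while the parameterized one simply returns no rows; the tautology input shows the same contrast (two rows versus none). The fix is the bound parameter, not filtering the quote character.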
Thank you for reading!! Hope you like this article. Share it with your friends. Like us on Facebook!!
SQL Injection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).

SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed.

SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
Types of SQL Injections (SQLI)
Classic SQLI (In-band SQLi)
Blind SQLI (Inferential SQLi)
Out-of-band SQL Injection
Classic SQLI (In-band SQLi)
In-band SQL Injection is the most common and easy-to-exploit of SQL Injection attacks. In-band SQL Injection occurs when an attacker is able to use the same communication channel to both launch the attack and gather results.
The two most common types of in-band SQL Injection are Error-based SQLi and Union-based SQLi.
Error-based SQLi is an in-band SQL Injection technique that relies on error messages thrown by the database server to obtain information about the structure of the database. In some cases, error-based SQL injection alone is enough for an attacker to enumerate an entire database. While errors are very useful during the development phase of a web application, they should be disabled on a live site, or logged to a file with restricted access instead.
Union-based SQLi is an in-band SQL injection technique that leverages the UNION SQL operator to combine the results of two or more SELECT statements into a single result which is then returned as part of the HTTP response.
Blind SQLI (Inferential SQLi)
Inferential SQL Injection, unlike in-band SQLi, may take longer for an attacker to exploit, however, it is just as dangerous as any other form of SQL Injection. In an inferential SQLi attack, no data is actually transferred via the web application and the attacker would not be able to see the result of an attack in-band (which is why such attacks are commonly referred to as “blind SQL Injection attacks”). Instead, an attacker is able to reconstruct the database structure by sending payloads, observing the web application’s response and the resulting behavior of the database server.
The two types of inferential SQL Injection are boolean-based blind SQLi and time-based blind SQLi.
Boolean-based (content-based) Blind SQLi
Boolean-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result.
Depending on the result, the content within the HTTP response will change, or remain the same. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned. This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database, character by character.
Time-based Blind SQLi
Time-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE.
Depending on the result, an HTTP response will be returned with a delay, or returned immediately. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned. This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database character by character.
Out-of-band SQL Injection is not very common, mostly because it depends on features being enabled on the database server being used by the web application. Out-of-band SQL Injection occurs when an attacker is unable to use the same channel to launch the attack and gather results.
Out-of-band techniques offer an attacker an alternative to inferential time-based techniques, especially if the server responses are not very stable (making an inferential time-based attack unreliable).
Out-of-band SQLi techniques would rely on the database server’s ability to make DNS or HTTP requests to deliver data to an attacker. Such is the case with Microsoft SQL Server’s xp_dirtree command, which can be used to make DNS requests to a server an attacker controls; as well as Oracle Database’s UTL_HTTP package, which can be used to send HTTP requests from SQL and PL/SQL to a server an attacker controls.
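As an added example that is not part of the original article, here is detection logic a defender could run over web server access logs to spot the probes this section describes: the quote and comment characters from the table above, UNION SELECT, boolean conditions and time-delay functions. The log lines are constructed, and the rule names are mine; the patterns are deliberately simple and will need tuning against a real application's traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (combined log format). The requests against
# cat.php mirror the techniques discussed above; the last line is benign.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jul/2017:10:00:01 +0000] "GET /cat.php?id=18 HTTP/1.1" 200 5123
192.0.2.10 - - [19/Jul/2017:10:00:05 +0000] "GET /cat.php?id=18%27 HTTP/1.1" 500 812
192.0.2.10 - - [19/Jul/2017:10:00:09 +0000] "GET /cat.php?id=18%20AND%201%3D1 HTTP/1.1" 200 5123
192.0.2.10 - - [19/Jul/2017:10:00:12 +0000] "GET /cat.php?id=18%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 5340
192.0.2.10 - - [19/Jul/2017:10:00:20 +0000] "GET /cat.php?id=18%20AND%20SLEEP(5) HTTP/1.1" 200 5123
192.0.2.11 - - [19/Jul/2017:10:01:00 +0000] "GET /search.php?q=rock+%26+roll HTTP/1.1" 200 2201
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')

# Each rule maps one SQLi family described above to a pattern applied to the
# URL-decoded query string.
RULES = {
    # string delimiters and comment sequences from the character table
    "quote_or_comment": re.compile(r"""['"]|--|/\*|#"""),
    # in-band union-based probe
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I),
    # boolean-based blind probe: AND/OR followed by a comparison
    "boolean_probe": re.compile(r"""\b(?:and|or)\b\s*['"]?\s*\w*\s*['"]?\s*=""", re.I),
    # time-based blind probe: delay functions of common database engines
    "time_delay": re.compile(r"\b(?:sleep|benchmark|waitfor|pg_sleep)\b", re.I),
}


def extract_query(line):
    """Return the decoded query string of a log line, or '' if there is none."""
    m = REQUEST_RE.search(line)
    if not m or "?" not in m.group("target"):
        return ""
    return unquote_plus(m.group("target").split("?", 1)[1])


def classify_query(query):
    """Return the sorted list of rule names that match the query string."""
    return sorted(name for name, rx in RULES.items() if rx.search(query))


def scan_log(text):
    """Return (line number, tags) for every line that triggers at least one rule."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tags = classify_query(extract_query(line))
        if tags:
            hits.append((lineno, tags))
    return hits


if __name__ == "__main__":
    for lineno, tags in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(tags)}")
```

Decoding before matching matters: the quote in line 2 arrives as `%27`, and a rule applied to the raw request would miss it. The 500 status on that same line is the server-side counterpart of the error-based signal described above and is worth alerting on by itself.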
WikiLeaks publishes documents from the BothanSpy and Gyrfalcon projects of the CIA. The implants described in both projects are designed to intercept and exfiltrate SSH credentials but work on different operating systems with different attack vectors.
BothanSpy is an implant that targets the SSH client program Xshell on the Microsoft Windows platform and steals user credentials for all active SSH sessions. These credentials are either username and password in case of password-authenticated SSH sessions or username, filename of private SSH key and key password if public key authentication is used. BothanSpy can exfiltrate the stolen credentials to a CIA-controlled server (so the implant never touches the disk on the target system) or save them in an encrypted file for later exfiltration by other means. BothanSpy is installed as a Shellterm 3.x extension on the target machine.
Gyrfalcon is an implant that targets the OpenSSH client on Linux platforms (centos, debian, rhel, suse, ubuntu). The implant can not only steal user credentials of active SSH sessions, but is also capable of collecting full or partial OpenSSH session traffic. All collected information is stored in an encrypted file for later exfiltration. It is installed and configured by using a CIA-developed rootkit (JQC/KitV) on the target machine.
WikiLeaks publishes documents from the OutlawCountry project of the CIA that targets computers running the Linux operating system. OutlawCountry allows for the redirection of all outbound network traffic on the target computer to CIA controlled machines for ex- and infiltration purposes. The malware consists of a kernel module that creates a hidden netfilter table on a Linux target; with knowledge of the table name, an operator can create rules that take precedence over existing netfilter/iptables rules and are concealed from a user or even the system administrator.
The installation and persistence method of the malware is not described in detail in the document; an operator would have to rely on the available CIA exploits and backdoors to inject the kernel module into a target operating system. OutlawCountry v1.0 contains one kernel module for 64-bit CentOS/RHEL 6.x; this module will only work with default kernels. Also, OutlawCountry v1.0 only supports adding covert DNAT rules to the PREROUTING chain.
Today, June 28th 2017, WikiLeaks publishes documents from the ELSA project of the CIA. ELSA is a geo-location malware for WiFi-enabled devices like tablets running the Microsoft Windows operating system. Once persistently installed on a target machine using separate CIA exploits, the malware scans visible WiFi access points and records the ESS identifier, MAC address and signal strength at regular intervals. To perform the data collection the target machine does not have to be online or connected to an access point; it only needs to be running with an enabled WiFi device. If it is connected to the internet, the malware automatically tries to use public geo-location databases from Google or Microsoft to resolve the position of the device and stores the longitude and latitude data along with the timestamp. The collected access point/geo-location information is stored in encrypted form on the device for later exfiltration. The malware itself does not beacon this data to a CIA back-end; instead the operator must actively retrieve the log file from the device – again using separate CIA exploits and backdoors.
The ELSA project allows the customization of the implant to match the target environment and operational objectives like sampling interval, maximum size of the logfile and invocation/persistence method. Additional back-end software (again using public geo-location databases from Google and Microsoft) converts unprocessed access point information from exfiltrated logfiles to geo-location data to create a tracking profile of the target device.
It has been reported that variants of the Petya ransomware with worm-like capabilities are spreading. The ransomware leverages the EternalBlue exploit, or genuine psexec or wmic with appropriate credentials, for rapid spread.
These mechanisms are used to attempt installation and execution of the dropped file “C:\Windows\perfc.dat” on other devices to spread laterally. If the dropped file manages to obtain Administrator privileges, it encrypts the Master File Table (MFT) of NTFS partitions and overwrites the Master Boot Record (MBR) with a custom bootloader, making the system unusable. Further, the malware creates a scheduled task via schtasks /at to reboot the system one hour after infection. After the system reboots, the malware loads its code from the MBR and encrypts data on the hard drive.
If it fails to obtain the privileges needed to rewrite the MBR, the files are encrypted without a system reboot. The list of file types that are encrypted:
3ds, 7z, accdb, ai, asp, aspx, avhd, back, bak, c, cfg, conf, cpp, cs, ctl, dbf, disk, djvu, doc, docx, dwg, eml, fdb, gz, h, hdd, kdbx, mail, mdb, msg, nrg, ora, ost, ova, ovf, pdf, php, pmf, ppt, pptx, pst, pvi, py, pyc, rar, rtf, sln, sql, tar, vbox, vbs, vcb, vdi, vfd, vmc, vmdk, vmsd, vmx, vsdx, vsv, work, xls, xlsx, xvd, zip.
The spreading mechanisms observed thus far are:
EternalBlue – the same exploit used by WannaCry.
Psexec – a legitimate Windows administration tool.
```
C:\WINDOWS\dllhost.dat \\w.x.y.z -accepteula -s -d C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1
```
[dllhost.dat is psexec.exe]
WMI – Windows Management Instrumentation, a legitimate Windows component.
```
Wbem\wmic.exe /node:"w.x.y.z" /user:"username" /password:"password" "process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"
```
[There are unconfirmed reports about the usage of mimikatz /lsadump to obtain the system credentials.]
There are open source reports about the usage of the Microsoft Office HTA handler vulnerability [CVE-2017-0199] as one of the infection vectors.
The malware clears system logs using the following command, to make further analysis more difficult:
```
wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:
```
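Added example (not from the advisory): a small Python triage routine that flags process-creation records whose command lines match the lateral-movement and log-clearing commands quoted above. The event records, hostnames and IP addresses are constructed, and the indicator names are mine; in practice the records would come from Sysmon event ID 1 or Windows Security event 4688 with command-line auditing enabled.

```python
import re

# Constructed process-creation records shaped like the commands quoted above,
# plus two benign administrative commands for contrast. Hosts and IPs are made up.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\WINDOWS\dllhost.dat",
     "cmdline": r"C:\WINDOWS\dllhost.dat \\10.0.0.7 -accepteula -s -d "
                r"C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1"},
    {"host": "WS01", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": r'wmic.exe /node:"10.0.0.8" /user:"corp\admin" /password:"REDACTED" '
                r'"process call create \"C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1\""'},
    {"host": "WS01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security "
                r"& wevtutil cl Application & fsutil usn deletejournal /D C:"},
    {"host": "WS02", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": r"wevtutil qe Security /c:5 /f:text"},
    {"host": "WS02", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# "wevtutil cl <log>" clears an event log; "wevtutil qe" merely queries it.
WEVTUTIL_CLEAR = re.compile(r"wevtutil(?:\.exe)?\s+cl\s+(\w+)", re.I)


def cleared_logs(cmdline):
    """Return the names of event logs a command line clears, in order."""
    return [m.group(1) for m in WEVTUTIL_CLEAR.finditer(cmdline)]


def indicators(cmdline):
    """Return the sorted list of indicator names matching one command line."""
    c = cmdline.lower()
    hits = []
    # PsExec-style remote execution as SYSTEM (-s) with EULA auto-accepted
    if "-accepteula" in c and " -s " in c:
        hits.append("psexec_remote_exec_as_system")
    # WMI remote process creation against another node
    if "wmic" in c and "/node:" in c and "process call create" in c:
        hits.append("wmic_remote_process_create")
    # the dropped DLL being loaded through rundll32
    if "rundll32" in c and "perfc.dat" in c:
        hits.append("rundll32_perfc_dat")
    if cleared_logs(c):
        hits.append("event_logs_cleared")
    if "fsutil usn deletejournal" in c:
        hits.append("usn_journal_deleted")
    return sorted(hits)


def triage(events):
    """Return (host, image, indicators) for every event that matched something."""
    out = []
    for ev in events:
        tags = indicators(ev["cmdline"])
        if tags:
            out.append((ev["host"], ev["image"], tags))
    return out


if __name__ == "__main__":
    for host, image, tags in triage(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {', '.join(tags)}")
```

The two benign records are there on purpose: a `wevtutil qe` query and an ordinary `rundll32` control-panel launch must not fire, otherwise the rule drowns in administrative noise. Several `wevtutil cl` calls in one command line, followed by USN journal deletion, is the anti-forensics pattern worth a high-severity alert even without the other indicators.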
Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In the case of a genuine URL, close the e-mail and go to the organization’s website directly through the browser.
Restrict execution of PowerShell, WSCRIPT, PSEXEC and WMIC in the enterprise environment. Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging, script block logging and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
Establish Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) for your domain. These email validation mechanisms are designed to prevent spam by detecting email spoofing, which is how most ransomware samples successfully reach corporate mailboxes.
Enforce application whitelisting and a strict implementation of Software Restriction Policies (SRP) to block binaries running from the %APPDATA%, %PROGRAMDATA% and %TEMP% paths; ransomware samples generally drop to and execute from these locations. Enforce application whitelisting on all endpoint workstations.
Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running.
Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
Maintain updated Antivirus software on all systems.
Consider installing Enhanced Mitigation Experience Toolkit, or similar host-level anti-exploitation tools.
Block the attachments of file types,
Regularly check the contents of database backup files for any unauthorized encrypted data records or foreign elements (backdoors / malicious scripts).
Keep the operating system and third party applications (MS Office, browsers, browser plugins) up-to-date with the latest patches.
Follow safe practices when browsing the web. Ensure web browsers are sufficiently secured with appropriate content controls.
Use network segmentation and segregation into security zones to help protect sensitive information and critical services. Separate the administrative network from business processes with physical controls and Virtual Local Area Networks.
Intel, a multinational company and the largest manufacturer of processors, has recently launched its brand new X series processors, with overclocking capacity up to 4.30 GHz, a base speed of 3.30 GHz and 13.73 MB of cache memory. It comes with support for Intel Turbo Boost 3.0.
About newly launched Core i9
The dawn of a new breed of extreme desktop processors is here, elevating everything you do to new heights. Powered by a massive 18 cores and 36 threads, this processor enables extreme single-threaded performance with the updated Intel® Turbo Boost Max Technology 3.0. This technology now identifies the two best performing cores to provide increased single and dual-core performance. The new Extreme Edition boasts 44 PCIe lanes and support for multiple discrete graphics cards, Thunderbolt™ technology, and high-speed storage like Intel® Optane™ technology. And of course, it is fully unlocked for extreme performance. It costs a whopping 2k dollars (approx).
Intel® Core™ X-Series Processor Family
Something for every enthusiast! The new Intel® Core™ X-series processor family is designed to scale to your performance needs by delivering options between 4 to 18 cores for extreme performance, the latest technological advancements and headroom for the future. This platform comes ready to install Intel® Optane™ memory and Intel® Optane™ SSDs for amazing system responsiveness. Support for immersive 4K visuals, four channel DDR4 2666 memory, Thunderbolt™ 3 delivering a 40Gb/s bi-directional port for almost any peripheral you want to connect and up to 8 SATA ports for a RAID storage array makes this the ultimate desktop platform.
Today, June 22nd 2017, WikiLeaks publishes documents from the Brutal Kangaroo project of the CIA. Brutal Kangaroo is a tool suite for Microsoft Windows that targets closed networks by air gap jumping using thumbdrives. Brutal Kangaroo components create a custom covert network within the target closed network and provide functionality for executing surveys, directory listings, and arbitrary executables.
The documents describe how a CIA operation can infiltrate a closed network (or a single air-gapped computer) within an organization or enterprise without direct access. It first infects an Internet-connected computer within the organization (referred to as “primary host”) and installs the BrutalKangaroo malware on it. When a user is using the primary host and inserts a USB stick into it, the thumbdrive itself is infected with a separate malware. If this thumbdrive is used to copy data between the closed network and the LAN/WAN, the user will sooner or later plug the USB disk into a computer on the closed network. By browsing the USB drive with Windows Explorer on such a protected computer, it also gets infected with exfiltration/survey malware. If multiple computers on the closed network are under CIA control, they form a covert network to coordinate tasks and data exchange. Although not explicitly stated in the documents, this method of compromising closed networks is very similar to how Stuxnet worked.
The Brutal Kangaroo project consists of the following components: Drifting Deadline is the thumbdrive infection tool, Shattered Assurance is a server tool that handles automated infection of thumbdrives (as the primary mode of propagation for the Brutal Kangaroo suite), Broken Promise is the Brutal Kangaroo postprocessor (to evaluate collected information) and Shadow is the primary persistence mechanism (a stage 2 tool that is distributed across a closed network and acts as a covert command-and-control network; once multiple Shadow instances are installed and share drives, tasking and payloads can be sent back and forth).
The primary execution vector used by infected thumbdrives is a vulnerability in the Microsoft Windows operating system that can be exploited by hand-crafted link files that load and execute programs (DLLs) without user interaction. Older versions of the tool suite used a mechanism called EZCheese that was a 0-day exploit until March 2015; newer versions seem to use a similar, but yet unknown link file vulnerability (Lachesis/RiverJack) related to the library-ms functionality of the operating system.