Recently in Network Security Category

"Ncrack is an open source tool for network authentication cracking. It was designed for high-speed parallel cracking using a dynamic engine that can adapt to different network situations. Ncrack can also be extensively fine-tuned for special cases, though the default parameters are generic enough to cover almost every situation. It is built on a modular architecture that allows for easy extension to support additional protocols. Ncrack is designed for companies and security professionals to audit large networks for default or weak passwords in a rapid and reliable way. It can also be used to conduct fairly sophisticated and intensive brute force attacks against individual services."

I've always had a bit of a Hydra addiction when it comes to brute forcing services; however, Ncrack looks pretty tasty, especially with the parallel goodness.  Better than Hydra?  Only time will tell...

Check the screenshots and man page out at http://nmap.org/ncrack/man.html#man-description

Read more and grab Ncrack at http://nmap.org/ncrack/

Kneber Botnet - The End is Nigh! Not Quite!

Just a quick one this morning...  A botnet has been discovered that has apparently hijacked more than 75,000 boxes across the world, named "Kneber".  The media have got hold of this information and are spinning it so fast that even I'm a little dizzy.

The Kneber botnet is a VARIANT of the ZeuS trojan, which gives botnet herders an easy GUI to customise their malware, botnets and dropzones.  Kneber, as far as the malware goes, is NOT new!  Kneber as a botnet IS new.

Don't panic!  The ZeuS trojan (and its variants) is being picked up by most good AVs... so if you keep these up to date then you should* be OK.

Symantec and Fortinet have written good papers on the ZeuS trojan.

FortiGuard | Zeus: God of DIY Botnets
http://www.fortiguard.com/analysis/zeusanalysis.html

Symantec | Zeus, King of the Underground Crimeware Toolkits
http://www.symantec.com/connect/blogs/zeus-king-underground-crimeware-toolkits

OK, great, I'm glad we cleared that up. :o)

* Excluding the use of 0day packers, ack!

Nmap 5.20 released

More than 150 significant improvements,
30+ new Nmap Scripting Engine (NSE) scripts
Enhanced Performance and Reduced Memory Consumption
Protocol-specific Payloads for more Effective UDP Scanning
A Completely rewritten traceroute engine
Massive OS and version detection DB updates (10,000+ signatures)

Don't just take my word for it, read the changelog at http://nmap.org/changelog.html

Grab it at http://nmap.org/download.html

BackTrack Final 4 released

BackTrack 4 (Final) is officially released.

If you didn't already know, "BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking."

This release includes a new kernel, a larger than life toolset repository, custom tools aplenty, and more importantly, fixes for all those annoying bugs in the pre-release.

You can download it at http://www.backtrack-linux.org/downloads/

However, the site has been getting hit pretty hard this week so I suggest you grab the torrent at http://www.backtrack-linux.org/bt4-final.iso.torrent

Read more here.

t0mn3av3s - Botnet Experiment

t0mn3av3s 217.112.87.104 - Botnet Experiment

http://www.tomneaves.co.uk/t0mn3av3s.html

Please ignore.  Will fill everyone in later.

SCADA / HVAC fail

Without further ado, straight from Wikipedia:

"SCADA stands for Supervisory Control And Data Acquisition. It generally refers to an industrial control system: a computer system monitoring and controlling a process. The process can be industrial, infrastructure or facility based as described below:

  • Industrial processes include those of manufacturing, production, power generation, fabrication, and refining, and may run in continuous, batch, repetitive, or discrete modes.
  • Infrastructure processes may be public or private, and include water treatment and distribution, wastewater collection and treatment, oil and gas pipelines, electrical power transmission and distribution, civil defense siren systems, and large communication systems.
  • Facility processes occur both in public facilities and private ones, including buildings, airports, ships, and space stations. They monitor and control HVAC, access, and energy consumption."
This too:

"HVAC (pronounced either "H-V-A-C" or "H-vak") is an initialism or acronym that stands for "heating, ventilating, and air conditioning". HVAC is sometimes referred to as climate control and is particularly important in the design of medium to large industrial and office buildings such as skyscrapers and in marine environments such as aquariums, where humidity and temperature must all be closely regulated while maintaining safe and healthy conditions within. In certain regions (e.g., UK) the term "Building Services" is also used, but may also include plumbing and electrical systems. Refrigeration is sometimes added to the field's abbreviation as HVAC&R or HVACR, or ventilating is dropped as HACR (such as the designation of HACR-rated circuit breakers)."

Think hospital, think critical air-conditioning systems for surgery and sterilisation - think the screenshot below (click to enlarge).

[Screenshot: envision1.png]

A naughty security guard at a hospital (The Carrell Clinic in Dallas) installed some malware onto the HVAC systems that control all this goodness and welcomed them to his botnet.  He then had remote control of them from his home.  To cut a long story short, he planned to shut it all down on 4th July.  It was only his posting of these images to a forum, and a security researcher spotting this, that led to him being raided and arrested.

The full story is at The Register.

Here are some more screenshots (which he posted up) to show you why it is so important that these old school SCADA systems have appropriate security controls applied to them.  Again, click to enlarge.

[Screenshots: envision2.png, envision.png]

I won't be checking into here anytime soon.

Abstract

The trouble with automated malware analysis tools is that they often don't tell the full story, both from a host and network perspective. Botnets can infect in multiple stages, be it IRC, P2P or HTTP botnets. In some cases I have seen three stages of infection. I will use botnet "f5e661a23396c863ccd189413e102d9a" as a case study in this paper, captured at 20:15pm GMT on 17th April 2009.

Nothing too fancy, just a case study I did earlier.  Grab the full paper here.

I've posted and yapped on about Scapy before, but I came across a nice little paper that explains step-by-step how to do *useful* things with it.  I reckon that even if you don't know Python you'll still be able to pick up how to use Scapy from the examples alone.

You can find the paper at http://www.hackaholic.org/papers/blackmagic.txt

Backtrack 4 Beta released

Lots of new things - details of exactly what are a bit sketchy at the moment - go download and have a look.  Originally released at ShmooCon the other day.  Go grab it here.

Barcardi, Botnet and Lime

To me, a virtual machine is what a petri dish is to a scientist... welcome to my lab! :o)

Let's slice up some botnets!

Specimen 41b9df60db731805fe22413dfb0806ee.exe
Captured via Nepenthes from http://217.***.***.122:15040/ObzgIA== via its attempted RFI exploit of one of my honeypots.  Thursday 27th November 2.47am GMT.

NETWORK BASED ACTIVITY

Connects to ns.ircstyle.net TCP 1867 (irc), joins IRC channel #ns.

Connects to zonetech.info TCP 80 (www), downloads lb3.exe.

Connects to alwayssam.com TCP 80 (www), downloads lal222.exe.

Botnet master (nicknamed "EH") issues following command: * ipscan s.s.s.s dcom2 -s

Infected machine starts scanning its class C for TCP 135, starting from its own IP address and incrementing the source port with each host.

IRC is *completely* locked down, unable to do /list, /lusers, /links, /mode, /map, etc.  Possibly M0dded R0Xnet, fatalz or UNK IRCD.

HOST BASED ACTIVITY

Creates:

C:\Windows\system32\ws2_32.dll
C:\Windows\system32\ws2help.dll
C:\Windows\system32\imm32.dll
C:\Windows\system32\shell32.dll
C:\Windows\system32\pstorec.dll
C:\Windows\system32\atl.dll
C:\Windows\system32\psapi.dll
C:\Windows\system32\rsaenh.dll
C:\Windows\system32\crypt32.dll

Changes Registry key in:

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed

Creates:

C:\Windows\system32\firewall.exe

Which spawns and then creates:

%currentdir%\celibzeg.bat
C:\Windows\system32\rpcss.dll
C:\Windows\system32\uxtheme.dll
C:\Windows\system32\MSCTF.dll
C:\Windows\system32\ieframe.dll
C:\Windows\system32\clbcatq.dll
C:\Windows\system32\COMRes.dll
C:\Windows\Registration\R000000000007.clb

Queries registry for hostname, makes modifications to TCPIP properties and parameters to maximise sockets, etc.

Creates:

C:\Windows\system32\rasadhlp.dll
C:\Windows\system32\hnetcfg.dll
C:\Windows\system32\wshtcpip.dll
C:\Windows\system32\webcl32.dll

Firewall.exe then sends a TCP SYN packet from source port 1054 to 67.43.232.35:1867, which corresponds to the network activity: the IRC connection to ns.ircstyle.net.

Cleans itself up, removes initial binary and other .bat files.  Adds "firewall.exe" to Registry under "...\Current Version\Run" so that it is run on startup.
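The two network behaviours noted above (the IRC join on a non-standard port, then the class C sweep of TCP 135 with the source port ticking up per host) are easy to spot in flow data once you know the pattern. Below is an added detection example, not code from the original post; the flow records are constructed for illustration and the 192.168.1.0/24 addresses are assumed, while the 67.43.232.35:1867 destination and source port 1054 are the values observed above.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records (src, sport, dst, dport); not captured data from the post.
SAMPLE_FLOWS = [
    ("192.168.1.10", 1054, "67.43.232.35", 1867),   # IRC C&C connection on a non-standard port
    ("192.168.1.10", 1055, "192.168.1.10", 135),    # sweep begins at the bot's own address...
    ("192.168.1.10", 1056, "192.168.1.11", 135),
    ("192.168.1.10", 1057, "192.168.1.12", 135),
    ("192.168.1.10", 1058, "192.168.1.13", 135),
    ("192.168.1.10", 1059, "192.168.1.14", 135),    # ...source port +1 per target
    ("192.168.1.20", 49152, "192.168.1.5", 445),    # ordinary SMB traffic, not a sweep
]

# 1867 is the port the specimen used; 6667 is the usual IRC default.
IRC_PORTS = {1867, 6667}


def find_dcom_sweeps(flows, min_hosts=4):
    """Return {src: run_length} for sources that hit TCP/135 on consecutive
    hosts inside their own /24 while the source port rises by one per target."""
    by_src = defaultdict(list)
    for src, sport, dst, dport in flows:
        if dport == 135:
            by_src[src].append((sport, ip_address(dst)))
    hits = {}
    for src, entries in by_src.items():
        net = ip_network(f"{src}/24", strict=False)
        entries.sort()  # order by source port, which is the sweep's own counter
        run = best = 1
        for (p0, d0), (p1, d1) in zip(entries, entries[1:]):
            if p1 == p0 + 1 and int(d1) == int(d0) + 1 and d1 in net:
                run += 1
                best = max(best, run)
            else:
                run = 1
        if best >= min_hosts:
            hits[src] = best
    return hits


def find_irc_c2(flows, irc_ports=IRC_PORTS):
    """Flag (src, dst, dport) triples talking to an IRC port, the way the bot
    reached ns.ircstyle.net; on most corporate networks any hit is worth a look."""
    return sorted({(src, dst, dport) for src, _, dst, dport in flows if dport in irc_ports})


if __name__ == "__main__":
    print("sweeps:", find_dcom_sweeps(SAMPLE_FLOWS))
    print("irc c2:", find_irc_c2(SAMPLE_FLOWS))
```

The sweep check keys on the lockstep rise of source port and target address, so a host that merely talks RPC to a few unrelated machines will not trigger it.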

Do you want ice with that?
