zitstif.no-ip.org is still alive…

by zitstif on Jul.03, 2014, under Posts

Thanks to Microsoft, no-ip.com domains and subdomains experienced outages due to Microsoft hijacking no-ip domains to capture traffic from infected hosts. Their intention was to affect only the websites that were malicious, but instead they took down non-malicious websites as well (like zitstif.no-ip.org).

http://www.noip.com/blog/2014/06/30/ips-formal-statement-microsoft-takedown/

http://www.theregister.co.uk/2014/07/01/sorry_chaps_microsoft_unborks_legitimate_noip_users_domains/

I want to thank Microsoft for their recent mistake and I also want to thank them for the wonderful user interface Metro on Windows 8 that is alienating desktop computer users. All Microsoft needs to do now is cut off support for Windows 7…


I kind of regret having ads on my website…

by zitstif on Mar.03, 2014, under Posts

Today I decided to take a look at my website without any ad blocking software through Internet Explorer 11. With my web history cleared and with no cookies for Google’s ad service to create targeted ads for me, I was served a suspicious ad with this link:

hxxp://file-downloads.net/download/?pi=zitstif.no-ip.org&gclid=CJLtkeHr97wCFcURMwodTnQAtg

That looks legit!

Let’s see what VirusTotal says about this URL:

https://www.virustotal.com/en/url/f0e704606da846903a630c56cee42812a7a943b897fa550a50db0e0bbb19fccd/analysis/1393900872/

It’s too legit to quit now!

Upon visiting this link I was immediately served an EXE file named “7zip_14381_stn.exe”… how wonderful. Why don’t we just upload this to VirusTotal?

https://www.virustotal.com/en/file/fc80f6307596ce2d6139710873be7ede8693a65681067c75b9bf17617a1af070/analysis/

Granted, this piece of software isn’t necessarily malicious per se, but it’s the kind of crap I get sick of seeing on Windows systems. Here are some tools I strongly recommend using when dealing with this kind of junkware:

http://www.bleepingcomputer.com/download/rkill/
http://www.bleepingcomputer.com/download/junkware-removal-tool/
http://www.bleepingcomputer.com/download/adwcleaner/

In addition, I recently found a tool that is kind of equivalent to having a portable version of VirusTotal:

http://www.herdprotect.com/downloads.aspx

The herdProtect scanner doesn’t delete, quarantine or clean anything, and it can throw false positives, so use it with care; it is still very useful. Anyways, I wish Google’s ad service would stop referring people to crapware, but they’re paying customers too, and no, you won’t offend me if you use ad blocking software on my website.


Getting authy-ssh to work (or at least what worked for me)

by zitstif on Dec.14, 2013, under Uncategorized

This will be a relatively short post. It is my objective for this post to be useful for other individuals who are having issues setting up authy-ssh on their Secure Shell servers. First, if you’re not familiar with two-step verification, have a look at this:

https://en.wikipedia.org/wiki/Two-step_verification

I was inspired to install this on one of my SSH servers due to enabling this feature on my Gmail account:

http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html

I had heard about authy-ssh a while back through news.ycombinator but had never put the time into setting it up. To set it up you can follow these directions:

https://www.authy.com/products/ssh#installation

I ran into issues though. My SSH server did not possess ‘seq’ and I received error messages from the authy-ssh script that were not very clear. I then dug into the authy-ssh shell script and discovered that it heavily depended on ‘curl’ connecting to Authy’s web servers over https. ‘curl’ would give me SSL certificate errors, and I’m highly confident this is an issue with ‘curl’ on my server and not Authy’s SSL certificates. To bypass this issue, at lines 398, 482, 497, 533, and 605 of the authy-ssh script you will need to add the ‘-k’ flag to ‘curl’ to ignore the SSL certificate errors. I will warn you that this is NOT very secure, but if you need authy to work, this should work.

In addition to this, you may want to run this shell script as well:

http://zitstif.no-ip.org/authyfix.txt

The authy-ssh bash shell script checks whether bash exists and whether seq exists. If you’re on an OSX system, the OSX equivalent of ‘seq’ is ‘jot’. The equivalent of ‘seq 10’ with ‘jot’ is ‘jot - 1 10’.
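The two portability problems above (a missing ‘seq’ and the certificate errors from ‘curl’) can be handled in a small wrapper. The script below is an added example, not part of authy-ssh or of the authyfix.txt linked above: portable_seq uses seq where it exists, jot on OSX, and a plain loop otherwise; curl_tls_args prefers pointing curl at a CA bundle with --cacert (curl’s own option) and only falls back to -k when explicitly opted in. The variable names AUTHY_CA_BUNDLE and AUTHY_ALLOW_INSECURE are assumptions for this example.

```shell
# Added example (not part of authy-ssh): a seq replacement for systems
# where 'seq' is missing. Prints 1..LAST, one number per line.
portable_seq() {
    if command -v seq >/dev/null 2>&1; then
        seq "$1"
    elif command -v jot >/dev/null 2>&1; then
        # jot's "-" means "use the default count", so this yields 1..LAST
        jot - 1 "$1"
    else
        # pure POSIX sh fallback when neither tool exists
        i=1
        while [ "$i" -le "$1" ]; do
            echo "$i"
            i=$((i + 1))
        done
    fi
}

# Build curl's TLS arguments instead of hard-coding -k in the script.
# AUTHY_CA_BUNDLE (assumed name) is a PEM file containing the CA that
# signed Authy's certificate; curl then keeps verifying the server.
# Only when AUTHY_ALLOW_INSECURE=1 (assumed name) is set does this fall
# back to -k, which turns certificate checking off entirely.
curl_tls_args() {
    if [ -n "${AUTHY_CA_BUNDLE:-}" ] && [ -r "$AUTHY_CA_BUNDLE" ]; then
        echo "--cacert $AUTHY_CA_BUNDLE"
    elif [ "${AUTHY_ALLOW_INSECURE:-0}" = "1" ]; then
        echo "-k"
    else
        echo ""
    fi
}
```

In the script, a call such as curl $(curl_tls_args) https://api.authy.com/... then verifies the certificate against the bundle when one is configured, and the ‘-k’ behaviour from the post only appears when you have chosen it deliberately.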


DERBYCON 2013 – LIVING OFF THE LAND: A MINIMALIST’S GUIDE TO WINDOWS POST-EXPLOITATION – CHRISTOPHER CAMPBELL, MATTHEW GRAEBER

by zitstif on Oct.19, 2013, under Posts, Videos


Sewing Patches in the Veil AV Evasion Framework

by zitstif on Aug.24, 2013, under Code, Posts

I have to admit that I am a little bit wary about the growing popularity of Veil. AV evasion is really a game of cat and mouse between the anti-virus companies and the individuals who are trying to evade detection. In this article we will be taking the role of the ‘mouse’ per se by working with this framework. We will first fix a bug in the framework, and I will also show you how to use this framework in an ARM Kali chroot environment where wine is not readily available.

First, let us fix Veil because without this fix, Veil’s use under a Linux environment is diminished greatly. To get the Veil framework, you can either do:

git clone https://github.com/ChrisTruncer/Veil veil

Or

sudo apt-get install veil #If you have the right repositories or are using Kali Linux


To get the newest bleeding edge version, you’ll want to use the git method. However, if you use this method you will need to run the setup.sh script under the setup directory, which installs the necessary dependencies. If you’re running an ARM Kali chroot environment on an Android based device, you will want to use ‘git’, because if you attempt to use apt-get to install veil, it will bomb out and give you an error message that wine is unavailable.

Upon my first use of Veil, I followed this post from the SANS Penetration Testing website closely. One issue I ran into was in the ‘How would you like to create your payload executable?’ stage. The default ‘Pyinstaller’ method did not seem to be creating an executable in the veil/output/compiled/ directory, but it would create a source file in the source directory (which is still useful, more on this later).

I knew the framework relied on wine and a wine installed version of python to generate payloads under a Linux environment, but wasn’t sure where in Veil’s code this took place. I started grepping for wine in the Veil python modules and soon discovered this interesting piece of code that appeared to be the source of the problem.

Line 84 of the supportfiles.py file, which is in the veil/modules/common/ directory, contains this line of code:

os.system('wine ' + os.path.expanduser('~/.wine/drive_c/Python27/python.exe') + ' ' + os.path.expanduser('~/pyinstaller-2.0/pyinstaller.py') + ' --noconsole --onefile ' + payloadFile)

Due to the fixed path of ‘~/pyinstaller-2.0/pyinstaller.py’, for Veil to work with this current code one must have this directory structure and these files in their home directory. If you’re using Kali Linux, change this path to ‘/usr/share/pyinstaller/pyinstaller.py’ and Veil will now create portable Windows executables.
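A more robust way to handle this step is to look for pyinstaller.py in a list of candidate locations and to hand the command to wine as an argument list rather than as one concatenated string. The code below is an added example written for Python 3 and is not Veil’s own code: the two candidate paths come from the post, while the VEIL_PYINSTALLER environment variable, the exists parameter and the function names are assumptions made for this example.

```python
"""Added example (not Veil's code): resolve the PyInstaller script instead of
hard-coding ~/pyinstaller-2.0/pyinstaller.py, and build the wine command as an
argv list so that os.system() string concatenation is not needed."""
import os
import subprocess

# Candidate locations, checked in order. The Kali package path and the path the
# original code assumed are from the post; VEIL_PYINSTALLER is an assumed
# environment variable that lets a user point at a non-standard install.
PYINSTALLER_CANDIDATES = (
    os.environ.get("VEIL_PYINSTALLER", ""),
    "/usr/share/pyinstaller/pyinstaller.py",
    os.path.expanduser("~/pyinstaller-2.0/pyinstaller.py"),
)

# Location of the Python interpreter installed inside the wine prefix.
WINE_PYTHON = os.path.expanduser("~/.wine/drive_c/Python27/python.exe")


def find_pyinstaller(candidates=PYINSTALLER_CANDIDATES, exists=os.path.isfile):
    """Return the first candidate that exists, or None.

    'exists' is injectable so the lookup can be exercised without touching the
    filesystem; the default checks for a regular file.
    """
    for path in candidates:
        if path and exists(path):
            return path
    return None


def build_compile_command(payload_file, pyinstaller_path, wine_python=WINE_PYTHON):
    """Return the argv list equivalent of the os.system() line in supportfiles.py.

    A list is passed straight to execve: a payload file name containing spaces
    or shell metacharacters reaches wine as a single argument instead of being
    re-parsed by /bin/sh, which is what the concatenated string version does.
    """
    return ["wine", wine_python, pyinstaller_path,
            "--noconsole", "--onefile", payload_file]


def compile_payload(payload_file, candidates=PYINSTALLER_CANDIDATES):
    """Locate PyInstaller and run the compile step.

    Raises FileNotFoundError with the paths that were checked instead of letting
    wine fail with an unhelpful message about a missing script.
    """
    pyinstaller_path = find_pyinstaller(candidates)
    if pyinstaller_path is None:
        checked = ", ".join(c for c in candidates if c)
        raise FileNotFoundError("pyinstaller.py not found; checked: " + checked)
    return subprocess.call(build_compile_command(payload_file, pyinstaller_path))


if __name__ == "__main__":
    import sys
    sys.exit(compile_payload(sys.argv[1] if len(sys.argv) > 1 else "payload.py"))
```

Replacing the os.system() line with compile_payload(payloadFile) keeps the original behaviour on a stock Kali install (the /usr/share path is tried first) while still working for anyone who kept the pyinstaller-2.0 directory in their home directory.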

Before I discovered the source of this bug and the simple fix for it, I took the harder route and attempted to create the portable executables under wine following these requirements (from https://github.com/ChrisTruncer/Veil/blob/master/README.md):

Windows

  1. Python (tested with x86 – http://www.python.org/download/releases/2.7/)
  2. Py2Exe (http://sourceforge.net/projects/py2exe/files/py2exe/0.6.9/)
  3. PyCrypto (http://www.voidspace.org.uk/python/modules.shtml)

I soon learned that there were issues with py2exe working under wine: py2exe under wine creates invalid Windows portable executables (http://stackoverflow.com/questions/12170373/python-to-windows-executable-under-wine). I was then stuck with the Py2Exe method, which relies on having a Windows machine readily available.

Veil Mobile Scenario

This then brings me back to the mobile scenario. To the best of my knowledge at the moment (and correct me if I’m wrong) you can’t install wine under an ARM Kali Linux chroot environment. So if you want to create payloads using Veil on your Android device, you will have to first obtain Veil via git. Secondly, there is no need to fix the code like I posted. You can leave the code as is.

You can now create python source files using either the pyinstaller or the py2exe method under Veil. If you use the pyinstaller method, you will have to copy the files to a Linux machine that has the necessary dependencies for Veil, and you can simply create an executable doing something like this:

wine ~/.wine/drive_c/Python27/python.exe /usr/share/pyinstaller/pyinstaller.py meterpreterpayload.py

Or you can use the py2exe method and copy the files to a Windows machine and compile your executable that way.

Other issues with Veil

One minor annoyance with Veil is that I’ve noticed the portable executables are kind of hefty in size. If you create a payload using the pyinstaller method, the executable is about 2.4 megs, and if you create one using the py2exe method under Windows, the executable is over 5 megs. This is quite large in comparison to using msfpayload/msfencode or msfvenom, which create payloads that are typically less than 100 kilobytes.

I would also like to see Veil being able to bind the obfuscated payload to a non-malicious executable like putty; however, all in all I’m very impressed with this framework and hope the developers like Chris Truncer keep up the good work.
