Ethical Hacking and Penetration Testing

Discussion on ethical hacking and penetration testing subjects.

InfoSec Institute's most popular information security and hacking training goes in-depth into the techniques used by malicious, black hat hackers with attention getting lectures and hands-on lab exercises . While these hacking skills can be used for malicious purposes, this class teaches you how to use the same hacking techniques to perform a white-hat, ethical hack, on your organization. You leave with the ability to quantitatively assess and measure threats to information assets; and discover where your organization is most vulnerable to hacking in this network security training course.

Some of the instructor-led hands-on hacking lab exercises in this security training experience:

* Capture the Flag hacking exercises every night
* Abusing DNS for host identification
* Leaking system information from Unix and Windows
* Stealthy Recon
* Unix, Windows and Cisco password cracking
* Remote buffer overflow exploit lab I - Smashing the Stack
* Remote buffer overflow exploit lab II - Integer Overflows
* Remote heap overflow exploit lab III - Beyond the Stack
* Desktop exploitation
* Remote keylogging
* Data mining authentication information from clear-text protocols
* Remote sniffing
* Breaking wireless security
* Malicious event log editing
* Transferring files through firewalls
* Hacking into Cisco routers
* Harvesting web application data
* Data retrieval with SQL Injection Hacking
* Calculating the Return on Investment (ROI) for an ethical hack


Click here to learn more about the most hands-on Ethical Hacking course ever!

Tuesday, March 21, 2006

Circumventing Antivirus via Transmutation

Researchers at Kumatori Accelerator-driven Reactor Test Facility (KART) (Economist article, if you subscribe) have discovered a way to forcibly decay radioactive waste (neptunium, plutonium, americium, curium, etc.) into less-lethal isotopes of elements that are only radioactive for years, instead of tens of thousands or tens of million years. Essentially, they slam radioactive waste with a neutron beam that adds mass to the radioactive waste, causing it to transmutate into another element, which in turn causes it to decay faster. This got me thinking, if you can slam an element with with a neutron beam to create a new element, well, maybe you can do the same thing to a file in order to avoid "pesky Anti-Virus"?

Well, it seems you can. A good example of this is Holy Father's Morphine. Morphine works by including its own PE loader. This enables it to put whole source image to the .text section of new PE file. It also contains a polymorphic engine which always creates absolutely different decryptor for the new PE file each time Morphine is run. Morphine was released in March of 2004, and the major Antivirus companies did not have a method of generically detecting "Morphined" executables until Q4 2005. The private version of Morphine still creates verisons of binaries that are undetectable to every Antivirus maker on the market.

Other ideas are simply to rearrange the executable so that it does essentally "the same thing", but modify the underlying instructions of the binary. An example would be to move the value in the edx register into the eax register. Typically, the program would do a mov edx, eax instruction to accomplish this. Well, a push eax followed by a pop edx will do effectively the same thing as a mov edx,eax --- take the value in edx and put it into eax. You see where I am going here, we can totally modify the static signature of the binary in this process. But, does it work....

....Well, not really. If I take a 3 byte instruction (mov edx, eax) and replace it with two 2 byte instructions (push eax and pop edx), I have changed the offset within the program by one byte. This means that every jump, every call in the program will be off by one byte, meaning the program will no longer work. Three possible solutions to this problem:

1. Only substitute equal size instructions
2. Recalculate all jumps and calls after the insertion or deletion of the total number of bytes.
3. Write our own trojan/virus, or whatever we are trying to accomplish (not the focus of this article though)

Ok, well if we do some googling, someone has already attempted #1. A guy named z0mbie already wrote a program called code pervertor that did this. Unfortunately, it didnt work very well as the heueristic engine in most AVs can catch these simple modifications. For #3, go ahead a create your own trojan or virus. But this is not an option if you aren't a trojan writer or programmer, or dont have the time to learn.

For #2, we actually find that another guy, tibbar, has created a very cool program to do just this. He calls his program CodeCrypter. He was nice enough to email me a verision with source to play with. You can see the result of tibbar's CodeCrypter here. You can see in the first column the address of the instruction, in the next, is the original instruction, and in the last is the new instruction(s) . Well, how does it work? Pretty well, most AV will be defeated by it. If you take a standard program you know AV will freak out out (Hacker Defender) and send it over to one of many sites that will check a binary against all 20 AV companies (I use virustotal.com), you will get a report similar to this:

This is a report processed by VirusTotal on 04/05/2006 at 00:03:33 (CET) after scanning the file "hxdef100.exe" file.
AntivirusVersionUpdateResult
AntiVir6.34.0.1404.04.2006BDS/HacDef.073.B.1
Avast4.6.695.004.03.2006Win32:Hacdef-G
AVG38604.04.2006BackDoor.Generic.XPG
Avira6.34.0.5404.04.2006BDS/HacDef.073.B.1
BitDefender7.204.04.2006Backdoor.Hacdef.AE
CAT-QuickHeal8.0004.04.2006Backdoor.HacDef.ae
ClamAVdevel-2006020204.04.2006Trojan.HacDef.073.B
DrWeb 4.3304.04.2006BackDoor.HackDef.134
eTrust-InoculateIT23.71.11904.04.2006no virus found
eTrust-Vet12.4.214804.04.2006Win32/HacDef.E
Ewido3.504.04.2006Backdoor.HacDef.ae
Fortinet2.71.0.004.04.2006W32/HacDef.AE!tr
F-Prot3.16c04.04.2006security risk named W32/Hackdef.FI
Ikarus0.2.59.004.04.2006Backdoor.Win32.HacDef.084
Kaspersky4.0.2.2404.04.2006Backdoor.Win32.HacDef.073.b
McAfee473304.04.2006HackerDefender.gen.c
NOD32v21.147104.04.2006Win32/HacDef
Norman5.90.1504.04.2006W32/Hacdef.CM
Panda9.0.0.404.04.2006Bck/Hacdef.ED
Sophos4.04.004.04.2006Troj/HacDef-Fam
Symantec8.004.04.2006Backdoor.HackDefender
TheHacker5.9.7.12404.03.2006Trojan/hackdef.d3
UNA1.8304.04.2006Backdoor.Hacdef
VBA323.10.504.04.2006Backdoor.Win32.HacDef.ae

Note: The only Antivirus that doesnt find Hacker Defender is CA's eTrust. I can't believe anyone would attempt selling something even called "Antivirus" if it didnt at least find Hacker Defender. If you have eTrust installed, it is just wasting processor cycles, you are better off virtually folding protiens or something.

Anyway, if we run the binary through tibbar's code cryptor, we get much better results:

This is a report processed by VirusTotal on 04/05/2006 at 00:20:29 (CET) after scanning the file "hxdef100.exe" file.
AntivirusVersionUpdateResult
AntiVir6.34.0.1404.04.2006no virus found
Avast4.6.695.004.03.2006no virus found
AVG38604.04.2006no virus found
Avira6.34.0.5404.04.2006no virus found
BitDefender7.204.04.2006MemScan:Backdoor.Hacdef.AE
CAT-QuickHeal8.0004.04.2006(Suspicious) - DNAScan
ClamAVdevel-2006020204.04.2006no virus found
DrWeb 4.3304.04.2006no virus found
eTrust-InoculateIT23.71.11904.04.2006no virus found
eTrust-Vet12.4.214804.04.2006no virus found
Ewido3.504.04.2006no virus found
Fortinet2.71.0.004.04.2006suspicious
F-Prot3.16c04.04.2006no virus found
Ikarus0.2.59.004.04.2006Backdoor.Win32.HacDef.084
Kaspersky4.0.2.2404.04.2006Backdoor.Win32.HacDef.073.b
McAfee473304.04.2006no virus found
NOD32v21.147104.04.2006a variant of Win32/HacDef
Norman5.90.1504.04.2006no virus found
Panda9.0.0.404.04.2006Suspicious file
Sophos4.04.004.04.2006no virus found
Symantec8.004.04.2006no virus found
TheHacker5.9.7.12404.03.2006no virus found
UNA1.8304.04.2006no virus found
VBA323.10.504.04.2006Backdoor.Win32.HacDef.ae

The only "big name" Antivirus to discover the modified program is Kaspersky. All of the big guns, Symantec, McAfee, Sophos, Clam-AV are circumvented! Of course eTrust likely thinks this new version of the binary is winword.exe or something. ;)

So, why is it detected at all? Well, the version of CodeCrypter that I used retained the same OEP (original entry point). I suspect if this was randomized, all AV would be circumvented.

Comments? Suggestions?

~jack koziol~

11 Comments:

Post a Comment

<< Home