Ethical Hacking and Penetration Testing

Discussion on ethical hacking and penetration testing subjects.

InfoSec Institute's most popular information security and hacking training goes in-depth into the techniques used by malicious, black hat hackers with attention getting lectures and hands-on lab exercises . While these hacking skills can be used for malicious purposes, this class teaches you how to use the same hacking techniques to perform a white-hat, ethical hack, on your organization. You leave with the ability to quantitatively assess and measure threats to information assets; and discover where your organization is most vulnerable to hacking in this network security training course.

Some of the instructor-led hands-on hacking lab exercises in this security training experience:

* Capture the Flag hacking exercises every night
* Abusing DNS for host identification
* Leaking system information from Unix and Windows
* Stealthy Recon
* Unix, Windows and Cisco password cracking
* Remote buffer overflow exploit lab I - Smashing the Stack
* Remote buffer overflow exploit lab II - Integer Overflows
* Remote heap overflow exploit lab III - Beyond the Stack
* Desktop exploitation
* Remote keylogging
* Data mining authentication information from clear-text protocols
* Remote sniffing
* Breaking wireless security
* Malicious event log editing
* Transferring files through firewalls
* Hacking into Cisco routers
* Harvesting web application data
* Data retrieval with SQL Injection Hacking
* Calculating the Return on Investment (ROI) for an ethical hack


Click here to learn more about the most hands-on Ethical Hacking course ever!

Tuesday, March 21, 2006

Circumventing Antivirus via Transmutation

Researchers at Kumatori Accelerator-driven Reactor Test Facility (KART) (Economist article, if you subscribe) have discovered a way to forcibly decay radioactive waste (neptunium, plutonium, americium, curium, etc.) into less-lethal isotopes of elements that are only radioactive for years, instead of tens of thousands or tens of million years. Essentially, they slam radioactive waste with a neutron beam that adds mass to the radioactive waste, causing it to transmutate into another element, which in turn causes it to decay faster. This got me thinking, if you can slam an element with with a neutron beam to create a new element, well, maybe you can do the same thing to a file in order to avoid "pesky Anti-Virus"?

Well, it seems you can. A good example of this is Holy Father's Morphine. Morphine works by including its own PE loader. This enables it to put whole source image to the .text section of new PE file. It also contains a polymorphic engine which always creates absolutely different decryptor for the new PE file each time Morphine is run. Morphine was released in March of 2004, and the major Antivirus companies did not have a method of generically detecting "Morphined" executables until Q4 2005. The private version of Morphine still creates verisons of binaries that are undetectable to every Antivirus maker on the market.

Other ideas are simply to rearrange the executable so that it does essentally "the same thing", but modify the underlying instructions of the binary. An example would be to move the value in the edx register into the eax register. Typically, the program would do a mov edx, eax instruction to accomplish this. Well, a push eax followed by a pop edx will do effectively the same thing as a mov edx,eax --- take the value in edx and put it into eax. You see where I am going here, we can totally modify the static signature of the binary in this process. But, does it work....

....Well, not really. If I take a 3 byte instruction (mov edx, eax) and replace it with two 2 byte instructions (push eax and pop edx), I have changed the offset within the program by one byte. This means that every jump, every call in the program will be off by one byte, meaning the program will no longer work. Three possible solutions to this problem:

1. Only substitute equal size instructions
2. Recalculate all jumps and calls after the insertion or deletion of the total number of bytes.
3. Write our own trojan/virus, or whatever we are trying to accomplish (not the focus of this article though)

Ok, well if we do some googling, someone has already attempted #1. A guy named z0mbie already wrote a program called code pervertor that did this. Unfortunately, it didnt work very well as the heueristic engine in most AVs can catch these simple modifications. For #3, go ahead a create your own trojan or virus. But this is not an option if you aren't a trojan writer or programmer, or dont have the time to learn.

For #2, we actually find that another guy, tibbar, has created a very cool program to do just this. He calls his program CodeCrypter. He was nice enough to email me a verision with source to play with. You can see the result of tibbar's CodeCrypter here. You can see in the first column the address of the instruction, in the next, is the original instruction, and in the last is the new instruction(s) . Well, how does it work? Pretty well, most AV will be defeated by it. If you take a standard program you know AV will freak out out (Hacker Defender) and send it over to one of many sites that will check a binary against all 20 AV companies (I use virustotal.com), you will get a report similar to this:

This is a report processed by VirusTotal on 04/05/2006 at 00:03:33 (CET) after scanning the file "hxdef100.exe" file.
AntivirusVersionUpdateResult
AntiVir6.34.0.1404.04.2006BDS/HacDef.073.B.1
Avast4.6.695.004.03.2006Win32:Hacdef-G
AVG38604.04.2006BackDoor.Generic.XPG
Avira6.34.0.5404.04.2006BDS/HacDef.073.B.1
BitDefender7.204.04.2006Backdoor.Hacdef.AE
CAT-QuickHeal8.0004.04.2006Backdoor.HacDef.ae
ClamAVdevel-2006020204.04.2006Trojan.HacDef.073.B
DrWeb 4.3304.04.2006BackDoor.HackDef.134
eTrust-InoculateIT23.71.11904.04.2006no virus found
eTrust-Vet12.4.214804.04.2006Win32/HacDef.E
Ewido3.504.04.2006Backdoor.HacDef.ae
Fortinet2.71.0.004.04.2006W32/HacDef.AE!tr
F-Prot3.16c04.04.2006security risk named W32/Hackdef.FI
Ikarus0.2.59.004.04.2006Backdoor.Win32.HacDef.084
Kaspersky4.0.2.2404.04.2006Backdoor.Win32.HacDef.073.b
McAfee473304.04.2006HackerDefender.gen.c
NOD32v21.147104.04.2006Win32/HacDef
Norman5.90.1504.04.2006W32/Hacdef.CM
Panda9.0.0.404.04.2006Bck/Hacdef.ED
Sophos4.04.004.04.2006Troj/HacDef-Fam
Symantec8.004.04.2006Backdoor.HackDefender
TheHacker5.9.7.12404.03.2006Trojan/hackdef.d3
UNA1.8304.04.2006Backdoor.Hacdef
VBA323.10.504.04.2006Backdoor.Win32.HacDef.ae

Note: The only Antivirus that doesnt find Hacker Defender is CA's eTrust. I can't believe anyone would attempt selling something even called "Antivirus" if it didnt at least find Hacker Defender. If you have eTrust installed, it is just wasting processor cycles, you are better off virtually folding protiens or something.

Anyway, if we run the binary through tibbar's code cryptor, we get much better results:

This is a report processed by VirusTotal on 04/05/2006 at 00:20:29 (CET) after scanning the file "hxdef100.exe" file.
AntivirusVersionUpdateResult
AntiVir6.34.0.1404.04.2006no virus found
Avast4.6.695.004.03.2006no virus found
AVG38604.04.2006no virus found
Avira6.34.0.5404.04.2006no virus found
BitDefender7.204.04.2006MemScan:Backdoor.Hacdef.AE
CAT-QuickHeal8.0004.04.2006(Suspicious) - DNAScan
ClamAVdevel-2006020204.04.2006no virus found
DrWeb 4.3304.04.2006no virus found
eTrust-InoculateIT23.71.11904.04.2006no virus found
eTrust-Vet12.4.214804.04.2006no virus found
Ewido3.504.04.2006no virus found
Fortinet2.71.0.004.04.2006suspicious
F-Prot3.16c04.04.2006no virus found
Ikarus0.2.59.004.04.2006Backdoor.Win32.HacDef.084
Kaspersky4.0.2.2404.04.2006Backdoor.Win32.HacDef.073.b
McAfee473304.04.2006no virus found
NOD32v21.147104.04.2006a variant of Win32/HacDef
Norman5.90.1504.04.2006no virus found
Panda9.0.0.404.04.2006Suspicious file
Sophos4.04.004.04.2006no virus found
Symantec8.004.04.2006no virus found
TheHacker5.9.7.12404.03.2006no virus found
UNA1.8304.04.2006no virus found
VBA323.10.504.04.2006Backdoor.Win32.HacDef.ae

The only "big name" Antivirus to discover the modified program is Kaspersky. All of the big guns, Symantec, McAfee, Sophos, Clam-AV are circumvented! Of course eTrust likely thinks this new version of the binary is winword.exe or something. ;)

So, why is it detected at all? Well, the version of CodeCrypter that I used retained the same OEP (original entry point). I suspect if this was randomized, all AV would be circumvented.

Comments? Suggestions?

~jack koziol~

Tuesday, March 14, 2006

De-anonymizing the Internet

Well, I've recently undertaken a quite interesting project--- attempting to de-anonymize specific portions of the Internet. This is by far not a new idea. I can think of 10 "projects" in different forms that have all attempted, with various degrees of success. I'll list three of them.

eBay feedback system: Forces buyers & sellers to treat each other with some degree civility. But, is easily circumvented by creating dozens of accounts through different proxies and leaving positive feedback on fake items sold between two non-existant accounts.

USAF Bot Network Traceback
: The USAF solicited bids for a R&D project to trace back through bot nets to discover the controller of the bot network. I saw some of the bids, some were very brute force (root all of the bots and then root the botmaster, then root all of his friends, his mother, and then kick his dog), others were much more creative. If you run a botnet, maybe the Air Force is watching you right now?

Google Toolbar: If you have advanced options enabled with the Google toolbar, any page you visit is transmitted to Google. Google does this primarily to track relevancy of its search results.

Obviously there are lots of ideas about reducing anonymity on the internet. Some (like the Google Toolbar) require huge scale. Others rely on technology (USAF project) and others rely on communities volunteering to give up anonymity for increased trust (eBay feedback). This all lends a question, is a de-anonymized internet better? Is it more secure? You can bet that most businesses and governments would love an internet where your IP was tied to your SSN and then to thumbprint. (Of course, this would be lame, because IPs, SSNs and even thumbprints can be spoofed by high school kids with nmap, photoshop and elmers glue, respectively) .

Its a hard question. If you look at society 200 years ago, people had a very little degree of anonymity in their daily lives. You were an apprentice for a trade (meaning you had one boss for life and you lived in his basement), you knew your neighbors, you likely had little ability to travel place yourself into new surroundings where you could pretend to be someone else. Were people better off? It would be impossible to measure, and if it was, it would be equally impossible to control for other factors, such as healthcare, political representation, etc.

Generally if you are going to do something bad or unethical, you are going to want to be anonymous (or at least assume some other sucker's identity). Conversely, if what you are doing is deemed "bad" by the powers that be, but is truely ethical and moral, you are also going to hang out on "anonymous networks" with all of the truely unethical folks.

So, the question becomes, if you have been tasked with reducing or eliminating anonymity on the Internet, how do you distinguish the bad guys from the good guys? What can you build into the system so that it can only detect traders of child porn, state-backed Chinese hackers getting into government networks, and click fraud dorks making 100k a month from Adsense?

Jack

Do you Xfocus?

I try to make it a habit to run by a number of security-related sites everyday. One thing you have to realize as an English-speaking person, is that although there is a huge amount of material out there on the internet in English (or broken English), there is an equal number of good security articles, tutorials and research in non-western languages.

One website I regularly check out is Xfocus.net. They are a pretty famous group of Chinese hackers. If you have been in security for a while, you may have seen some of their exploits posted to bugtraq over the last few years.

Take example some good posts from 2006:

Reversing Kaspersky Antivirus (english)(chinese)
A really creative way to play with saved frame pointers in stack overflows exploits (english)(chinese):
A hacklog for a when some guy rooted hackerschool.org (english)

Here is a good one for all you web app pen-testers:

Netcat implemented in perl (perl):

Lots of other good stuff in there. Highly recommended!

Jack