Monday, January 8, 2018

Recently on Security StackExchange I saw a lot of people asking how to use THC Hydra properly for password cracking, so in this post I am going to explain how to install the command-line utility and also its graphical user interface (GUI). Then you will find step-by-step instructions on how to use the tool to attack an http-form-post target that simulates the login form of a corporate website. I hope you enjoy this post as much as I enjoyed writing it.

Monday, December 4, 2017

A few days ago we received an invitation to BlitzCTF001, a very short and fast cybersecurity CTF. The challenges in this CTF cover: Crypto (encoding), SQLi, Broken Access Control, Session Manipulation and Steganography.

In our opinion the challenges are interesting and entertaining, especially for learning about web application security, so we decided to share the solutions (just in case you get stuck at some level). We hope you like them as much as we did.

Friday, January 3, 2014

A password (commonly known as passwd on Linux, after the command that manages it) is an unspaced sequence of characters used to verify that a computer user requesting access to a system really is that particular user. Typically, users of a multiuser or securely protected single-user system claim a unique name (called a user ID) that can be generally known. To verify that someone entering that user ID really is that person, a second identifier, the password, known only to that person and to the system itself, is entered by the user. Many networks require that end users change their passwords periodically.
passwd command

The passwd command is used to set and change the password of a user account. A normal user can run passwd to change their own password, and the system administrator (root) can use passwd to change another user's password or to define how that account's password can be used or changed (password aging).

passwd [OPTION] [USER]

Usage: passwd [OPTION...] <accountName>
  -k, --keep-tokens     keep non-expired authentication tokens
  -d, --delete          delete the password for the named account (root only)
  -l, --lock            lock the named account (root only)
  -u, --unlock          unlock the named account (root only)
  -f, --force           force operation
  -x, --maximum=DAYS    maximum password lifetime (root only)
  -n, --minimum=DAYS    minimum password lifetime (root only)
  -w, --warning=DAYS    number of days warning users receives before password expiration (root only)
  -i, --inactive=DAYS   number of days after password expiration when an account becomes disabled (root only)
  -S, --status          report password status on the named account (root only)
  --stdin               read new tokens from stdin (root only)
Change the password of a normal user
When you are logged in as a non-root user (user1 in my case) and run passwd without arguments, it changes the password of the logged-in user; you have to supply the current password first.
[user1@localhost ~]$ passwd
Changing password for user user1.
Changing password for user1.
(current) UNIX password:
New password:
Retype new password:
all authentication tokens updated successfully.
When you are logged in as root and run passwd without arguments it changes the root password; if you specify a user name after the command it changes that user's password instead, and root is not asked for the current password.

Display password status information
To display the password status of a user, use the -S option of passwd.
[root@localhost ~]# passwd -S user1
user1 PS 2016-04-21 0 99999 7 -1 (Password set, SHA512 crypt.)
In the output above, the first field is the user name and the second is the password status (PS = password set, LK = password locked, NP = no password). The third field is the date of the last password change, and the remaining four fields are the minimum age, maximum age, warning period and inactivity period of the password (0 99999 7 -1 here: it may be changed at any time, never expires, warns 7 days before expiration and has no inactivity lockout).

We can display the password status of all accounts at once with -Sa (-a is only valid together with -S):
root@localhost:~# passwd -Sa
Removing the password of a user
We can remove the password of a particular user with -d. Use this with care: the account is left with an empty password field, which lets anyone log in as that user without a password wherever PAM permits empty passwords (nullok).
[root@localhost ~]# passwd -d user1
Removing password for user user1.
passwd: Success
[root@localhost ~]#
Lock the password of a user
Use the -l option to lock a user's password: it prepends "!" to the hashed password in /etc/shadow, so the hash can no longer match anything and password authentication fails. A user cannot change a locked password. Note that this only disables password authentication; logins with an SSH public key are unaffected, so to disable the account entirely also expire it (for example with chage -E 0).
[root@localhost ~]# passwd -l user1
Locking password for user user1.
passwd: Success
Unlock a user's password with the -u option
Use -u to unlock an account locked with passwd -l (it removes the leading "!").
[root@localhost ~]# passwd -u user1
Unlocking password for user user1.
passwd: Success
Setting inactive days with the -i option
Use -i to set the inactivity period of a user. Once the password has expired, the user has n days (7 in my case) to change it; after that the account is disabled until an administrator intervenes. With the maximum lifetime still at 99999 the password never expires, so this setting has no effect until -x (or chage -M) sets a real maximum.
[root@localhost ~]# passwd -i 7 user1
Adjusting aging data for user user1.
passwd: Success
[root@localhost ~]# passwd -S user1
user1 PS 2016-04-21 0 99999 7 7 (Password set, SHA512 crypt.)
[root@localhost ~]#
Setting the minimum number of days between password changes with the -n option
With -n we set the minimum number of days that must pass before the user may change the password again (this stops users from cycling through passwords to get back to an old one). A value of zero means the user can change the password at any time. The 90 days used below is only an illustration; it is far longer than the 0 to 7 days normally used.
[root@localhost ~]# passwd -n 90 user1
Adjusting aging data for user user1.
passwd: Success
[root@localhost ~]# passwd -S user1
user1 PS 2016-04-21 90 99999 7 7 (Password set, SHA512 crypt.)
[root@localhost ~]#

Setting the warning days before the password expires with the -w option

The -w option sets how many days before expiration the user is warned at login. As with -i, the warning only ever appears once a maximum lifetime has been set, and chage -l shows all of the aging settings together:
[root@localhost ~]# passwd -w 30 user1
Adjusting aging data for user user1.
passwd: Success
[root@localhost ~]# chage -l user1
Last password change                                    : Apr 21, 2016
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 90
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 30
[root@localhost ~]#
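The status letters and aging fields above come straight from /etc/shadow, so they can be audited without running passwd for every account. The following script is an added example (it is not part of the Unixmen article): it classifies shadow entries the way passwd -S reports them (PS / LK / NP), formats the same seven fields, and flags the aging settings a reviewer would question. The entries are constructed sample data with placeholder hashes, not a real shadow file, and treating a leading "*" as locked is an assumption that matches how such entries behave.

```python
"""Added example (not from the original post): classify accounts the way
passwd -S reports them (PS / LK / NP) directly from /etc/shadow-style
entries, and flag the aging settings a reviewer would question.  The
entries are CONSTRUCTED sample data, not a real shadow file."""
from datetime import date, timedelta

# Constructed sample.  /etc/shadow fields:
#   name:hash:lastchange:min:max:warn:inactive:expire:reserved
# The hashes are placeholders, not real crypt output.
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASH:16912:0:99999:7:::
user1:!$6$saltsalt$PLACEHOLDERHASH:16912:90:99999:30:7::
guest::16912:0:99999:7:::
svc:*:16912:0:99999:7:::
ops:$6$saltsalt$PLACEHOLDERHASH:16912:1:90:14:7::
"""


def epoch_day(days):
    """Field 3 stores the last change as days since 1970-01-01."""
    return date(1970, 1, 1) + timedelta(days=days)


def classify(entry):
    """Parse one shadow entry into the values passwd -S prints, plus findings."""
    f = entry.split(":")
    if len(f) != 9:
        raise ValueError("malformed shadow entry: %r" % entry)
    name, pw, last, mn, mx, warn, inact, expire = f[:8]
    if pw == "":
        status = "NP"            # empty field: no password at all
    elif pw[0] in "!*":
        status = "LK"            # locked: the hash can never match (assumption: '*' counts too)
    else:
        status = "PS"            # password set
    num = lambda s, default: int(s) if s else default
    rec = {
        "name": name, "status": status,
        "last_change": epoch_day(int(last)).isoformat() if last else None,
        "min": num(mn, 0), "max": num(mx, 99999),
        "warn": num(warn, -1), "inactive": num(inact, -1),
        "expires": epoch_day(int(expire)).isoformat() if expire else None,
        "findings": [],
    }
    if status == "NP":
        rec["findings"].append("empty password: logs in without one wherever PAM allows nullok")
    if status == "PS" and rec["max"] >= 99999:
        rec["findings"].append("never expires: -i and -w have no effect until -x sets a maximum")
    if status == "PS" and rec["min"] > rec["max"]:
        rec["findings"].append("min age exceeds max age: the user can never change it in time")
    if status == "LK" and rec["expires"] is None:
        rec["findings"].append("only password auth is locked: SSH keys still work; set an expiry to disable the account")
    return rec


def passwd_S_line(entry):
    """Format an entry like passwd -S: name status date min max warn inactive."""
    r = classify(entry)
    return "%s %s %s %d %d %d %d" % (r["name"], r["status"], r["last_change"] or "-",
                                     r["min"], r["max"], r["warn"], r["inactive"])


def audit(shadow_text):
    """Run classify() over every non-empty line and return the records."""
    return [classify(line) for line in shadow_text.splitlines() if line.strip()]


if __name__ == "__main__":
    for line in SAMPLE_SHADOW.splitlines():
        print(passwd_S_line(line))
        for finding in classify(line)["findings"]:
            print("    !", finding)
```

Run it as root against the real file with audit(open("/etc/shadow").read()) to get the same report for every account on the host; the interesting rows are the NP ones and the PS ones whose maximum is 99999.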
Source: Unixmen

Sunday, November 3, 2013

In this post I am going to talk about a new tool, "Adobe Malware Classifier": a command-line tool that lets antivirus analysts, IT administrators and security researchers quickly and easily determine whether a binary file contains malware, so they can develop malware detection signatures faster and reduce the time during which users' systems are exposed.

Thursday, October 3, 2013

Nowadays a common problem for many companies is the Distributed Denial of Service (DDoS) attack, so in this post I explain what a DDoS is and a possible solution for it.

Distributed Denial of Service (DDoS):
In computing, this attack is an attempt to make a machine (usually a web server) or a network resource unavailable to its intended users. The motives vary, but the attack generally consists of efforts to temporarily or indefinitely interrupt or suspend the services of a host connected to the Internet; a visual explanation is shown in Figure 1.

Tuesday, September 3, 2013

Figure 1: New Search Engine in Development
A piece of malware gained access to the network of a small web-development company that is building a new search engine to compete on the market. Figure 1 shows a screenshot of the new project.

To verify the functionality of this new search engine we are going to run some tests. First, we enter the word "trololo" and look at the results. The server's response to that request is:
Figure 2: Search results for trololo of the new project

As you can see, this modest search engine is not ready to compete on the market, since the database is still very small and only responds to keywords such as "facebook" or "trololo":

Figure 3: Search results for facebook of the new project

Because the database is so poor, the developer decided to redirect searches that return no results to another popular search engine. For example, let's try the word "nirvana", which is not in the new project's database:

Figure 4: Nirvana Search in the new project

The search is redirected to another search engine and the result can be seen below:

Figure 5: Nirvana Search Results on Bing

As you can see, this redirection is meant to keep populating the database from the responses of other search engines. Broadly speaking, we now understand how the server works: a known keyword returns results, an unknown one is redirected.

The problem seems to be that this company has an internal attacker, who devoted himself to analyzing vulnerabilities in the search engine even knowing that it was an alpha version. Additionally, remember that there is malware actively reporting all traffic from the internal network to the outside, thereby leaking sensitive information.

A capture of the final traffic sent by the malware can be downloaded here.
Finally, after four days, the server was found in the following state:

Figure 6: Defacement of the search engine

Your job is to determine whether this was an external attack carried out by the malware author who infiltrated the systems, or an internal attack. To do so you will have to examine the capture and see whether you can recover the password of the site's administrator. If it is possible, what is the password?

Note: In case you find irrefutable proof of his innocence, leave a comment and then write a small tutorial demonstrating the accuracy of the analysis. Apparently only the root user had permission to modify the files on the web server.

First we need a tool to open the file; Wireshark will do. Then we look for something unusual in the traffic. As shown in Figure 7, there is an access to an FTP server during which a file named data-intrusion.rar was downloaded:

Figure 7: FTP Server Access on Wireshark

To get a better view of this traffic we can use the "Follow TCP Stream" option on the FTP control connection (port 21). FTP sends the commands and the credentials over that connection in clear text, and transfers the file itself over a separate data connection, so the two appear as different streams. Let's see the results:
Figure 8: "Follow TCP Stream" of FTP Server

With this information we can see the credentials used to access the server and the name of the file that was downloaded. Next we reassemble the file from the data connection and see what it contains:

Figure 9: This Image shows the transfer of "data-intrusion.rar"

And the next figure shows the "Follow TCP Stream" of the RAR file in Raw mode:

Figure 10: "Follow TCP Stream" of "data-intrusion.rar" in Raw

This stream can be written to disk with "Save as" (keep the format set to Raw so the bytes are saved unmodified); name it as you want, but don't forget the ".rar" extension:
Figure 11: "data-intrusion.rar" contains access.log

In the file "access.log" we can see all the requests made to the server, and the interesting thing is that the server was attacked by an automated tool injecting SQL statements.

Figure 12: SQLi requests by an automated tool (sqlmap)

In this case the log file shows the requests URL-encoded; to learn more about this, follow this link: HTML URL Encoding Reference.
So we need to decode them to make them easier to understand; you can use any tool for that purpose (I used a web app):

Figure 13: SQLi requests decoded (Easier to understand).

Example of one of the requests found in the log file:
"GET /search.php?q=facebook' AND ORD(MID((SELECT IFNULL(CAST(user AS CHAR),0x20) FROM challenge.users ORDER BY id LIMIT 1,1),5,1)) > 116 AND 'zJfx'='zJfx HTTP/1.1" 302 622 "-" "sqlmap/1.0-dev (1bae9955b7) ("

We can see that the tool (sqlmap) made a long series of requests aimed at dumping the database through a boolean-based blind injection: each request asks whether one character of a query result is greater than some value, and the application answers through its behaviour. The keyword "facebook" is chosen because it exists in the database, so when the injected condition is true the search returns results (HTTP 200), while a false condition returns nothing and triggers the redirect (HTTP 302), as in the line above. With this oracle the attacker can dump sensitive information one character at a time. To verify this, we can write a script that replays the answers recorded in the log:

Figure 14: Script to extract useful information from access.log

In Figure 14 we can see the users and passwords that the attacker extracted; the last two lines are MD5 hashes, which can easily be cracked with a wordlist or an online lookup.

Recovered credentials (hashes cracked):
user: root
password: pepe

user: guest
password: hacker

With these credentials the external attacker could easily deface the site, so with this we verify that there is no internal attacker, or in this case, that the internal attacker was not responsible for the defacement.

Saturday, August 3, 2013

In this post I am going to explain how to solve a "crackme" challenge that I found on the Internet. In this example you can see a login form, but we don't know the username or the password, so what do you think a possible solution could be, or the first step to solving it?

Wednesday, July 3, 2013

A common technique used by attackers to fool their victims is the Unicode special character U+202E, RIGHT-TO-LEFT OVERRIDE (RLO): it reverses the display order of everything that follows it, so a malicious executable can be made to look like a PDF document instead of a potentially dangerous executable file.

To understand this concept, let's imagine that our malicious file is "document.exe" (see Figure 1):
Figure 1: Malicious file recently created with no changes.

Now we are going to follow the steps below to accomplish our goal:
  • Open the Windows Character Map (Start, Run, charmap).
  • Find and copy the Unicode character U+202E. Notice that the bottom left shows the code point of the selected character (see Figure 2).
Figure 2: Charmap with U+202E selected and copied.

  • Paste (Ctrl+V) the character just before the dot of the extension: "document[[U+202E]].exe".
  • Type the extension you want to show, but in reverse: for "doc" write "cod", for "pdf" write "fdp".
The result will be something like the file shown in Figure 3.
Figure 3: Malicious file renamed with the special character.
(The real name of the file, ignoring the special character, is "documentfdp.exe"; because everything after the U+202E is displayed reversed, Explorer shows it as "documentexe.pdf".)

Finally, to perfect the infection vector, a good idea would be to change the icon of the malicious file and also to pick a name that tricks the user, keeping in mind that the "exe" (or whatever the original extension is) will remain visible somewhere in the displayed name, e.g.:
Figure 4: Malicious file disguised as a Microsoft Word file, with a tricky name in order to preserve the original extension and fool the user.

The malicious file is ready to be delivered to the target and the following happens:
Figure 5: Common Infection Flow (TrendMicro)

If the victim executes the malware (double click or Enter), the following screen appears:

Figure 6: Malicious File starts a command prompt and shows a message: "Hello World".

Now let's look at the title of the shell: "annexe.doc". Apparently our technique is almost perfect, because we can't see the original extension even in the command line. Or can we?

Possible Countermeasures:

  • If we try to rename the file (F2), the cursor moves strangely through the name; this effect is produced by the special character, so it is a clue that something is wrong.
  • On a GNU/Linux system you can check the real type of the file from its headers (magic bytes) with the file command, and show hidden characters in the name with ls -b, which prints non-printable characters as escape sequences.
  • Another trick to verify the real name and extension of any file is the command prompt, but how?
To prove this, open a new cmd.exe in the folder of the suspicious file, type the first two characters of the name and press Tab: the shell autocompletes the true name, and then we know the truth! (See Figure 7.)

Figure 7: Revealing the true name of the suspicious file and executing it.

As shown in Figure 7, the name of the file contains one or more strange characters that the console cannot display and shows as two question marks, revealing the presence of the U+202E character. That's all, hope you like this post. =)
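Both sides of the post, the renaming steps and the countermeasures, can be captured in a few lines of code. The following script is an added example written for this page, not code from the original post: disguise() builds the same name the four steps above produce, rendered() approximates what Explorer shows (a simplification of the Unicode bidi algorithm that is enough for plain ASCII names), and inspect()/scan() do what the Tab trick does, reporting any bidirectional control character in a name together with the extension really used. The set of control characters checked covers every Unicode Bidi_Control character, not only U+202E, since the others can be abused the same way. The directory listing is constructed in memory; nothing touches the filesystem.

```python
"""Added example (not from the original post): build the disguised filename
the steps above produce and, on the defensive side, detect Unicode
bidirectional-override characters in a filename and report its real
extension.  All names are constructed in memory; nothing touches the disk."""
import unicodedata

RLO = "\u202e"                                   # RIGHT-TO-LEFT OVERRIDE
# Every Unicode Bidi_Control character; all of them can reorder displayed text.
BIDI_CONTROLS = frozenset("\u061c\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def disguise(stem, real_ext, shown_ext):
    """Steps 1-4 above: stem + RLO + reversed shown extension + '.' + real extension."""
    return "%s%s%s.%s" % (stem, RLO, shown_ext[::-1], real_ext)


def rendered(name):
    """Approximate what a file manager displays: the text after the RLO is
    drawn right-to-left (simplified bidi handling, fine for ASCII names)."""
    before, _, after = name.partition(RLO)
    return before + after[::-1]


def strip_controls(name):
    """The name with every bidi control removed: what the Tab trick reveals."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def inspect(name):
    """Report the hidden controls, the extension really used and the one shown."""
    controls = [unicodedata.name(ch) for ch in name if ch in BIDI_CONTROLS]
    real_ext = strip_controls(name).rpartition(".")[2].lower()
    shown_ext = rendered(name).rpartition(".")[2].lower()
    return {
        "name": strip_controls(name),
        "controls": controls,
        "real_ext": real_ext,
        "shown_ext": shown_ext,
        "suspicious": bool(controls) or real_ext != shown_ext,
    }


def scan(names):
    """Return the inspect() reports of every suspicious name in a listing."""
    return [r for r in map(inspect, names) if r["suspicious"]]


if __name__ == "__main__":
    # Constructed listing: the two names from the post plus benign files.
    listing = [disguise("document", "exe", "pdf"), disguise("ann", "exe", "doc"),
               "report.pdf", "notes.txt"]
    for n in listing:
        print("%-20s shown as %s" % (strip_controls(n), rendered(n)))
    for r in scan(listing):
        print("SUSPICIOUS:", r["name"], r["controls"],
              "really .%s, shown as .%s" % (r["real_ext"], r["shown_ext"]))
```

Pass os.listdir() of a download folder to scan() to get the same check for real files; a mail gateway or upload handler can reject any name for which inspect() reports controls, which is simpler and safer than trying to guess what the user would see.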