SMBLoris 0-day vulnerability presented on Defcon 25

There is a new 0-day vulnerability called SMBLoris, presented yesterday by Sean Dillon (@zerosum0x0) at DEFCON 25, which allows a remote attacker to run a DoS attack against SMB. The attacker launches the DoS by sending multiple SMB requests to the target machine. SMBLoris can be carried out from a single machine over a low-bandwidth connection as well, hence the name, after SlowLoris (a similar DoS vulnerability in web servers).

Recommended Action: While this was reported earlier to Microsoft, Microsoft set the risk rating to Medium and will not issue a patch for this vulnerability in SMBv1. Hence the best practice is as follows:

1- Assess dependency on SMBv1

2- Block ingress SMBv1 requests on Internet-facing servers.

3- For servers and applications that depend on SMBv1, monitor ingress SMB connections on port 445 and raise a flag when one source opens many of them (detail: log all incoming SMB requests on the firewall, then define a rule on the SIEM to detect and flag multiple SMB requests coming from a single source).

4- Plan to upgrade to a higher SMB version (SMBv2, SMBv3).

5- For machines and applications that do not depend on it, block SMBv1.
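One way to implement the SIEM rule from step 3, as an added example that is not part of the original post: it reads constructed firewall accept-log lines (the field layout is an assumption) and flags any source that opens a threshold number of new connections to TCP/445 inside a sliding window.

```python
# Added example (not from the original post): a minimal SIEM-style rule that
# flags sources opening many new connections to TCP/445 in a short window,
# the pattern the SMBLoris step 3 recommendation asks you to alert on.
# The log line layout below is a constructed, simplified firewall syslog format.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ts>\S+) ACCEPT src=(?P<src>[\d.]+) dst=[\d.]+ proto=TCP dport=(?P<dport>\d+)$'
)

def parse(line):
    """Return (timestamp, src_ip, dst_port) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m['ts']), m['src'], int(m['dport'])

def smb_flood_sources(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {src_ip: peak} for sources whose count of new TCP/445 connections
    inside any sliding `window` reaches `threshold`."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] == 445:
            per_src[rec[1]].append(rec[0])
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged

# Constructed sample: one source opens 25 SMB connections in 25 seconds,
# a normal client opens one SMB and one HTTPS connection.
SAMPLE = [f"2017-07-30T10:00:{i:02d} ACCEPT src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=445"
          for i in range(25)]
SAMPLE += ["2017-07-30T10:00:05 ACCEPT src=192.0.2.50 dst=192.0.2.10 proto=TCP dport=445",
           "2017-07-30T10:00:06 ACCEPT src=192.0.2.50 dst=192.0.2.10 proto=TCP dport=443"]

if __name__ == "__main__":
    print(smb_flood_sources(SAMPLE))  # {'203.0.113.7': 25}
```

Tune the threshold to the normal SMB connection rate of each dependent server before enabling the alert.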

Reference:

1- http://securityaffairs.co/wordpress/61530/hacking/smbloris-smbv1-flaw.html

2- https://isc.sans.edu/forums/diary/SMBLoris+the+new+SMB+flaw/22662/


Public exploit for CVE-2017-0199

There is a public exploit for CVE-2017-0199, which leverages a Microsoft Office vulnerability that needs to be a patching priority. A hacker can create a crafted exploit in the form of a document using Metasploit and send it by email, or use the watering-hole attack technique, to infect the remote victim user. Hackers used this vulnerability to breach the email account of the Ministry of Foreign Affairs of the Turkish Republic of Northern Cyprus. The compromised account was used to send a weaponized document to foreign affairs ministries in various countries around the world.

Vulnerability Details: This module creates a malicious RTF file that, when opened in vulnerable versions of Microsoft Word, will lead to code execution. The flaw exists in how an OLE link object can make an http(s) request and execute HTA code in response. This bug was originally seen being exploited in the wild starting in October 2016. This module was created by reversing a public malware sample.

Microsoft issued a security patch advisory in April. Please check whether the affected products below exist in your environment and expedite patching this vulnerability as soon as possible. Note: for critical systems, perform testing and validation first; for non-critical systems, roll out the patch.

Affected Products:

  • Microsoft Office 2007 Service Pack 3
  • Microsoft Office 2010 Service Pack 2 (32-bit editions)
  • Microsoft Office 2010 Service Pack 2 (64-bit editions)
  • Microsoft Office 2013 Service Pack 1 (32-bit editions)
  • Microsoft Office 2013 Service Pack 1 (64-bit editions)
  • Microsoft Office 2016 (32-bit edition)
  • Microsoft Office 2016 (64-bit edition)

References:

1. http://www.securityweek.com/iranian-copykittens-conduct-foreign-espionage
2. https://www.rapid7.com/db/modules/exploit/windows/fileformat/office_word_hta
3. https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html
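As an added example (not the Metasploit module's code or the post's own), a heuristic scanner for the document shape the vulnerability details describe: an auto-updating OLE link object in an RTF whose object data carries an http(s) URL. The control words are standard RTF; the heuristic itself, the UTF-16LE handling and the placeholder URL are assumptions.

```python
# Added example, not from the original post: flag RTF files whose auto-updating
# OLE link object embeds an http(s) URL, the shape CVE-2017-0199 lures take.
# Heuristic and sample are assumptions; the URL is a constructed placeholder.
import re

OBJDATA_RE = re.compile(r'\\objdata\s*([0-9a-fA-F\s]+)')
URL_RE = r'https?://[\x21-\x7e]+'

def decode_objdata(rtf):
    """Yield the raw bytes of each \\objdata hex blob in an RTF document."""
    for hexblob in OBJDATA_RE.findall(rtf):
        clean = re.sub(r'\s+', '', hexblob)
        yield bytes.fromhex(clean[:len(clean) & ~1])   # drop a dangling nibble

def embedded_urls(blob):
    """Find http(s) URLs stored as ASCII or as UTF-16LE (either byte alignment);
    OLE link monikers carry their URL as a wide string (assumption)."""
    found = set(m.decode('ascii') for m in re.findall(URL_RE.encode(), blob))
    for start in (0, 1):
        wide = blob[start:].decode('utf-16-le', errors='ignore')
        found.update(re.findall(URL_RE, wide))
    return found

def suspicious_ole_links(rtf):
    """Return URLs embedded in OLE objects that Word would refresh on open.
    Heuristic: an auto-updating link (\\objautlink or \\objupdate) whose object
    data carries an http(s) URL is worth quarantining for analysis."""
    if re.search(r'\\objautlink|\\objupdate', rtf) is None:
        return set()
    urls = set()
    for blob in decode_objdata(rtf):
        urls |= embedded_urls(blob)
    return urls

# Constructed sample RTF: a placeholder URL, not an indicator from any campaign.
_URL = "http://example.invalid/update.hta"
_BLOB = b"\x00" * 8 + _URL.encode("utf-16-le") + b"\x00\x00"
SAMPLE_RTF = "{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata " + _BLOB.hex() + "}}}"

if __name__ == "__main__":
    print(suspicious_ole_links(SAMPLE_RTF))  # {'http://example.invalid/update.hta'}
```

Run it over a mail gateway's quarantined attachments rather than relying on a signature for one sample, since the URL and object data vary per lure.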

0-Day Vulnerability for all Windows Versions and Antivirus

The new 0-day vulnerability turns antivirus software into malware and allows an attacker to take full control of the victim's computer. This attack method is called DoubleAgent.
Windows has a feature called Microsoft Application Verifier that verifies applications before they run. A recently found security issue allows an attacker to inject a custom verifier into any application and gain full control over the victim's computer. By injecting a DLL into the process, the attacker hijacks the computer during or after the boot process to keep persistence. Attackers can leverage this vulnerability to turn an AV into malware by manipulating the AV's behaviour to take over the victim machine or execute arbitrary code, such as escalating privileges, modifying the nature and behaviour of processes, and more.

All Windows versions are vulnerable to this kind of attack, and at the time of writing this advisory most antivirus vendors have not released a patch yet, except Malwarebytes and AVG. Trend Micro mentioned that they are planning to push a patch in the upcoming week, while Symantec is not in the affected list. Since DoubleAgent has been published publicly and there is no mitigation or patch released yet, the risk of such an attack is very high.

For more information please refer to the following addresses:
https://cybellum.com/doubleagentzero-day-code-injection-and-persistence-technique/
https://github.com/Cybellum/DoubleAgent
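As an added example (not Cybellum's code or the post's own), an audit a defender can run over an exported Image File Execution Options key: Application Verifier providers are registered there as a VerifierDlls value together with the 0x100 bit of GlobalFlag, which is the registration a custom verifier injection relies on. The .reg export below is constructed and the process and DLL names are placeholders.

```python
# Added example, not from the original post: list processes that have an
# Application Verifier provider DLL registered under IFEO, so a custom verifier
# planted for persistence shows up in a review. Sample export is constructed.
import re

FLG_APPLICATION_VERIFIER = 0x100          # GlobalFlag bit that loads verifier providers
SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.+)$')

def parse_reg_export(text):
    """Parse .reg export text into {key_path: {value_name: raw_value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            keys[current] = {}
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            keys[current][val['name']] = val['val']
    return keys

def verifier_providers(text):
    """Return [(exe, [dll, ...])] for IFEO entries that enable Application Verifier
    and name provider DLLs; each hit is loaded into that process at startup."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if 'Image File Execution Options\\' not in key:
            continue
        exe = key.rsplit('\\', 1)[-1]
        flag = values.get('GlobalFlag', '')
        dlls = values.get('VerifierDlls', '').strip('"')
        enabled = flag.startswith('dword:') and int(flag[6:], 16) & FLG_APPLICATION_VERIFIER
        if enabled and dlls:
            hits.append((exe, dlls.split()))
    return hits

# Constructed sample export: one hijacked AV process, one harmless debugger entry.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avservice.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="injected.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="vsjitdebugger.exe PID %d"
'''

if __name__ == "__main__":
    print(verifier_providers(SAMPLE_EXPORT))  # [('avservice.exe', ['injected.dll'])]
```

Compare every reported DLL against what your Application Verifier installation legitimately registers; anything else, especially under an AV or security product's process name, needs investigation.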

How to Disable Windows Defender in Windows 10:

Windows Defender

Microsoft has shipped a built-in, pre-installed antivirus called Windows Defender since Windows Vista and 7. In its early days, Windows Defender worked as adware and spyware detection. Over time it became more advanced and, from Windows 8.0 onward, merged with the Microsoft Security Essentials application to provide a higher malware detection rate and better protection.

Why we should disable it

So far everything seems good, until you get to your daily tasks as a penetration tester and digital forensics investigator: running several hacking tools on your host machine, such as Nexpose, Exploit Pack, Nessus, Acunetix and other Windows-based tools. I prefer to run scanners like these on the host machine to take advantage of more CPU and RAM resources, rather than on VMs.

The problem arises when you find out that Windows Defender detects the scanners' payloads and exploits, both during its own scanning process and while my hacking tools are running, and deletes them one by one. I tried several times to turn it off, but Windows Defender still works behind the scenes; you can see it among the running services and processes, detecting my exploits and deleting them. This is not pleasant at all when it deletes files without asking me. Hey AV, show some respect to the user.


How to Disable Windows Defender in Windows 10:

First of all, if you are running Windows 10 Home Edition, you cannot make significant changes in Windows Group Policy; you need to upgrade from the Home edition to the Enterprise or Professional edition.

In case you use a separate machine for penetration testing (as I do), feel free to disable all the security mechanisms, such as firewall, IDS, AVs, etc. The best way is to disable Windows Defender from Group Policy. So far it works well for me, without any detection or deletion problems. You can open Group Policy using Run: type gpedit.msc and press Enter.


Then navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender and select Turn off Windows Defender.


Set it to Enabled and press OK. You can do the same configuration using the Registry Editor (regedit), but I think this way is simpler. Now you are good to go.


Please write comments or reach me via my LinkedIn profile or @sinamanavi

How to fix “Lua: Error during loading” when loading Wireshark on Kali Linux

Lua: Error during loading

Wireshark is a very handy tool among network engineers, pentesters and anyone who cares about network traffic. You can install it on Windows as well as Mac and Linux. It is installed by default on Kali Linux, so you don't need to install it on your pentest machine.

Usually during my classes, participants complain about a warning message during the initialization of Wireshark. In this short tutorial I show you how to get rid of the following warning:

******

Lua: Error during loading:

[string “/usr/share/wireshark/init.lua”]:46: dofile has been disabled due to running Wireshark as superuser. See http://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.

******


Open your terminal and type the following command to open the Wireshark init script:

Command: gedit /usr/share/wireshark/init.lua

Set the “disable_lua” parameter to true. Save the file and relaunch Wireshark. You are good to go without any warning message.

Cheers!

How To install Google Play on Genymotion for Android Application Penetration Testing

As Android application penetration testers or bug hunters, we need to download Android applications onto our playground (testbed) device/emulator to play around with the target application. There are many websites that provide the .apk file of Android applications for download to a PC, such as www.play.google.com, APK Downloader v2, www.apkmirror.com, www.androidapksfree.com, www.apk4fun.com, etc.

I mostly work with Genymotion and Android Studio for running my emulators (R.I.P. Samsung S3). I tried to find a way to use Google Play on the Android Studio emulators and am still unsuccessful (please let me know if you have a way to install Google Play services on Android Studio). Meanwhile, I am using Genymotion for downloading applications from Google Play.

For those who are new to Android application penetration testing and prefer emulators to physical devices, you can install Google Play on Genymotion to always get the latest available version from the Google app store.

Note: Some Android applications don't run on emulators, to defeat reverse-engineering techniques, so you have to test those on your physical device.

Running Google Play on Genymotion:

• Install Oracle VirtualBox.
• Go to the Genymotion website, sign up with a valid email (you will need it later), download Genymotion to your desktop and install it (next, next, next, finish wizard).

Note: If you already have either of them installed on your machine, make sure you have upgraded to the latest version.

Note: If your emulator is running a lower Android version, download the files matching your desired version.

• Now start your emulator and, once it has successfully booted, drag & drop “Genymotion-ARM-Translation_v1.1.zip” onto the emulator. Then reboot the phone.
• Do the same with the Google Apps package gapps-lp-20150222-signed.zip. Both files will flash your emulator.
• After the two flashing steps, Google Play services, Hangouts, etc. will crash several times. No worries, it's normal 🙂 Open the installed Google Play application, log in with your Gmail account, and let it run and update the required apps and services. You need to update the Google Play application as well. Once you have updated all of them, you are ready to go.
• Enjoy hunting and share your experiences with me.

I highly recommend you keep this emulator only for downloading apps from Google Play, to avoid any updates during testing.

How to avoid IDS/Firewall blocking your IP during Web Penetration Testing

This is very common during penetration testing: since we send unexpected/payload requests toward the servers, the target web server may pick up our IP address and sometimes block it. There are many ways around this, such as TOR and VPNs (free/commercial). Personally, I don't like to set up a VPN or TOR, since there are other applications running against the target which I prefer to run on the normal network to avoid slow connections due to VPNs, although sometimes spiders and fuzzers may also alert servers and consequently get my IP address blocked. In addition, I prefer not to send all my laptop traffic through VPNs and proxies; there are many personal data and applications on my pentest machine as well.

Please keep in mind that the only reason I recommend them is to easily change your IP to bypass firewall/IDS restrictions during the penetration test, so you don't need to call the admin to unblock your IP or provide a new IP for you. Obviously I don't have any personal account in my Firefox/Chrome, to protect myself against data leakage and privacy issues.

Note: A hacker has none of the aforementioned ability to ask the server administrator to unblock him, right? 🙂 Act real.

I usually use the following two VPNs as Firefox/Chrome add-ons during web penetration testing.

Firefox: ZenMate Security, Privacy & Unblock VPN

This is an add-on that you can easily install on the Firefox/Chrome browser and use to change your IP whenever it is required. Although in the free version you may only use four countries' IPs (Romania, Hong Kong, Germany and USA), in the premium version you may use IP addresses of other countries as well, but I think these four are enough in this context.


Chrome: DotVPN

DotVPN is a Chrome add-on extension that works perfectly. Just install it in your Chrome browser, create a username/password and go for bug hunting.


So next time, if your connection becomes very slow accessing the target website, or they block your access, just use these VPNs and you can change your IP easily from time to time.

There are some other free VPNs such as Hotspot Shield VPN, ProxMate, Hola Unblocker, CyberGhost VPN, AWB Proxy and AutoProxy, but I use DotVPN and ZenMate to change my IP on demand.

Invitation Letter for OWASP Meetup Q3 2015

This is an open invitation for those who are keen on information security meetups. We are conducting an OWASP talk at UniKL University. Everybody is welcome to participate and attend OWASP Meetup Q3 2015.


Contact me for more information

Kali Linux Version 2 Released.

In the old days, computer users were always waiting for Microsoft or Apple to release the latest OS. We have all grown up, and now, as security evangelists and penetration testers, we are looking forward to seeing the latest version, Kali Linux v2. You can download the ISO image file from the Kali website, or the VMware version from the Offensive-Security website.

EnJoY Hunting….