SMBLoris 0-day vulnerability presented on Defcon 25

There is a new 0-day vulnerability called SMBLoris, presented yesterday by Sean Dillon (@zerosum0x0) at DEFCON 25, which allows a remote attacker to run a DoS attack against SMB. The attacker launches it by opening many SMB requests against the remote machine. SMBLoris can be exploited from a single machine over a low-bandwidth connection, hence the name, which mirrors SlowLoris (a similar DoS vulnerability affecting web servers). Recommended action: although this was reported to Microsoft earlier, Microsoft rated the risk as Medium and will not issue a patch for this vulnerability in SMBv1. Hence the best practice is as follows:

1- Assess dependency on SMBv1

2- Block ingress SMBv1 requests on Internet-facing servers

3- For servers and applications that still depend on it, monitor ingress SMB connections on port 445 and raise a flag when many come from one source. (Detail: log all incoming SMB requests on the firewall, then define a rule in the SIEM that detects and flags multiple SMB requests coming from a single source.)

4- Plan to upgrade to a higher SMB version (SMBv2, SMBv3)

5- For machines and applications that do not depend on it, block SMBv1.
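The SIEM rule from step 3, as an added example that is not part of the original post: a small Python detector that reads constructed firewall log lines (the log layout, addresses, threshold and window are all assumptions) and flags any source that opens five or more new connections to TCP 445 inside a one-minute sliding window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed firewall log lines (not from the original post): one accepted
# inbound TCP connection per line in a simple syslog-like layout.
SAMPLE_LOGS = """\
2017-07-30T10:00:01 fw1 ACCEPT TCP 203.0.113.7:51000 -> 198.51.100.10:445
2017-07-30T10:00:02 fw1 ACCEPT TCP 203.0.113.7:51001 -> 198.51.100.10:445
2017-07-30T10:00:02 fw1 ACCEPT TCP 192.0.2.9:40000 -> 198.51.100.10:445
2017-07-30T10:00:03 fw1 ACCEPT TCP 203.0.113.7:51002 -> 198.51.100.10:445
2017-07-30T10:00:04 fw1 ACCEPT TCP 203.0.113.7:51003 -> 198.51.100.10:445
2017-07-30T10:00:05 fw1 ACCEPT TCP 203.0.113.7:51004 -> 198.51.100.10:445
2017-07-30T10:00:06 fw1 ACCEPT TCP 203.0.113.7:51005 -> 198.51.100.10:80
2017-07-30T10:05:00 fw1 ACCEPT TCP 192.0.2.9:40001 -> 198.51.100.10:445
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ ACCEPT TCP (?P<src>[\d.]+):\d+"
                     r" -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse_line(line):
    """Return (timestamp, src_ip, dst_port), or None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], int(m["dport"])

def find_smb_floods(log_text, threshold=5, window_seconds=60, port=445):
    """Flag any source that opens >= threshold new connections to `port`
    inside a sliding window of window_seconds. Returns {src: first alert time}."""
    recent = defaultdict(deque)  # src -> timestamps still inside the window
    alerts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[2] != port:
            continue  # unparseable line, or not SMB traffic
        ts, src, _ = parsed
        window = recent[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop connections older than the window
        if len(window) >= threshold and src not in alerts:
            alerts[src] = ts  # first time this source crossed the threshold
    return alerts

if __name__ == "__main__":
    for src, when in find_smb_floods(SAMPLE_LOGS).items():
        print(f"ALERT: {src} crossed the SMB connection threshold at {when.isoformat()}")
```

Tune the threshold and window to the normal SMB client behaviour of the monitored hosts; legitimate file servers see many short-lived connections from a single client, so a rule that is too tight will page on ordinary traffic.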

Reference:

1- http://securityaffairs.co/wordpress/61530/hacking/smbloris-smbv1-flaw.html

2- https://isc.sans.edu/forums/diary/SMBLoris+the+new+SMB+flaw/22662/

How to Disable Windows Defender in Windows 10:

Windows Defender

Microsoft has shipped a built-in, pre-installed antivirus called Windows Defender since Windows Vista and 7. In its early days, Windows Defender worked as adware and spyware detection. Over time it became more advanced and, from Windows 8.0 onward, absorbed Microsoft Security Essentials to provide a higher malware detection rate and better protection.

Why we should disable it

So far everything seems good, until you get to your daily tasks as a penetration tester or digital forensics investigator: running several hacking tools on your host machine, such as Nexpose, Exploit Pack, Nessus, Acunetix and other Windows-based tools. I prefer to run such scanners on the host machine, to take advantage of more CPU and RAM resources, rather than in VMs.

The problem arises when you find out that Windows Defender detects the scanners' payloads and exploits, both during its own scanning process and while my hacking tools are running, and deletes them one by one. I tried several times to turn it off, but Windows Defender kept working behind the scenes: you can find it among the running services and processes, detecting my exploits and deleting them. This is not pleasant at all when it deletes files without asking me. Hey AV, show some respect to the user.

Windows-10-Defender

How to Disable the Windows Defender in Windows 10:

First of all, if you are running Windows 10 Home Edition, you cannot make significant changes in Windows Group Policy; you need to upgrade from the Home edition to the Enterprise or Professional edition.

If you use a dedicated machine for penetration testing (as I do), feel free to disable all the security mechanisms, such as the firewall, IDS, AVs, etc. The best way is to disable Windows Defender from Group Policy. So far it works well for me, without any detection or deletion problems. You can open Group Policy using Run: type gpedit.msc and press Enter.

run gpedit

Then browse to Computer Configuration > Administrative Templates > Windows Components > Windows Defender and select Turn Off Windows Defender.

turn off

Set it to Enabled and press OK. You can do the same configuration using the Registry Editor (regedit), but I think this is simpler. Now you are good to go.

Enable

Please write comments or reach me via my LinkedIn profile or @sinamanavi

How to fix “Lua: Error during loading” when launching Wireshark on Kali Linux

Lua: Error during loading

Wireshark is a very handy tool among network engineers, pen-testers and anyone who cares about network traffic. You can install it on Windows as well as Mac and Linux. It is installed by default on Kali Linux, so you don’t need to install it on your pentest machine.

During my classes, participants often complain about a warning message during Wireshark’s initialization. In this short tutorial I show you how to get rid of the following warning:

******

Lua: Error during loading:

[string “/usr/share/wireshark/init.lua”]:46: dofile has been disabled due to running Wireshark as superuser. See http://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.

******

Open your terminal and type the following command to edit the Wireshark init script:

Command: gedit /usr/share/wireshark/init.lua

Set the “disable_lua” parameter to true. Save the file and relaunch Wireshark. You are good to go, without any warning message.

Cheers!

How to install Google Play on Genymotion for Android Application Penetration Testing

As Android application penetration testers or bug hunters, we need to download Android applications onto our playground (testbed) device/emulator to play around with the desired application. Many websites provide the .apk file of Android applications for download to a PC, such as www.play.google.com, APK Downloader v2, www.apkmirror.com, www.androidapksfree.com, www.apk4fun.com, etc.

I mostly work with Genymotion and Android Studio for running my emulators (R.I.P. Samsung S3). I tried to find a way to use Google Play on the Android Studio emulators and am still unsuccessful (please let me know if you have a way to install Google Play services on Android Studio). Meanwhile, I am using Genymotion for downloading applications from Google Play.

For those who are new to Android application penetration testing and prefer emulators to physical devices, you can install Google Play on Genymotion to always get the latest available version from the Google app store.

Note: some Android applications refuse to run on emulators to hinder reverse engineering, so you have to test those on a physical device.

Running Google Play on Genymotion:

  • Install Oracle VirtualBox.
  • Go to the Genymotion website, sign up with a valid email (you will need it later), download Genymotion to your desktop and install it (next, next, next, finish wizard).

Note: if either of them is already installed on your machine, make sure you have upgraded it to the latest version.

Note: if your emulator is running a lower Android version, download the packages matching your desired version.

  • Now start your emulator and, once it has successfully booted, drag & drop “Genymotion-ARM-Translation_v1.1.zip” onto the emulator. Then reboot the phone.
  • Do the same for the Google Apps package gapps-lp-20150222-signed.zip. Both files will be flashed onto your emulator.
  • After the two flashing steps, your Google Play services, Hangouts, etc. will crash several times. No worries, it’s normal 🙂 Open the installed Google Play application, log in with your Gmail account, and let it update the required apps and services. You need to update the Google Play application as well. Once you have updated all of them, you are ready to go.
  • Enjoy hunting and share your experiences with me.

I highly recommend you keep this emulator only for downloading apps from Google Play, to avoid any updates during testing.

How To Remove “Secure Browsing” Virus

It is very common to use our pendrives on other people’s PCs or laptops. One of the viruses I recently faced is called “Secure Browser”. The first time I saw it was at a print shop; I thought it was their security application to prevent running malicious code or malware. Today I found that my pendrive had the same directories and folders, in hidden form. In addition, some new and suspicious processes were running in my Task Manager, which I obviously never installed. So I tried TrendMicro; it couldn’t detect or clean it. I tried my own ESET Smart Security as well, with the latest version; it could detect and quarantine them. So I started digging through Google to see if there is any tool for the “Secure Browser” virus. I found USBfix, which is free. It is a very easy and straightforward tool that asks you to connect your external drives, such as SD cards, hard drives and pendrives, and scans and cleans all of them, as well as your registry and system directories. It’s good to have it next to your Malwarebytes application; you may need it in the future as well. The steps are explained below.

Once you have downloaded it, run USBfix, wait for the first wizard to appear and then click Next as follows:

In the next step, a message box pops up telling you to connect your external drives; simply click OK and go to the next step.

While it starts analyzing your system and external drives, it invites you to join the SOSVirus.net forum. It’s up to you whether to join. I clicked “No” to go to the next step.

Finally USBfix thanks you for choosing their tool. Actually, we should thank them for helping us stop this annoying virus.

Then it starts analyzing and removing the infected files. This is a safe application; it doesn’t damage your system, or at least so far my PC has had no issue since the last time I ran it 🙂. It might ask you to restart your computer, so save your files and work and then restart your machine.

Keep USBfix on your pendrive; whenever you see this virus on someone else’s computer, you can help them by simply running it and cleaning their system for free.

Mail app of iOS 8.3 is vulnerable to a phishing attack

There is always a debate between Apple lovers and Android or Windows fans. There is a wrong belief that iOS never gets hacked or infected, or that it is the best product. Several times in my classes I have shown how Apple devices may get hacked, just as Windows or Android devices can be targets for hackers. Here is a news item showing how a phishing attack can cause Apple users to lose their iCloud credentials via the Mail app. This vulnerability was found in iOS 8.3. Phishing is one of the most significant and fastest methods allowing hackers to obtain credentials, launch remote attacks and much more. The proof of concept of this attack has been uploaded to YouTube and its PoC code has been shared on GitHub for learning purposes.

Let’s say hi to the new Gmail #Inbox and #Google #Photo

It seems Google has some new updates: Google Daily Photos, to compete with Instagram, and now they have upgraded their Inbox.
Now you may switch to Inbox and install the Inbox app as well. At the beginning it seems a bit creepy, but there is no choice; we are living at the edge of technology, where everything changes daily, and we need to adapt to new systems and updates.
Google Inbox:

Google Photo:


 

Writing a script to automate running Metasploit services, and calling it from anywhere

Hi guys, it’s been a while since I had time to update my blog. I would like to write a simple post about how to automate some tasks and run them easily at any time. Many of us, while playing with the Penguin, run some tasks and commands repeatedly. Writing bash scripts is my hobby and I like to automate things, even the Eat-Rave-Linux process 🙂. So I am writing a simple script and showing you how to call it from anywhere, like other Linux tools and commands such as ifconfig or ls, etc.

Today I had a call from a friend about running Metasploit. His problem was that sometimes some services such as Apache2 or PostgreSQL are not running, which might cause Metasploit to malfunction or run slowly. So it’s better to check that these services are running before launching msfconsole. What I did was write a very simple bash script that restarts the services, updates Metasploit and finally runs Metasploit automatically. I have a “my-scripts” directory where I put my scripts, and hence you can call them from anywhere. So here is my Metasploit script.

#!/bin/bash
# Restart the services Metasploit depends on, then update and launch it.
service postgresql restart   # database backend used by msfconsole
service apache2 restart
service metasploit restart
msfupdate                    # pull the latest Metasploit modules
msfconsole                   # start the console

Once you have created your script, save it as a bash file. You may call it Metasploit.sh to avoid any conflict with msfconsole. Then make the file executable using: chmod 755 Metasploit.sh. Next, I move this script into the “my-scripts” directory, which I placed in the root user’s home directory (so it is ~/my-scripts). I have added this directory to my $PATH variable, so I can call my script at any time from anywhere by simply typing its name. To do so, you may use the following commands.

Now edit your .bashrc file and add the following line at the end to make it a permanent setting. You may need to reboot your system (or open a new shell) for the change to apply. Then you can call your Metasploit script from anywhere.

nano /root/.bashrc

Add the following after the last line:

export PATH=$PATH:~/my-scripts

Good luck, and let me know if you have an alternative way to do this.

Staying Anonymous while Black-box Penetration Testing (Tor and Proxychains)

During black-box penetration testing we sometimes need to hide our identity and stay anonymous: firewalls and IDPS may detect us while we are testing the machine and block our IP address. In that case we need to keep changing the IP. If the firewall blocks the company’s IP, then even if you change your local IP you may not be able to access the website again. So the best way to hide your identity is to use Tor and proxychains.

Install tor:

apt-get install tor

Then you just need to start the tor service.

service tor start

Then you need to modify your proxychains configuration and polish it a little. Open the proxychains configuration file (/etc/proxychains.conf), uncomment dynamic_chain, comment out strict_chain, and at the end of the file you will find socks4 127.0.0.1 9050.

You need to add the following line as well:

socks5 127.0.0.1 9050

************************Notice:*******************************

The file should look like the following after editing.

# proxychains.conf  VER 3.1
#
#        HTTP, SOCKS4, SOCKS5 tunneling proxifier with DNS.
#

# The option below identifies how the ProxyList is treated.
# only one option should be uncommented at time,
# otherwise the last appearing option will be accepted
#
dynamic_chain
#
# Dynamic - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
# (dead proxies are skipped)
# otherwise EINTR is returned to the app
#
#strict_chain
#
# Strict - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# all proxies must be online to play in chain
# otherwise EINTR is returned to the app
#
#random_chain
#
# Random - Each connection will be done via random proxy
# (or proxy chain, see  chain_len) from the list.
# this option is good to test your IDS :)

# Make sense only if random_chain
#chain_len = 2

# Quiet mode (no output from library)
#quiet_mode

# Proxy DNS requests - no leak for DNS data
proxy_dns

# Some timeouts in milliseconds
tcp_read_time_out 15000
tcp_connect_time_out 8000

# ProxyList format
#       type  host  port [user pass]
#       (values separated by 'tab' or 'blank')
#
#
#        Examples:
#
#            socks5  192.168.67.78   1080    lamer   secret
#            http    192.168.89.3    8080    justu   hidden
#            socks4  192.168.1.49    1080
#            http    192.168.39.93   8080
#
#
#       proxy types: http, socks4, socks5
#        ( auth types supported: "basic"-http  "user/pass"-socks )
#
[ProxyList]
# add proxy here
# meanwhile
# defaults set to "tor"
socks4  127.0.0.1 9050
socks5  127.0.0.1 9050

Then restart your tor service:

service tor restart

Now you can launch any application or browser through proxychains with the following command:

proxychains iceweasel www.ipchicken.com

or

proxychains nmap yourtargetip

Enjoy the anonymous surfing and penetration testing

Please let me know how you keep your identity anonymous during penetration testing.