Friday, October 10, 2014

Nmap - Get it on!

Nmap - What is it and how to make the best of it?

Nmap is the network mapper: it discovers the hosts and devices on the network it is pointed at, thus mapping the whole network.
Let's not jump into the details of the installation, as that is not the information everyone is looking for. Some of you might even already have it on your system without using it. So here are some details on the information it can provide us with.

Scan your own host to determine the open ports and connections:

nmap -sV -p 1-65535 localhost/24

Here -sV gets the version of the service running on each open port,
-p specifies the port numbers to be scanned, and
localhost is the target to be probed. (/24 means the first 3 octets are the network part and the remaining octet is open for the other hosts on the network.) This way you can scan multiple hosts at the same time.

It will return a series of open ports and the service running on each port.
Some basics you have to know to understand nmap:
1. nmap establishes a 3-way TCP handshake with the "host" as any other client would do.
   Different ports / services that should be noted:
       port 80 - web server
       port 81 - firewall (this drops all the packets that could potentially harm the server)
   Any connection to a web server passes through the firewall (80). Closed ports mean that there is no service running on those ports.

2. The host specified can be either an IP address or a URL.
3. nmap basically probes every port on the host to determine what service is established.
   Open ports - the service/port is open for any public connection and is accepting TCP/UDP client connections.
   Closed ports - the port is not providing any service or application, but can still be reached to find out other information about the OS or server.
   Filtered ports - these ports cannot provide any kind of information, as the firewall/router drops any packets trying to reach them.
   Open|filtered - the probe cannot determine the state of the port. The port gives no response, so nmap cannot tell whether it is open or the firewall simply drops the packets sent to it.

4. nmap -A google.com
   Gets you the OS detection of the target server.
5. nmap -iL textfile.txt
   Reads the list of targets from the text file.
6. nmap -sA target.com
   Tells you whether the target server is protected by a firewall.
   If such a firewall exists, then use nmap -PN target.com to scan the network. How is this different from the normal scan?

Almost any information associated with the ports, the server OS and the services attached to the ports can be obtained without any credentials.
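The port states above matter most when you scan your own hosts and compare the result against what is supposed to be listening. The following is an added example, not code from the original post: it parses the XML that `nmap -oX` writes (run the scan yourself first, e.g. `nmap -sV -p 1-65535 -oX scan.xml <your-host>`), counts ports per state, and flags every open or open|filtered port that is missing from an approved baseline. The XML document and the baseline set embedded below are constructed for the example; the address 192.0.2.10 is a documentation address, not a real host.

```python
"""Parse nmap -oX output and flag open ports missing from an approved baseline.

Added example (not from the original post). Assumes the XML comes from your
own scan of your own host; the sample below is constructed in the same shape.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the layout nmap -oX produces (not real scan output).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV -p 1-65535 -oX - 192.0.2.10" version="7.94">
<host><status state="up" reason="echo-reply"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<extraports state="closed" count="65530"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="nginx" version="1.24.0"/></port>
<port protocol="tcp" portid="1433"><state state="open" reason="syn-ack"/>
<service name="ms-sql-s" product="Microsoft SQL Server" version="2019"/></port>
<port protocol="tcp" portid="3306"><state state="open|filtered"/>
<service name="mysql"/></port>
<port protocol="tcp" portid="8080"><state state="filtered" reason="no-response"/>
<service name="http-proxy"/></port>
</ports></host>
</nmaprun>"""

# Hypothetical baseline: what this host is *supposed* to expose.
BASELINE = {("192.0.2.10", "tcp", 22), ("192.0.2.10", "tcp", 80)}


def parse_nmap_xml(xml_text):
    """Return one dict per scanned port: host, proto, port, state, service, version."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state_el = port.find("state")
            svc = port.find("service")
            version = ""
            if svc is not None:
                # product and version are optional attributes; join what exists.
                version = " ".join(filter(None, (svc.get("product"), svc.get("version"))))
            results.append({
                "host": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state_el.get("state") if state_el is not None else "unknown",
                "service": svc.get("name", "") if svc is not None else "",
                "version": version,
            })
    return results


def state_summary(results):
    """Count ports per state: open, closed, filtered, open|filtered, ..."""
    return Counter(r["state"] for r in results)


def unexpected_open(results, baseline):
    """Open or open|filtered ports not in the baseline: candidates for investigation.

    open|filtered is included because nmap could not tell whether the service is
    listening or a firewall silently dropped the probe, so it must be checked by hand.
    """
    flagged = []
    for r in results:
        if r["state"] in ("open", "open|filtered"):
            if (r["host"], r["proto"], r["port"]) not in baseline:
                flagged.append(r)
    return flagged


if __name__ == "__main__":
    scan = parse_nmap_xml(SAMPLE_XML)
    print("states:", dict(state_summary(scan)))
    for r in unexpected_open(scan, BASELINE):
        line = f"UNEXPECTED {r['host']} {r['proto']}/{r['port']} {r['state']} {r['service']} {r['version']}"
        print(line.rstrip())
```

On the constructed sample this reports two ports to look at: tcp/1433 (an SQL Server nobody approved) and tcp/3306, whose open|filtered state means the scan alone cannot say whether MySQL is reachable. Swap `SAMPLE_XML` for the contents of your own `scan.xml` and `BASELINE` for the services you actually run.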

Nmap - SQL access:
We can do a whole lot more with Nmap to get information about SQL server/database access. We can pass additional scripts along with the nmap command for the port given by -p:
    "ms-sql-info" - get database information
    "ms-sql-brute" - run brute-force attacks to check for weak credentials within the database
    "ms-sql-empty-password" - check if the database has empty passwords set for any table/user. Once we know which user has no password set, we can try to detect the databases or privileges that user has been granted.
    "ms-sql-hasdbaccess --script-args mssql.username=" - check the db access granted to the user.
    "ms-sql-tables --script-args mssql.username=" - gives the table names and description in each db under the user.
Any details obtained from these scripts could reveal the entire infrastructure and any credentials associated with it. If an empty password is set for any user in the db schema, it could expose the whole table schema, which is very scary and harmful.
There are a whole lot of customized scripts that can get the password hashes from the server, thus providing direct access into the server to any outsider.

All of this information on Nmap/MySQL access probes is provided so that a security assessment can be made. Don't try to hack into anyone's server. Use it productively.

Remember, every code is breakable. That doesn't mean you have to be the black hat hacker!

More exploits coming soon...

Tuesday, March 4, 2014

"THE MASK" - Real data breach threat.


The MASK - the most sophisticated (frightening) attack till date!

When we say "data breach" these past months, we think of Target, Neiman Marcus and all the other typical public places. But there has been a major threat that has attacked nations' most classified data: research interests, financial settlements and highly valued data within government offices, diplomats, educational institutions, etc. The irony is that this attack has been under the radar, "invisible", for almost 6 years in almost every country/system possible.


What is the MASK?

  • The Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007 and was found only at the end of 2013. Thought to be from a Spanish group because of the word "Careto" used in some of the modules.
  • Has infected 31 countries and 1000+ IPs worldwide.
  • The most advanced threat at the current time.
  • Suspected to be a nation-state attack because it is sophisticated and highly organized.

Targets of the attack:

Once the malware is active in the system, it collects a list of documents from the infected system, including encryption keys, VPN configurations and SSH keys. Some of these files are related to custom military/government-level encryption tools.

  • *.AKF,*.ASC,*.AXX,*.CFD,*.CFE,*.CRT,*.DOC,*.DOCX,*.EML,*.ENC,*.GMG,*.GPG,*.HSE,*.KEY,*.M15,*.M2F,*.M2O,*.M2R,*.MLS,*.OCFS,*.OCU,*.ODS,*.ODT,*.OVPN,*.P7C,*.P7M,*.P7Z,*.PAB,*.PDF,*.PGP,*.PKR,*.PPK,*.PSW,*.PXL,*.RDP,*.RTF,*.SDC,*.SDW,*.SKR,*.SSH,*.SXC,*.SXW,*.VSD,*.WAB,*.WPD,*.WPS,*.WRD,*.XLS,*.XLSX
  • Targets: government institutions, diplomatic offices, energy and gas companies, research institutions.

Detection: extremely difficult because of the stealth capabilities. The malware changes when downloaded to new systems, so its signature is never the same.

Infection:

It uses multiple vectors:

- phishing emails

- exploiting an old Adobe Flash Player vulnerability (first used to break the Chrome sandbox)

- prompting the user for a Java update / Chrome plugin

- subdomains of genuine websites; Guardian links used in the malware

The malware uses two packages for spreading through all the connected systems: Careto and SGH. Careto is a general-purpose backdoor that collects all the information and executes arbitrary code sent by remote C&C servers. SGH primarily works in the kernel and maintains its own connection to the C&C.

Files from these packages are signed with a certificate so they appear "valid".

Each works standalone without the other.

What does it do?

Once active, the Mask can intercept network traffic and keystrokes, intercept Skype conversations, analyse WiFi traffic, fetch all information from Nokia/Android devices, take screen captures and monitor all file operations.
It collects large chunks of data from the victim, including encryption keys, VPN configurations, SSH keys and so on.

Complexity: an extremely sophisticated piece of malware, with a rootkit, a bootkit, Windows, Mac OS X and Linux versions, and possibly versions for Android and iPad/iPhone (iOS).

A customized attack on old Kaspersky Lab products lets it hide in the system, "invisible". This is the step where Kaspersky became alert that someone was exploiting their vulnerability, and eventually discovered this malware.

Supports plug-ins, configuration files and built-in functionalities, and any additional modules can be uploaded.

Stealth and platform independence:

The digital signature is given as issued by a fake "Techsystem" company.

Careto conquest:

Sample Careto code ("Careto ..."); all the other modules are "encrypted".

Careto - Map of Conquest.