Hacking, Malware

Some notes on rootkits – Part 1

Rootkit major features
* Maintain access
* Conceal existence through stealth

Rootkit types
* User-mode
* Kernel-mode

User-mode rootkit main injection techniques
* Windows hooks
* CreateRemoteThread + LoadLibrary()
* CreateRemoteThread + WriteProcessMemory()

Hooking techniques
* Import Address Table hooking
* Inline function hooking

Rings
* Ring 3 – user-mode
* Ring 0 – kernel-mode
* Ring -1 – hypervisor

Bridging the rings
* SYSENTER
* System call
* Interrupt …

Hacking, Malware

Some notes on malware – Part 2

Keyloggers
* Software based.
* Hardware based.
* User/Kernel based.
* Windows/Linux based.
* Hook based.

Typical install locations
This is rather a long list, a few examples follow:

Windows
* Application Data\Microsoft\
* System\filename.dll
* Program Files\Internet Explorer\filename.dll
* Program Files\Movie Maker\filename.dll
* All Users Application Data\filename.dll
* Temp\filename.dll

Linux
* /bin/login
* /bin/.login
* /bin/ps
* /etc/
* /etc/rc.d/
* /tmp/
* /usr/bin/.ps
* /usr/lib/
* /usr/sbin/
* /usr/spool/
* /usr/scr/

Local Drives installation
Malware …

Hacking, Malware

Some notes on malware – Part 1

The Motivation Behind Malware these days
This is rather a long list but it can be narrowed down to the following:
* Steal sensitive data (identity theft, illegal immigration, terrorism, drug trafficking, blackmail, etc).
* Banking fraud (credit card fraud, etc).
* Spamming.
* Espionage.
* Advertisements/Click fraud.
* Medical insurance fraud.
* Money.

Propagation Techniques
* Social Engineering (emails, spamming, phishing, office …

Penetration Testing

Debugging Telegram

Debug Mode
To enable debug mode, type debugmode in the settings page of Telegram desktop and confirm it.

Log files
* /home/username/.TelegramDesktop/log.txt
* /home/user/.TelegramDesktop/DebugLogs/tcp_xx_xx.txt
* /home/user/.TelegramDesktop/DebugLogs/mtp_xx_xx.txt
* /home/user/.TelegramDesktop/DebugLogs/log_xx_xx.txt

To disable the debug mode, type in debugmode again.

Burp Proxy Intercept
* Open Telegram settings -> Advanced settings -> Connection type -> HTTP with custom http-proxy. …

C/C++, libCurl

Send email with attachment using Gmail, C and libcurl – Part 3

Requirements
* A Gmail account (Use a dedicated account! Do not use your personal one!)
* Turn on “Access for less secure apps” under the security settings of the account.
less secure apps
* You may also have to enable IMAP in the account settings.

The following code snippets are from the Post-recon project. This project …

C++, libCurl

libcurl – Disable specific Protocols in Windows builds

libCurl – https://curl.haxx.se/docs/install.html
The configure utility, unfortunately, is not available for the Windows environment; therefore, you cannot use the various disable-protocol options of the configure utility on this platform. However, you can use the following defines to disable specific protocols:
* HTTP_ONLY – disables all protocols except HTTP
* CURL_DISABLE_FTP – disables FTP
* CURL_DISABLE_LDAP – disables LDAP
* CURL_DISABLE_TELNET – disables TELNET
…

C/C++, libCurl

Send email using Gmail, C and libcurl – Part 1

libcurl is a free and easy-to-use client-side URL transfer library, supporting DICT, FILE, FTP, FTPS, Gopher, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, Telnet and TFTP. libcurl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+password authentication (Basic, Digest, NTLM, Negotiate, …

Debian, Linux, SmokingLinuxEveryDay

p7zip – file archiver

p7zip is the Unix command-line port of 7-Zip, a file archiver that handles the 7z format which features very high compression ratios. p7zip provides:
– /usr/bin/7zr – a standalone minimal version of the 7-zip tool that only handles 7z, LZMA and XZ archives. 7z compression is 30-50% better than ZIP compression.
– /usr/bin/p7zip – a …

Hardening, Microsoft Windows server 2016

Windows Server Hardening – Account Policies

The following were tested on Windows Server 2016 (screenshots included).

Account Policies
Password Policy
1. Ensure ‘Enforce password history’ is set to ‘24 or more password(s)’
Description: This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value …