My Python Framework v1.0

Python-Framework-v1.0

This framework is nothing but a Python GUI-based 1. port scanning and 2. banner grabbing tool.

A simple Python script can also change the scenario of your assignment. This tool also does banner grabbing with the help of Python's low-level network interface, sock.recv(). Because recv() blocks until the remote service sends something or the socket timeout fires, the output may take some time to appear on screen. The whole thing is a GUI-based Python platform. Please contact me with questions, comments and feedback at "niraj007m[at]gmail[dot]com".

Required Packages details:

  1. Python 2.7.11+
  2. Tkinter (bundled with the standard CPython 2.7 installer; it is not a pip package, so on Debian/Ubuntu install the python-tk package instead)

Very soon we will add more scripts to this framework so that it can cover complete security testing.
Github Repo: https://github.com/niraj007m/Python-Framework-v1.0

[Screenshots: PFv1_screenshot_1, PFv1_screenshot_2, PFv1_screenshot_3]
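As an added example (not the framework's own code, and Python 3 rather than the 2.7 the framework targets), here is the core of a port scan with sock.recv() banner grabbing. A throwaway listener on 127.0.0.1 stands in for a real service so the whole thing runs offline; for real use point scan() at a host you are authorised to test. It also shows the caveat behind the on-screen delay: a service that waits for the client to speak first (HTTP, for instance) never volunteers a banner, so recv() sits there until the socket timeout fires.

```python
"""Port scan plus banner grab with plain sockets (Python 3, standard library).

Added example, not the framework's own code. A throwaway listener on 127.0.0.1
stands in for a real service so the example runs offline."""
import socket
import threading

CONSTRUCTED_BANNER = b"SSH-2.0-Example_Banner\r\n"  # constructed sample banner


def start_listener(banner=CONSTRUCTED_BANNER):
    """Start a TCP listener on an ephemeral 127.0.0.1 port. A non-empty `banner`
    is sent as soon as a client connects (like SSH/SMTP/FTP); an empty one makes
    the service stay silent until the client speaks (like HTTP).
    Returns (listening_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:            # listener closed
                return
            with conn:
                if banner:
                    conn.sendall(banner)
                else:
                    try:
                        conn.recv(1)   # silent service: wait for a client that never talks
                    except OSError:
                        pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def grab_banner(host, port, timeout=2.0, max_bytes=1024):
    """Connect and read whatever the service volunteers first.
    Returns ("closed", b"") or ("open", banner_bytes). An open but silent port
    yields ("open", b"") only after `timeout` seconds: that wait is the delay
    a banner-grabbing GUI shows on screen."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except OSError:                    # refused, unreachable or timed out
        s.close()
        return ("closed", b"")
    try:
        data = s.recv(max_bytes)
    except socket.timeout:
        data = b""
    finally:
        s.close()
    return ("open", data)


def scan(host, ports, timeout=1.0):
    """Return {port: banner_text} for every open port in `ports`."""
    results = {}
    for p in ports:
        state, banner = grab_banner(host, p, timeout)
        if state == "open":
            results[p] = banner.decode("ascii", "replace").strip()
    return results


def closed_port():
    """Pick a port that is almost certainly closed right now: bind an ephemeral
    port, note its number, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, port = start_listener()
    print(scan("127.0.0.1", [port, closed_port()]))
    srv.close()
```

The per-port timeout is the knob that trades scan time against missed silent services; a scanner that sends a protocol-appropriate probe (an HTTP request, for example) when recv() times out gets banners from those too.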

How to do reverse engineering on an AutoIt-scripted keylogger?

Question:
How to analyse a keylogger installed on our system so as to get the user id and password bound to the keylogger? The id is a Gmail one and hence Wireshark is not showing anything, due to an SSL connection. Also, due to the use of an L3 switch, MITM from BT is not working.
Is there any other way or tool that can help me get these things?
The keylogger is scripted in AutoIt.
infosecplatform: Before going to reverse engineering, let others understand: what is AutoIt, and what is an AutoIt keylogger?

AutoIt is a freeware BASIC-like scripting language designed for automating the Windows GUI and general scripting. It uses a combination of simulated keystrokes, mouse movement and window/control manipulation in order to automate tasks in a way not possible or reliable with other languages (e.g. VBScript and SendKeys). AutoIt is also very small, self-contained and will run on all versions of Windows out-of-the-box with no annoying "runtimes" required!

AutoIt was initially designed for PC “roll out” situations to reliably automate and configure thousands of PCs. Over time it has become a powerful language that supports complex expressions, user functions, loops and everything else that veteran scripters would expect.

Features:

— Easy to learn BASIC-like syntax
— Simulate keystrokes and mouse movements
— Manipulate windows and processes
— Interact with all standard windows controls
— Scripts can be compiled into standalone executables
— Create Graphical User Interfaces (GUIs)
— COM support
— Regular expressions
— Directly call external DLL and Windows API functions
— Scriptable RunAs functions
— Detailed helpfile and large community-based support forums
— Compatible with Windows 2000/XP/2003/Vista/2008/Windows 7/2008 R2
— Unicode and x64 support
— Digitally signed for peace of mind
— Works with Windows Vista’s User Account Control (UAC)

AutoIt has been designed to be as small as possible and stand-alone with no external .dll files or registry entries required making it safe to use on Servers. Scripts can be compiled into stand-alone executables with Aut2Exe.

Also supplied is a combined COM and DLL version of AutoIt called AutoItX that allows you to add the unique features of AutoIt to your own favourite scripting or programming languages! AutoIt continues to be FREE

Source URL: http://www.autoitscript.com/site/autoit/
(Book) AutoIt v3: Your Quick Guide: http://shop.oreilly.com/product/9780596515126.do
(Book) Windows Admin Scripting Little Black Book, 2nd Edition: http://shop.oreilly.com/product/9781932111873.do


Let's now look at some malware/worm examples that have already been analysed by the Microsoft Malware Protection Center.

Encyclopedia entry: Worm:Win32/Autorun.AGU
Encyclopedia entry updated: Jan 14, 2013 | Published: Dec 25, 2012
Aliases: Trojan.MSIL.Agent.akng (Kaspersky)
Alert level: Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection initially created:
Definition: 1.141.2186.0
Released: Dec 19, 2012

System changes
The following system changes may indicate the presence of this malware:

The presence of the following files:

c:\documents and settings\administrator\local settings\temp\windows.exe
c:\documents and settings\administrator\start menu\programs\startup\55b3825ee39ada2fcddf7c7accbde69e.exe

— The presence of the following registry modifications:
Adds value: "55b3825ee39ada2fcddf7c7accbde69e"
With data: ""c:\documents and settings\administrator\local settings\temp\windows.exe" .."
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

— Adds value: "C:\Documents and Settings\Administrator\Local Settings\Temp\windows.exe"
With data: "c:\documents and settings\administrator\local settings\temp\windows.exe:*:enabled:windows.exe"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

— Removable drives
Worm:Win32/Autorun.AGU may create the following files on targeted drives when spreading:
<targeted drive>:\55b3825ee39ada2fcddf7c7accbde69e.exe

Source URL: http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fAutorun.AGU
Quick overview of Worm:Win32/Autorun.AGU

Here is the naming standard for malware/worms:
Worm:Win32/Autorun.AGU follows Type:Platform/FamilyName.Variant!Additional_information

Now we understand two things from this post:
1) The scripting language, AutoIt, and the AutoIt keylogger
2) An example of an AutoIt worm (Worm:Win32/Autorun.AGU):
— System changes: presence of files on the Windows platform
— Installation location
— Spreading location/information
— Payloads and contact with a remote host


Now we come to your question; let's divide it (due to insufficient input to us):

1) How to analyse the keylogger installed on your system (Wireshark, SSL connections, or any other tool)
2) Can we analyse those packets with Wireshark over SSL connections?
3) L3 switch MITM (man in the middle) in BT is not working

1st question is about analysing the keylogger.
From my previous example of the AutoIt malware Worm:Win32/Autorun.AAO (it's different now), we understand system changes, location, presence, spread, payloads, etc.

Now we can focus on packet analysis: either your worm/keylogger contacts a remote host, so we have to analyse/understand the packets travelling through your machine, or those packets you are installing yourself.

Let's analyse the installed packet/worm/keylogger. AutoIt keyloggers/malware have their own custom packers; initially we cannot examine them, so we have to try out various unpackers.

Well, there is a lot more on Google to study, so I am not explaining the various packers etc. in detail; we move directly to the unpacker known as PEiD.
PEiD: http://www.aldeid.com/wiki/PEiD
Description: PEiD detects most common packers, cryptors and compilers for PE files. It can currently detect more than 470 different signatures in PE files.
With the help of PEiD we get (suppose) the packer named UPX.
UPX URL: http://upx.sourceforge.net/
Decompress that packer with UPX.
Find the AutoIt script string within your keylogger's scripting.
Many reverse engineers use an AutoIt decompiler, so grab and drag your AutoIt script into an AutoIt decompiler, for example myAut2Exe, the best-known decompiler.

Hopefully you will get many things after following these steps.

2nd question is about Wireshark:
With SSL traffic, you wouldn't be able to read any of the data contained in the packets, and you certainly wouldn't see all usernames and passwords transmitted in the clear. (Source: Practical Packet Analysis, 2nd Edition, topic: Protocol Dissection, page 74.)
Basic username & password capture image example URL by SANS:

3rd question is about MITM configuration: mostly the BT forum can help you a lot more than I can.
Thread name: Sniffing SSL traffic using MITM attack / ettercap, fragrouter, webmitm and dnsspoof.
Thread URL: http://www.backtrack-linux.org/forums/showthread.php?t=6021
Source URL: http://www.backtrack-linux.org/forums/forum.php, or paste your actual configuration/steps so that we can help you.

A different packer reverse engineering URL: http://blogs.technet.com/b/mmpc/archive/2011/06/27/malware-packer-integrates-with-upx.aspx

Hopefully we all learn a lot from such reverse engineering topics. Keep posting!
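As an added example (not from the thread, and not PEiD's, UPX's or AutoIt's own code), here is the unpack-and-identify step of the answer in Python 3: read the PE section table for the UPX0/UPX1 section names that PEiD's signature keys on, strip the layer with `upx -d` when the real upx binary is installed, then look for the compiled-script markers ("AU3!EA06" and the "This is a compiled AutoIt script" notice that Aut2Exe embeds) which tell you a decompiler is the next stop. Two caveats the answer glosses over: PEiD only identifies the packer, the decompressing is UPX's job; and the AutoIt markers sit inside the compressed data, so they only show up after unpacking. The PE blobs in the test are constructed, not real samples.

```python
"""Static triage for a suspected AutoIt keylogger (Python 3, standard library).

Added example, not the thread's, PEiD's or UPX's code. Chain: spot the UPX layer
from the PE section names, strip it with `upx -d` if upx is available, then look
for the compiled-AutoIt markers that say a decompiler is the next tool."""
import shutil
import struct
import subprocess

# Known markers: UPX-packed PEs carry UPX0/UPX1 sections; compiled AutoIt v3
# scripts embed "AU3!EA06" and the AV-support notice below.
UPX_SECTIONS = (b"UPX0", b"UPX1")
AUTOIT_MARKERS = (b"AU3!EA06", b"This is a compiled AutoIt script")


def pe_section_names(data):
    """Section names from a PE image, [] if `data` is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    names = []
    for i in range(n_sections):
        off = table + i * 40                   # IMAGE_SECTION_HEADER is 40 bytes
        if off + 8 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def looks_upx_packed(data):
    names = pe_section_names(data)
    return any(s in names for s in UPX_SECTIONS)


def autoit_markers(data):
    return [m for m in AUTOIT_MARKERS if m in data]


def unpack_upx(path):
    """Run `upx -d` in place. False if upx is not installed or fails."""
    upx = shutil.which("upx")
    if upx is None:
        return False
    return subprocess.run([upx, "-d", path], capture_output=True).returncode == 0


def triage(data):
    return {"pe": bool(pe_section_names(data)),
            "upx": looks_upx_packed(data),
            "autoit": autoit_markers(data)}


def build_fake_pe(section_names, tail=b""):
    """Constructed minimal PE-shaped blob for testing: DOS stub, COFF header with
    an empty optional header, the section table, then `tail`. Not runnable code."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE header at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + coff + table + tail


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        report = triage(f.read())
    if report["upx"] and unpack_upx(sys.argv[1]):       # re-check after stripping UPX
        with open(sys.argv[1], "rb") as f:
            report = triage(f.read())
    print(report)
```

Run it on a copy of the sample, never the only one: `upx -d` rewrites the file in place.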
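The system changes quoted from the encyclopedia entry are also a cheap hunt on a suspect box. As an added example (not Microsoft's and not the thread's code), the script below parses a `reg export` of the Run key and the XP firewall AuthorizedApplications list and flags entries that run an executable from a Temp or Startup folder or carry a 32-hex-character, hash-like name, which is exactly the pattern shown for Worm:Win32/Autorun.AGU; the same rules run over a directory listing of the Startup folder. The .reg text and the listing are constructed for the example; on a real machine you would feed it the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg`.

```python
"""Hunt for the persistence pattern in the Worm:Win32/Autorun.AGU entry.

Added example (Python 3, standard library), not Microsoft's or the thread's
code. Parses a `reg export` of the Run key and the firewall
AuthorizedApplications list, then flags values that run from Temp/Startup or
carry a 32-hex-character name; the same rules run over a directory listing."""
import re

# Constructed sample export: the two keys from the encyclopedia entry, each with
# the malicious value plus one benign value for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"55b3825ee39ada2fcddf7c7accbde69e"="\"c:\\documents and settings\\administrator\\local settings\\temp\\windows.exe\" .."
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\windows.exe"="c:\\documents and settings\\administrator\\local settings\\temp\\windows.exe:*:enabled:windows.exe"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
'''

# Constructed listing of the Startup folder on the same box.
SAMPLE_STARTUP = [
    r"c:\documents and settings\administrator\start menu\programs\startup\55b3825ee39ada2fcddf7c7accbde69e.exe",
    r"c:\documents and settings\administrator\start menu\programs\startup\desktop.ini",
]

SUSPECT_DIRS = ("\\local settings\\temp\\", "\\appdata\\local\\temp\\", "\\startup\\")
EXEC_EXT = (".exe", ".scr", ".com", ".bat", ".vbs")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data


def _unescape(s):
    # .reg escaping: a backslash doubles itself and escapes quotes
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key: {value_name: string_data}} for the string values in a .reg export."""
    out, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            out.setdefault(key, {})
        elif key and line.startswith('"'):
            m = VALUE_RE.match(line)
            if not m:
                continue
            name, data = _unescape(m.group(1)), m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = _unescape(data[1:-1])
            out[key][name] = data
    return out


def first_path(data):
    """Executable path from a quoted command line or the firewall path:*:Enabled:Name form."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split(":*:")[0]


def hash_like(s):
    s = s.lower()
    if s.endswith(".exe"):
        s = s[:-4]
    return re.fullmatch(r"[0-9a-f]{32}", s) is not None


def reasons_for(name, path):
    path = path.lower()
    reasons = []
    if path.endswith(EXEC_EXT) and any(d in path for d in SUSPECT_DIRS):
        reasons.append("runs from a Temp/Startup folder")
    if hash_like(name) or hash_like(path.rsplit("\\", 1)[-1]):
        reasons.append("32-hex (hash-like) name")
    return reasons


def flag_persistence(reg):
    """Suspicious registry values as dicts: key, name, path, reasons."""
    hits = []
    for key, values in reg.items():
        for name, data in values.items():
            path = first_path(data)
            reasons = reasons_for(name, path)
            if reasons:
                hits.append({"key": key.rsplit("\\", 1)[-1], "name": name,
                             "path": path, "reasons": reasons})
    return hits


def flag_files(paths):
    """Same rules over a directory listing (for example the Startup folder)."""
    return [p for p in paths if reasons_for(p.rsplit("\\", 1)[-1], p)]


if __name__ == "__main__":
    for hit in flag_persistence(parse_reg(SAMPLE_REG)):
        print(hit)
    print(flag_files(SAMPLE_STARTUP))
```

The firewall list entry is the one most triage scripts forget: a Temp-resident binary that has authorised itself through the Windows Firewall is as strong a signal as the Run key.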

Introduction To Malware Analysis

In this session, Lenny Zeltser will introduce you to the process of reverse-engineering malicious software. He will outline behavioral and code analysis phases, to make this topic accessible even to individuals with a limited exposure to programming concepts. You’ll learn the fundamentals and associated tools to get started with malware analysis.

Keep updating the list so that newbies can learn from it! Let me know about new URLs and we will add them here. Thank you, guys.

Source link 1: http://www.securitytube.net/video/882
Source link 2: http://www.securitytube.net/video/5154

Dexter – Android apps analysis !!

“Dexter” reminds us a lot of the Cartoon Network channel in the 20th century. Now it is the Android phone's turn to bring back memories for the next generation.

Here is another Dexter, introduced by Bluebox. Let's share the knowledge and links about it.

Bluebox Labs is proud to present Dexter, a free Android application analysis framework with a rich web-based user interface. The tool extracts information from either legitimate or malicious Android application packages (APKs) and produces various views of the package & application contents.

Source URL:
http://bluebox.com/technical/blueboxs-dexter-free-android-analysis-tool/
Homepage URL:
https://dexter.bluebox.com/

Source link of the mobile threats report analysis:
http://www.juniper.net/us/en/local/pdf/additional-resources/jnpr-2011-mobile-threats-report.pdf

Happy Learning !!


Small but effective script on domain scanning by (Fierce) ha.ckers.org!

Hi Auditors,

After a long break, with new people and new terms, here is my next share: a very small but effective script known as Domain Scanning.
Yes, it's Fierce Domain Scan!

Well, the whole story from the author is written on their website, so I am directly pasting some commands that help a web security auditor find out many things about the target host.

  • perl fierce.pl -dns target-domain.com -search string1,string2
  • perl fierce.pl -range 10.10.10.0-255 -dnsserver ns1.example.com
  • perl fierce.pl -dns example.com -wide -file output.txt
  • perl fierce.pl -dns example.com -connect headers.txt -fulloutput -file output.txt
  • perl fierce.pl -dns example.com -wordlist dictionary.txt -file output.txt
  • perl fierce.pl -help

Thanks to RSnake and team for their wonderful efforts on such Perl scripts.
Fierce is written in Perl, so we can easily read the script and follow its functions.
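Added example, not fierce's own code: a Python 3 sketch of what the -wordlist and -wide options above do, so the logic is clear before you read the Perl. It checks for a wildcard record first (a wildcard would make every guess "resolve"), brute-forces subdomains from a wordlist, then reverse-looks-up the IPs adjacent to each hit and keeps the ones whose PTR names fall under the target domain. The DNS data is a constructed in-memory zone on TEST-NET-3 addresses so it runs offline; pass live_forward/live_reverse to use the real resolver against a domain you are authorised to test. The zone-transfer attempt fierce makes first is left out.

```python
"""fierce-style DNS reconnaissance in miniature (Python 3, standard library).

Added example, not fierce's code. Constructed in-memory DNS data replaces real
answers so it runs offline; pass resolve=live_forward, reverse=live_reverse to
run it for real."""
import ipaddress
import random
import socket
import string

# Constructed zone (TEST-NET-3). "vpn" is not in the wordlist and is only found
# by sweeping the addresses next to the hits; the hosting-provider name is a
# neighbour that does not belong to the target and must be filtered out.
FAKE_FORWARD = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.11",
    "dev.example.com": "203.0.113.25",
}
FAKE_REVERSE = {ip: name for name, ip in FAKE_FORWARD.items()}
FAKE_REVERSE["203.0.113.12"] = "vpn.example.com"
FAKE_REVERSE["203.0.113.13"] = "shared.hosting-provider.net"


def fake_forward(name):
    if name in FAKE_FORWARD:
        return FAKE_FORWARD[name]
    raise socket.gaierror(-2, f"no such host: {name}")


def fake_reverse(ip):
    if ip in FAKE_REVERSE:
        return FAKE_REVERSE[ip]
    raise socket.herror(1, f"no PTR: {ip}")


def live_forward(name):
    return socket.gethostbyname(name)


def live_reverse(ip):
    return socket.gethostbyaddr(ip)[0]


def detect_wildcard(domain, resolve=fake_forward):
    """If a random label resolves, the zone has a wildcard; return its IP."""
    label = "".join(random.choice(string.ascii_lowercase) for _ in range(16))
    try:
        return resolve(f"{label}.{domain}")
    except OSError:              # gaierror/herror are OSError subclasses
        return None


def brute_subdomains(domain, wordlist, resolve=fake_forward, wildcard_ip=None):
    """-wordlist: try each word as a label, ignoring answers that are just the wildcard."""
    found = {}
    for word in wordlist:
        fqdn = f"{word}.{domain}"
        try:
            ip = resolve(fqdn)
        except OSError:
            continue
        if ip != wildcard_ip:
            found[fqdn] = ip
    return found


def neighbours(ip, width=5):
    """Addresses within +/-width of ip (the -wide / traverse idea)."""
    base = int(ipaddress.IPv4Address(ip))
    return [str(ipaddress.IPv4Address(base + d))
            for d in range(-width, width + 1)
            if d != 0 and 0 <= base + d <= 0xFFFFFFFF]


def sweep_reverse(ips, domain, reverse=fake_reverse):
    """PTR-lookup each IP; keep only names under the target domain, as fierce does."""
    suffix = "." + domain.lower()
    hits = {}
    for ip in ips:
        try:
            name = reverse(ip)
        except OSError:
            continue
        if name.lower().endswith(suffix):
            hits[ip] = name
    return hits


def fierce_lite(domain, wordlist, width=5, resolve=fake_forward, reverse=fake_reverse):
    """Returns (wordlist hits, extra hosts found by sweeping around those hits)."""
    wildcard_ip = detect_wildcard(domain, resolve)
    found = brute_subdomains(domain, wordlist, resolve, wildcard_ip)
    candidates = set()
    for ip in found.values():
        candidates.update(neighbours(ip, width))
    candidates -= set(found.values())
    extra = sweep_reverse(sorted(candidates, key=ipaddress.IPv4Address), domain, reverse)
    return found, extra


if __name__ == "__main__":
    print(fierce_lite("example.com", ["www", "mail", "dev", "ftp"]))
```

Against a live resolver this is noisy by design (every wordlist entry is a query the target's DNS sees), which is why fierce tries a zone transfer first and why you should run it only with authorisation.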

Here are the two files of Fierce Domain Scan: fierce.pl & hosts.txt

Do I need to describe it? Nah, it's awesome to work with the script!

Happy Scripting !!

Short-basket note on Information Security !!

When I was reading the book Linux Security (Craig Hunt Linux Library) by Ramón J. Hontañón, I came across a very beautiful description of information security.

Security is not a product. It is not software, and it is also not simply an excuse for a consulting engagement. It is a discipline that needs to be taken into consideration in any decision that you make as a network and system administrator. Security does not start or stop. You cannot install security, and you can't even buy security. Security is training, documentation, design decisions, and appropriate implementations. And the most important aspect of security is monitoring and honing your security policies as needed.

Well, many organizations carry out security auditing (VAPT) tasks, but they don't follow security policies. They even fail to organize security training for their employees. They create disgruntled employees, maybe due to senior management ego, attitude, etc., and that is the loophole through which that company's data leaks. (See my earlier article.)

WH-Type Questions on Vulnerability Assessment and Penetration Testing !

Many times we forget to take the output from automated tools or manual testing; we generally work on raw data, data which we have to arrange in a way that the client can understand the risk rating of the respective target. It is the tester's skill to present highly confidential data in front of the client.

Module O

Wh-type questions on VAPT


Before going to VAPT, we must know some criteria behind information security. Everyone has a different point of view from which to explore their knowledge of any information security topic. Here are some summary questions; by searching out the answers to them you can surely create your own documentation!

General Questions on Information Security:-

What is information/data Security ?
What is Confidentiality ?
What is Integrity ?
What is Availability ?
What is Ethical Hacking ?
What are the classification of hackers ?

Future Questions:-

What is the history of hacking ?
Why would you want to know the history of hacking? Then go ahead and discover the future of hacking ;)

Motivation behind hacking:-

What is your purpose in hacking? Money, profit, political views, competitive strategy, attitude,
personal grievance, curiosity, mischief, attracting attention, credit?

Optional Question on hacking:-

What is your point of view about hacking?

A). Easy B). Hard C). neither easy nor hard D). Depends E). Not Applicable

Actual Terms in Ethical hacking:-

What is Vulnerability ?
What are Threats ?
What is Risk Management ?
What is IT Security Audit ?
What is LAW for ethical hacking in your country/state ?
What are the types of security test ?
What is Vulnerability Assessment ?
What is Penetration Testing ?
What is White Box and Black Box Testing ?
What are “Red Teams” ?

Actual Methodology of Testing:-

What is Testing Methodology ?

To be continued…