Monthly Archives: June 2013

Nmap Static File Fingerprinter

Nmap is one of the most indispensable tools in a network engineers analyst toolkit. Whether it is to fingerprint an OS or check for signs of infection, Nmap has plugins or scan modes that’ll help you. The most interesting part about Nmap is its scripting engine. The NSE or Nmap Scripting Engine allows you to create scripts in Lua which are able to access the scan results of Nmap and act on it. It allows you to create customized scripts that do everything from crawling web applications to checking for Conficker infections.

I’ve been working on a script that would enumerate web applications using hashes. Currently the http-enum library recognizes web applications by grepping the entire page, which is resource intensive and prone to false positives. This script stores the hashes of static files in web applications in a separate file. When the script is executed with a resource parameter which contains the file to check for, the file is obtained from the server, hashed and the hash is compared to the list. This allows you recognize web applications based on their files.

Code: https://gist.github.com/Sp3ctr3/5786362

Database file:https://gist.github.com/Sp3ctr3/5788511

Put the static file in nselib/data folder

It’ll be better to install the latest nmap version from svn since it’ll have the latest version of NSE too.  Run:
svn co https://svn.nmap.org/nmap
./configure
make
make install

Copy staticfile.db to /usr/share/nmap/nselib/data and the http-staticfile.nse to /usr/share/nmap/scripts

To scan the changelog file of a web application located at /changelog.txt use nmap as follows:
nmap --script http-staticfile --script-args=resource=/changelog.txt target_ip

This will scan the web applications changelog.txt file and return an entry if it’s found in the hash list.

 

Raspberry Pi Malware Scanner

USB devices are the bane of security conscious personnel in corporate environments. No matter how secure the network perimeter is, the moment an unwitting person brings in a USB storage device containing a malware, the entire system will be compromised. This is how malware such as Flame and Stuxnet spread.
IcarusLabs, Cyber Security & Privacy Foundation have created a program that would turn the Raspberry Pi, a small computer running Linux, into a handheld malware scanner. A person can plug in a USB that is to be scanned into the device. The Pi will scan all the files in the device and check the signatures of 44 different antivirus providers to see if the file is malicious or not. This is done by obtaining a unique value associated with every file, called an MD5 hash, for each file and then submitting it to a server for processing. The server will see if the file is present in its malware database and respond accordingly.
The red LED lights up when a malware is detected in the USB
As a device this has many uses. In certain corporate environments, USB devices are not allowed because they would contain malware. This device can be deployed at entrypoints where it will be used to scan the USBs that are allowed in. This will prevent malicious software from getting in. The program is also made in such a way that once it is started, no further maintenance would be necessary. Even non technically oriented personnel like security guards can use it.
Currently it has been developed as a proof of concept. If any organisation would like to know more, all communications should go through  [email protected] .

PyTriage

I’ve been reading the Malware Analyst’s Cookbook for the past few days and I got inspired by the programming recipes shown in the book to create an integrated malware analysis framework. I’ve created a bare bone version of it and I intend to add more functionality to it. My intention was to create a program that would allow an analyst to obtain all the information about a file on one screen instead of using multiple tools and pooling the data. As of now only static analysis and signature generation for Yara and ClamAV is implemented. I hope to add dynamic analysis and some disassembly functionality later on.

You can get PyTriage from:

https://github.com/Sp3ctr3/PyTriage

There are some dependencies that you will need to satisfy first: Simplejson, magic and pefile.

For simplejson refer to my earlier post. For python magic
sudo apt-get install python-magic

and pefile can be obtained by:
sudo pip install pefile

Once you have the requirements for the script satisfied, you might need to install clamAV and Yara for trying out the signatures that are automatically generated by the application:
sudo apt-get install clamav

Yara can be downloaded from https://code.google.com/p/yara-project/.

The program has a curses GUI and can be launched by typing:
python pytriage.py

The initial screen that you get should look something like this:

pytriage1
Each of the red letters are hotkeys. We have to choose a file first, so we press F:

pytriage2

and then O.

pytriage3

 

A listing of the files in the current folder will appear. Type the number of the file that you want to analyse and press Enter.

pytriage4

To see a basic overview of the files properties press I. The info tab will open up:

pytriage5

 

As you can see, it has important information like the MD5 and SHA1 hashes of the file, what all sections are there in the PE alongside their hashes and their sizes and the type of file present.

To see the imported DLLs as well as the exported function can be seen by pressing A. This switches over to Advanced tab showing:

pytriage6

The program has functionality that allows you to upload the hashes of the file to VirusTotal and check if it’s malicious. To use this, press S. The script will switch to the Submit tab. You have to wait a few seconds as it is querying the database of VirusTotal. Since I was using the Stuxnet sample, the following will be the result.

pytriage7

Now that we know that file is malicious, we can generate signatures for it in the Generate tab. Press G:

pytriage8

PyTriage will allow you to generate signatures for Yara and ClamAV. To generate for Yara, press Y or for ClamAV press C.

The Clam signature will be written to clam.hdb and Yara signature to sig.yara.

 

Yashin Mehaboobe

 

VirusTotal Scanner

Malware analysis is a very exciting but long task. Sometimes instead of reinventing the wheel, you need to just check if the binary you’re analyzing has already been detected and analyzed by the major AntiVirus companies. There are various sites that allow you to submit binaries and check them against a large list of AV databases. I’ve written a short script here that’ll allow you to automate the process.

https://gist.github.com/Sp3ctr3/5689969

import sys
try:
 from termcolor import colored,cprint
except:
 print "[*]Please install termcolor[*]"
 sys.exit()
try:
 import simplejson
except:
 print "[*]Please install simplejson library[*]"
import urllib
import urllib2
import hashlib
import os
def check(rsc,file):
    parameters= {"resource":rsc,"apikey":"VIRUS_TOTAL_KEY"}  
    data = urllib.urlencode(parameters)
    req = urllib2.Request(url,data)
    response = urllib2.urlopen(req)
    try:
     dt=simplejson.load(response)
    except:
     cprint(file+": Server Error","yellow")
     return
    if dt and dt.get('positives'):
     cprint("%s INFECTED Detections:%d AV "%(file,dt.get('positives')),'red')
     dt=""
    else:
     cprint("%s CLEAN"%(file),'green')
if len(sys.argv) is not 3:
 print "Usage:\n"+sys.argv[0]+" OPTIONS"
 print "OPTIONS:\n -f file_name\n -d directory_name"
 sys.exit()
url= "https://www.virustotal.com/vtapi/v2/file/report"
if sys.argv[1]=="-d":
 path=sys.argv[2]
 for (path, dirs, files) in os.walk(path):
  for file in files:
     f = open(os.path.join(path,file),'rb')
     filehash = hashlib.md5()
     response=None
     while True:
         data = f.read(10240)
         if len(data) == 0:
             break
         filehash.update(data)
     rsc=filehash.hexdigest()
   # print rsc
     check(rsc,file)
if sys.argv[1]=="-f":
 f=open(sys.argv[2])
 filehash=hashlib.md5()
 while True:
   data = f.read(10240)
   if len(data) == 0:
    break
   filehash.update(data)
 rsc=filehash.hexdigest()
 check(rsc,sys.argv[2])

This python script will scan the directories or a specific file that you specify and will upload the MD5 to the VirusTotal servers for checking. It’ll return information on whether the file is infected and if it is, how many AVs recognize it.

Please note that you need to have termcolor and simplejson installed on your system. This can be installed via pip:

First install pip:

sudo apt-get install pip

Then install termcolor and simplejson modules via pip:

sudo pip install termcolor simplejson

For Windows user prepackaged binaries are available at:

http://www.lfd.uci.edu/~gohlke/pythonlibs/

 

After you have installed both, you’ll need to apply for an API key from VirusTotal. It’s free and instantly available at www.virustotal.com . Once you get it paste it in the script in the VIRUS_TOTAL_KEY. Now you’re script is ready for scanning.

To scan a file run:

python avcheck.py -f FILE_NAME

To scan a directory:

python avcheck.py -d FOLDER_NAME

Detections will be displayed in red. Please note that the public API limits requests to 4 requests per minute. If you need more, contact VirusTotal for a private API.

A quick demonstration:

I’m downloading a few malware samples to show you that the script works. I get the Duqu and Stuxnet samples from http://openmalware.org/ and eicar.com malware test file from www.eicar.org/download/eicar.com.txt .

I put them all in a folder named malcode along with a file containing the string “benign” as a test case and ran:
python avcheck.py -d malcode/

Note that the EICAR file shows detection across all AVs.

Note that the EICAR file shows detection across all AVs.

 

Yashin Mehaboobe

ATM Security

Here in India, everyone has an ATM card. But most are not aware of the security that is being implemented in these cards and so is often scammed out of money. Card skimmers or carders as they are known in the hacker community are purely motivated by money and will stop at nothing to get yours. The technological sophistication of similar criminals range from the local ruffian who will snatch your wallet and extort the pin out of you to the techno-crooks who will fit skimming machines to the Point of Sale devices in most retail shops. Let’s first go over what protections,if any, your ATM card offers against such attackers. Your account data is stored in your ATM card along with a PIN verification number. Most banks in India today store this in the form of magnetic stripes. These are the black stripes you see along the top end of the back side of your card. If the PIN you enter does not match the one indirectly stored on the card, then the transaction won’t go through. Once the ATM makes sure the PIN and the card matches, it usually contacts the Bank via a dial up connection. It then goes through with the transaction if the account has sufficient balance. Some banks issue a card with electronic chip technology to further improve the security.

Seems like a pretty secure mechanism overall doesn’t it?
Unfortunately no.
There are various ways in which the carders can get money from you and in some cases just “jackpot” the entire ATM.
Most successful cases of ATM fraud comes from skimming machines. These are little devices attached to the ATMs as unobtrusively as possible. The thing about magnetic stripes on the back of the ATM cards is that the data can be read off these using openly available machines. From there it’s a short jump to creating readers that will fit over the ATM card receptacle. The look of the skimming machine will vary from case to case. The advent of 3d printers have made it very simple to create look alikes. But in most cases these will be flimsy and fitted loosely to the original machine. Here are a few pictures courtesy of  www.krebsonsecurity.com:
ATM skimmer removed.
Pin Hole Camera in an ATM skimmer

These machines will grab Track 1 and Track 2 information off a magnetic stripe. These are the information that identifies a card and contains the PIN verification key. To get the PIN most skimmers usually use either a pin hole camera or an overlay keypad. The camera will record the PIN visually and

is pretty easy to foil. Just cover the PIN pad with your hands as you type it in. The second is more advanced and requires careful examination to detect. Once the crooks have your magnetic stripe data as well as your PIN, your account is at their mercy. Also be wary of the classic shoulder surfing attack. So how do we detect and prevent such attacks?
  • Always use ATMs you are familiar with.
  • Check the ATM for any signs of tampering.
  • See if there is anything flimsy over  the receptacle.
  • Cover the keypad with your hands as you type in the password.
  • Do not accept help from anyone while conducting a transaction.
  • Be wary of anyone attempting to glance at the keypad while you type in the PIN.
  • Keep an eye on your bill statements to check for any missing funds.

Of course, such attacks are not limited to ATMs. They are also used in POS or Point of Sale devices. The information gathered from all such devices are either stored on onboard memory or sent via wireless connection to nearby receivers. There are even cases of  waiters being paid by criminal organisations to steal credit card data from the diners. So what about these electronic chip ATM cards that are supposed to be pretty secure. The electronic chip itself is very secure. Data can’t be read off it easily. But most cards with chips also have a magnetic strip that is there for backward compatibility. The only thing a skimmer has to do is obtain the track data from the magnetic card, copy it to a similar card and break the chip in the card. When the system can’t process the chip, it will automatically revert to the stripe information. Also there are only a few banks that give out cards containing electronic chips.

There have also been widely publicized reports of merchants storing track data along with PINs that allowed criminals to break into the computers and steal enough information to clone their customers ATM/Debit Cards.
These carders use this stolen track data plus PIN numbers to clear out your bank account or in some cases sell them to the highest bidder. There are various forums and chat rooms dedicated to this form of activity. It is indeed a very lucrative field for criminals.
There have also been reports of ATM cards being trapped inside the machine by another class of malicious devices called trappers. These will trap the ATM card inside the machine, allowing people to steal the card physically. Here’s a picture of trapping device:
Trapper
Removed trapper
Coming to the other side, there are various ways crooks can outright rob an ATM. Most are attacks showcased at DEFCON or BlackHat which are security conferences for hackers. The most alarming one would most probably be the one by Barnaby Jack. He demonstrated a way to make an ATM literally spit out money using a key and a USB! He also discovered that he could find the ATMs that were connected to the Internet, hack them using a tool he wrote (“Dillinger”) and make it issue money endlessly. Brian Krebs reported about a person arrested for successfully hacking into an ATM machine using nothing more than a USB keyboard connected to the port uncovered by removing a camera.
There is also another unconventional attack on ATMs. In a Defcon presentation by Andrea Barisani, it was shown that it is possible to capture keyboard input by plugging specialized instruments in to a power plug in the same building. He pointed out that the PIN pads used in most ATMs are actually just keyboards and so can be monitored in this fashion.
It is also becoming quite common to see projects on freelancer.com asking for custom made banking trojans designed to work on ATMs.
These incidents demonstrate that ATM skimming, like any other crime, is evolving and if we don’t catch up with it we might soon wake up one day without a single penny to our name.
Here are a few links that might help you be prepared against such high tech crimes:
  • www.krebsonsecurity.com (Might be down currently. Due to the nature of his work Kreb’s website is constantly under attack by carders).
  • http://usa.visa.com/personal/security/learn-the-facts/protection-tips/atms-and-retail-store-protection.html
  • http://www.visa.co.in/personal/atm/security.shtml
  • http://www.mastercard.us/atm-safety-tips.html


Yashin Mehaboobe
Security Researcher
CSPF