welcome to netwrkspider

Monday, May 15, 2017

WannaCry DLL operations

Reversing WannaCry DLL operations.


1) Checks to see if task already running by attempting to open mutex with name MsWinZonesCacheCounterMutexA

If already exists, app exits

2) Obtains name of current directory.

3) Reads 780 bytes of information from c.wnry which it expects in current directory. This has
bitcoin and TOR info.

4) Checks if running as LocalSystem. Sets a flag used later when running @wanadecryptor@.exe

5) Resolves api from advapi32.dll

  CryptAcquireContextA
  CryptImportKey
  CryptDestroyKey
  CryptEncrypt
  CryptDecrypt
  CryptGenKey

6) Resolves api from kernel32.dll

  CreateFileW
  WriteFile
  ReadFile
  MoveFileW
  MoveFileExW
  DeleteFileW
  CloseHandle

7) Initializes names of files

00000000.res   - C2 communications
00000000.pky   - Public key used by the ransomware to encrypt the generated AES keys that are used to encrypt the user’s files
00000000.eky   - Encryption key for the t.wnry file which stores the actual file encryption component used by the ransomware.
                 It is encrypted using the public key that belongs to a private key embedded inside the ransomware.


8) creates mutex with name MsWinZonesCacheCounterMutexA and sets the security
ACL to allow EVERYONE full access


9) tries to open 00000000.dky. if available, will import key into Crypto API object.
presumably this would be decryption key from the authors of ransomware..


10) if cannot open *.dky file, will generate new RSA key pair of 2048-bits.
Public key is exported as blob and saved to 00000000.pky
Private key is exported as blob and encrypted with ransomware public key before being saved to 00000000.eky

The RSA public key used to encrypt the users RSA key pair is embedded inside the DLL.

unsigned char wc_key1[] =
{
  0x06, 0x02, 0x00, 0x00, 0x00, 0xA4, 0x00, 0x00, 0x52, 0x53,
  0x41, 0x31, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
  0x75, 0x97, 0x4C, 0x3B, 0x84, 0x46, 0xDE, 0x2C, 0x2A, 0xF4,
  0x95, 0xA8, 0x5D, 0xC0, 0xCD, 0x6D, 0xDA, 0xD7, 0xD4, 0x92,
  0x1E, 0x13, 0x82, 0x34, 0x6A, 0x70, 0x8D, 0x8F, 0x7C, 0xF7,
  0x04, 0x92, 0x55, 0x7F, 0xF1, 0xA2, 0x27, 0xB2, 0x9E, 0x41,
  0xAC, 0x90, 0x80, 0x91, 0x18, 0x93, 0xC2, 0xB1, 0x7B, 0xAD,
  0x2B, 0xF3, 0xFF, 0xAF, 0xDB, 0x2B, 0x51, 0xBE, 0x1D, 0xA3,
  0x27, 0xE3, 0xA7, 0x57, 0x08, 0x5A, 0xBE, 0xC1, 0x1D, 0xF6,
  0x04, 0xF8, 0x1C, 0xBE, 0x5B, 0xB1, 0x67, 0xFB, 0xE4, 0xC8,
  0xDA, 0x75, 0x00, 0x70, 0xB1, 0x17, 0x70, 0x24, 0x6C, 0x09,
  0x63, 0x74, 0xAC, 0x4B, 0x0A, 0x1D, 0x71, 0xAE, 0x7F, 0xAE,
  0x65, 0xB8, 0xC5, 0x86, 0x79, 0xC5, 0x7E, 0x9F, 0x98, 0x60,
  0x4C, 0x52, 0xB9, 0x29, 0x62, 0xCB, 0x23, 0x29, 0xED, 0x31,
  0x91, 0x74, 0x7B, 0x7B, 0x0B, 0x26, 0x1B, 0xF2, 0x7D, 0x67,
  0xBF, 0xDA, 0x7A, 0x40, 0xDA, 0xF2, 0x61, 0x4D, 0x94, 0xA5,
  0x7D, 0xAD, 0x59, 0x6B, 0xAD, 0x9E, 0xA3, 0x3A, 0x39, 0xC6,
  0x5B, 0x6E, 0x9F, 0xD2, 0xBB, 0x36, 0xB5, 0xF5, 0xD2, 0x65,
  0xF5, 0x2C, 0x30, 0xD8, 0xC1, 0x17, 0xBD, 0xAF, 0x28, 0x00,
  0x96, 0x20, 0x46, 0xA7, 0x2D, 0x62, 0x03, 0x0C, 0xD7, 0xD0,
  0x75, 0xA0, 0x0B, 0x07, 0xEA, 0xD4, 0x1F, 0xCA, 0xE8, 0xD9,
  0x4E, 0xDB, 0x38, 0xF2, 0x26, 0x75, 0xCB, 0x12, 0xA6, 0x88,
  0x70, 0x9B, 0xE1, 0xEA, 0x32, 0xDC, 0xF8, 0x71, 0x72, 0x50,
  0x41, 0xE6, 0x17, 0x81, 0x68, 0x27, 0x42, 0x8E, 0xDF, 0xE5,
  0xDE, 0xA1, 0x72, 0xD9, 0x3B, 0xFB, 0xE5, 0x9D, 0x30, 0x11,
  0x69, 0x92, 0xCD, 0x60, 0x2B, 0xE2, 0xD5, 0x46, 0x3C, 0x28,
  0xCF, 0x9D, 0x30, 0x4A, 0xF7, 0xAD, 0xB9, 0xFB, 0x0F, 0x91,
  0xFE, 0x2E, 0xBE, 0x18, 0xF1, 0xCE
};

The AES-128 key generated for each file is derived from CryptGenRandom  which
is cryptographically secure and is not known to have any weakness.

The AES keys are encrypted using the users public key in *.pky.
In order to decrypt, we need the users private key which is
encrypted using a public key owned by the ransomware authors.

Presumably what authors do is decrypt the users private key in *.eky file
using their private key and then send the user a *.dky file
to decrypt files.

WANNACRY RSA keys in PEM format 


-----BEGIN PRIVATE KEY-----
MIIEzAIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDvz+6DC3rbkfGw
yN1gNs9NhfJkNpzMAIRR7ZYg/x6kvtxmcsfWA3TeoygGW8lSpSf53/wPhEVgbYGE
VbBeTI/3zNZtEbHkyCSo7qHyYQoSWbJqbDqFZ3aRjFAnXAaXZGkDN5ZI5Zar16jw
0XcwLdMToKOfzf6R34YKjJ8KiPVOuF0COglhPLEMT2eJHY83gMmJNgHJnMFsDdVe
iGS+jXG8G2MBYBixAoLCqpuC3sRoCpOQyvaJKJ4nE18F1lIdbSVxQ26r++Ov5/ET
IS4/E51wO/1q1RSrHBhhgFt3tsmD9rRYBVYnsOx7UecV9FAazuHvqTLtX9oen9kK
nAQrTStDAgMBAAECggEBAMeL6PbIJanxDgDBk1vNH8BtNd3nh59EytX1cZfxUYla
e8EPv3M4mxXrA5IO7D3FybblhzNOKABt/nikaMZ+xMk4fDBzqegqFj8vmjg6QQw1
8P0XI7b/+axw6f1mWOG+npcbuQTdbft9z0jbs2a2qs3JPH3sBelR6pJ6opg8kIq3
x+DwTGw0XZbFBArggCXtC/nhBeZbFjaGNdeWhQKwyR5p3mzWYNfwsOOzidyznKSd
v6KGpg7I4htRL6RpBfw9HoFOYpP98V+rVokzNWJuBnlcpeByACKqfxX5PMZbWXIJ
z9qgwBDtpw8CawI2HJwqvx0o78pLqjLJQdKrGCqLNTECgYEA+04DlI84yI24JqHN
gvax+7RhQK9AnyN+bNg5bNYGw1zsKxv77AxlThc9HJCI1EgkXrzNZLl5SzZs2cng
PSDni60wZuQ1PbMujd9dkzBI6DTMk99tC+aKuLItCELkxDz5HOFAnGRIBUyK1l+1
r5gMvklb83ivAr4O+dmGrtoS1xkCgYEA9ErzAWMkz+7Hkuy6PDWN7riBSfA7fIHN
QV/O1iP1TkHz01MSgxMtzIW9MK4s5w8C+ikrTe7N6coDnr2mhPORtDshMacXULl7
nOTXyyiJ6Vj+zA0wQKpqxKUt6p8f5td24t48KYF5NiO3ILBOPwG1HZu9Na0hJd/7
5/dG3V4X7LsCgYBNtQTkZhkP4sqjn3q12WSVyWQdJVPdIZORQpcXMWMr+8rHVcLj
bb3RlNv/vi2hPqGIbecxEy0PdcfY3FSrckZG6YnC9yQDbSmjEwOTZOXWb6UmwHqu
qF4S2H2WRWEJ0TTSmlBpS5T9lnqD6Vp77o9aM8LsGVA8j9p/paTA4ova2QKBgHpG
ZXmFSXC2YLheuxzV5XPecAA1OWEpizY0oU+38dm40zUsOHDZEax0KG0MUTdZ4TCb
mKxKYlCpp8Q1wvp6+6wNiKDUtKvYG1I9jPGIGfdtbyNtWoCTjBtfXis4eHxPzpbh
i5Vu09/QYqH+/Ts2PJRUVpFeVeAiS3Eg6Rx2M11vAoGALiV9fnzHRM+0lrsgkGNm
l4HiH38NYj7xBQE68bqFWf206Ztr/0S2JV2cPFm/yO7CN+/4G5O+FHqV09P/QGcj
jeGAWnn++gobKy53OFguXy1PLzLKfeLsQ52qLaa5PLGtk4Kd3FOaFs4oWdKJp4e5
PfhFjlV3/G1AQ4QFEszWgZSgDTALBgNVHQ8xBAMCABA=
-----END PRIVATE KEY-----


-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA78/ugwt625HxsMjdYDbP
TYXyZDaczACEUe2WIP8epL7cZnLH1gN03qMoBlvJUqUn+d/8D4RFYG2BhFWwXkyP
98zWbRGx5MgkqO6h8mEKElmyamw6hWd2kYxQJ1wGl2RpAzeWSOWWq9eo8NF3MC3T
E6Cjn83+kd+GCoyfCoj1TrhdAjoJYTyxDE9niR2PN4DJiTYByZzBbA3VXohkvo1x
vBtjAWAYsQKCwqqbgt7EaAqTkMr2iSieJxNfBdZSHW0lcUNuq/vjr+fxEyEuPxOd
cDv9atUUqxwYYYBbd7bJg/a0WAVWJ7Dse1HnFfRQGs7h76ky7V/aHp/ZCpwEK00r
QwIDAQAB
-----END PUBLIC KEY-----





Tuesday, December 6, 2016

How Hackers can use web bots to guess your Visa card details.

Newcastle University research reveals the ease with which criminals can hack an account without ANY of the card details.
Find out more http://www.ncl.ac.uk/press/news/2016/...

If you've punched in credit card details while shopping online, you've probably wondered how secure those digits are. According to Newcastle University, the answer is: not very. Its researchers have discovered that thieves are using web bots to guess Visa credit and debit card info thanks to a flaw in the company's payment system. The biggest challenge is obtaining valid 16-digit card numbers, usually by buying them or using an algorithm to generate valid examples. After that, the bots find expiration dates and CVVs (that three-digit number on the back) by spreading guesses across hundreds of shopping sites, plugging numbers into fields until they hit the jackpot. While that sounds like a painstaking process, the bots can figure things out in 6 seconds.


 Source : http://www.ncl.ac.uk/press/news/2016/...
               https://www.engadget.com

Friday, October 21, 2016

How to patch COW vulnerablities on REDHAT/CENTOS 4.x/5.x/6.x/7.x & UBUNTU Servers.


A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.

Find out more about CVE-2016-5195 from the MITRE CVE dictionary dictionary and NIST NVD.



How to Test  the vulnerabilities.

A ) For Redhat/Centos Based machine.

wget https://access.redhat.com/sites/default/files/rh-cve-2016-5195_1.sh

Execute the Shell Script to to testing.

bash rh-cve-2016-5195_1.sh




B ) For All Other Linux Distro.

Download the Code:
$ wget https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c

Run it as follows. First be root:
$ sudo -s
# echo this is not a test > foo

Run it as normal user:
$ gcc -lpthread dirtyc0w.c -o dirtyc0w
$ ./dirtyc0w foo m00000000000000000
mmap 56123000
madvise 0
procselfmem 1800000000
$ cat foo
m00000000000000000



How to Patch The cow vulnerabilities?

A) UBUNTU/DEBIAN Linux

Ubuntu users "Dirty COW" recommended Kernels.

Canonical urged all users to patch their systems immediately by installing:

    linux-image-4.8.0-26 (4.8.0-26.28) for Ubuntu 16.10
    linux-image-4.4.0-45 (4.4.0-45.66) for Ubuntu 16.04 LTS
    linux-image-3.13.0-100 (3.13.0-100.147) for Ubuntu 14.04 LTS
    linux-image-3.2.0-113 (3.2.0-113.155) for Ubuntu 12.04 LTS
    linux-image-4.4.0-1029-raspi2 (4.4.0-1029.36)

The Xenial HWE kernel for Ubuntu 14.04 LTS was updated as well, to version linux-image-4.4.0-45 (4.4.0-45.66~14.04.1), and the Trusty HWE kernel for Ubuntu 12.04 LTS to version linux-image-3.13.0-100 (3.13.0-100.147~precise1).

After logging in, you can check for and apply new updates with:

$ sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade




Restart the Server and verify the kernel version.


Note : When performing an update, first review what apt is going to do, then confirm that you want to apply the updates (this is particularly true when running the development release).

If you would prefer to have updates applied automatically, make sure the unattended-upgrades package is installed, then run 'sudo dpkg-reconfigure unattended-upgrades'. Please note that updates may restart services on your server, so this may not be appropriate for all environments.

B) REDHAT/CENTOS 5.x/6.x/7.x

Platform                                    Package                    State
Red Hat Enterprise MRG 2     realtime-kernel        Affected
Red Hat Enterprise Linux 7     kernel-rt                  Affected
Red Hat Enterprise Linux 7     kernel                      Affected
Red Hat Enterprise Linux 6     kernel                      Affected
Red Hat Enterprise Linux 5     kernel                      Affected


[root@instance-1 ~]# yum update

Reboot the Server.

[root@instance-1 ~]# reboot

verify the kernel.

For RHEL/CENTOS 4.x/

[root@linux4 ~]# up2date -u
[root@linux4 ~]# reboot

C) Opensuse Linux/Suse Enterprise Linux

To apply all needed patches to the system type below commands:

# zypper patch

# reboot

Verify the kernel.



Friday, April 22, 2016

How to : install LAMP Server on Ubuntu 16.04 LTS ( PHP 7.0 , Mysql 5.7, Apache 2.x.x )

How to install LAMP Server on Ubuntu 16.04 LTS.

#Update the system & repository

sudo apt-get update

#Install lamp server


sudo apt-get install lamp-server^





Wednesday, January 28, 2015

How to patch GHOST: glibc vulnerability (CVE-2015-0235) On Redha/Centos/Ubuntu Based Linux


The Linux GNU C Library (glibc) versions prior to 2.18 are vulnerable to remote code execution via a vulnerability in the gethostbyname function. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system. Linux distributions employing glibc-2.18 and later are not affected.

US-CERT recommends users and administrators refer to their respective Linux or Unix-based OS vendor(s) for an appropriate patch if affected. Patches are available from Ubuntu (link is external) and Red Hat (link is external). The GNU C Library versions 2.18 and later are also available for experienced users and administrators to implement.



# How to check the vulnerabilities on server.

1 ) Download the code  : ghost_tester.c

2 ) Compile the code

      root@root:# gcc -o ghost ghost_tester.c
      root@root:# ./ghost  (  It'll gives an output i.e vulnerable or not vulnerable )

 
#How to patch the Ghost vulnerabilities.

1 ) For Redhat/Centos 5.x/6.x/7.x

yum clean all
yum update 


After Reboot :


2 ) Debian/ Ubuntu Linux

sudo apt-get clean
sudo apt-get update
sudo apt-get dist-upgrade


Note : Reboot your machine after successful update.


 


Wednesday, October 15, 2014

How to check SSLv3 POODLE vulnerability & Securing your server from SSLv3 Poodle vulnerability.

#How to scan for SSL POODLE / SSLv3 Bug and Security.

Today Google researchers announced (PDF link) that they have found a bug in the SSL 3.0 protocol. The exploit could be used to intercept critical data that’s supposed to be encrypted between clients and servers. The details are given below.
URL : http://googleonlinesecurity.blogspot.in/2014/10/this-poodle-bites-exploiting-ssl-30.html
PDF : https://www.openssl.org/~bodo/ssl-poodle.pdf

#How to scan SSLv3 on server side.

A ) Method 1: using cipherscan




B ) Mehod 2 : using openssl

root@ThinkPad-T430:/opt/xnull# openssl s_client -connect flipkart.com:443 -ssl3



Note : if handshake failure No sslv3 supporting on server and its secure. if handshake successful then
disable your SSLv3 on Server because there is no patch available for SSLv3.

C) Method 3 : using Nmap

nmap --script ssl-enum-ciphers -p 443 myntra.com


#How to test your client (i.e Browser) for SSLv3 Bug.

https://www.poodletest.com/



#Solution :

https://zmap.io/sslv3/browsers.html


#How to Secure your Server with SSLv3 Bug

A ) Apache httpd Server .

If you're running Apache, just include the following line in your configuration among the other SSL directives:

SSLProtocol All -SSLv2 -SSLv3


restart your apache services.

B ) NGINX Server : 


If you're running Nginx, just include the following line in your configuration among the other SSL directives:


ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

restart your nginx services.

C ) Postfix SMTP

For 'opportunistic SSL' (encryption policy not enforced and plain is acceptable too), you don't need to change anything. Even SSLv2 is better than plain, so if you need to secure your server you should be using 'mandatory SSL' mode anyway.

For 'mandatory SSL' mode being configured already, just add/change the smtpd_tls_mandatory_protocols setting:

smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3

and restart Postfix:


D ) Sendmail

These options are configured in the LOCAL_CONFIG section of your sendmail.mc

LOCAL_CONFIG
O CipherList=HIGH
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

E ) Dovecot

In Dovecot v2.1+, add the following to your /etc/dovecot/local.conf (or a new file in /etc/dovecot/conf.d): Note : depends on your configuration file.

ssl_protocols = !SSLv2 !SSLv3

and restart Dovecot:

F ) HAProxy Server

SSL is supported in HAProxy >= 1.5.

Edit the /etc/haproxy.cfg file and find your bind line. Append no-sslv3. For example:

bind :443 ssl crt ciphers no-sslv3

G) OpenVPN

Seems to be unaffected (source).

OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE.


Sunday, September 7, 2014

How to : Setup deepWeb (Invisible Web, Hidden Web, or DarkWebsite ) using "tor" network

#How to :  Setup deepWeb (DarkWebsite) using "tor" network

DeepWeb : Deep Web (also called the Deepnet, Invisible Web, or Hidden Web ) is World Wide Web content that is not part of the Surface Web, which is indexed by standard search engines. It should not be confused with the dark Internet, the computers that can no longer be reached via the Internet, or with a Darknet distributed filesharing network, which could be classified as a smaller part of the Deep Web. Some prosecutors and government agencies think that the Deep Web is a haven for serious criminality. by : wikipedia

Video Tutorial for setup DeepWeb[Invisible Web, or Hidden Web]: