Saturday, September 24, 2016

Intel Assembly Basics movl , cmpl , jns

Intel Assembly Basics



Here's a simple code block, what does it do?

0x080483c1 <+6>: movl $0x15,-0x4(%ebp)
0x080483c8 <+13>: cmpl $0x0,-0x4(%ebp)
0x080483cc <+17>: jns 0x80483d5
0x080483ce <+19>: movl $0xf,-0x4(%ebp)
0x080483d5 <+26>: ...

movl is 'move long', which in this case means a 32-bit integer move. Hex 0x15 is 16+5=21, so it stores 21 into the first local on the stack, the slot at -0x4(%ebp).

cmpl is 'compare long', so it compares two 32-bit integers: the immediate 0x0, which is simply 0, and the first value on the stack (-0x4), which from the previous line we know holds 21. Compare determines whether the values are the same or different by subtracting them (21 - 0), throwing the result away and keeping only the flags. If the result of the subtraction is 0 it sets the Zero Flag (ZF) to 1 (true); any other result sets ZF to 0 (false). In this case 21-0=21, so ZF is set to 0 (false). The compare instruction also sets the Sign Flag (SF) to 1 if the result is negative and to 0 if it is positive or zero. Here the result is +21, so SF is set to 0.

jns is 'jump if not signed': it jumps if the Sign Flag (SF) is 0, i.e. if the previous compare result was positive. In this case SF was set to 0, meaning the value was positive (not signed), so execution jumps to address 0x80483d5.

movl is 'move long' again, just like above, and this time it would put 15 into the top value on the stack (-0x4); but since we jumped over it, this instruction never actually executes.



Thus to wrap this all up, you could rewrite this code as pseudo C like so (note the comparison is against 0, not 21: cmpl sets the flags from x - 0, and jns skips the store whenever that result is not negative):

int x = 21;   /* movl $0x15,-0x4(%ebp) */
if (x < 0)    /* cmpl $0x0,-0x4(%ebp); jns 0x80483d5 */
  x = 15;     /* movl $0xf,-0x4(%ebp), skipped here because the jump was taken */


More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Intel Assembly Basics GCC and GDB Disassembly

Intel Assembly Basics



I want to write a C program on Linux and see what x86 assembly it generates. Let's try this.

nano increment.c

int main(){
  int x = 15;   /* becomes movl $0xf,-0x4(%ebp) below */
  x++;          /* becomes addl $0x1,-0x4(%ebp) below */
}


gcc -mpreferred-stack-boundary=2 -ggdb increment.c -o increment

(On a 64-bit host add -m32 as well, so gcc emits the 32-bit %ebp/%esp code shown below.)

gdb ~/increment

(gdb) disas main

Dump of assembler code for function main:
  0x080483bb <+0>: push %ebp
  0x080483bc <+1>: mov %esp,%ebp
  0x080483be <+3>: sub $0x4,%esp
  0x080483c1 <+6>: movl $0xf,-0x4(%ebp)
  0x080483c8 <+13>: addl $0x1,-0x4(%ebp)
  0x080483cc <+17>: mov $0x0,%eax
  0x080483d1 <+22>: leave
  0x080483d2 <+23>: ret
End of assembler dump.
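Here is a small emulator, written for this page rather than taken from either post, that runs the two listings above: the movl/cmpl/jns block from the previous post and the movl/addl pair from this gdb dump. It implements only those mnemonics, models the one stack slot at -0x4(%ebp), and sets ZF/SF the way cmpl does; the second run feeds a constructed negative initial value ($0xfffffffd, i.e. -3) to show the path where jns is not taken.

```python
# Emulator for just the AT&T-syntax subset in the two listings: movl/addl/cmpl with an
# immediate source and one %ebp-relative stack slot, plus jns to an address.

def to_i32(v):  # wrap to a signed 32-bit 'long'
    v &= 0xFFFFFFFF
    return v - (1 << 32) if v & 0x80000000 else v

def imm(op):    # "$0x15" -> 21
    return to_i32(int(op[1:], 16))

def disp(op):   # "-0x4(%ebp)" -> -4, the slot's displacement from %ebp
    return int(op.split("(")[0], 16)

def run(listing):
    """listing: [(address, 'mnemonic operands'), ...]; returns (stack slots, flags)."""
    mem, flags = {}, {"ZF": 0, "SF": 0}
    index = {addr: i for i, (addr, _) in enumerate(listing)}
    i = 0
    while i < len(listing):
        op, _, rest = listing[i][1].partition(" ")
        ops = rest.split(",")
        if op == "movl":
            mem[disp(ops[1])] = imm(ops[0])
        elif op == "addl":
            mem[disp(ops[1])] = to_i32(mem[disp(ops[1])] + imm(ops[0]))
        elif op == "cmpl":                      # dst - src: result dropped, flags kept
            res = to_i32(mem[disp(ops[1])] - imm(ops[0]))
            flags["ZF"], flags["SF"] = int(res == 0), int(res < 0)
        elif op == "jns" and flags["SF"] == 0:  # jump if not signed
            i = index[int(ops[0], 16)]
            continue
        elif op == "...":                       # where the post's listing stops
            break
        i += 1
    return mem, flags

def compare_listing(first_imm="$0x15"):
    """The movl/cmpl/jns block; first_imm lets us try other initial values of x."""
    return [(0x080483c1, f"movl {first_imm},-0x4(%ebp)"),
            (0x080483c8, "cmpl $0x0,-0x4(%ebp)"),
            (0x080483cc, "jns 0x80483d5"),
            (0x080483ce, "movl $0xf,-0x4(%ebp)"),
            (0x080483d5, "...")]

INCREMENT_LISTING = [(0x080483c1, "movl $0xf,-0x4(%ebp)"), (0x080483c8, "addl $0x1,-0x4(%ebp)")]  # gdb dump above

if __name__ == "__main__":
    for lst in (compare_listing(), compare_listing("$0xfffffffd"), INCREMENT_LISTING):
        print(run(lst))  # x=21 stays 21 (jump taken); x=-3 becomes 15; 15+1 = 16
```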



Friday, September 16, 2016

Sending SMTP Emails

This Kali tutorial on SMTP hacking gives a simple walk-through.

If you find a vulnerable SMTP server that does not require authentication, you can telnet or netcat to it on port 25.

First greet the server with HELO thedomain.com

Next start a message with the sender MAIL FROM: sendingvictim@thedomain.com

And set the recipient RCPT TO: spamvictim@somewhere.com

And start the body by typing DATA

Enter the subject with SUBJECT: my subject

Then type in the body of the email you want

Then type . and hit <ENTER> to send the email

Then get out of there with QUIT




Snort Rules Monitoring User-Agents

I think some Snort rules like these could be used to monitor specific user-agents that sometimes are common with recon, vulnerability scans, and exploits.

WPScan

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"WPScan"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*WPScan/Hm"; metadata:service http; msg:"BLACKLIST User-Agent known malicious user-agent string WPScan - vulnerability scanner"; classtype:network-scan; rev:1; )

Wget

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"Wget"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20Wget/Hm"; metadata:service http; msg:"BLACKLIST User-Agent known malicious user-agent string Wget non-browser"; classtype:network-scan; rev:1; )

Synapse

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"Synapse"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*Synapse/Hm"; metadata:service http; reference:url,http://www.spambotsecurity.com/forum/viewtopic.php?f=43&t=2876; msg:"BLACKLIST User-Agent known malicious user-agent string Synapse - SQLi IoC"; classtype:network-scan; rev:1; )

SqlMap

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"sqlmap"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*sqlmap/Hm"; metadata:service http; reference:url,http://sqlmap.org/; msg:"BLACKLIST User-Agent known malicious user-agent string sqlmap - vulnerability scanner"; classtype:network-scan; rev:1; )

Python

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"Python-urllib"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20Python/Hm"; metadata:service http; msg:"BLACKLIST User-Agent known malicious user-agent string Python non-browser"; classtype:network-scan; rev:3; )

PycURL

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"PycURL"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*PycURL/Hm"; metadata:service http; reference:url,http://pycurl.io/; msg:"BLACKLIST User-Agent known malicious user-agent string PycURL - non Browser"; classtype:network-scan; rev:1; )

Paros

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"Paros"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*Paros/Hm"; metadata:service http; reference:url,http://sectools.org/tool/paros/; msg:"BLACKLIST User-Agent known malicious user-agent string Paros - vulnerability scanner"; classtype:network-scan; rev:1; )

OpenVAS

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"OpenVAS"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*OpenVAS/Hm"; metadata:service http; reference:url,http://www.openvas.org/; msg:"BLACKLIST User-Agent known malicious user-agent string OpenVAS - vulnerability scanner"; classtype:network-scan; rev:2; )

Nmap

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"Nmap"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*Nmap/Hm"; metadata:service http; reference:url,https://nmap.org/book/nse.html; msg:"BLACKLIST User-Agent known malicious user-agent string Nmap - scanner"; classtype:network-scan; rev:2; )

Nikto

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"Nikto"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*Nikto/Hm"; metadata:service http; reference:url,http://sectools.org/tool/nikto/; msg:"BLACKLIST User-Agent known malicious user-agent string Nikto - vulnerability scanner"; classtype:network-scan; rev:1; )

Kazehakase

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"Kazehakase"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*Kazehakase/Hm"; metadata:service http; reference:url,https://en.wikipedia.org/wiki/Kazehakase; msg:"BLACKLIST User-Agent known malicious user-agent string Kazehakase - suspicious browser"; classtype:network-scan; rev:1; )

curl

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"curl"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*curl/Hm"; metadata:service http; msg:"BLACKLIST User-Agent known malicious user-agent string curl - non browser"; classtype:network-scan; rev:1; )
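To see exactly which requests the pcre options in these rules would and would not fire on, here is a small Python check written for this page (not from the post): it applies the twelve User-Agent patterns above to constructed HTTP requests. The sample User-Agent strings are made up for the demonstration, and the check shows two coverage caveats worth knowing when tuning: the Wget and Python patterns are anchored directly after "User-Agent: " so a prefixed value is missed, and none of the patterns uses /i, so the curl rule does not fire on a capitalised "Curl".

```python
import re

# The twelve User-Agent pcre patterns from the rules above, verbatim. Snort's /H
# flag limits them to the HTTP header buffer and /m lets ^ match at each header
# line; re.M reproduces the /m part, and header_block() the /H part.
UA_RULES = {
    "WPScan":     r"^User\x2dAgent\x3a\x20[^\r\n]*WPScan",
    "Wget":       r"^User\x2dAgent\x3a\x20Wget",         # anchored: no prefix allowed
    "Synapse":    r"^User\x2dAgent\x3a\x20[^\r\n]*Synapse",
    "sqlmap":     r"^User\x2dAgent\x3a\x20[^\r\n]*sqlmap",
    "Python":     r"^User\x2dAgent\x3a\x20Python",       # anchored: no prefix allowed
    "PycURL":     r"^User\x2dAgent\x3a\x20[^\r\n]*PycURL",
    "Paros":      r"^User\x2dAgent\x3a\x20[^\r\n]*Paros",
    "OpenVAS":    r"^User\x2dAgent\x3a\x20[^\r\n]*OpenVAS",
    "Nmap":       r"^User\x2dAgent\x3a\x20[^\r\n]*Nmap",
    "Nikto":      r"^User\x2dAgent\x3a\x20[^\r\n]*Nikto",
    "Kazehakase": r"^User\x2dAgent\x3a\x20[^\r\n]*Kazehakase",
    "curl":       r"^User\x2dAgent\x3a\x20[^\r\n]*curl",  # no /i: case-sensitive
}
COMPILED = {name: re.compile(pat, re.M) for name, pat in UA_RULES.items()}

def header_block(raw_request):
    """Header lines of a raw HTTP request, with the request line and body dropped."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    return head.split("\r\n", 1)[1] if "\r\n" in head else ""

def match_rules(raw_request):
    """Names of the rules whose pcre would fire on this request's headers."""
    headers = header_block(raw_request)
    return sorted(name for name, rx in COMPILED.items() if rx.search(headers))

def request(user_agent):
    """Constructed client request carrying the given User-Agent (not captured traffic)."""
    return ("GET /?id=1 HTTP/1.1\r\nHost: www.example.test\r\n"
            f"User-Agent: {user_agent}\r\nAccept: */*\r\n\r\n")

SAMPLES = {  # constructed User-Agent strings for the demonstration
    "sqlmap":   request("sqlmap/1.0-dev (http://sqlmap.org)"),
    "nse":      request("Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"),
    "browser":  request("Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/49.0"),
    "wget_pfx": request("Mozilla/5.0 Wget/1.18"),  # anchored Wget pattern does not fire
    "curl_cap": request("Curl/7.50.1"),            # 'curl' pattern does not fire on 'Curl'
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label:9s} -> {match_rules(req)}")
```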


MySQL Backdoors in UDFs

Thought this blog by securusglobal about MySQL Backdoor with udf was interesting. In short, a UDF is a user-defined function in MySQL: compiled code (such as C/C++) loaded into the server that you can call from a select statement to manipulate column values, without putting that non-MySQL logic inside the select statement itself. Example: select udf_tocelsius(temps.fahrenheit) from temps

But instead of doing something benign like a formula or calculation, an attacker could perhaps do something like

char cmd[1024] = "";         /* command buffer (the original fragment used an uninitialized char *) */
FILE *fp;
strcat(cmd, args->args[i]);  /* append the caller's string argument from the UDF_ARGS struct */
fp = popen(cmd, "r");        /* hand the string to /bin/sh and read back its output */


This is C code that essentially runs system commands (similar to the system() function) against the operating system, so you could pass in commands that download your malware, execute it, etc.

Please note this is not a vulnerability; it is just an example of a backdoor persistence method. A lot of things have to be set up correctly for this to even work: if the attacker doesn't have the appropriate access, or permissions are locked down tight, it may never work at all (the server will only load a UDF library from its plugin_dir, and the mysql.func table records every UDF that has been registered, so both are worth watching). Interesting nonetheless.


SIEM Implementation (Security Incident and Event Management)

Just thought I'd throw together some items that I've experienced as being critical to the implementation and long-term success of a SIEM.

1.) Staff to manage the Infrastructure (uptime, performance, storage, upgrades)
2.) Staff to administer the SIEM (rule/alert tuning and creation, log sources collection and monitoring)
3.) Staff to monitor and analyze the alerts (ensure you have enough to manage the queue quickly and hit all SLAs)
4.) System Resources (Enough hardware, licenses, etc. so you don't drop logs, and can correlate events quickly, etc.)
5.) Custom Alerts for your Environment (disable most of the defaults, write the rules specific to what should or shouldn't happen in your company)
6.) Constant Tuning of existing Alerts (to ensure analysts are only working on useful alerts and not noisy junk)
7.) Constant Adding/Enhancing of Alerts (as new security trends pop up, quickly add new alerts to capture them)
8.) Add accurate and relevant Intel (don't blindly take free feeds, make sure the intel you gather is accurate and relevant to your environment)
9.) Log Sources Processes (ensure processes exist so whenever a new device, server, or app is brought up it doesn't go-live until you're getting logs)
10.) Document all alerts (generate a history for devices, servers, users, ips, urls, etc. so that analysts have context and don't have to re-invent the wheel)
11.) Data Classification (analysts must know what your sensitive data is and where it resides so they know what they're protecting and when to raise red flags)
12.) Management support (you need managers that show interest and concern for things like alert queues, SLAs, false positive rates, etc. to drive improvement)


It's a lot, but if you have those things it would seem that a SIEM can be a valuable tool in your layered Security!


SiteCore Security Hardening

Thought this security hardening article by Rackspace was useful for those supporting SiteCore environments. To quickly summarize:

1. Deny anonymous users access to key folders (e.g. keep bad guys from doing recon on your admin, config, debug, and other folders)
2. Disable client RSS feeds (this prevents bad guys from getting access to modify or see sensitive data)
3. Secure the file upload functionality (e.g. disable execute permissions, apply a strong and strict filter, etc.)
4. Improve the security of the website folder (e.g. move non-web folders like data and indexes out of the web root)
5. Increase login security (e.g. enable HTTPS and disable auto-complete)
6. Limit access to certain file types (e.g. block access to your configuration files, transformation files, etc.)
7. Protect PhantomJS (e.g. get rid of this tool, it's generally not needed but could be used against you)
8. Protect media requests (e.g. only allow server generated requests to be processed on images)
9. Remove header information from responses sent by your website (e.g. remove response headers to prevent information leakage)

