Friday, January 23, 2015

Is Your Browser Secure?

You surf the Internet with a browser (Internet Explorer, Google Chrome, Firefox, Safari, etc.). Staying secure on the Internet REQUIRES you to run the latest, patched versions.

The browser probably does a decent job of telling you whether it's on the latest version or has updates pending. It'll pop up to tell you a new update is available, or it'll just download and perform the update for you automatically.

But what about some of the other critical plugins such as Java, Adobe, Silverlight, QuickTime, etc.?

I came across this pretty nice tool made by Qualys that I recommend you make your homepage, so that every time you load your browser it runs a quick scan and tells you if you're secure. Try it out! https://browsercheck.qualys.com/?scan_type=js



Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Thursday, January 8, 2015

De-Obfuscating Malicious Code encoded with JJEncode

Tools like IDSs and browsers are getting better at picking up malicious JavaScript and other client-side code and blocking it or preventing it from running. Attackers have adapted to this and resort to obfuscating their malicious code, making it unreadable. This presents problems because the tools cannot easily see into the obfuscated code (especially if it's randomized, or if it uses a new obfuscation method the tool doesn't know about).

One such way attackers do that is with jjencode. For example, you can encode code for free online here.

You could start with plain-text code like this:

alert('hello world');

and end up with disgusting-looking code like this (which performs the same task!):

$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"('\\"+$.__$+$.$_$+$.___+$.$$$_+(![]+"")[$._$_]+(![]+"")[$._$_]+$._$+"\\"+$.$__+$.___+"\\"+$.__$+$.$$_+$.$$$+$._$+"\\"+$.__$+$.$$_+$._$_+(![]+"")[$._$_]+$.$$_$+"');"+"\"")())();



If you are one of the good guys, this makes your job difficult because you can't just read and understand the code with your naked eye anymore; you have to de-obfuscate it first.

One way to do so for jjencode is to get the jjdecoder Python library from GitHub.

Then save the obfuscated, disgusting-looking JavaScript to a file like 'input.js' and run the following command:

C:\Python27>python.exe jjdecoder_test.py input.js

and boom, it outputs the cleaner, easier-to-read code.

Good luck!


Wednesday, January 7, 2015

Password Sniffing Insecure Protocols is Too Easy

I suggested previously that we should just bite the bullet and kill insecure protocols like HTTP. Sometimes it's difficult to take a statement like that seriously unless you see first-hand what malicious actors can do. So, for demonstration purposes only, I'm going to show you a simple little tool that anybody (both good guys and bad guys) can get for free.

Please keep in mind that my intent with this post is to hammer home the point that we should kill HTTP and other insecure protocols like FTP. So, let's say I have a legitimate reason to look for passwords on my system. Perhaps I forgot my password but know that some application on my system is still using it; then I can recover it with this tool. Keep in mind, it's not a far stretch at all for a malicious user to perform very similar tasks with illegitimate intentions.

The tool we're taking 2 minutes to look at is SniffPass – Simple Password Sniffer. You could start by reading darknet's article and downloading SniffPass. Please note that if you're running antivirus like McAfee, it may detect SniffPass.exe and delete the downloaded file as Tool-PassView or a PUP (potentially unwanted program).


Once downloaded and extracted, double-click on SniffPass.exe to open it up.


Next, click the green start arrow. Then select any of the options you have (RawSockets, WinPCap, etc.). For this demonstration they all work.


Something of interest: notice there is a Promiscuous Mode checkbox you could utilize. Wow, I wonder if that might come in handy for somebody? :-P


After you hit OK, you're basically done. Your final step is to activate the application that uses the insecure protocol (perhaps you have FileZilla running already with your saved password, perhaps you go to an FTP site in your browser, perhaps a website that requires basic Windows authentication, etc.). Run the application or type in the username and password that you thought was secure. Find out immediately, per the screenshot below, that it's not.


The sad part? This was too simple. It took me literally 2 minutes from download to successful usage with a tool I had never in my life used before. Is it time to get rid of those insecure protocols yet? I think so.
