
KoreLogic Blog

WMkick - MITM MS-RPC, WMI, WinRM to Capture NetNTLMv2 Hashes 2021-08-21 20:24



WMkick is a tool we recently released to MITM and capture NetNTLMv2 hashes for
some protocols not (yet?) supported by other tools like Responder, such as WMI
access to MS-RPC (135/tcp) and PowerShell Remoting/WSMan/WinRM (5985/tcp).

We have observed various enterprise software that continues to rely on
Microsoft's Windows Management Instrumentation (WMI) for remote authentication,
which can be leveraged by attackers, even passively, to steal hashes that can be
converted to credentials. There are WMI client programs that initiate NTLMSSP
authentication flow over the WMI access port (tcp/135), which can be redirected
in order to gather all the pieces needed to obtain a valid NetNTLMv2 hash. A
valid NetNTLMv2 hash can be cracked into plaintext credentials, to gain further
access into the network. The accounts used in these applications are often
privileged accounts, as WMI remote authentication is often used to perform
administrative tasks such as running remote commands, asset inventory
management, and scanning.

WMkick is a TCP protocol redirector/MITM tool that targets the Windows NTLM
authentication message flow. Anyone with access to an internal network can
leverage WMkick to capture administrative hashes if WMI is being used to
remotely administer within the network and mitigations have not been enforced,
such as disabling NTLM authentication.

We think the security community should give MS-RPC more attention, and others
are starting to do so. Eventually we hope to build/add enough of an MS-RPC
implementation and impersonation into WMkick that redirecting is no longer
needed.



Posted by Houston Hunt

WePresent... vulnerabilities! 2021-01-05 20:21



This blog post describes an exploit chain to go from a completely
unauthenticated attacker to a root shell on a WePresent WiPG-1600. The device
was running firmware version 2.5.1.8, which was the latest version available at
the time this research was performed. Several vulnerabilities were found, and
CVEs and fixes for each have since been published.




CVE-2020-28329 - DEFAULT API CREDENTIALS

The first vulnerability is the existence of default, hardcoded credentials that
can be used to access an API service listening on port 4001/tcp. The password
exists as clear text in /etc/lighthttp/admin and in a hashed form in
etc/lighttpd/lighttpd.user. This information was obtained by downloading and
unpacking the firmware from WePresent's site. The URL for the firmware is
https://www.barco.com/en/support/wepresent-wipg-1600w/drivers. Binwalk, with
recursive scanning of extracted files, does partially unpack the firmware. A
simple, more elegant approach will be discussed later in this blog post.



Posted by Jim Becher

Cellebrite Good Times, Come On: Reverse-Engineering Phone Forensics Tools
2020-06-29 17:18



How can vulnerabilities in technologies used by our judicial system affect the
outcome of cases brought to the courts?

The Universal Forensic Extraction Device (UFED) device from Cellebrite is used
by law enforcement agencies throughout the world. The popularity of their
offerings has been well documented by journalists, which is what initially
caught my attention. Today I will talk about the process I used to establish a
debugging environment and locate issues in their UFED product, which I believe
pose a significant concern. This concern demonstrates a need for additional
scrutiny of any tool that is designed to acquire digital forensic evidence for
use in any court of law. Along the way, we generated multiple advisories and
CVEs, which the vendor has addressed, and a bonus "WONTFIX" in Android.

Posted by Matt Bergin

FTimes, KLEL, and File Hooks 2019-11-08 10:00



This is another blog post in the FTimes series showcasing various aspects and
controls that can be utilized within the FTimes framework. This blog post will
focus on using file hooks, a feature that offers the ability to run external
programs or scripts on matching files during dig, map, or mad stages.

Posted by Jay and Klayton

Building FTimes With Lua 2019-09-05 15:40



This is the next part in a series of blog posts focusing on the open-source tool
FTimes. This blog post will demonstrate building FTimes with XMagic and an
embedded Lua interpreter. In so doing, FTimes will be able to perform more
complex searches by utilizing file hooks.

For this exercise, we will be using Kali Linux as our build environment.

Posted by Jay

FTimes 3.13.0 Released 2019-09-04 17:30



Version 3.13.0 is a minor release of FTimes. Generally, code was cleaned up and
refined as necessary. Several bugs have been fixed -- see the ChangeLog for
details. The most significant changes in this release are the addition of new
encoder/decoder/embedded routines, support for B-Tree file systems (BTRFS) under
Linux, and the introduction of KLEL-based include/exclude filters. Note that
both PCRE and KLEL (1.2.0 or higher) libraries are now required. For now,
PCRE-based filters are still enabled by default, but the plan is to phase them
out completely in a future release.



Posted by Klayton

Unpatched Fringe Infrastructure Bits 2019-08-19 11:00



Typically during internal network penetration tests, pentesters come across many
different types of devices. Much of the focus is likely on the Windows/UNIX-like
systems and critical infrastructure devices (e.g., storage, DNS servers,
routers, switches, etc.). There are, however, a number of other network
connected devices that often times get passed over due to factors such as
function, purpose, placement, or lack of sensitive data contained within.

A pentester may take a second look at a given device because telnet or FTP is
enabled, but after a cursory glance at the HTTP listener and concluding it is a
UPS, they will likely skip over it in favor of the Linux system running
Apache, MySQL, and SSH.

Welcome to the land of forgotten and misfit toys ... this is not exciting,
cutting-edge, sexy stuff. These are devices organizations typically plug in,
configure minimally (just enough to "do the job"), and forget about. In this
post, I discuss a particular vulnerability of a TrippLite Power Distribution
Unit (PDU).

Posted by Jim Becher

Password Audits – Focus on the Admins 2019-05-09 17:00



Have you considered adding periodic password audits to your corporate security
plan? Compared to the cost of a security breach or standard pentest, periodic
password audits are relatively inexpensive (e.g., on the order of $7K/quarter
for a single medium-sized domain), yet they shed light on an important aspect of
security that management has little ability to control: the passwords that
administrators and end users choose.

In this article, I discuss the impact of weekly audits on chosen admin passwords
over a 4-year period.

Posted by Klayton

Building FTimes With Python3 2019-04-25 11:10



This is the next part in a series of blog posts focusing on the open-source tool
FTimes. This blog post will demonstrate building FTimes with XMagic and an
embedded Python interpreter. In so doing, FTimes will be able to perform more
complex searches by utilizing file hooks.

For this exercise, we will be using Devuan Linux as our build environment.

Posted by Jay

Building FTimes With Perl 2019-04-11 00:00



This is a first in a series of blog posts focusing on the open-source tool
FTimes. This blog post will demonstrate building FTimes with XMagic and an
embedded Perl interpreter. In so doing, FTimes will be able to perform more
complex searches by utilizing file hooks.

For this exercise, we will be using Ubuntu Linux as our build environment.

Posted by Jay

FTimes 3.12.0 Released 2019-03-15 17:00



Version 3.12.0 is a minor release of FTimes. Basically, the various changes,
enhancements, additions, and bug fixes that have accumulated over the past few
years reached critical mass. Some of the noteworthy changes include: a new
option for depth-limited mapping/digging, additional
encoding/decoding/transformer options/functionality, and support for a number of
additional file systems (APFS, AUTOFS, JFFS2, OVERLAYFS, SMB2, UBIFS).
Additionally, two new tools, ftimes-srm and ftimes-xpatool, have been added to
the project. Finally, this is likely to be the last release in the 3.X branch.
Going forward, the project will be setting up a new public-facing code
repository (SF discontinued CVS support late in 2017), and all new effort will
focus on the 4.X branch.



Posted by Klayton

New LibPathWell Release, and an Updated Talk 2017-05-12 23:30



A couple of weeks ago we released a PathWell update, version 0.7.0, available
here. I had the pleasure of giving a talk about it at RMISC yesterday that
highlighted the new features; the slides are here. [PDF warning]

The primary user-visible change in this release is an administrator-configurable
hinting engine, to provide different levels of feedback to users whose new
password choice is rejected.



Posted by Hank

Virtual Appliance Spelunking 2016-10-10 15:35



Hello again and welcome back. Today I want to talk about a Sunday I spent
reversing the Cisco Firepower Management Console virtual appliance that resulted
in multiple CVEs being issued. The tricks I will show have worked on four or
five other virtual appliances from other vendors. Results from those are either
pending disclosure or have already been reported by other researchers. Either
way, this should be something you can easily recreate to find vulnerabilities.

Posted by Matt

Nothing To See Here, Move Along 2016-08-08 13:45



Vendors often have interesting ways to facilitate support for their appliances.
Today, I'll discuss a few ways we have seen it implemented: one that is
vulnerable to exploitation and others that aren't so bad.

When we find vulnerabilities doing independent research, we work with the
vendors through our disclosure program to attempt to get the issues fixed, and
we are free to publish whether or not the vendor addresses the problems.
Occasionally while on an engagement for a client, we come across one or more
vulnerabilities in third-party platforms. When this happens, we work with our
client to inform their vendor in an effort to get the vulnerabilities corrected,
and coordinate disclosure.

Usually, vendors are responsive, and our client and other customers of that
vendor get the fix. However, it does not always work that way.

Posted by Matt

Cracking Grid – Essential Attributes 2016-05-25 11:30



Here at KoreLogic, we are constantly cracking passwords – it's just one of the
things we do. While we haven't made a concerted effort to track it, I'd venture
to say that cracking for us is pretty close to a 24/7/365 operation. Between
paid cracking engagements and penetration tests, our resident cracking expert,
Rick, almost always has something cooking on our Distributed Cracking Grid
("Grid"). This week, it happens to be LinkedIn hashes. This level of uptime is
made possible by the WebJob framework, the foundation upon which our Grid was
built (check out this paper for a brief overview of the technology). WebJob's
queuing system allows us to maintain a number of concurrent work orders at any
given time. Today, for instance, we have 22 active work orders consisting of
151,995 jobs (or attacks) spread out over 35 queues. At any time, a single
attack can be in one of several states (e.g., waiting, working, complete), and
resources (i.e., GPU and CPU cores) can be shifted from queue to queue as needs
dictate. Additionally, attacks within any given queue can be prioritized. All of
this allows us to keep work orders active for days, weeks, or even months at a
time, and that's pretty darn cool.

As the Grid's chief architect and primary developer, it's my job to keep the
Grid running and add new features/capabilities over time. In this article, I'd
like to share with you our aspirations and reasons for creating a cracking grid
that is secure, distributed, scalable, and extensible.

Posted by Klayton

LinkedIn Revisited – Full 2012 Hash Dump Analysis 2016-05-19 15:00



As you may know, a "full" dump of email addresses and password hashes for the
Linkedin.com attack that occurred in 2012 has become available. Here at
KoreLogic, we got our hands on the list of emails and the separate list of
passwords (but nothing linking the two together, which we don't want or need).
We started to gather some statistics on them using our Password Recovery Service
(PRS). The following analysis assumes the lists are real; due to the valid email
addresses and confirming some of our own accounts' data from back then, we
believe that the dump is real.

What we know so far:



Posted by Rick Redman / Minga / @CrackMeIfYouCan

Update on Crack Me If You Can – DEFCON 2016 2016-03-28 12:12



The @CrackMeIfYouCan team at KoreLogic has had a lot of questions about this
year's DEFCON Crack Me If You Can (CMIYC) contest ...

The short answer is, we are not doing a CMIYC this year at DEFCON. That does not
mean that 2015 was our last year, it just means we aren't doing one in 2016.
It's been a very busy year for us so far, and CMIYC is a huge commitment on our
schedules. We just cannot make it happen this year.

On a more personal note, I dreamed up CMIYC in 2010 with multiple goals in mind:

Posted by Rick Redman / Minga / @CrackMeIfYouCan

Hacking an Arris Cablemodem 2016-02-12 15:00



Welcome to part four in our four part series on firmware and embedded devices.
In our final part, we will discuss a remote root vulnerability in a popular
cable modem. A while ago, we were shown the administrator portal for a particular
cable modem vendor. Old school, right? Still, what an interesting attack vector,
we thought. We realize ISPs need some degree of access in order to properly
provision modems, but how much should you trust your ISP (and who they partner
with) to make security decisions for you? Personally, we only believe in what
can be measured and this meant our hands needed to get dirty... Don't worry
root, we're coming for you!

Posted by Matt & Hank

The importance of access to firmware files 2015-12-18 16:25



Welcome to the third part of our series! Today I hope to spark a conversation
amongst the readers about an important topic in a world filled with IoT: access
to device firmware. And not just (at best) encrypted opaque blobs provided for
device updates, but usable images that can be deconstructed, evaluated, and
reconstructed.

There are a few categories of devices for which firmware access would apply.
These are consumer, enterprise, medical, and military. My coworkers and I have
dealt with all of these to varying degrees. You might think military procurement
would always include full firmware/source code access; I mean, they'll want to
make sure the device is not designed in a way that is counter to their interests
in the same way that I want to ensure the same thing when I (and most other
people for that matter) also purchase a device. Mumble mumble...

What about consumer or enterprise grade devices? Most vendors have some support
level (i.e. price point) at which they'll give an enterprise customer access to
firmware. But for smaller organizations, or one-off purchases, they are often
told what I am as a consumer a majority of the time: "no". In the last two parts
of our series, I'll go into deeper thought on firmware access using current and
upcoming examples from our vulnerability disclosure program.

Posted by Matt

Unplugging An IoT Device From The Cloud 2015-12-11 17:45



Hello again and welcome back. This is part two in our four-part series on
firmware and embedded devices. Today, I will be discussing home automation and
the Internet of Things (IoT). More specifically, I'll be talking about Blossom.
Blossom is a cloud-based smart lawn watering system that will 'automatically'
water your lawn. Normally, our goal is to break into the target device so I may
inspect running processes and resident binaries to ensure they are not designed
to work in ways that are counter to our interests. Today, I won't be doing that.
Instead, I am going to observe the functionality of the device and how it
interacts with the manufacturer's cloud-based API. Then, I'll force network
traffic redirection from the device to a server I control. Finally, I will
recreate a bare minimum copy of the manufacturer's API available internally so
that the device will no longer require internet access for a somewhat normal
operation.

What does this mean? I am going to write an application to water my lawn, when I
want my lawn watered. Why? Because I like the functionality of smart-enabled
devices, but I do not like adding potential network pivot points anywhere on my
networks. My hope is that this part in our series serves as a soft introduction
into the thought process I typically use when removing an unwanted third-party
from my networks or even attempting to attack the underlying software of a
target device.

Posted by Matt

Q: Can I have your password? A: Yes you can. 2015-12-04 16:45



Hello folks, welcome to the first of a four part blog mini-series on firmware
and embedded devices. My name is Matt Bergin and I'll be guiding you through the
series. We plan to release each part of the series on the Friday of each week in
December. The release of the final part in our series is dependent on our
responsible disclosure timeline holding for a finding, but we're pretty
confident.

We're going to start slowly and with something simple. Today's tale is about a
little access point that tried and tried but just couldn't keep its mouth shut.
If it has an IP it'll talk, and what it says you might not like. Though, we
tried to make it stop (see the timeline in the advisory), it didn't seem to
matter to the manufacturer. So here we are: an 0day to help start your holiday
season.

Sincerely,
KoreLogic

Onward and upward!

You can purchase the vulnerable device and download the corresponding firmware
here: http://www.linksys.com/us/support-product?pid=01t80000003cVuwAAE

Posted by Matt

LibPathWell 0.6.3 Released 2015-10-01 15:45



I am pleased to announce that a new release of the Password Topology Histogram
Wear-Leveling (PathWell) library and PAM module for dynamic password-strength
enforcement is now available for download here.

Version 0.6.3 is an update release of PathWell. Generally, code was cleaned up
and refined as necessary. The API remains unchanged, but the library did get a
revision bump -- the new version is 1:1:0. The primary goals of this release
were to work out the build issues previously encountered for some flavors of
Linux and to extend configure/build support to MinGW/MSYS build environments.
And while the library along with the associated command line utilities compile
cleanly and pass all their unit tests under Windows, setting up that build
environment and getting the various dependencies (e.g., GMP, PCRE, SQLite, etc.)
to compile involves a number of steps, a few hurdles, and a fair amount of
determination, so be prepared if you decide to venture down that road. Perhaps
that will be the topic of a future blog post. Who knows? ...

Anyway, this will likely be our last release for the 0.6.0 branch as our
attention has shifted to the 0.7.0 release, which includes new features and
tools. More on that to follow in the coming days, so stay tuned ...


Posted by Klayton

MASTIFF Output Plug-ins 2015-09-25 17:00



MASTIFF is a living project whose continuous goal is to provide an automated
means for static analysis of files. To meet this end, the project has multiple
short and long term goals in place. Recently we silently released an update that
hit one of the major goals we have been working towards since inception of the
project: output plug-ins.

Posted by Tyler

How I Solved (Most Of) the Yara CTF Puzzles: Puzzle #9 – #11 2015-08-21 11:20



So far I've discussed how puzzles #1-#4 and puzzles #5-#8 in the Yara CTF for
Black Hat 2015 contest were solved. In this post, I'll go over the final three
puzzles.

As noted before, the puzzles are still accessible at the CTF page, so there are
spoilers if you plan to go through them.

Posted by Tyler

How I Solved (Most Of) the Yara CTF Puzzles: Puzzle #5 – #8 2015-08-19 17:00



Previously, I posted how I solved puzzles #1-#4 of the Yara CTF for Black Hat
2015, sponsored by phishme.com. In this post, I'll go into how I solved puzzles
#5-#8.

As noted before, the puzzles are still accessible at the CTF page, so there are
spoilers if you plan to go through them.

Posted by Tyler

How I Solved (Most Of) the Yara CTF Puzzles: Puzzle #1 – #4 2015-08-17 08:00



During Black Hat, Ron Tokazowski of phishme.com put together a Yara Capture The
Flag (CTF) contest for Black Hat 2015. This CTF consisted of 11 logic and
Yara-based puzzles that participants had to solve for a chance to win a DJI
Quadcopter. The best part is you could participate in the CTF if you weren't at
Black Hat!

I participated in the CTF and won!!! I got through 10 out of 11 puzzles; the
11th and my lack of doing it is explained later. This post, as well as two more,
describe how I went through each puzzle and solved them. The puzzles are still
accessible at the CTF page, so be warned that spoilers are below!

Posted by Tyler

LibPathWell 0.6.1 Released 2015-07-31 16:35



I am thrilled to announce the first public release of the Password Topology
Histogram Wear-Leveling (PathWell) library and PAM module for dynamic
password-strength enforcement. Version 0.6.1 is available for download here.

We have blogged and written and presented about PathWell several times, but now
we've finally dropped the code.



The LibPathWell release is a PAM module and supporting library to implement
password topology complexity enforcement. There is a static component called
blacklisting that allows you to seed the PathWell database with the most popular
password topologies, so instead of an attacker cracking 25%+ in their first few
mask attacks, they get zero. And then there are dynamic components ensuring that
enterprise users, as they change their passwords, are forced to choose new
passwords that are substantially different from one another.

tl;dr: PathWell makes enterprise user passwords 5-6 orders of magnitude harder
to guess!

Posted by Hank

Hacking Team Documents Claim BIOS-based Persistence 2015-07-09 16:15



A search through the online mirror of the information stolen from Hacking Team
shows indications that a BIOS-based infection capability was developed as part
of the Remote Control System software. This may be the first time a commercial
spyware product claims this type of capability.


Posted by Don

Giles at Black Hat and in the ISSA Journal 2015-06-23 18:20



The Giles production rule system compiler (which we described here) has gotten
some good press lately!

An article describing Giles and its use has been published in the June 2015
issue of The ISSA Journal, which can be seen by subscribers here. The ISSA
Journal is the official journal of the Information Systems Security Association,
and we're very proud to have an opportunity to discuss Giles on its pages. The
article describes what Giles is, how to use it, and how to use the engines it
creates. It also talks a little bit about how it works under the hood.

Also of note, I will be presenting a talk about Giles at this year's Black Hat
USA in Las Vegas on August 1-6th. This talk will describe the reasons behind the
creation of Giles, how it works, and how it can help you build efficient, simple
event correlation engines and expert systems. Let us know if you're going to be
at Black Hat this summer; we hope to see you there!

And remember, Giles is open source, so be sure to check it out (both in the
look-at-it sense and in the grab-a-copy-of-its-code sense) at
https://korelogic.com/tools.html.


Posted by Rob

MASTIFF Online Updated to Add pyOLEScanner 2015-06-19 16:08



The MASTIFF Online site was updated on 2015-06-05 which included the following:
 * Enabled pyOLEScanner version 1.2 tool as part of processing samples.
   pyOLEScanner is a Python-based script written by Giuseppe 'Evilcry' Bonfa and
   inspired by OfficeMalScanner. It scans office documents in order to assess
   if they could be malicious. Within MASTIFF Online the plugin is only executed
   for office document file types (a.k.a., "Office"), and the results of the
   plugin can be seen by clicking on the "office-analysis" record in the detail
   pane for those file types.
 * Added an "x" icon next to the GUI search box which clears the search box text
   and refreshes the list when clicked.

We will re-process samples when necessary (e.g., after a MASTIFF upgrade or
plugin addition) and as time allows. In this case the existing samples have been
re-processed so that they now have the new plugin results.


Posted by Andy

The WebJob Framework: An Endpoint Security Solution 2015-06-10 17:30



The WebJob framework is a next generation endpoint security solution that, from
a centralized management location, can execute virtually any program on an
arbitrary number of end systems at any time. This framework has been deployed in
a number of production environments including the Federal government and Fortune
500 businesses to perform various activities such as evidence collection,
enterprise searches, incident response, live forensics, system management and
monitoring, and grid computing.

The WebJob framework is an open source client-server solution that acts as a
force multiplier for anyone who needs to automate various tasks or work on an
enterprise scale. It does this by enabling engineers to run arbitrary programs
and/or scripts on a wide array of operating systems (e.g., UNIX®, Linux®, Mac
OS®, Windows®, Android®, etc.). The results, if any, can be aggregated and
collated on the WebJob server where they can be operated on in bulk. With the
flexibility that the framework provides, administrators who are inclined to
write their own scripts can achieve a high level of automation and efficiencies
of scale. With the WebJob framework, you can effectively do more with less.

Please click the link below to read more about how the framework could be the
next generation endpoint security solution for you.


The WebJob Framework: A Generic, Extensible, and Scalable Endpoint Security
Solution


Posted by Andy

One Month of MASTIFF Online! 2015-05-27 11:30



It has been exactly one month since MASTIFF Online was opened, and to celebrate,
we have released the next stable version of MASTIFF! Version 0.7.1 includes a
large number of bug fixes, as well as some new analysis plug-ins to get more
information out of the files you are analyzing. The new version can be found at
https://korelogic.com/tools.html.

Posted by Tyler

What Did CCleaner Wipe? 2015-05-18 15:35



The use of CCleaner is encountered at times during forensic investigations of
computer systems. It has been labeled an "anti-forensics" tool as it has a
secure deletion mode where it can overwrite data, filenames, and free space.

Overwriting files and filenames removes the chance to recover the data and
subject it to further analyses; hence, the anti-forensics label. There may be
some remnants and data left for analysis and comparison; but, at best you can
infer what had been wiped. What you are faced with is a case of "You don't know
what you don't know".

That is, until now. CCleaner will actually tell you what files it wiped. You
just have to work for it.

Posted by Don

MASTIFF Online Free 1.0.0 Released 2015-04-27 13:15



KoreLogic is pleased to announce the release of MASTIFF Online, a web interface
into the open source MASTIFF static analysis framework. With this free online
tool, anyone can upload files to be examined by MASTIFF, returning the results
within minutes. MASTIFF Online can be accessed at
https://mastiff-online.korelogic.com.

Posted by Andy

SSD Storage - Ignorance of Technology is No Excuse 2015-03-24 09:15



Digital evidence storage for legal matters is a common practice. As the use of
Solid State Drives (SSD) in consumer and enterprise computers has increased, so
too has the number of SSDs in storage increased. When most, if not all, of the
drives in storage were mechanical, there was little chance of silent data
corruption as long as the environment in the storage enclosure maintained
reasonable thresholds. The same is not true for SSDs.

A stored SSD, without power, can start to lose data in as little as a single
week on the shelf.

Posted by Don

Windows 2003 Privilege Escalation via tcpip.sys 2015-01-28 22:00



In my post for today, I will be discussing a vulnerability that I found within
the TCP/IP driver as implemented by Microsoft within their Windows 2003
Operating System with Service Pack 2 installed (advisory here). If an attacker
has obtained unprivileged access into the operating system, this vulnerability
may be used to elevate their privilege to that of SYSTEM. This is accomplished
by abusing a null near pointer dereference within code that runs during the
processing of a specific unprivileged IOCTL call.

This vulnerability was issued identifiers: KL-001-2015-001, MS14-070, and
CVE-2014-4076.

In order to avoid duplicating content from the advisory issued for this
vulnerability, I will only provide a brief tl;dr before diving into the exploit.

Posted by Matt

Giles 3.0.0 Released 2015-01-22 17:55



The Giles production rule system compiler has just been released! It is
available for download here.

Production rule systems (or "engines" in Giles parlance) are tools that are
commonly used to efficiently find patterns in streams of data where any number
of data items (or "facts") can be added or removed over time. They're very
commonly used to perform complex behavior detection (i.e., event correlation),
like fraud detection for credit cards via transaction history or multi-part
attacks against servers via combined analysis of firewall and server logs. They
can also be used to provide some form of artificial intelligence, forming the
core of many expert systems and automated planners.
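To make the description above concrete, here is a toy forward-chaining rule engine written for this page in Python. It is an added example, not Giles and not its rule syntax: a working memory of facts that can be asserted and retracted, one rule that correlates a firewall port-scan event with subsequent failed logins from the same address, and a few constructed log lines to run it on. The log formats and the scan_then_bruteforce rule are assumptions made for the example, not Giles features.

```python
import re
from typing import Any, Callable, Dict, List, Tuple

Fact = Dict[str, Any]
Match = Tuple[Any, Dict[str, Any]]            # (key identifying the match, bindings for the action)
Matcher = Callable[[List[Fact]], List[Match]]


class RuleEngine:
    """Toy forward-chaining engine: facts can be asserted and retracted at any time,
    and each rule's action fires once per distinct match (no Rete network; every
    run() re-matches against the whole working memory)."""

    def __init__(self) -> None:
        self._facts: Dict[int, Fact] = {}
        self._next_id = 0
        self._rules: List[Tuple[str, Matcher, Callable[[Dict[str, Any]], Any]]] = []
        self._fired: set = set()

    def assert_fact(self, **fact: Any) -> int:
        fid, self._next_id = self._next_id, self._next_id + 1
        self._facts[fid] = fact
        return fid

    def retract(self, fid: int) -> None:
        self._facts.pop(fid, None)

    def add_rule(self, name: str, matcher: Matcher, action: Callable[[Dict[str, Any]], Any]) -> None:
        self._rules.append((name, matcher, action))

    def live_matches(self, rule_name: str) -> List[Any]:
        """Keys of matches that hold right now; a retraction shows up here immediately."""
        facts = list(self._facts.values())
        return [key for name, matcher, _action in self._rules if name == rule_name
                for key, _bindings in matcher(facts)]

    def run(self) -> int:
        """Evaluate every rule and fire actions for matches not seen before; returns how many fired."""
        facts, fired = list(self._facts.values()), 0
        for name, matcher, action in self._rules:
            for key, bindings in matcher(facts):
                if (name, key) not in self._fired:
                    self._fired.add((name, key))
                    action(bindings)
                    fired += 1
        return fired


def scan_then_bruteforce(window: int = 300, threshold: int = 3) -> Matcher:
    """Rule: a firewall port-scan fact followed within `window` seconds by at least
    `threshold` failed logins from the same source address, whatever the target host."""
    def match(facts: List[Fact]) -> List[Match]:
        fails = [f for f in facts if f["type"] == "auth_fail"]
        out: List[Match] = []
        for scan in (f for f in facts if f["type"] == "fw_scan"):
            later = [f for f in fails
                     if f["src"] == scan["src"] and scan["ts"] <= f["ts"] <= scan["ts"] + window]
            if len(later) >= threshold:
                out.append(((scan["src"], scan["ts"]),
                            {"src": scan["src"], "scan_ts": scan["ts"], "failures": len(later),
                             "targets": sorted({f["dst"] for f in later})}))
        return out
    return match


# Constructed log lines (epoch timestamp, program, message); not from any real system.
SAMPLE_LOGS = """\
1700000000 firewall portscan detected src=203.0.113.7
1700000030 sshd Failed password for root from 203.0.113.7 host=web1
1700000045 sshd Failed password for admin from 203.0.113.7 host=web1
1700000070 sshd Failed password for root from 203.0.113.7 host=db1
1700000100 sshd Failed password for root from 198.51.100.9 host=web1
1700000900 firewall portscan detected src=198.51.100.9
"""
SCAN_RE = re.compile(r"^(\d+) firewall portscan detected src=(\S+)")
FAIL_RE = re.compile(r"^(\d+) sshd Failed password for \S+ from (\S+) host=(\S+)")


def load_facts(engine: RuleEngine, text: str) -> List[int]:
    """Parse the two log formats into facts; returns fact ids so callers can retract later."""
    ids = []
    for line in text.splitlines():
        if m := SCAN_RE.match(line):
            ids.append(engine.assert_fact(type="fw_scan", ts=int(m.group(1)), src=m.group(2)))
        elif m := FAIL_RE.match(line):
            ids.append(engine.assert_fact(type="auth_fail", ts=int(m.group(1)),
                                          src=m.group(2), dst=m.group(3)))
    return ids


def correlate(text: str) -> Tuple[RuleEngine, List[int], List[Dict[str, Any]]]:
    engine, alerts = RuleEngine(), []
    engine.add_rule("scan_then_bruteforce", scan_then_bruteforce(), alerts.append)
    ids = load_facts(engine, text)
    engine.run()
    return engine, ids, alerts


if __name__ == "__main__":
    eng, ids, alerts = correlate(SAMPLE_LOGS)
    for a in alerts:
        print(f"ALERT {a['src']}: scan at {a['scan_ts']}, then {a['failures']} failed logins on {a['targets']}")
    eng.retract(ids[1])   # one failure disappears from working memory: the match no longer holds
    print("live matches after retraction:", eng.live_matches("scan_then_bruteforce"))
```

The second source (198.51.100.9) never alerts: its one failed login precedes its port scan, so the rule's ordering constraint is not met. Retracting a fact is what distinguishes this from a one-shot log grep: the engine's view of which matches currently hold changes as facts come and go, and a real engine such as Giles does that matching incrementally rather than rescanning everything on each run.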

All that sounds great, but what is Giles?

Read more ...

0 comments Posted by Rob at: 17:55 permalink

Brain Bleeding JavaScript Obfuscation 2015-01-12 16:00



JavaScript is often used to facilitate web-based attacks. To make analysis more
difficult and hide from signature-based systems, attackers will often obfuscate
their JavaScript. Fortunately, there are many ways to deobfuscate JavaScript, or
at least determine what it is doing. Sometimes, however, you come across
obfuscated JavaScript that just makes your brain bleed.

UPDATE: Some have requested the actual JS used in this analysis, so here it is:

 * https://blog.korelogic.com/2015/01/12/javascript_deobfuscation/malJS.zip
   (MD5: 8ad201d4dba1e19295ea1162308f3c0b, pass: infected)

Read more ...

9 comments Posted by Tyler at: 16:00 permalink

Using Windows Resource Language Codes for Attribution 2014-12-23 20:25



Since news of the Sony hack broke, a number of reports have pointed to North
Korea as the source of the compromise. Part of the reasoning that North Korea is
to blame is undoubtedly that the malware recovered from the compromise, and
subsequently made available on a number of malware analysis websites, had
internal resources tagged with the Korean language. While the languages
associated with Windows resources in executables can be used for attribution,
this post will show that they should not be relied upon on their own.

Disclosure: KoreLogic is not involved with this investigation, nor do we have
any inside knowledge. This post is based on the public information available and
our experience and expertise.
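The language of a Windows resource is a 16-bit LANGID stored at the third level of the PE resource directory tree, and it is simply whatever the build's resource script declared. The parser below is an added example written for this page, not the post's own tooling: it walks a constructed .rsrc section laid out as IMAGE_RESOURCE_DIRECTORY / IMAGE_RESOURCE_DIRECTORY_ENTRY / IMAGE_RESOURCE_DATA_ENTRY structures, reports the type, name and language of each resource, and splits a LANGID into its primary language (low 10 bits) and sublanguage (high 6 bits). The PRIMARY_LANG table is a small subset of the Windows table, chosen to cover the sample.

```python
import struct
from typing import List, Tuple

RT_VERSION = 16          # resource type of the VS_VERSIONINFO block

# Primary language ids (low 10 bits of a LANGID) for a few languages: a subset of
# the Windows table, enough for the constructed sample.
PRIMARY_LANG = {0x04: "Chinese", 0x09: "English", 0x11: "Japanese", 0x12: "Korean", 0x19: "Russian"}


def _directory_entries(blob: bytes, off: int) -> List[Tuple[int, int]]:
    """Read an IMAGE_RESOURCE_DIRECTORY at `off` and return its (Name/Id, OffsetToData) entries."""
    n_named, n_id = struct.unpack_from("<HH", blob, off + 12)
    pos, entries = off + 16, []
    for _ in range(n_named + n_id):
        entries.append(struct.unpack_from("<II", blob, pos))
        pos += 8
    return entries


def walk_resource_languages(rsrc: bytes) -> List[Tuple[int, int, int, int]]:
    """Walk the type -> name -> language tree of a .rsrc section (offsets are relative
    to the section start) and return (type, name, langid, codepage) per resource."""
    found = []
    for rtype, off1 in _directory_entries(rsrc, 0):
        if not off1 & 0x80000000:
            continue                         # level 1 must point at a subdirectory
        for name, off2 in _directory_entries(rsrc, off1 & 0x7FFFFFFF):
            if not off2 & 0x80000000:
                continue                     # level 2 must point at a subdirectory too
            for lang, off3 in _directory_entries(rsrc, off2 & 0x7FFFFFFF):
                if off3 & 0x80000000:
                    continue                 # level 3 points at IMAGE_RESOURCE_DATA_ENTRY
                _rva, _size, codepage, _ = struct.unpack_from("<IIII", rsrc, off3)
                found.append((rtype, name, lang & 0xFFFF, codepage))
    return found


def describe_langid(langid: int) -> str:
    primary, sub = langid & 0x3FF, langid >> 10
    return f"0x{langid:04X} ({PRIMARY_LANG.get(primary, 'primary 0x%02X' % primary)}, sublanguage {sub})"


def build_sample_rsrc() -> bytes:
    """Constructed .rsrc section: one RT_VERSION resource, id 1, with en-US and ko-KR variants.
    The language ids are whatever the .rc file's LANGUAGE statement said at build time."""
    def directory(entries):
        return struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(entries)) + \
               b"".join(struct.pack("<II", i, o) for i, o in entries)

    def data_entry(rva, size, codepage):
        return struct.pack("<IIII", rva, size, codepage, 0)

    root = directory([(RT_VERSION, 0x80000000 | 0x18)])      # root dir occupies 0x00-0x17
    by_type = directory([(1, 0x80000000 | 0x30)])            # type dir occupies 0x18-0x2F
    by_name = directory([(0x0409, 0x50), (0x0412, 0x60)])    # name dir occupies 0x30-0x4F
    return root + by_type + by_name + data_entry(0x3000, 64, 1200) + data_entry(0x3040, 64, 1200)


if __name__ == "__main__":
    for rtype, name, lang, cp in walk_resource_languages(build_sample_rsrc()):
        print(f"type={rtype} name={name} lang={describe_langid(lang)} codepage={cp}")
```

Nothing in this walk authenticates the language field: it is an integer the linker wrote from the resource script, so a binary built anywhere can carry 0x0412 (Korean) and a Korean-built binary can carry 0x0409 (en-US), which is the post's point.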

Read more ...

0 comments Posted by Tyler at: 20:25 permalink

VMware: "It's not a vulnerability, mmkkkayyy" 2014-11-18 16:15



During a recent review of the VMware Workstation application, I discovered a
method that allows any member of the __vmware__ group to extract arbitrary
sections of kernel memory. Members of this group are not required to already
have administrative privileges, so this is a significant vulnerability:
otherwise unprivileged users gain the means to extract and subsequently
use/abuse sensitive data such as process-level tokens, encryption keys, etc.
Needless to say, this poses a significant security risk to any organization that
allows unprivileged users to operate virtual machines by way of the __vmware__
group.

To date, VMware has declined to mitigate this vulnerability despite the detailed
evidence we have provided and our repeated attempts to convince them that there
is an underlying design flaw here that needs to be addressed. Also note that
this vulnerability, officially documented here, has not been assigned a CVE
identifier because MITRE declined to do so.

Read more ...

0 comments Posted by Matt at: 16:15 permalink

im in ur scm, bein a ninja 2014-11-05 12:45



A few months ago I posted a high-level overview of some source code repository
tampering risks.

The other day I presented a much deeper dive at BSides DC, with examples of
multiple ways to manipulate CVS, Git, and Subversion repositories, and some
thoughts on how companies and code-hosting sites could/should harden their
infrastructures.

Watch the presentation, or download the slides. (PDF warning)

Watch for future blog posts that extract and expand upon some of those examples.

Thanks to the BSidesDC folks for a great conference, and to ComputeCycle for the
recordings!

0 comments Posted by Hank at: 12:45 permalink

Password Security Research Featured in the Huffington Post 2014-10-17 12:00



Check out the recent Huffington Post article The Big Password Mistake That
Hackers Are Hoping You'll Make by Jeff Fox that talks about the need to "avoid a
little-known mistake recently uncovered by password researchers" (i.e., the
overuse of common password patterns (or topologies) by users as they create
their passwords). This article references some of the conclusions that came out
of our PathWell (Password Topology Histogram Wear-Leveling) project, which was
sponsored by DARPA (Defense Advanced Research Projects Agency) in 2013 under its
Cyber FastTrack program. Stay tuned for more PathWell-related news as we are
preparing to release the software developed for that project in the near future.

0 comments Posted by Klayton at: 12:00 permalink

Vuln Analysis: Classic write-what-where in XP's BthPan 2014-10-07 18:00



Recently, we came across the BthPan.sys driver while researching Microsoft's
Bluetooth implementation within 32-bit Windows XP (SP3), and after conducting a
number of fuzzing tests, we discovered that this driver has a vulnerability
known as a write-what-where condition. It should be noted that the BthPan.sys
driver is not enabled or even installed by default. Thus, the attack described
below will only function if the end user or operating system administrator has
installed the driver, such as via 'Add/Remove Programs' within the Control
Panel, or installing some hardware driver that implicitly enables it.

Read more ...

0 comments Posted by Matt at: 18:00 permalink

CISO's Corner: Password Cracking Best Practices and Myths 2014-10-02 16:00



Despite repeated breaches of password repositories, most recently the rumored
cause of the Apple iCloud celebrity image theft, password-based authentication
remains the norm for most users even though solutions like multi-factor
authentication offer superior protection. Not only are user accounts at risk,
but more importantly, so are their data. More often than not, default passwords
have been the root cause of multiple high-profile system and company
compromises. As with any recurring, successful attack, the bar must be raised to
prevent the inevitable question from management: "This attack is well known, so
why didn't we prevent it?"

Read more ...

2 comments Posted by Bob at: 16:00 permalink

FTimes 3.11.0 Released 2014-07-30 16:00



Version 3.11.0 is a minor release of FTimes. Generally, code was cleaned up and
refined as necessary. Several bugs have been fixed -- see the ChangeLog for
details. This release introduces file hooks support for an embedded Python
interpreter. Finally, a new tool, ftimes-bimvl, has been added to the project.

0 comments Posted by Klayton at: 16:00 permalink

KLogTail 1.2.0 Released 2014-07-22 14:00



Version 1.2.0 is a minor release of KLogTail. Generally, code was cleaned up and
refined as necessary. Several bugs have been fixed; all warning and error
messages have been enhanced to facilitate post-processing by log analysis tools;
a basic man page has been added; and the project has been completely
restructured to use autoconf/automake for the configure/build process.

0 comments Posted by Klayton at: 14:00 permalink

Repository Tampering: What You Don't Know Can Hurt You 2014-06-26 18:05



Consider this security scenario: Attackers gain access to developer or sysadmin
accounts. They find and target the revision control system that is used to
manage system configurations, internal code, or even software that is shipped to
customers. The attackers use the compromised accounts to modify the source code
and insert back doors or logic bombs. Now ask this question: How long will it
take the organization to notice?

This scenario may seem far-fetched, but think about all of the breaches of
software vendors you've read about: Adobe, the victims of Aurora, APT1, etc. Who
says they only had their code read?
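One check that shortens the "how long until we notice" window is to keep a record of the repository's object ids somewhere the compromised accounts cannot reach, and compare it against what the repository serves. The Python below is an added example, not anything from the post or the talk: it reproduces git's content addressing (blob, tree and commit ids are SHA-1 over a typed header plus the body, the same values git hash-object produces), then compares an out-of-band manifest against a constructed working tree in which one file was altered. Every commit id covers its tree id and its parent id, so rewriting any earlier commit changes every id after it, including the tip; recording the tip (or a signed tag over it) out of band is therefore enough to detect a rewritten history. The file contents are constructed for the example.

```python
import hashlib
from typing import Dict, List, Tuple


def git_object_id(kind: str, body: bytes) -> str:
    """SHA-1 git assigns an object: sha1("<kind> <len>\\0" + body). Matches `git hash-object`."""
    return hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).hexdigest()


def tree_id(files: Dict[str, bytes]) -> str:
    """Id of a flat tree of regular files (mode 100644), entries sorted by name as git does."""
    body = b"".join(
        f"100644 {name}\0".encode() + bytes.fromhex(git_object_id("blob", data))
        for name, data in sorted(files.items())
    )
    return git_object_id("tree", body)


def commit_id(tree: str, parent: str, message: str, ident: str, ts: int) -> str:
    """Id of a commit object; `parent` is "" for a root commit."""
    lines = [f"tree {tree}"]
    if parent:
        lines.append(f"parent {parent}")
    lines += [f"author {ident} {ts} +0000", f"committer {ident} {ts} +0000", "", message]
    return git_object_id("commit", "\n".join(lines).encode() + b"\n")


def snapshot(files: Dict[str, bytes]) -> Dict[str, str]:
    """Manifest {path: blob id} to be stored out of band (print it, sign it, put it on paper)."""
    return {path: git_object_id("blob", data) for path, data in files.items()}


def verify_manifest(expected: Dict[str, str], files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Compare the out-of-band manifest with what the repository now holds."""
    findings = []
    for path in sorted(set(expected) | set(files)):
        if path not in files:
            findings.append((path, "missing"))
        elif path not in expected:
            findings.append((path, "added"))
        elif git_object_id("blob", files[path]) != expected[path]:
            findings.append((path, "modified"))
    return findings


# Constructed repository contents (not from any real project); the "tampered" copy has one
# extra line in deploy.sh standing in for an inserted back door.
ORIGINAL = {
    "deploy.sh": b"#!/bin/sh\nexec ./app \"$@\"\n",
    "settings.py": b"DEBUG = False\n",
}
TAMPERED = dict(ORIGINAL, **{"deploy.sh": b"#!/bin/sh\n: inserted line\nexec ./app \"$@\"\n"})

if __name__ == "__main__":
    manifest = snapshot(ORIGINAL)
    print("tree before:", tree_id(ORIGINAL))
    print("tree after: ", tree_id(TAMPERED))
    print("findings:   ", verify_manifest(manifest, TAMPERED))
    dev = "Dev <dev@example.com>"
    print("commit before:", commit_id(tree_id(ORIGINAL), "", "initial import", dev, 1400000000))
    print("commit after: ", commit_id(tree_id(TAMPERED), "", "initial import", dev, 1400000000))
```

The manifest approach only works if the record is kept somewhere the same compromised developer or sysadmin accounts cannot also edit; a manifest committed to the repository it is meant to protect would be rewritten along with everything else.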


Read more ...

0 comments Posted by Hank at: 18:05 permalink

Callback Functions in Malware 2014-05-27 15:18



Recently, KoreLogic examined a number of malware downloaders that use API
callback functions to redirect the flow of execution and make malware analysis
more difficult. While this is not a new technique, our research did not find
many public resources discussing this topic. The purpose of this blog post is to
describe KoreLogic's analysis of what callback functions are, how malware uses
them, and how this technique can be detected and analyzed.

Read more ...

0 comments Posted by Tyler at: 15:18 permalink

MASTIFF Updates and Git SSL Issue 2014-04-17 01:50



Over the last few weeks, a number of updates have been pushed to the dev version
of MASTIFF located in the Git repository. One of these updates is a major change
to the analysis plug-in architecture.

The updates are described below.

Read more ...

0 comments Posted by Tyler at: 01:50 permalink

Mini-Crack Me If You Can for ISSW 2014 2014-04-07 11:45



This weekend at Infosec SouthWest 2014, KoreLogic's Crack Me If You Can (CMIYC)
team ran a mini-CMIYC contest for the people attending the conference. The prize
was a $100 gift card.

We made the challenge pretty simple, with 1-2 hashes that were a little bit
harder.

The winner was Scot Perkins. Congratulations to the winner! Here are the hashes
we posted if you want to play along after the fact:

Read more ...

0 comments Posted by Rick at: 11:45 permalink

PathWell Topologies 2014-04-04 20:55



As previously discussed at multiple conferences and in this blog, KoreLogic
worked on the PathWell project for the DARPA Cyber Fast Track program. PathWell
identifies and blocks common passwords based upon common password topologies and
learned user behavior.

Watch a presentation on PathWell, or download the slides here.

The PathWell software is not yet public, but people have frequently asked us to
publish the list of the most popular topologies within enterprises that we
compiled during that research. So, that is what we are doing today.

Read more ...

1 comment Posted by Rick at: 20:55 permalink

MASTIFF in KoreLogic Git Repository 2014-03-25 16:03



In order to make new development versions of MASTIFF available to the masses,
KoreLogic has put MASTIFF in a GitHub repo. This repository can be accessed at
https://github.com/KoreLogicSecurity/mastiff or the repository can be cloned
with:

git clone https://github.com/KoreLogicSecurity/mastiff


Read more ...

0 comments Posted by Tyler at: 16:03 permalink

ShmooCon Epilogue Prologue: PathWell 2014-01-09 15:14



On January 20, I will be giving a talk at ShmooCon Epilogue on PathWell, a
project we did last summer. Epilogue is a great event and is much easier to get
tickets for than ShmooCon, and I highly recommend it. (And I said that before
they accepted my talk ;)

Over the past couple of years, we - mostly my coworker Rick Redman (Minga) -
have given many talks about how enterprise password strength enforcement rules,
as currently implemented, are broken and harmful. They make enterprise passwords
easy to crack. The only thing worse than having them is not having them.

PathWell ("Password Topology Histogram Wear-Leveling") introduces a new
dimension for measuring and enforcing enterprise password strength that attempts
to take away from the attacker the advantages that they currently have when
cracking (or even just flat-out guessing blindly) an enterprise's passwords.
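For the three PathWell mentions on this page (the Huffington Post item, the PathWell Topologies post and this one), here is an added Python example of the topology idea in its simplest form. It is not PathWell, which is not public, and its threshold is invented for the example: it reduces each password to a hashcat-style mask (?u upper, ?l lower, ?d digit, ?s other), builds the histogram over a constructed password set that satisfies a typical complexity rule, and then rejects a new password whose mask would hold more than a set share of the histogram. The constructed passwords are not real credentials.

```python
from collections import Counter
from typing import List, Tuple


def topology(password: str) -> str:
    """Hashcat-style mask of a password: ?u upper, ?l lower, ?d digit, ?s everything else."""
    out = []
    for ch in password:
        if ch.isupper():
            out.append("?u")
        elif ch.islower():
            out.append("?l")
        elif ch.isdigit():
            out.append("?d")
        else:
            out.append("?s")
    return "".join(out)


def topology_histogram(passwords: List[str]) -> Counter:
    return Counter(topology(p) for p in passwords)


def passes_complexity(password: str) -> bool:
    """Typical enterprise rule: 8+ chars with upper, lower and digit. Every sample below passes it."""
    return (len(password) >= 8 and any(c.isupper() for c in password)
            and any(c.islower() for c in password) and any(c.isdigit() for c in password))


def wear_level_check(candidate: str, hist: Counter, max_share: float) -> Tuple[bool, str, float]:
    """Accept the candidate only if its topology, counting the candidate itself, would hold
    no more than `max_share` of all passwords; otherwise the attacker can bank on that mask."""
    topo = topology(candidate)
    total = sum(hist.values()) + 1
    share = (hist[topo] + 1) / total
    return share <= max_share, topo, round(share, 3)


# Constructed password set (not real credentials): complexity-compliant, yet most share two masks.
SAMPLE_PASSWORDS = [
    "Summer2013", "Winter2014", "Spring2013", "Autumn2012", "Monday2014",
    "Welcome1", "Company1", "Letmein1", "Qwerty12",
    "P@ssw0rd1", "Tr0ub4dor&3", "correct9Horse",
]

if __name__ == "__main__":
    hist = topology_histogram(SAMPLE_PASSWORDS)
    print("all pass the complexity rule:", all(passes_complexity(p) for p in SAMPLE_PASSWORDS))
    for topo, n in hist.most_common(3):
        print(f"{n:3d}  {topo}")
    # Hypothetical policy for a password change: no topology may exceed 25% of all passwords.
    for pw in ("Friday2015", "7tvK?mf9Lq"):
        ok, topo, share = wear_level_check(pw, hist, max_share=0.25)
        print(f"{pw!r:16} {topo:34} share={share:.3f} -> {'accept' if ok else 'REJECT'}")
```

"Friday2015" satisfies the complexity rule and is still rejected, because ?u?l?l?l?l?l?d?d?d?d already covers five of the twelve stored passwords; an attacker who runs that one mask first gets those five for almost nothing. That is the advantage the topology histogram takes away.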



Read more ...

0 comments Posted by Hank at: 15:14 permalink

Converting IDA PAT to Yara Signatures 2013-11-15 13:15



One of the issues when analyzing malicious Linux executables occurs when the
executable has been statically linked and the debugging symbols stripped. Since
the debugging symbols are stripped, IDA Pro is unable to identify the names of
the library functions and we are left to determine the names on our own, or load
and/or create the appropriate IDA signatures to identify the functions. To do
this, we need to know which libraries were used during compilation, and possibly
the OS (Linux distribution name and version) it was compiled on as well.
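As an added example (not the script from the post), the Python below converts FLAIR .pat records into YARA rules so the same library signatures can be used to tag a stripped, statically linked binary outside IDA. It reads each record as <pattern> <crc16 length> <crc16> <function length> followed by :offset name public symbols and ^offset name references; that layout is an assumption made for this example, not a quotation of the FLAIR documentation, and fields it does not understand are ignored. The pattern's ".." wildcard bytes become "??" in the YARA hex string. The sample .pat content is constructed, not a real library signature.

```python
import re
from typing import Dict, List, Optional

# One .pat record as this example reads it (assumed layout):
#   <pattern> <crc16 length> <crc16> <function length> :<off> <public> ... ^<off> <reference> ...
PAT_LINE = re.compile(
    r"^(?P<pattern>[0-9A-Fa-f.]+)\s+(?P<crclen>[0-9A-Fa-f]{2})\s+(?P<crc>[0-9A-Fa-f]{4})"
    r"\s+(?P<flen>[0-9A-Fa-f]{4})\s+(?P<rest>.*)$")
PUBLIC_RE = re.compile(r":([0-9A-Fa-f]{4})\s+(\S+)")
REF_RE = re.compile(r"\^([0-9A-Fa-f]{4})\s+(\S+)")


def parse_pat_line(line: str) -> Optional[Dict]:
    """Split one record into its fields; returns None for blank lines, '---' and anything else."""
    m = PAT_LINE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    return {
        "pattern": m.group("pattern"),
        "crc_len": int(m.group("crclen"), 16),
        "crc": int(m.group("crc"), 16),
        "func_len": int(m.group("flen"), 16),
        "publics": [(int(o, 16), n) for o, n in PUBLIC_RE.findall(rest)],
        "refs": [(int(o, 16), n) for o, n in REF_RE.findall(rest)],
    }


def pattern_to_yara_hex(pattern: str) -> str:
    """'..' byte wildcards become '??'. Leading and trailing wildcards are dropped: they
    add nothing to the match, since YARA still has to find the fixed bytes in between."""
    if len(pattern) % 2:
        raise ValueError("pattern must have an even number of hex digits")
    tokens = ["??" if pattern[i:i + 2] == ".." else pattern[i:i + 2].upper()
              for i in range(0, len(pattern), 2)]
    while tokens and tokens[0] == "??":
        tokens.pop(0)
    while tokens and tokens[-1] == "??":
        tokens.pop()
    return " ".join(tokens)


def pat_to_yara_rule(rec: Dict, prefix: str = "flair") -> str:
    """Render one record as a YARA rule named after its first public symbol."""
    name = rec["publics"][0][1] if rec["publics"] else f"crc{rec['crc']:04x}"
    ident = re.sub(r"[^A-Za-z0-9_]", "_", name).strip("_") or "anon"
    refs = ", ".join(n for _, n in rec["refs"]) or "none"
    return (
        f"rule {prefix}_{ident}\n"
        f"{{\n"
        f"    meta:\n"
        f"        source = \"IDA FLAIR .pat\"\n"
        f"        function_length = {rec['func_len']}\n"
        f"        references = \"{refs}\"\n"
        f"    strings:\n"
        f"        $code = {{ {pattern_to_yara_hex(rec['pattern'])} }}\n"
        f"    condition:\n"
        f"        $code\n"
        f"}}\n"
    )


def convert_pat_file(text: str) -> List[str]:
    """Convert every record in a .pat file; a line of '---' terminates the file."""
    rules = []
    for line in text.splitlines():
        if line.strip() == "---":
            break
        rec = parse_pat_line(line)
        if rec:
            rules.append(pat_to_yara_rule(rec))
    return rules


# Constructed .pat content in the layout described above (not a real library signature).
SAMPLE_PAT = """\
5589E583EC18C745F400000000C745F8........C745FC........8B45F8 0D A3F1 0042 :0000 _my_checksum ^0013 _helper
5589E55DC3 00 0000 0005 :0000 _ret_zero
---
"""

if __name__ == "__main__":
    print("\n".join(convert_pat_file(SAMPLE_PAT)))
```

Because only the leading bytes of each function are encoded, a short pattern such as the five-byte _ret_zero prologue will match in many places; when generating rules in bulk it is worth dropping records whose function length falls under some minimum, or adding the function's later bytes to the hex string, before trusting the matches for naming.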



Read more ...

0 comments Posted by Tyler at: 13:15 permalink

MASTIFF on Mac OS X 2013-10-30 17:22



One of the reasons MASTIFF was written in Python was to give it the flexibility
to run wherever it was needed. Linux and other *nix's have been supported since
the initial release, but one goal was to have MASTIFF work on Mac OS X. It was
suspected that MASTIFF would run without a problem on OS X, but it had never
been tested...until now.

This week MASTIFF was finally tested and proven to work on Mac OS X. Mac OS X
10.8.5 (Mountain Lion) was used during testing, although other versions of OS X
will likely work as well.

The instructions to install MASTIFF on Mac OS X are below. In these instructions
we used Homebrew to install a number of packages. There are many ways to install
packages on OS X; this is the one we chose this time.



Read more ...

0 comments Posted by Tyler at: 17:22 permalink

CMIYC 2013 Encrypted Challenge Files, Password Creation, and Hints 2013-09-04 23:59



We've just published details about the Crack Me If You Can 2013 encrypted file
challenges here: the passphrase for each encrypted file, and the hints that are
included in each one.

Encrypted File Types
Each encrypted file type had an Easy, Medium, and Hard file, with increasingly
complex passphrases.

Read more ...

2 comments Posted by Hank at: 23:59 permalink

Mini-Password Cracking Challenge for LOLBitCoin Party 2013-08-12 12:12



As a favor to @Druidian, I supplied a mini password cracking challenge for
hackers at DEFCON. It was a small list of NTLM hashes that the teams had to
crack. They had no idea what the significance of them was.

I supplied the following NTLM hashes:

Read more ...

0 comments Posted by Rick at: 12:12 permalink

CMIYC 2013 Post-game 2013-08-08 15:15



This is the first of several posts we'll make post-Crack Me If You Can 2013.
Later we'll gather things up and add content to the main 2013 contest site.

In this post I'll talk a little about the structural changes we made in this
year's DEFCON contest, what we did that we think worked well, some not so well.
We'd love feedback that we can use when planning future contests.

Structure


Read more ...

1 comment Posted by Hank at: 15:15 permalink

Submerging a GPU Cluster in Mineral Oil 2013-06-05 20:55



You may have seen the recent article on Ars Technica by Dan Goodin about
KoreLogic. We (Rick Redman and Dale Corpron, KoreLogic consultants) dipped a
computer in oil, and left it there, running, 24x7.

Although this idea isn't really all that new (Cray did it in 1985!), our use of
it is relatively rare. We dipped a GPU powered password cracking system in the
oil. Thanks to Midas Green Tech's help, it was really easy to do. Our hardware
wasn't new or even custom, but it's running, right now, in mineral oil.

So, why did we do it?


Read more ...

2 comments Posted by Rick at: 20:55 permalink

Crack Me If You Can 2013 Is On! 2013-05-09 21:15



It's official, Crack Me If You Can will definitely be back for DEFCON 21 in
August.

We've been planning what to do for this year's contest, combining all our
lessons learned. We'll get the 2013 site up, and start announcing structure and
rules soon.

0 comments Posted by Hank at: 21:15 permalink

MASTIFF 0.6.0 Released 2013-04-19 09:50



The latest version of MASTIFF, 0.6.0, has just been released! Run over to the
download site and grab the latest version!

The official changelog is located here, but the major improvements are described
below.

Upgrading MASTIFF to the latest version is easy. You can follow this process:

 1. Download and install pydeep.
 2. Download MASTIFF 0.6.0 and untar it.
 3. Run "make test" to ensure you are not missing any dependencies.
 4. Run "sudo make install" to install the latest version.
 5. Copy the analysis plug-ins (the plugins directory in the tarball) to your
    location of choice and ensure the config file is pointing to that directory.
 6. Add any new options to your MASTIFF config file. The easiest way may be to
    use sdiff.

Read more ...

0 comments Posted by Tyler at: 09:50 permalink

FTimes 3.10.0 Released 2013-04-01 18:15



Version 3.10.0 is a minor release of FTimes. Generally, code was cleaned up and
refined as necessary. Several bugs have been fixed -- see the ChangeLog for
details. This release includes updated support for file hooks and introduces
KLEL-based XMagic. Consequently, the minimum required version of libklel has
been raised to 1.1.0, which has a library version of 2:0:1. Finally, file system
support for SquashFS was added.

0 comments Posted by Klayton at: 18:15 permalink

KLEL 1.1.0 Released 2013-02-15 17:36



The latest version of KLEL, 1.1.0, has just been released! It's available for
download at its SourceForge site.

This release brings a much cleaner and faster parser, and a more consistent API
for developers. The KLEL standard library has been extended with a family of
"abort" functions to trigger runtime errors in expressions.

Read more ...

0 comments Posted by Rob at: 17:36 permalink

Copyright 2024. KoreLogic Security. All rights reserved