Keep An Eye on your Root Certificates, (Sat, Nov 11th)

A few times a year, we can read in the news that a rogue root certificate was installed without the user's consent. The latest story that pops up in my mind is the Savitech audio drivers, which silently install a root certificate[1]. The risks associated with this kind of behaviour are multiple, the most important …

Battling e-mail phishing, (Fri, Nov 10th)

Lately I’ve been doing a lot of phishing exercises – looking at the last couple of years, I would say that we can finally see some increased awareness. Unfortunately, this increased awareness is mainly among the IT security folks: the phishing (or social engineering) campaigns usually have very devastating results. When conducting a social engineering …

SSH Server "Time to Live"? Less than a cup of coffee!, (Wed, Nov 8th)

After the stories I posted last week on SSH, I had some folks ask me about putting an SSH server on the public internet – apparently lots and lots of folks still think that’s a safe thing to do. Shodan lists 15 million such trusting souls: OK – so can 15 million people be wrong? …

Interesting VBA Dropper, (Tue, Nov 7th)

Here is another sample that I found in my spam trap. The technique used to infect the victim’s computer is interesting. I captured a mail with a malicious RTF document (SHA256: c247929d3f5c82247db9102d2dec28c27f73dc0824f8b386f92aad1a22fd8edd)[1] that exploits the OLE2Link vulnerability (CVE-2017-0199[2]). Once opened, the document fetches the following URL: hxxp://newsshopper[.]info/news/tp.php?thread=0 It returns the XML content: This …

Metasploit's Maldoc, (Mon, Nov 6th)

I often write posts and make videos on malicious document analysis, which I post here and on my blog. Here is another video on malicious Office document analysis (a .docm file), but with a twist: this maldoc was created with the Metasploit module office_word_macro. .docm files created with this module embed a payload (a Windows executable) …

Extracting the text from PDF documents, (Sun, Nov 5th)

In my previous diary entry, we looked at a phishing PDF and extracted the URLs. But what if you want to look at the message contained in the PDF without opening it? There are several tools (online and offline) that can convert PDF documents to text. It can also be done with my pdf-parser.py tool, …

Simple Analysis of an Obfuscated JAR File, (Fri, Nov 3rd)

Yesterday, I found in my spam trap a file named ‘0.19238000 1509447305.zip’ (SHA256: 7bddf3bf47293b4ad8ae64b8b770e0805402b487a4d025e31ef586e9a52add91). The ZIP archive contained a Java archive named ‘0.19238000 1509447305.jar’ (SHA256: b161c7c4b1e6750fce4ed381c0a6a2595a4d20c3b1bdb756a78b78ead0a92ce4). The file had a score of 0/61 in VT[1] and looked to be a nice candidate for a quick analysis. .jar files are ZIP archives that contain compiled Java …

Attacking SSH Over the Wire – Go Red Team!, (Thu, Nov 2nd)

So, now that we’ve talked about securing SSH and auditing SSH over the last few days, how about attacking SSH? A primary method is to simply brute force hosts that have userid/password authentication enabled. Hydra and Medusa both have nice interfaces for this. I like using Hydra for this – it allows you to do …