- Forensics -
Last update 09.10.2017 12:39:21
FireEye releases GoCrack, a free managed Password Cracking Tool
31.10.2017 securityweek Forensics
Early this week FireEye released a managed password cracking tool, dubbed GoCrack, that is able to execute tasks across multiple GPU servers. GoCrack is an open source tool developed by FireEye’s Innovation and Custom Engineering (ICE) team that implements an easy-to-use, web-based real-time UI to create, view, and manage password cracking tasks.
Users deploy a GoCrack server along with a worker on every GPU/CPU-capable machine; tasks are then distributed automatically across the GPUs/CPUs of the machines that make up the cluster.
“FireEye’s Innovation and Custom Engineering (ICE) team released a tool today called GoCrack that allows red teams to efficiently manage password cracking tasks across multiple GPU servers by providing an easy-to-use, web-based real-time UI to create, view, and manage tasks.” reads the post published by FireEye. “Simply deploy a GoCrack server along with a worker on every GPU/CPU capable machine and the system will automatically distribute tasks across those GPU/CPU machines.”
GoCrack supports the hashcat v3.6+ engine and requires no external database server; it also supports both LDAP and database-backed authentication.
FireEye plans to add support for both MySQL and Postgres database engines soon.
The server component can run on any Linux server with Docker installed; users with NVIDIA GPUs can use NVIDIA Docker to run the worker in a container with full access to the GPUs.
Password cracking is an important activity for security professionals who need to test password strength and password management practices.
“Some use cases for a password cracking tool can include cracking passwords on exfil archives, auditing password requirements in internal tools, and offensive/defensive operations.” continues FireEye.
GoCrack logs sensitive actions for auditing purposes, and it lets task data be hidden from unauthorized users.
“Modifications to a task, viewing of cracked passwords, downloading a task file, and other sensitive actions are logged and available for auditing by administrators,” continues the post. “Engine files (files used by the cracking engine) such as Dictionaries, Mangling Rules, etc. can be uploaded as ‘Shared’, which allows other users to use them in task yet do not grant them the ability to download or edit.”
GoCrack's source code and the tool itself can be downloaded from the GitHub repository.
Experts have little doubt that the tool could soon become a favoured instrument for threat actors looking to crack passwords.
FireEye Releases Managed Password Cracking Tool
31.10.2017 securityweek Forensics
FireEye on Monday released a tool designed to help red teams manage password cracking tasks across multiple GPU servers. Called GoCrack, the open source tool provides an easy-to-use, web-based real-time UI to create, view, and manage password cracking tasks.
Developed in house by FireEye's Innovation and Custom Engineering (ICE) team, GoCrack lets users deploy a server along with a worker on every GPU/CPU-capable machine, with tasks automatically distributed across those machines.
GoCrack currently supports the hashcat v3.6+ engine, requires no external database server, and includes support for both LDAP and database-backed authentication.
The server component can run on any Linux server running Docker, while users with NVIDIA GPUs can use NVIDIA Docker to run the worker in a container with full access to the GPUs.
“Password cracking tools are an effective way for security professionals to test password effectiveness, develop improved methods to securely store passwords, and audit current password requirements,” FireEye’s Christopher Schmitt explained in a blog post. “Some use cases for a password cracking tool can include cracking passwords on exfil archives, auditing password requirements in internal tools, and offensive/defensive operations."
The tool also includes the ability to hide task data from others unless they are the creator or have been granted access to the task.
“Modifications to a task, viewing of cracked passwords, downloading a task file, and other sensitive actions are logged and available for auditing by administrators,” Schmitt wrote. “Engine files (files used by the cracking engine) such as Dictionaries, Mangling Rules, etc. can be uploaded as 'Shared', which allows other users to use them in task yet do not grant them the ability to download or edit.”
GoCrack is available for download from GitHub, along with its source code.
While FireEye says the tool is intended for enterprise security teams, it will also prove useful to malicious actors looking to crack passwords for use in future attacks.
Support for MySQL and Postgres database engines for larger deployments is planned for the future, along with additional features and finer configuration of the hashcat engine.
Free Tool Detects, Exploits DLL Hijacking Vulnerabilities
5.10.2017 securityweek Forensics
DLL hijacking is not a new attack vector. It's been around for 20 years or more. It's not easy, but it's very effective. Once achieved it provides stealth and persistence -- precisely those attributes sought by advanced and state actors.
Forrest Williams, senior security researcher at Cybereason, spotted an instance of DLL hijacking on a customer's network and decided to tackle the problem. His solution was to develop a new scanner, a tool he calls Siofra, that both detects hijacking vulnerabilities and provides an automated method of exploiting them.
It is a drastic solution, and one that leaves him and his company open to criticism in the same way that Metasploit is criticized: it can help bad guys attack good guys. Williams first approached Microsoft and was told, this attack "is predicated on the attacker having written a malicious binary to the directory where the application is launched from. As described in the Windows library search order process, loading binaries from the application directory is by design. This does not meet the bar for security servicing."
The story behind Siofra, pronounced 'sheefra' (a 'changeling' in Celtic mythology) is told in a new blog post from Cybereason. The developer, Forrest Williams, discussed the problem with SecurityWeek. He tells the full story in an associated paper (PDF). His hope is that Siofra will eventually force Microsoft to address the DLL hijacking vulnerability in the same way that Mimikatz forced it to address the underlying problem with credentials in the latest release of Windows 10.
DLL hijacking occurs when a modified and weaponized DLL is called by an application instead of the original DLL. It is neither an easy nor a common attack; but a hijacked DLL can be left behind after a network compromise, allowing the attacker to withdraw while leaving a stealthy, persistent and dangerous malware behind. Because of the inherent difficulties, it is primarily used by advanced or state actors.
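To make the mechanism concrete from the defender's side, here is an added example (not Siofra, not Microsoft's loader, and not code from the article) that simulates the documented Windows DLL search order with SafeDllSearchMode enabled and flags DLLs in an application directory that would be picked up in place of a system DLL of the same name. The directory listings, the application name and the DLL names are constructed for the example; the KnownDLLs set is a small subset chosen for illustration.

```python
"""Simulate the Windows DLL search order (SafeDllSearchMode enabled) and flag
DLLs in an application directory that would be loaded in place of a system
DLL of the same name.

Constructed educational example; it is not Siofra and not Microsoft's loader.
The directory listings below are made up, not taken from a real system.
"""
from typing import Dict, List, Optional, Tuple

# Directory key -> (path, filenames). Key order is irrelevant; the search
# order is fixed by SEARCH_ORDER below.
Listing = Dict[str, Tuple[str, List[str]]]

# Documented default order with SafeDllSearchMode on, simplified: the 16-bit
# system directory is omitted and PATH is treated as a single directory.
SEARCH_ORDER = ["app_dir", "system32", "windows", "cwd", "path"]

# Subset of names the loader takes from the KnownDLLs object directory, which
# bypasses the search order entirely (subset chosen for the example).
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll"}


def resolve(dll: str, dirs: Listing, known=KNOWN_DLLS) -> Optional[Tuple[str, str]]:
    """Return (directory key, full path) the loader would pick, or None."""
    name = dll.lower()
    order = ["system32"] if name in known else SEARCH_ORDER
    for key in order:
        if key not in dirs:
            continue
        path, files = dirs[key]
        if name in {f.lower() for f in files}:
            return key, path.rstrip("\\") + "\\" + name
    return None


def _in_system_dirs(name: str, dirs: Listing) -> bool:
    for key in ("system32", "windows"):
        if key in dirs and name in {f.lower() for f in dirs[key][1]}:
            return True
    return False


def shadowed_dlls(dirs: Listing, known=KNOWN_DLLS) -> List[Tuple[str, str]]:
    """DLLs that sit in app_dir, also exist in a system directory, and would
    be resolved from app_dir: the cases a defender should review first."""
    findings = []
    for f in dirs["app_dir"][1]:
        name = f.lower()
        hit = resolve(name, dirs, known)
        if hit and hit[0] == "app_dir" and _in_system_dirs(name, dirs):
            findings.append((name, hit[1]))
    return findings


# Constructed sample: an application directory containing a copy of a system
# DLL (exampleapi.dll, made up) and a copy of a KnownDLL (kernel32.dll).
SAMPLE_DIRS: Listing = {
    "app_dir": ("C:\\Program Files\\ExampleApp",
                ["exampleapp.exe", "exampleapi.dll", "kernel32.dll", "apphelper.dll"]),
    "system32": ("C:\\Windows\\System32",
                 ["ntdll.dll", "kernel32.dll", "user32.dll", "exampleapi.dll"]),
    "windows": ("C:\\Windows", []),
    "cwd": ("C:\\Users\\alice\\Downloads", ["apphelper.dll"]),
}

if __name__ == "__main__":
    for name in ["exampleapi.dll", "kernel32.dll", "apphelper.dll", "missing.dll"]:
        print(f"{name:16} -> {resolve(name, SAMPLE_DIRS)}")
    print("review:", shadowed_dlls(SAMPLE_DIRS))
```

The copy of kernel32.dll in the application directory is not flagged because KnownDLLs are always taken from System32, while exampleapi.dll is flagged because the application directory is searched first. On a real host the same listing logic would be fed from the file system, and each flagged file checked with a signature query such as PowerShell's Get-AuthenticodeSignature, which is the whitelisting-by-signature check Williams describes below as the fix Microsoft has not shipped.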
And it does happen. It happened with the recent CCleaner compromise, now thought to have been conducted by a Chinese state actor. "M.E.DOC is possibly a better example," said Williams. Here, the .NET code in ZvitPublishedObjects.dll had been modified on multiple occasions to allow a malicious actor to gather data and download and execute arbitrary code. "It is even speculated", said Williams, "that the whole purpose of the M.E.DOC company was really to deliver a malicious payload [the NotPetya wiper] on behalf of the Russian government against Ukraine."
In both of these cases, it is thought that advanced state actors compromised the supply chain with DLL hijacking. So although the threat isn't common, it can be devastating; and as nation states continue to increase their cyber activity, the threat and the danger are likely to grow. The growing interaction between geopolitics and cybersecurity makes this inevitable.
For the moment, it appears that Microsoft is unwilling to address the problem. "The only real solution from Microsoft would be whitelisting or code signing so that no DLL is ever loaded into a Microsoft process unless it is digitally signed," explained Williams. "Thing is, they don't do this; and I think the reason they don't do this is because they won't be able to do backwards compatibility. Also," he added, "some Microsoft code is designed with 'just-in-time-compiling'. It's compiled as the code is run -- and there's no way to sign it. So there's no real way to create a whitelist. Windows simply wasn't designed with this issue in mind -- so it is design flaws that have prevented them fixing the issue to this day."
The design flaws will need to be designed out of Windows -- but it will take a lot of development effort from Microsoft. "It wouldn't be an easy fix," said Williams. "If attacks become more prevalent -- and right now they're not very common -- I think that Microsoft would definitely do something. After the release of the Mimikatz tool to steal credentials, making credential stealing much easier, Microsoft has now changed their design. They've fixed the issue in the latest Windows 10 release. But it took them a long time to do, and it needed someone to make it easy for the attackers with the release of Mimikatz, before they actually felt the pain and started to solve the problem. I don't think Microsoft would have fixed the underlying vulnerability that Mimikatz weaponized without it being released. So unless DLL hijacking becomes well-known and used, I don't think it will ever be fixed."
Williams hopes that Siofra will change the status quo; that is, force Microsoft to address the issue. Siofra is not the first DLL scanner. "But it has one unique addition," explains Williams. First it will find vulnerable DLLs; "but then it is able to create an almost identical copy of the DLL that it targets; so that when you exploit one of these vulnerabilities Siofra creates a DLL that is almost a perfect clone except that it's got a tiny modification that allows the attacker to add their own payload into the DLL. It's not just a scanner. There have been scanners before; but this scanner is much more powerful. It has the ability to create these attacks and exploit the vulnerability; and that's unique."
Williams has little doubt that DLL hijacking will continue and become a growing problem from advanced attackers. The problem is that the vulnerability is everywhere. "When I tested Siofra," he told SecurityWeek, "I did not find a single application that did not include at least one vulnerable DLL." This isn't limited to Microsoft applications, although it includes Windows Defender, Internet Explorer and WMI -- none of which were previously known to be vulnerable. But it also includes applications like Adobe Reader and Firefox. "No defensive software wants to delete high-trust applications like these." As a result, a hijacked DLL simply flies under the radar of anti-malware software.
"DLL hijacking," suggests Williams, "is the new rootkit."
New Microsoft Tool Analyzes Memory Corruption Bugs
5.10.2017 securityweek Forensics
A newly released analysis tool from Microsoft helps security engineers and developers investigate memory corruption bugs.
Called VulnScan, the tool has been designed and developed by the Microsoft Security Response Center (MSRC) to help determine the vulnerability type and root cause of memory corruption flaws. The utility was built on top of two internally developed tools, namely Debugging Tools for Windows (WinDbg) and Time Travel Debugging (TTD), the tech giant says.
WinDbg is Microsoft's Windows debugger, which recently received a user interface makeover, while Time Travel Debugging is an internally developed framework designed to record and replay the execution of Windows applications.
“By leveraging WinDbg and TTD, VulnScan is able to automatically deduce the root cause of the most common types of memory corruption issues. Application Verifier’s mechanism called PageHeap is used to trigger an access violation closer to the root cause of the issue,” Mateusz Krzywicki from MSRC explains.
The tool begins the analysis process from the crash location then progresses to determine the root cause. VulnScan includes support for five different classes of memory corruption issues, namely Out of bounds read/write, Use after free, Type confusion, Uninitialized memory use, and Null/constant pointer dereference.
According to Krzywicki, the tool can also detect integer overflows and underflows, along with basic out of bounds accesses caused by a bad loop counter value. Use-after-free bugs can be detected even without PageHeap enabled.
MSRC already uses the new tool as part of its automation framework, called Sonar, which was designed to process externally reported proof-of-concept files. The platform can both reproduce issues and perform root cause analysis by employing multiple different environments.
Microsoft also plans on including VulnScan in the Microsoft Security Risk Detection service (Project Springfield). As part of this service, it will be used to de-duplicate crashes and provide extended analysis of vulnerabilities found through fuzzing.
“Over a 10-month period where VulnScan was used to triage all memory corruption issues for Microsoft Edge, Microsoft Internet Explorer and Microsoft Office products, it had a success rate around 85%, saving an estimated 500 hours of engineering time for MSRC engineers,” Krzywicki says.
The tool uses multi-branch taint analysis, meaning it can track every value derived from a single instruction. VulnScan keeps a queue of registers and memory addresses associated with specific positions in the execution timeline and performs taint analysis separately for each branch, so that the application's data flow can be recreated in full.
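The idea of walking backwards from the crash location through a recorded timeline, forking the analysis whenever an instruction has more than one input, can be shown on a toy trace. The following is an added example, not VulnScan's code and not taken from the MSRC post; the four-instruction trace, the register names and the classification labels are constructed for the illustration, and a real analysis would run over a TTD recording rather than a hand-written list.

```python
"""Toy backward, multi-branch taint analysis over a recorded execution trace.

Added illustration of the idea described above; it is not VulnScan's code and
uses a made-up four-instruction trace rather than a real TTD recording.
"""
from collections import deque
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class Insn(NamedTuple):
    pos: int          # position in the execution timeline
    text: str         # disassembly, for display only
    dst: str          # location written (register or memory slot)
    srcs: List[str]   # locations read: registers, memory slots, address registers


# Constructed trace: a pointer is assembled from an argument register and a
# stack slot that nothing in the recording ever wrote, then dereferenced.
TRACE = [
    Insn(0, "mov rax, [rbp-0x10]", "rax", ["[rbp-0x10]"]),
    Insn(1, "mov rbx, rdi",        "rbx", ["rdi"]),
    Insn(2, "add rbx, rax",        "rbx", ["rbx", "rax"]),   # two sources: fork here
    Insn(3, "mov rcx, [rbx]",      "rcx", ["rbx"]),          # access violation on rbx
]


def last_writer(trace: List[Insn], location: str, before: int) -> Optional[Insn]:
    """Most recent instruction before position `before` that wrote `location`."""
    for insn in reversed(trace[:before]):
        if insn.dst == location:
            return insn
    return None


def backward_taint(trace, crash_pos, faulting_location):
    """Walk the dependency chain of `faulting_location` backwards from the crash.

    Returns (positions on the chain, roots); a root is a (location, consumer
    position) pair whose producer lies outside the recording. Each source of an
    instruction becomes its own queue entry, so chains with several inputs are
    followed branch by branch instead of being collapsed into one.
    """
    queue = deque([(faulting_location, crash_pos)])
    chain: Set[int] = set()
    roots: Set[Tuple[str, int]] = set()
    while queue:
        loc, pos = queue.popleft()
        writer = last_writer(trace, loc, pos)
        if writer is None:
            roots.add((loc, pos))
            continue
        if writer.pos in chain:
            continue
        chain.add(writer.pos)
        for src in writer.srcs:
            queue.append((src, writer.pos))
    return chain, roots


def classify_roots(roots) -> Dict[str, str]:
    """Rough bucket for each root, in the spirit of the classes listed above."""
    verdict = {}
    for loc, _ in roots:
        if loc.startswith("["):
            verdict[loc] = "memory never written in trace: candidate uninitialized memory use"
        else:
            verdict[loc] = "register from outside the trace: external input (argument/return value)"
    return verdict


if __name__ == "__main__":
    chain, roots = backward_taint(TRACE, crash_pos=3, faulting_location="rbx")
    for pos in sorted(chain):
        print(f"{pos}: {TRACE[pos].text}")
    for loc, why in classify_roots(roots).items():
        print(f"root {loc}: {why}")
```

Starting from the faulting register at position 3, the walk reaches the add at position 2 and then follows both of its inputs separately, ending at two roots: the argument register rdi and the stack slot that was read at position 0 but never written in the trace. The second root is the one an analyst would look at first, since it matches the uninitialized-memory class listed above.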
How to succeed in online investigations and digital forensics
2.2.2017 Kaspersky Forensics
Maltego, the tool best known for deep data mining and link analysis, has helped law enforcement and intelligence agencies, banking organizations, financial institutions and others in security-related work since it was released in 2008.
To benefit from using Maltego, come to SAS 2017 for intensive Digital Intelligence Gathering training from the experts who created the tool from scratch: there won’t be any questions that they can’t answer. The course runs for two days, April 1st and 2nd 2017, on St. Maarten. Book a seat now — the class is limited to 15 people maximum!
Down with the Excel worksheets
Maltego brings power to any online investigation, processing publicly available information that is hard to see with the naked eye. But it’s not just about mining — it’s also about analyzing and visualizing relationships between people and groups of people, companies, organizations, web sites, Internet infrastructure (domains, DNS names, netblocks, IP addresses) and affiliations (documents and files). The tool grabs information from DNS and whois records, search engines, social networks, online APIs and metadata. The results are presented in different graphical layouts for better clustering, which brings hidden connections into view even when they are three or four degrees of separation away, and can even make attribution attainable.
Why you need the training before you start using Maltego
During the two-day course, participants will discover the entire Maltego ecosystem and learn how to use the tool properly to get the most out of it. The trainers guarantee that you will leave with an understanding of how to apply the tool in your organization and how to accurately interpret this kind of node-based graph:
All practical exercises will involve real world data.
The course is taught by Roelof Temmingh, Managing Director and founder of Paterva, the South African company that introduced Maltego to the world in 2008, and Andrew MacPherson, operations manager at Paterva and lead Maltego server developer.
Roelof and Andrew invite pen-testers, LEAs, intelligence agencies and security experts from any industry dealing with digital data gathering.
Applicants should meet the following prerequisites: knowledge of common Internet services (HTTP, DNS), search engines (Google hacking) and basic IT security principles (such as port scanning), plus scripting or programming experience (Python, Perl). You’ll need a PC or Mac with an external mouse, at least 2GB of RAM, a decent-resolution display and enough disk space to install the latest version of Maltego.